Identity management in digital health: protecting patient identities

How can organizations protect their patients and secure private health information? Learn how to master identity management in healthcare.

Image of a digital health identity card
Read time:
Share this post
Table of contents
⚡ Key takeaways
  • Health records contain a wealth of information, making them a target for hackers, fraudsters, and other bad actors. In fact, the annual number of healthcare data breaches has nearly doubled since 2018.
  • Identity verification, 2FA, and reverification can play an important role in protecting patient health records from inappropriate access.

Your health records contain a vast assortment of information, from your medical history to your prescriptions list, insurance and payment details, Social Security number, and more. 

This makes these records amongst the most private and sensitive of all data about you. 

It’s easy to understand, then, why there are so many different laws and regulations in place to ensure that patient records are appropriately protected. It’s also easy to understand why electronic health records have proven to be a tantalizing target for hackers, fraudsters, and other bad actors.

All of this means that businesses operating in the healthcare industry — particularly those that collect, handle, store, or transmit patient health records electronically — have a target on their back. Digital health providers, hospitals, clinics, individual providers, insurers, pharmacists (and more) are all potentially at risk of security breaches, regulatory enforcement, and legal action from patients. 

The good news is that by implementing a robust identity and access management (IAM) process, including identity verification and authentication, it’s possible to better protect your patients’ health data and identity information. 

Below, we define identity management in healthcare, take a look at the different kinds of threats that can put patient data at risk, and highlight the role that identity verification, reverification, and authentication can play in an effective IAM strategy. 

What is identity and access management in healthcare?

Identity and access management (IAM) is a framework of technologies, policies, and processes that businesses follow to manage digital identities. It involves policies that dictate sign-in credentials (usernames and passwords), data governance, and who has access to what information. 

In a healthcare setting, identity and access management refers to any party who may access, or attempt to access, a patient’s medical records. This includes individuals employed by your organization as well as partners, vendors, and the patients themselves. 

What puts patient data at risk?

As mentioned above, patient records contain a lot of sensitive data. In recent years, this data has come under increased threats from bad actors. 

According to data compiled by HIPAA Journal, between 2009 and 2021 there were 4,419 healthcare data breaches that involved 500 or more patient records. The annual number of such breaches has nearly doubled from 368 in 2018 to 714 in 2021. 

What has caused this increase? There are a number of factors at play, including:

  • The transition from paper records to electronic health records (EHRs): Paper records — while burdensome to handle, transmit, and store — are fairly secure simply due to the fact that accessing them requires proximity. As more providers and organizations digitize paper records and embrace digital-first record-keeping, it increases the risk that records may be inappropriately accessed by digital means. 
  • Increasingly concentrated healthcare systems: Since 2010, healthcare systems in the US have become increasingly concentrated due to mergers and acquisitions. This consolidation has ultimately led to an increased concentration of health records in fewer systems, meaning a single data breach can potentially impact a greater number of patients. These concentrated systems have also proven to be tempting targets for bad actors. 
  • The migration from in-person to digital healthcare: Digital health and telehealth services have grown popular in recent years, partially spurred by COVID-19 and the ensuing lockdown. In order to access these services, patients must create an account, which they must then subsequently log into for appointments. Unfortunately, each new account also offers bad actors a new potential path into your systems.

All of these factors make it easier for healthcare systems (and the massive amount of records they contain) to potentially fall victim to various types of hacking attacks. These include, but are by no means limited to:

The role of identity verification and authentication 

Unfortunately, there is no single silver bullet that will address all of the risks associated with protecting patient health records from inappropriate access. In most cases, identity and access management will require multiple policies, processes, and technologies working in tandem with one another. 

That said, while identity verification and identity management cannot address all of the challenges associated with identity management in healthcare, they can play an important role. 

Verifying your patients’ identity 

Some bad actors may try to take advantage of your organization by opening an account using fake or stolen information. Doing so successfully may mean that they can defraud your business out of medical fees, gain access to prescriptions for controlled substances that they should not have access to, or engage in other kinds of medical and insurance fraud. 

By verifying the identity of all new patients during the account opening and onboarding process — whether through government ID verification, document verification (think: insurance cards), database verification, selfie verification, and more — you can prevent these bad actors from even getting a foothold in your business. 

Verification during the onboarding process also makes it easier to implement reverification measures, as discussed below. 

Free white paper
See how experts evaluate verification solutions

Leveraging two-factor authentication during login

For as long as people have had digital accounts, those accounts have been protected by passwords. And ever since, bad actors have been developing new ways to steal, guess, intercept, or otherwise “crack” those passwords.

When a person’s login credentials are compromised, bad actors can use them to gain access to your systems — including potentially sensitive patient information. Strengthening the login process with two-factor authentication (2FA) adds an extra layer of defense against such attacks

Two-factor authentication (a form of multi-factor authentication) is the process of requiring a second form of authentication in addition to a user’s password before they are given access to an account, file, system, or other protected information. Examples include:

  • Biometric 2FA, which requires a user to submit a piece of information, such as a selfie, for analysis
  • Possession-based 2FA, which requires the user to have access to a trusted device such as a computer or smartphone, which receives a one-time security code
  • Knowledge-based 2FA, which requires the user to answer a security question in addition to supplying their password

Importantly, multi-factor authentication should be implemented on both the internal side of your business (i.e., for employee accounts) as well as externally (i.e., for your patients), as each side offers bad actors a potential way into your system.

Reverifying users at high-risk moments

Reverification involves periodically reverifying a person’s identity after they have initially been onboarded into your systems. 

While organizations leverage reverification for a variety of purposes, requiring users to reverify their identities just prior to initiating or completing high-risk actions on your platform can be a very effective way of safeguarding sensitive information. This is especially true in cases where login credentials have become compromised, or where a logged-on device has been stolen or perhaps left unattended.

So ask yourself, what high-risk actions can a user perform once they have logged into your platform, and does it make sense to place these actions behind a layer of reverification?

On the patient side of the equation, this might involve a patient trying to:

  • Access or download their health records
  • View or change their payment or insurance details
  • Update their log-in credentials
  • Renew a prescription for a controlled substance
  • Update key account information (such as their address, phone number, billing information, etc.)
  • and more. 

On the employee side of the equation, it might involve an employee trying to:

  • Access sensitive patient information
  • Make changes to a patient record
  • Download, share, or transmit sensitive data
  • Perform other suspicious activities

Identifying potential fraudsters through link analysis

All of the suggestions above revolve around preventing bad actors from gaining access to your business. But what if you suspect that you may already have bad actors on your platform? How can you differentiate potential bad actors from legitimate users so you can flag and ultimately remove their accounts? Link analysis can help. 

Link analysis is the process of understanding how different accounts on your platform may be linked to each other by shared account information, data, or other connections. It can be used to look for known fraud patterns, identify anomalies, and even detect new fraud patterns before they become obvious to the human eye. 

By identifying, analyzing, and understanding these links, it’s possible for you to detect duplicate accounts, discover potential fraud rings, and more. 

The right tools can help

Here at Persona, we understand the critical importance of protecting patient information in an increasingly digital healthcare landscape. That’s why HIPAA compliance is at the core of our identity verification platform, and why it informs each of our solutions — from how we handle PII storage to our verifications solution to our case management product to Graph, our link analysis solution, and more. 

Interested in learning more? Get a demo today.

Frequently asked questions

What is protected health information (PHI)?

Protected health information (PHI) is a term used to refer to the information specifically protected by HIPAA and other health privacy laws. HIPAA specifically lists 18 types of information that fall under this category:

  • Name
  • Address
  • Dates (birth, death, admission/discharge, etc.)
  • Phone number
  • Fax number
  • Email address
  • Social Security number
  • Medical records number
  • Health plan beneficiary number
  • Account number
  • Certificate and license numbers
  • Vehicle identifiers, serial numbers, and license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Full-face photos
  • Biometric identifiers
  • Any other unique identifying numbers, codes, or characteristics

Importantly, this information is only covered by HIPAA when it is created, received, transmitted, or stored by a HIPAA-covered entity during healthcare-related activities.

What is included in a health record?

Health records contain a lot of information about a patient. This primarily includes medical information, such as:

  • Demographic information (age, ethnicity, gender)
  • Height and weight
  • Medical diagnoses
  • Medical test results
  • Immunization records
  • Prescriptions
  • Allergies
  • Treatment history
  • Surgical history 

But it can also include other sensitive information, such as a patient’s Social Security number, insurance information, payment details, and other data that bad actors would take advantage of. 

What are the most important privacy laws related to healthcare?

In the United States, HIPAA is the most well-known of all privacy laws related to healthcare. But it’s far from the only regulation that organizations need to consider. Other laws include the Electronic Prescribing for Controlled Substances (EPCS) and the California Consumer Privacy Act (CCPA)/CPRA, amongst others.

Other countries and regions also have privacy laws. The most well-known of these is General Data Protection Regulation (GDPR). But others also exist, including PIPEDA (Canada), LGPD (Brazil), POPI (South Africa), and more.

Continue reading

Continue reading

Automate school account recovery requests with risk-based identity verification tools
Automate school account recovery requests with risk-based identity verification tools

Automate school account recovery requests with risk-based identity verification tools

Learn how online identity verification can help you automate and simplify your school’s account recovery process.

Guide to KYB in banking
Guide to KYB in banking

Guide to KYB in banking

A strong Know Your Business (KYB) program is the best way for banks and financial institutions to protect against fraud and other financial crimes.

How to detect ghost students and prevent student aid fraud
How to detect ghost students and prevent student aid fraud

How to detect ghost students and prevent student aid fraud

Online identity verification can help schools stop ghost students who steal student aid funds and disrupt classes.

5 best practices for securing health data

5 best practices for securing health data

Healthcare organizations must prioritize data security to protect patient information and ensure regulatory compliance. Learn how.

Cloud security in healthcare: Key considerations

Cloud security in healthcare: Key considerations

Learn about the key considerations in any healthcare cloud security environment.

Know Your Patient (KYP): How to mitigate healthcare fraud

Know Your Patient (KYP): How to mitigate healthcare fraud

KYP is a necessary measure of protection for all sectors of the healthcare space. Learn more.

Ready to get started?

Get in touch or start exploring Persona today.