Measure Twice, Cut Once: Healthcare Organizations Take a Lesson in Carpentry
This also got me thinking about how important this mantra is for healthcare and insurance providers when they are determining the authenticity of a patient's identity during the initial enrollment into healthcare portals that provide access to Personal Health Records. Not enough can be said about how critical it is for providers to verify the identity upfront (measure twice) before granting access, privileges, credentials and services (cut once).
Just as financial institutions have recognized the huge benefits of offering online banking to their customers, healthcare organizations are quickly learning that self-service online portals are one of the most cost-effective, convenient means of interacting with their patients and members. Yet for many organizations, more than half of the members who begin the process of enrolling for online access never finish, and instead turn to other, more costly methods of contact.
Why? Because the manual process of verifying a user's identity takes too long!
I speak from personal experience, too. Last year, when trying to get access to my information online from my healthcare insurer's portal, I received a message that I would be sent a one-time code through the mail and that I could expect to receive it in 7 - 10 business days. I don't want to wait seven days; I want access now. So when the code did come in the mail, I put it aside and ultimately never registered on the portal.
Not only is this frustrating (and certainly no way to drive adoption), it is a time-consuming and costly process from a business perspective. Think about it: if you are manually sending individuals a PIN via snail mail, there is a significant amount of manual work, and patients wait up to 10 days to access their data online. Coupled with an average cost of $15 to manually activate or reset account information, the process becomes quite expensive. For example, 100,000 new activations and password resets per year at $15 each comes to over $1.5 million in operational expenses that you could eliminate simply by automating this one process.
Additionally, the emergence of Electronic Health Records (EHR) and healthcare portals opens another potential door for cybercriminals to gain access to healthcare data and other personal information. EHRs and healthcare portals contain massive amounts of PII, including dates of birth and Social Security numbers, as well as sensitive information about medical diagnoses and treatments. And for those that enable payment of medical bills and other account management services online, there is the prospect of gaining access to financial data. In fact, the World Privacy Forum has reported the street cost for stolen medical information is $50, versus $1 for a stolen Social Security number. Even more disturbing is once you are a victim of medical identity theft it is extremely challenging to get resolution. Simply put, victims can close a compromised bank account or credit card, but they can't delete or change their personal information, medical records or history of prescription use.
So, what happens when personal information gets out there?
- Personal data could be used by criminals to open new credit accounts in the victim's name;
- Individuals could be wrongly accused of abusing medical services because of criminals filing false medical claims or prescriptions using their information;
- Individuals could see medical collection notices on their credit file for services they never received;
- Individuals could be threatened with blackmail or extortion from criminals threatening to expose sensitive medical or health details;
- Individuals could receive the wrong medical treatment due to false entries in their medical records.
For healthcare organizations that offer portals for their patients or members, here are some key questions to consider:
- How are you verifying the identity of your members when they try to enroll in your online portal?
- Are you experiencing high rates of abandonment among members during the enrollment process? Or are you having difficulty driving adoption to your portal?
- How are you providing members with the PIN or password they need to access their information in your portal? What are the costs associated with this process? (e.g. How many members * postage = cost)
- What kind of security measures must be implemented to meet compliance requirements?
Angel Grant is a Principal Manager in RSA, The Security Division of EMC's Identity Protection and Verification group. She has more than 15 years of experience in the security and financial services industries and is responsible for a variety of initiatives which protect organizations against fraud and identity theft.
Prior to joining RSA, she was an Online Banking Senior Product Manager at P&H Solutions where she helped launch one of the industry's first online corporate cash management applications. Previously, she managed a mortgage division inside sales and service team for a large financial institution. Mrs. Grant holds a B.S. from Bentley University and studied at Oxford University.