Just recently we saw two major data breaches in the health space: Quest Diagnostics and LabCorp. The former saw the data of a potential 11.9 million patients exposed, while the latter involved the theft of 7.7 million patient records.
But this wasn’t the first time the industry was victim to a data breach. We can all remember the massive ransomware attack on the National Health Service (NHS) just a couple of years ago, and data shows that there have in fact been over 2,550 health care data breaches impacting more than 175 million medical records in the last decade.
However, what is perhaps not commonly acknowledged is that medical records command an exceedingly high value on the dark web. These medical records can be listed for up to 10 times more than the average credit card data breach record. This is because there is far more personal information attached to health records than any other electronic database.
Given the scope of recent data breaches in this space, and the growth of the dark web and identity theft, cybercriminals are now more empowered than ever to easily impersonate legitimate patients. Therefore, it is of critical importance that all sectors of the health space properly vet and verify their patients to ensure that they are who they claim to be.
The emergence of KYP
We’re all familiar with the term Know Your Customer (KYC), which has formed a vital part of today’s financial regulatory environment. It is the basis of verifying the identity of clients to prevent banks from being used, intentionally or unintentionally, by criminal elements for money laundering activities.
However, given the degree to which medical institutions are being victimised by fraud (e.g., prescription and insurance fraud) and the need to ensure patients are of legal age for specific medications and procedures, perhaps now is the time for the health care industry to adopt a similar standard to KYC – something we call: Know Your Patient (KYP).
The growing need for online identity verification
There are a number of clear reasons for online identity verification. For example, with online prescriptions, there are growing regulations that require online pharmacies to verify the identities of patients seeking prescriptions. In the UK, online pharmacies are required to perform age verification under new guidance published by the General Pharmaceutical Council.
In addition to this scenario, automating data capture during patient intake is also crying out for KYP. Verifying new patients is still a manual and time-consuming process. Streamlining the intake process would boost efficiency by drastically cutting down on potential for human error and further reducing time spent on rejected insurance claims.
Health insurance fraud is yet another area for consideration. When a patient’s identity and privacy are compromised, not only do they suffer financial fallout, but the industry has to deal with fraudulent claims and any related legal fees. A thief may use your name or health insurance ID to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance, payment records and credit history may be affected.
Underpinning all of these use cases is of course the reputation management element. If patient data falls into the wrong hands, it can tarnish that organisation’s reputation instantly. Having the power to verify patient identities accurately allows hospitals and other practices to confirm that any given record is accurate and up to date, and gives them the peace of mind that their patient data isn’t being used by malicious hackers or fraudsters.
It’s therefore vital that health care organisations get the verification process right. Advances in digital identity proofing and biometric-based authentication technologies hold great promise that health care can be delivered in smarter, simpler and more cost-effective ways and address the emerging use cases just discussed.
KYP in practice
So how would a KYP process work? Firstly, the health care organisation asks the online user (patient) to capture their government-issued ID (e.g., driver’s license, passport or ID card) via their smartphone or computer’s webcam, followed by a live selfie (in which a 3D face map is created) to ensure the person behind the ID is the actual person creating the online account.
Then, they would ensure that the ID document is authentic and unaltered and that the person (patient) pictured in the selfie matches the picture on the ID. They could then check the returned identity for minimum age requirements and potential fraudulent activity through fraud detection analytics to help minimise risk and loss. Depending on the results, hospitals, offices, clinics and pharmacies could then approve or deny the new online account and attempted purchases.
On an ongoing basis, after an online account has been approved, medical offices and pharmacies could approve future online prescriptions and treatment requests by capturing a new 3D face map of the patient and using online identity verification technology to automatically compare it to the 3D face map captured at enrolment to authenticate the patient.
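The enrolment checks described above (document authenticity, live selfie, face match, minimum age, fraud analytics) can be combined into a single approve-or-deny gate that fails closed when any check is missing. This is an added example, not code from the article or from any vendor; the field names, thresholds and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical thresholds (assumptions, not from the article or any vendor).
FACE_MATCH_MIN = 0.90
FRAUD_RISK_MAX = 0.30

@dataclass
class Signals:
    """Outputs of the upstream checks; None means the check did not run."""
    document_authentic: Optional[bool]
    liveness_passed: Optional[bool]
    face_match_score: Optional[float]   # selfie vs. ID photo, 0..1
    date_of_birth: Optional[date]       # read from the ID document
    fraud_risk_score: Optional[float]   # fraud analytics, 0..1

def age_on(dob: date, today: date) -> int:
    """Whole years completed; this year's birthday must already be reached."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def decide_enrolment(s: Signals, min_age: int, today: date) -> tuple[str, list[str]]:
    """Return ("approve" | "deny", reasons). Any missing or failed check denies."""
    reasons = []
    if s.document_authentic is not True:
        reasons.append("document_not_verified")
    if s.liveness_passed is not True:
        reasons.append("liveness_not_verified")
    if s.face_match_score is None or s.face_match_score < FACE_MATCH_MIN:
        reasons.append("face_mismatch")
    # A birth date is only trusted when the document it came from is authentic.
    if s.date_of_birth is None or s.document_authentic is not True:
        reasons.append("age_unverified")
    elif age_on(s.date_of_birth, today) < min_age:
        reasons.append("under_minimum_age")
    if s.fraud_risk_score is None or s.fraud_risk_score > FRAUD_RISK_MAX:
        reasons.append("fraud_risk")
    return ("deny" if reasons else "approve", reasons)

# Constructed sample inputs.
TODAY = date(2024, 3, 1)
GOOD = Signals(True, True, 0.97, date(2000, 2, 29), 0.05)
MINOR = Signals(True, True, 0.97, date(2006, 3, 2), 0.05)    # turns 18 tomorrow
NO_LIVENESS = Signals(True, None, 0.97, date(1990, 1, 1), 0.05)

if __name__ == "__main__":
    for name, s in [("good", GOOD), ("minor", MINOR), ("no_liveness", NO_LIVENESS)]:
        print(name, decide_enrolment(s, 18, TODAY))
```

Returning the list of reasons rather than a bare boolean gives reviewers and audit logs the specific check that blocked an account.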
Now is the time for health care organisations to adopt a rigorous KYP procedure, not only in light of the rising data breaches in the space and the subsequent growth of the dark web, but because 89 per cent of English consumers are worried about breaches. And of those, 80 per cent worry most about a data breach of their health information. A KYP procedure is the only clear way forward in light of this, and in the face of growing cybercrime in the space.
Dean Nicolls, Vice President of Marketing, Jumio