Tag: identity management

Not every healthcare organization embraced electronic medical records (EMRs) at first. But the incentives and regulations put in place by Meaningful Use and the Affordable Care Act have made it necessary to implement them. Now, organizations are not only embracing EMRs, but also making it easier for their patients to access and manage them through remote portals. According to the Office of the National Coordinator for Health IT, approximately 63 percent of patients who used portals did so at their doctors’ recommendation. Despite the growing popularity of patient portals, there are still more than 25 percent of patients who refuse to use them for fear of jeopardizing their data. Considering the sensitive nature of their protected health information (PHI), along with the nearly 5.6 million health records that were compromised last year, those fears are more than reasonable. What can providers do? Hackers have honed in on the healthcare industry for two main reasons: the treasure trove of valuable information in medical records and a sometimes dated approach to cybersecurity. In fact, between 2009 and 2016, more than 30 percent of all big data breaches occurred within healthcare systems. Without proper encryption methods, login redundancies, and detection tools, portals are almost as easily accessible to hackers as they are to authorized users. As their usage grows, that lack of security will become an exponentially greater threat to patients’ PHI and identities. “Many of us are accustomed to keeping the same name and password with our accounts, and as we know, that information is very lucrative to the right individuals," says Victoria Dames, Director of Identity Management for Experian Health. "While it's our due diligence to constantly change them, there are certain scenarios where maybe we forgot to change them or we don’t regularly login and that password may sit idle. When that happens, you want to make sure that you have the right technology in place to be able to catch somebody potentially logging in, trying to impersonate a patient.” Providers can’t lower the value of PHI to make it less attractive to hackers, but they can protect it more effectively with up-to-date cybersecurity measures. These four tips can help organizations bring their patient portal security up-to-date and keep their networks safe from unauthorized access: 1. Automate the portal sign-up process. Automating the initial sign-up process can stop false enrollments into the portal at the source. When implemented correctly, the automation will only require the patient to enter a few pieces of information, and then the software can confirm the user’s identity on the back end. 2. Leverage multilayer verification. After patients have signed up to access the portal, using multilayer verification can ensure all future sessions are equally secure. For example, two-factor authentication adds additional protection on top of conventional login credentials. In addition to a password or PIN, users also have to provide something personal such as a cell phone number, ZIP code, fingerprint, iris scan, or more. If the user’s device, account ID, and/or password are compromised, two-factor authentication can ensure the organization’s network remains safe. 3. Keep anti-virus and malware software up-to-date. Multilayer verification protects users’ direct access to portals, but there are other, more frequent vulnerabilities that also need attention. For instance, HIMSS Analytics recently found that 78 percent of providers experienced ransomware and malware attacks last year. Email is the avenue of choice for malware, and these attacks constantly evolve to slip past conventional security measures. If anti-virus software is outdated, it remains vulnerable to every new iteration of malware that attacks the network. Most solutions allow for automatic opt-ins so updates are downloaded and installed as soon as they’re made available. 4. Promote interoperability standards. When primary care physicians, specialists, and healthcare payers talk to one another throughout the course of a patient’s care, it isn’t always through email. When their systems aren’t compatible, they can’t communicate as clearly and securely as they need to. Interoperability makes it possible for disparate systems to share medical histories and patient data while making that data easily understandable on either system. Because interoperability is essential for improving the continuum of care, the Centers for Medicare and Medicaid Services provide standards for healthcare organizations to promote it. More patients and providers are optimistic about using technology to improve the healthcare experience. However, one in five patients remain so suspicious of healthcare data security that they refuse to even divulge some information to their physicians. Fortunately, with the right tools, organizations can effectively strengthen portal security and boost the confidence their patients have in them.

This week, Experian Health is a proud partner of National Health IT Week. U.S. National Health IT Week is a nationwide awareness week focused on catalyzing actionable change within the U.S. health system through the application of information and technology. Comprehensive healthcare reform is not possible without system-wide adoption of health information technology, which improves the quality of healthcare delivery, increases patient safety, decreases medical errors, and strengthens the interaction between patients and healthcare providers. Initiated in 2006 by the Healthcare Information and Management Systems Society (HIMSS), National Health IT Week has emerged as a landmark occasion for using health IT as part of the overall solution to improve America’s healthcare as a bipartisan, federally led, market driven initiative. While the healthcare industry has transformed in the last decade as health organizations have moved to electronic health records (EHRs), it brings us one step closer to the vision of comprehensive care coordination, but fully achieving care coordination across the vast health enterprise is still a long way ahead. While a recent American Hospital Association (AHA) survey showed that nearly all reported hospitals (96 percent) possessed certified EHR technology in 2015, the Office of the National Coordinator for Health Information Technology reports that there is very little coordination of patient data across the healthcare ecosystem. Much of this disconnect begins with the inability to transfer data in a secure manner that will match, manage and protect patient identities across enterprises. "As hospitals must now deal with hundreds of thousands of electronic patient records, spanning multiple systems and departments, the traditional technologies to managing patient information are no longer sufficient," says Karly Rowe, Vice President of New Product Development, Identity and Care Management Products for Experian Health. "Leveraging sophisticated matching technology and outside data sources, can improve patient identification and prevent duplicate or overlapping records which result in inappropriate care, redundant tests, and medical errors – as well as make data accuracy higher for clinical, administrative, and quality improvement decision purposes." To solve the industry problem of matching, matching and protecting patient identities across the healthcare ecosystem, we must start by creating a universal patient identifier (UPI) to make patient data truly interoperable. For example, one of the biggest challenges in managing patient data begins when patients move, change names, or switch doctors and their EHR doesn’t follow them. They have to start over, trying to recall events and dates in their medical history with a new doctor, who is tasked with providing care without the detailed insight into the patient’s medical record. But if that same patient had a universal identifier that allowed healthcare providers to communicate with another healthcare provider about a patient, the new provider would know all the ins and outs of that patient’s history, leading to a more holistic approach to care and higher patient satisfaction. Simply put, a UPI can be thought of as a mechanism to link all patient information and associate it with the right individual based on patient data. This is similar to how credit bureaus link an individual’s credit history to the right individual to ensure accurate reporting. Using a similar model, patient data — and supporting patient demographic data — can be used for the common good to improve patient safety, increase quality of care and reduce mistaken identity risks. The benefits of a UPI extend across the entire healthcare system as well, as it improves the quality of patient identities, which can have duplicate, overlapping and incomplete records. Additionally, a UPI can help eliminate incorrect medical treatments; deliver current and accurate patient data; and prevent identity fraud, HIPAA breaches and incidental disclosures of protected health information (PHI). Ultimately, this will build patient trust through increased visibility and record accuracy. Knowing that preventable medical errors, many of which are the result of incorrect patient identification, are the third leading cause of death in the United States. The creation of a UPI will allow the healthcare industry to facilitate accurate information exchange to stop problems before they start. For example, if a patient shows up to fill a prescription and is mistaken for another patient with the same name and given the wrong prescription, there could be fatal interactions with other medications that patient is taking. The National Council for Prescription Drug Programs (NCPDP) has already started using this technology to establish national patient safety identifiers. A national patient safety identifier, or UPI, is a vendor-neutral, cost-effective solution that will link patient data at scale efficiently and accurately to improve patient safety and care coordination. Identity management is a critical, underlying component to every interaction, and healthcare is no exception. To fully achieve the goal of comprehensive care coordination, creating a UPI to help match, manage and protect patient data is the first step in achieving the interoperability of patient data. Participate in National Health IT Week’s Virtual March and help catalyze actionable change within the U.S. health system through the effective use of health IT.

There's no question that portals increase patient engagement. According to the Office of the National Coordinator for Health IT, almost eight in 10 patients appreciate the improved access to healthcare information afforded to them by self-service systems. Unfortunately, portal systems also offer an obvious target for healthcare hackers. Within a patient portal, criminals can steal medical identity data, which is worth somewhere between 20 and 50 times as much as financial data, such as credit card numbers. They then use the stolen information to submit fraudulent claims, fill prescriptions, and resell medical equipment. What's more, because many healthcare organizations lack proper detection tools and some patients neglect to check their explanation of benefits (EOB) statements, health data breaches tend to go undetected longer than those in other sectors. No wonder healthcare data security incidents rose 211 percent in 2017, according to the 2018 "McAfee Labs Threats Report." Protecting patients' data with technology Patient portals engender patient engagement and loyalty, but if a data breach occurs, that loyalty is quickly lost. Besides losing patients’ trust, healthcare organizations that experience a data breach face potentially severe HIPAA penalties. Healthcare firms can learn a great deal from how other industries have met similar security challenges without overburdening consumers. Providers can use best-in-class technologies, data and analytics systems, and their deep understanding of patient needs to manage risks and protect patient identities. To arm providers against breaches, Experian Health offers Precise ID® with Digital Risk Score to protect portal users’ identities from their first sign-in to their last. By automating the portal signup process, it stops false enrollments at the source. Then, using multilayer verification, it provides access protection for future sessions. Because Precise ID takes less than a second to evaluate access risks, patients don't need to sit through loading screens. On the provider side, Precise ID satisfies the Centers of Medicare and Medicaid Services' Promoting Interoperability standards, minimizing compliance risks. At a time when one in five patients withhold information from physicians because of data breach concerns, Precise ID builds trust between patients and providers by protecting patients' data from unauthorized access. Giving patients the power to access their medical information through portal technology has been one of the past decade's biggest steps forward in improving patient-provider relationships. But with that reward comes responsibility: Providers must protect portals from unauthorized access and theft of medical records. With Precise ID with Digital Risk Score, providers get the security they need, and patients get the seamless access they've come to expect.

Healthcare has always been driven by data, and today, providers have access to an unprecedented amount from a wide variety of sources. While this influx could be a blessing to the healthcare industry as a whole, it also poses a number of challenges, particularly when it comes to patient identity management. With a soaring volume of patient information coming in from numerous sources, identity errors become increasingly more likely, as well as the potential consequence of fatal mistakes. Keeping this in mind, the importance of effective identity management cannot be overstated. Every year, an estimated 195,000 people die due to medical mistakes. More than half of those deaths – 10 out of every 17 – are the result of identity management errors, such as duplicate records and mistaken patient identities. While current healthcare IT solutions attempt to tackle these discrepancies, they only succeed in identifying about 10 percent of all duplicate records. Consequently, patients often undergo repeated tests or receive incorrect treatment or medication that can result in adverse effects to their health. Also, there is limited coordination of patient data throughout the healthcare ecosystem. The main culprit of this is the lack of secure data transfers that compromise patient records and identity. This raises the question: How can healthcare organizations better manage the massive amounts of data related to each patient’s medical identity? Luckily, such issues can be improved with Experian Health’s Universal Identity Manager (UIM), which creates a single identity for individual patients across multiple disparate healthcare databases. Upgrade your identity management system The ability to share patient information across multiple healthcare organizations with different care management programs is at the core of optimizing overall patient care. Properly utilizing patient and population health data can dramatically improve an organization’s efficiency, raise its quality of care, and lower its readmissions rate. For patient data to be useful, however, providers require a robust infrastructure that allows for secure, precise, and accurate storage of patient data. The same framework should be able to assign patients unique identities across the entire network. In turn, a single, universal patient identity system allows for better analytical insights and more effective care personalization. This kind of management system also allows an organization to add relevant data to a patient’s medical profile faster and more accurately, creating an improved dynamic database that can develop personalized patient engagement and care plans. How Experian Health’s universal identity management software helps Administrative slip-ups in healthcare can have drastic consequences for a patient’s health and wellbeing. Eliminating these inaccuracies is the main goal of Experian Health’s UIM solution. Experian Health has the benefit of leveraging data assets available to us from being part of broader Experian. As a result, the identity management software generates and assigns a unique identifier to each patient that remains consistent across various healthcare systems, such as hospitals, therapeutic facilities, pharmacies, and healthcare payers. Drawing on decades of experience in identity management, Experian Health's multi-matching methodology approach eliminates duplicate and erroneous data through comprehensive search and alert processes. It provides a high degree of likeliness because it expands beyond the limitations of the conventional single-matching methodology that most health systems use today. Even records created on disparate healthcare systems can be automatically analyzed and assigned to the appropriate patient identity. In addition to eliminating discrepancies that could affect the quality of patient care, universal identity management also reduces medical and billing errors, ultimately minimizing an organization's risk of fraud. The solution also works in tandem with Experian Health’s suite of patient engagement and transparency tools, including its Patient Self-Service portal, to further optimize an organization’s ability to deliver personalized, high-quality care. Unique patient identifiers are critical for healthcare organizations to reduce the risks of inaccurate and duplicate records that lead to errors and low-quality care. Combined with Experian Health's suite of patient engagement and price transparency tools, its identity management software is a leap toward making efficient and reliable interoperability more possible across the healthcare ecosystem.

The evolution from paper to online medical records is an opportunity to engage patients more fully in their care while making healthcare organizations more efficient. However, while patients enjoy the convenience of self-service access to all of their medical information, the portals offer cybercriminals a one-stop-shop for identity theft as well. According to Identity Theft Resource Center in San Diego, medical identity theft is the fastest growing type of identity theft, increasing at 32% annually. In fact, healthcare-related data breaches are already 10 times more frequent than data breaches in the financial services sector. And unlike stolen credit card information, which is often detected within a few transactions, medical identity theft often goes undetected for over a year. The comprehensive data contained in patient portals is especially lucrative to fraudsters, demanding a premium price in the underground market. While a stolen credit card number may sell for a dollar, a full set of medical records can command hundreds of dollars. The breadth of data within a patient portal offers fraudsters multiple opportunities to “cash in.” Compounding the problem is the level of detail presented on patient portals, often including unmasked insurance IDs, full images of patients’ insurance cards, problem lists, prescription histories. Stolen medical identities are used by criminals in two ways: obtaining medical care under the victim’s identity and using the identities to fraudulently bill for services or durable goods, which were never delivered. Problem lists, which are a mandated component of patient portals, are particularly useful to criminals, because they allow classification of each victim by the type of fraud which their identity could support. The problem lists typically use standard terminology, which makes them particularly useful for classification purposes. Using malicious software, criminals can search the lists for “key words” describing conditions that demand specific types of services or durable goods. This targeted approach would make fraud more personalized to the victim’s profile and harder to detect. Most patient portals use simple password protection, which can be easily captured by key-logging malware. This type of malware lays dormant on the victim’s machine, waiting for the victim to log into a patient portal site. When the patient logs in, the malware wakes up and captures the victim’s username and password. Using the stolen credentials, the criminals can get into the site, and once in can collect extensive information about the victim. Medical identity theft has severe consequences for both patients and providers. Patients are faced with the financial costs of covering fraudulent bills and medical costs stemming from treatment of other individuals. Comingling of the victim’s and the criminal’s medical records can also put the patient in life-threatening situations if treated or diagnosed incorrectly. Providers face steep financial costs from retribution payments and HIPAA violation fees up to $1.5M per violation, however arguably the most significant consequence they face is damage to reputation. Complicating matters is the fact that security measures cannot be so onerous that they dampen consumer adoption. Towards that end, use of covert technologies to analyze the identities and devices enrolling into a patient portal or logging in to it can increase security without impacting user experience. Precise ID® with FraudNet for healthcare portals provides healthcare organizations with a way to confidently authenticate patients and reduce risk during enrollment and ongoing access to healthcare portals. It does so in a streamlined manner without burdening patients with increased wait times and complexities. Together, these solutions identify fraud, authenticate patients and validate devices – all in a single platform. To learn more, view Experian Health’s complimentary on-demand webinar, “The Hidden Risks of Healthcare Portals,” or download the new white paper, “The Pitfalls of Healthcare Portals,” where we outline why your portal may be more vulnerable than you think.