Health care organizations face unique security challenges, stemming from the sensitive data they regularly work with, the appetite of cybercriminals for this information, and the difficulties of fending off breaches while also wrangling with issues such as patient identity fraud. The enormous scale of the health care industry complicates all of these problems:
- The U.S. Centers for Disease Control and Prevention estimated that the country spent $3 trillion, or roughly one-sixth of its Gross Domestic Product, on health-related expenses in 2014. Hospital visits were the largest portion of this total, followed by physician visits and clinical services and then prescription drugs.
- That same year, the Centers for Medicare and Medicaid Services, working with the RAND Corporation, estimated that fraud added as much as $98 billion to annual Medicare and Medicaid spending, part of a staggering $272 billion across the entire U.S. health care system, according to The Economist.
- There is enormous opportunity for false billing and unnecessary services in the U.S. system in particular, since it is a complex mix of public and private payers. Specific tactics such as unbundling (billing a single procedure as several separate services), kickbacks for referrals and medical identity theft all exploit that complexity.
Data breaches are undoubtedly still a central concern for members of the health care sector, but fraud is becoming a problem of similar scope and one that exacerbates the type of damage caused by cyberattacks. For example, medical identity theft and improper billings both contribute to higher premiums and out-of-pocket costs for patients, as providers struggle to cover losses that may have already accumulated from previous incidents.
The various types of health care fraud are well recognized as threats, yet they remain under-addressed in terms of the security mechanisms actually deployed. A 2015 study from the Office of the National Coordinator for Health IT found that fewer than half of U.S. hospitals had the infrastructure for two-factor authentication (2FA); the figure was only 35 percent for critical-access hospitals and 40 percent for rural ones.
More on 2FA and its Role as an Identity and Authentication Solution in Health Care
There are many possible routes health care providers can take to protect patient data, ensure proper access controls and comply with applicable legislation such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. 2FA/multi-factor authentication (MFA) is particularly appealing because it is a relatively cost-effective and user-intuitive way to mitigate risk and meet HIPAA's standards. Note that the HIPAA Security Rule requires person or entity authentication but is technology-neutral and does not prescribe a specific mechanism; MFA is a widely accepted way to satisfy that requirement for access to electronic protected health information.
Moreover, 2FA can be enforced in several ways, depending on the user population in question and the requirements of the organization. A second factor combined with a basic login can take several forms:
- A one-time passcode (OTP), provided that it is generated by a secure device and is of sufficient length, is a good fit for infrequent users of something like a medical content management system.
- Federal Information Processing Standard (FIPS) 140-2 is also relevant for compliance with Centers for Medicare and Medicaid Services rules. FIPS 140-2 itself covers the validation of cryptographic modules (including the chips in smart cards); the card design features sometimes required alongside it, such as printed graphics, fingerprint templates and a digitally signed facial image, come from FIPS 201, the Personal Identity Verification (PIV) standard.
- Logical and physical access can both be tied to a common smart card credential. This way, a single physical access control system can be set up across the enterprise and tightly integrated with the human resources department, so that credential issuance and revocation keep pace with hiring and departures.
- Basic patient ID cards, as well as mobile solutions that leverage the growing presence of smartphones and tablets in health care settings, can also help reduce fraud and improve the quality of services.
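To make the one-time-passcode option above concrete, here is an added example (not code from the original article or from Entrust) of how an OTP second factor is generated and checked on the server side under RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the published RFC test secret, so the outputs can be checked against the RFC tables; a real deployment provisions a random per-user secret. The `TotpVerifier` class, its clock-skew window and its replay check are assumptions of this example, not a description of any particular product.

```python
import hmac
import hashlib
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# Constructed for this example; never reuse a fixed secret in production.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Server-side check for one user's TOTP codes (assumed design).

    - window: number of 30-second steps of clock skew tolerated on each side.
    - last_step: highest time step already accepted; a code for that step or
      an earlier one is rejected, which blocks replay of a sniffed code."""

    def __init__(self, secret, step=30, digits=6, window=1, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.algo = algo
        self.last_step = -1  # would be persisted per user in a real system

    def verify(self, code, at_time=None):
        if at_time is None:
            at_time = time.time()
        # Reject malformed input before doing any crypto.
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(at_time) // self.step
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already used, or older than an accepted code
            expected = hotp(self.secret, step, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at T=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
```

In production the `last_step` value must be stored per user and updated atomically with the successful check, or two concurrent logins could both accept the same code. Note also that an OTP typed into a web form is not phishing-resistant; the smart card and PIV-style credentials described above bind the credential to the relying party and do not have that weakness.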
Ideally, strong authentication in a health care setting is implemented with end-to-end token and credential management, whereby a single platform issues and authenticates all credentials; Entrust IdentityGuard is designed to provide this. Under such a setup, it is not necessary to stand up a separate certificate authority, since one is built into, and managed by, the authentication platform.
Deployment can be done entirely on-premises, in the cloud or through a combination of the two. The deployment model determines how employees are authenticated and where cards are printed. Entrust IdentityGuard has already helped health care institutions such as Gwinnett Medical Center in Georgia to improve their authentication practices.
“We now are able to save money across the board and deploy strong enterprise authentication for a larger group of users, and employees can carry the grid cards with their ID badges, which makes them much easier to keep track of than a key-fob token,” explained Rick Allen, IT director at Gwinnett Medical Center. “In addition, the platform supports a wide array of authenticators that, in the future, can help us secure a variety of applications that also house sensitive patient information.”
Preparing for the Future of Health Care Fraud and Breaches
Health care spending is likely to continue rising in the years ahead, in turn raising the stakes for fraud reduction and secure authentication. Using 2FA/MFA and end-to-end token and credential management can give hospitals, clinics and pharmacies a stronger foothold in protecting sensitive data from theft.