By Walt Meffert
An online search of “data security” in the news returns more than 710 million articles. The first seven pages of results are articles about data breaches of private information. Personal. Financial. Health.
In 1978, decades before you could search for “data security” news online and the internet became what we know it to be today—a proliferation of mobile apps, online banking, wearables and the data sharing we participate in daily—researchers at Purdue University were pointing out the information security issues users would face in the future. “The white-collar criminal, the old adage goes, is a man who has learned to steal with a pencil,” according to the researchers. “In the last decade or two, a few of the more perceptive of these entrepreneurs have discovered that the rewards are greater, and the risks lower, if they steal with a computer.”
The authors explored four different types of data security, from limiting physical access to data to encryption (both of which are still used today around the world to protect data), but acknowledge that: “All these controls are subject to practical (and sometimes theoretical) limitations which keep them from achieving their objectives under all conditions. No mechanism is perfectly secure. A good mechanism reduces the risk of compromise to an acceptable level.”
(I recently wrote about the importance of data security vis-à-vis security certifications as a way to help organizations understand IT security vulnerabilities and how to remedy them.)
And while many organizations use the highest level of security available to protect data, issues remain. And consumers understand that their data can be compromised—in many cases it already has; see the search results—at any time. “Nearly two-thirds of all Americans (64%) have at least one online account that holds their health, financial or other sensitive personal information. And a similar share (64%) have experienced or been notified of a significant data breach pertaining to their personal data or accounts,” according to a 2019 Pew Research Center study. “(M)ajorities of the public are not confident that corporations are good stewards of the data they collect. For example, 79% of Americans say they are not too or not at all confident that companies will admit mistakes and take responsibility if they misuse or compromise personal information, and 69% report having this same lack of confidence that firms will use their personal information in ways they will be comfortable with.”
Forty-four years after the Purdue University researchers published their data security article, organizations contend with more sophisticated data safety challenges as healthcare consumers demand a better, simpler online experience, often driven by the desire for quick access to their most personal data. That demand, it turns out, is not at odds with developing and implementing tools and processes to reduce risk.
Healthcare data safety, security
Between the lack of confidence expressed by consumers who willingly or unwillingly provide personal data, to the ongoing risk of data hacking and system malware infiltrations, healthcare organizations that value members and their members’ experiences must work to secure personal information and other forms of individual data. These efforts can improve the interaction and help build trust between the company and the individual and improve the overall member experience with the company’s website, mobile app or interactive voice response (IVR) system.
A risk-based approach, one in which an organization focuses on those security challenges it’s most likely to face, is the preferred method of keeping a healthcare consumer’s data safe. “Cyber attackers are growing in number and strength, constantly developing destructive new stratagems,” says McKinsey & Company in a report on a risk-based data infrastructure. “The organizations they are targeting must respond urgently, but also seek to reduce risk smartly, in a world of limited resources.”
The Healthcare Cybersecurity Act of 2022, introduced to the US Senate on March 23, 2022, calls for cybersecurity training, including risk mitigation, for the healthcare industry. The bill relates that during “almost every month” in 2020, 1 million people were impacted by healthcare data breaches; cyberattacks on healthcare facilities increased by 55% in 2020. “Healthcare and Public Health Sector assets are increasingly the targets of malicious cyberattacks,” according to the Healthcare Cybersecurity Act of 2022, “which result not only in data breaches, but also increased healthcare delivery costs, and can ultimately affect patient health outcomes.”
The happy accident
In information security, the paradigm is such that not a lot of thought is given to improving the user experience, not out of neglect, but because of the intense focus required to get protection measures right.
Information security experts think in terms of:
These are the questions that keep information security specialists up at night.
Nevertheless, those of us in IT security have discovered that implementing new data security features often does have the added benefit of making the user experience better. In a way, it’s a happy accident.
B2C companies must make the user experience convenient and easy to use. Not doing so increases the risk that your current customers will go someplace else where the experience causes fewer headaches and less stress.
In healthcare, of course, members are often captives without the ability to make changes in their coverage until the next open enrollment. Even so, they will remember a bad experience with a website, mobile app or IVR; getting it right is crucial for current members, prospective members and those members you hope will return.
“If they achieve the right balance (between security and the customer experience),” McKinsey & Company explains in a report, “users will be offered a seamless journey—creating greater business opportunity—while the risk from exploitative attackers will fall significantly.”
Today, smartphones allow users to use facial recognition to open the device; many apps use the same functionality. Other biometric options include finger or voice prints to confirm the user’s identity.
Biometrics are but one new level of security measure that healthcare organizations should take advantage of to safeguard the business as well as members, and they also have the effect of improving the customer experience.
Interactive Voice Response
Oftentimes, IVRs may ask for more information than necessary to identify a user. By using a stored voiceprint and phone number, an IVR can quickly understand if you are who the system thinks you are. This makes the customer experience proceed more quickly whether the user’s question can be answered by the IVR or a human customer service representative. It also helps ensure data security.
But to get to the endpoint, the first time a member calls an IVR, a fair amount of personal data will be collected to establish identity. Every encounter that follows, however, will be faster with fewer questions.
This type of real-time authentication could involve sending a text message with a link to click. Once you click the link confirming the phone number on file with the organization, an authentication service will then use the biometrics capabilities built into the phone to fully confirm a member’s identity.
All the member has done is make a phone call and click a link. And we now have very strong authentication because we're also using biometrics.
A good IVR system reduces the time a user spends on a call, provides information and helps ensure accuracy, rather than simply reducing or avoiding the human interactions a user has with a company.
Eliminating passwords without the loss of data security is another way to help improve the member experience. Just imagine not needing to remember passwords anymore; all a member would need to do is call from the same phone number used in the past and the organization could use this as the first step in authenticating identity. From there, biometrics can be used as the second part of a two-factor authentication process.
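As an added illustration of the call flow described above (example code, not the author's or Modivcare's own): the caller ID is treated only as a hint because it can be spoofed, the texted link proves possession of the phone number and is single-use and short-lived, and a device credential enrolled on the first call answers a fresh server challenge after the local biometric unlock, giving the second factor. The member record, the 300-second link lifetime, and the shared-secret device key (standing in for a platform public-key credential) are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 300  # assumed lifetime, in seconds, of a texted link
SERVER_KEY = secrets.token_bytes(32)  # demo key; use a secrets manager in practice
# Constructed member directory: phone on file -> member id and the device credential
# enrolled on the first call (a shared secret stands in for a public-key credential).
MEMBERS = {"+15555550100": {"member_id": "M-1001", "device_key": secrets.token_bytes(32)}}
_links = {}  # token -> {"phone", "used"}; an issued-link store

def match_caller(caller_id):
    """Step 1: caller ID equals a number on file. A hint only: caller ID is spoofable."""
    return MEMBERS.get(caller_id, {}).get("member_id")

def issue_link(phone, now=None):
    """Step 2a: text a one-time, short-lived link bound to the phone number on file."""
    now = int(now if now is not None else time.time())
    nonce, expiry = secrets.token_urlsafe(16), now + LINK_TTL
    tag = hmac.new(SERVER_KEY, f"{phone}|{nonce}|{expiry}".encode(), hashlib.sha256).hexdigest()
    token = f"{nonce}.{expiry}.{tag}"
    _links[token] = {"phone": phone, "used": False}
    return token

def redeem_link(token, phone, now=None):
    """Step 2b: the link was clicked. Rejects unknown, reused, expired or tampered tokens."""
    now = int(now if now is not None else time.time())
    rec = _links.get(token)
    if rec is None or rec["used"] or rec["phone"] != phone:
        return False
    nonce, expiry, tag = token.split(".")
    expected = hmac.new(SERVER_KEY, f"{phone}|{nonce}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or now > int(expiry):
        return False
    rec["used"] = True  # single use, so a leaked or forwarded link cannot be replayed
    return True

def new_challenge():
    return secrets.token_bytes(32)  # Step 3a: fresh challenge, so old answers are useless

def device_answer(phone, challenge, biometric_ok):
    """Device side: the enrolled key is only released when the local biometric check passes."""
    return hmac.new(MEMBERS[phone]["device_key"], challenge, hashlib.sha256).digest() if biometric_ok else None

def verify_device(phone, challenge, answer):
    """Step 3b, second factor: the answer must come from the credential enrolled for this number."""
    if answer is None or phone not in MEMBERS:
        return False
    expected = hmac.new(MEMBERS[phone]["device_key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(answer, expected)
```

Only a call that passes both redeem_link and verify_device should be treated as authenticated; a caller ID match on its own authorizes nothing.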
This is where healthcare and other industries are heading to increase data security and improve the member experience.
ISO 27001 Standards
Healthcare organizations should consider ISO 27001 certification. Published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, together with the International Electrotechnical Commission (IEC), ISO 27001 is the highest standard for information security certification.
Security, member experience intertwined
In healthcare, the onus is on the service provider to ensure the company is talking to the right person and securing data, such as a member’s name, DOB, identification number, medical history and more.
The goal from an IT security perspective when identifying a member is to ask for the least information possible to recognize that person while keeping the data safe. Connecting and confirming, for instance, the legitimacy of a phone number and voiceprint should be enough information to work with the customer effectively from the company’s point of view and improve the customer experience.
Information security and the member experience in healthcare have a symbiotic relationship, where improvements to one side of the equation can have the effect of directly and positively impacting the other.
Walt Meffert is Chief Information Officer at Modivcare.