A new prescription for building trust online
By Jeff Barnett, December 2010
Only four out of 100 adults access healthcare services online. Here's how to reach the other 96 percent.
The effort to access and manage healthcare information online is well underway, and for good reason: it's one way healthcare providers and health plans can rein in the cost of administering care. But adoption has been slow. Consumers are worried that placing their health and medical records online also places their information — and their identities — at risk. Nearly 1.5 million Americans have suffered from medical identity theft, at a cost of approximately $20,000 per victim. [1]
Meanwhile, security threats to healthcare Web sites and externally facing Web portals are mounting. In September 2009, the U.S. Department of Health and Human Services (HHS) began requiring healthcare organizations to alert any individual whose information may have been compromised by a security breach. Since then, more than 150 healthcare organizations have reported breaches [2] that, according to HHS, have put more than 5 million people and their personal information at risk.
With these statistics, it is no wonder consumers worry whether their patient data is safe online, and who might have access to it. In fact, they may be surprised to learn that an estimated 67 percent of healthcare organizations allow access to their networks from personal or home computers. [3] That's more than any other industry segment, and it raises the question: What are these organizations doing to protect patient data? And more importantly, what safeguards will work best?
Building trust online
As banks and e-commerce giants already know, establishing trust online is a prerequisite for loyal, lasting relationships with consumers. But online healthcare services present unique challenges. Consumers view medical information as particularly sensitive, a fact that is reflected in new privacy regulations and mandates. And with more consumers communicating with their physicians via e-mail, selecting coverage plans online and making payments from mobile devices, the need to build trust has become not just inevitable, but urgent.
That's why organizations looking to provide access to records and services should consider implementing proven measures that demonstrate to consumers that they are dealing with a legitimate entity committed to protecting their personal information. Among them:
• Strong authentication: Strong authentication provides another layer of protection beyond the standard user name and password login. After signing in as usual, consumers must provide a six-digit security code generated by the user's strong authentication credential. Because the codes change with every sign-on, a code that is captured or guessed is of little use to an attacker. Credentials are available in many formats, including free apps for smart phones.
• Extended validation SSL (EV SSL): Secure Sockets Layer (SSL) is a security protocol used by Web browsers and Web servers to help users protect their data during transfer. When users of browsers that support EV see their address bar turn green, they know they've reached a site protected by an EV SSL certificate. Because the green address bar is built into the browser interface, it cannot be easily spoofed by page content. For this reason, EV SSL certificates are particularly effective in protecting users from phishing schemes that lure them to sites designed to look real, but aren't.
• Public key infrastructure (PKI): PKI solutions — usually deployed to serve thousands, even millions, of users — combine strong authentication, encryption and digital signatures to provide auditable communications and transactions. PKI helps harden a healthcare provider's network infrastructure and protects information as it flows through the organization.
• Fraud detection: While strong authentication, SSL and PKI are all visible to users, fraud detection works behind the scenes. It works by learning how users behave online and then recognizing and responding to unusual behaviors that could signal potential fraudulent activities. Fraud detection is especially useful in providing a non-intrusive authentication solution to protect information made available through self-service healthcare/health insurance portals run by healthcare providers and health plans.
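As an added illustration of the one-time-code mechanism described under strong authentication (this is example code, not from the original article or any vendor product), the following shows one common way to produce six-digit codes that change with every sign-on: an event-based HOTP generator (RFC 4226) with a server-side verifier that tolerates a few skipped codes and rejects any code that has already been used. The secret is a constructed demo key and the look-ahead window of five is an assumed parameter.

```python
import hmac
import hashlib
import struct

# Constructed demo seed (the RFC 4226 test-vector key), not a real credential;
# in production each user's credential is provisioned with its own random seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user's credential: the next counter expected.

    A submitted code is accepted only if it matches one of the next
    `look_ahead` counters (the user may have generated codes without logging
    in). On success the counter moves past the matched value, so the same
    code, or any earlier one, is refused if it is submitted again.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):  # window assumed
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            # constant-time compare avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1  # burn this counter and any skipped ones
                return True
        return False


if __name__ == "__main__":
    v = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("first login:", v.verify(first))    # True
    print("replayed code:", v.verify(first))  # False, already consumed
```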
Each of these protective layers reinforces the others while ensuring the security of sensitive information across multiple computing platforms and mobile devices. Together, they make it harder for fraud cartels to gain access to user accounts or fool consumers into revealing sensitive information.
And because these services are cloud based, IT departments don't have to build and maintain expensive on-premises security systems. That should come as a relief, because 40 percent of healthcare companies report they are overwhelmed with the complexity of on-premises strong authentication implementations. [4]
The benefits of trust
By establishing trusted relationships with patients and policyholders, these safeguards encourage the adoption of online services that bring new cost efficiencies. They also help providers and health plans comply with government privacy and risk-management mandates. And by detecting and preventing fraud, medical identity theft and data breaches, they mitigate losses that would harm the bottom line.
As healthcare services continue to move online, consumers' questions remain — chief among them whether providers and health plans are doing what it takes to protect their personal information. Without the right security measures, the healthcare industry can expect a long, painful and costly future.
1. Ponemon Institute, March 2010.
2. "Breaches of Health Care Data Expected to Keep Rising, Study Concludes," iHealthBeat, Sept. 8, 2010, accessed at www.ihealthbeat.org.
3. Forrester Consulting study commissioned by the VeriSign User Authentication Group, now part of Symantec, August 2010.
4. Forrester Consulting study commissioned on behalf of VeriSign Authentication, August 2010.