The COVID-19 pandemic has forced the entire world indoors, making us rethink how we navigate all aspects of daily life, from work to grocery shopping to how we connect with friends and family. It’s also causing us to rethink how we seek medical attention.
Before the coronavirus outbreak, telemedicine struggled to take hold in the U.S., in part because of government regulation and a lack of interest from patients and big companies. Now, companies like Teladoc Health Inc. and Doctor on Demand Inc. are seeing massive increases in demand — as COVID-19 began to spread across the U.S., Minneapolis-based telemedicine company Zipnosis reported a 3,600% increase in virtual visits on its platform.
While this shift has helped ease some of the pressure on an overburdened healthcare system, it’s important to be aware of the inherent risks that come with the rise in telemedicine, namely the opportunity it presents to fraudsters. Because of the large amount of personal information they contain, medical records command a high value on the dark web and can be listed for up to $1,000 each, 10 times more than the average credit card data breach record. Unfortunately, over 1 billion of these patient health records are already available on the dark web, with millions being added daily.
The data breach prognosis
Data breaches are a constant these days, and they’re growing in regularity in the health space – in fact, healthcare is the most breached industry, experiencing a 50% increase in breaches from June 2017 to May 2019. These breaches are costly, coming in at an average of $6.45 million each year. Why so costly compared to the global average of $3.92 million? It comes down to the importance of the data. A medical record often contains more PII than other records, such as the patient’s age and address, along with more personal details like their medical history.
Cybercriminals are now more empowered than ever to impersonate legitimate patients simply by reusing login credentials acquired on the dark web or through social engineering. And we, as consumers, have made their jobs easier by using the same password for multiple accounts. This has led to a rise in credential stuffing, a tactic in which fraudsters use bots to automate login attempts against thousands of websites with the same stolen credentials. Unsurprisingly, this often works.
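As an added example that is not part of the original article, the following Python script shows how a provider could spot the credential-stuffing pattern just described in its own authentication logs: a single source address cycling through many distinct accounts in a short window with mostly failed attempts. The log format, addresses and usernames are constructed for this example; any successful login inside a flagged burst is reported so those accounts can be reviewed and forced through a password reset.

```python
"""Detect credential-stuffing bursts in constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one bot cycling through accounts, one real user mistyping.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-04-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-04-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-04-01T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2020-04-01T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2020-04-01T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2020-04-01T10:00:20Z ip=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:25Z ip=198.51.100.7 user=alice result=FAIL
2020-04-01T10:00:31Z ip=198.51.100.7 user=alice result=SUCCESS
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources that hit many distinct accounts, mostly failing, in one window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over this source's attempts
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:  # keep the widest burst
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win), "failures": fails,
                                   "successful_logins": sorted(e["user"] for e in win if e["result"] == "SUCCESS")}
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The single-user source (198.51.100.7) is not flagged, because a legitimate patient retrying one account is a different pattern from a bot spraying reused credentials across many.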
The KYP prescription
But it’s not all doom and gloom. While there isn’t a pill, there is a practice to solve this issue: a Know Your Patient (KYP) strategy. This is the only way to protect patients’ valuable data and create an ecosystem of trust.
Under normal circumstances, if we were to visit a doctor in person, we’d be expected to bring some paperwork to prove our identity. This need to confirm who a person claims to be is even more important in a virtual setting.
This is particularly important because 2,550 healthcare breaches have impacted more than 175 million medical records over the last decade. As a result, the person a doctor prescribes a medication to may not be the patient on record. Therefore, it is vital that all healthcare organizations have a robust KYP process in place, not only at new account onboarding but also for ongoing telemedicine interactions.
The risks of not doing so can be catastrophic. A fraudster could use a stolen medical record to obtain medications in the victim’s name, which could then be sold on the dark web for financial gain. The patient, meanwhile, could be left unable to access medications they need because the records show they have already collected them.
Embracing KYP
The KYP process needs to be fully invested in and made watertight at each stage for it to truly mitigate the fraud risks in the telemedicine space. It starts at the account opening stage. This is where a medical organization captures an online patient’s government-issued ID (e.g., driver’s license, passport or ID card) via the user’s smartphone or webcam, followed by a live corroborating selfie (in which a 3D face map is created) to ensure the person behind the ID is the person creating the account. Then, they would ensure that the ID document is authentic, unaltered and that the patient pictured in the selfie matches the ID.
Organizations can then check the patient’s age to verify that they meet minimum age requirements, helping to minimize risk. Based on these security checks and identity proofing methods, hospitals, offices, clinics and pharmacies can now approve or deny the new online account.
Providers can then continue to verify a patient’s identity with biometric-based authentication whenever the patient collects an online prescription or requests a new appointment or treatment. When a tele-consult or an online prescription is required, the healthcare professional asks the patient to capture a new 3D face map, which is instantly compared against the face map captured at enrollment using online identity verification technologies.
This simple process will be key to ensuring that fraudsters cannot take advantage of the rise in telemedicine, particularly since some habits formed in lockdown, like virtual appointments, are more than likely to stick. Let’s ensure that telemedicine can continue to flourish, and that fraudsters are stopped at the door.