How identity can prevent telehealth fraud

By SailPoint

Interview with Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint.

“I don't need to worry about identity theft because no one wants to be me,” once said stand-up comedian Jay London. Unfortunately, malicious hackers after health data would disagree.

Protecting and safeguarding your identity is key, especially in healthcare. The need for such protections is growing with the increased adoption of telehealth. During Covid-19, the accelerated use of telehealth and digital health tools for patient services has made providers re-examine their identity security infrastructure.

Chern-Yue Boey, Senior Vice President of Asia-Pacific at SailPoint, shares the importance of identity security.

Preventing fraud in telehealth


Telemedicine platforms in Singapore saw the number of daily users rise by more than 140 per cent in the first few months of 2020, according to a study by Bain & Company. The next phase of telehealth security is using consumer identity access and user verification to audit these interactions, says Boey.

Consumer identity management will help prevent fraud as it ensures three data points are being collected. In a hospital setting, the patient ID, records of the clinician accessing the patient file, and claims data, are all recorded, he explains.
But in most instances of telehealth, only clinician access and claims data are noted, he says. This could open payers to fraudulent procedural claims, where a healthcare provider could receive payment for a medical service that was never carried out, warns Boey.

Ensuring that patient identity is recorded verifies who was treated, when the treatment was carried out and what is being billed, he advises. This gives payers greater confidence to pay for telehealth services without worrying about fraudulent claims.

At the beginning of the pandemic, most telehealth systems reached capacity and didn’t have the appropriate security features to handle the surge in e-visitors, says Boey. To improve patient privacy during e-visits, many health providers started to use identity security tools with enhanced access and permission features.

How healthcare is responding


Healthcare organisations around the world have adopted identity security to bolster their system’s protections. Orizon handles financial transactions for 43 healthcare insurance companies across Brazil, but couldn’t meet the requirements of new data protection laws, they wrote.

New users on Orizon’s systems were given the same access permissions as their colleagues in the same role. The organisation needed to establish a secure identity system for its 1,100 staff working across 40 different data systems.
By implementing an identity management tool, they were able grant and revoke access to users, which “helps a lot” with abiding by the data protection laws, said Ricardo Zeviani, Information Security Superintendent at Orizon.

Orizon saw an 80 per cent reduction in data errors relating to identity management as the system took over the previously manual process, reducing human error. The system is expected to reduce service desk calls by 30 per cent once fully implemented, said Zeviani.

Integris Health also faced a security challenge as employees and external contracts could access clinical systems without an access management system. The Oklahoma-based healthcare organisation wanted to give every system user greater visibility to IT management.

They implemented a system which allowed for more identity recognition. The system met regulatory and audit requirements, and boosted efficiency for IT staff and healthcare workers, they reported.

The challenge of protecting personally identifiable information (PII)


Only 20 per cent of protected health information sits neatly in structured data storage, says Boey. This means that 80 per cent of data such as clinician notes and radiological images are unprotected and unmonitored, he explains.

Not only that, but hospitals cannot dispose of this data like other industries due to data retention rules, creating large volumes of data. After hospitals adopted the cloud to deal with this immense volume, another problem emerged.
Different sets of rules apply to data stored on-premise and data stored on the cloud. This complex process led IT departments to grant too much access, allowing individuals to see information they shouldn’t, Boey explains.

This disconnect between cybersecurity rules, data creation, and cloud storage is a security “Achilles heel”, he says. This ultimately makes healthcare organisations vulnerable to hacking, he continues.

Identity security is essential for an overall cybersecurity roadmap, warns Boey. Ransomware also accounts for nearly 50 per cent of the data breaches in the healthcare sector. More than 40 per cent of healthcare organisations who have had a data breach state that the theft of consumer data is a major concern.

There’s no running away from the challenges of identity security. Healthcare organisations must ensure that systems are in place to grant and record access to the relevant individuals, preventing internet-enabled fraud and hacking attacks.