“The IDC’s Health Insights group predicts that 1 in 3 health care recipients will be the victim of a health care data breach in 2016. These stats should be a wake-up call for the entire industry.” – Ponemon Institute
The healthcare industry is facing a serious threat from security breaches of healthcare systems’ databases. There has been an alarming rise in cases of patients being subjected to hardships because of their data being stolen. The financial implications of such data breaches have impacted not just the patients whose PII (Personally Identifiable Information) and PHI (Protected Health Information) were stolen but the healthcare institutions as well.
In this article we will take a look at healthcare data breaches and their primary causes. This will be followed by an understanding of the role of the HIPAA Act in putting in place regulations for deterring such incidents. We will then understand what biometric authentication is, followed by a detailed analysis of how biometric authentication can be used for securing access to patient data as well as preventing medical identity thefts.
Healthcare data breaches – magnitude and causes
Data breaches in healthcare systems have been causing huge financial losses to individuals and healthcare providers alike. The cyber-attack on Anthem, based in Indianapolis, USA, in February 2015 is the biggest healthcare data breach to date. It can potentially affect over 78.8 million individuals or patients whose records were maintained by Anthem and were accessed by the cyber attacker. The financial impact of this data breach is huge. The $100 million which Anthem will potentially receive from American International Group as insurance money will be spent entirely on notifying the data breach victims alone.
Against the backdrop of such looming threats, let us take a look at the top 5 reasons for healthcare data breaches:
- Criminal hackers exploiting a healthcare system’s weaknesses.
- Lost or stolen computing devices of healthcare workers.
- Unintentional employee action leading to data breach.
- Data breaches due to security lapses in third-party integration.
- Technical glitches inadvertently causing data leak.
HIPAA Act and its role in securing patient data
Healthcare regulatory agencies had taken due notice of this alarming trend in healthcare data breaches early on. An important piece of legislation known as HIPAA (the Health Insurance Portability and Accountability Act) was passed in 1996. The HIPAA Act aims to lay down stringent regulations for healthcare providers to ensure the security and access of patients’ data.
An important section of the HIPAA Act is the Privacy Rule. The Privacy Rule creates standards around the use and release of a patient’s health records. It mandates that the healthcare service provider implement policies ensuring that the patient data stored with it is not subjected to misuse. Moreover, it lays down the requirement for obtaining patient authorization before disclosing his information for non-routine purposes. Healthcare providers also need to maintain audit logs of all requests and dissemination of patient information.
With the onus of preventing data breaches and securing patient information falling on healthcare providers, a secure personal identification and authentication system became the need of the hour. In this quest for patient data security, biometric authentication has emerged as one of the safest options. The healthcare industry has realized the importance of biometrics for information security and is embracing it at a steady pace.
Biometrics in Healthcare
Biometrics refers to measurable biological characteristics of a person. Put more simply, physical traits such as fingerprints, iris structures and retinal patterns are biometrics which are unique for every individual. Biometric authentication captures the biometric information of an individual and then uses it to verify his identity.
To determine whether the person whose biometric is being scanned for authentication has access or not, there needs to be a database of all authorized persons. This is why a biometric authentication system essentially works in two modes.
The first mode is enrolment, wherein individuals are ‘enrolled’ by scanning and capturing one or more of their biometrics. Captured biometrics are then read using sophisticated pattern recognition algorithms and converted to their digital equivalents, known as biometric templates. These biometric templates are stored in the healthcare database along with other details of the person such as his name, age and, most importantly, access permissions.
The second mode is authentication. Authentication happens when a person tries to gain access to an access-controlled asset, physical or digital. His biometrics are scanned and converted to equivalent biometric templates. This captured biometric template is then matched against the templates stored in the database at the time of enrolment. If a match is found, he is allowed access. Otherwise, he is asked to re-attempt authentication.
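The two modes described above, as an added example that is not code from this article or from any biometric product: templates are modelled as 256-bit integers compared by fractional Hamming distance, every attempt is written to an audit log, and the 0.25 threshold, the identifiers and the sample templates are constructed assumptions.

```python
from dataclasses import dataclass, field

TEMPLATE_BITS = 256
THRESHOLD = 0.25  # assumed: largest fraction of differing bits still a match
# Constructed sample templates (real ones come from a vendor's extractor).
NURSE = int("a5" * 32, 16)
DOCTOR = int("3c" * 32, 16)
STRANGER = int("0f" * 32, 16)  # never enrolled

@dataclass
class BiometricStore:
    records: dict = field(default_factory=dict)   # person_id -> record
    audit_log: list = field(default_factory=list)

    def enrol(self, person_id, name, permissions, template):
        """Enrolment mode: store the template with identity and permissions."""
        self.records[person_id] = {"name": name, "permissions": set(permissions),
                                   "template": template}

    def authenticate(self, capture, resource):
        """Authentication mode: match a fresh capture against enrolled templates."""
        best_id, best_dist = None, 1.0
        for pid, rec in self.records.items():
            dist = bin(rec["template"] ^ capture).count("1") / TEMPLATE_BITS
            if dist < best_dist:
                best_id, best_dist = pid, dist
        if best_id is None or best_dist > THRESHOLD:
            best_id, outcome = None, "no_match"   # person is asked to re-attempt
        elif resource not in self.records[best_id]["permissions"]:
            outcome = "denied"                    # identified, but not authorized
        else:
            outcome = "granted"
        self.audit_log.append((best_id, resource, outcome))  # log every attempt
        return outcome

def noisy(template, flips):
    """Constructed sensor noise: flip the `flips` lowest bits of a template."""
    return template ^ ((1 << flips) - 1)

def demo():
    store = BiometricStore()
    store.enrol("N-01", "Nurse A", {"patient_records"}, NURSE)
    store.enrol("D-01", "Doctor B", {"patient_records", "prescriptions"}, DOCTOR)
    rescan = noisy(NURSE, 20)  # same person, imperfect second scan
    outcomes = [store.authenticate(rescan, "patient_records"),
                store.authenticate(rescan, "prescriptions"),
                store.authenticate(STRANGER, "patient_records")]
    return outcomes, store.audit_log
```

Two scans of the same trait never produce identical templates, which is why matching uses a distance threshold rather than equality.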
Biometric authentication is the safest way to ensure security of healthcare systems. Let us now look at how biometrics secure two important areas of healthcare systems: patient identification and patient data.
Biometrics and patient identification
Patient identification refers to determining the identity of the person in the MPI (Master Patient Index) database of the healthcare provider. The healthcare insurance of patients is linked to the patient ID in the MPI. If any person with malicious intent gets hold of essential details of the patient’s MPI record, then the impostor can pass himself off as the person whose details he has stolen. This act of posing as another person to use his healthcare benefits is known as medical identity theft.
With a biometric patient identification system in place, medical identity thefts cannot happen. In a biometric authentication system, at the time of creation of the patient’s record in the MPI, his biometrics are captured and stored against the MPI. Whenever the patient presents himself for authentication in future to avail healthcare benefits, his biometric information will be captured and compared with that stored in the MPI database. He will be provided healthcare benefits only if his biometrics match. Biometrics cannot be faked or spoofed. Hence, medical identity theft cannot happen in a biometric patient authentication system.
Biometrics and patient data security
One of the major causes of patient data compromise in various security incidents has been deliberate or unintentional action by healthcare workers. Healthcare workers have access to systems or devices which have direct access to patient data. Such systems are normally password-secured. In many instances patient data has been lost because a password became known to multiple employees. In other instances, the devices used to access patient data have been stolen or misplaced and the patient data has fallen into the wrong hands.
With biometric authentication for healthcare staff, there is no risk of password sharing. Only the staff member enrolled and authorized to access a piece of information will be able to do so, by presenting his biometrics such as a fingerprint or iris scan. In addition, in the event of the device getting stolen, the thief won’t be able to open the device if it has been secured using biometrics. This implies that leakage of patient data through unauthorized access to healthcare systems, applications and devices cannot happen with biometric authentication in place.
Numerous cases are being reported in which a patient’s data and medical identity are stolen or accessed without authorization. Such data breaches can happen through unauthorized access to healthcare systems or devices. A patient’s data, once compromised, can be used to steal his medical identity and cause financial losses to both the patient and the healthcare service providers.
With biometric authentication being used for healthcare systems’ access as well as for patient identification, such security threats can be neutralized. Biometrics is thus an important tool in securing patient data in the healthcare industry.