CBS News investigative reporting into medical data theft recently found that on the dark web, “Social Security numbers sell for $1, and credit card info goes for up to $110,” but added that, “… full medical records can command up to $1,000 because they’re an identity thief’s dream: date of birth, place of birth, credit card details, Social Security number, address, and emails.”
Gary Cantrell, deputy IG, Department of Health and Human Services’ Office of Investigations (OI), told CBS, “One of our most important missions is to mitigate that vulnerability as quickly as possible. And that means communicating with those individuals who oversee the systems.” That’s bureaucratic code for “Regulators will be checking on ‘Know Your Patient’ (KYP) compliance in the near future.” They should. Medical data theft is perhaps the ugliest kind.
“Hospitals and healthcare professionals are adjusting their operations to care for a growing number of patients infected with COVID-19 and mitigate the spread of contagion,” the Tracker states, “but they are also improvising ways to remotely deliver services to meet consumers’ skyrocketing demands for digital healthcare options. This seismic shift is, in turn, making it more important than ever for providers to examine the use of digital identity authentication technologies.”
Medical Records = Dark Web Gold
With data showing that 45 percent of all 2019 data breaches (and there were a lot of them) involved medical records theft, costing healthcare providers $429 per compromised patient record or nearly $18 billion, organizations can’t be confused about the value of those records to cyberthieves.
“Medical records command a high value on the dark web and can be listed for 10 times more than the average credit card data breach record. There is a practice to solve this issue — a Know Your Patient strategy, which starts at the account opening stage,” Philipp Pointner, chief product officer at Jumio, told PYMNTS. “This is where medical organizations use online identity verification technologies to capture a patient’s government-issued ID and a corroborating selfie to ensure the person behind the ID is the person creating the account.”
As things like “deep fakes” get real and digital onboarding replaces face-to-face document presentation and authentication post-pandemic, KYP tech is fast becoming indispensable.
And while the pandemic may have shut down the legit world, fraudsters were extremely busy.
“[The trend of medical data theft] continued during the COVID-19 pandemic, with 25 percent of the breaches reported in Q1 2020 targeting medical records and 51 percent taking aim at firms in the medical sector,” per the Tracker. “Researchers warn that hackers’ focus on healthcare firms and health-related PII will only increase as the pandemic continues and more consumers are tested for COVID-19. They also note a recent spike in COVID-19-related phishing attempts.”
Telehealth Forces The Digital KYP Issue
With the sudden, meteoric growth of telehealth applications, digital “Know Your Patient” compliance is now something you need if you touch any medical data at any stage.
“Healthcare providers in the U.S. must comply with federal regulations regarding the storage and management of medical data as well as any relevant state rules that have recently come into play,” according to the July 2020 Digital Identity Tracker®.
While the California Consumer Privacy Act (CCPA) works at the statewide level, “… wide-ranging telehealth visit regulations [are] being championed by organizations such as the American Health Association and discussed within the U.S. Senate.”
There’s plenty of stress to go around, and it might even be detected by the advanced identity tech now being fielded fast to meet a surge in COVID-era demand for confident remote KYP.
“Providers can use biometric-based authentication to verify a patient’s identity on an ongoing basis. When a patient requests an online prescription or appointment, they are prompted to capture a new 3D face map, which is instantly compared to the original face map captured at enrollment,” Jumio’s Philipp Pointner told PYMNTS. “This simple process is going to be key to ensuring that fraudsters cannot take advantage of the rise in telemedicine.”