Patient confidentiality is necessary for building trust between patients and medical professionals. At the same time, accurate health care requires the collection, storage, and use of huge volumes of information, most of which is sensitive and potentially harmful if it ends up in the wrong hands. The HIPAA Privacy Rule outlines federal protections for personal health information held by healthcare organizations and their service providers and gives patients an array of rights with respect to that information.
PHI stands for Protected Health Information, but what if it’s not always protected? This data is valuable to malicious individuals and criminal groups as fodder for extortion, identity theft, fraud, sales, and data laundering.
What Is Call Center Fraud?
PHI is threatened by many different factors and in innumerable ways. One of the latest scams on our radar in the healthcare industry is a form of social engineering: call center fraud. The pattern is that an individual obtains hacked or breached data and contacts a call center pretending to be a patient. Using the name, address, birth date, social security number, or other PHI, the individual works to convince the call center that he or she is the patient and is walked through the verification process, which in turn exposes even more sensitive information.
Phone centers in various branches of the healthcare field are being targeted this way: insurance providers, hospital and physician networks, medical billing service providers, and more. A recent Forbes article notes: “Fraudsters sometimes gain access to victims’ bank and e-commerce accounts by cracking weak passwords or using stolen credentials, but more and more attacks are targeting what is emerging as the weak link in many organizations’ security systems: the phone channel.”
Why is the phone channel the weak link? Because call answering services often use knowledge-based authentication. This is a particularly vulnerable way to identify a caller, because it relies on personal information such as an account number, mother’s maiden name, or phone number. Essentially, the call center agent grants access to customer accounts based on information that may also be accessible online or through breached data.
The goal for these types of fraudsters is full account takeover. That means that a hacker gains control of a legitimate account often using automated techniques with potentially thousands of credentials and user accounts. Depending on the level of access gained and the type of account, full takeover can be extremely valuable on the dark web. For this reason, call center fraud is on the rise; phone scams have increased 30% since 2013, claims American Banker.
If the fraudster already has, or is able to obtain, login information for the patient’s real email account, the scam becomes very difficult to stop. When using a legitimate, trusted mailbox, malicious activity is hard to detect with automated security tools. Thus, the bad actor can take over the patient’s account, change the password, use the same information to access other things like bank accounts and financial information, commit fraud and other crimes.
How Should Healthcare Organizations Safeguard Against Scams?
Digital identity theft is a growing problem that affects many people. When it comes to PHI, covered entities are both required to maintain data security measures to prevent these types of scams and expected to protect patients’ privacy and confidentiality. Additional best practices help healthcare organizations and their third-party service providers to meet this expectation.
Identify the Risk
Identity-based risk detection identifies patterns of digital user activity, across multiple forms and factors, to determine when someone could be an active fraudster. With this type of security tool, digital identity proxies such as mobile phone numbers and email addresses are monitored so that they cannot be changed by someone else in order to divert or hide follow-up verification attempts.
Device intelligence tools are another option for identifying account takeover attacks and identity theft attempts. They work by analyzing the devices used to access online accounts and the identities associated with them. These tools are designed to allow a user to log into accounts and perform low-risk activities from familiar devices, but require additional authentication from unfamiliar devices or for high-risk activities, and block activity when bot activity or malware is detected.
Address the Risk
Dynamic and Enhanced KBA – Knowledge-based authentication can be made more secure by requiring the individual to answer generated questions whose answers the company has not stored in advance. These questions are generated from data within a person’s credit history or public records, so the answers are difficult for anyone other than the actual person to supply. Enhanced dynamic KBA uses secure proprietary data to create custom security questions for users.
One-Time Passwords – These have become a fairly common form of multifactor identity authentication. They work by sending a unique, single-use password to the customer’s mobile phone in real time. The customer confirms the requested activity by responding with the OTP.
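As an added illustration (not code from PatientCalls or the original post) of the single-use OTP step-up described above, the following verifier issues a code for delivery to the phone on file and accepts it only once, only before it expires, and only within a small attempt cap, which also covers the repeat-failed-attempt lockout mentioned later on this page; the account identifiers, the five-minute lifetime and the three-attempt cap are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed: a code is only valid for five minutes after issue
MAX_ATTEMPTS = 3        # assumed: repeated failed guesses invalidate the challenge


@dataclass
class OtpChallenge:
    code_hash: bytes      # only a hash is stored; the plain code goes to the phone
    expires_at: float
    attempts: int = 0


def _hash_code(account_id: str, code: str) -> bytes:
    # Bind the code to the account so a code for one account cannot be reused for another.
    return hashlib.sha256(f"{account_id}:{code}".encode()).digest()


class OtpVerifier:
    """Issues and checks single-use OTPs for call-center step-up verification."""

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable so tests can advance time
        self._pending: dict[str, OtpChallenge] = {}

    def issue(self, account_id: str) -> str:
        """Create a fresh 6-digit code; the caller delivers it to the phone on file."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = OtpChallenge(
            _hash_code(account_id, code), self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        """True only for the current, unexpired code, within the attempt cap."""
        challenge = self._pending.get(account_id)
        if challenge is None:
            return False                        # nothing outstanding or already used
        if self._clock() > challenge.expires_at:
            del self._pending[account_id]       # stale code: force a re-issue
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]       # too many guesses: force a re-issue
            return False
        if hmac.compare_digest(_hash_code(account_id, submitted), challenge.code_hash):
            del self._pending[account_id]       # single use: consume on success
            return True
        return False
```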
Document Verification – Works by collecting and verifying an image of an ID document uploaded by the customer, cross-checked against a “selfie” or webcam shot to confirm that the actual customer and the ID match.
Biometric Verification – Technology has made it possible for financial and healthcare organizations to verify the identity of a person before any PII or PHI is exchanged. This can be done via fingerprint scanning on a newer-generation smartphone, or via facial and voice recognition using the device’s camera or microphone.
PatientCalls – Secure Phone Answering Services for Healthcare
We take patient privacy, data security, and HIPAA compliance seriously. PatientCalls has the following security measures in place:
- Physical facilities are SSAE 16 (SOC 1) Type II compliant,
- Quarterly risk assessments,
- Multiple layer encryption,
- Anti-virus software,
- Cybersecurity detection and prevention,
- Repeat failed log-in prevention,
- Workstation monitoring and encryption,
- HIPAA compliance training for all agents.
For more information about our integrated security features, see here.