A multilayered approach to pharmacy portal security
Pharmacies are keepers of protected health information, and one of their greatest responsibilities is to defend it against security breaches and fraud. Unfortunately, threats are rampant, and fraudsters’ means of achieving their objectives are ever-growing. The Identity Theft Resource Center Breach List identified that 23.7 % of all breaches in 2017 were in the medical/healthcare industry. Furthermore, medical identity theft is growing at a rate of 22% year, according to Consumer Reports. Pharmacies need to consider how to stave off this threat via increased security without compromising the patient’s and staff’s experience. Nothing short of a multi-layered, proactive approach to user authentication and authorization will do.
What patients want
Just a few years ago, pharmacy patient portals served the primary purpose of a refill method — a new and revolutionary one at that. Today’s patients want to access lists of medication history, check on outstanding invoices or bills, ask pharmacists a question, or download data to complete tax or other forms. Pharmacy portal functionality has expanded substantially to become part of a set of tools for proactive management of health.
As patients come to expect immediate, user-friendly access to their protected health information, they also (rightfully) expect that outside sources could never gain access to it. Patients are understandably worried about medical identity theft: surveys show that 65% of the medical identity theft victims spent an average of $13,500 to pay the healthcare bills run up in their name, to recover their health insurance, and to pay lawyer’s fees, and more than 200 hours to undo the mess, according to Consumer Reports. Claims data, prescription history, demographic information, medical history, test results and insurance information are all extremely valuable. As pharmacists serve customers who now demand quick, convenient access to their health data, they must instill a sense of trust in the measures they are taking to protect this very sensitive information.
At the same time, as pharmacies exercise vigilance in vetting the identities of patients accessing the system, it often comes at the price of user experience. Amid the battle for patient loyalty, pharmacies need their portal applications to be not only secure but seamless, simple, understandable, and productive.
Portal possibilities
To meet the challenges of fraud identification in this complex application, the pharmacy needs to first consider the connection point, or hub, that spans all patient data in all available solutions. What are the customer contact channels someone can tap into to access this data: In the store, on a kiosk, on an iPhone, via a customer service representative on the phone, from a computer at home or via a shared workstation? A one-size-fits-all security strategy certainly isn’t going to address all of these access scenarios.
A pharmacy’s security plan needs to take the form of a multilayered defense platform. Take the example of a brand-new patient who’s filling a prescription—the pharmacy has no personal or medical history here. The platform must capture the instance of this person on his mobile device, and interrogate it for risks such as malware, bots or scripted attacks. The system might also solicit the user to take a non-intrusive identification quiz covering top-of-mind questions that would be very difficult for an outside party to know. After the pharmacy staff scans the patient’s driver's license, the portal could automatically incorporate that data into the patient system.
Let’s say the patient comes back to the store next week: the identity vetting needs to be less involved but still thorough. The system confirms the device’s credibility in relation to its location—another layer of safety—and subsequently prompts the patient for a user ID and password. If a patient forgets his password and wants to reset it, the system sends a one-time password only to that device. Then, the tool will help the patient authenticate himself and access data through the portal.
By extracting the identification data and using it in the future to confirm the identity, the approach creates a seamless user experience for the patient and the pharmacist while delivering rigorous protection.
Value considerations
The biggest risk of a pharmacy portal data breach is, of course, exposing patient information to an outside entity. Such a lapse could present legal challenges, and if exposed by the media, would certainly rock patient confidence. To keep up with today’s threats, pharmacies need to be proactive about security: identify the security gaps in their current portals and consider ways to improve or augment protection and services. Today, healthcare data is much more valuable than credit card data. It’s incumbent upon the industry to take appropriate measures to protect patients’ most valuable asset.
Rene Lopez is vertical solutions consultant, identity, for LexisNexis Risk Solutions
What patients want
Just a few years ago, pharmacy patient portals served the primary purpose of a refill method — a new and revolutionary one at that. Today’s patients want to access lists of medication history, check on outstanding invoices or bills, ask pharmacists a question, or download data to complete tax or other forms. Pharmacy portal functionality has expanded substantially to become part of a set of tools for proactive management of health.
As patients come to expect immediate, user-friendly access to their protected health information, they also (rightfully) expect that outside sources could never gain access to it. Patients are understandably worried about medical identity theft: surveys show that 65% of the medical identity theft victims spent an average of $13,500 to pay the healthcare bills run up in their name, to recover their health insurance, and to pay lawyer’s fees, and more than 200 hours to undo the mess, according to Consumer Reports. Claims data, prescription history, demographic information, medical history, test results and insurance information are all extremely valuable. As pharmacists serve customers who now demand quick, convenient access to their health data, they must instill a sense of trust in the measures they are taking to protect this very sensitive information.
At the same time, as pharmacies exercise vigilance in vetting the identities of patients accessing the system, it often comes at the price of user experience. Amid the battle for patient loyalty, pharmacies need their portal applications to be not only secure but seamless, simple, understandable, and productive.
Portal possibilities
To meet the challenges of fraud identification in this complex application, the pharmacy needs to first consider the connection point, or hub, that spans all patient data in all available solutions. What are the customer contact channels someone can tap into to access this data: In the store, on a kiosk, on an iPhone, via a customer service representative on the phone, from a computer at home or via a shared workstation? A one-size-fits-all security strategy certainly isn’t going to address all of these access scenarios.
A pharmacy’s security plan needs to take the form of a multilayered defense platform. Take the example of a brand-new patient who’s filling a prescription—the pharmacy has no personal or medical history here. The platform must capture the instance of this person on his mobile device, and interrogate it for risks such as malware, bots or scripted attacks. The system might also solicit the user to take a non-intrusive identification quiz covering top-of-mind questions that would be very difficult for an outside party to know. After the pharmacy staff scans the patient’s driver's license, the portal could automatically incorporate that data into the patient system.
Let’s say the patient comes back to the store next week: the identity vetting needs to be less involved but still thorough. The system confirms the device’s credibility in relation to its location—another layer of safety—and subsequently prompts the patient for a user ID and password. If a patient forgets his password and wants to reset it, the system sends a one-time password only to that device. Then, the tool will help the patient authenticate himself and access data through the portal.
By extracting the identification data and using it in the future to confirm the identity, the approach creates a seamless user experience for the patient and the pharmacist while delivering rigorous protection.
Value considerations
The biggest risk of a pharmacy portal data breach is, of course, exposing patient information to an outside entity. Such a lapse could present legal challenges, and if exposed by the media, would certainly rock patient confidence. To keep up with today’s threats, pharmacies need to be proactive about security: identify the security gaps in their current portals and consider ways to improve or augment protection and services. Today, healthcare data is much more valuable than credit card data. It’s incumbent upon the industry to take appropriate measures to protect patients’ most valuable asset.
Rene Lopez is vertical solutions consultant, identity, for LexisNexis Risk Solutions