Understanding the Value of Digital Identity Assessment to Healthcare

September 26, 2022 - The healthcare industry has rapidly transformed its digital ecosystem to allow a more significant number of stakeholders to interact virtually in large part to respond to the coronavirus pandemic and healthcare consumerism. But lagging behind this digital transformation is the ability of healthcare organizations to deliver a frictionless experience and prevent unauthorized access to sensitive data and mission-critical applications and services.

A sense of urgency should be driving HIPAA-covered entities (e.g., providers, payers, business associates) to address digital identity, given the proliferation of cyberattacks targeting healthcare organizations. Between January and August of this year, the Office for Civil Rights (OCR) breach portal shows 332 cases of hacking/IT incidents currently under investigation. That represents an 89% increase over the same period in 2021.

“Cyberattacks are much more commonplace now than just a couple of years ago,” says Cheria Poole, Director of Healthcare Identity Solutions at LexisNexis Risk Solutions. “Beyond compliance and potential penalties, healthcare organizations must also protect themselves from the brand damage resulting from a cyberattack. Whether a hacking incident or ransomware, it could take years for an organization to recover from an attack.”

With 26 million individuals affected by cyberattacks already this year, the onus is on healthcare organizations to invest in digital identity assessment.

“Many healthcare organizations believe it is expensive, but when they consider the return on investment, they will realize that it is worth investing in something they will need for the future. Those prepared for new levels of online interaction are exposing themselves to more risk of cyberattacks by bad actors,” Poole stresses.

Value of digital identity assessment

Multiple industries with similar levels of regulatory complexity are turning to digital identity assessment solutions with the understanding that a growing repository of data about online users can be used to separate the wheat from the chaff, the good actors from the bad. Data collected at scale from real-world scenarios — that is, truth data — is crucial for providing context and training algorithms to differentiate between authorized and unauthorized behavior.

“These types of solutions are rules-based, and companies are further strengthening the capabilities of these tools based on the cyberactivity they have monitored at their company which becomes their truth data. Dynamic decisioning can then come into play by allowing organizations in real time to allow or disallow a user access to a system based on the user’s risk score. It creates an environment of constant learning,” Poole observes.

For an industry often playing catchup and acting reactively, dynamic decisioning offers the opportunity to be a step ahead.

“We’re moving to a place where literally they can stop cybercriminals before they strike — identifying and blocking them before any damage can be done,” Poole explains. “We want to ensure that HIPAA-covered entities can get ahead of any attack or hacker attempting to compromise the healthcare organization.”

Moreover, digital identity assessment with dynamic decisioning also benefits trusted users, mitigating concerns about not delivering a frictionless experience to these individuals.    

“After this type of tool has learned from an organization’s truth data, the organization can turn down the risk friction ratio for trusted users. Knowing more about cybercriminals creates simpler pathways for trusted users. In addition, the right tool works in tandem with other products organizations may have used in the past for identity verification and authentication,” Pool maintains.

“At the same time, these tools give visibility into how the organization’s rules are performing, good or bad,” she continues. “Their relative strength of these tools comes from the ability to compare identities against a repository of data. Some vendors have amassed repositories that contain global consumer transaction data, including known suspicious behavior. The greater the number of data points, the likelier users are to identify both known suspicious identities and trusted user identities.”

Advantages of a strategic partner

Given the penchant for healthcare organizations to rely on their own data to inform their decision-making, they have much to gain from leveraging external expertise.

“Healthcare organizations have not been as invested in cybersecurity on par with other industries such as e-commerce and finance. As a result, proven rules and baselines have emerged that can be brought to bear on healthcare,” says Poole.

“As more bad actors are defined, more insight becomes available to create rules and models that can benefit many more organizations,” she continues. “It is definitely in the best interest of healthcare organizations to work with a strategic partner to glean deeper and wider insight.”

When choosing the right partner, HIPAA-covered entities should look to a vendor with a proven track record and technology.

“Those that have already worked with larger organizations for a more extended period of time understand trends with bad actors and cyberattacks. One should be able to provide insights right off the bat based on proven experience with mature and complex organizations across industries.”

With the healthcare system looking to expand its digital footprint and create new forms of engagement between providers, payers and patients, HIPAA-covered entities must have the ability to make interactions for trusted users efficient and attempts by bad actors unsuccessful.

____________________________

About LexisNexis Risk Solutions

LexisNexis Health Care helps providers meet interoperability goals and gives patients more control of their health data. Through proprietary linking technology and access to the most robust and accurate consumer data in the industry, LexisNexis helps to improve patient outcomes, provide market intelligence, protect patient identities, and enable compliance.