|
Posted on Aug. 25, 2008
Can the Internet help cure our data-clogged health care system? Internet stalwarts Google and Microsoft seem to think so.
The two companies recently launched separate services (Google Health and Microsoft HealthVault) that allow consumers to create an online depository for historical health information, medical prescriptions, test results and insurance coverage and billing information. The services are designed to use the convenience and efficiency of the Internet to streamline information access in an industry sometimes known for just the opposite.
Despite the obvious advantages presented by Google Health and Microsoft HealthVault, consumers worry about the privacy of their personal information. Few would blame them. Recent news of high-profile data breaches seem to remind us that, whenever we go online, we may be vulnerable to identity theft and fraud.
But really, what could e-criminals possibly do with the knowledge that you suffer from hay fever or are allergic to arugula? Perhaps not much. Trouble is, that type of information tends to reside with other data that presents more lucrative opportunities to fraudsters.
Just consider the various organizations in the health care ecosystem: doctors, hospitals, insurers, drug makers and pharmacies, not to mention employers and state and federal agencies. In fact, buried in your medical records are dozens of access points for fraud.
Unlike financial services sites, which are increasingly opting for strong authentication, most health care portals can be logged onto using only a weak username and password. They provide the patient with access to his or her name, insurance group ID numbers, policy numbers, benefits summaries and even medical records and related provider information. Users can change addresses, order online prescriptions, check claims status, request appointments, access test results, renew and redirect prescriptions and more. Meanwhile, services like Google Health and HealthVault allows users to add more information.
Add to this the threat of phishing scams that lure consumers to fraudulent (and increasingly convincing) Web sites that trick them into entering their personal information, including account numbers, user names, passwords, and Social Security numbers. It's enough to make an otherwise healthy consumer feel downright ill.
One of the chief threats is medical insurance fraud, a rapidly growing problem fueled by the increasing number of uninsured Americans--43.6 million of them, according to a 2006 National Health Interview Study. This coverage vacuum has created a black market for selling "insurance plans" to those who can't or won't secure coverage through legal means. Black market plans are purchased with information stolen from legitimately insured consumers. Securing an insurance ID card can be as easy as accessing a legitimate account and ordering a change of address, leading the insurance company to send an updated ID card to the fraudulent patient--in some cases ID cards can be printed directly from the Web site. It may be weeks before the real patient notices a problem--even longer for consumers who rarely need medical attention.
Even worse, a consumer's medical records could begin to include information from other people. As a result, a consumer might receive someone else's medical bills, a potentially costly and frustrating problem. But the worst-case outcome is far more grim. Based on erroneous medical information, patients could receive the wrong treatments, including medications and dosages that could go un-vetted, particularly during a health care emergency. Inaccurate records could also impact employment or life insurance eligibility.
Fortunately, one of the two new online services, Microsoft HealthVault, has recognized that providing strong authentication to prevent medical identity theft is just as important as accessing medical information online. HealthVault recently announced it will offer two-factor authentication to its members, while coupling that protection with the convenience of OpenID single sign-on.
Two-factor authentication requires patients to produce both something they know (their usernames and passwords) and something they have (a one-time password authentication token or smart card) to safely and securely log in to access their sensitive health care information. If either of these factors is compromised--if a password is wrong or a token is stolen--the thief will not gain access to a patient's personal information.
HIPAA regulations have gone far in protecting the integrity of patient data, but the area of online authentication remains neglected. For their part, health care providers and insurers must recognize the liability they have to data breach and fraud threats, and the damage their brands could sustain from successful attacks.
Today, adopting strong authentication represents a competitive advantage for health care providers and online services like HealthVault. Providing that protection displays a genuine concern for data integrity and the well-being of patients and members and can help drive Internet self-service, which will offset many administrative costs. Those who wait too long to safeguard their customers will risk appearing neglectful--and they may even risk legal and regulatory reprisals.
The Internet may indeed hold the key to many health care industry ills. But only by properly protecting online users can this industry emerge from its Internet initiatives with a clean bill of health.
Jennifer Gilburg is director of business development with VeriSign Inc.
|