Cybersecurity: Balancing Risk and Member Engagement | LexisNexis Risk Solutions


Greetings everyone. We would like to welcome you to our live webinar presentation: Cybersecurity – Balancing Risk and the Member Experience. If you were on an airplane right now, you would need to listen to some safety instructions before the plane takes off. So buckle up and please pay attention to these brief items of note before our webinar takes off today. During the webinar, all attendee lines will be muted. To ask speakers a question, on the left-hand corner of your screen you’ll see a blue “ask a question” box; simply type in your question and press send. To listen by phone, please reference your webinar login instructions. If you need any other assistance during the webinar, please contact our help web summit office at two zero nine five seven seven four eight eight eight.

The rise in digital health initiatives presents more vulnerabilities than ever before to patient data. As a result, health care organizations are experiencing a record number of data breaches and suffering millions of dollars in fines, settlements and operational losses. Today’s discussion will pinpoint ways to reduce the risk of a data breach, explain the necessary steps to validate and verify member information, and identify the ingredients for a strong multi-factor authentication strategy.

Our speakers today are Aaron Benson and Courtney Timmons. Aaron is the director of market planning for LexisNexis Risk Solutions healthcare. Ms. Benson focuses on the development and execution of strategic planning for identity management and social determinants of health solutions. She came to LexisNexis from Deloitte Consulting. Ms. Timmons serves LexisNexis health care as market planning specialist. Her focus is on the development and execution of strategic planning for cybersecurity and risks defense solutions. So without further ado, our speakers are now ready to begin.

Hello everyone, thank you for joining today’s webinar. My name is Charlene Serrano with LexisNexis and today’s moderator, and on behalf of LexisNexis I welcome you to 
today’s program. Now I would like to introduce today’s first speaker, Aaron Benson.

Thank you, Charlene, and good afternoon everyone. Courtney and I would like to thank you for taking the time to join us today and considering some new ways to address your organization’s top priorities around cybersecurity and member engagement. We’d also like to extend our thanks to Tim Cole for the support facilitating today’s session so we can have these important discussions. We hope today’s session will lead to continued conversations, and our direct contact information will be provided at the end.

So why is it that we’re all here today? With a growing number of data breaches, the need for cybersecurity and physical security keeps CIOs up at night. At the same time, value-based care and the rise of consumerism are driving a need to provide members with a quality experience without introducing a lot of friction into the process. These two needs are fundamentally at odds. Cybersecurity calls for more secure access gates, while member engagement calls for more ease of use of online portals and other health care services.

So specifically, over the next hour we want to discuss how market trends have led to this need for balancing data security with member engagement. We’ll then discuss two key ways to address this challenge: first, by using a unique member identifier to create a golden record for each member, and second, by placing appropriate layers of defense in front of member and proprietary data to ensure only the right individuals are getting access. We’ll conclude today with our thoughts on how these efforts achieve the desired balance. Courtney, I’ll turn it over to you to explore these impactful market trends.

Thank you, Erin. By exploring the challenges that health plans are facing in 2019, there is no denying that technology has played a primary role in how members are interacting with their health plans. In turn, it is requiring health plans to take a more proactive role in protecting their systems from 
a breach while maintaining a great member experience throughout their medical journey. In this first section I will dive into market trends and highlight the challenges both health plans and providers are facing in balancing member engagement and data security.

Members are increasingly taking control of their health through the engagement of member portals, and this is a trend that is continuing to grow into a norm. By engaging in member portals, users are able to view and get answers to coverage questions, track claims and account activity, locate providers and services, find health advice, manage their member profiles, pay bills and much more. And this trend is on the rise. According to Health IT, 52% of individuals have online access to their health records. 72 percent of Millennials stated that they prefer to share health data and manage their care via a mobile application.

An increasing number of health organizations are investing in serving omni-channel members looking to open or log in to new or existing accounts, change passwords or member information, make payments, or access claims. This omni-channel model allows access through both physical and digital channels. Members are accessing both their data and care benefits in person at hospitals and care centers, through call centers, online via email, computer or tablet, and through mobile applications.

As you can imagine, it’s not only member access that health plans are concerned about. For every access method or channel into a system, there is a desired user and a potential vulnerability point for fraud. While members are accessing their data, employees and vendors are also logging into systems at other access points, and those access points need security as well. Protecting organizational data and the identities of members is not only the responsibility of the health plans, but is required by several federal regulations.

As digital healthcare has become a new norm and members are accessing medical data in a 
variety of ways, this has resulted in more attack points for hackers. According to the crisis management group of Edwin public relations’ presentation at HIMSS this year, healthcare organizations have become primary targets for three reasons: outdated systems, low layers of security, and healthcare companies are statistically known to pay ransom. This is interesting when you contrast it with a recent survey we commissioned, where 58% of healthcare organizations responding stated that they believe the cybersecurity of their online patient portal is above average. Of course, the most obvious issue with that is that over half of the organizations statistically can’t all be above average. But even more so, we know from market trends that fraud is on the rise and hackers are attacking systems in an effort to steal member identities, obtain fraudulent health care or prescriptions, open new lines of credit, facilitate blackmail or extortion, compromise corporate IP addresses and more.

As the ways in which members access their data become more sophisticated, so too do the ways in which hackers are finding ways to commit fraud. In 2017 there were 477 US healthcare breaches affecting 5.6 million patient records. More than one in ten new account openings are fraudulent, with 60% of those accounts being created using a mobile device. Call center fraud is up 113 percent. A record one billion bot attacks were seen in Q1 of 2018. There has been 202 percent growth in login attacks since 2016, and 88% of all ransomware attacks were against healthcare organizations in 2017 because, as I mentioned earlier, health care organizations are known on the black market to pay.

So what’s the solution to this balancing act? Regulations continue to promote patient and member engagement through things like the 21st Century Cures Act, the MyHealthEData initiative, and the Trusted Exchange Framework and Common Agreement. At the same time, they push for a safe and secure environment for all users through regulations such as HIPAA, 
HITECH and the fact that

This year we held our second annual focus group in partnership with the College of Healthcare Information Management Executives on top priorities for healthcare technology leaders. Here are a few takeaways from this focus group. Although these industry tech leaders have a lot on their plate, earning and retaining patient and member trust, whether it be by keeping information safe, maintaining accurate and complete records, or providing a personalized and meaningful health care experience, was said to be paramount. Cybersecurity is a key priority for this group, with participants admitting to their increase in the use of multiple layers of security, including one-time password, biometric screenings and knowledge-based authentication. There’s a growing understanding that as fraud schemes are becoming more and more sophisticated, every point where a user can enter a system needs to be appropriately secured.

These experts acknowledge that when fraudsters are successful, it compromises patients’ trust in the healthcare organization, it increases cost for the healthcare organization if they have to remediate a breach, and potentially leads to patient safety risks if any other patient’s health data is altered and caregivers then act on bad information. Not to mention, as one of the participants pointed out, patients will go somewhere else if they don’t trust that you can take care of their data.

As you consider these market trends and potential ramifications of a breach, I would encourage you to ask yourself: What conflicting challenges does your organization face around data security and member engagement? How are you solving these challenges today? And what could be done better?
We believe that identity is the key to solving the challenge of balancing member engagement and data security in today’s digital economy. We believe it’s about getting to know your members, maintaining accurate data at all times, and leveraging that data and linking technologies to create a multi-layered security approach, filling the gaps within your organization’s workflow that leave data vulnerable. Identity management and proofing, in tandem with new technological innovation, allows organizations to perform intuitive linking of data points to the accurate identity; leverage cross-industry analytics that allow organizations to determine if an identity enrolling in your plan actually exists and if all of the identity information is accurate and belongs together; and lastly, monitor transaction activity across a diverse array of industries, from financial, retail, insurance and government, using machine learning to build analytics, provide fraud intelligence and track fraudulent behaviors and schemes.

The first step in this approach is understanding that we must assess the risk of both the physical and the digital identity attributes of each and every person looking to gain access to your portal, file a claim, change contact information, or any other high-risk transaction being performed. Having the ability to assess and link data points such as the user name and email addresses, their biometrics, geolocation, and a person’s digital behavior and reputation across industries, and linking them to vehicles, phone numbers, addresses, dates of birth, relatives and associates, is key in protecting your member population. In order to protect their data, you have to know who to grant access to and be able to verify their identities. Knowing your members will allow you to validate that the right users get access to their information while keeping fraudsters out, and providing an insight into who is accessing your site, mobile application and/or portal, no matter where in the medical journey a member or 
fraudster is trying to gain access.

This is our first polling question: Is your organization addressing the challenge of balancing member engagement and data security? We’ll give you all a few minutes to answer. You’ll see the possible options are: yes, however, we’re more focused on member engagement; yes, but we’re more focused on data security; yes, we’re equally focused on both; or no, this is not a focus area. We’re curious to see where you feel like the emphasis is within your health care organizations.

So it’s looking like, according to the results, we’re pretty evenly split between focused on data security and then equally focused on both. What are your thoughts on that?

That’s great. Achieving balance is certainly a shared challenge in the market today, and with good reason. We are so used to investing in technology that provides the best care and medical experience for our members that we often fail to acknowledge that technology and innovation are a double-edged sword: it helps our members while also making their data more vulnerable. Keeping accurate, up-to-date data and investing in the necessary methods of securing that data then becomes a key part of the member experience by serving as a good way to maintain trust with your members. In the next several slides, Aaron discusses the first step in getting to know your members and the importance of maintaining what we like to call the golden record.

Thanks, Courtney, this is also really interesting. I expected more of a balance, but it’s great to see that data security is so critical. So recently, we’ve seen an increase in healthcare organizations stopping and asking the question: even if I validate a person’s identity correctly, how do I know that individual is then provided access to the right record?
This question stems from the fact that there are often duplicate records, and system users may be linked to only a partial file. At other times, records contain outdated member data that challenges the linking process. So that’s why we’re recommending that using a unique, member-specific, non-Social-Security-number-based universal identifier is an important first step to data security. The idea behind this is pretty simple: organize the data in your systems first in order to best protect it. After all, health care organizations can’t effectively control who has access to data if a member’s data is split across multiple records or can’t be located based on outdated information.

As Courtney mentioned previously, we believe identity is the key to achieving the right balance between data security and member engagement. It’s important to establish that the identity on the record really exists versus being synthetic. It is important to verify the member’s identity information and validate they are who they say they are before granting access to health care systems and services. The health care organization should determine when and how to communicate with the member, ensuring updated contact information is maintained so they can best engage them. The member’s information should be protected from fraudster access. And as we discuss in this section, a foundational step is for health care organizations to aggregate the many data points about each member into one location, linked together by a unique, persistent member-level identifier, to create that one golden record about the individual.

The mismatches and duplicate records happen throughout the process of linking data elements to the member records, and they’re introduced at multiple points in a workflow, with data being captured remotely through telehealth offerings and portals as well as in person or over the phone through traditional means. You have members and employees entering data into systems all the time. When humans enter data, they can not only mistype the data in error, such as transposing digits in an address or phone number, but they can also enter data that is inconsistent with other records for that patient. So for example, do they enter the person’s nickname one time and their legal name the next time? Do they put a middle name and middle initial, or do they leave that field blank?

Even when we standardize within an organization, there may not be standardization across organizations. So for example, systems will often standardize addresses, but they might not use the same rules as other systems. Often this results in those systems not being able to match the similar but different data elements to link them to the same member record. Manually entered data and even standardized data can then result in records that are just dissimilar enough that the records can’t be associated to a single member record without manual intervention or the use of third-party matching tools.

When healthcare organizations then go to link records together, direct matches are not always possible. Especially for those members enrolled in care management programs, keeping track of all the medical records coming in from different systems can be complex. Mismatched and duplicate records start to be introduced. Mergers and acquisitions, which are becoming more common in the industry, as well as the use of health information exchanges and other cross-organization sharing of data, just compound these challenges.

Then there’s the issue of data maintenance. Even if the initial record is entered exactly correct, data quality starts to degrade almost immediately. People move. They get married, they change their last names. 
They get new jobs and change email addresses. This makes the linking challenge more complicated because you’re now trying to link records with varying degrees of updated information to the right person. For that reason, systems must have an ongoing process for maintaining quality member data.

So at LexisNexis, we approach the healthcare industry from the point of view of how data can help to solve problems. To do this, we recognize that for any healthcare organization to be successful, data has to be complete, accurate, timely, consistently maintained and delivered, valid and relevant. We recommend the use of a universal patient identifier to match and link records, which is also the critical first step to enabling all of these interoperability initiatives that we’ve been hearing about. Healthcare entities that use a universal patient identifier will be most successful at accurately and consistently matching and managing member identities within their system, ensuring that once access is granted to a portal, the identity accesses the right record when they are getting access.

As an example of how this works, LexisNexis aggregates data and then we use our patented linking technology to assign that data a unique identifier. This is what we call a LexID; it is our version of a universal patient identifier. Healthcare organizations then send us basic contact information from their patient records, and we append and return these LexIDs. We can also append updated contact information. This allows health care organizations to identify where they have duplicate records and merge those records. In the example shown, traditional linking methods might not have revealed that my car Jones, Michael Jones, Rob Jones are all actually the same person. These three records can now be collapsed into one. 
So a care manager can understand my full medical history in one place.

When choosing a unique identifier, we do not recommend using a Social Security number or other numbers tied to external processes. Our LexID, for example, is not really a meaningful number in and of itself to an outsider. By selecting a number that isn’t tied to something like a Social Security number, it significantly mitigates the risk of exposing an individual’s personal information or having their identity stolen.

In order to optimize member record matching and linking through automated approaches, you need two things: a vast referential database and sophisticated linking technology. The reason we could say that my Jones and Rob Jones are actually the same person is because we can match that data to public records that show other common elements that would identify they are the same person. The same could be said if one of the records had an old address and one had a new address. Referential databases make that type of matching possible. Sophisticated linking technologies make it possible to apply statistical analyses to the matching process and account for variations in how data is entered. We look at how unique different combinations of elements are to achieve confidence in our matching. For example, as you can see on the slide, we can say Jane and Jana are the same person because their first and last name combination is very unique for the Atlanta area. There are many John Smiths in Atlanta, so we wouldn’t make that same assumption. When choosing or designing a patient record matching approach, these are the key components for you to consider.

Now I always discussed the importance of the golden record. I’d like to hear your thoughts on either personal identifiers and our next poll question. So our next poll question is: is a universal identifier important to the future of health care? Your options are: yes, I agree. 
We need to begin utilizing a universal identifier; the benefits outweigh the risks. No, I don’t think we need a universal identifier; the risks outweigh the benefits. Or maybe you’re still deciding if any universal identifier is needed. We’ll give you a few seconds to respond.

All right. So as the responses are coming in, pretty clearly we have almost 78 percent in agreement that we do need a universal identifier, and obviously, based on what we just shared with you, we agree. So that’s great to see.

So once you have your golden records of data, meaning you have well-organized, consolidated member records, then you’ll be best positioned to link the right user to the right record. That leads us to our next recommendation, which is putting the proper data security protocols in place to validate identities and maintain the trust of your member population. In this next section, we’ll discuss the various layers of security, highlight strategic analytics and innovative technology, and present some key questions to ask when designing and strategizing your multi-layered security approach. We’ll also walk you through two example workflows that will show you how these solutions can be effective in achieving balance. Courtney, can you tell us more about the importance of data security and key considerations for selecting a multi-factor authentication solution?
Yes, Aaron. As you know, healthcare systems are under attack, and breaches which appear in the headlines are preventing members both young and old from adopting the usage of member and patient portals. 1/4 of overall patients state data privacy concerns for not using the portals, and patients over the age of 65 have security and usability concerns that limit patient portal use. As we indicated earlier, users have a reason to be concerned. Fraudsters are penetrating health systems at an increasing rate in order to enroll in health plans, fraudulently receive benefits and establish false identities to sell on the black market. So what can you do to help your members feel safe and secure when interacting with your portal, site, web application or calling into your call center? The answer we recommend is multi-factor authentication.

Now that we have complete, accurate and up-to-date information on our members, we are ready to leverage the data along with technology to build a multi-layered security approach to implement throughout your workflow. The goal here is to build the right level of verification and authentication across workflows so that the right members get through with little to no friction and the fraudsters are kept out, hitting several security blocks due to the detection of synthetic or manipulated identity information or their lack of proof that they are who they say they are.

On this slide we present a number of identity verification layers that can be implemented and layered in ways that allow your organization to achieve the best balance possible for your organization. It is important to keep in mind that not all layers are necessary for every transaction type. The layers in a multi-layered approach should be customizable to your specific workflow and use case. And lastly, to achieve balance, the key is pairing both low-friction and high-security solutions. 
I will briefly review each layer at a high level, and in the following slides we will walk through two workflows, which will allow us to take a deeper dive into how these layers can be effective when leveraged.

The first layer presented here is contextual, based on how a member interacts with your site, portal or mobile application. This layer is a great first line of defense and is completely frictionless to the members. It analyzes the device being used to access your site or mobile application and the behavior of the person as they maneuver through your site.

The second layer is based on how well the member’s information compares to others. Here is where public and proprietary information paired with linking technology is leveraged to determine if the input data being presented is representative of an actual identity and if the information belongs together.

The third layer leverages something you are, through biometric technology. It uses voice recognition or fingerprint scans to authenticate an identity.

The fourth layer is contributory, leveraging what others know about you. It collects data from other organizations and other industries to monitor when or if an identity has been seen throughout the network, how frequently it’s been seen, and if the identity was involved in any past fraudulent activity.

Next is possession-based. It leverages what the member already has, such as their email address, a phone number or government-issued ID, to verify their identity. It tests whether the ID is real or if the email or phone number receiving a one-time password is valid and belongs to the person requesting access.

Lastly, there’s knowledge-based, leveraging information that only the true owner of the identity knows to authenticate their identity.

With all of these various options, how do you know which one to choose? Prior to jumping into workflows, I want us to set the stage and present some questions to consider when selecting the right security layers for your workflow.

First, you should assess the effectiveness of the solution. How quickly and easily will fraudsters find ways around the layer? Various types of authentication methods should be used to cover different types of security vulnerabilities. How much will this layer cost to implement? How will the layer interact with your existing systems? While multi-factor authentication is important, you do reach a point of diminishing returns. It is important to implement solutions that serve different purposes, targeting different types of fraud throughout your workflow. How will these layers working together impact your member? Will it provide value? Does it cause complexity and unnecessary friction to the workflow? We recommend putting the no-to-low friction solutions upfront in the process and introducing solute These suspicious identities are facing additional scrutiny before logging in or completing a high-risk transaction. Lastly, what will be the impact on business processes, call centers, customer service and staff? As with all new technology implementation, processes and training will be required to make the most use of the new multi-factor solution. These are all things to consider when determining which solutions to implement into your workflow.

In the next several slides, Aaron and I will walk you through two common workflows for a new account opening and a login password reset use case. Here, we not only lay out our recommended layers of solution, but we also highlight the member’s journey through the process, the friction levels they’ll face, and the core security questions that each solution will help your organization answer when determining whether or not you should grant access. And will you walk us through the first example?

Thanks, Courtney, I’d be happy to. Before I go into the example, though, I just wanted to remind you all that you can send questions to us via the “ask a question” box at the bottom, and we’ll be happy to address those at the end. 
But please go ahead and start sending them now.

So our first example shows a new account opening use case. In this workflow, we recommend leveraging contextual-based data, which is analyzing how a member acts; analytics-based data, which is based on how a member compares to others; and knowledge-based information, which is what a member knows. One key takeaway is that while we have a large variety of solutions to deploy, we’ve elected to select only three for this use case that will be the most impactful.

In the first step in the new account opening workflow, the member accesses the site via remote device. This is a laptop or a mobile phone. Our goal is to get the real member set up with their account as quickly and easily as possible, so we start with a security check that occurs entirely behind the scenes by assessing the device and the user’s behavioral patterns. We’re trying to answer two questions. First, is the device being used to access this portal secure? The step looks for ways of filtering out bots and other technical threats. We also ask, is the user attempting to gain access to your portal exemplifying suspicious behavior? For both questions, we’re looking to recognize anything about the device or the behavioral patterns of the user that would raise suspicion.

During the next step, the member completes some basic information about themselves, such as entering their name, their address or their phone number. So once this information is submitted, that kicks off the second layer of defense. This time the multi-factor authentication solution compares the user’s input data to public record files to confirm the identity is a real person, that the inputs match to that identity, and that there’s not a high fraud risk with that identity. This layer of defense requires the user to complete a form with their information, so it includes a moderate amount of friction into the process.

At the last step. 
We validated the user’s device and identity, but now we want to make sure the person creating the app actually is the person whose information they supplied. To do this, knowledge-based authentication quizzes can be provided, asking the user questions that the real person should usually know and a fraudster would have to look up, but not before the system timed out. So let’s look at each of these steps in a bit more detail.

In step one of identity proofing for a new account opening, we’re evaluating how the user acts to determine if they should be permitted to open an account. A colleague of mine likens the step to the analogy of a car pulling up in front of your house. The first thing you do is peek out the window to judge whether you recognize the car. Is it suspicious, or is it a car you recognize? Is the driver recognizable, or are they concealing their features? In a cyber world, this is the same as device detection and behavioral assessments. Your devices and how you use them are part of your identity, and there are hundreds of attributes you send every time you make a call or sign on to an internet site. This includes aspects like the device ID, the time zone you’re in, the browser language you’re using, your IP address, your GPS location and more. Moreover, the way a fraudster handles a mouse or interacts with a portal interface is different from the way a real user would. Things like your device ID, your location, whether you copy and paste or manually fill out fields: all these things contribute to a digital fingerprint that can be associated with you. It can also be used to detect fraudsters, for example, where a call is coming from or is being passed through a proxy server. So technology can detect if the same device claims to be calling from Texas and then two minutes later claims to be calling from Georgia. Further, technology allows us to check for a bot versus a human simply by looking at screen behavior. Like, are they going in straight lines or curves? Is it scrolling? 
There are things like click speed, different elements like that we can look at, which differ for bot use versus human use. The benefit to evaluating a device or behavioral patterns is it doesn’t cause friction for the user, because it occurs behind the scenes. Your members can then feel confident and safer knowing you are providing them with security without inconveniencing them. An additional benefit is that once a device is determined to be safe, that device can be associated with users, so future requests for access coming in on those devices can be more easily verified.

In step 2, after you validate the device and behavior of the person, it’s important to verify the person’s information. If we consider the car analogy from before, once you’ve determined that the car looks suspicious or not, you still want to make sure you know the person inside. If you can’t see them well as they approach the door, you might ask for more information before letting them in. You can picture someone standing at a closed door and calling through it: Who’s there? Who is it?
This next step is the data security equivalent. During account setup, users are typically asked to enter basic information about themselves so you can link this to the right member record. To answer the question "who is it?", technology can compare the information they enter to public records and determine if the name is real, the address is deliverable, the phone number is active, that the date of birth matches the name and so forth. By verifying the identity elements, we can be more confident that the identity is real and not likely to be fraudulent.

Now that you’ve confirmed the person’s device and behavior seem safe, and verified that the identity is a real person, there’s a third step that is recommended: authentication that the user is who they say they are. This can be easily tested by asking questions only the real person should know. We’ve probably all experienced these questions before when we applied for a loan or an insurance policy. These are the questions you get, like what counties you live in, which of the following people do you know, and which of the following addresses have you lived at before. You
would immediately know the answers because you lived it, you experienced it. But a fraudster is going to have to look it up, and that takes time. This final step authenticates that it’s really you that is trying to access your member records, and that should increase the trust of your members in your healthcare organization. With these three layers of defense in place, real member accounts can be created with a high degree of confidence. Next, Courtney will walk us through another common use case that happens on a recurring basis.

Thanks, Aaron. Our second workflow walks you through a login or password change use case. In this workflow: contextual-based data, analyzing how a member acts; contributory data, based on what others know about you; and possession-based information, what a member already has.

In the first step of the workflow, the member accesses the site via a remote device, for example a tablet, a laptop, a mobile phone. Here we’re asking ourselves: is the device being used to access this portal secure? Do I recognize this device? Is it a returning device? As Aaron mentioned in the previous workflow, this layer is completely frictionless to the end user and serves as a great way to determine the next step in the authentication process.

In the event that the member attempts to log in from an unrecognized device, we have a couple of recommended options for step two. In preparation to send the one-time password, the member selects forgot username and password. Then the member must choose whether they would like a one-time password sent to their phone number or their email address, and based on their response, they must input a phone number or email address. Now we must ask ourselves: does the phone number belong to the user requesting an OTP? Does the email address belong to the user requesting access?
Here is where we introduce contributory data. Leveraging that email address provided, we are able to search industry networks to find out if fraud has been associated with that email address you are sending a one-time password to, or has anyone else detected something suspicious about the email address requesting an OTP? Due to the fact that the majority of people have their phone or emails at their fingertips, we consider this to be low to medium friction for our end user. Based on the success of the phone or email verification, the last step in this workflow is for the member to receive an alphanumeric code in real time and enter the code into the system for authentication.

Let’s dive a bit deeper into contributory-based data, or what others know about you. Contributory-based data answers the questions: have other organizations experienced fraud or suspicious behavior with this associated identity? Where else does this identity appear in my system or with other health organizations? Has this address been associated with financial, insurance or industry fraud? Contributory-based data allows you to take your internal network and test it up against the external network of known fraud in an effort of preventing fraud before it happens. With the interlocking of network activity, members can benefit from monitoring technology to receive alerts when their identity information is being used in a transaction cross-industry.

Lastly, I’ll talk about possession-based data: leveraging something that the member already has. In our login and password reset workflow example, we spoke briefly about sending a one-time password via SMS to a mobile phone or via email. But there are other forms of possession-based verification. Here we can ask ourselves the following: is the government-issued ID being used real? Is the email address being used to interact or send a one-time password valid? And is the phone number you’re calling or sending a one-time password to valid?
Aside from a one-time password, organizations have the ability to authenticate government-issued identification, for example driver’s licenses or passports. They do this by performing dozens of different tests and image-based tests, including but not limited to color accuracy, placement of elements on a card like a portrait picture, signature, state seals, hologram patterns, microprint and other security features expected for a known ID. That ID image is cross-checked against thousands of document templates from hundreds of countries and territories worldwide to test for accuracy and validity. This method of verification could be best utilized when picking up a prescribed controlled substance or when enrolling in a health plan for the very first time. Images of identification can now be captured via webcam, a document scanner and/or mobile phone taking pictures, with technologies such as facial recognition and matching algorithms to compare a selfie taken by the end user at the time of document authentication to the portrait image that is extracted from the submitted document.

Let’s look at our next polling question. How many forms of verification is your organization currently using? Is it one, two forms, three layers of detection, or four or more?

So it looks to me right now that 66, 70 percent are using two or more forms of authentication, which is great to see. But oftentimes it’s not about having the most layers or the highest security layers within the workflow, but as mentioned, it’s about analyzing your existing workflow and highlighting the gaps where potential fraud might occur. So although two layers is great, you might need three or four depending on what access methods and gaps you’re trying to fill within your workflow. So you should leverage the questions discussed in today’s training to fit the right solutions in the right places. This will allow you to fill those gaps in a way
that makes sense for your organization. I will now hand it over to Aaron, who will summarize the keys to creating balance and provide you insight into next steps, should you be interested in learning more on how this can impact your organization.

Thanks, Courtney. Before we review the keys to creating data security and member engagement balance, I wanted to share two final points from the cybersecurity survey we commissioned recently on healthcare organizations. It was interesting to see on our polling questions that most organizations are using two or more different types of layers. In our survey, 93% of respondents said they were using username and password to protect member and patient data. So less than half were using more sophisticated methods like knowledge-based authentication and device assessments. So that had me asking myself: would I feel safe knowing my medical and science data was only protected by a username and password? I don’t think I would feel safe, which is why multi-factor authentication is so important.

The second interesting finding from that survey that I wanted to share was that 65% of healthcare organizations stated their patient identity management budget would stay the same or even decrease over the next year. This was shocking to me at a time when fraud is up and a breach can cost organizations there were 400 dollars per person to recover from. Multi-factor authentication
not only protects the member but also the healthcare organization. So now let’s take a final look at those keys to achieving the balance between data security and member engagement.

To achieve balance of patient engagement and data security, you should assess both the digital and the physical identity of your members. Members access your systems and health plan services in a variety of ways, and it’s important to have multi-factor authentication methods that match the methods and point of entry. The same can be said for access points for employees and vendors, although we primarily focused on members today.

You should also create and maintain a golden record on each member. This helps you to better protect data by linking your members to their complete records, and improves member engagement by helping you to see a holistic view of your members in one place and better keep their records up to date.

Finally, you should implement the right solutions at the access points within your workflow and verify and authenticate the identity of your members when they are accessing your systems and health plan benefits.
It doesn’t mean utilizing every verification and authentication tool every time a user tries to perform any type of transaction. It means matching the data security tools to the use case and balancing high and low friction solutions. We always recommend having two to three layers of security in place with step authentication options, because there are different types of fraud, but also being efficient and thoughtful in which types of security you deploy to optimize the real member’s experience. So with that, I’ll turn it over to our moderator Charlene to open up the session for questions.

At this time we would like to answer a few questions from the audience, and I do see some coming in. If you still have a question, you still have a few minutes; you can go ahead and submit that. The first question that we’re going to share today says: as technological advances accelerate, how can we ensure that older patients who have fallen behind the technology curve still have access to the medical information?

Now this is a great question; we get asked this a lot. I think the key ways that we can do this are with those, basically, the security levels up front, like device assessment and behavioural patterns, where you’re not really expecting the older generation to interact at all. And then what we will do with things like knowledge-based authentication questions, particularly when a population tends to trend older like Medicare populations, is we will build more time into the service to give them longer to read the questions and respond. And then there’s always the option to send them to a call center so that they can interact with a real individual in order to be able to get their information that way. The other trend, though, that we’re seeing is that older generations actually are becoming more comfortable with using the online system, so expect that to be a trend that continues. But certainly we want to be able to continue to support the different needs of the populations.

Okay, we have a few more minutes here,
so we’ll entertain a couple more questions. The next one is: is there any difference in how payers and providers are approaching cybersecurity?

I don’t think there’s much of a difference with how payers and providers are approaching cybersecurity, as the access points or access methods for both patient portals and member portals are very much similar. And also both seem to have call centers that require those multiple levels of security when authenticating a patient calling or a member calling in to gain access, whether it be to their lab results or whether it be to claims data or personal information. So in terms of how patients and members, or providers and payers, are securing their patient or member portals, it’s similar in terms of how they’re implementing these processes.

Thank you for that, Courtney. I have one more question, and we still have a few minutes if there’s any others that want to roll in. So which groups in an organization should be responsible for achieving this balance?

Yeah, that’s a great question, and you know, I think the answer has been shifting over time. When we did the focus group with our CHIME and CIOs and other executives, what we found is that in the past data security has been pretty much the full responsibility of the IT group, and member engagement fell within other parts of the organization around member enrollment and basically care management programs. But we’re starting to see those groups collaborate across to achieve that balance between wanting to put data security in place but also make it easy for users to get access to portals. So the answer is it falls in multiple places, and it’s becoming more of a cross-organizational initiative to help find this balance and do what’s in the best interest of members.

Thank you for that, and it looks like we have another question. So how are we going to get to a nationwide universal member ID? It has not happened so far.

Yeah, that’s a great question. As part of the CHIME focus group,
we had the same discussion, and a lot of our participants are starting to lose faith in the idea of coming up with a national patient identifier. So what we really have proposed is, as an initial step, coming up with what we’re referring to more as a universal patient identifier, where it may not be a national standard but it can be used to help with interoperability. And basically, if you’re comparing it to a referential database, then you’re still able to take in data from multiple locations and assign an identifier, and as that data moves to different organizations, they can do the same. And over time, as different organizations start to adopt similar universal identifiers, you start to see that interoperability increasing, and hopefully that will lead us to a point where we feel more comfortable with a national patient identifier. I think right now we’re not willing to commit to what that should look like because we’re still learning the best methodologies around this, but it’s certainly becoming more sophisticated over time, and I would expect that as organizations start to adopt some form of standardizing this, it will eventually lead to a position where we can look at doing it nationally.

Thank you. Okay, so it looks like we don’t have any more questions coming in. We want to thank you for joining our webinar. This will conclude today’s presentation. Thank you again for your time, and please watch out for our follow-up communication.
