Telehealth Has a Major Weakness: Identity Proofing.
Here Are Zero Trust and IAM Strategies to Modernize Your Virtual Care Security
By: Amogh Tarcar, CTO AI Research, Persistent
Even as the vaccines begin to reach a critical mass of the U.S. population, virtual care and telehealth usage continues to rise. Though it is expected to plateau after some point as the pandemic recedes, forecasts show that virtual care will continue to be used permanently for low acuity conditions, representing a large volume of care encounters.
Traditionally each virtual care encounter has involved the patient connecting with a clinician using a remotely connected video conference. The same caregiver may be assigned for a follow-up encounter, but it is more likely that the caregiver may change over time given the call volume or due to specialist referrals. Even with a registration card, it may be difficult to validate the person receiving care is the same one entitled to receive care.
This presents challenges in delivery of virtual care. It will be very difficult to ensure that patient safety can be guaranteed without securely verifying the identity of the care recipient. This will potentially open the door for fraud and abuse for the services rendered. Another potential risk is violation of HIPAA if the intended purpose of the unverified care recipient is more targeted towards getting unauthorized access to the patient’s records.
As healthcare organizations move patient care into the cloud, they need to modernize their Identity and Access Management (IAM) programs to manage identity and access related security risks. Here’s an overview of zero trust frameworks and identity proofing strategies that can make your virtual care considerably more secure.
What is Zero Trust?
Zero Trust, as a model and term, was coined in 2010 by then Forrester Research principal analyst, John Kindervag. It means exactly what it sounds like. Organizations should never automatically trust requests for access to their systems, whether that be from an outsider or an insider. Everything represents a potential threat, and everything should be verified.
This model is a huge departure from the old castle-and-moat approach, where organizations were primarily concerned with defending their perimeters. In actuality, insider threat remains a huge issue. Even more concerning is the threat that outside hackers pose once they’ve gained access beyond an organization’s firewalls, where they’re basically free to wreak havoc with few, if any, checks.
Security breaches now cost healthcare organizations $7.13 million on average, up 10% from 2019, according to the latest IBM Report. Part of this increase is likely due to the rise in telehealth and virtual care, and identity proofing via a zero trust framework will become increasingly important in this context.
Here are a few of the best strategies to keep your telehealth and virtual care safe and secure:
The first and most obvious protocol that all healthcare providers should be using in their virtual care solutions is multi-factor authentication.
This would go beyond just matching the registration card or accepting credentials. Secondary authentication is already widespread, especially in the form of codes being sent to your mobile device, but there are a number of alternatives. This includes authenticator apps that use QR codes, pushed-based authentication that allow users to approve logins based on prompts sent to their device, and, finally, Universal Second Factor (U2F) that use devices such as USBs that contain “security keys” that must be present on your computer when you attempt to login.
A Verifiable Credential is a relatively new solution that stamps a digitally issued credential onto a disrupted ledger or blockchain, ensuring that it is accessible and verifiable. Because distributed blockchains are immutable and the information on them cannot be reversed, things like educational qualification, job history, personal details, licenses, certificates, etc., are accessible to the authorized parties in a tamper-proof and authenticated manner.
These Verifiable Credentials make onboarding a patient into your virtual care system instant, tamper-proof, and completely hassle-free. For instance, if the patent had a driver’s license issued from the DMV in this manner, your healthcare organization would be able to instantly verify their identity by checking their identity wallet. This has the added benefit of protecting patient privacy, as, in what is known as a zero knowledge proof, it can verify identity without revealing any additional information. For instance, you could verify a patient is over 18 without actually requiring them to share their birthdate.
Facial Recognition with Liveness Checks
Despite the many benefits of multi-factor authentication, it can only go so far, especially if a device has been stolen.
An additional level of proofing would be to use face recognition with liveness checks and detection. The latter mechanism provides the most robust form of validation of the person receiving care.
Liveness detection essentially allows an AI system to determine if a face is real or fake. It counters biometric spoofing attacks, which take advantage of the abundance of epassport data now available to create fake images that fool facial recognition systems and gain access into systems.
By using algorithms that can spot variations of poses, expressions, and background lighting, liveness detection can easily spot such spoofing attacks. In fact, many systems even go so far as to brighten or darken the screen to test for pupil dilation, something that is difficult to mask with a rendered image.
A practical approach is to trigger the checks dynamically based on the risk level of the associated activity. Appointment scheduling should be considered less risky as compared to a mental health consult. In the future, regulatory requirements may also need the associated authentication records to be maintained along with actual health information.
The Future of Virtual Care
HIPAA regulation is remarkably strict with how healthcare organizations should handle patient data, but telehealth and virtual care represent a relatively new area of vulnerability. As biometric data continues to grow, it is increasingly likely that bad actors will try to use this data to gain access to systems as if they were insiders.
Healthcare organizations are increasingly combating these security challenges by implementing Digital Front Door solutions that leverage a zero trust framework and identity proof their systems through IAM. By layering in multi-factor authentication, Verifiable Credentials, and facial recognition with liveness checks, healthcare organizations can make sure that virtual care is safe and secure moving forward.