New challenges are being posed to the security and confidentiality of health data by technological developments in healthcare, in particular the high-growth telemedicine sector. Issues include doctors accessing patients’ records from their home or from devices during house calls, or calling the doctor’s office, hospital or health insurer to ask for information on a patient they are seeing in real time (with impersonation of doctors being a major source of wrongful disclosures of health data). In addition, patients interact verbally with providers through virtual personal assistants, or increasingly Internet of Things (IoT) devices and applications in health care, telemedicine and care for the elderly.
To meet those challenges, there is a pressing need, not just for strong encryption to guard against the loss of the data but crucially, a reliable and effective electronic identification system that provides strong authentication. In both the USA and Europe, regulation increasingly requires the adoption of state-of-the-art technologies to this end.
HIPAA and GDPR and unauthorized disclosure of health data
Under both the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the EU’s General Data Protection Regulation (GDPR), disclosing health data to a non-authorized third party constitutes a data breach that carries very significant penalties. Moreover, both HIPAA and the GDPR will apply to U.S. based health and care providers or health insurers, if they offer their services to people in the EU/EEA, or “monitor their behavior”.
Secure authentication requirements
It is increasingly recognized in both the U.S. and Europe that the state-of-the-art now requires at least two-factor authentication in relation to online or mobile access to sensitive data including health data. In this context simply asking for a password, the answer to a simple security question or a static PIN must be regarded as insufficient.
The EU’s GDPR requires the carrying out of an in-depth Data Protection Impact Assessment (DPIA) for any system that processes sensitive data (such as health data) on a large scale. If the assessment shows that the risks posed by such systems cannot be properly addressed – for instance the system does not incorporate a reliable and effective electronic identification system that provides strong authentication, then the relevant regulators must be consulted – and many if not all would refuse to allow such an insecure system.
Precision biometrics the key
For oral queries therefore, by doctors, caretakers or patients, voice biometrics offers a highly effective solution to this dilemma. This protects the healthcare workers in particular from the risk of phishing and impersonation attacks, one of the leading causes of healthcare breaches in the US according to HIPAA.
However, where Electronic Health Records are concerned, electronic access should incorporate the strongest possible form of identity authentication. Two Factor Authentication (2FA) as it exists today is simply not strong enough and is proven to be vulnerable to sophisticated fraud vectors. The healthcare sector needs to implement the best of breed and follow the path already being adopted in leading enterprises where the transition from proxy authentication and knowledge-based authentication (KBA) to strong identity authentication is already underway.
At the core of this new capability is precision voice biometrics. Voice biometrics is a unique biometric since it is two dimensional; it is not just who is speaking but also about what is being said. For example, the combination of voice biometric modality with a unique one-time passcode. The biometric modality is provided by voice, the cryptographic strength by a randomly generated One-time-Passcode (OTP). Simply by speaking an OTP, the mathematical precision of biometrically authenticating the voice, confirming the digits and confirming that it is the authenticated voice speaking the digits provides dramatic security strength equivalent to the multiplication of either component in isolation. This approach not only defeats phishing attacks and stops impersonation attacks, it limits the sharing or illicit use of access credentials among health workers and takes biometric authentication, an extremely accurate but nonetheless probabilistic solution, to a level of precision previously unseen. Most importantly, it is incredibly easy to use with no more passwords, phrases, answers or PINs to remember – just speak.
Whilst so much effort in the protection of patient healthcare information is concentrated on encryption, firewalls and physical datastore protection, leaving the analogous front door open to unauthorized access will see the continuation of healthcare data breaches. It’s time for the healthcare sector to take the initiative and move to the highest common factor.