(This article was originally published in Healthcare Call Center Times in December 2020.)
Healthcare organizations and their contact centers deal with unique data security and privacy challenges. The healthcare industry has long been a preferred target of hackers and cybercriminals because healthcare providers, insurance companies and their contact center agents handle and have access to a wide variety of highly sensitive information including patients’ medical records, payment card information, birthdates, addresses, social security numbers and more.
Given the sensitivity of the information that is shared and recorded on an hourly basis, it’s vital that Healthcare contact centers ensure all this data is kept safe and secure—both from outside threats as well as from potential bad actors internally. Research shows healthcare data breaches more than tripled in 2019 over the previous year and resulted in more than 41 million patient records exposed, with a nearly 49 percent increase in the number of breaches caused by external hacking incidents. Yet, even with this growth in external hacking attacks, the majority of data breaches in the healthcare industry come from internal threats (59 percent), according to the annual data breach investigations report from Verizon.
In one recent example, an employee working for the Veterans Administration (VA) call center stole $19 million from the VA in a single year. He regularly spoke over the phone with health care providers and VA beneficiaries or their family members about their healthcare needs and claims reimbursement. He used the information he gathered to fraudulently sign up family members of beneficiaries for home health services with sham entities, from which he received kickbacks when the reimbursements were paid.
Now, as the COVID-19 pandemic sweeps the globe, the data security and privacy challenges faced by healthcare contact centers become even more complicated. Malicious hackers are upping their attacks on the healthcare industry because they know their targets are already overwhelmed, making them easier victims for ransomware attacks and data breaches. At the same time, healthcare providers and insurance companies are attempting to figure out how to securely transition their contact center workers to a remote working model as shelter-in-place orders force people to remain home. Contact center agents and patient service representatives are taking calls, answering questions via online chat, responding to patient emails and more, all from their own homes—where they are likely in an unsecured environment. Work-from-home agents may be using unsecured Wi-Fi networks, they could have compromised devices, and could even have housemates or family members who could overhear sensitive information being shared on phone calls and use it for their own personal gain.
As COVID-19 dramatically changes the way we all work, healthcare contact centers must enable a dispersed and remote workforce, while still maintaining strong data security and complying with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA) and more.
Here are four best practices for adapting your healthcare contact center businesses to remote work while ensuring data security and compliance remain top of mind.
1. As much as possible, keep sensitive data off networks. In times of crisis, strict security controls may be more difficult to implement, especially if employees are working from home and are reliant on their own networks and Wi-Fi systems. The best way to prevent data leaks—both those caused by outside hackers as well as those caused by inappropriate access from internal employees—is to ensure, as much as possible, that sensitive data is kept out of agents’ home networks.
Using technologies like DTMF masking, patient representatives can securely accept payments over the phone, without ever handling or storing the sensitive payment card information itself. The caller simply inputs their payment card information, birth dates, social security numbers or other sensitive numerical data using their telephone keypad. The touch tones of the keypad are replaced with flat tones, making them indecipherable to the patient service representative on the line, call recordings or anybody who may be eavesdropping nearby. The payment data is encrypted and routed directly to the payment service provider (PSP) for processing. Similarly, secure payment technology solutions can also be used to accept payments in digital channels such as email, webchat and social platforms, all while keeping the data encrypted and segregated from the contact center or the patient service representative’s home network by routing it directly to the PSP.
For sensitive data that cannot be kept out of the network completely, businesses should consider using tokenization to replace personally identifiable information (PII) with a meaningless equivalent. That way, even if a breach is successful, the hacked data will be of no value to the cybercriminal. For additional PII that can’t be tokenized, use the principle of least privilege user access on computer systems to give employees the minimum level of access required to perform their job function at the appropriate time. This limits the data that enters an employee’s home environment, while still allowing your teams to focus on serving patients.
2. Make sure all employees have thorough compliance training. All employees with access to any type of sensitive data should undergo thorough data security and privacy compliance training. At a minimum, they should be trained on the relevant requirements for HIPAA, GDPR and PCI DSS. Employees should have their training refreshed at least annually. As organizations transition to a remote working model, now is the perfect time to conduct a compliance training refresher and incorporate additional training and best practices for securely working from home.
3. Implement security alerts. Healthcare contact centers should adopt technology solutions that alert appropriate staff if an employee views sensitive patient data unnecessarily. Sometimes referred to as “Break the Glass” technologies, these solutions ask the employee to re-enter their password when accessing confidential information or the records of a high-profile patient. Some even use sophisticated pattern recognition to automatically flag suspicious activity to higher-ups, such as when a contact center agent or patient service representative accesses information not typically used in their role, or is viewing an unusually large number of patient records, which could be a sign that they are looking for sensitive data to steal. These types of technology solutions are becoming more sophisticated and available to healthcare providers of all sizes.
4. Use real-time analytics to be your eyes. Before COVID-19 you may have been physically able to oversee your healthcare contact centers’ day-to-day operations, but don’t let remote work hinder your understanding of how agents are working or servicing patients. By implementing cloud-based, real-time analytics solutions, healthcare contact center managers can gain a more comprehensive view of the center’s payment and patient support systems from anywhere. Analytics can also monitor higher-level trends that may be of concern, such as an increase in failed payments, system resets or increased wait times.
We are all vulnerable to COVID-19, but people should not be vulnerable to potential data breaches or fraud stemming from their healthcare contact center. Implement these tips in your organization to keep patient data safe, stay compliant with industry regulations and minimize risk while your employees work from home. We are all in this challenge together and can successfully protect important personal data.