Connect with us


Why telemedicine is just as convenient for fraudsters as it is for patients



Philipp Pointner discusses the importance of verifying and authenticating patients and how ‘Know Your Customers’ principles can be applied to telemedicine.

Even as lockdowns lift, COVID-19 has led to significant shifts in the way we live our lives. Because of the pandemic, we have moved most, if not all, aspects of our lives online: our exercise classes, our banking and even our medical aid.

Many of these changes are here to stay. So much so that a recent survey found that only one in 10 GP appointments will remain face to face as we move forward. While the majority will be conducted via phone call, a portion of those appointments will be via online video.

This move is a welcome change for many who don’t want to leave their homes to speak with a doctor. While telemedicine offers vast opportunities to the public and healthcare providers, it also opens up an equal amount of risk.

By letting doctors virtually into our home, we are also potentially opening the door to fraudsters looking to exploit this new virtual process. While online fraud, in general, is on the rise, the healthcare space is particularly vulnerable to impersonation fraud given that medical records can be listed for up to US$1,000 on the dark web, 10 times more than the average credit card record, making telemedicine a lucrative target for cybercriminals.

Putting a plaster over the issue

Medical records carry such a high value to fraudsters because of the data they contain, including a patient’s age and address but also personal information, like medical histories and prescription details.

This level of detail leaves individuals vulnerable to identity, insurance and prescription fraud. This vulnerability is exacerbated by an ever-growing number of data breaches. On average, a data breach in the healthcare industry costs £5.2 million globally, compared to a global figure of £3.2 million across all businesses.

After a data breach, it is often the breached organisation that comes under fire. However, individuals also have a role to play when it comes to protecting their own identities. We have all been guilty of reusing passwords when creating accounts out of ease, but by doing so, you are putting your whole identity at risk due to the rise in credential stuffing.

This is when fraudsters buy email addresses and corresponding passwords in bulk on the dark web and then use bots to try and access thousands of websites with those same login details. Given the high level of credential stuffing success, patients need to think seriously about password hygiene when it comes to setting up an account with a telemedicine provider.

Finding the cure

More secure than passwords is a watertight Know Your Patient (KYP) strategy. This is a far more sophisticated way of protecting data and ensuring that providers genuinely know they are dealing with a legitimate patient.

When we visit the GP in person, we would expect to take some form of documentation with us to prove our identity. In the virtual world, we still need to conduct that identity verification, and in fact, it is even more important that we do.

But how important is this step? Well, 67 per cent of UK healthcare organisations have experienced a cybersecurity incident in the last decade, and 2,550 healthcare breaches have impacted more than 175 million medical records. As a result, these medical records are now likely to be readily available for purchase on the dark web, meaning that the person a doctor is prescribing a drug to may not actually be the person they claim to be.

Once a breach has occurred and the fraudster has obtained medical records, they can use this information for themselves or sell it on the dark web for profit. This information could then be used to exploit the medical industry by accessing medication they shouldn’t be selling online.

Therefore, a KYP process needs to be as strong as possible at all stages of the patient journey in order to mitigate these potentially catastrophic risks. Healthcare agencies need to make sure they can verify that the patient is who they say they are — a potential challenge when not in person.

However, by leveraging technology, patients can prove their identity by providing a photo of their government-issued ID and taking a corroborating selfie using their smartphone or webcam. The healthcare provider can then cross-reference identification documents to ensure they are the same.

Technology is advancing with biometric-based tools such as liveness detection, so organisations can determine that the patient is physically present when taking their selfie. This tactic doesn’t need to be on sign-up only, though. The method can be used to continually verify patients as they conduct further transactions — be it booking a treatment or ordering a prescription.

If we are truly facing the scale back of in-person GP appointments, healthcare providers must step away from vulnerable password processes and look to the future of identity verification. Telemedicine is a huge opportunity but we can’t let opportunistic fraudsters get in the way. If we are to provide safe, convenient and modern ways to access healthcare, we have to make sure the strongest KYP measures are in place.

Phillip Pointner is chief product officer at Jumio, a company specialising in identity verification through AI, biometrics and machine learning.


Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *