Stealing credit card data suddenly seems so last year. Today’s sophisticated cybercriminals see real potential in the juicy details associated with patient information: Social Security numbers, emails, addresses and phone numbers. Philip Andreae, Vice President, North America, at Oberthur Technologies, and MPD CEO Karen Webster discussed what lessons the U.S. health care industry can learn from payments when it comes to protecting a patient’s digital identity.
On a scale of 1 to 10, most would admit that payments is about as close to a 10 as it gets when measuring complexity. That same question when applied to health care would pin the scale well beyond a 10, given both the number of players involved and the sensitivity of the data that the ecosystem captures and stores.
It’s a sentiment that Philip Andreae, Vice President, North America, at Oberthur Technologies, shared in his recent conversation with MPD CEO Karen Webster about the latest issue of the PYMNTS Digital Identity Tracker.
“[If I] lose my payment card,” he told her, “so what. I call the bank and get it fixed. But [if I] lose my personal information — my address, my Social Security number, my salary, the claims that I’ve had, my medical history — that’s personal.”
It feels that way — it is that way — because there’s “a lot more at stake,” observes Webster, when that information is compromised.
No consumer wants a bank account to be compromised, but the account holder can at least take solace in the support system the bank provides for "making things right." A compromised medical record is, as Andreae pointed out, a far more troublesome personal experience (on top of the unique financial costs, which The Wall Street Journal reported on recently). A card number can be reissued; a person's Social Security number and medical history cannot, and, right now, there is no process in place within the U.S. health care industry to make things right in the event of fraud.
This raises the bigger question: What can the industry do to protect against breaches? And can health care learn from the successes, and even some of the failures, of the payments industry?
Listen in on Andreae and Webster’s conversation.
KW: The health care industry is a bit of a departure from our typical conversations about payments and financial services. But it’s related for one very important reason: Like payments and financial services, it’s under attack from cybercriminals who want data — in this case, patient data — for nefarious purposes.
What can the health care industry learn from our experiences in dealing with cybercrime in payments and financial services?
PA: As we speak, our people [at Oberthur] are working with Congress to try to help it understand the issues that health care must address. A more secure environment needs to be put in place, one that protects against the cybercriminals who are playing games with us.
What’s telling is that the amount of fraud in the card payments industry pales in comparison to fraud in even one small section of the health care industry. There is $30 billion of it that U.S. citizens subsidize in taxes. One begins to wonder, why did we address payments before we addressed health care?
What the health care industry should take from how payments has dealt with fraud is the need to address authentication. In its case, authentication of the patient being presented to any part of the industry — be it a doctor, a hospital, a clinic, a pharmacist, et cetera.
What many — myself included — believe is best is multi-factor authentication. The individual patient needs to be associated with something genuine that only he or she possesses, similar to what’s being done in payments with EMV cards.
Data security is another important point that needs to be addressed, particularly as it applies to enterprise systems. We’re talking with health care providers about introducing more secure ways of protecting enterprise data at rest. Tokenization can be useful in that regard, but the option of storing personally identifiable information (PII) in the cloud raises additional concerns about secure access.
KW: It’s hard to know where to start. I agree that authenticating the patient is critical, but that leaves mountains of data there for the hacking. I’ve heard a lot of executives in retail, for example, say that they don’t want anything to do with any of that data to begin with; they want it out of their hands and secured and stored somewhere else.
So, how do you think about where to start in health care, given that it contains two ends of a spectrum that are both important to protect?
PA: While the health care and payments industries are similar from a security perspective in that they both require a great deal of strategy, they’re diametrically opposed in another way.
The payments industry in the U.S. contains two large entities — Visa and MasterCard — that are able to heavily influence the environment: how it will operate, and how data is going to be managed. The health care industry in this country, on the other hand, is dealing with multiple players: the payer, the insurance companies, Medicare, the state and federal governments, care providers, doctors, hospitals…and of course the patient. It’s a much more complex ecosystem, and the challenge is figuring out how to get all of the different parts to work together, and potentially create a standard moving forward.
KW: Creating the EMV standard certainly wasn’t a simple process…but I take the point that Visa and MasterCard set the rules and the operating procedures for payments, while such an analog is lacking in health care.
If we are on a path to a digital identity, defining patient credentials and authenticating consumer access to health care services, who is in the best position to be the Visa or MasterCard of the health care system? Does such a player already exist, or is this an opportunity for a new one to emerge?
PA: Let’s start with who pays the most to the health care ecosystem. That’s the federal government, through the state government.
KW: That sounds a little scary to me.
PA: I totally agree — it is scary. The federal government is the largest payer. The same party that’s in a position to save citizens money on costs related to health care fraud is also the one that carries the greatest risk — that $30 billion previously mentioned — that can be addressed by positive identification of the payment on an annualized basis.
Were we to consider private enterprise as a solution, there’s a long list of companies to be dealt with: Anthem, UnitedHealthcare, Kaiser Permanente, and many others. Would they be willing to sit down at the same table and agree to develop something? It would require a lot of work — for example, establishing a method that would allow for electronic patient records to be transferred across different systems. But I think we can get there. It’s going to take the will of Congress first, and then the willingness of the 50 states to cooperate to develop a coherent set of solutions.
As for the potential for a new actor to walk into this already complex system…I wish them luck. Maybe there is somebody who can do that.
KW: $30 billion: that’s a big motivator to try to solve a problem. Typically, as we’ve seen in a lot of ecosystems, including payments, there’s often a trigger that moves the industry to action — the Target breach propelled EMV forward; payment networks incentivized merchants to accept debit.
Are you saying that a regulatory initiative is the only possible incentive that will effect change in the health care industry?
PA: On April 14 of this year, the Medicare Access and CHIP Reauthorization Act of 2015 (H.R. 2) — sponsored by Representative Michael Burgess of Texas — was passed into law. In Section 503 there is a requirement for the associated health care agencies to look at using a smart card as a means of patient identification. Congress knows that multi-factor authentication makes a lot of sense, and it’s now looking to the administration to figure out how to implement it.
Oberthur, as part of the work that we’re doing with some of our competitors, is actively lobbying the Hill to embrace and understand the process. Taking the lesson from payments and what was done related to PCI, making lasting and effective changes is all about getting people to embrace, adopt, enforce, and maintain.
The catalyst that has to drive the health care industry right now is that $30 billion in U.S. taxpayer expense.
KW: It’s also a question of enforcement, right? Perhaps there isn’t enough.
PA: I agree. And establishing that regulatory construct is the real challenge.
We have the enabling technology; the fact that we can argue about which particular element to use — cloud, tokenization, smart card, mobile device, and so on — proves that the challenge is not a technological one.
KW: There is such a complexity associated with health care, because of all the state regulations, the government programs, the private insurance companies, and now the consumer — who’s absorbing a lot more of the health care expense than they probably ever had to manage previously. They have a louder voice in the matter.
Let’s talk about the smart card. For the technology to work, there has to be hardware and other enabling infrastructure in place. With payments here in the U.S., we’ve seen how long it can take for that to happen. Where does it start for health care — does it start with the government and its programs?
PA: I think that’s one place where it can start. But with, as you mentioned, the patient taking on more of the cost, there’s also more intersection between health care and payments.
An interesting synergy is taking place with payment terminals being installed that are capable of communicating with a smart card and a smartphone; it’s creating an opportunity to talk with the system providers about adding a layer that allows for communication with a smart card that is also a health care card. Part of the existing infrastructure can facilitate health care payments.
Can all of the infrastructure do so? No. There are still doctors who prefer payment with paper check, and there are still citizens who don’t remember their PIN or understand how to use the ATM. Issues such as those will have to be addressed as things move forward. But there is room for synergy. The fact that you and I are talking on PYMNTS.com about health care speaks to that.
KW: Might the mobile device — and designing a health care data-protection strategy around it — be the unifier?
PA: At Oberthur, we have nothing against using the mobile device. As you know, we provide, for example, PEARL — which is a secure element that is integrated into mobile devices. It’s the same thing that we put into a card and that we’ll put into Internet of Things (IoT) devices. We embrace moving to the mobile form factor because we understand the advantages that, one, mobile is the consumer’s device, so it’s singular; and two, secure elements can be embedded within it at an affordable price.
What needs to be done now is to create an overlay that allows for token service provision (TSP) capability for security within a unified standard. It’s already been done in the case of the government, where Personal Identity Verification (PIV) — its security standard — was put into a mobile device.
The mobile device with a secure element inside can create a unified framework for identity authentication, and it can be carried out via any number of communication protocols (NFC, BLE, Wi-Fi, cellular network, et al). The question is who’s going to say, “We need to do this together.”
KW: Who is going to say that?
PA: That depends on a number of things, including: how H.R. 2 progresses, what the American Medical Association (AMA) is currently doing to standardize procedures, the evolution of the Health Insurance Portability and Accountability Act (HIPAA), and the progression of the electronic patient record. There are currently a lot of efforts being made in relation to standards.
What we in the payments industry — including Oberthur and PYMNTS.com — need to do is help people understand that the only way to fix the problem is to work together. Doing it independently will lead to different entities competing for a standard, and that has never worked.
KW: Where do you start? Which part of the house is on fire, so to speak?
PA: I think the house is burning down at the enterprise level.
For example, we are working with a Florida health system that will be requiring its employees to use a smart card to physically access their workplaces and any secure areas, as well as to logically log on to the network. That’s the security focus that we recommend because, looking at the Target and Anthem breaches, it wasn’t the consumer that was stealing data — it was the hacker resembling an employee that was doing so.
Systems like Anthem, UnitedHealthcare, the U.S. government, the Veterans Administration, et al., need to protect the enterprise — because that’s where the data is stored.
KW: I think that makes a lot of sense. And it seems easier — relatively speaking — to effect, because you can hold the enterprise accountable, and it’s less of a challenge than getting the consumer to make a change.
PA: If the doctor has to insert his ID card or tap his phone containing his ID to his device, we’ve begun to build the infrastructure that can then be used by the patient.
Another thing that’s happening in the marketplace, relative to our discussion of identity and the Identity Tracker, is what’s called “Bring Your Own Identity.” That practice begs the question, what is the thing that a person is going to use to authenticate themselves?
In that regard, I love the idea of the mobile phone with the secure element inside. Adding Touch ID to that would create even greater security in identification.