Here’s another place where passwords need to take a hike: healthcare. Bruce Forman, chief information security officer for UMass Memorial Health Care, tells PYMNTS that healthcare needs to take a lesson from financial services, embrace biometrics and two-factor authentication, and give complex passwords the heave-ho.
Like many other facets of consumers’ lives, medical care is becoming increasingly digital. Many healthcare providers’ systems offer smartphone apps enabling users to schedule appointments with primary doctors, check in for appointments, chat with nurses or review test results. Before they can access this sensitive information, however, patients must first verify their identities.
Patients may be asked to prove their identities by providing email addresses, usernames and passwords, or one-time codes sent to their phones via text message. While authentication methods may vary, users across all channels seek secure, frictionless access to their account information, meaning medical providers must make authentication seamless while keeping it strong enough to ward off cybercriminals.
To better understand which authentication methods are best received in the healthcare market, PYMNTS spoke with Bruce Forman, chief information security officer at UMass Memorial Health Care, which caters to residents of central Massachusetts across three hospitals. Forman discussed how both traditional passwords and biometric solutions appeal to patients in different ways, and how the healthcare market can learn digital identity lessons from the financial services sector.
Easing Patients’ Login Pains
UMass Memorial Health Care has approximately 1,000 beds across its network and has handled more than 1.5 million total outpatient visits so far this year. Patients can access its system through the online medical portal myChart, which, according to Forman, is easiest to sign up for in person, as clinic staff can review physical IDs and create users’ accounts.
Patients can create myChart accounts off-site, but the process involves more rigorous, knowledge-based verification solutions. Those signing up this way might be asked to confirm information gathered from public databases, such as their previous addresses or the makes and models of previously owned vehicles. Similar identity tools are used in the financial services sector, and Forman said the healthcare market should strive to deliver equally smooth customer experiences.
“My hope is that we see more standardization, so the way you access your health information looks [similar] to how you access your bank and financial information,” he said.
Forman’s remarks also support the findings outlined in PYMNTS’ Digital Identity Lifestyle Capsule report. It found that of all three markets surveyed – healthcare, eCommerce and financial services – financial services consumers were the most satisfied with their available authentication options.
Biometric Benefits
Users can choose from several authentication options when logging into their accounts through their computers or smartphones. Biometric-based smartphone solutions are popular among UMass Memorial patients, Forman noted, because many devices include readers that can integrate their physical signatures with the app.
“[Biometrics are] clearly a preference for a lot of people because they’re easy to use,” he noted.
These solutions also verify users’ identities by requiring them to provide biometric identifiers – fingerprint authentications, in UMass Memorial’s case. This allows the network to grant users convenient healthcare access while remaining confident they are who they claim to be. Forman also said the system’s smartphone app can keep patients up to speed on appointments and help them schedule medical visits.
“Clearly, we want to provide a good experience for our patients,” he said. “Having a smartphone app is appreciated because patients can have it with them and receive alerts from the device.”
The Problem With Passwords
Biometric-based authentication solutions also cure a pain point that has plagued healthcare and other markets: lengthy and hard-to-remember passwords. Forman said their length and complexity requirements – such as the use of special characters – can make them difficult for consumers to recall.
“With many online systems, there’s often frustration with being able to remember a password,” he said. “You ideally don’t want to make someone [have to] remember a password so complex that they won’t be able to remember it and have to write it down.”
Forman added that even complex passwords can be compromised by identity thieves using techniques like email scams. “Phishing attacks are prevalent, and everyone will fall for one at one time or another,” he said.
These vulnerabilities mean passwords may have outlived their usefulness as healthcare authentication measures. On the other hand, biometric data is more difficult to compromise and does not have to be remembered. Additionally, these methods are widely used in the financial services industry, which means healthcare customers have likely already grown accustomed to them.
As healthcare providers and medical facilities seek improved authentication practices, they may be able to bank on the methods currently used by the financial services market to verify – and satisfy – their customers.