The stakes have never been higher for healthcare providers to deliver a positive patient experience. According to a recent study by Prophet, 81 percent of consumers are unsatisfied with their healthcare experience, while only 40 percent believe providers are best meeting their needs. At the same time, data breaches in the healthcare sector are at an all-time high—occurring at a rate of more than one per day in the United States.
These security incidents not only jeopardize patients’ privacy but also put both patient trust and brand reputation at risk.
All the while, medical practitioners, hospitals, and insurers are pressed to keep up with the ever-evolving regulatory compliance landscape. This not only includes the Health Insurance Portability and Accountability Act (HIPAA) but also the Payment Card Industry Data Security Standard (PCI DSS), the EU General Data Protection Regulation (GDPR), and a long list of individual state regulations and data breach notification laws.
With HIPAA violations alone incurring fines as high as 50,000 dollars (for each violation or exposed record), healthcare organizations are finding themselves wedged between conflicting objectives: how do you protect patient data and maintain compliance, without losing sight of providing the best possible patient experience?
Contact Center Security
While you can’t please every patient, you can strike a balance between care and data security. The first place to address this is your contact center.
Although online interaction tools and patient portals are gaining in popularity, you can’t underestimate the value of the voice channel. Research by PatientPop shows that 58.5 percent of patients still prefer to schedule an appointment via phone.
As such, your contact center is often the go-to point of interaction for your patients and can set the tone for their entire experience. But this also means that your contact center intrinsically holds, processes, and stores copious amounts of personally identifiable information (PII), from medical records to payment card data. This makes the contact center an alluring target for fraudsters and hackers.
However, it’s not only devious cybercriminals who threaten your patients’ data. Company insiders, such as rogue patient service representatives (PSRs) or contact center agents, pose a massive threat, especially if they have access to patient data given over the phone or stored in desktop applications. In fact, 58 percent of all healthcare data breaches and security incidents are the result of insiders, according to Verizon’s Protected Health Information Data Breach Report.
Security Best Practices
With inside and outside threats, as well as vulnerable legacy systems serving as entry points for enterprise-wide breach incidents, contact centers are undoubtedly a weak link in your security chain. But protecting PII, maintaining compliance, and providing a positive patient experience first involve a hearty dose of security best practices:
- Treat all data as potentially toxic: The more information that is available in the event of a breach, the easier it will be for a malicious insider or cybercriminal to steal a patient’s identity or access their private medical records.
- Train all employees and always perform thorough background checks: Go beyond basic employee vetting and background checks, especially when hiring for your contact center environments. Educate PSRs and customer service agents on data security best practices and how to spot social engineering and phishing tactics.
- Prepare your response management policy: Have an incident response management policy and process in place, preferably as part of an information security management system. Prepare for a worst-case scenario, and test your incident response plan at least annually.
- Tokenize data: Replace PII with a meaningless equivalent, so even if a breach is successful, the hacked data will be of no value to the cybercriminal. This approach can also assist in the event of a social engineering attack, which can put even the most trustworthy employee at risk for exposing PII.
- Enforce the principle of least privilege: Give employees the minimum level of access required to perform their job function at the appropriate time. Introduce exception procedures for when emergency access is needed.
- Authenticate the user to authenticate the service agent: Prevent PSRs and agents from accessing patient data until the PSR has received the right data from the user. This means that until the caller has been successfully identified using the appropriate secure authentication approach, deny access to detailed PII.
With these tactics creating a foundation for security in your contact center, you can introduce descoping technologies. Such technologies not only strengthen data security and compliance by removing sensitive data from your infrastructure, but they also support a positive patient experience and journey.
For the voice channel, in particular, dual-tone multi-frequency (DTMF) masking solutions hold great promise, allowing patients to discreetly enter numerical PHI, such as payment card, insurance, or account numbers, using their phone’s keypad. The keypad tones, however, are masked with flat tones, so they are not exposed to anyone but the patient. The data collected is encrypted and sent to a compliant third party, bypassing the contact center’s environment completely.
While this process may bring to mind automated interactive voice response (IVR) systems, it is not quite the same. Here, agents and PSRs can remain on the line in full voice communication with the patient, guiding them through the transaction, answering questions, and even handling wrap-up tasks. There are no problems with misheard or miskeyed data, which can lead to premature hang-ups and abandoned calls. In addition, patients have full control over inputting their information and can enjoy peace of mind that their data is protected. This makes for a better overall customer experience.
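To make the masking step concrete, here is an added example (not Semafone's product code, and no part of the original article) of the core of a DTMF masking pipeline: a Goertzel detector finds key-press frames in the caller's audio, the agent-side stream gets a flat tone in place of each press, and the digits are collected separately for the out-of-band handoff the text describes. It assumes 8 kHz PCM audio, a 1000 Hz masking tone, and synthesised frames as constructed input; the encryption and delivery to the third party are out of scope.

```python
import math
SAMPLE_RATE, FRAME = 8000, 205         # telephony PCM rate; samples per frame (classic DTMF Goertzel size)
LOW_FREQS, HIGH_FREQS = (697, 770, 852, 941), (1209, 1336, 1477, 1633)  # DTMF row / column tones
KEYPAD = ["123A", "456B", "789C", "*0#D"]
MASK_FREQ = 1000                       # assumed: the flat tone substituted for every key press
# Keypad character -> (row tone, column tone), e.g. "4" -> (770, 1209)
DTMF_PAIR = {key: (LOW_FREQS[r], HIGH_FREQS[c]) for r, row in enumerate(KEYPAD) for c, key in enumerate(row)}

def goertzel_power(frame, freq):
    """Power of one target frequency in a PCM frame (Goertzel algorithm)."""
    k = round(len(frame) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame, min_power=500.0, ratio=4.0):
    """DTMF key in the frame, or None unless one row and one column tone clearly dominate."""
    picks = []
    for group in (LOW_FREQS, HIGH_FREQS):
        ranked = sorted((goertzel_power(frame, f), i) for i, f in enumerate(group))
        (p2, _), (p1, idx) = ranked[-2], ranked[-1]
        if p1 < min_power or p1 < ratio * p2:   # silence, speech or an ambiguous pair
            return None
        picks.append(idx)
    return KEYPAD[picks[0]][picks[1]]

def tone(freqs, amplitude=0.5, n=FRAME):
    """Synthesise one frame of summed sines (constructed audio; [] gives silence)."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]

def mask_dtmf(frames):
    """Agent-side audio with each key press replaced by a flat tone, plus the captured digits."""
    agent_audio, captured, flat = [], [], tone([MASK_FREQ])
    for frame in frames:
        digit = detect_digit(frame)
        if digit:
            captured.append(digit)               # handed off out of band, never to the agent desktop
        agent_audio.append(flat if digit else frame)
    return agent_audio, captured

def sample_call(keys="4111"):
    """Constructed call: silence, then each key press followed by a pause."""
    frames = [tone([])]
    for key in keys:
        frames += [tone(DTMF_PAIR[key]), tone([])]
    return frames
```

Running `mask_dtmf(sample_call())` returns the agent-side frames, none of which still decodes as a digit, together with the captured digits `['4', '1', '1', '1']`; a production detector would additionally debounce presses that span several frames.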
Data security and privacy are key to providing positive interactions with your customers and patients, and there really is no longer any need to compromise in either area. A combination of security best practices, strategies, and emerging descoping technologies is an ideal way to achieve both. No matter which route you take, the less PII you hold and handle, the better off you’ll be. Remember, no one can hack the data you don’t hold.
This article is provided by Semafone, a leading provider of data security and compliance solutions for call and contact centers. Learn more at Semafone or contact Rebecca.Rowe@semafone.com.