The doctor will see you (online) now, but so could the fraudsters

The coronavirus crisis has forced us to move our lives increasingly

online, adapting every aspect so we can carry on virtually. Our healthcare is no exception. The telehealth market had already been expected to grow by $95.72 billion between 2020 and 2024, without taking into account the global pandemic we find ourselves in now. With 1.5 million people in the UK socially shielding and with the rest of the country set to be in some form of socially distant world for the foreseeable future, it is unsurprising that there has been a surge in online medical advice and services, likely increasing this initial estimate even further.

Before the outbreak, video appointments made up just 1% of the 340 million or so annual visits to the GP at the National Health Service. Now, companies like Push Doctor and Docly are seeing increases in demand up to 100% week on week. It is highly likely that this crisis will act as the catalyst that spurs people to adapt to new ways of interacting with healthcare providers even after the pandemic subsides.

However, this rapid increase has created a lucrative opportunity for those with criminal intent. Already, over one billion patient health records are available on the dark web and millions of records are added daily. What’s more, these medical records can be listed for up to $1,000 each, ten times more than the average credit card record due to the volume of personal information.

Protecting patients from data breaches

In today’s world, data breaches are an unfortunate regularity. More than 800 million records were breached in the UK in March this year alone. According to SecurityScoreboard, healthcare is the most breached industry, experiencing a 50% increase in data breaches from June 2017 to May 2019. Combine this with the growing size of the dark web and you can see why criminals are finding it easier to prosper from obtaining personal information through unscrupulous means. Additionally, healthcare sector breaches cost more – an average of £5.2 million each year compared to the global average of £3.2 million.

This expense comes from the importance of the data, which includes everything from patients’ ages and home addresses to personal details around medical procedures and prescriptions. Every piece of information is highly sensitive, opening individuals up to blackmail and businesses up to astronomical fines with the introduction of the EU General Data Protection Regulation (GDPR).

Patients also increase this risk by using the same password for multiple accounts, a common yet unfortunate practice. This has seen a rise in ‘credential stuffing’, whereby a would-be fraudster purchases your email address and password on the dark web and

uses bots to try to access thousands of websites with these same login details hoping to strike lucky. And most of the time, they do.

To mitigate this risk, and protect their patients’ valuable data, it is vitally important all healthcare institutions reliably establish a secure and accurate Know Your Patient (KYP) strategy. This is particularly pertinent with the increase of patients turning to telehealth during the pandemic.

Investing in KYP is essential

Registering for a medical service in person involves bringing paperwork to prove your identity rather than the GP believing you at face value. Even without the face-to-face contact the same rigorous verification steps must be put in place, especially as the need to confirm the patients are who they say they are has never been higher.

Last year alone, 67% of UK healthcare organisations experienced some kind of cybersecurity incident and over the last decade there have been more than 2,550 healthcare breaches impacting more than 175 million medical records. Clearly there is a significant chance that the person a doctor is providing guidance and prescriptions to is not the patient that is on record. Stringent KYP procedures are the only way to be assured the person a doctor is dealing with is who he or she claims to be. A mistake here can have huge ramifications for all those involved.

Not only can cybercriminals access other accounts that that patient may have online, they can also use their medical records to obtain medications in the patient’s name. These can then be sold on the dark web for significant financial gain for the fraudster, while leaving the patient unable to access medicines he or she needs as the records show these have already been dispensed. This leaves the GP surgery liable for retrospective fines, legal proceedings and other charges.

Making the KYP process watertight

Machine learning and artificial intelligence are allowing cybercriminals to become increasingly sophisticated, expediting the rate at which they can obtain data. There is, however, a way to ensure the power stays with online medical professionals and healthcare organisations.

It starts at the account creation stage. The medical organisation captures an online patient’s government-issued ID (eg. driver’s licence, passport or ID card) via the user’s smartphone or webcam, followed by a live corroborating selfie (in which a 3D face map is created) to ensure the person behind the ID is the person creating the account. Then, the organisation would ensure that the ID document is authentic, unaltered and that the patient pictured in the selfie matches the ID.

Organisations can then check the patient’s age to verify that he or she meets minimum age requirements and confirm through fraud detection analytics that no fraudulent activity has taken place, helping to minimise risk and loss. From this, hospitals, offices, clinics and pharmacies can now approve or deny the new online account.

Medical offices and pharmacies can continue to verify a patient’s identity when he or she collects online prescriptions and treatments with biometric-based authentication. They do this by capturing a new 3D face map of the patient, comparing it to the original one captured at enrolment using online identity verification technology.

Although this method in the UK would prevent those under the age of 16 from accessing telemedical services, it would also provide assurances to those medical organisations that minors are not obtaining powerful prescriptions accidentally.

The evolving medical world

The habits we’ve established during the pandemic are likely to stick as we have seen that it’s possible in most cases to receive the same level of medical care from the comfort of our own homes. We’ve also seen the massive strain that has been placed on our health service over the past few months, something that was already acknowledged on a much smaller scale before this. Therefore, embracing telehealth on an ongoing basis will go some way to righting this problem once this pandemic is over.

However, if we are to truly embrace the benefits of online healthcare, security has to be at its heart. There is no doubt that a strong KYP strategy is the exact medicine to cure the threat of most cybercrime in this sector.

Philipp Pointner is chief product officer of Jumio