You don’t have to be a brain surgeon to have a basic understanding of the Hippocratic Oath. One of the world’s oldest binding documents, the Oath has evolved over the years, but its purpose has remained the same: ensure ethical conduct by physicians. However, one line in the modern version of the Oath stands out in particular: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
On the surface, this statement seems straightforward. No patient wants their doctor exposing an embarrassing medical issue or prying for personal information that is not relevant to their treatment plan. But, what if this statement went a little deeper? Should healthcare providers consider the Hippocratic Oath as a framework for better protecting their patients’ sensitive data from cybersecurity threats?
A data security epidemic
There is an epidemic in the healthcare industry, and it’s not medically related nor treatable by the best doctors or medicine. Rather, it involves data security and patient privacy. Despite the introduction of numerous laws and industry standards – from the Health Insurance Portability and Accountability Act (HIPAA) to the new EU General Data Protection Regulation (GDPR) – personally identifiable information (PII) and medical records are hot commodities for hackers and fraudsters. In fact, healthcare data breaches are reported at a rate of more than one per day in the U.S. alone. At the same time, the healthcare industry boasts the highest breach-related costs of any sector, at $408 per record. These breaches include patient data and medical records, which go for as much as $1,000 apiece on the Dark Web.
Unlike credit card fraud where a consumer can simply change their number and often receive reimbursement through their bank, fraud involving medical records carries a far heavier weight. A person’s medical history cannot be changed, so when their complete medical records and historical information are stolen, the severity of the identity theft and fraudulent activity that they fall victim to can be life-altering. With a person’s medical records in their hands, a cybercriminal or fraudster can access social security numbers, addresses, birthdates, family members’ contact information, possibly payment information and more. Thus, any entity in the healthcare chain that touches patient information – whether a doctor’s office, a pharmacy, a multi-national insurer or a collections agency – should consider it an ethical obligation to protect that data to the best of their ability.
Now, let’s go back to that line in the Hippocratic Oath: “I will respect the privacy of my patients.” If a single medical record breach could jeopardize one’s safety and lead to financial and even reputational harm, shouldn’t this statement extend to include patient data? In short, the answer is, “Yes.” Anyone who trusts a medical professional with their well-being should also have the peace of mind that their personal information is safe and secure. But, with data breaches and fraud showing no signs of a slowdown any time soon, healthcare providers need a strong dose of cybersecurity. In a sector as complex and interwoven as the healthcare industry, where do you start?
Cure the contact center first
When a patient needs to make an appointment, check on test results or pay a bill, the call and contact center, more often than not, serves as the first point of contact. For that reason, copious amounts of PII and medical information “touch” and are stored in the contact center infrastructure, making it an ideal target for fraudsters. And, because many healthcare organizations still rely on legacy systems and “flat” networks (i.e. those that are not segmented, allowing threats to easily move from one area to another), a cybercriminal could access other data repositories in the organization through this single, vulnerable entry point.
However, only a portion of healthcare cybersecurity incidents are caused by external threats and outside cybercriminals. According to Verizon’s 2018 Protected Health Information Breach Report, 58 percent of all healthcare data breaches and security incidents are caused by people inside the organization. This includes patient service representatives and agents, as well as doctors, nurses and other staff within the contact center. Whether these employees maliciously or accidentally expose patient data, the crux of the matter is that the more people who have access to PII, the higher the risk.
For example, in 2017, SSM Health, a St. Louis-based healthcare system, revealed that a customer service representative previously employed in its contact center accessed the records of 29,000 patients who were prescribed a controlled substance. Although SSM Health did not specify which “illegal activities” this individual performed, this incident showcases the very real dangers that come with an abundance of easily accessible patient data.
They can’t hack data you don’t hold
With people inside and outside of an organization eyeing healthcare data that flows through the contact center, the best prescription for mitigating risk is removing as much sensitive data from the infrastructure as possible. Yes, performing thorough employee background checks and limiting access to data are important precautions, but it comes down to this: no one can hack data you don’t hold.
Contact centers across industries embracing this notion are on the right track, using “descoping” technologies to keep sensitive data from ever touching their environments in the first place. For instance, dual-tone multi-frequency (DTMF) masking solutions hold great promise for healthcare providers. These technologies help contact centers comply with complex regulations, like the Payment Card Industry Data Security Standard (PCI DSS), by removing cardholder data (credit/debit card information), but they can also be used to protect any numerical patient data.
Essentially, callers enter numerical details (such as a payment card, birth date, account or social security number) directly into their telephone’s keypad. The keypad tones are replaced with flat tones, so they are indecipherable to the agent, call recording systems and even eavesdroppers with fraudulent intentions. Once captured, the data is encrypted and sent directly to the appropriate third party (like a payment processor). This makes compliance with data security and privacy regulations even simpler and less costly, as regulated data can be offloaded to a compliant intermediary – taking vulnerable, interoperable legacy systems out of the equation.
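To make the masking flow above concrete, here is an added, constructed simulation (not Semafone’s or any vendor’s code) of a DTMF masking proxy placed between the telephony trunk and the agent side of a call. Everything on the agent side (desktop and call recorder) receives a flat tone in place of each keypad press, the captured digits go only to a stand-in third party that returns a reference token, and an audit function checks the agent-side stream for leaked digits. The event model, the use of `#` as an entry terminator, the token format and the in-memory "processor" are assumptions for illustration; the encrypted transport to the real third party is not modelled.

```python
"""Simulated DTMF masking for a contact-center call (constructed example).

The masking proxy sits between the telephony trunk and everything on the
agent side (agent desktop, call recorder). Keypad digits are captured at the
proxy, replaced by a flat tone downstream, and the captured value is handed
to a third party that returns a reference token. Class and function names,
the '#' terminator and the token format are assumptions, not a vendor API.
"""
import re
import secrets
import string
from dataclasses import dataclass


@dataclass
class CallEvent:
    kind: str   # "speech", "dtmf", "tone" or "token"
    value: str


class ThirdPartyProcessor:
    """Stands in for a payment processor or compliant intermediary. It is the
    only party that ever holds the raw value; the contact center keeps a token."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, raw: str, purpose: str) -> str:
        # Letters only, so a token can never look like a leaked digit run.
        suffix = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
        token = f"{purpose}-{suffix}"
        self._vault[token] = raw
        return token

    def lookup(self, token: str) -> str:
        """Only the processor can turn a token back into the raw value."""
        return self._vault[token]


class DtmfMaskingProxy:
    def __init__(self, processor: ThirdPartyProcessor, purpose: str) -> None:
        self.processor = processor
        self.purpose = purpose
        self.downstream: list[CallEvent] = []   # what agent desktop and recorder receive
        self.tokens: list[str] = []
        self._buffer = ""

    def handle(self, event: CallEvent) -> None:
        if event.kind != "dtmf":
            self.downstream.append(event)       # speech passes through unchanged
            return
        # A keypad press never reaches the agent side; a flat tone goes instead.
        self.downstream.append(CallEvent("tone", "flat"))
        if event.value == "#":                  # assumed terminator: caller is done
            self._flush()
        elif event.value.isdigit():
            self._buffer += event.value

    def _flush(self) -> None:
        if not self._buffer:
            return
        token = self.processor.tokenize(self._buffer, self.purpose)
        self._buffer = ""                       # raw digits leave the proxy's memory
        self.tokens.append(token)
        self.downstream.append(CallEvent("token", token))  # agent records the token only


def run_call(events: list[CallEvent], purpose: str = "card"):
    """Feed a call's events through the proxy; return (proxy, processor)."""
    processor = ThirdPartyProcessor()
    proxy = DtmfMaskingProxy(processor, purpose)
    for ev in events:
        proxy.handle(ev)
    return proxy, processor


DIGIT_RUN = re.compile(r"\d{6,}")


def audit_downstream(events: list[CallEvent]) -> list[str]:
    """Findings that would mean sensitive digits reached the agent side."""
    findings = []
    for ev in events:
        if ev.kind == "dtmf":
            findings.append(f"raw keypad tone forwarded: {ev.value}")
        elif DIGIT_RUN.search(ev.value):
            findings.append(f"digit run in {ev.kind} event: {ev.value}")
    return findings


# Constructed call: caller speaks, keys a 16-digit test number, confirms with '#'.
SAMPLE_CARD = "4111111111111111"   # well-known test PAN, not a real account
SAMPLE_CALL = (
    [CallEvent("speech", "I'd like to pay my outstanding balance.")]
    + [CallEvent("dtmf", d) for d in SAMPLE_CARD]
    + [CallEvent("dtmf", "#"), CallEvent("speech", "Done, thank you.")]
)

if __name__ == "__main__":
    proxy, processor = run_call(SAMPLE_CALL)
    print("agent side:", [(e.kind, e.value) for e in proxy.downstream])
    print("findings with masking:", audit_downstream(proxy.downstream))
    print("findings without masking:", len(audit_downstream(SAMPLE_CALL)))
```

Running `audit_downstream` over the raw call stream (no proxy) reports one finding per keypad press, while the masked stream reports none; that contrast is the check a compliance reviewer would want when assessing whether a recording system has really been taken out of scope.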
Undoubtedly, the healthcare industry has some work to do to better protect patient data. Compliance with ever-evolving industry regulations, as well as the prevalence of non-segmented networks and legacy systems, make the task of strengthening data security and privacy easier said than done. But, we must begin somewhere. Healthcare organizations can work towards a cure by first securing their call and contact centers, employing emerging descoping technologies, and then replicating those best practices in other areas of the organization.
Along the way, it is important to keep the Hippocratic Oath in mind as a framework for ethically addressing patient care – and that means keeping their bodies, minds and personal data healthy and safe.
Phi Fasano is the CEO of Bay Advisors LLC and Tim Critchley is the CEO of Semafone.