Reconsidering How We Verify Identities in Healthcare
By Matt Phillion
The healthcare industry in the U.S. saw an all-time high for data compromises in 2023. According to the HIPAA Journal, 725 data breaches of 500 or more healthcare records were reported last year as of January 2024—and not every incident was reported or tallied at the time it broke the standing record for data breaches.
The size and scale of data breaches worsens each year; December 2023 saw at least two multimillion-record data breaches reported. As new tools like AI grow in prevalence, organizations need to start changing the way they handle data to keep pace with ever-worsening attacks.
What needs to change? According to data protection expert Raj Ananthanpillai, founder and CEO of Trua, healthcare must reconsider the types of data healthcare organizations handle and consider the concept of verified digital credential as a way to safeguard patient information. He notes that are several interwoven factors that create a challenging environment for improving the security of patient-related data: bureaucracy, regulatory burden, and the types of data organizations collect.
“The administrative part of it is very bureaucratic, chewing up much of the cost,” says Ananthanpillai. “To move a piece of paper from one side of the building to another is like a relay race.”
Meanwhile, the number of regulatory requirements can make it difficult to move forward faster.
“When patients come into the facility for care, they’re given a multi-page form to fill out with all kinds of personally identifiable information (PII) and sign and most people don’t even read,” he says. “We can simplify some of that.”
But the barrier that stands out, Ananthanpillai says, is the way healthcare collects information about patients that is not actually necessary for their care.
“Even today, we’re asking for a driver’s license, asking for Social Security numbers: why do you even need a Social Security number? We’re using it to verify our identity but what if the identity of the individual can be verified and authenticated by other means without exposing your SSN or D0B?” says Ananthanpillai.
There is much discussion about how organizations are not spending enough to fortify their infrastructure, Ananthanpillai notes, but part of the issue is the information organizations are collecting and holding on to.
“We should collect the right amount of information to dispense medical care,” he says. “For example, date of birth is required for age-related medication, but some of this information is already part of the insurance system.”
Despite the criticism about not spending enough on fortifying infrastructure, organizations are, in fact, spending enormous amounts of money trying to protect, store, and safeguard all the information they collect.
“It’s still not enough. Hackers will find a way to [steal information], whether it’s through an inside job or something else,” says Ananthanpillai.
So why not flip the script and think about what is being stored rather than how to protect it?
“I’m talking about identity information itself. The health record is very personal, but what damage can be done with hit? You can expose health conditions, it can be embarrassing and harmful, but if they steal PII like a Social Security number or date of birth or your current residence, that can be significantly damaging,” Ananthanpillai says. “But there are ways to not collect that information or store it in your organization. There are enough headaches protecting what you need to collect let along also protecting information you don’t need to hold on to.”
Looking to air travel for answers
The answer, Ananthanpillai says, already exists in other industries. Take for example TSA Precheck, a project Ananthanpillai’s previous company was a part of the development of.
“What I think we should do is think about using something as a reusable credential,” he says. “You walk into a doctor’s office and all your information, everything about you and your identity information is there. It’s all encrypted, and if you’re here for the first time, the person at the front desk doesn’t need to know your Social Security number or any of those details.”
This type of personal identification eliminates the need for all those favorite hacker vectors, Ananthanpillai says. No more giving out your mother’s maiden name or what car you owned in 1995.
The barrier to entry for this level of change for personal identification is inertia and lack of accountability for not protecting the PII, Ananthanpillai says, but there are forward-thinking institutions looking into it right now. He also says that more regulatory guidance could help nudge the industry in the right direction—if, on the regulatory level, there were recommendations for ways to avoid taking in and storing so much personal information that is so tempting to hackers.
This universal identification goes beyond just signing in at the doctor’s office, he says. It can have an impact on the security surrounding things like patient records accessible via a portal.
“Today, to look at your medical records, you can log into a portal and that’s fine, but again, anybody can log into that if they have the right passcode,” he says. “What if, before you access your own records, it requires biometrics. Your face has to match what has been tokenized in the system any time someone wants to open the record.”
It’s worth noting, Ananthanpillai says, that this isn’t wildly new technology. It’s used in many industries across the world already, often by the very patients it would benefit.
He points out that this level of verification can work both ways as well. Not only is it usable to verify patient identification without giving out vital data constantly, but it can also be used to track and verify physician or nurse credentials so the information is safely verifiable and transmissible.
“It’s like getting your driver’s license or using TSA Precheck to travel—you get it once and then you can go through any airport,” says Ananthanpillai. “That’s why we call it a reusable, verified credential. You can put anything you need in it and then transmit it with the slide of a button. It’s selective disclosure.”
Another use case Ananthanpillai identifies is traveling nurses: having the ability to move from place to place with a verified background and licensing check without retransmitting key PII that hackers are looking for.
And on the topic of cyberthreats, it is well known that hospitals and other healthcare entities are prime targets for hackers because of the data they possess. A common threat is to release information if a health system or hospital does not pay a ransom for stolen data. While the threat of reputational harm is there—private health information should remain private—hackers can do less with someone’s health diagnosis than they can do with their Social Security number or address, Ananthanpillai points out.
“PII has a lot more value than whether or not someone had COVID last year,” he says.
The other reason healthcare institutions are tempting targets is that not only do they require and hold onto valuable personal information about patients, they hold onto that information about a lot of people.
“Millions of people are part of a healthcare system, and if hackers get access to a million Social Security numbers in one place, that’s different than if they have to process one a time. It decentralizes the risk,” says Ananthanpillai.
Providing a verified identification for the patient, it coopts the consumer to own part of their data, and also empowers them to control who has access to their information.
“You can throw money at cyber protection and data protection, and spend millions of dollars mitigating breaches, but if you have guardrails stating you’re not going to collect this information to begin with, what are the hackers going to do?” says Ananthanpillai. “It removes disparity. Everyone has control over their own data, has access to their own data, so you control that as an individual.”
It’s not a new technology or solution, Ananthanpillai points out.
“We’ve spent the last 15 years trying to crack this nut,” he says. “When Equifax had its big breach, the Senate asked why we need to collect Social Security numbers. And when Social Security numbers were introduced, it was for wages, benefits, employments, and Social Security, of course. But over the last few decades we’ve started using it for everything. Why does a gym membership require your social security number?”
Ananthanpillai envisions a case where you’re only giving out that pivotal PII when it’s payroll or banking related, and another, more secure option exists for verifying your identity elsewhere.
“People should start questioning sharing their PII,” he says. “Right now, you don’t have control. I want people to think about how the entire world is run with your data. There are so many places that shouldn’t be taking in this much information. Right now it’s force of habit, and how they’ve always been doing it, but we need to start thinking differently.”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at matthew.phillion@gmail.com.