The Most Important Question in Identity Management for Healthcare
Guest post by Harry Jordan, vice president and general manager, healthcare for LexisNexis.
The most important question in identity management is not: “Who are you?” It’s “What do we need to know about you?” And nowhere is the answer to that question more critical than in healthcare, where inadequate systems and processes can not only threaten business integrity and success, but jeopardize lives, as well. Inevitably, it is time to shift the focus of the discussion of identity management away from authentication methodology and toward the broader healthcare context in which identity management is no longer a luxury, but a necessity.
Effective patient/member identity management springs from this fundamental question: “Given what we are trying to accomplish through this particular transaction, what do we need to know about this individual to insure safety, integrity and trust?” Or, more elaborately: “What do we need to know to prove this individual is who they say they are and that they are authorized to access the information being requested based on those identity credentials?”
The answer is determined by the intersection of multiple factors: your objectives; product and service characteristics; population demographics and attitudes; the nature, value and riskiness of the transaction being performed; the point in the process and relationship where it takes place; and organizational risk tolerance. Getting the answer right is critical to the sustainability of health care organizations and, more importantly, the safety of the individuals they serve.
Identity fraud is the fastest growing crime in the United States, affecting more than 11 million adults in 2010. Medical identity fraud is the fastest growing type of identity theft. The Ponemon Institute estimates the annual economic impact of medical identity theft to be nearly $31 billion.
Health care consumers will, and should, expect their data to be secure at all times in order to protect their financial and physical well-being. Health care stakeholders will demand solutions that ensure they are dealing with the right person, at the right time, for the right transaction, thereby minimizing risk and negative impact on their health care delivery decisions, the health of their patients and overall business performance.
As a recent Gartner report states, identity management is “increasingly recognized as delivering real-world business value,” and “identity management agility improves support for new business initiatives and contributes significantly to profitability.” Identity management is rapidly evolving to encompass emerging risks and application variability. There are tools you can put in place now to meet the increasing demands of identity management.
Point solutions and one-size-fits-all implementations are being supplanted by or absorbed into more comprehensive and flexible approaches. These solutions provide identity management coherency across processes and relationships, as well as identity management consistency across multiple channels and organizations.
At the same time, they enable organizations to efficiently implement a wide range of identity management tools that blend the right identity elements together with the appropriate view and assurance level for each transaction. Established organizations can layer new identity management capabilities onto existing systems in the form of services. Merely extending enterprise identity management solutions will not work.
Three key concepts are at the core of the most successful health care consumer identity management solutions. They are general principles shared by diverse business-specific implementations.
1. Identity management is as much about business as about security. Identity validation (or “resolution”), verification and authentication – commonly regarded as security functions – have far-reaching business ramifications. How you perform them can strongly shape your most direct and therefore vital interactions with patients, payers, providers and other healthcare stakeholders. Thus, while it is important, and sometimes mandatory, to follow industry standards, it is also critical to make sure that the way in which you implement identity management is tailored to your market, business plan and mission to maximize business goals and minimize organizational risk.
2. “Know your health care consumer” is the point of balance for multiple – and possibly competing – objectives. “Know your healthcare consumer” is a phrase that traditionally has different meanings to health care consumer service than it does for security management Service people are concerned with raising healthcare consumer satisfaction by increasing access and ease. Security people are concerned with reducing risk by restricting access.
3. Ask for only what you need to know. Knowing more can, in fact, enable you to ask for less information. In identity management industry jargon, the objective is “friction reduction” through “data minimization.” Improve the health care consumer experience by not asking for information you don’t need.
Strong security can be, for the most part, invisible to the user. Analytics operating in the background can spot links between healthcare consumer data and suspicious entities or recognize suspicious patterns of verification failure.
Analytics can be integrated with business rules to adjust the security level and trigger appropriate treatments or approval of treatments. They can also be used to determine if the current transactional pattern of behavior is unusual. Reacting to healthcare consumer responses in real time – taking business rules for different product lines, channels and types of transactions, and an entity’s tolerance for risk – an identity management service can make dynamic decisions about when to invoke additional and/or stronger measures.
The number of identity-reliant transactions engaged in across the health care continuum is multiplying rapidly and becoming ever more critical to the success of individual health care organizations. When dealing with any situation involving the sharing of a patient’s personal health information it is essential these organizations ask themselves the fundamental question about the individual or entity with which they will be sharing the information: “What do we need to know about you?”
This question is the starting place for all other questions in identity management. The right answer is the key to making identity management an enabler of great services accessed with ease and delivered at a low coast and minimal risk of fraud.
Harry Jordan is Vice President and General Manager, Healthcare for the risk solutions business of LexisNexis. He directs the healthcare business, offering capabilities in health management, predictive claims fraud analytics and health information exchanges.