They used to be little more than clunky messaging platforms, but today, patient portals are the key to a frictionless digital healthcare experience. Consumers can check their medical records and test results with a few clicks. They can schedule appointments, pay bills and renew prescriptions whenever they want.
Shifting patient information to portals also increases staff productivity and smooths out several sticking points in the revenue cycle. And with improvements in engagement and efficiency leading to better health outcomes, no wonder 90% of healthcare organizations are putting portals at the heart of the patient experience.
But these benefits aren’t without risks. Privacy and security are big concerns for consumers and organizations alike. Patients want to feel reassured their data is safe, while providers want to avoid any reputation-killing headlines about data breaches. Identification and authentication can’t be too complicated though, or the patient experience will suffer.
The safest strategy is to use a risk-based multi-layered approach, including identity proofing, fraud management, device recognition and even biometrics. Different levels of security checks can be applied, depending on the likelihood of the person being an imposter. If the information being accessed is particularly sensitive, or when the log-in information doesn’t quite add up, your system should trigger additional checks, such as identity proofing questions.
But what are the right questions to ask?
The right questions balance risk, trust and proportionality
There’s no point seeking security information that could be easily guessed, obtained through a quick Google search or stolen from a patient’s wallet. You need questions only the true consumer would be able to answer – “out of wallet” questions, or knowledge-based authentication.
This means the traditional “mother’s surname” question would not be a great choice, as it’s easily discoverable by potential fraudsters. Better questions might relate to the consumer’s city of birth, first car model, first pet’s name or previous address. Of course, these identifiers could still be obtained by nefarious parties, but when used in combination with other identity proofing tactics, it’s a significantly reduced risk. The sweet spot lies in the difference between the consumer’s ability to answer correctly and that of a potential fraudster.
Your questions should also be relevant to the consumer and appropriate to the context. For example, a common out-of-wallet question used by financial institutions is to confirm a recent transaction. This ticks the box for security, as only the true consumer would likely know the answer, but in the context of a healthcare portal it could seem odd and out of place. It might make the patient wary and actually do more harm than good in terms of building trust.
Progressive questioning lets you use smart logic to select a range of appropriate, varied questions, rotated over time and layered up for additional checks when a certain threshold of risk is perceived. In this way, the patient experience will be flexible, seamless and reassuring, without the burden of excessive admin.
How Sutter Health System used better questions to increase enrollment and reduce help desk contacts
With around 1.8 million patients actively enrolled, Sutter Health System wanted to offer easy access to their self-service portal, but without accidentally giving anyone access to someone else’s information. They had no true identity proofing process for patients, which led to cumbersome checks, errors and high numbers of calls to the help desk.
Introducing the PreciseID® identity-proofing tool meant the team could authenticate users more quickly and reliably, using knowledge-based questions without an arduous process. Now, patients have just four or five simple questions to answer, which are checked against a robust dataset. An online risk assessment verifies the patient’s device and determines whether additional checks are required, balancing security with convenience.
Tom Mitchell, Applications Manager at Sutter Health System Office describes working in partnership with Experian Health to find the right set of questions:
“It took about a month to really hone in on the types of questions and the frequency of questions needed to achieve a level of accuracy that would equate to properly identified patients. You need to select what is important to you and Experian will work with you to make sure you ask the right questions.”
Not only has this increased the number of positive patient matches, it’s also reduced the number of people trying to contact the help desk with password issues. Tom says:
“We’re always trying to reduce the number of contacts to the help desk. Before integrating with self-service enrollment, patients would have to fill out a paper form or call our contact center, in which case a live person would have to go through some validation processes of our own. It was a fairly cumbersome, long process without this piece of validation.”
Find out more about how PreciseID could help you ask the right questions for better portal protection.