QR codes made an unexpected comeback during the pandemic. They offered a contactless gateway for individuals to check in to venues, log COVID-19 test results, help trace the virus spread and more. Restaurants and retailers embraced the technology as a way to welcome back consumers with touch-free access to online menus and digital payments. Previously seen as gimmicky and hindered by dependence on specific apps, these scannable squares can now be read using most smartphone cameras. With new use cases emerging during the pandemic, “quick response” codes are suddenly relevant again. However, the growing popularity of QR code technology opened the door to new cybersecurity risks, so providers must remain proactive with protecting patient identities.
A 2020 survey found that almost half of consumers said they’d noticed an increase in QR codes since the first shelter-in-place orders. Online payment provider PayPal reported that a new merchant was added to its QR code payment option every 28 seconds in the first quarter of 2021. Cybercriminals are capitalizing on consumer trust in QR codes to harvest personal data or install malware on devices. This leaves healthcare organizations and their patients vulnerable to fraud, especially given the increased adoption of digital healthcare technology during the pandemic. Providers must remain vigilant with protecting patient identities from QR code cybersecurity risks.
How do QR codes threaten patient identities?
QR codes hold far more data than traditional barcodes. They can be easily generated and fixed to any surface, ready for users to scan with their smartphones. They are primarily used to store URLs, which take the user directly to a website.
But while savvy consumers are aware of the risks associated with clicking on a suspicious link in an email, QR codes are intrinsically trusted. It’s much harder to tell if a QR code is legitimate or not. Scanning a QR code is essentially the same as clicking on an unknown link. A study by MobileIron found that while 67% of consumers say they can identify a suspicious URL, less than 30% can identify a malicious QR code. Mike Bruemmer, VP of Experian Data Breach Resolution and Consumer Protection, says that “QR codes are the new stealth threat vector. Regardless of their application, no one can tell a fake code that launches malware on your device from a legitimate one.”
There are two main risks for patients. Firstly, they may click on a QR code that takes them to a web page that appears legitimate, prompting them to share personal data or log-in details. This information is then harvested by cybercriminals. This form of QR code phishing, known as “quishing,” puts the user at risk for spam, adware and identity theft. Secondly, the user may scan a QR code that takes them to a malicious site that installs malware on their device, which will then steal and package the user’s personal and financial data. The QR code can even be used to generate actions that appear to come from the user, such as making payments, sending emails, sharing locations or following social media accounts.
In January 2022, the FBI issued a warning about cybercriminals using QR codes to redirect victims to malicious sites that steal login and financial information. Users are urged to practice caution when entering personal information after scanning a QR code.
How can healthcare organizations help with protecting patient identities against QR code cybersecurity threats?
For healthcare organizations, the concern is that if patients fall victim to a QR code scam, bad actors can steal personal identification data to access patient portals and other digital services. This information can be used to access medical services without paying, obtain medications illegally, or submit false health insurance claims, creating ongoing financial and administrative stress for patients. Or, if cybercriminals use captured information to log on as staff members there’s an added risk of further data breaches from inside the provider’s network.
Healthcare organizations have a few options to help patients protect themselves from QR code scams:
- Targeted awareness-raising campaigns are a simple way to encourage patients to make sure their devices are updated with the latest security patches. Patients can be warned to watch out for suspicious activity, such as when a QR code redirects to a page that asks for personal details. They might also choose to ask for a direct URL, instead of using the QR code.
- Securing access to patient portals and verifying patient identities are practical measures to ensure that the person accessing the account is who they say they are. Another best practice in patient portal security is to take a multi-layered approach. This includes two-factor authentication, device recognition and additional checks on risky requests. By securing patient portals, providers can be proactive at protecting patient identities and reduce the risk of fraud during enrollment.
- Integrating patient identity management tools can also help verify the patient’s identity from the very first registration touchpoint all the way through their healthcare journey. Automated identity checks and algorithmic matching based on Experian Health’s unrivaled reference data can help ensure that the patient’s record is accurate and complete.
- Offering alternative secure methods for contactless patient payments and patient access are other options to make the patient experience more secure. For example, providing patients with their own mobile payment option means they can pay bills securely and access payment plans right from their phone. Experian Health also offers various safe and secure registration and scheduling solutions that will give patients a seamless patient access experience and help protect them from identity theft. Victoria Dames, VP of Product Management at Experian Health, says that patients have come to expect a smooth and secure digital experience: “Providers are focused on patient data security in adherence to multiple health policies, like HIPAA, but also to maintain confidence with patients. They [patients] are embracing digital solutions and expecting appropriate security measures are in place.”
Find out more about how Experian Health can help healthcare providers with protecting patient identities and close the door to QR code scammers. Experian Health can also help prevent other identity theft and fraud, verify that patients are who they say are, and provide safe, secure and convenient ways for patients to get the care they need.
