Introduction
In today’s healthcare business environment, organizations are in a fierce competition to win over customers by providing exceptional patient and customer experiences. At the same time, caregivers and employees are demanding digital tools that can make their work simpler and more efficient. But with the rapid expansion of digital healthcare ecosystems, security has become an even greater concern and cannot be ignored.
According to the 2023 Ping Identity (formerly ForgeRock) Identity Breach Report, the healthcare industry has remained the top target for cybercriminals for the fifth year in a row. Unauthorized access remains the leading cause of breaches, resulting in severe consequences for healthcare organizations, with the average cost of a breach reaching $10.10 million.[2]
The fallout from data breaches is far-reaching, encompassing financial losses, damage to reputation, and legal liabilities. Even more alarming is the impact on patient health. Startling statistics from the Ponemon Institute reveal that over 20% of healthcare provider organizations have reported an increase in patient mortality rates following cyberattacks.[3] The study also exposes the detrimental effects of cyberattacks on patient care, such as delayed procedures, prolonged hospital stays, and other adverse outcomes. Ransomware attacks, in particular, have been extremely damaging, causing delays in procedures or tests in 64% of the organizations that suffered such attacks and leading to extended patient stays in 59% of cases.
After unauthorized access, the second highest cause of healthcare breaches is internal users, according to Verizon’s 2024 Data Breach Investigations Report.[4] Such breaches are often due to human error, misuse of system access, or the unwitting disclosure of a customer’s personally identifiable information (PII) or credentials. This disclosure often occurs when fraudsters interact with contact centers — the front desk, help desk, or call center.
Attackers focus on the weakest link within an organization. According to Accenture, the call center has become the path of least resistance for fraud due to legacy and siloed authentication processes and technology.[4] Customer experiences with traditional healthcare contact centers aren’t making the grade either: they often require customers to repeat their credentials at multiple points during the authentication process, a frustrating experience that doesn’t foster satisfaction or loyalty.
[2] https://www.ibm.com/downloads/cas/3R8N1DZJ
[3] https://www.proofpoint.com/us/cyber-insecurity-in-healthcare
[4] https://www.verizon.com/business/resources/reports/dbir
[5] https://www.brighttalk.com/webcast/16337/531083
The Top Healthcare Call-Center Vulnerabilities
The healthcare sector has seen a rising number of attacks because it deals with a wealth of sensitive personal data. Bad actors know that healthcare organizations often have weaker call-center identity verification processes compared to other industries, such as financial institutions, making them easier targets.
To get started on a call-center security strategy, it’s important to first identify the source(s) of risks and vulnerabilities. The most common include:
1. Weak Passwords and Credentials
The use of weak or easily guessable passwords is a common security risk. So too are common authentication questions, like address and date of birth, asked by healthcare call-center/help-desk representatives and administrative staff. Healthcare contact centers often rely on knowledge-based authentication (KBA) questions, which can be easily bypassed if fraudsters already have partial information about a consumer. This creates an attack vector for fraudsters to gain access to confidential accounts.
2. Insider Threats
Insider threats refer to the risks posed by individuals within an organization, such as employees or contractors, who have legitimate access to systems but misuse that access either maliciously or by mistake. This misuse can include unauthorized access, data theft, or improper disclosure of sensitive information.
3. Impersonation and Social Engineering
Fraudsters often impersonate legitimate consumers, like patients, healthcare providers, or insurers, using information they may have already acquired through data breaches, phishing, or other social engineering tactics. By tricking contact center agents into revealing additional details or granting access to accounts, fraudsters can then use the information for financial gain, insurance fraud, or further identity theft. Unfortunately, generative AI makes it easier to impersonate others, contributing to a significant risk in voice and video “deepfakes.”
4. Spoofed Caller IDs
Fraudsters increasingly use spoofed caller IDs to mask their identities and appear legitimate when contacting healthcare centers. By mimicking trusted phone numbers (e.g., a hospital or payer), they can reduce suspicion and increase the chances of gaining unauthorized access to sensitive information.
5. Omnichannel Fraud Attempts
Fraudsters are now employing multi-channel strategies, blending voice calls with email, text, and web-based attacks. They might attempt to gather pieces of information from different interaction points, including contact centers, to complete their fraud puzzle.
Addressing these risks and vulnerabilities requires security capabilities delivered through an enterprise-grade digital identity platform.
How to Secure the Healthcare Call-Center with Ping Identity
Several enterprise-grade identity security solutions not only protect enterprises from breaches, fraud, and ransomware, but they also enable great experiences — all while reducing costs.
1. Identity Verification
Identity verification is the process of confirming that someone is who they say they are. It usually happens when a person signs up for an account, logs in, resets a password, or completes a high-risk action such as accessing personal health information (PHI). Traditionally it involves checking an identity document, such as a driver’s license or passport. Newer methods include verifying email addresses and phone numbers, or using biometrics such as fingerprints, facial recognition, or even vocal characteristics. The goal is to tie a person’s real-world identity to their digital one and prevent fraud, ensuring only authorized users can access certain services.
Two alarming trends make robust identity verification capabilities necessary. First is the rise of job applicants who use impersonators during interviews. With internal threats now a significant cause of healthcare breaches, security professionals need to ensure that the contact center representative, or other employee, who is hired is the same person who interviewed for the position. Second, given the rise in identity theft, synthetic account creation, and healthcare fraud, it is important to verify a consumer’s identity during account registration, and again whenever risk scores indicate the need, whether at the time of authentication or during the user’s session.
Ping Identity offers a variety of identity verification options, allowing healthcare leaders to streamline the identity verification processes to significantly enhance security and the overall consumer experience.
- Document-based identity verification: Embedded into applications through a mobile SDK, this service lets customers conveniently verify their identity by taking a live-face capture, scanning and verifying their government ID, and matching the ID to the live-face capture. This strengthens security and reduces fraudulent account creation.
- Knowledge-based identity verification (KBA): Relies on asking users security questions that only the legitimate person should know (e.g., address history, previous transactions, or personal information).
- Mobile match identity verification: Uses a person’s mobile device as a verification factor, typically by matching the phone number or using device-based biometrics (e.g., facial recognition, fingerprints). This method verifies the ownership of the mobile device through techniques like SMS OTPs (one-time passcodes) or push notifications to authenticate the user. It is often combined with other factors like geolocation or device history to strengthen authentication.
- Voice biometric identity verification: Identifies and authenticates individuals based on their unique vocal characteristics. Unlike physical biometrics (fingerprints, face scans), no special hardware is required—just a microphone or phone, making it ideal for contact center use cases.
[6] https://www.verizon.com/business/resources/Tc8f/infographics/2024-dbir-healthcare-snapshot.pdf
2. AI-Powered Identity Governance
As stated earlier, healthcare security risks and vulnerabilities largely stem from internal actors. A significant factor in this security problem lies in how employees, contractors, and partners are granted access to internal systems and resources.
Unfortunately, access provisioning and governance remain largely manual, tedious, and prone to human error. Typically, a manager or application owner reviews the access of users in a given system and then certifies that a specific user, or group of users, should be granted or denied access.
Ping Identity’s governance solution leverages machine learning (ML) and artificial intelligence (AI) to disrupt the traditional static governance models used to grant access by looking at an organization’s entire access entitlement landscape. It then provides insights to make informed provisioning and governance decisions, and identifies high-risk areas that may require more governance. This unified governance solution helps healthcare security leaders significantly reduce the risk that internal users, such as contact center representatives, have access to resources and data they shouldn’t.
Unified Identity Governance
3. Passwordless and Multi-Factor Authentication (MFA)
Passwordless authentication and MFA address the risks of weak credentials and account takeover (ATO). Passwordless authentication virtually eliminates credential theft, credential reuse, phishing attacks, credential stuffing, and other credential-based threats.
It also significantly cuts help-desk password reset costs and delivers a great consumer and workforce experience — as they never again have to create a password, remember it, or reset it.
Ping Identity offers many passwordless authentication options for enterprise customers and workforces. These options span passwordless as a factor to “complete passwordless,” and enable organizations to implement passwordless at their own pace.
- Passwordless Factor: Use a passwordless method, such as a push notification or an emailed magic link, as an additional authentication factor beyond a password.
- Passwordless Experience: Remove the password from the user experience and perform any password-based authentication securely in the background.
- Complete Passwordless: Eliminate the creation and use of passwords completely and perform authentication with biometrics, private-key cryptography, and other methods.
For healthcare security leaders not ready for passwordless authentication, multi-factor authentication (MFA) is a popular and effective alternative. MFA is a method of validating a user’s identity through multiple authentication mechanisms that include something the user knows, something the user has, and something the user is. For example, access is only granted after a user enters the correct password (what the user knows) along with a push notification or a numeric code sent by email or text to the user’s registered phone (something the user has), or with biometrics like a fingerprint, facial scan, or Touch ID (something the user is).
Customers appreciate knowing that there are additional security features available to them. With Ping, they can even choose which MFA option(s) they prefer, such as an SMS prompt or QR code scan.
4. Real-Time Monitoring and Threat Detection
Ping’s Protect solution helps healthcare security leaders prevent account takeover and fraud at all points of authentication, known as the identity perimeter. It evaluates session activity and call center interactions for abnormal behavior and provides threat insights to adjust authentication requirements based on real-time risk analysis. For example, if a patient calls from an unrecognized location or device, the system may require a stronger form of authentication such as biometric verification or a one-time passcode (OTP) sent to a known device.
Traditional methods, like asking a patient’s birthdate or the last procedure they had, can be easily compromised through data breaches. Instead, PingOne Protect provides real-time identity verification using factors like behavioral analysis and biometric authentication, making it much harder for fraudsters to impersonate real patients.
Ping built its Protect solution to be a seamless part of its highly acclaimed no-code orchestration engine. Risk scores can be incorporated into the design of call-center and help-desk journeys, allowing healthcare security leaders to remove unwanted friction and improve the experience of legitimate users.
With PingOne Protect, you can:
- Reduce the number of times legitimate users are interrupted to authenticate
- Prevent identity fraud by evaluating activity and detecting anomalies
- Gain visibility into risk and fraud posture and trends
Assess Risk and Fraud with Dashboards
Understanding where risk resides within an organization enables security leaders to make the right authentication decisions to increase their security posture. PingOne Protect offers robust dashboards and reports that provide insight into risk events distribution, high-risk locations, high-risk factors, the riskiest users, browser distribution, and operating systems distribution.
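As an added illustration (not PingOne Protect’s code), the step-up logic described above can be sketched as a small policy function; the signal names, weights and thresholds are constructed for this example:

```python
# Added example (not Ping Identity's or PingOne Protect's code): a simplified
# risk-based step-up policy for a call-center authentication journey, modelled on
# the "unrecognized location or device" scenario above. Signal names, weights and
# thresholds are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class CallContext:
    caller_id_on_file: bool      # displayed number matches the patient record
    device_recognized: bool      # the patient's enrolled device is present on this call
    location_recognized: bool    # geolocation consistent with the patient's history
    failed_kba_attempts: int     # wrong answers to knowledge questions on this call
    recent_channels: set = field(default_factory=set)  # e.g. {"web", "sms"} in the last hour

def assess(ctx: CallContext) -> dict:
    """Return the risk score, the reasons behind it, and the step-up required.

    A matching caller ID deliberately adds no trust, because the displayed
    number can be spoofed (see "Spoofed Caller IDs" above); only negative
    evidence moves the score. The reasons list is what belongs in the audit log.
    """
    score, reasons = 0, []
    if ctx.caller_id_on_file:
        reasons.append("caller ID matches record (informational only, not trusted)")
    if not ctx.device_recognized:
        score += 40
        reasons.append("unrecognized device")
    if not ctx.location_recognized:
        score += 30
        reasons.append("unrecognized location")
    if ctx.failed_kba_attempts:
        score += 15 * min(ctx.failed_kba_attempts, 3)
        reasons.append(f"{ctx.failed_kba_attempts} failed KBA answer(s)")
    if len(ctx.recent_channels) >= 2:
        # Several channels in a short window matches the omnichannel fraud pattern.
        score += 20
        reasons.append("multi-channel activity: " + ", ".join(sorted(ctx.recent_channels)))
    if score < 30:
        step_up = "none"                    # low risk: do not interrupt the caller
    elif score < 60:
        step_up = "otp_to_enrolled_device"  # OTP goes to the device on file, never to the calling number
    else:
        step_up = "push_with_biometric"     # in-app push confirmed by device biometrics
    return {"score": score, "reasons": reasons, "step_up": step_up}
```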
5. CIBA and Secure Impersonation
Rather than requiring callers to answer weak authentication questions, Ping Identity’s client-initiated backchannel authentication (CIBA) enables contact-center representatives to authenticate callers through more secure methods, such as sending a prompt via a mobile app or text message. CIBA also supports secure impersonation, allowing representatives to interact with consumers and their data securely.
Given that call-center representatives have access to consumer accounts, fraudsters can potentially exploit this to obtain sensitive data. Therefore, it is crucial for an organization’s identity solution to support secure impersonation. This feature enables consumers to temporarily grant representatives control over their account—often through a mobile app prompt—for a specified period of time. By ensuring representatives only access consumer accounts with explicit permission from authenticated users, healthcare security leaders make it significantly more difficult for fraudsters to succeed. On the consumer side, customers appreciate the ability to control whether a call-center representative can view their account and for how long. Representatives benefit as well, because explicit, time-limited consent reduces the chance that human error exposes an account.
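The CIBA request and the time-bounded consent grant described above, as an added example that is not Ping Identity’s code and is a toy model rather than the OpenID CIBA specification; the start/decision/poll API, field names and scopes are constructed:

```python
# Added example (not Ping Identity's code, and a toy model rather than the OpenID
# CIBA specification): a representative-initiated backchannel authentication
# request followed by a scoped, time-bounded consent grant. Field names and the
# start/decision/poll API are constructed; a clock is injected so expiry is testable.
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthRequest:
    representative: str
    login_hint: str            # identifier the agent holds for the caller
    binding_message: str       # shown in the app so the consumer sees what is requested
    requested_scope: set
    expires_at: float
    approved_scope: Optional[set] = None
    denied: bool = False
    grant_id: Optional[str] = None

class BackchannelAuthServer:
    def __init__(self, now):
        self.now = now                        # callable returning seconds
        self.requests, self.grants = {}, {}

    def start(self, representative, login_hint, scope, ttl=120):
        """Agent initiates; the caller is never asked for a password or KBA answer."""
        rid = secrets.token_urlsafe(16)
        msg = f"{representative} requests {sorted(scope)} for {ttl}s"
        self.requests[rid] = AuthRequest(representative, login_hint, msg, set(scope), self.now() + ttl)
        return rid

    def consumer_decision(self, rid, approve, scope=None, grant_ttl=600):
        """Runs after the consumer unlocks the enrolled app (possession + biometric)."""
        req = self.requests[rid]
        if self.now() > req.expires_at:
            raise TimeoutError("authentication request expired")
        if not approve:
            req.denied = True
            return
        # The consumer may narrow the requested scope but can never widen it.
        wanted = req.requested_scope if scope is None else set(scope)
        req.approved_scope = wanted & req.requested_scope
        req.grant_id = secrets.token_urlsafe(16)
        self.grants[req.grant_id] = {"subject": req.login_hint, "representative": req.representative,
                                     "scope": req.approved_scope, "expires_at": self.now() + grant_ttl,
                                     "revoked": False}

    def poll(self, rid):
        """Agent polls for the outcome (CIBA poll mode)."""
        req = self.requests[rid]
        if req.denied:
            return {"status": "denied"}
        if req.approved_scope is None:
            return {"status": "expired" if self.now() > req.expires_at else "pending"}
        return {"status": "approved", "grant_id": req.grant_id}

    def can_access(self, grant_id, resource):
        """Resource check: grant exists, is unrevoked, unexpired, and covers the resource."""
        g = self.grants.get(grant_id)
        return bool(g) and not g["revoked"] and self.now() <= g["expires_at"] and resource in g["scope"]

    def revoke(self, grant_id):
        """Consumer ends the representative's access early."""
        self.grants[grant_id]["revoked"] = True
```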
6. Decentralized Identity
Identity fraud in healthcare is widespread, causing substantial financial losses and escalating the costs of identity verification. Current efforts to mitigate risk, coupled with regulatory requirements, hinder business agility. Healthcare consumers, employees, and partners are burdened with lengthy ID checks, repetitive data entry, and challenges in securely sharing verified identity information during contact-center calls, which often involves manual processes and complex integrations.
Decentralized Identity (DCI) works by giving individuals control over their personal information, allowing them to securely manage and share verified credentials directly without relying on centralized databases. Using technologies like blockchain and cryptography, users store digital versions of personal documents (e.g., IDs, certifications) in a secure digital wallet. When they need to prove their identity, they can share only the required information with others (e.g., just age, not birthdate) through a verifiable credential. This system improves privacy, reduces fraud, and streamlines identity verification processes by minimizing the need for multiple intermediaries.
With Ping’s Decentralized Identity (DCI) solution, Neo, healthcare leaders can enhance the security, experience, and privacy of contact center interactions in the following ways:
- Verifiable Credentials for Identity Proofing: Consumers can share cryptographically secure, verified credentials directly from their digital wallets to prove their identity without sharing sensitive information like Social Security Numbers (SSNs) or passwords. This reduces the risk of impersonation or social engineering attacks.
- Passwordless Authentication: DCI enables consumers to authenticate themselves using digital credentials stored in their wallets, eliminating the need for passwords. This reduces the risk of password-related attacks such as phishing or credential stuffing, enhancing the security of contact center interactions.
- Selective Disclosure: With DCI, consumers can share only the specific pieces of information required for an interaction, like proving their age, guardianship, or membership status, without exposing unnecessary personal data. This minimizes the risk of data exposure and fraud during the call-center interaction.
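Selective disclosure as described above, as an added example (not Neo’s code or any standard’s): salted claim digests let a consumer prove one attribute without revealing the rest. The issuer key, claims and issuer URL are constructed, and an HMAC stands in for the issuer’s public-key signature:

```python
# Added example (not Ping Identity's Neo or any standard's code): selective
# disclosure with salted claim digests, the mechanism behind "share just age,
# not birthdate" above. The issuer signs only digests; the holder reveals chosen
# claim/salt pairs; the verifier recomputes them. The issuer key and claims are
# constructed, and an HMAC stands in for the issuer's public-key signature.
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"   # stand-in for the issuer's signing key

def _digest(name, value, salt):
    """Digest of one claim; the random salt stops guessing low-entropy values."""
    payload = f"{salt}|{name}|{json.dumps(value, sort_keys=True)}".encode()
    return hashlib.sha256(payload).hexdigest()

def _sign(body):
    return hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

def issue(claims):
    """Issuer: return (credential, disclosures). Only digests are in the signed body."""
    salts = {n: secrets.token_hex(16) for n in claims}
    body = {"iss": "https://issuer.example.test",
            "digests": sorted(_digest(n, v, salts[n]) for n, v in claims.items())}
    credential = {"body": body, "sig": _sign(body)}
    disclosures = {n: (v, salts[n]) for n, v in claims.items()}  # kept in the wallet
    return credential, disclosures

def present(credential, disclosures, reveal):
    """Holder: attach only the requested claims, each with its salt."""
    return {"credential": credential,
            "disclosed": {n: disclosures[n] for n in reveal if n in disclosures}}

def verify(presentation, required):
    """Verifier: check the issuer signature, then bind each disclosed claim to a digest.
    Returns the verified claims, or None if anything fails."""
    cred, disclosed = presentation["credential"], presentation["disclosed"]
    if not hmac.compare_digest(_sign(cred["body"]), cred["sig"]):
        return None                       # body tampered or not from this issuer
    digests = set(cred["body"]["digests"])
    verified = {}
    for name, (value, salt) in disclosed.items():
        if _digest(name, value, salt) not in digests:
            return None                   # fabricated or altered disclosure
        verified[name] = value
    if not set(required) <= set(verified):
        return None                       # holder withheld a claim this verifier needs
    return verified
```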
7. No-Code Identity Orchestration
Attackers tend to target the weakest links within an organization, and according to Accenture, call centers have become the path of least resistance for fraud due to outdated and siloed authentication processes. Additionally, traditional healthcare contact center experiences often frustrate consumers by requiring them to repeatedly provide credentials at various stages of the authentication process, leading to dissatisfaction and a lack of loyalty.
No-code identity orchestration is a critical capability that simplifies the integration of multiple systems, applications, and security technologies. It provides a no-code or low-code environment where organizations can design and manage authentication workflows without requiring extensive manual coding. Ping’s identity orchestration engine offers a drag-and-drop interface and pre-built connectors to common systems, enabling easy integration of various identity services. For instance, security professionals can create user journeys that combine identity verification, fraud detection, and access management solutions within a single workflow.
In the healthcare sector, identity orchestration allows organizations to manage integrations holistically, eliminating the need to juggle multiple vendors or identity platforms for different use cases. This not only reduces the risk of identity-related breaches but also helps ensure that sensitive health data is protected against unauthorized access and fraud.
Ultimately, no-code orchestration enhances the user experience by reducing friction—such as eliminating unnecessary MFA prompts for low-risk interactions. For healthcare security and experience leaders, this means contact centers can provide smoother, faster interactions, improving both operational efficiency and consumer satisfaction, all while maintaining strict security and privacy compliance with healthcare regulations like HIPAA.
Ping Identity No-Code, Low-Code Identity Orchestration
The ROI of Contact-Center Security Modernization
The benefits of improving front-desk, help-desk, and call-center security are clear — and it’s time to create a better experience for customers or patients using these services. While a complete overhaul may seem daunting, the right digital identity solution can result in significant cost savings and customer engagement.
For example, a recent Forrester® Total Economic Impact™ (TEI) study of Ping Identity (formerly ForgeRock) CIAM shows that over three years healthcare enterprises may achieve the following results:
Healthcare Leaders Choose Ping Identity
When used in combination, Ping Identity’s enterprise-grade identity security capabilities mitigate risks and vulnerabilities to significantly improve healthcare contact-center security and user experience.
Ping Identity is the leading enterprise-grade IAM provider, helping people simply and safely access the connected world. Eight of the top 10 U.S. healthcare organizations use Ping to modernize and accelerate digital transformation, support their digital healthcare initiatives, and secure their users and organization.
At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That’s digital freedom. We let enterprises combine our best-in-class identity solutions with third-party services they already use to remove passwords, prevent fraud, support Zero Trust, or anything in between. This can be accomplished through a simple drag-and-drop canvas. That’s why more than half of the Fortune 100 choose Ping Identity to protect digital interactions for their users while making experiences frictionless. Learn more at www.pingidentity.com.