Strengthening Call Center Security

Strengthening Call Center Security: Protecting Systems Is Paramount

In today's digital era, the threat of data breaches looms larger than ever, particularly for hospital systems and providers. Call centers serve as critical touchpoints to support digital access for employees. As the public learns more details on recent data hacks, we can conclude it is imperative that we reassess how we verify caller identities. Recent incidents have highlighted the vulnerability of call centers, with many attacks using social engineering tactics to gain information¹ that allowed criminals to steal employee credentials to gain access to systems or patient information.

The Vulnerability of Traditional Verification Methods

Historically, call centers have relied on traditional authentication methods such as confirming a caller's name and/or employee ID number. While these methods can be efficient for an agent handling requests, they do not account for the sophisticated, emerging cyber threats. Cybercriminals are using things like AI-fueled, sophisticated social engineering schemes to convincingly impersonate employees or trick them into sharing their credentials. In IBM’s 2024 Cost of a Data Breach Report, findings showed that stolen credentials were the most common attack vector². As a result, relying solely on basic identity information can leave your systems open to a breach.

The Need for Enhanced Verification Tools

While call center systems may not be able to detect anomalies in a digital profile, they must be equipped with tools that provide a more comprehensive approach to verifying and authenticating. The goal is not to place more of a burden on agents, but instead to adopt a multi-faceted approach that balances security with a positive service experience.

The Significance of Multi-Factor Authentication

Implementing multi-factor authentication has become a priority³ for healthcare providers. Why is multi-factor authentication different? It requires more than a single identifier for access – a caller would have to provide at least two or more verification factors. Multi-factor authentication, or MFA, has three factors that most cybersecurity plans should adhere to: an employee should have to verify “something they know, something they have, and something they are.” Let’s delve into what these factors represent and how they contribute to securing access.

1. Something You Know: A typical authentication method that involves secret questions that only that employee would know like a pet name or elementary school. This method is reliable as long as the secret is not known to others. This factor is often exploited by cybercriminals through social engineering – looking at an individual’s social media pages can reveal information, so employees must make sure they are submitting secret answers that are not easily found.
2. Something You Have: This method involves an item in the employee’s possession and includes a one-time passcode being sent to a known device or a security token. This method can definitely be compromised if the device is lost or stolen, so it is important to make sure devices are protected and reporting missing immediately if compromised.
3. Something You Are: This authentication method involves biometrics like voice or facial recognition. While it is becoming more popular, there are state laws⁴ that may prohibit certain use of this. Also, cybercriminals have started to use social engineering specifically for voice biometrics. Employees have to be vigilant not to share information with unknown callers.

Balancing Security and Experience

While enhancing security is a necessity in these times, it must be balanced with providing a relatively frictionless experience for callers. Overly complex processes can frustrate agents and the caller leading to decreased productivity.

To achieve this balance, healthcare providers should consider:

• Training Call Center Agents on cyber threats and social engineering tactics: Equip agents with the necessary information to be aware of suspicious behavior while maintaining efficient service. Empowering agents with the right insight and training⁵ will enable them to navigate calls with more scrutiny.
• Multi-layered, customizable security strategies: Design verification and authentication strategies that are intuitive and quick for agents to use. Solutions that allow for rapid phone or email confirmation are an example of this, reducing the time spent on security checks, but making sure there is not a risk associated with the phone or email the end user owns.

In conclusion, cyber threats continue to emerge and healthcare providers must evolve their strategies for protecting sensitive information. By adding additional security to call center systems, healthcare providers can significantly impact the risk of data breaches while maintaining a positive, efficient interaction for the caller and agent. There is a lot at risk, but with the right approach, systems can be better protected. Investing in robust cybersecurity solutions today will pay dividends in against the emerging threats.

References:

1. https://www.splunk.com/en_us/blog/learn/social-engineering-attacks.html
2. https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs
3. https://pmc.ncbi.nlm.nih.gov/articles/PMC10214092/
4. https://complianceconcourse.willkie.com/resources/privacy-and-cybersecurity-us-state-biometric-privacy-laws-overview/
5. https://www.techtarget.com/searchcustomerexperience/tip/Best-practices-for-call-center-agent-training-programs