When designing and developing applications, security is certainly a topic that will need to be addressed to protect the account data of your users. Within the healthcare and finance industries, that concern is greatly heightened due to the sensitive nature of these industries and the regulations and policies that govern them.
In our experience providing UX/UI and development services for clients in the healthcare and finance spaces, we’ve found a handful of helpful tips when considering how to approach secure experience design.
Enforcing Strong Passwords
This might seem obvious, but generally, longer passwords that are more complex are harder to crack. For that reason, longer passwords with uppercase letters, lowercase letters, numbers, and special characters should be required for applications that access sensitive data such as personal health information (PHI) or financial data. The minimum number of characters for a very strong password would be 15-16 characters in length. Sometimes users shy away from entering long, complex passwords for fear that they may not remember them. Consider a password management system such as LastPass or 1Password to solve this problem.
2-Factor Authentication
Two-Factor Authentication, or 2FA, relates to the idea of using a secondary way to confirm a user’s intent in highly secure and sensitive situations. For example, if someone is attempting to sign into their financial or healthcare application for the first time on a new device, that person would likely receive a 5-6 digit code via text message or email to complete the sign-in process. The same could be true for a user attempting to transfer a large sum of money or to view or share personal health information. The authentication system, in this way, requires the mobile phone number the user entered during registration to be used to confirm certain key actions within these data-sensitive environments.
Authentication or Transactions Messages
Applications requiring heightened security will sometimes send users an email or text message when certain actions are performed. For instance, when signing in from a new device, making a large financial transfer, or performing any action the organization might consider significant, it’s not uncommon for users to receive an email or text message notifying them that such an action took place. Granted, many of these types of actions are also protected by 2-Factor Authentication, but these additional messages serve as an extra heads-up.
Facial Recognition
Upon signing in for the first time, many apps prompt the user to enable FaceID for Apple devices or Face Unlock for Android. This allows your device to authenticate you for future sessions by using a quick camera scan of your face. In many cases, once you’ve enabled this option to sign into an application, this choice will become the primary way you will authenticate in the future, making it more secure than a password – and considerably less work. Since many apps within privacy-intensive industries such as finance and healthcare will prompt you to enter your password each time, facial recognition provides convenience to the user and added security.
Session Timeouts
Sometimes when we use applications, we get sidetracked and switch to another one or step away from our device for a moment. In a worst-case scenario, we might accidentally leave a device unattended in an unsecured location. Depending on how we’ve configured our phone’s security settings, another person might have the opportunity to access our device and our applications. For the protection of those in this use case, most health and finance apps will automatically timeout and notify the user that they’ve been logged out due to 10 or 15 minutes of inactivity and that they can sign back in to continue. By leveraging biometrics such as facial recognition, the act of logging back in is quick, painless, and virtually impossible for someone else to mimic on your device.
Priming and Expectation Management
Another important aspect of user experience for health and finance apps is providing clear and straightforward messaging regarding what data is being collected and exactly what is being done with it. A good content experience team member can help craft a conversational message, yet formal enough for these circumstances so that users feel comfortable and secure in using the app.
One way to think about composing these messages is as follows:
- State exactly what type of data the app is collecting and storing.
- Explain precisely why that data is being collected and stored.
- Divulge whether any third parties will have access to the data, be it deidentified or otherwise.
Using this framework, an example of a diabetes healthcare app notification could be:
A note about privacy
Our app securely collects and stores your profile data and glucose values over time to provide you with a historical log of your blood sugar levels and make recommendations based on the data. We provide third-party partners with de-identified, aggregate data, meaning none of your personal information or personally identifiable health data is ever shared.
Some users might still be uncomfortable with sharing any of their data even after it’s been anonymized. One solution could be to let users opt-out of being included in aggregate reporting and just use the app’s core features.
Language, Tone, and Content
This tip might seem less obvious than some of the security measures, but language, tone, and content are also very important to craft appropriately for highly secure industries. Imagine logging into your bank account to see if an important transaction cleared and seeing the text heading at the top, “hey, what’s up?” That is not exactly the right tone for the situation. Instead, “Good afternoon, Firstname” would likely be closer to what you would expect.
This also holds true for all of the app prompts and calls to action. From headings on screens to instructions for form-based workflows to touchpoints outside of the app, such as text messages and email notifications, a consistent and professional tone will help establish trust with your audience and remind them that you’re providing a professional and dependable solution within a secure-intensive industry.
The one exception here is if your brand has developed a voice and tone that are purposefully meant to be irreverent, fun, or differentiate you from your competitors in a specific way. The guidance for these cases would be to craft messaging that leads with a pithy, brand-oriented heading followed by language that includes personality but is still very clear and respectful of the user and the overall context. The goal would be to inject some personality that users will respond well to without making them doubt its professionalism.
It’s also worth noting that in both finance and healthcare, there are many complicated terms that not all users will readily understand. If possible, try to include several rounds of user testing and observe whether any users get tripped up by the specific language you’ve chosen. If so, consider simplifying that language until it’s more easily understood.
Data Visualization
Both finance and healthcare can benefit by helping users visualize their data to make inferences and gain insights. As long as the data is visualized well with ample context, visualizations can improve experiences. The danger is when visualizations are presented without context and left for users to interpret. This risks creating a false picture of the data or presenting the user’s data as siloed without a baseline to compare against. For example, if I’m looking at a chart that shows glucose levels over time, how might I understand if the values are within a safe range? How do I compare to others in a similar cohort?
A few best practices for data visualization would be to use a clear legend for the data, show average or benchmark values if possible, and make the time series clear. The more visualizations in your app are made clear and provide relational context, the better they’ll serve your users and your product.
Colors and Themes
Many people think of color as a subjective topic, but did you know that various colors are associated with psychology and specific moods? Researchers have studied and compiled the effects of each major color group and the concepts and feelings they evoke. For example, red is associated with danger, excitement, passion, and love. Conversely, blue evokes trust, peace, loyalty, and competence.
Given that finance and healthcare can be sensitive subjects for many people, it stands to reason that we wouldn’t want to design an interface with colors that evoke danger or unrest but rather provide a more soothing, trustworthy tone. This is one of the reasons that so many banks use blue in their branding and within their websites and applications.
Accessibility
It’s difficult to overstate how important accessibility is for applications within all industries. However, it feels even more important to ensure that finance and healthcare apps have undergone extensive development and testing for accessibility, given the seriousness and sensitivity of their industries. In other words, it’s a shame when an app in the games or entertainment category lacks accessibility considerations, but when this happens in healthcare or finance, it’s a showstopper.
Gone are the days when accessibility was a “nice to have.” Not only is it the right thing to do to ensure that all users can access and use an app, but not addressing it has become a major liability for organizations in all categories.
According to the American Bar Association, “Since 2018, website and mobile app accessibility lawsuits have made up roughly a fifth of all ADA Title III filings in federal courts, which now consistently exceed 10,000 lawsuits annually.”
Browser or Device Support
Finance and Healthcare are two industries that are notorious for locking down the technology their employees can use. While this makes sense to some degree at face value, the paradox is that older technology and web browsers are often the most susceptible to security threats. I remember designing a product for a FinTech company that insisted that our web application had to be supported in Internet Explorer 6. This was when version 8 or 9 were available and considered more secure, not to mention far more capable of rendering modern websites correctly. As is common with these industries, their hardware and software were configured to work with legacy systems they had in place. Their IT department felt that upgrading browsers might create a vulnerability.
Though these days are long over, and IE6 is officially dead, the lesson is that you can’t always count on certain industries to allow their employees access to the latest hardware and software. One recommendation is to try to find out early from new clients in these spaces about their technical policies and note anything that may differ from or pose a challenge to how you would normally design and develop in your own environment.
Support Implications
How does the heightened security of the financial and healthcare industries impact customer support? For one, customers that are contacting support could be frustrated by the issue necessitating their request. Given the sensitivity of situations where there are issues with bank accounts or health records, emotions can run high, and issues can seem desperate. One initial recommendation is to meet users on the channel they prefer. Ideally, offering live chat, an email/ticketing form, and a direct phone number are good ways to cover your bases. Offering only a limited subset of contact options is a good way to alienate people who may prefer to communicate differently.
Bringing back up language, tone, and content, including prompts or explanations in your support interface, can also be helpful. For example, let’s say you’re chatting with a support agent through your online bank. If the agent needs specific information to verify you or asks to take control of your screen to resolve an issue, it could be worth providing an FAQ or small footnote somewhere in the chat UI that clarifies what they can and can’t access as well as policies around remote access. Anything you can do to predict your users’ questions in these sensitive situations can help assuage concerns as they arise.
Conclusion
We’ve examined a handful of ways that you can design and develop for enhanced security to meet the stringent requirements of industries like healthcare and finance. Some seem to have less to do with the specific interface itself and more with the ecosystem and communications that stem from it. In contrast, others stress color analysis and micro-copy. As with most great software, user-centered design must work hand-in-hand with developers to produce a product users will trust and find intuitive.
