HealthcareInfoSecurity.com - Information Security News, Regulations, & Education


Cracking Down on Medical ID Theft

As threat grows, staff education is essential
March 18, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

The risk of medical identity theft is growing as more hospitals and physicians adopt electronic health records and prepare to exchange this information, experts say.

"The shift to EHRs probably happened faster than the organizations' abilities to understand the security implications and react to them," says Matt Marshall, vice president of security at Redspin Inc., a Carpinteria, Calif.-based consulting firm.

"If the industry doesn't take security seriously, there will be an erosion of trust in healthcare," warns Mike Spinney, senior privacy analyst with Ponemon Institute, a Traverse City, Mich.-based research firm.

A recent Ponemon survey of consumers found that 9 percent had experienced an identity theft crime directly or through an immediate family member. Of those crimes, nearly 6 percent involved medical identity theft.

To help prevent ID theft, hospitals and clinics need to take information security far more seriously, the two experts say. For example, they advise organizations to:

  • Educate staff members about the threat of medical ID theft;
  • Create comprehensive risk management programs;
  • Designate someone to enforce security policies; and
  • Assess the security policies of business associates.

Stacks of cash?

Hackers are beginning to view EHRs as "electronic stacks of cash because they represent high-value data to sell on the black market," Marshall says.

While a hacker might get 40 cents for a stolen credit card number, a stolen medical identity could fetch a premium price of $14 to $18, he says.

"If I steal a credit card number, I can create a fake card and use it a few times. If I can get your full identity, I can open up many accounts, max out your credit and use it for a number of malicious activities. And it's much harder to shut that down; it's not as simple as canceling a credit card."

Medical ID theft is a "much more sinister crime" than credit card fraud, Spinney contends. Once a hacker has access to the wealth of information, such as Social Security numbers, images of drivers' licenses and insurance cards, and full medical histories, stored in a healthcare organization's computers, they can do a lot of damage, he argues.

For example, hackers can sell personal information to illegal aliens so they can obtain employment. They can sell it to the uninsured so they can obtain healthcare coverage. And they can use the information to open new bank accounts or access an individual's existing accounts.

Some 52 percent of those who were medical ID theft victims said it took one year or longer to discover the theft, the Ponemon survey found. "The criminal element operating these days is very intelligent, very patient, and will hold onto the information they've stolen for a long time," Spinney says. "The more information they collect before the fraud is committed, the bigger the eventual payoff."

The Ponemon survey found that, on average, medical ID theft costs the victim more than $20,000. That's partly because it takes so long to detect the fraud, Spinney says.

Risk continues

Although the HITECH Act set higher penalties for HIPAA privacy and security rule violations and ramped up federal enforcement, Spinney still expects medical ID fraud to escalate. He points out that credit card fraud has continued to grow "despite all the attention on it." And he notes that cyber-criminals are becoming much more sophisticated.

The wealth of information being added to electronic records is becoming a more tempting target for the hackers, Marshall adds.

"People haven't recognized how this shift to EHRs has made them a target," he says. "Many organizations are operating on security assumptions that are now out of date."

Preventive measures

The best way to prevent medical identity theft, Spinney says, is to educate staff members about the threat. "Get them to understand that there is a very real personal cost to identity theft. Make sure they know they need to regard their security responsibility as if they were the ones at risk."

In addition to building awareness, Marshall says healthcare organizations need to build a comprehensive security program. "If you can identify your highest risk areas, you can address those and mitigate the risk."

Having good risk management policies in place can be a strong competitive advantage, says David Bailey, a security engineer at Redspin. "If consumers see a news story about records stolen at a hospital, they're going to think twice about going there and giving them all their information," he says.

