Cracking Down on Medical ID Theft
As threat grows, staff education is essential
"The shift to EHRs probably happened faster than the organizations' abilities to understand the security implications and react to them," says Matt Marshall, vice president of security at Redspin Inc., a Carpinteria, Calif.-based consulting firm.
"If the industry doesn't take security seriously, there will be an erosion of trust in healthcare," warns Mike Spinney, senior privacy analyst with Ponemon Institute, a Traverse City, Mich.-based research firm.
A recent Ponemon survey of consumers found that 9 percent had experienced an identity theft crime directly or through an immediate family member. Of those crimes, nearly 6 percent involved medical identity theft.
To help prevent ID theft, hospitals and clinics need to take information security far more seriously, the two experts say. For example, they advise organizations to:
- Educate staff members about the threat of medical ID theft;
- Create comprehensive risk management programs;
- Designate someone to enforce security policies; and
- Assess the security policies of business associates.
Stacks of cash?
Hackers are beginning to view EHRs as "electronic stacks of cash because they represent high-value data to sell on the black market," Marshall says.
While a hacker might get 40 cents for a stolen credit card number, a stolen medical identity could fetch a premium price of $14 to $18, he says.
"If I steal a credit card number, I can create a fake card and use it a few times. If I can get your full identity, I can open up many accounts, max out your credit and use it for a number of malicious activities. And it's much harder to shut that down; it's not as simple as canceling a credit card."
Medical ID theft is a "much more sinister crime" than credit card fraud, Spinney contends. Once a hacker has access to the wealth of information, such as Social Security numbers, images of drivers' licenses and insurance cards, and full medical histories, stored in a healthcare organization's computers, they can do a lot of damage, he argues.
For example, hackers can sell personal information to illegal aliens so they can obtain employment. They can sell it to the uninsured so they can obtain healthcare coverage. And they can use the information to open new bank accounts or access an individual's existing accounts.
Some 52 percent of those who were medical ID theft victims said it took one year or longer to discover the theft, the Ponemon survey found. "The criminal element operating these days is very intelligent, very patient, and will hold onto the information they've stolen for a long time," Spinney says. "The more information they collect before the fraud is committed, the bigger the eventual payoff."
The Ponemon survey found that, on average, medical ID theft costs the victim more than $20,000. That's partly because it takes so long to detect the fraud, Spinney says.
Although the HITECH Act set higher penalties for HIPAA privacy and security rule violations and ramped up federal enforcement, Spinney still expects medical ID fraud to escalate. He points out that credit card fraud has continued to grow "despite all the attention on it." And he notes that cyber-criminals are becoming much more sophisticated.
The wealth of information being added to electronic records is becoming a more tempting target for the hackers, Marshall adds.
"People haven't recognized how this shift to EHRs has made them a target," he says. "Many organizations are operating on security assumptions that are now out of date."
The best way to prevent medical identity theft, Spinney says, is to educate staff members about the threat. "Get them to understand that there is a very real personal cost to identity theft. Make sure they know they need to regard their security responsibility as if they were the ones at risk."
In addition to building awareness, Marshall says healthcare organizations need to build a comprehensive security program. "If you can identify your highest risk areas, you can address those and mitigate the risk."
Having good risk management policies in place can be a strong competitive advantage, says David Bailey, a security engineer at Redspin. "If consumers see a news story about records stolen at a hospital, they're going to think twice about going there and giving them all their information," he says.
Healthcare organizations also need to do a better job of designating someone, such as a chief information security officer, to be accountable for enforcing a security program, Marshall says. For example, if a hospital determines that all laptops should be encrypted, someone needs to ensure that periodic audits are conducted to make sure everyone is actually complying.
Under the HITECH breach notification rule, healthcare organizations' business associates, such as banks, billing firms and software companies, must now comply with the HIPAA privacy and security rules and report breaches to the "covered entity," such as a hospital or clinic. As a result, Marshall says, covered entities should ask their business associates for copies of their security assessments and security audits "that validate that they have a policy in place and that the policy is being followed."
But when it comes to preventing breaches, and, ultimately, identity theft, paying attention to small details, such as not leaving a laptop behind in the back seat of a car, can have a big impact.
Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash., notes in a blog that most recent healthcare breaches have not been tied to cyber-crimes by sophisticated hackers, but rather have involved such incidents as the theft or loss of laptops.
"No matter how mature an organization's IT security program is, the workforce must remain attentive if privacy and security are to be maintained," Paidhrin says.
"Each workforce member needs to own their share of responsibility as a custodian of protected health information. Each healthcare organization needs to hard-wire into their services, environment and workers a culture of accountability. Our patients expect nothing less."