Fighting Medical Fraud: Where to Begin?
Moving Beyond a Focus on Compliance
To protect against medical identity theft and fraud, healthcare organizations need to build comprehensive security programs that go beyond putting their "finger in the dike," says security expert Mark Ford.
"You need to know where you stand before you can start addressing the risks that are hitting you," says Ford, a principal in Deloitte's cyber-risk services practice. "If you just ... start throwing technology and controls into place, then you really are taking a ... finger-in-the-dike approach." And that can leave an organization exposed to "the changing threat world."
Conducting a thorough security risk analysis to identify gaps is a key component of any fraud-fighting effort, he says in an interview with Information Security Media Group. And while the HIPAA Security Rule requires covered entities to perform such an assessment, he stresses that it's important that healthcare entities develop and implement security plans that go far beyond compliance, taking into consideration evolving threats.
For example, when it comes to ID theft and fraud, external threats are becoming the No. 1 concern, rather than insider threats, because cybercriminals recognize the lack of data security in the healthcare sector compared with other industries, Ford says.
Protecting patient data in electronic health records is particularly challenging, Ford says, because so many caregivers need access to EHR data.
The number of individuals who need access to EHRs is significantly higher than the number who must access patient financial records, he notes. "If you compare the two, you need to have more structure and process and oversight over what you're doing with electronic health record systems," he says. The controls to protect EHRs, vs. financial systems, "aren't that much different; they just have to be managed much more closely."
In the interview, Ford also discusses:
- Why medical ID theft and fraud is a growing problem;
- The kinds of data being targeted by identity thieves;
- Cyberthreats posed by insiders versus hackers.
Ford is principal in Deloitte's cyber-risk services practice and the lead for the life sciences and healthcare industry. In this role, he has consulted with dozens of healthcare organizations participating in the HITECH Act's EHR incentive program. Before taking on the healthcare leadership role, he established Deloitte's identity and access management practice, which he led for about 10 years.