December 11, 2012

Storm Clouds Ahead: Hackers, Healthcare Data & Medical ID Theft

If you think you are having a bad day, consider the healthcare providers and patients of the Australian Miami Family Medical Center, all of whom have been locked out of medical records. Thousands of patient medical histories, prescriptions, lab test results and health records have been breached, hijacked and encrypted, and are being held for ransom by Russian hackers.

This is not an isolated incident by any means - earlier this year, a small Illinois medical practice was similarly breached, with health records stolen, encrypted, and held for ransom. Extortionists also struck Express Scripts a few years ago, threatening exposure of more than 700,000 records.

Not all health data breaches are the result of hackers. In fact, hackers may be the tip of the iceberg. The less dramatic day-to-day threat of unsecured mobile devices, lost laptops, and disgruntled or dishonest employees likely represents the lion's share of the breaches -- at least at present. And such problems are hardly unique to healthcare - the issue of employees bringing mobile devices into the workplace is a common one, dubbed "bring your own device" or BYOD for short. Security experts quip that it stands for "bring your own danger."

Medical ID Theft
While ransom may not be a particularly successful criminal strategy, the real paydirt might be in medical identity theft. With the high cost of medical care and a proliferation of opioid abuse, medical IDs are increasingly valuable. Thieves can hijack medical identities and health data to file insurance claims or secure medical treatment, prescription drugs and even surgery. On a broader scale, operatives can use medical data to submit false bills to insurers. To add insult to injury, illegal medical transactions may unknowingly be added to patient records, making for inaccuracies and potentially dangerous situations.

People are aware that they could be a victim of financial fraud - medical fraud, not so much. A study by Nationwide Insurance revealed that most people are unaware of the risk of medical ID theft. While people are in the habit of checking financial accounts somewhat regularly, that is often not the case with medical records.

Expect growing risk for health data
Experts say that we can expect to see more healthcare breaches ahead - particularly as more records are digitized. A recently released study on patient data security by Ponemon/ID Experts reports:

Ninety-four percent of healthcare organizations surveyed suffered at least one data breach; 45 percent of organizations experienced more than five data breaches during the past two years. Data breaches are an ongoing operational risk that could be costing the U.S. healthcare industry an average of $7 billion annually. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices--such as mammogram imaging and insulin pumps--which hold patients' protected health information.

The report paints a picture of an industry that is woefully unprepared to deal with the burgeoning threat. Most organizations surveyed said that they have insufficient resources to prevent and detect data breaches.

In health data breaches involving more than 500 people, HIPAA privacy regulations specify that, in addition to individual notifications, the incident must be reported and made public (See Breach Notification Rule). The US Department of Health & Human Services maintains a database of health data breaches affecting 500+ people - you can check to see if any of your providers are on the list. The Federal Trade Commission offers consumer advice on preventing or recovering from medical identity theft.

Besides individual consumers, employers, insurers and TPAs should be alert for health data fraud and should report any questionable activity. As entities with greater buying power than the average consumer, wholesale buyers can also help manage the risk by requiring adherence to security and privacy standards and having crisis plans in place as part of the RFP or buying process.

Rick Kam, president and co-founder of ID Experts, offers these security tips to healthcare organizations:

  • Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
  • Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
  • Conduct combined privacy and security compliance assessments annually
  • Update policies and procedures to include mobile devices and cloud
  • Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance


About this Entry

This page contains a single entry by Julie Ferguson published on December 11, 2012 11:28 AM.