By: Brian Lapidus, Senior Vice President of Kroll Fraud Solutions, www.krollfraudsolutions.com
Guest Blogger on Healthcare Blogmatica
The fact of the matter is that patients – and the law – demand that healthcare companies protect highly sensitive information from every possible threat. But in-house security options just can't keep pace with rapidly growing risks. After all, anti-virus software won't stop someone from taking medical records. A firewall can't help retrieve a stolen laptop. Below, I answer several questions that every healthcare organization should know the answers to.
Q: Why are healthcare organizations particularly vulnerable to data breaches?
A: There are several factors that make healthcare organizations particularly vulnerable to data breaches. Some of these factors include:
Sensitivity of data - The healthcare industry is responsible for maintaining its patients' most sensitive Personal Health Information. PHI is a treasure-trove for identity thieves.
Immense data flow (masses of data flowing in and out) - A primary reason healthcare data security breaches occur is that facilities do not know where all instances of their patients' sensitive or confidential information reside within the network. Moreover, the danger does not stop at the hospital perimeter, but extends to vendors that share or receive the data, as well as to employees' and contractors' laptop computers and other portable storage devices.
Portability/Usage of EPHI (Electronic Protected Health Information) storage devices - Improvements in technology and the portability of patient data come at a cost to security. Devices used to store and access PHI include laptops; home-based personal computers; Personal Digital Assistants (PDAs) and Smart Phones; USB Flash Drives and Memory Cards; floppy disks; CDs; DVDs; backup media; Email; Smart cards; and Remote Access; not to mention hotel, library or other public workstations and Wireless Access Points (WAPs).
Q: Who and/or what is at risk should a data breach occur? Are children, in particular, at risk? If so, why?
A: The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, if the Personal Identifying Information (PII) of a minor is at risk, it is impossible to place a "fraud alert" on his or her credit file to monitor and help protect the child from identity abuse. Many victims do not realize that their information was used until they apply for credit as an adult.
There are two different ways that an identity thief can use a minor's information. The first is "Minor ID Cloning," where a thief uses the minor's name and Social Security number in combination with a fraudulent address and date of birth to apply for credit. Once the credit bureau receives an application for credit, that begins the minor's credit history, and the child "becomes" the age of whatever information the thief supplied on the application for credit.
The second form of minor identity theft is "Minor ID Combining," where a thief uses the minor's Social Security number in combination with the thief's own name and date of birth.
The detection and repair of minor identity theft is a time-consuming and difficult process.
Q: What should healthcare organizations be doing to better protect the personal information of children and all patients?
A: Awareness of data-breach methods and of ways to thwart an attack is key to reducing exposure. Following are some simple steps to elevate awareness and establish a better defense:
Educate employees about appropriate handling and protection of sensitive data. Have sanctions in place for employees found not following proper guidelines. Both are HIPAA requirements.
Consistently enforce policies and procedures, physical safeguards, and IT security. All three are required by HIPAA.
Review and revise physical security practices as needed in both brick-and-mortar and virtual operations. Address all the critical areas, such as who can leave the office with patients' PHI, where sensitive data is stored and destroyed, who has access to sensitive data, and whether employees are required to surrender keys and badges upon leaving the company's employ.
Q: What are the top three things healthcare organizations can do to protect themselves pre-breach? Post-breach?
A: Designate a privacy official responsible for developing and implementing the organization's privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices, as required by the HIPAA Privacy Rule at 45 C.F.R. § 164.530(a).
Covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined to be necessary through the entity's business case(s), and then only where great rigor has been applied to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule. Covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at § 164.308(a)(4) and the HIPAA Privacy Rule at § 164.508. It is important that only those workforce members who have been trained and have proper authorization are granted access to EPHI.
Partner with a corporate breach and data security expert to map a breach response strategy and plan. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by a use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the HIPAA Privacy Rule (45 C.F.R. § 164.530(f)).
Have a relationship with a corporate breach and HIPAA data security expert so that any investigation can begin immediately and affected individuals will be notified in a timely manner. Collaborating with a company that can investigate, notify, and assist breached individuals goes a long way to avoid loss of brand integrity.
Detail who is in charge of any internal investigation, and who will speak to the police and media. Notify your corporate breach and data security expert partner that there is a security issue.
Maintain a good relationship with local, state, and federal law enforcement throughout the investigation. A positive report about a healthcare provider's cooperation with law enforcement goes a long way toward maintaining brand integrity.
Q: Describe a client in this industry who benefited from your service.
A: A healthcare provider lost backup tapes and disks which contained personal information of 365,000 patients. The personal information exposed included patients' names, physicians' names, addresses, dates of birth, patient financial information, insurance data, diagnoses, prescriptions, and in some instances, lab results. The tapes also contained personal information of deceased individuals and minors who had received treatment at the facility. Kroll was hired to notify these individuals of the loss of information and to provide licensed investigators to respond to and educate disturbed callers on how they could protect their personal information as well as that of minors and deceased loved ones. In addition to consultative services, the investigators provided assistance to individuals who had fallen victim to identity theft as a result of this incident, and helped these individuals regain their pre-theft identity status.
Q: What are the latest trends in security breaches at healthcare organizations?
A: I'll provide two examples that discuss two of the latest trends, one focusing on a healthcare payer and the other focusing on a healthcare provider.
A large commercial healthcare insurance company experienced a data breach as a result of a laptop being stolen from an employee's car. The employee did not follow the corporate policies for protecting member data, which resulted in exposing Personally Identifiable Information (PII) for 38,000 plan members. The information compromised included names, addresses, Social Security numbers and health-related data. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.
A hospital, while expanding its IT system, discovered there had been unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of patients, and of the parents or guardians who were listed as the main policy holders with the health insurance carrier. This personal information included names, addresses, Social Security numbers and patients' (minors') birth dates.
The second database contained personal financial information, including unencrypted bank account and routing numbers, pertaining to individuals who had donated to the hospital. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.
If you or your company would like to discuss a particular identity theft protection solution or issue, please visit www.krollfraudsolutions.com to get additional information or to contact a Kroll Fraud Solutions specialist.
Posted at 11:57 PM in HIPAA, Privacy, Regulations
Graphic Courtesy Bankrate.com
In terms of the risk to minors and identity theft, what is described above as "Minor ID Combining" has been labeled synthetic identity theft. Synthetic Identity Theft, as opposed to True Name Fraud, uses a piece of a consumer's identity but not the entire identity (True Name Fraud). Tracking the damages of Synthetic Identity Theft is difficult. Consumers may not discover they have become a victim by the usual route of ordering a credit report. Why? The credit bureaus produce what are called sub-files. The bureaus pretend that this does not occur, yet everyone knows that it does indeed occur. The sub-file is produced by querying all credit information connected to a Social Security Number (SSN) (but not necessarily a name). When a creditor requests a credit report based solely upon the SSN, all the information appears. When consumers request their own credit report, they must provide a full set of PII. The report that is produced using a full set of PII is of course more accurate due to better filtering. The consumer usually finds out about Synthetic Identity Theft due to a creditor running the SSN in a skip trace and contacting the consumer to verify an application (often in a similar or altogether different name) or to ask about a delinquency.
Children are particularly vulnerable to synthetic identity theft because their SSN is fresh. The sub-file will be produced (later leaving the fraudster looking like the consumer instead of the consumer who was issued the number), and the child or the child's parents will have no means to discover what is happening until the minor attains legal status and requests credit for the first time.
The bureaus could cease being a contributor to fraud by requiring the same PII inputs from businesses as they do from the consumer or, vice versa, by allowing the consumer to request a credit report with only an SSN. Given the peril of the latter suggestion (fraud and privacy issues), the bureaus should require a complete set of PII for any credit report request. If the name, address, and SSN do not match the application, the creditor should decline the request for credit. So much for easy credit, huh?
Graphic Courtesy McMaster University
In re: medical ID Theft
The rights that a consumer has under HIPAA include:
- The right to access your medical records
- The right to ask for amendment of your medical records
- The right to have your request for amendment added to the records, and
- The right to have an accounting (or history) of disclosures.
All covered entities must post these rights on site and make them available to the consumer.
The World Privacy Forum studied medical identity theft in depth and published their research along with suggested policy changes in 2006.
More of the WPF's work can be found here.
Other resources include:
Privacy Rights Clearinghouse
Health Privacy Project
HIPAA FAQs from the US HHS Department