No industry is exempt from data breaches that lead to widespread fraud. However, the healthcare industry faces unique challenges since it is not always easy to determine the impact of the breach on patients as well as the healthcare organizations that serve them. The problem starts with isolating where the hack originated in the first place. With so many organizations having access to patient demographic and insurance data, this can be the most time-consuming aspect of the entire fraud investigation process.
Healthcare: A Unique Form of Identity Theft
Most patients are aware that their healthcare provider and their insurance company have access to their personal medical data. Providers need the information to diagnose and treat the patient while insurers require it to pay the patient’s claims. What many fail to realize is that a large number of third-party organizations could have access to the data as well. Pharmacies, medical equipment providers, home healthcare organizations, and supplemental insurance providers are just some examples of companies with access to patient data.
The problem in healthcare is that a cybercriminal intent on stealing the medical data of another person can piece it together from a variety of sources that the victim of identity theft does not even know exist. Some in the healthcare IT industry refer to this as synthetic identity theft. By taking small pieces of information obtained from a healthcare report and combining them with information stolen elsewhere, hackers can easily scam the healthcare system. In fact, the problem is so widespread that millions of cases of fraud take place every quarter.
What Healthcare Providers Can Do
No healthcare administrator likes to admit that a security breach took place on their watch. It may look to them like hackers gained access to private patient data and then did not use it. Unfortunately, that is rarely the case. Healthcare fraud differs from financial fraud, where most criminals go on to use stolen credit, debit, and other banking information right away. With healthcare fraud, they need more time to piece together a forged identity before they start inflicting real damage. The CEOs of healthcare organizations are often too quick to claim that no one used the stolen information in a nefarious manner.
Obviously, it is better for healthcare IT departments to be proactive rather than reactive. This starts with knowing every location of a patient’s healthcare data. For example, a single patient could have an electronic medical record, a paper medical record, new test results not yet transferred to the medical record, and old information stored in boxes or machines that have not been used in years. To prevent medical fraud, healthcare providers must make it a priority to know the locations of all data about a patient and take adequate steps to protect it.
Sometimes health organizations are unaware a breach has taken place until a patient complains that someone used their information to obtain numerous prescriptions or to commit insurance fraud. Once alerted to it, they need to take immediate action to stop the current fraud and prevent it from happening again. This includes measures such as strong encryption of medical records and guarded access to paper records.
Besides a lack of inventory, part of the problem is the current patchwork approach to healthcare privacy laws. Organizations should push the federal and state governments to create uniform standards for improved patient protection.
How to Help Patients Protect Personal Health Data
Healthcare providers must work hard to gain patients’ trust in the current climate. One way they can facilitate this relationship is to provide patients with reminders about safeguarding their own information. Here are some typical examples:
- Request a new medical card with a different identification number if the original has been lost or stolen
- Submit a police report after the theft of a wallet or purse
- Report any information on the explanation of benefits forms that appears suspicious, such as services the patient does not remember receiving
- Check medical records at least once a year to ensure accuracy
- Always have the most current copy of medical records available
Providers should also consider publishing an annual notice to members outlining their privacy policy and the steps they take to prevent theft of patient data. Holding open meetings and taking questions from patients is another way to assure them that the organization is serious about protecting them from identity theft in a healthcare setting.