Posts Tagged ‘HIPAA’

Storm Clouds Ahead: Hackers, Healthcare Data & Medical ID Theft

Tuesday, December 11th, 2012

If you think you are having a bad day, consider the healthcare providers and patients of the Miami Family Medical Center in Australia, all of whom have been locked out of their medical records. Thousands of patient medical histories, prescriptions, lab test results and health records have been breached, hijacked and encrypted, and are being held for ransom by Russian hackers.
This is not an isolated incident by any means. Earlier this year, a small Illinois medical practice was similarly breached, with health records stolen, encrypted and held for ransom. Extortionists also struck Express Scripts a few years ago, threatening to expose more than 700,000 records.
Not all health data breaches are the result of hackers. In fact, hackers may be the tip of the iceberg. The less dramatic day-to-day threat of unsecured mobile devices, lost laptops, and disgruntled or dishonest employees likely accounts for the lion’s share of breaches, at least at present. Such problems are hardly unique to healthcare. Employees bringing their own mobile devices into the workplace is a common issue, dubbed “bring your own device,” or BYOD for short; security experts quip that it really stands for “bring your own danger.”
Medical ID Theft
While ransom may not be a particularly successful criminal strategy, the real paydirt might be in medical identity theft. With the high cost of medical care and a proliferation of opioid abuse, medical IDs are increasingly valuable. Thieves can hijack medical identities and health data to file insurance claims or to obtain medical treatment, prescription drugs and even surgery. On a broader scale, fraud operations can use stolen medical data to submit false bills to insurers. To add insult to injury, treatment obtained under a stolen identity may be added to the victim’s own record without their knowledge, introducing inaccuracies (a wrong diagnosis, allergy or medication history) that can be dangerous at the next real visit.
People are aware that they could be a victim of financial fraud – medical fraud, not so much. A study by Nationwide Insurance revealed that most people are unaware of the risk of medical ID theft. While people are in the habit of checking financial accounts somewhat regularly, that is often not the case with medical records.
Expect growing risk for health data
Experts say that we can expect to see more healthcare breaches ahead, particularly as more records are digitized. A recently released study on patient data security by the Ponemon Institute and ID Experts reports:

Ninety-four percent of healthcare organizations surveyed suffered at least one data breach; 45 percent of organizations experienced more than five data breaches during the past two years. Data breaches are an ongoing operational risk that could be costing the U.S. healthcare industry an average of $7 billion annually. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients’ protected health information.

The report paints a picture of an industry that is woefully unprepared to deal with the burgeoning threat. Most organizations surveyed said that they have insufficient resources to prevent and detect data breaches.
For breaches of unsecured protected health information affecting 500 or more individuals, the HIPAA Breach Notification Rule requires that, in addition to notifying the affected individuals, the covered entity report the incident to the US Department of Health & Human Services and notify prominent media outlets in the affected area, so the breach becomes public (see Breach Notification Rule). HHS maintains a public database of breaches affecting 500 or more individuals, so you can check whether any of your providers are on the list. The Federal Trade Commission offers consumer advice on preventing and recovering from medical identity theft.
Besides individual consumers, employers, insurers and third-party administrators (TPAs) should be alert for health data fraud and should report any questionable activity. As entities with greater buying power than the average consumer, wholesale buyers can also help manage the risk by requiring adherence to security and privacy standards, and by requiring that vendors have incident response plans in place, as part of the RFP or buying process.
Rick Kam, president and co-founder of ID Experts, offers these security tips to healthcare organizations:

  • Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
  • Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
  • Conduct combined privacy and security compliance assessments annually
  • Update policies and procedures to include mobile devices and cloud
  • Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance

New year’s news roundup from fellow ‘blogs

Sunday, January 4th, 2004

PA Judge Robert Vonada of PAWC points to an article in the New York Times about two different treatment options for back pain and the methods hardware manufacturers use to market their products to doctors and hospitals. Would you be surprised to learn that the more expensive treatment is prevalent, despite lack of evidence that it is more effective? We weren’t.

Confined Space has a scathing indictment of OSHA for its abandonment of a workplace TB standard and the public health ramifications that this might have in the era of SARS which requires similar precautions.

The Employers’ Lawyer informs us that the 2000 Census data has recently been released, and also reports on a court judgment involving a police officer who was discharged for no longer being able to fulfill his job requirements, and the disability/ADA implications.

The HIPAA Blog has some advice for physicians on strategies for ensuring that medical privacy programs are in good working order.

A story posted on the Harvard Law School blog leads to an article on the University’s experience with building a community of 350+ webloggers among students and faculty.

HIPAA Blog added to sidebar

Tuesday, December 16th, 2003

Workers’ compensation, insurance, workplace health & safety and HR weblogs are few and far between, so we were delighted to chance upon the HIPAA Blog. This is a weblog that bills itself as “a discussion of medical privacy issues buried in political arcana.” Besides frequent news updates, it has an impressive list of links to HIPAA-related resources. (For the uninitiated, HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.)