Oncology practices should protect themselves from the danger of having their IT systems hacked by having a risk analysis done to identify potential access and compromise points, says Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance (MIFA). The alliance was formed three years ago when its originators realized that medical ID fraud was growing rapidly and had the potential to become a huge problem.
A study by the Ponemon Institute indicates that the number of US victims of medical ID theft increased 21.7% just from 2013 to 2014, reaching a total of 2.3 million people.[1]
Figures like that indicate that practices need to be aggressive about protecting themselves from data theft, Patterson says. “You need to do a risk analysis, no matter how large or small you are. The data losses aren’t just caused by data hackers. The lost or stolen laptop is high on the list.”
Inadvertent employee actions also are responsible for data losses, such as when a staff member unsuspectingly opens up some malware on an office computer. Practices need to develop clear policies about the use of outside Wi-Fi networks and whether to allow employees to connect personal devices to office-based systems. The degree of security declines when employees take sensitive material home with them on their laptops or when they hook up to public Wi-Fi systems, Patterson says. In addition, “everybody from the front desk registration person to the physician oftentimes may have the same level of access, which may be inappropriate. Your risk analysis would ask the question, ‘Does all of that data need to be exposed?’”
Figure 1: Medical Identity Theft Base Rates Over Five Years (base rates are calculated from sample evidence). Source: Medical Identity Fraud Alliance.
Huge data breaches in just the last few years have affected millions of US healthcare consumers. Early last year, health insurer Anthem reported that unauthorized persons had gained access to 78.8 million patient records in what was one of the largest incidents of its type. Closer to home, 21st Century Oncology announced earlier this year that it was cooperating with an FBI investigation into the hacking of 2.2 million patient records from the chain of 183 treatment centers it operates in the United States and Latin America.
As Patterson and other data security experts tell it, thieves have discovered that medical IDs have far greater value to them than credit card data, for various reasons. Whereas credit card accounts can be tracked moment-to-moment and shut down in an instant, medical records are permanent. They contain information that can be exploited time and again—such as Social Security numbers—and no solid consumer protection laws exist that assign liability for losses or mandate that providers take responsibility. Further, the lack of interconnectivity between medical databases means that individuals in distant communities can impersonate insured victims and obtain services for weeks and months before the fraud is noticed. A credit warning or a depleted-benefits notice may be the first sign a victim has that something is amiss. These advantages lead thieves to assign much higher values to medical identities: whereas a Social Security number sold on the black market can fetch $1, full medical information about an individual can bring as much as $50, according to Patterson.
Independent practices are not generally as aware of the dangers of medical ID theft as they should be, data security experts say. Also, practices may not have the budgets for IT staff and services that a hospital or other large health system would have. “There definitely is more of a challenge, in terms of trying to juggle their resources, to have full-scale information security practices in place,” Patterson says. On the other hand, independent practices, with their smaller collections of patient data, have the advantage of being less attractive targets for thieves. “They’re going to go for the largest, biggest bang for their buck. Certainly, hacking into the servers at a hospital is going to yield much more content.” That said, growing interoperability will make smaller practices increasingly vulnerable when systems are compromised at larger institutions with which they do business, such as payors, hospital networks, and research centers.