Protect Against Rising Medical Data Fraud

Ann Patterson

Oncology practices should protect themselves from the danger of having their IT systems hacked by having a risk analysis done to identify potential access and compromise points, says Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance (MIFA). The alliance was formed three years ago when its originators realized that medical ID fraud was growing rapidly and had the potential to become a huge problem.

A study by the Ponemon Institute indicates that the number of US victims of medical ID theft increased 21.7% just from 2013 to 2014, reaching a total of 2.3 million people.¹ Figures like that indicate that practices need to be aggressive about protecting themselves from data theft, Patterson says. “You need to do a risk analysis, no matter how large or small you are. The data losses aren’t just caused by data hackers. The lost or stolen laptop is high on the list.”

Inadvertent employee actions also are responsible for data losses, such as when a staff member unsuspectingly opens up some malware on an office computer. Practices need to develop clear policies about the use of outside Wi-Fi networks and whether to allow employees to connect personal devices to office-based systems. The degree of security declines when employees take sensitive material home with them on their laptops or when they hook up to public Wi-Fi systems, Patterson says. In addition, “everybody from the front desk registration person to the physician oftentimes may have the same level of access, which may be inappropriate. Your risk analysis would ask the question, ‘Does all of that data need to be exposed?’”

Figure 1: Medical Identity Theft Base Rates Over Five Years Base Rates are Calculated from Sample Evidence

Source: Medical Identity Fraud Alliance

Huge data breaches in just the last few years have affected millions of US healthcare consumers. Early last year, health insurer Anthem reported that unauthorized persons had gained access to 78.8 million patient records in what was one of the largest incidents of its type. Closer to home, 21st Century Oncology announced earlier this year that it was cooperating with an FBI investigation into the hacking of 2.2 million patient records from the chain of 183 treatment centers it operates in the United States and Latin America.

As Patterson and other data security experts tell it, thieves have discovered that medical IDs have far greater value to them than credit card data, for various reasons. Whereas credit card accounts can be tracked moment-to-moment and shut down in an instant, medical records are permanent. They contain information that can be exploited time and again—such as Social Security numbers—and no solid consumer protection laws exist that assign liability for losses or mandate that providers take responsibility. Further, the lack of interconnectivity between medical databases means that individuals in distant communities can impersonate insured victims and obtain services for weeks and months before fraud is noticed. A credit warning or depleted benefits notice may be the first sign a victim has that something is amiss. For thieves, these advantages have caused them to assign much higher values to medical identities. Whereas a Social Security number sold on the black market can fetch $1, full medical information about an individual can bring as much as $50, according to Patterson.

Independent practices are not generally as aware of the dangers of medical ID theft as they should be, data security experts say. Also, practices may not have the budgets for IT staff and services that a hospital or other large health system would have. “There definitely is more of a challenge, in terms of trying to juggle their resources, to have full-scale information security practices in place,” Patterson said. On the other hand, independent practices, with their smaller collections of patient data, have the advantage of being less favorable targets for thieves. “They’re going to go for the largest, biggest bang for their buck. Certainly, hacking into the servers at a hospital is going to yield much more content.” That said, growing interoperability will make smaller practices increasingly vulnerable when systems are compromised at larger institutions with whom they do business, such as payors, hospital networks, and research centers.

Healthcare workers have differing opinions on how concerned they should be about the potential for data loss. Edward Garon, MD, a medical oncologist at UCLA, said he believes data hacking is more of a systems-level problem than something individual practitioners need to be concerned about. On the other hand, Elta Davoudi, a registrar in charge of cancer data management at Torrance Medical Center in California, believes that there should be a way to filter out nonessential financial information, such as Social Security numbers, so that patient vulnerability is reduced when records are transferred. “These are not things we need as clinicians,” she said. Davoudi believes that the ability to share information among institutions should be preserved because it’s essential to the practice of medicine. “Today, we benefit more from sharing information than from trying to hide it,” she says.

Figure 2: Why Was Your Medical Identity Stolen? More than One Response Permitted

Source: Medical Identity Fraud Alliance

Patterson believes the medical community’s preference for having information widely available is going to lead to larger problems. She notes that the trend toward aggregating patient data so that it can be “mined” for information on drug effectiveness and safety runs counter to the interests of security. “How much access to patient data do we need in order to deliver top-quality care?” she asks. “If a bad guy knows there’s a large pool of data available, it’s a little more tempting to try to steal than little pieces of segregated data. Having it segregated makes it a little harder to get the job of healthcare done, and I think that one of the reasons healthcare struggles with this is because the primary goal of healthcare isn’t to protect patient data—it’s to deliver healthcare, as opposed to the primary goal of financial services being to protect our money and to keep our money secure so that the economy keeps running.”

Patterson says there is a direct correlation between passage of the Health Information Technology for Economic and Clinical Health Act, which was passed in 2009 to stimulate use of electronic health records (EHRs), and the rise in medical identity theft. Michelle De Mooy, acting director of the Privacy & Data Project for the Center for Democracy & Technology, agrees. EHRs have increased practice exposure to electronic theft while placing heavy stresses on practices that are trying to comply with medical reforms imposed by CMS, De Mooy says. “I think practices are so focused on adopting EHRs that the security aspect tends to fall by the wayside.” Part of the reason practices aren’t paying enough attention to cybersecurity is because it costs money, “and depending on the size of the provider, they don’t have a lot of money lying around to do this,” she says.

There are affordable ways to address the problem, however. De Mooy recommends that training employees in proper data handling is one of the cheapest and most effective solutions. Mapping your network to know who is using the information and where that information is going every day is another wise choice of action. “I think it would be useful for a lot of administrators and other people in providers’ offices to see just how broad that network can become. It’s not easy or quick, but by systematically checking off where the security vulnerabilities are, you can do your best to mitigate them.”

Figure 3: How Did You Learn About the Medical Identity Theft? More than One Response Permitted

Source: Medical Identity Fraud Alliance

Switching computers off or logging out after use is recommended, and practices should make sure that software is up-to-date and secure,” De Mooy says. Monitoring services are available to help providers recognize when there’s a threat or an attack, as are technologies that back up records so practices are not idled in the event of a ransom-ware attack, where data is essentially held hostage for a fee.

Finally, practices should make sure that vendors and other business entities have appropriate security protocols. “Practices should tell that third-party vendor that if they want to do business, they’ll need to get a third-party assessment of their security and produce that certification for inspection. That’s how to patch some of the vulnerabilities in the system,” De Mooy says.

Dan Lodder, vice president and general manager of technological solutions for McKesson Specialty Health, works with numerous independent oncology practices providing IT products and support. He has observed that practices are, in general, very concerned about protecting themselves and their patients from unauthorized data intrusion and use. McKesson uses a cloud-based storage system that Lodder believes affords a higher level of security than many individual practices could achieve on their own. The system allows for regular updates to software products and avoids the need for practices to spend time doing lengthy installments that may be done infrequently, if at all. McKesson guarantees the security of its own products and supports practices financially for any losses.

Whereas Lodder is an advocate for cloud-based systems and the security they provide, Patterson says aggregated data systems should be considered on a case-by-case basis. “The cloud gives you the group economies of scale that you might not get when you’re trying to do everything in-house. Obviously, there are huge benefits, but what we do understand is that there are varying degrees of cloud security. There’s a lot of cloud services, but they’re not all equal. Small practices that might want to take advantage of them for economic reasons should certainly do their due diligence.” Such a pre-flight check should include making certain that a practice’s written business agreements with a cloud vendor reflect any promises and expectations, she says.

The financial industry has the Fair Credit Billing Act to protect consumers, but there are no consumer protection laws that put a solid wall between patients and healthcare fraud. The losses that patients are exposed to could be very deep and prolonged. For that reason, consumer advocates seek vast reforms in the way medical ID theft is handled. They want providers to work harder to keep patient information safe, they want interoperability between data storage systems so that illicit data use can be recognized quickly, and they want the CMS Medical Loss Ratio (MLR)—which mandates minimum levels of payor healthcare spending—amended so that payors invest more in anti-fraud programs.

The MLR was designed to prevent overspending on administrative salaries and expenses. “The flip side of that really good law is that the fraud got lumped into the administrative category, so on the payor side, the plans are really hampered. They can’t just go out and buy the latest fraud software,” says Patterson. The MIFA contends that allowing anti-fraud expense to be classified as health spending rather than administrative would free up dollars for patient record protection. Such a switch could be justified by the fact that many patients who’ve suffered losses from identity fraud tend to fare worse on the health scale, Patterson said. “Our studies show that about 20% of medical ID theft victims experience some negative health outcome due to their record being erroneous.”