The use of electronic medical records (EMR) has become the norm. Medical records have been catapulted into electronic form and into the cloud by the advent of cloud computing, distributed data, and the Affordable Care Act requirement.
The Electronic Medical Identity Theft Threat
The Affordable Care Act made it a requirement for medical records to go electronic in hopes of reducing paperwork, minimizing administrative work related to paper records, reducing costs, decreasing the number of errors, and improving care.
With this electronization of private medical data comes increased risk. These security issues may put that paperless data at risk of theft or fraud. The U.S. Department of Health and Human Services estimated that in 2006, there were 250,000 victims of medical fraud. In 2013, the Ponemon Institute followed up with findings of 1.84 million victims in 2013.
The security threat is real and it is growing. Cybercriminals aren’t the only culprits. There is also an issue of people “sharing” their medical information with someone they are trying to help. A 2013 Ponemon Institute study found 47% of medical identify theft victims knowingly shared their information with someone they know, which resulted in the fraud.
Unlike a stolen credit card number, private medical data can’t simply be changed once it’s stolen or “borrowed.” In the case of medical care, the costs of stolen medical identities can be very high. The Ponemon study found an average cost of $18,660 for the victims who had to pay out-of-pocket for the fraud. 36% of victims were in this category of personally paying the damages. The total cost in the U.S. was estimated at a shocking $12.3 billion annually.
Protecting Medical Identities
The U.S. government does have policies in place to support privacy and security during the transition to paperless medical data. The most significant is HIPAA, the Health Insurance Portability and Accountability Act. HIPAA deals with the privacy of the data, but also lays out guidelines for the protection of the data.
The following are tips to help prevent medical identify theft:
- Do careful background checks on employees before hiring them
- Only give an employee access to the data that he/she needs
- Train employees on what to do and what not to do
- Put policies and monitoring in place to track access
- Assign a fraud officer to keep up-to-date on medical fraud issues
- Use fraud detection software to flag suspicious activity
- Put a plan together in case of fraud with a mechanism to address it internally and with the affected patient
- Provide access to computers, tablets, and mobile devices only to those people that need access
- Secure the devices with passwords, encryption, and remote wipe capabilities in case of loss or theft
- Put a policy in place for regular changing of passwords
- Make sure any device with private data is not publicly viewable
- Encrypt patient data stored in a private or public cloud with strong encryption and a key management policy
- All vendors that “touch” the data need to comply with HIPAA rules
Transitioning successfully
While the transition is faster than some doctors would like it to be, it is still possible to make the transition a successful one. There are vendors and security experts that work with doctors and hospitals to transition their procedures, provide training, technology solutions, and support. When done properly, electronic records should be able to reduce the number of medical theft and fraud cases.
