November 5, 2012
To Catch a Thief
By David Yeager
For The Record
Vol. 24 No. 20 P. 10
Medical identity theft can be difficult to detect, but judicious planning and patient engagement can be effective deterrents.
Most people are familiar with identity theft, but medical identity theft is still flying under the radar. If current trends continue, however, it won’t be for long.
The World Privacy Forum estimates that between 250,000 and 500,000 people have been victims of medical identity theft. Meanwhile, the 2010 white paper “Cybercrime and the Healthcare Industry” by RSA, the security division of EMC, which deals with IT as a service, estimated that medical identity theft costs individuals an average of $20,000 per incident compared with $2,000 for financial identity theft.
Most experts agree that the incidence of medical identity theft is increasing, but because it’s hard to detect and an individual’s record can be used to submit multiple false claims, it’s extremely difficult to measure the monetary—and personal—cost.
Judging by the number and cost of data breaches—essentially unauthorized viewing of patient records—medical identity theft is likely costing the healthcare system billions of dollars each year. A 2011 Ponemon Institute study found that data breaches had increased 32% from the previous year, and 96% of hospitals reported at least one data breach in the previous two years. The study also found that the average cost of data breaches to healthcare organizations rose $183,526 between 2010 and 2011 to approximately $2.3 million. A 2010 Ponemon Institute study estimated that data breaches cost hospitals nearly $12 billion annually.
Unfortunately, the medical industry is far behind the curve when it comes to detecting and preventing identity theft. Although most, if not all, providers are aware of its potential consequences, few are prepared to deal with it. Less than one-half (47%) of the hospitals in the 2011 Ponemon study said they have sufficient policies to efficiently prevent or quickly detect unauthorized patient data access, loss, or theft.
Before medical providers can begin to curb medical identity theft, they need to know the forms it can take. Harry B. Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, director of HIM solutions for AHIMA, says it generally falls into one of four types, including one-off cases in which a person tries to obtain medical care using someone else’s medical insurance information. So-called Robin Hood cases, in which a person lets a relative or friend use their information, fall under this type. However, in some instances, the individual whose medical information is compromised may be unaware of the connivery.
Although this may seem like a benign crime, it can have catastrophic consequences for the person whose identity is used. Aside from the potential for unauthorized charges on their insurance, medical information is almost certain to be altered in a way that may have serious repercussions when the victim seeks medical care for himself or herself. For example, a nondiabetic may receive an insulin injection or a transfusion may be administered using the incorrect blood type.
In another type of medical identity theft, unauthorized medical information is used to obtain prescription drugs, particularly narcotics, that can then be used or sold. Frequently, the person who commits the fraud is someone the victim knows. The victim may then face an array of consequences, ranging from denial of necessary medication to criminal prosecution.
A more insidious type of medical identity theft is insider crime. Those with access to protected health information have the opportunity to submit false claims or even create their own accounts. This type of behavior is even more problematic in small organizations because a single person may have a great deal of control over medical records.
Perhaps the most difficult type of medical identity theft to detect is the kind that’s carried out by organized crime. These sophisticated, premeditated attacks are usually designed to make as much profit as possible without drawing attention to the perpetrators. For example, a south Florida crime ring trained young women as medical receptionists so they could cull medical information on vulnerable clientele, such as elderly patients with no family who showed signs of dementia or Alzheimer’s disease. The criminal receptionists copied the data and passed the information on to their “bosses.”
“They always made sure that all the claims were below the $10,000 mark so it wouldn’t be on the IRS’ radar because that’s what [the IRS looks] for as part of their audit,” Rhodes says. “These organized crime rings often opened up multiple checking accounts with banks in the community. They then would have accomplices who did nothing else but drive around to all the banks and cash all these claims checks. And they move very quickly. They come into your shop, and they work 90 to 120 days and then move on. And then, on top of that, they often move to another city or they sell your information to someone else.”
Once a person’s medical information has been compromised, it can be very difficult to set the record straight. The information can be sold multiple times and used to submit claims that are nearly impossible to trace. The system places the burden of clearing the record on the patient. Healthcare organizations may assume the victim is trying to avoid paying for legitimately rendered services. The bill will often be paid to keep creditors at bay while trying to resolve the claim, which can be extremely difficult and time consuming.
Detecting and preventing medical identity theft requires effort on multiple fronts. The most fundamental defense is to ensure that the person trying to obtain medical services is who he says he is. Paul Donfried, managing director of identity solutions for Verizon Enterprise Solutions, says the healthcare industry needs to move beyond user names and passwords for identity authentication.
“The harder we try to enforce strong passwords—aka, complexity rules, eight characters, an uppercase, a lowercase, a numeric, a special character, you’ve got to change it every 30 days, anything you change it to can’t be on the list of the last 15 things you used—the more we try to do that, the weaker we actually make the password ecosystem because we relegate people to writing passwords down or coming up with formulas by which they generate their passwords,” he says. “And the bottom line is we are so far beyond the day and age when we should be relying on user names and passwords that it’s scary.”
In security terms, authenticating a person’s identity comes down to three factors: something they know, something they have, and something they are. Donfried recommends that two of those factors be used for patient identification. Strong authentication needs to be intuitive, flexible, and minimally disruptive to users if it’s going to become a part of healthcare delivery. Increasingly, this is becoming possible through existing technology.
Companies are developing biometric technologies that, unlike in the past, do not require specialized equipment or new interfaces to function. Tasks such as voice recognition, facial recognition, and even retinal scans are becoming options on mobile phones and notebook computers. It’s also possible to use cell phones—something most patients have—as unique identifiers.
It’s simple to register a cell phone, Donfried says, adding that there are numerous techniques that can be used to verify identity. For example, a one-time password can be sent via text message or an interactive voice response call can be placed. When combined with a four-digit PIN, these technologies provide stronger and more flexible identity authentication.
While up-to-date technology is necessary, Bob Chaput, CISSP, CIPP/US, CHP, CHSS, CEO and founder of Clearwater Compliance, LLC, says a risk analysis should be the first order of business. Too often, he says, this HIPAA-mandated step—which should reveal an organization’s vulnerabilities—isn’t thoroughly considered by management teams.
Staff training also is important. It’s imperative to have clear data security policies, procedures in place so employees know exactly how they’re supposed to perform their duties, and support from the executive level. Chaput says employees need to know what to do when a patient arrives at the facility, how patient information should be handled, and what to do if they notice anything out of the ordinary. The human factor is perhaps the most overlooked component of a strong data security defense, he notes.
“You can have the greatest policies in the world and the greatest procedures in the world, but if you don’t have an engaged and supportive executive team, skilled compliance and/or privacy-security people, and a trained and aware workforce, you can be in trouble. That is the single biggest issue that organizations face,” Chaput says. “It’s not the spooky black hats who might attack your network; it’s really the internal workforce, some of which may be accidental and uninformed behavior, other of which can be malicious behavior.”
Employee morale is another concern. A happy employee is less likely to compromise medical information and be more cognizant of any potential transgressions. In addition, facilities should conduct background checks on new hires in case there are character issues that may be reason for concern.
With more facilities implementing EHRs, technology controls need to be strengthened. Antivirus and antimalware protection are essential; data should be encrypted. As mobile devices become a larger part of the healthcare data continuum, encryption will become even more important. However, facilities should not forget to keep paper records locked up as well.
Because smaller practices often use the Internet for data management, Rhodes says they should create a simple checklist to keep track of which employees have access to data, bank accounts, user names, passwords, assignment of benefit tools, and other sensitive information. Each time access to the Internet tools changes, the office manager should update the information. Rhodes recommends a checklist with employee names, their level of access, and history changes. When an employee resigns or is terminated, the office manager should retrieve the Internet user checklist from the employee’s file. The tool will be useful when canceling all Internet access for a former employee because the manager will not have to rely on memory to determine which Internet tools were assigned to which employee.
Along with managing the human aspects of data security, healthcare organizations can improve their chances of catching medical identity theft by studying their data. Unusual data patterns are often a tip-off that something is amiss. Rhodes says predictive data modeling similar to what the Centers for Medicare & Medicaid Services uses—which is based on a Verizon algorithm—to find Medicare fraud helps spot anomalies with the goal of detecting malfeasance before payments are made. Signs something fishy may be happening include multiple records for the same patient and multiple claims for the same type of treatment.
Rhodes also recommends using tools from the National Correct Coding Initiative. Because many people who commit medical identity theft don’t work in healthcare, they often submit claims that don’t follow coding rules. Trained medical editors who spot these unusual codes may be on the road to uncovering fraud.
In addition, medical facilities should work with their patients to combat misconduct. A consumer liaison can help facilities discover billing irregularities by pointing out bills that list services that were never received, contain incorrect providers, or misidentify the patient. However, many healthcare organizations fail to utilize this valuable information source.
“A lot of times the first person to discover [suspicious behavior] is the patient. They’ll get a bill for something that doesn’t make sense or they’ll see activity that doesn’t make sense. [Providers] need to have a processing place where a consumer can come to you and there is actually somebody there to receive them,” Rhodes says. “And you need to be sure not to make them feel small or bad or that they’ve used up your time. You need to make sure that they feel comfortable coming to you with any other concerns because it’ll help you catch medical identity theft.”
Patients should be encouraged to examine their explanation of benefits and immediately report unusual charges or significant reductions in lifetime benefit caps. The sooner medical identity theft is discovered, the better the chances of minimizing the damage. Although the crime can cause monetary and reputational damage to a healthcare organization, it has a much deeper and more lasting effect on patients.
“If someone steals your insurance ID card, they can go on for a long, long time [using your card],” Chaput says. “We just don’t have the same mechanisms in healthcare that we have in financial services. The alerts and the alarms and the triggers are just not there. And whereas I can cancel my credit card, I can’t cancel my medical records.”
— David Yeager is a freelance writer and editor based in Royersford, Pennsylvania.