data sharing increases risk of medical identity theft ·...

Post on 14-Jul-2020


26 AE Fall 2012

Running the Practice Information Technology

Data Sharing Increases Risk of Medical Identity Theft

Joanne M. Lozar Glenn

As medicine moves toward digitizing health information, security of electronic health records is increasingly being viewed as a substantial risk. Security is an issue not just because of privacy laws but also because, as Katherine Rourke writes in a recent article, “Data shared widely is data exposed, unless you’ve got some great solutions in place.” The 2011 Threat Report from Symantec noted that the healthcare industry is the most-often monitored industry for security violations. Yet healthcare organizations spend less than the industry average on security measures (Keene, 2012).

One of the key issues is training: It needs to be thorough. It should include not only HIPAA compliance issues, but also information about how security breaches are occurring and what providers can do to prevent a particularly troubling kind of security breach: medical identity theft (sometimes called insurance identity theft).

What and how

The Federal Trade Commission (FTC) defines medical identity theft as “someone using another person’s name or insurance information to get medical treatment, prescription drugs, or surgery” or when office staff use patient information to submit falsified claim information. Physicians, however, have also been victims of identity theft, according to the Centers for Medicare and Medicaid Services (CMS). It happens when the physician’s unique medical identifier number (tax ID number, licensure information, etc.) is used to collect fees for services the physician never provided.

According to Peter Budetti, MD, JD, CMS Deputy Administrator for Program Integrity, this kind of fraud can increase financial liabilities for physicians. They might have to pay taxes on earnings that were not received, or repay insurance companies for benefits paid for services not provided.

The increasing popularity of mobile computing, particularly the introduction of apps to the healthcare market, raises yet another potential security threat. The threat isn’t coming from hackers. It’s coming from unauthorized access to health information due to theft or loss of laptops, computers, tablets, and smartphones.

Ounces of prevention

Rules that would “unlock the benefits of EMRs while protecting Americans from security risks” are underway. The HIPAA Security Rule, for example, established national standards for protecting personal health information and requires that administrative, physical, and technical safeguards be put in place by healthcare entities. According to an article in Information Week Healthcare, “Healthcare IT pros will be required to implement systems and business processes that conform to these regulations, or face lost funding, institutional fines—and, in some cases, personal criminal penalties.”

EMR-certified systems meet government-established standards for access control, emergency access, automatic logoff, encryption, audit, data integrity, and authentication. However, according to the National Institute of Standards and Technology, which established tools and standards to support IT-certified programs, using a certified EHR system in and of itself does not guarantee compliance with the HIPAA security rule. All other systems used in the practice must also be secured and compliant as well. The HITECH Act, of course, requires that a security analysis be performed each year (Jones, 2012).

Aside from conducting an annual security analysis, security experts recommend that practices using EHR and electronic file sharing, particularly with mobile devices, should put security measures such as the following in place.

General. CMS’ Budetti recommends seven steps for preventing medical identity theft:

1. Keep all medical records up to date.
2. Review billing notices carefully.
3. Protect medical information by giving it only to trusted sources.
4. Train staff.
5. Educate patients.
6. Report suspected abuses.
7. Protect prescription pads (Budetti, 2012).

Technology-specific. The Department of Health and Human Services (HHS) and other organizations concerned about maintaining the security of health information records recommend taking the following actions:

• Inventory all electronic data devices, including serial numbers and other identifying information.

• Write policies for how devices are to be kept secure, for example, strict sign-out policies after pulling up patient files, locking rooms or desks where computing devices are stored, and use of encryption, secure passwords, and mobile device locking technologies.

• Use up-to-date antivirus software and strong firewalls.

• Have functioning, regularly checked, data backup systems.

• Plan for the unexpected by having an electronic disaster management and recovery plan (look for more on this in the Spring 2013 issue of Administrative Eyecare).

• Frequently monitor not only the devices you are using to store and share health information but also the security policies you have in place to ensure they are in keeping with evolving threats.

• Create a security-conscious culture at your workplace.

Patient-specific. The American Health Information Management Association (AHIMA) offers a list of tips that you can share with patients to raise their awareness about medical identity theft and keep their medical records safe. AHIMA also offers a checklist on how to respond to medical identity theft incidents (see references). In addition, the Identity Theft Resource Center (identitytheftresourcecenter.com) offers assistance to identity theft victims at no charge, and education/consulting to consumers, corporations, and government agencies on best practices for fraud and identity theft detection, reduction, and mitigation.

References

AHIMA. (N.d.). Avoiding medical identity theft. American Health Information Management Association. Available from www.myphr.com/Privacy/medical_identity_theft.aspx

Budetti, P. (2012, April 4). 7 ways to protect yourself from medical identity theft. CMS blog. Available from blog.cms.gov/2012/04/04/7-ways-to-protect-yourself-from-medical-identity-theft/

Bureau of Consumer Protection. (2011, January). Medical identity theft: FAQs for Health Care Providers and Health Plans. Available from tinyurl.com/c49pchr

HHS. (2010, November). Cybersecurity: 10 best practices for the small healthcare environment. U.S. Department of Health and Human Services. Available at healthit.hhs.gov/pdf/cybersecurity/Basic-Security-for-the-Small-Healthcare-Practice-Checklists.pdf

HHS. (N.d.). The security rule. Health Information Privacy. Available at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

Jones, E. (2012, May 9). ONC issues meaningful use guide for privacy and security attestation compliance. HIPAA.com. Available at www.hipaa.com/2012/05/onc-issues-meaningful-use-guide-for-privacy-security-attestation-compliance/

Keene, C. (2012, Feb. 23). HIMSS: EHR, mobile use catapult security threats. Healthcare IT Digital Community. Available from www.auntminnie.com/index.aspx?sec=sup&sub=ris&pag=dis&ItemID=98428

Rourke, K. (2012, June 13). Are we ready for ACOs? EMR and HIPAA. Available from www.emrandhipaa.com/category/emr-security/

Wagner, M. (2009, Dec. 5). Can electronic medical records be secured? Information Week Healthcare. Available from tinyurl.com/d3voc5p

Better password technology

Hackers have compromised passwords at Citibank, Yahoo, LinkedIn, and numerous other websites. The advice is standard: Have a different password for every site and every computer. But the advice is ignored: Most people can’t remember all these passwords, and if they’re written down somewhere (on paper or in a computer address book, for instance) they’re hardly secure.

Some computer experts (Farhad Manjoo, tech writer for Slate and The Washington Post, for example) suggest choosing a favorite phrase only you know and using the first letter of each word in the phrase, with some significant numbers thrown in, to make a gobbledygook password that is hard to crack. Yet even these are not failsafe, according to a recent blog post on dailykos.com.

New technology like fingerprint scanners offers some reassurance, but if your equipment is not there yet, you might explore some of the new password-protecting software companies that will encrypt your password automatically. Blogger “Element 61” on Daily Kos recommends LastPass, KeePass, and 1Password. Check them out on your favorite search engine.

Sources: Daily Kos (How to avoid writing passwords [tinyurl.com/cyql43e]) and Slate (Fix your terrible insecure passwords in one minute [tinyurl.com/7w7d874])


Joanne Lozar Glenn (703-721-2088, AEeditor@asoa.org) is managing editor of Administrative Eyecare and AE eZine.
