Healthcare Technology Featured Article

August 24, 2016

How to Identify and Take Action Against Medical Theft

Identity theft comes in many forms, and one of the most overlooked is medical theft. While most people associate identity theft with credit card fraud, medical theft has been quietly increasing every year, including a 22 percent spike from 2014 to 2015.

Medical theft involves the falsifying of individually identifiable health information to gain access to property or services. In other words, a perpetrator uses a victim’s personally identifiable information (PII) to create fictitious medical records and then leverages those records for personal gain.

Preventing the theft of medical records will go a long way toward reducing instances of identity theft. And stopping medical theft will begin with a deeper understanding of how.

The Fight Against Medical Theft

Healthcare information is passed through a number of hands. From the patient to the provider to the insurance company and back again, everything needed to commit identity theft is frequently airborne. Once it reaches a resting place — be it with public health records, law enforcement agencies or research facilities — medical information is left vulnerable to prying eyes thanks to often shaky safekeeping.

There are many ways medical theft can be carried out, but each can be placed into one of three categories.

  1. Insider Mistakes. With so many employees handling data, it’s inevitable that carelessness will surface. Sensitive data will be emailed unencrypted or personal information will be saved to a portable device, which is then lost. The mismanagement of medical information opens up many doors for medical theft to happen. 
  2. Insider Maliciousness. Medical theft is sometimes the result of a true inside job. It could be a disgruntled employee or one who has been bribed by an outside agency. Purposefully leaking sensitive data can be carried out for revenge or personal financial gain.
  3. Outside Attack. Even with careful employees who carry no malicious intent, outside adversaries can still get their hands on what they want by hacking into systems and servers.

Stopping Medical Theft

Warding off medical theft is a fight-fire-with-fire approach. The crime is carried out with the help of technology, and it’s technology that will also hopefully one day wipe it out. Until then, the arms race continues.

As we march forward, there are five basic things that every healthcare provider, insurer or other handler of sensitive information can do to ward off medical theft.


HIPAA compliance

It’s so painfully obvious and yet so painfully true: abiding by HIPAA standards will significantly reduce the threat of medical theft. And with so many management software platforms available that make it easy to remain HIPAA compliant, there really is no excuse anymore.

Secure data centers

Out of sight, out of mind is an easy mindset to adopt when your files are tucked away in the cloud. But many handlers of healthcare information don’t realize how tangible the cloud actually is.

Cloud servers still rely on physical data centers. Those servers are subject to the same storms, viruses, short circuits and burglars as any other hard drive or physical storage system, although they are generally protected by far better security protocols than most independent servers. Handlers of PII and other healthcare information should know the physical security and backup protocols that apply to their cloud data. And if those data centers don’t measure up to SSAE Type II accreditation or ISO 27001 certification, it’s time for an upgrade.

Email use

Email is a fantastic way of sending messages to patients and colleagues. But it is a terrible way of sending PII. Despite being against HIPAA protocol, many in the healthcare industry still do it.

In terms of sensitive material, email should only be used to send a link to encrypted data that can only be opened by the email recipient. Which brings us to the next point of discussion - encryption.


Encryption

It’s not enough for data to be encrypted only during transfer. Files are just as vulnerable at rest and should be given the same protection. And encryption protocols for data at rest should reach the level of AES 256-bit encryption.

Password protection

A study conducted by TeleSign revealed that 40 percent of people reported having a password stolen within one year’s time. The same study disclosed that 73 percent of online accounts are protected by a duplicated password.

The combination of those two things sets up companies for the domino effect: one password is hacked and then that same password is used to unlock all sorts of doors.

To adapt, companies must expand password configuration to include expirations, complexity controls and more.

Companies have a number of self-defense weapons at their disposal but the most effective angle of attack is simply being proactive. Businesses must not just invest in these measures but also buy into them from a strategic sense.

About the Author:

Adrian Phillips (@adrianpphillips) leads product marketing for Citrix ShareFile for Healthcare. With a diverse career dating back to the dot-boom era, his passion is helping customers transform the way they work by using cloud-based technologies. Striving to live a paperless life in Raleigh, N.C., Adrian holds a bachelor’s degree in journalism.

Edited by Alicia Young
By Special Guest
Adrian Phillips, Product Marketer, Citrix ShareFile for Healthcare
