Monday, May 19, 2008

Hospitals underrate malicious intent in data breaches

Hospitals, medical clinics, and other health-related groups face a much higher risk from identity theft and record theft than financial businesses do. Why? For openers, a medical record contains so much information that it can easily be converted into a fake identity. Medical records are a hot commodity among data thieves. Most obviously, they can be used to receive medical care. They can also be used to file false insurance claims. Stolen medical records can enable someone with a terminal or social disease to obtain employment. Medical records can be sold on the market many times over to identity marketeers, potentially at hundreds of dollars per sale. All of these and other types of misuse of medical records can wreak havoc on a person's good name for years.

End users can run the gamut from drug addicts, insurance fraud thieves, and illegal aliens to persons who for any number of reasons cannot get health insurance. HIPAA compliance is only a starting point when it comes to records safety. All medical and health-related organizations must adopt a holistic approach of training combined with a more comprehensive data protection policy. It is not enough for staff to know what to do, step by rote step, in securing medical records. If they can see how it might affect their own lives to be a victim, it is easier for them to relate to protecting others' information. Now is the time to train people on why they need to be careful, cautious and vigilant. Another thing to remember: medical facilities also hold employee HR records, financial records, and all of the same types of data as any other business. HIPAA does not address the safekeeping of that data, only that of patient records.

The following is from the current AMA AMedNews:

Hospitals underrate malicious intent in data breaches
Experts say there are also lessons about data security for physician practices in the HIMSS study findings.
By Pamela Lewis Dolan, AMNews staff. May, 2008.

Hospitals generally are well aware of what they have to do under the Health Insurance Portability and Accountability Act to ensure the security of patient data. They are also aware that their own employees might be the ones who breach that security.
However, hospitals generally underestimate the malicious intent and the financial damage involved in data breaches and are unaware they're being targeted by perpetrators wishing to commit identity theft or medical fraud.
That is the conclusion of a recent report by the Health Information and Management Systems Society. The report was based on responses to a January telephone survey from 263 hospital executives responsible for patient data.
"I think ... hospitals, they may stick their heads in the sand, and they don't want to acknowledge that people want to access people's data for personal gain," said Brian Lapidus, chief operating officer of Kroll Fraud Solutions. Kroll, which sells data protection and identity theft response solutions, commissioned the study by HIMSS.
The report did not look into breaches at physician practices. But some experts say physicians also underestimate their chances of being targeted. Mike Spinney, spokesman for Ponemon Institute, a Traverse City, Mich.-based think tank that researches privacy and data security issues, said while breaches are commonly discovered at hospitals and large medical groups, too often physician practices adopt a mentality that they are too small to be targeted.