Identity Theft Check Up: Electronic Medical Records are the New Credit Cards

As credit card fraud prevention measures have made it tougher on identity thieves, identity thieves have found a new target, healthcare identities. And healthcare information systems are nowhere near ready to withstand the onslaught. A recent survey by Chicago-based HIMSS (Healthcare Information and Management Systems Society) found that most hospitals spend less than 3% of their IT budget on security, a level Lisa Gallagher, senior director for privacy and security at HIMSS, calls inadequate.

According to the New York Times, a single credit card number was going for as much as $100 on the black market in 2005. The black market has gone through turmoil similar to the stock market and the same number today sells for about $6 dollars to as little as $0.40 cents per number. The market has become flooded with numbers and banks are able to detect fraud more quickly because of online banking and increased awareness. The amount of attention focused on credit card fraud, coupled with the loss of profitability for thieves, has made it tough for criminals so their interest is shifting to healthcare identities.

Enter electronic medical records (EMR). EMRs are essentially an identity plus medical information. In 2007, an identity typically sold for $14 to $18 dollars. An EMR will usually contain a name, address, Social Security Number, date of birth, prescription information, medical history, and possibly a picture of a driver’s license. A single hospital would retain this information for every person who has ever checked in and this is all the information an identity thief would need. Patients with recent birth or death events would be perfect candidates for identity theft as no one is usually monitoring their credit. Medical records that were previously boxed up in the basement are now ripe for the picking as hospitals make the move to digitize EMRs and are slow to adopt the processes and technology needed to protect this information.

Identity theft is only half the picture. A trend is emerging with thieves targeting patient records for the medical information contained within them. These data breaches started with simple hostage/ransom demands of large record holders. In October 2008, Express Scripts was notified by an attacker that records of millions of their customers would be released into the public if ransom was not paid. In a similar April 2009 incident, an attacker hijacked the Virginia Prescription Monitoring Program web site and posted a message demanding a $10 million ransom from the state.

A shift has started where attackers are starting to sell the actual electronic medical and health insurance information. In October 2009, it was discovered that a company in India was selling British medical records. The seller told undercover investigators “I have 30,000 files to give you today, right now. I’ve around 140 diseases here. You just tell me which disease you’re looking out for – I can give you anything”. This data breach was blamed on the British hospital outsourcing its medical record transcription to a third-party business associate who in turn outsourced it to another company in India. These records were fetching £4 ($6.24) each, but the World Privacy Forum claims these records can get upwards of $50 dollars per record.

It is only a matter of time before these stolen records are regularly used for social engineering attacks against patients. Also, people desperate for medical care will begin looking to the black market to buy an insurance identity to file fraudulent claims. Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.

How Can an Information Security Program help?

As with most technological challenges, there are no quick fixes or easy solutions, however, there are steps you can take to mitigate data breaches. Medical records and health insurance information need to be available to those who require access and secured from thieves trying to steal the data. One cannot just say “those records are encrypted” and think they’re set, the company must demonstrate a true commitment to a complete Information Security Program (ISP). Safeguarding EMRs requires management and implementation tasks that range across the entire business enterprise.

The following recommendations can help a healthcare organization get on the right track:

  1. Demonstrate a true commitment to information security across the entire enterprise – not just within the IT arena. The most effective Information Security Program takes a risk-based approach, balancing potential risks against the convenience and expense to mitigate identified risks.
  2. View IT Security as a Competitive Advantage as companies that experience IT security breaches are subject to damaging consequences such as:
    • Large monetary penalties from regulators
    • Loss of mission-critical IT systems including web applications, business associate networks and internal networks
    • Breach notifications to customers/patients and the media
    • Legal action by affected customers/business associates/vendors
    • Theft and/or misuse of data
  3. Implement and follow well-documented security policies and procedures. Periodically review and adjust these and monitor and measure compliance to industry best practices.
  4. Collaborate with business associates on the implementation of EMR security programs.
  5. Conduct independent security assessments. HIPAA law requires covered entities to conduct routine evaluations of the effectiveness of EMR security programs, policies and procedures. It is also important to evaluate business associates with whom health data is exchanged.

As with any new regulated law, it is important to take a step back and fully understand how this impacts your organization. There are no “cookie-cutter” solutions however understanding the current infrastructure by taking a holistic, risk-based approach and balancing potential risks against the convenience and expense to mitigate identified risks are the recipe for success. Strong leadership, organizational competency, risk classification, collaboration and continuous process improvements are the benchmarks for best practices in healthcare information security and compliance.

Posted on by David Bailey 17 Comments

17 thoughts on “Identity Theft Check Up: Electronic Medical Records are the New Credit Cards

  • Fausto Cicek

    Thanks for sharing excellent informations. Your site is very cool. I’m impressed by the details that you

  • umran

    How do you stop a crazy identity thieves that take your name and impersonate you if you know the secret please do explain to my medical officer, he is as slow as a snail doesn’t know the reason or how to arrest any advice would be helpful or he might be my causer or explianer to cause the thieves the happiness of using me for there idiot fun.

  • Pingback: Medical Identity Theft Plagued by Confusing Claims

  • Pingback: Ceptera Security Newswire » Medical Identity Theft Plagued by Confusing Claims:

  • Pingback: Medical Identity Theft Plagued by Confusing Claims | Security Antivirus Virus

  • Andy Jackson

    I got the iphone a few months ago and was impressed with all the apps Apple had to offer. I got a PHR for myself and it was free but the only thing the company offered was a card. I would rather go for a PHR that comes in flash drive and get automatic reminders, and I think that whether it’s an app or Medefile, or any other PHR company that it is beneficial to both patients and EHR’s. I hope to see a surplus in this field.

  • Calcium Ascorbate :

    identity is rampant both online and offline, always make sure that you don’t share unecessary info about yourself’.,

  • Philadelphia

    Enjoyable data, do you know where I may possibly find out more about this kind of info? I’ve already been intending to find out a little more regarding it to no avail. Any other great reference would certainly be appreciated. You’ve pretty much taken care of nearly all my personal thoughts with this as well as have done a great job with the piece.

  • logo design

    identity theft is the biggest security issue now a days not just in the medical industry bit also in financial one.Although there a tools (digital signature) available to prevent the same but these are not so mature

  • Jacob Patel

    Identity Theft is so rampant these days because it is quite easy to harvest information from someone else.”‘.

  • Lebensversicherung Rechner

    Thanks for the article! I searched for a work like that for months!
    I like your blog very much!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Twitter Facebook Facebook