A NAHAM member found this article for us on bizjournals.com: "Medical identity theft is fastest-growing identity crime in the U.S."
In February, Anthem, the nation’s second-largest health
insurer, announced that its systems had been the target of a sophisticated
external cyber-attack. This attack, one of the largest data breaches in U.S.
history, impacted one in three Missourians, according to state officials. Since
the breach involved health insurance information as well as Social Security
numbers, the affected individuals are at true risk of medical identity theft.
The two most common types include an individual posing as someone else in order
to secure medical
goods, prescriptions or services; or an individual billing someone else’s
insurance, Medicare or Medicaid without their knowledge.
As with other types of identity theft, the victim often doesn't realize what has happened. But the risks associated with healthcare can be significant.
The affected person
does not realize fraudulent activity has occurred. Electronic health records
could be fraudulently changed, meaning anything from incorrect allergies to
preexisting conditions. This could lead to a future misdiagnosis or
inappropriate medical treatment.
Health care providers without effective security measures
should take note: 48 percent of consumers said they would consider changing
health care providers if their medical records were lost or stolen, according
to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft.
Consumers expect health care providers to be proactive in preventing and
detecting medical identity theft. Forty percent say that if a breach occurs, it
is important to receive immediate notification by the organization responsible
for protecting their health care information.
So what is a provider to do?
While medical identity theft is most harmful to a
consumer, organizations that handle personal health information (PHI) can
suffer costly legal ramifications as well as a tarnished brand if they are the
source of the data breach. To be less susceptible to these and other
liabilities, cyberattack prevention and cyber insurance plans should be in
place. While several components make up an effective
cybersecurity strategy, the following can be key lines of defense against
an attack or when facing its ramifications:
• Encryption — Data at rest and data in motion should be
encrypted to at least the levels recommended by HIPAA legislation. This will
help minimize the risk that data is compromised.
• Data leak prevention (DLP) — Also known as data loss
prevention, DLP is a data security technology that monitors data in use, in
motion and at rest in order to detect potential data breaches in a timely
manner and prevent them. A properly configured DLP system handles careless data
leaks by internal sources as well as intentional data theft by external hackers
or malware.
• Cyber insurance — Organizations that store or transmit
personally identifiable information (PII) should review the insurance options
for cyber protection. A variety of insurance policies cover things like the
cost of fines, notification that PII has been compromised, liability and
business interruption. Cyber policies vary greatly and an independent insurance
consultant can help review the best coverage option.