Home Health & Hospice Week

Take these steps to safeguard against medical identity theft.

As a healthcare provider, you are likely acutely aware of the importance of patient privacy -- but you may not know all of the new ways that thieves are trying to steal it from you.

Generally medical ID theft occurs two ways. Either it occurs from the inside where employees are involved or it occurs at point of care where patients are posing as someone else for the purpose of gaining expensive treatments or drugs without having to pay for them, information security expert Ester Horowitz tells Eli. The bad news is that often "the very people we trust the most are actually the ones committing the fraud and it could have been going on for years," she warns.

Illicit cash: When medical ID theft is an inside job, "it means that someone who works for a covered entity is taking the IDs and passing them or using them for money," says Horowitz. "The street value of an ID is about $100 per name, which can be sold repeatedly."

Medical IDs do not usually include health information -- only name, address, social security number, date of birth, and health insurance ID number. You don't need an address to commit ID theft, but you do need a date of birth with a name, Horowitz adds. "When you can take someone's identity without permission, it is a crime even if nothing is done to use it in any way," she clarifies.

Healthcare providers "are particularly vulnerable to viruses or attacks that are designed to steal information," attorney Kenneth Rashbaum of Rashbaum Associates in New York City points out. "Phishing" attacks, in which a user is asked to click on an attachment or link that then loads malware that sends identifying information back to the malware authors, is a common and insidious method of identity theft, he adds.

Thwart Security Threats

Taking a two-pronged approach to stopping both inside jobs and external theft of your PHI is the best way forward, experts insist. The first approach is to apply the technical securities that will help prevent a threat to your information systems, "and the other is to require good authentication of individuals when providing services or supplying information," Jim Sheldon-Dean of Lewis Creek Systems in Charlotte, Vt. advises health providers.

Know flash drive risks: A virus can be introduced though use of a USB that had previously been used in an infected home computer, Rashbaum points out. "Clearly written policies and procedures can help in this regard, such as those that direct users not to open attachments or click on links from unknown or untrustworthy sources, and proscribing the use of USBs into facility computers after they have been used at home, unless they are checked out before being plugged into the facility system," he suggests.

Implement authorization controls such as password protocols and access controls that limit access to patient information to those who have a business need for that information, Rashbaum further advises.