Watch for insider breaches and human error, advise experts.

Providers of healthcare -- nursing facility staff included -- need to be aware of the threat of medical identity theft and take suitable steps to prevent its occurrence. Generally, medical ID theft occurs in one of two ways. Either it occurs from the inside, where employees are involved, or it occurs at the point of care, where patients pose as someone else for the purpose of gaining expensive treatments or drugs without having to pay for them, Ester Horowitz, CMC, CITRMS, CIISA, explains. The bad news is that often "the very people we trust the most are actually the ones committing the fraud and it could have been going on for years," she warns.

Illicit cash:
Medical IDs do not usually include health information -- only name, address, social security number, date of birth, and health insurance ID number. You don't need an address to commit ID theft, but you do need a date of birth with a name, Horowitz adds. "When you can take someone's identity without permission, it is a crime even if nothing is done to use it in any way," she clarifies.
"Hospitals, and physicians' offices, are particularly vulnerable to viruses or attacks that are designed to steal information," Kenneth Rashbaum, Esq. of Rashbaum Associates, New York, N.Y. points out. "Phishing" attacks, in which a user is asked to click on an attachment or link that then loads malware that sends identifying information back to the malware authors, is a common and insidious method of identity theft, he adds.
Use a 2-Part Strategy to Thwart Security Threats
Taking a two-pronged approach to stopping both inside jobs and external theft of your PHI is the best way forward, experts insist. The first approach is to apply the technical security measures that will help prevent a threat to your information systems, "and the other is to require good authentication of individuals when providing services or supplying information," Jim Sheldon-Dean, Director of Compliance Services, Lewis Creek Systems, LLC in Charlotte, Vt., advises health providers and facilities.
Know flash drive risks:
A virus can be introduced through use of a USB drive that had previously been used in an infected home computer, Rashbaum points out. "Clearly written policies and procedures can help in this regard, such as those that direct users not to open attachments or click on links from unknown or untrustworthy sources, and proscribing the use of USBs into facility computers after they have been used at home, unless they are checked out before being plugged into the facility system," he suggests.

Implement authorization controls such as password protocols, and access controls that keep access to patient information limited to those who have a business need for that information, Rashbaum further advises.