Don’t expect medical breaches and healthcare fraud to drop off the radar anytime soon. Here’s why.

First, the number of breaches in the industry is still escalating. In 2011, healthcare breaches occurred 32% more frequently than in 2010.¹

Second, the profitably of medical records on the black market is high – 192% more profitable than Social Security numbers. Estimates put the former at $50 and the latter at $1, according to a GovTech.com article.

It’s this frequency and profitability that, in part, help to ensure the continuation of data loss and fraud. The sooner the industry accepts and prepares for incidents, the better.

Healthcare organizations still have a lot to do in that regard. Forty-three percent rank their ability to counter internal and external data security threats as “needs improvement,” “poor” or “failing.”² And their actions – or lack thereof – can adversely affect patients. Medical identity theft can cost a consumer $20,663 to resolve.³

 So what exactly is compromising data security at healthcare organizations? In a recent study, most organizations (54%) agreed that a lack of budgetary resources dedicated to security and privacy is the greatest weakness in preventing a breach.⁴ The study also named the top three causes of data breaches as:

• Lost or stolen computing devices
• Third-party errors
• Unintentional employee actions⁵

Looking at the list, it’s clear that budgeting for security and privacy needs to encompass protecting mobile and other computing devices, training employees and verifying that third party partners uphold a high level of security as well.

Without a well-rounded approach to data security, organizations make themselves even more vulnerable at a time when vulnerability is a given. Organizations big and small can’t do without computers, third parties and employees – or at least two of the three. So the risk of a breach and resulting fraud can never be completely eradicated. Human error alone is impossible to eliminate.

But risks can be managed with a comprehensive plan that addresses a full spectrum of weaknesses and threats. A plan that includes access controls and encryption for sensitive data as well as a response guide to handling a data breach if one occurs.

[footnotes]

1. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
2. Healthcare Information Security Today (2011)
3. Second Annual National Study on Medical Identity Theft, Ponemon Institute (2011)
4. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
5. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)

Say goodbye to bulky manila folders. Today’s healthcare organizations are zipping through medical histories and writing prescriptions using mobile devices. But the new found convenience hasn’t been without cost – not just in implementing new systems and tools but in losing data when security measures aren’t implemented too.

A recent study suggests that adopting new technology is a far greater priority than securing it. Eighty-one percent of healthcare organizations are using mobile devices to “collect, store and/or transmit” protected health information (PHI) but 49% “do nothing” to protect the devices.

The lack of security has been detrimental. The same study found that the breach of protected health information (PHI) records increased 97% from 2010 to 2011.

While data loss is certainly a burden to organizations, mobile security doesn’t have to be. Here are four key considerations for mobile-equipped medical offices:

1. Encryption
   Consider the encryption capabilities of a device before you purchase, not after. Carefully choose tablets and phones that offer a high level of encryption across the various functions and facets, including removable storage, of the device. If your office is already mobile-equipped, be sure encryption is standard procedure.
2. Storage
   Think of a mobile device as a way to access data, not store it. A secure server or cloud network is more appropriate for a centralized storage location, to which your mobile devices can connect and disconnect. The latter function is essential, as the portability of a mobile device makes it both easier to lose and more attractive to thieves. According to the Department of Health and Human Services, stolen physical devices account for 71% of breached healthcare records. A missing device that’s online with your data bank poses a serious threat to you and your patients.
3. Access
   Mobile devices should be password-protected, and so should access to your data bank through the devices. Job requirements should determine what devices and passwords each employee in your office can access. Also consider whether bring your own device (BYOD), when employees use their personal devices to access work data, fits with your security approach.
4. Employees
   Don’t overlook the element of human error in your mobile security plan. In 2011, the volume of breached medical records resulting from an employee losing an unencrypted device jumped 525%. Since you can’t ever completely eliminate human error, be sure to train your employees on properly using and handling mobile devices, as well as reporting any loss, theft or signs that a device has been tampered with.



Experian will be at the annual HCCA 2012 Compliance Institute conference at Caesar’s Palace in Las Vegas. This conference offers an important opportunity to meet industry professionals with solid credentials in a number of areas related to medical information and data security. Some of the topics to be addressed at the conference include healthcare reform, compliance effectiveness and HIPAA privacy/data breach.

Attendees at the Compliance Institute can choose from 128 sessions and 225 speakers. Special conference tracks address legal and regulatory issues and privacy and security concerns, as well as general compliance. Also offered are advanced discussion groups, industry immersions, speed networking and more. For more information, go to http://www.compliance-institute.org/.

Come and visit our booth. We’ll talk about ProtectMyID^®, Surveillance Alerts^TM and ProtectMyID^® ExtendCARE^TM, as well as other Experian products that can play a critical role in protecting your organization, informing patients of a data breach and helping your organization recover from an incident. You can also enter your name in a drawing for a chance to win a new iPad.

Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting.
With breaches of medical records increasing 97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors that make breaches in this one industry so cumbersome, dangerous and difficult to deter.
 
1. Heavy regulations
While various state laws govern many breaches, a healthcare breach falls under federal law—both for providers and their business associates. The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to govern PHI management. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further enforced it. HITECH’s tiered system of fines can cost a company as much as $1.5 million for mishandling a breach.

2. Black market premium
By many estimates, a medical record sells for $50 on the black market, compared to just $1 for a Social Security number (SSN), according to a GovTech.com article. A single breach can be highly lucrative with an average of 49,000 records impacted per incident. This profitability makes it all the more difficult to deter medical breaches and protected health information (PHI) fraud stemming from both internal and external threats.

3. Substantial harm to patients
Ninety percent of healthcare organizations in a recent study agreed that breaches cause patients harm. One example of this is medical identity theft. Another study found that resolving medical identity theft costs victims $20,663, an extrapolated average. Patients with breached PHI may face even worse. They could lose their medical insurance altogether, due to abuse of their benefits by an imposter. And that imposter’s health conditions, blood type, allergies and prescriptions could end up being part of the victim’s medical file. That misinformation could lead to improper medical care, potentially resulting in a life-threatening situation for the victim.

4. High volume of breaches
According to data from the Identity Theft Resource Center, the overall volume of breached records increased 35% from 2010 to 2011. Yet, according to HHS data, the volume of breached PHI records increased 97% in the same timeframe. In fact, three of the top six breaches of 2011 were in healthcare, according to the Privacy Rights Clearinghouse. The numbers point to an industry in crisis. Ninety-six percent of providers in a recent study have experienced at least one breach in the past two years.

5. Unprepared entities
The increase in medical breaches comes at a time when entities are updating their offices with both electronic health records (EHR) and mobile devices. Many are doing so without putting the proper security measures and access controls in place first. In a recent study, 81% of healthcare entities reported using mobile devices to “collect, store and/or transmit” PHI but 49% haven’t implemented any protection measures for the devices.

With so many different factors at play in healthcare breaches, the sector will continue to be an interesting one to watch. As the HHS promotes greater transferability of EHR, the road ahead may become even rockier.

As far as data security goes, 2011 was a dismal year.  Relentless, high-profile breaches punctured any sense that hack attacks are a remote threat, and by year’s end it was clear (if it wasn’t before) that protection against security disaster can only come from the most rigorous breach defense.

Unfortunately, disaster is exactly what has befallen the healthcare industry.  As health care regulations like HIPPA have become more pervasive, and healthcare records have increasingly moved online, the healthcare field has become a larger target of hackers and fraudsters while also becoming more vulnerable to breach by accident (such as a lost laptop).   That’s why health data breaches were up a whopping 97% last year, according to Redspin’s 2011 PHI Breach Analysis Report, with 19 million patients’ health records affected, with 59% of all breaches involved a business associate.

The increasing use of portable devices, such as tablets, has not kept up with security policies to protect new technologies and systems (such as electronic health records) against data breaches.  Of 385 breaches of protected health information during this period, 39% occurred on a laptop or other portable device, 25% occurred on a desktop PC or server, and 60% resulted from malicious intent such as theft or hacking.

The rise of healthcare data breaches have been a known problem.  Last year’s Ponemon Institute’s Second Annual Survey on Medical Identity Theft estimated that more than 1.49 million Americans had at that point been targeted by this crime.  With an average cost per victim of $20,663 the total national economic impact of medical identity theft crimes was calculated to be in excess of $30 billion.

Some of the key takeaways from the Redspin report:

●     The federal government should update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule so that healthcare providers have more relevant and practical guidance.

●     Healthcare providers should conduct a HIPAA security risk analysis on an annual or, at the least, bi-annual basis and put a plan in place to address any vulnerabilities found.

●     Hospitals should conduct a specific “portfolio” risk analysis of the numerous vendors, contractors, and consultants they work with to focus on the subset of business associates that present a high risk of potential damage from data breaches.

●     Healthcare providers must make their employees more security-conscious.

Consumers need to do what they can to protect their own health information, but healthcare organizations must mount vigorous defenses to ward off data breaches and implement incident response plans to quickly address breaches when they happen.

Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Our latest study, Aftermath of a Data Breach Study, was conducted to better understand how a data breach affects organizations over the long term. In this study, IT professionals weigh in on how their organizations dealt with a data breach that had both serious financial and reputational consequences. While we asked respondents to focus on just one breach, 85 percent say that their organizations had more than one breach involving customer/consumer data in the past 24 months. It is interesting to note that in many cases it took a serious data breach to make privacy and data protection a greater priority and allocate additional resources to the IT security function.

While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims was enough to reduce the negative consequences of the data breach. This suggests that compliance with data breach notifications laws in and of itself is not sufficient if an organization is concerned about customer loyalty and reputation. Other lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored. We invite you to read the full report here.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.

Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, Stroz Friedberg, LLC - a global digital risk management and investigations firm.

All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So PLAN, keeping in mind:  People, the Law, and Action, with No time to waste.

People – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.

Law – Track fast-changing data breach laws, privacy regulations, and notification mandates before a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).

Action – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.

No time to waste – Remember that time is of the essence. Once a breach is identified, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.  

A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, create your PLAN now.

A few weeks ago I discussed a few preventative measures a healthcare business can implement to protect itself from the damages of medical fraud.  However, the fight against medical fraud requires support from many groups, including the U.S. Government.  Bringing new tools to the fight, the Obama Administration recently announced aggressive new measures it is taking to reduce medical fraud. The Administration will be employing modeling tools to help predict potentially fraudulent or abusive activity before it occurs.

These new tools will be employed to fight abuses of Medicare, Medicaid and the federal Children’s Health Insurance Program, Obama Administration officials indicated.  The tools are designed to identify background information, for example, of potentially fraudulent individuals and links to questionable business affiliations.  The goal of this process is to prevent people from creating false healthcare providers or suppliers to act as a front for a scam.

Banks, credit card companies and insurance providers are also using many of these tools and strategies. The goal shared across all industries is to stop fraud before it occurs.  Preventing fraud is far less taxing on a business or organization in any industry than having to minize the potential financial damages caused after an incident.

It’s great that the Obama Administration is taking steps to help the healthcare industry fight medical fraud. There are many other tools out there that can support the fight.   The more industries can share fraud prevention tools with each other the stronger our collective ability will be to stop fraud before it happens.

Medical fraud is occurring at an alarming rate and is expected to cost the US healthcare system $100 billion a year.  Medical fraudsters vary in their sophistication and range from organized crime organizations to individuals preying on senior citizens.  For example, one crime syndicate stole the identities of doctors and thousands of patients to make false claims at bogus health clinics across 20 States worth $100 million.  Fraudsters working alone offer falsified free services as a tactic to acquire Medicare numbers to later bill insurers for supplies a patient never receives.

There are many things consumers can do to help prevent becoming a victim of medical fraud including not providing a Medicare number to a telephone solicitor of free services.  However, a recent article suggests that doctors, hospitals and insurers need to become more involved in protecting themselves from the damages caused by medical identity theft.

For example, medical providers should do more to verify and authenticate people who come to their offices for the first time.  A front office worker could ask the new patient to provide three forms of identification to ensure consistent names and addresses are used.  Secondly, office staff should verify the person actually lives at the address by running a credit check.   Lastly, if a potential fraud case is discovered, medical staff needs to be informed of how to contact the relevant authorities.

Protecting your business from medical fraud will not only reduce future headaches, but will protect your most valuable asset…loyal patients.