Medical Identity Theft: Discussion – The Security Issues this Crime Raises
Data Breaches and Medical Identity Theft: Data Breach Notification Needs to go to Each Individual Impacted
Given the evidence that sophisticated criminals are working in the area of medical identity theft, it is reasonable to conclude that the data breaches targeting hospital systems with rich patient and insurance data may well lead to patient information being used without patient consent or knowledge.
Individuals must be informed directly anytime their protected health information is inappropriately accessed. If individuals are not notified of a breach, then they may not know that their medical files may be being altered by criminals in ways that may threaten their health, impact their insurability, or cause other harms. Because of a lack of studies in the area of medical identity theft, we do not know how many medical identity theft crimes go undetected. Data breach notification is one way to ensure that breach victims begin to monitor their insurance information closely.
Since 2005, some health care providers have given notice to consumers when there is a data breach involving sensitive or protected health information, depending on state laws.
For example, in January 2006, Providence Health System notified individuals of a data breach.  It is not unusual for the health care provider to follow up with a “post-breach study” of victims to determine if there has been any incidence of identity theft. Companies such as ID Analytics and others have acquired expertise in analyzing credit report activity and other indicators to make this assessment. While breach assessments have been helpful for victims of financial identity theft, the same may not necessarily hold true for victims of medical identity theft.
New Polling Methods for Post-Breach Studies are Needed
Medical identity theft may not always reveal itself like standard financial identity theft, and as a result, it has not always been identified in follow-up studies of data breaches of medical data. One of the questions that could be asked to begin to develop a more effective methodology for victims of identity theft would be to poll insurers to see if there are claims made in the victims’ names. This kind of polling is expensive, because the individual victims need to be interviewed as well. Victims may be the only ones who can tell if a medical service billed to an insurer in their name was really a service that they received or sought.
The National Health Information Network and Medical Identity Theft
A number of well-intended individuals and organizations have claimed that making all health records electronic and implementing the NHIN will reduce costs, save lives, and reduce fraud. This report does not consider the cost claims of the NHIN. However, this report has considered the claims of the HHS and others that the NHIN will reduce fraud and save lives.
Here are, in brief, the scenarios that HHS officials envision due to the NHIN:
- The NHIN will save lives because medical records for everyone will be online, and will be available everywhere.
- The NHIN will save lives because there will be no more medical errors when medical records are digitized and put online.
The NHIN will reduce fraud because it will be easier to analyze records when they are in digital form.
It would be difficult to find a person who would not desire for these statements to be true. However, due to the presence of medical identity theft and other forms of fraud from within the system, these statements cannot be and are not supported by the current facts.
The GAO, in a 48-page report published in February 2006 about the problems with information security at Health and Human Service in its existing health information systems such as Medicare (among others) wrote:
“Information system controls are a critical consideration for any organization that depends on computerized systems and networks to carry out its mission or business. Without proper safeguards, there is risk that individuals and groups with malicious intent may intrude into inadequately protected systems and use this access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.” 
This statement is an excellent summary of the problem that already exists in Medicare/Medicaid, and it is a potent harbinger of what the NHIN will face.
The Lessons the NHIN Needs to Learn from the High Incidence of Fraud in Medicare / Medicaid Electronic Systems
The Office of the National Coordinator for Health Information Technology  commissioned a report to look at fraud in the NHIN. The report concluded that the NHIN could be used to reduce fraud.  One of the suggestions in the report was that data required from the NHIN for monitoring fraud and abuse must be derived from its operations and not require additional data transactions.  In light of all the studies of fraud in the already-digitized Medicare systems, this is an assertion that needs to be reevaluated. If this model is indeed incorporated, this recommendation may ensure that medical identity theft would not be caught by the system. This is something that has already been shown in the Medicare systems.
Medicare/Medicaid systems are highly digitized. That is how HHS handles more than a billion health care claims each year: the majority of those claims are auto-adjudicated. A voluminous number of excellent studies have been conducted on fraud within the electronic systems of Medicare and Medicaid. At this point, prominent researchers have concluded – based upon the factual evidence – that the electronic environment has greatly contributed to the fraud problem in those programs.  There is no reason to think that the NHIN will not be subject to these same dynamics.
A February 2006 GAO report looked at Medicare Claims Processing Systems. These are the CMS contractor-operated group of systems that are used to process Medicare claims. These processing systems include inpatient hospital care, nursing facilities, home health care, and other health care services. The GAO investigation found significant weaknesses in information security.
“Significant weaknesses in information security controls at HHS and at CMS in particular put at risk the confidentiality, integrity, and availability of their sensitive information and information systems. HHS has not consistently implemented effective electronic access controls designed to prevent, limit, and detect unauthorized access to sensitive financial and medical information at its operating divisions and contractor-owned facilities. Numerous electronic access control vulnerabilities related to network management, user accounts and passwords, user rights and file permissions, and auditing and monitoring of security-related events exist in its computer networks and systems. In addition, weaknesses exist in controls designed to physically secure computer resources, conduct suitable background investigations, segregate duties appropriately, and prevent unauthorized changes to application software. These weaknesses increase the risk that unauthorized individuals can gain access to HHS information systems and inadvertently or deliberately disclose, modify, or destroy the sensitive medical and financial data that the department relies on to deliver its vital services.” 
If the HHS systems reveal systemic weaknesses such as that which the GAO discovered, then how can another system that HHS is overseeing be substantively different?
Current Audit Systems Do not Resolve The Problem
One 2002 article advocated that to combat health care fraud, that automation was the answer, and that consumers should not be allowed privacy protections that allow opting out of automated regimes:
“Automation can also reduce fraud and abuse by carefully tracking providers’ reimbursement claims and matching those claims with electronic treatment records. To effectuate these savings, national privacy policies should encourage consumer and provider participation in electronic filing techniques, and avoid measures that would limit potential savings (e.g., privacy protections that allow consumers to “opt out” of computerized health databases).” 
What the authors may not have taken into consideration is that particularly in medical identity theft, comparing a fake billing record with an equally fake electronic treatment record only proves that the slick criminals lied two times. This pattern of “lying twice” is the norm in medical identity theft, and this proposal of automated checking would do nothing to prevent or even detect medical identity theft, particularly the variety that introduced life-threatening changes to health records.
Thoughtless automation is not helpful in prevention. And automation that does not have rigorous security enhancements and audit trails can introduce new challenges into the environment.
Digital Security Issues in the NHIN and Other Highly Digitized, Virtualized Environments
The medical environment poses unique challenges for anyone attempting to provide meaningful security against crimes such as medical identity theft. In a financial environment such as a bank, the structure and idea of defense is to erect an impermeable perimeter with a membrane that only the right people (such as legitimate account holders) can get through – using such tools as two –factor authentication and so on. Auditing tools and protocols can strictly control and track insider access.
But in a medical environment, this sort of moat and castle security architecture is not realistic. The larger the medical environment, the more complex the virtualization will become. Hospitals may have multiple ports of data access and dissemination, including mobile devices such as PDAs. Some hospitals are increasingly using RFID tags to interface with wireless LANs and to create “sensor space” where blood, equipment, and sometimes even patients are tracked electronically through the hospital.  Etherealized patient data can be picked up not from one terminal, but from wireless entry points, RFID bracelets and anklets, PDAs, paper charts, and in some structures, remotely from laptops in doctor’s homes.  And finally, that patient data, if housed on a network, may be generated amongst dozens of other hospitals, crossing state lines.119 In one NHIN scenario outlined by HHS, the patient data could be potentially remotely accessed from any hospital or provider connected to the NHIN, no matter what city the patient is in. 
The security issues go further and deeper, though, than just display of data. Medical information has to be moved across software and hardware, and sent off to multiple third parties such as insurers, labs, and so forth, thus infinitely making more complex the security issues. These profound security issues, which have no simple or easy or even a perfect answer, must be seriously and rigorously considered in the context of medical identity theft. To do any less is to jeopardize patient safety and health, and ultimately, the integrity of medical research based on patient data.
Physical Security Issues in a Medical Environment
One of the most challenging issues in a medical environment is to physically secure data. In a provider environment such as a hospital, where a few seconds or minutes may mean the difference between life and death for a patient, the emphasis is correctly on speed and ease of access to information. And therein lies the extraordinary challenge of securing patient data in the health care environment.
How does an organization or provider go about meeting health and safety goals while meeting security goals that also impact health and safety? These two issues are at odds, and to date there have not been mature enough solutions that fully meet both needs. In even the most rigorous, responsible environment, there will be a tension. In environments where there or a lack of attention to security issues, various types of disasters ensue.
One recent example occurred in Sacramento. There, at an HIV/AIDs clinic, a laptop containing the health information for 1,764 clients was stolen in a home burglary. The computer records include the name, age, gender, race, ZIP code and HIV status of nearly every CARES client. The files do not include addresses, Social Security numbers or driver’s license numbers.A researcher had brought the computer home to do some work. 
Other examples include:
- A CMS Medicare contractor used a privately owned vehicle and an unlocked container to transport approximately 25,000 Medicare check payments over a 1- year period. 
- Four hundred forty individuals were granted unrestricted access to an entire HHS data center, including a sensitive area within the data center— although their job functions did not require them to have this level of access. 
Insider Aspect of Medical Identity Theft is a Fundamental Security Issues for the NHIN and other Health Care Systems
Based on the known cases of medical identity theft and health care fraud, many medical identity theft cases have an insider aspect to them. This is true in the private and in the public sector.
The GAO wrote:
“ …. it has long been recognized that the greatest harm to computing resources has been done by authorized individuals engaged in improper activities— whether intentionally or accidentally. 
There is a percentage of medical identity theft that occurs by siblings or by individual criminals without insider access. But the current evidence strongly indicates that people with legitimate access to computer systems and/or patient data may often be the primary culprits. 
In one case brought in Texas, a woman was sentenced for identity theft. She stole patient information she found while working in a medical billing department.  In another case, an individual who worked in an intermediate care unit at a hospital in Alexandria, Virginia was charged with used her position in the hospital to take protected patient information, photocopy, and then pass it off to an accomplice or use it for her own purposes. 
Of all the security issues raised by medical identity theft as a whole, other than the harm to victims and to the medical system , the insider nature of the crime is likely going to be the most intransigent to correct. While a bank may use internal audit trails to log and monitor insider access, in a medical environment that depends on a high amount of interaction between people, the same kinds of controls are not likely to be as effective.
 Joe Rojas-Burke, “Providence critics push for safer records.” The Oregonian, January 27, 2006.
 Government Accountability Office, INFORMATION SECURITY: Department of Health and Human Services Needs to Fully Implement Its Program at 5 (GAO-06-267), (2006).
 The Office of the National Coordinator is part of the Department of Health and Human Services. See < http://www.hhs.gov/healthit/>.
 Nikki Swartz, “E-Records May End Fraud.” 1 January 2006. Information Management Journal.
 The most definitive technical and operational analysis of these systems has been written by Malcolm K. Sparrow in License to Steal: How Fraud Bleeds America’s Health Care System, at chapters 5-8 (Westview Press, 2000)
 GAO-06-267, p. 2.
 Lawrence O. Gostin, James G. Hodge, Jr , Modern Studies in Privacy Law: National health information Privacy regulations under HIPAA: Personal Privacy and Common Goods: A Framework for Balancing Under the National Health Information Privacy Rule, 86 Minn. L. Rev. 1439 (2002).
 Business Wire. February 9, 2005 Wednesday 5:07 PM GMT. “University of Chicago Comer Children’s Hospital Selects Mobile Aspects.” Also see “System targets blood-type mix-ups,” The Boston Globe, 24 February 2005. Scott Allen. Also see “Ubisense Ultrawideband Location Devices Certified by US FCC Approval Opens U.S. Market for Location Aware ‘Smart Space’ Platform, Ubisense one of the First Companies to Receive Certification.” PR Newswire (U.S.) 06 December 2004.
 See: “Company receives product leadership award for patient ID wristband.” Biotech Business Week, 20 December 2004. Also see “AXCESS ActiveTag Product Tapped for Patient ID System.” 17 February 2005, Wireless News.
 HHS Awards Contracts to Advance Nationwide Interoperable Health Information Technology – Strategic Partnerships with Public-Private Groups Will Spur Health IT Efforts. 6 October 2005, U.S. Health & Human Services Documents.
 “HHS Awards Contracts to Advance Nationwide Interoperable Health Information Technology – Strategic Partnerships with Public-Private Groups Will Spur Health IT Efforts.” 6 October 2005, U.S. Health & Human Services Documents. See also Robin Blair, RHIO Nation, 1 February 2006, Health Management Technology.
Todd Milbourn , “Stolen laptop contains files on HIV patients”, 23 February 2006. The Sacramento Bee.
 Government Accountability Office, INFORMATION SECURITY: Department of Health and Human Services Needs to Fully Implement Its Program at 12 (GAO-06-267), (2006)..
 GAO-06-267 HHS Information Security
 See discussion of cases in this report for examples.
 “Defendant sentenced in identity theft scam.” U.S. Department of Justice press release, United States
Attorney Northern District of Texas. August 19, 2002. < http://www.usdoj.gov/usao/txn/PressRel02/thompson_cynthia_sen_pr.html >.
 News Release. U.S. Department of Justice. United States Attorney Eastern District of Virginia, July 21, 2005.
Roadmap: MEDICAL IDENTITY THEFT – The Information Crime that Can Kill You: Part II Discussion: The Security Issues this Crime Raises