[BreachExchange] Unhealthy Rise In Healthcare Fraud: 5 Tips For Protecting Patient Privacy

Inga Goddijn inga at riskbasedsecurity.com
Mon Mar 21 18:09:51 EDT 2016


http://www.healthitoutcomes.com/doc/unhealthy-rise-in-healthcare-fraud-tips-for-protecting-patient-privacy-0001

Fraud is a serious and growing problem for all sectors, but healthcare is
taking a bigger hit than most. *According to one study*
<http://www.pkf-littlejohn.com/healthcare-fraud-report-2015>, while other
industries suffered average losses of 5.6 percent in 2015, in healthcare
the losses were 6.1 percent — an almost 30 percent rise since 2007. This
trend is predicted to continue with *IDC Health Insights*
<http://www.washingtontimes.com/news/2015/dec/10/hackers-likely-to-breach-1-in-3-health-care-custom/>
predicting one in three health records will be breached in 2016.

The simple reason for this is that personal patient data is valuable.
Medical information is enticing for hackers because it includes personal
details such as height and eye color that can be used to create fake
identities. According to a recent *FBI presentation*
<http://www.forbes.com/sites/laurashin/2015/05/29/why-medical-identity-theft-is-rising-and-how-to-protect-yourself/#6b3ddbcde200>,
stolen health insurance information fetched a price of $60 to $70 on the
black market while a Social Security Number went for less than a dollar.

One contributing factor is the fact that the majority of healthcare IT
leaders rely heavily on traditional security solutions such as firewalls,
audit logs, and data encryption. Technology by itself can’t provide an
adequate defense. Protecting patients’ data requires a complete program
including clear proactive policies, employee education, and verification of
compliance integrated with technical solutions. Following are five steps
that healthcare organizations can take to keep their patients’ data secure.

   1. *Create Corporate Culture Of Protecting Patient Privacy*
   Educate and re-educate employees on current HIPAA rules and regulations,
   including state regulations involving privacy of patient information. This
   training should be part of employee orientation and include periodic
   refresher courses. This includes everyone with access to sensitive patient
   data and computing systems (whether full-time, part-time, temporary, or
   transferring), medical staff (including both admitting and referring
   physicians), contractors, vendors, students, and volunteers. If employees
   are reminded of the implications of data breaches, the risk that security
   policies will be violated can be drastically reduced.
   2. *Conduct Regular Validation And Verifications*
   Internal audits should verify all fundamental health care fraud
   management activities are adequately performed using independent tools for
   verification. Sanitized results of audits that catch employees not
   following policies and procedures can be made available to raise awareness
   that management is serious about protecting patients' data. Releasing
   official reports internally that measure the organization's progress at
   preventing data theft helps keep all employees diligent.
   3. *Manage User Identity And Access Stringently*
   With so many members of the healthcare system frequently accessing
   patient information — for a multitude of different reasons — it is
   important to carefully manage identity of users. Make sure users at each
   level are only granted access to information pertinent to their position.
   For example, some organizations allow all staff and admitting physicians
   unrestricted access to all patient files, but limit the access privileges
   of referring physicians to their patients of record. Also ensure that
   log-on/log-off and other security-related procedures are clearly communicated
   and carefully enforced on shared machines. Automation of user access helps
   create an audit trail and ensures efficiency and safety for everyone
   involved.
   4. *Monitor Users, Applications, Devices And Records*
   Make sure you have a record of when electronic files are viewed and not
   only when they are modified or created. It is also just as important to
   make sure employees know they are being monitored. Inappropriate access is
   deterred when users understand that their actions will be recorded and
   reviewed and that sanctions can be applied for violating patient privacy.
   However, don’t overlook low tech data theft. Remind employees to be
   watchful of electronic devices and paper records left unattended. More
   often than not, data breaches occur due to theft of these items from a
   home, office or vehicle. Secure data exchange systems can catch when an
   employee sends an email or a file without the appropriate authorization,
   but carelessness is impossible to detect until it’s too late.
   5. *Proactively Take Action To Prevent Snooping*
   Take a special note when there are events that might increase the
   incidence of unauthorized access of patient data. Automated solutions have
   the advantage that business rules can be added quickly based on targeting
   those circumstances that are the most likely to result in data theft, for
   example when your organization is providing services to high profile people
   such as celebrities. Also it is recommended to monitor when workers might
   have family members treated to make sure they are not breaching security
   policies by accessing their records.
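
Items 3, 4 and 5 describe three controls that fit together: a least-privilege rule for who may open a record, an audit trail that captures views and not only modifications, and business rules that flag the circumstances most likely to produce snooping (high-profile patients, an employee's own relatives). The following is an added example, not code from the article or from any product it mentions, that models all three in a few dozen lines. Every user, patient, role name and log entry in it is constructed for the demo, and the `family_patient_ids` and `high_profile` fields assume the organization can supply that information from HR and registration data.

```python
# Added example (not from the article): a minimal model of least-privilege
# record access, view-level audit logging and rule-based snooping detection.
# All users, patients, roles and log entries below are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    user_id: str
    role: str                                   # "staff", "admitting" or "referring"
    patients_of_record: Set[str] = field(default_factory=set)  # only meaningful for referring physicians
    family_patient_ids: Set[str] = field(default_factory=set)  # relatives of this user (assumed HR-supplied)


@dataclass
class Patient:
    patient_id: str
    high_profile: bool = False                  # assumed flag set at registration for VIP patients


@dataclass
class AccessEvent:
    user_id: str
    patient_id: str
    action: str                                 # "view" or "modify"
    allowed: bool


def is_authorized(user: User, patient_id: str) -> bool:
    """Least-privilege rule from the article: staff and admitting physicians
    may open any file, referring physicians only their patients of record."""
    if user.role in ("staff", "admitting"):
        return True
    if user.role == "referring":
        return patient_id in user.patients_of_record
    return False                                # unknown roles get nothing


def record_access(log: List[AccessEvent], user: User, patient_id: str,
                  action: str = "view") -> bool:
    """Enforce the rule and log every attempt, views included, denied or not."""
    allowed = is_authorized(user, patient_id)
    log.append(AccessEvent(user.user_id, patient_id, action, allowed))
    return allowed


def detect_snooping(log: List[AccessEvent], users: Dict[str, User],
                    patients: Dict[str, Patient]) -> List[Tuple[str, str, str]]:
    """Return (rule, user_id, patient_id) alerts for events worth human review."""
    alerts = []
    for ev in log:
        user = users[ev.user_id]
        patient = patients[ev.patient_id]
        if not ev.allowed:
            # an out-of-scope attempt is itself a signal, even though it was blocked
            alerts.append(("denied_access", ev.user_id, ev.patient_id))
        if ev.allowed and patient.high_profile:
            alerts.append(("high_profile_record", ev.user_id, ev.patient_id))
        if ev.allowed and ev.patient_id in user.family_patient_ids:
            alerts.append(("family_member_record", ev.user_id, ev.patient_id))
    return alerts


def run_demo():
    """Constructed scenario: one staff nurse with a relative in the system,
    one referring physician with a single patient of record."""
    users = {
        "nurse01": User("nurse01", "staff", family_patient_ids={"P300"}),
        "drref": User("drref", "referring", patients_of_record={"P100"}),
    }
    patients = {
        "P100": Patient("P100"),
        "P200": Patient("P200", high_profile=True),
        "P300": Patient("P300"),
    }
    log: List[AccessEvent] = []
    record_access(log, users["drref"], "P100")      # patient of record: allowed
    record_access(log, users["drref"], "P200")      # not of record: denied, still logged
    record_access(log, users["nurse01"], "P200")    # allowed, but high-profile: flagged
    record_access(log, users["nurse01"], "P300")    # allowed, but a relative: flagged
    return log, detect_snooping(log, users, patients)


if __name__ == "__main__":
    events, alerts = run_demo()
    for ev in events:
        print(ev)
    for alert in alerts:
        print("ALERT", alert)
```

The point of logging denied attempts alongside successful views is that a referring physician probing files outside their patients of record is exactly the pattern item 4 wants reviewers to see; the rules in `detect_snooping` are deliberately simple so that new circumstances (a named VIP admission, an employee's family member) can be added as one more condition rather than a redesign.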

By being proactive and planning ahead, health care organizations have a
better chance of avoiding data breaches and keeping their patients’
personal data secure. Formal policies regarding information system
security, employee training, and procedures for monitoring and penalizing
breaches of privacy and security are essential. Investing up front in
protecting patient privacy is preferable to the long painful process of fixing
a problem after it has already happened. Once trust in your organization
has been damaged, it can be difficult — if not impossible — to repair.