The Ponemon Institute just published its “Third Annual Benchmark Study on Patient Privacy & Data Security”, which disturbingly reports that medical identity theft and fraud rose by 20 percent in the past year. The ramifications are serious: falsified claims for expensive medical procedures and prescription drugs (all at the victim’s expense), life-threatening treatment decisions made on records that co-mingle medical information from different people, and financial fraud such as filing for fraudulent IRS refunds or opening new loans and credit card accounts in the victim’s name.
Stolen medical records are a lucrative business because a complete record is worth far more on the black market than a credit card number or a Social Security number alone: it bundles name, date of birth, SSN, insurance and billing details that can be reused for several kinds of identity fraud, and unlike a card number it cannot simply be cancelled and reissued. Criminals have focused on the healthcare industry in particular because it is much easier to attack than other industries, which makes it low-hanging fruit for ill-gotten gains.
Inherent weaknesses in the privacy and security processes of healthcare systems, such as unencrypted laptops, tablets, and flash drives, have led to an increase in data breaches and theft. In addition, more than 40M Medicare patients carry their SSNs printed on their Medicare ID cards, which makes those numbers very easy to steal. To comply with the Meaningful Use Stage 2 requirement that patients have easy, timely electronic access to their medical records, more and more healthcare providers are establishing online patient portals that can be accessed with nothing more than a static user name and password. In today’s cyber environment this is not secure enough to prevent inappropriate access to protected health information (PHI) and personally identifiable information (PII): static passwords are frequently shared, written down where someone else can read them, reused across sites, or simply phished.
Most cybersecurity experts agree that secure identity proofing of patients, or of their proxies or caregivers, during initial enrollment or registration on an online patient portal is an essential first step toward protecting medical data. The procedure should establish (1) that the claimed identity exists (i.e. the SSN is a real one on file at the Social Security Administration and belongs to a living person), and (2) that the identity actually belongs to the person presenting it. The second check is commonly done with out-of-wallet or “knowledge-based” authentication questions that only the right person should be able to answer, with the type and number of questions adjusted to the risk profile of the access context. Keep in mind that answers to common out-of-wallet questions can sometimes be found in public records or in data from earlier breaches, which is exactly why the question set must be tuned to the risk rather than fixed.
Once a patient has been identity proofed, subsequent logins should require a one-time passcode delivered out of band to a device the patient possesses, such as a cell phone, pager, or laptop, through text messages, IVR voice calls, or email. The passcode proves possession of that device and serves as a second factor alongside the password; this combination is what is meant by multi-factor authentication. Codes should be short-lived, single-use, and verified with a limited number of attempts so that a six-digit code cannot be guessed online, and they should never be stored in plaintext on the server. Note that a code delivered by SMS or email is only as secure as the phone number or mailbox it is sent to, so app- or hardware-based authenticators are preferable where the patient population can use them.
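The second-factor step described above, as an added example that is not part of the original post and not Equifax’s product code: a small one-time-passcode service that issues a code over a caller-supplied delivery channel, stores only a keyed hash of it, and enforces expiry, single use, and an attempt limit. The six-digit length, five-minute lifetime, five-attempt limit, the `send` callback standing in for the SMS/IVR/email gateway, and the sample patient identifiers are all assumptions for illustration.

```python
"""One-time passcode issuance and verification for a patient portal login.

Added example, not code from the original post. Assumed parameters:
6-digit numeric codes, 5-minute lifetime, at most 5 verification attempts,
and a `send(address, message)` callback that represents the delivery channel.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

OTP_DIGITS = 6          # assumption: 10**6 code space, so the attempt limit matters
OTP_TTL_SECONDS = 300   # assumption: codes live five minutes
MAX_ATTEMPTS = 5        # assumption: lock the code after five wrong guesses


@dataclass
class PendingOtp:
    code_hash: bytes    # keyed hash of the code; the plaintext is never stored
    issued_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, server_key: bytes, send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._key = server_key      # in production this comes from a KMS/HSM, not a config file
        self._send = send
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        # HMAC bound to the user: a leaked table of hashes cannot be brute-forced
        # offline without the server key, and a code issued to one patient is not
        # valid for another even if the digits happen to match.
        msg = user_id.encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, address: str) -> None:
        # secrets.randbelow is backed by the OS CSPRNG; random.randint is not acceptable here.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # A fresh issue replaces any outstanding code and resets its attempt counter.
        self._pending[user_id] = PendingOtp(self._hash(user_id, code), self._clock())
        self._send(address, f"Your patient portal code is {code}. It expires in 5 minutes.")

    def verify(self, user_id: str, submitted: str) -> bool:
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]      # expired: the patient must request a new code
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]      # too many guesses: burn the code, even if this one is right
            return False
        ok = hmac.compare_digest(rec.code_hash, self._hash(user_id, submitted))
        if ok:
            del self._pending[user_id]      # single use: a captured code cannot be replayed
        return ok


def code_from_message(message: str) -> str:
    """Pull the digits back out of the delivered text (only for the walkthrough below)."""
    return message.split("code is ")[1][:OTP_DIGITS]


def demo() -> Dict[str, bool]:
    """Walk the code through its lifecycle with a constructed outbox and a fake clock."""
    outbox: List[Tuple[str, str]] = []          # constructed stand-in for the SMS gateway
    now = [1_000_000.0]                          # fake clock so expiry can be exercised
    svc = OtpService(b"server-key-from-kms", lambda addr, msg: outbox.append((addr, msg)),
                     clock=lambda: now[0])
    user, phone = "patient-42", "+1-555-0100"    # constructed sample identifiers
    results: Dict[str, bool] = {}

    svc.issue(user, phone)
    code = code_from_message(outbox[-1][1])
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"   # guaranteed different
    results["wrong_code_rejected"] = not svc.verify(user, wrong)
    results["right_code_accepted"] = svc.verify(user, code)
    results["replay_rejected"] = not svc.verify(user, code)

    svc.issue(user, phone)
    code = code_from_message(outbox[-1][1])
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.verify(user, code)

    svc.issue(user, phone)
    code = code_from_message(outbox[-1][1])
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user, wrong)
    results["locked_out_after_guessing"] = not svc.verify(user, code)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The two details worth carrying into a real deployment are that the server keeps only an HMAC of the code, so a database read does not hand an attacker live passcodes, and that the attempt counter is enforced per code rather than per request, so a six-digit code cannot be enumerated by retrying against the same issuance. Delivery itself (SMS, IVR, email) is outside this block and is the weakest link in practice.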
These steps add critical layers of security that help prevent online fraud stemming from medical identity theft. Find out more about healthcare ID authentication and fraud protection services from Equifax.