
TECH: Identity Theft Protection for Healthcare Companies By Brian Lapidus

Brian Lapidus is a seasoned expert in security and risk mitigation who focuses on the increasing challenges faced by the public and private sectors in protecting sensitive data and personal information from loss, theft and fraud.

The chief architect of product development at Kroll’s Fraud Solutions group, Lapidus sets direction for the company’s continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the security gaps – physical, procedural and electronic – common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used.

He is frequently quoted on the types of data breaches being experienced by thousands of organizations, and what steps can be taken to better protect confidential data and to recover should a data breach occur. He oversees a highly skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals’ identities to pre-theft status.

The fact of the matter is that patients – and the law – demand that healthcare companies protect highly sensitive information from every possible threat. But in-house security options just can’t keep pace with rapidly growing risks. After all, anti-virus software won’t stop someone from taking medical records. A firewall can’t help retrieve a stolen laptop. Below, I answer several questions whose answers every healthcare organization should know.

Q: Why are healthcare organizations particularly vulnerable to data breaches?

A: There are several factors that make healthcare organizations particularly vulnerable to data breaches. Some of these factors include:

I. Sensitivity of data – The healthcare industry is responsible for maintaining its patients’ most sensitive Personal Health Information. PHI is a treasure-trove for identity thieves.

II. Immense data flow (masses of data flowing in and out) – A primary reason healthcare data security breaches occur is that facilities do not know where all instances of their patients’ sensitive or confidential information reside within the network. Moreover, the danger does not stop at the hospital perimeter, but includes vendors that share or receive the data, as well as employees’ and contractors’ laptop computers and other portable storage devices.

III. Portability/usage of EPHI (Electronic Protected Health Information) storage devices – Improvements in technology and the portability of patient data come at a cost to security. Devices used to store and access PHI include laptops; home-based personal computers; Personal Digital Assistants (PDAs) and smart phones; USB flash drives and memory cards; floppy disks; CDs; DVDs; backup media; email; smart cards; and remote access; not to mention hotel, library or other public workstations and Wireless Access Points (WAPs).

Q: Who and/or what is at risk should a data breach occur? Are children, in particular, at risk? If so, why?

A: The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, if the Personal Identifying Information (PII) of a minor is at risk, it is impossible to place a "fraud alert" on his or her credit file to monitor and help protect the child from identity abuse. Many victims do not realize that their information was used until they apply for credit as an adult.

There are two different ways that an identity thief can use a minor’s information. The first is "Minor ID Cloning", where a thief uses the minor’s name and Social Security number in combination with a fraudulent address and date of birth to apply for credit. Once the credit bureau receives an application for credit, that begins the minor’s credit history, and the child "becomes" the age of whatever information the thief supplied on the application for credit.

The second form of minor identity theft is "Minor ID Combining", where a thief uses the minor’s Social Security number in combination with the thief’s own name and date of birth.

The detection and repair of minor identity theft is a time-consuming and difficult process.

Q: What should healthcare organizations be doing to better protect the personal information of children and all patients?

A: Awareness of data-breach methods and of ways to thwart an attack is key to reducing exposure. Following are some simple steps to elevate awareness and establish a better defense:

I. Educate employees about appropriate handling and protection of sensitive data. Have sanctions in place for employees found not following proper guidelines. Both are HIPAA requirements.

II. Consistently enforce policies and procedures, physical safeguards, and IT security. All three are required by HIPAA.

III. Review and revise physical security practices as needed in both brick-and-mortar and virtual operations. Address all the critical areas, such as who can leave the office with patients’ PHI, where sensitive data is stored and destroyed, who has access to sensitive data, and whether employees are required to surrender keys and badges upon leaving the company’s employ.


Q: What are the top three things healthcare organizations can do to protect themselves pre-breach? Post-breach?

A: Pre-Breach

1. Designate a privacy official responsible for developing and implementing the covered entity’s privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices, as required by the HIPAA Privacy Rule at 45 C.F.R. § 164.530(a).

2. Covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity’s business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule. Covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at § 164.308(a)(4) and the HIPAA Privacy Rule at § 164.508. It is important that only those workforce members who have been trained and have proper authorization are granted access to EPHI.

3. Partner with a corporate breach and data security expert to map a breach response strategy and plan. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the HIPAA Privacy Rule at 45 C.F.R. § 164.530(f).

Post-Breach

1. Have a relationship with a corporate breach and HIPAA data security expert so that any investigation can begin immediately and affected individuals will be notified in a timely manner. Collaborating with a company that can investigate, notify, and assist breached individuals goes a long way toward avoiding loss of brand integrity.

2. Detail who is in charge of any internal investigation, and who will speak to the police and media. Notify your corporate breach and data security expert partner that there is a security issue.

3. Maintain a good relationship with local, state, and federal law enforcement throughout the investigation. A positive report about a healthcare provider’s cooperation with law enforcement goes a long way toward maintaining brand integrity.

Q: Describe a client in this industry who benefited from your service.

A: A healthcare provider lost backup tapes and disks which contained personal information of 365,000 patients. The personal information exposed included patients’ names, physicians’ names, addresses, dates of birth, patient financial information, insurance data, diagnoses, prescriptions, and in some instances, lab results. The tapes also contained personal information of deceased individuals and minors who had received treatment at the facility. Kroll was hired to notify these individuals of the loss of information and to provide licensed investigators to respond and educate disturbed callers on how they could protect their personal information as well as that of minors and deceased loved ones. In addition to consultative services, the investigators provided assistance to individuals who had fallen victim to identity theft as a result of this incident, and helped these individuals regain their pre-theft identity status.

Q: What are the latest trends in security breaches at healthcare organizations?

A: I’ll provide two examples that illustrate two of the latest trends, one focusing on a healthcare payer and the other focusing on a healthcare provider.

Healthcare Payer
A large commercial healthcare insurance company experienced a data breach as a result of a laptop being stolen from an employee’s car. The employee did not follow the corporate policies for protecting member data, which resulted in exposing Personally Identifiable Information (PII) for 38,000 plan members. The information compromised included names, addresses, Social Security numbers and health-related data. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.

Healthcare Provider
A hospital, while expanding its IT system, discovered there had been unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of patients, and of the parents or guardians who were listed as the main policy holders with the health insurance carrier. This personal information included names, addresses, Social Security numbers and patients’ (minors’) birth dates.

The second database contained personal financial information, including unencrypted bank account and routing numbers, pertaining to individuals who had donated to the hospital. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.

If you or your company would like to discuss a particular identity theft protection solution or issue, please visit www.krollfraudsolutions.com to get additional information or to contact a Kroll Fraud Solutions specialist.

 

Unni Kuttan
Guest

The healthcare industry is a fast-growing industry nowadays, and among these nurses have an important role. Keep up the nice work. If you are interested in nursing jobs in Detroit, have a look at our link
http://www.ktcusa.org/
