vol 8, issue 10

Healthcare identity assurance - warding off fraud

15 October 2013
By Aasha Bodhani
A still from Carry on Doctor

Insurance fraud and fake benefit claims are some of the biggest challenges faced by the healthcare industry today

A doctor talks to a patient

Recent ‘e-health’ initiatives have generated an easily accessible treasure trove of patient information

Fujitsu’s biometric PalmSecure system

PalmSecure system has been adopted by over 35 US health providers, particularly for patient identity protection

A doctor talks to a patient

Benefits of digitising records include quicker access to an individual’s healthcare requirements - helpful in emergencies

University Hospitals Birmingham

Entrust provided two-factor authentication to University Hospitals Birmingham to ensure patient information was secure

Lancashire Care NHS Foundation Trust head quarters

In 2012, Lancashire Care NHS Foundation Trust trialled the ‘Identity Agent’ smartcard software

The healthcare industry is under attack, with imposters, fraudsters and cyber-criminals pretending to be people they are not to acquire personal patient data. But the ID theft clampdown has begun.

The migration to electronic medical records is an important transition for the healthcare industry. Not only is it aimed at making healthcare more efficient and improving the quality of patient care, but the concept ties in with other e-health initiatives that can take advantage of emerging technology to improve the quality of patient care.

Electronic medical records have received a good deal of attention in recent years, and not necessarily for the most positive reasons. Whilst the UK's NHS and the USA's Obama administration have encouraged healthcare organisations to invest heavily in electronic healthcare records, it has become increasingly clear that there is a need to guard against playing into the hands of cybercriminals.

With so much personal data residing in one place, it is hardly surprising that electronic medical records have become huge on the global black market for hacked data. They hold a wealth of personal information about individuals, ranging from national insurance numbers, diagnosis outcomes and test information, to financial details, such as income, credit-card details, and home addresses.

Confidentiality is, of course, key to maintaining the trust between doctor and patient, but as the healthcare industry becomes 'modern' in terms of digital imaging, e-prescriptions and electronic medical records, the industry is now prone to further challenges. Medical identity theft varies from stealing personal data to commit insurance and benefit fraud to stealing prescriptions and claiming medicine to resell.

"Fraudsters are very adept at moving goods on to the grey markets very quickly, and as healthcare systems carry large amounts of data on patients, getting access provides a treasure trove of details for ID theft," explains security specialist FireEye's senior architect Jason Steer. "Though healthcare providers would not typically consider themselves a cyber-target, the one thing many businesses are finding is that they are targeted for the data, drugs, prescriptions, research and anything else that one could consider of value."

He adds: "The sheer amount of sensitive data available is worth significant amounts of money on the black market to criminals – the value should not be underestimated."

US analyst Ponemon Institute conducted its 'Third Annual Survey on Medical Identity Theft', commissioned by Experian's ProtectMyID, in 2012. It surveyed 807 individuals who have had their identity stolen in some way. Of these, 757 said they or their immediate family members have been "victims of medical identity theft".

The survey found that an estimated two million Americans fall victim to medical identity theft each year, and that the estimated cost of the theft, based on the mean value, is $41bn, up from an estimated £30.9bn in 2011. Respondents also reported having lost trust in their healthcare providers. Victims who resolved the theft did so by reimbursing the fraudulent charges to the healthcare provider or insurer; on average it took a year for the matter to be resolved and the amount paid back to be recovered.

Some 57 per cent of respondents admitted they never check their medical records to verify the accuracy of information, simply because they do not know how to do the checks, plus they trust their healthcare providers to be accurate.

More alarmingly, 20 per cent of respondents said that their medical records had been accessed or modified. This is a major concern, as an altered medical record can result in wrong treatments, particularly if the patient is in a critical condition and does not receive the correct medication, or is left untreated altogether.

Legal requirements

The Data Protection Act 1998 covers information on an individual's physical and mental health, and only a registered health professional has the legal right to access the records. Despite this, the Information Commissioner's Office served Brighton and Sussex Hospitals NHS Trust with a Civil Monetary Penalty of £325,000 when computer hard-drives containing personal information about thousands of patients were sold on eBay in 2010.

This is by no means the only such incident. In 2012 NHS Surrey was ordered to pay £200,000 after over 3,000 patient records – 2,000 belonging to children – were found on a second-hand computer, and again sold on eBay. The ICO said it was one of the most serious data breaches as a contractor for NHS Surrey had failed to wipe and destroy 1,570 hard-drives.

"If these records end up in the hands of criminals, and the data is accessed, and it includes information on adults and children, who knows what it can lead to? At the very least it would be ID theft," says security consultant firm Accourt's security analyst Neira Jones. "Should the contractor be accountable? Definitely not, because NHS Surrey has been entrusted with the welfare of its patients. Should the contractor be responsible? Absolutely, yes."

The US has comparable legislation with which the healthcare industry must comply. The Office of Civil Rights enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets standards for the security of Protected Health Information; and the HIPAA Patient Safety Rule, which protects information used to analyse patient safety events.

Earlier this year, Advocate Health Care lost approximately four million patient records due to the theft of four unencrypted computers. The data comprised social security numbers, personal details and clinical data, including diagnoses and insurance information of patients dating back to the 1990s.

Healthcare analyst Shane Walker from IHS Research explains that non-compliance with HIPAA can also be very costly for US healthcare providers, as it was in 2011, when Cignet Healthcare was fined $4.3m for blocking patients' right to copies of their medical records.

"Turning to computer-based systems is a great enabler for any business, medical or not, but given the sensitivity of the data held in such systems, healthcare providers need to have rigorous processes to protect the information held within it," says Steer. "Though we have the UK Data Protection Act to do this, none of the [providers] will go to the extent of discussing how they should protect against targeted cyber-attacks today. My fear is that most healthcare organisations do not have the tools to prevent an attacker with clear intent."

Two-factor authentication

Whilst modernising the healthcare industry is already in practice with complex technologies including robotics, artificial-intelligence software, and digital imaging systems used for X-rays, it has been a slow process to migrate patient records to the digital domain. The benefits are clear: digital records can deliver in terms of efficiency and quick access to information, especially during emergencies, where medical staff need fast access to patient data.

Alex Bazin, Fujitsu's application services, cloud and strategic solutions CTO, says there are four reasons why hospitals implement biometric patient ID technologies: to improve efficiency of patient check-in, to reduce insurance fraud, to improve compliance in prescribing and drug administration, and to reduce risk of patient harm.

However, these reasons do present a challenge for those tasked with protecting personal information and preserving the bond of confidentiality between doctor and patient. In order to prevent medical identity theft and identity confusion, the healthcare industry must adopt better two-factor authentication systems, and biometric technology is typically a strong option.

Authentication can take three forms: a user can create a unique password or personal ID number, use a security token or smart card, or use their own physical or behavioural biometric traits, such as DNA, facial characteristics or voice patterns, which can be measured, analysed and matched.

There is an element of risk, as passwords can be hacked, and ID cards, security tokens and contactless bracelets can be lost, stolen, swapped or even hacked. Biometric technology can offer a more secure method, as fingerprint, voice, retina and face traits are harder to mimic or steal.
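To make the "two-factor" idea above concrete, here is an added example (not from the article, Fujitsu, Entrust or any other party it names) of a minimal two-factor login in Python: a salted, iterated password hash for the "something you know" factor and an RFC 6238 time-based one-time code of the kind a hardware or phone token produces for the "something you have" factor. The username, the PBKDF2 round count and the one-step clock-drift window are assumptions chosen for the example; the HOTP/TOTP arithmetic follows the RFCs.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # work factor for the stored password hash (assumption)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current period or the `window` periods either side,
    to tolerate clock drift between token and server. The comparison is constant-time
    so that the server does not leak how many digits matched."""
    now = int(time.time()) if at is None else int(at)
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256 digest; the plaintext password is never stored."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def register(users: Dict[str, dict], username: str, password: str,
             token_key: Optional[bytes] = None) -> bytes:
    """Create an account and return the token secret that would be provisioned
    once into the user's authenticator (a random 160-bit key unless one is supplied)."""
    salt, digest = hash_password(password)
    token_key = secrets.token_bytes(20) if token_key is None else token_key
    users[username] = {"salt": salt, "pw": digest, "token_key": token_key}
    return token_key


def login(users: Dict[str, dict], username: str, password: str, code: str,
          at: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated and a single generic
    result is returned, so a failed attempt does not reveal which factor was wrong."""
    user = users.get(username)
    if user is None:
        return False
    pw_ok = verify_password(password, user["salt"], user["pw"])
    code_ok = verify_totp(user["token_key"], code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    key = register(db, "clinician", "correct horse battery staple")  # constructed account
    current = totp(key)
    print("login with password + current code:", login(db, "clinician", "correct horse battery staple", current))
    print("login with password only (bad code):", login(db, "clinician", "correct horse battery staple", "000000"))
```

The point the article's quote about banks makes, that a token on its own is not a silver bullet, shows up in the design: the code is only accepted alongside the password, the drift window is kept small (a wider window gives an intercepted code a longer useful life), and a stale code from a few periods ago is rejected even when the password is right.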

"In the banking industry they have faced this problem for a number of years. Banks used tokens, keys, SMS codes and now even telephone calls to deliver a pin – however all have been subverted by criminals with a clear intent to gain access," says FireEye's Jason Steer. "Biometrics are a good way to provide extra authentication; however one thing we do know is that two-factor authentication schemes can now be bypassed."

Then there is the phenomenon of 'health tourism' or 'cross-border healthcare', when foreign nationals move to a different country for treatment, but then leave without paying the costs. In the UK this has resulted in secretary of state for health Jeremy Hunt proposing to charge non-EU migrants £200 a year to access the NHS, as a way of protecting UK taxpayers.

The European Healthcare Fraud and Corruption Network (EHFCN) aims to work alongside medical professionals to prevent, detect, investigate, prosecute and redress the result of healthcare fraud and corruption. However, the organisation warns that fraud and corruption is not only committed from a patient and tourist perspective; practitioners, healthcare providers and suppliers can also commit these crimes. The EHFCN says healthcare professionals can commit fraud by charging unofficial fees, demanding bribes for medication, and of course, using patient data to commit identity fraud.

Earlier this year, two nurses from Virginia were charged with stealing the identities of at least a dozen patients as part of a scheme to claim $116,000 in fraudulent tax refunds. The nurses stole patient names, dates of birth and social security numbers and gave them to their accomplices, who would then file false income tax returns, with refunds ranging from $999 to $7,300.


Case studies: Hospitals on board with two-factor authentication

ICT business provider Fujitsu Frontech North America and healthcare technology provider HT Systems announced in 2012 that HT Systems was the exclusive provider of Fujitsu's PalmSecure, a palm vein authentication technology for patient registration and identification.

HT Systems' initial biometric identification management system, PatientSecure, uses Fujitsu's PalmSecure palm vein biometric sensors, which automatically link patients to their medical record, with the aim of bolstering the security of medical records and enhancing the patient experience, but most importantly preventing medical identity theft.

PalmSecure technology uses near-infrared light to capture a patient's palm vein pattern, generating a unique biometric template that is matched against pre-registered users' palm vein patterns. The contactless technology can only recognise a vein pattern if haemoglobin is actively flowing through the veins, which is part of what makes vascular pattern recognition reliable. One further benefit is that PalmSecure does not come into contact with the user's skin, making the process more hygienic, Fujitsu claims.

"Palm vein patterns cannot be observed under normal lighting, or be left on surfaces, therefore the risk of somebody obtaining a patient's palm vein image is low in comparison to other biometrics," says Fujitsu's CTO Alex Bazin. "This solution prevents issues of fraudsters using a patient's insurance documents to obtain treatments, and ensures a positive match between patient attendance and treatment and prescriptions, which prevents billing fraud." Bazin adds: "The system does not relate to sickness benefits or other disability payments; it is simply concerned with ensuring a reliable connection with the patient and their claimed identity."

Over 35 US healthcare providers (including the Langone Medical Center, Texas Health Resources, Covenant HealthCare, Valley Care Health System, Orlando Health, Baptist Health, and Saint Peter's Hospital) have adopted the biometric authentication technology as a way to protect patient identity and medical information, prevent impersonation and eliminate misidentification caused by human error. The system is also claimed to eliminate duplicate medical records that arise when patients are registered under more than one name or address over multiple visits, and it allows for identification in an emergency, even if the patient is unconscious.
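The two paragraphs above describe three operations on a template store: matching a fresh capture against enrolled templates, finding a patient who cannot state their identity (a one-to-many search), and refusing a second registration of a palm that is already enrolled. The Python below is an added illustration of that logic, not Fujitsu's or HT Systems' code: it stands in for the template with a fixed-length bit string, measures similarity by Hamming distance, and applies an acceptance threshold. The 256-bit template size, the 0.25 threshold, the patient IDs and the "noisy capture" (an enrolled template with a few bits flipped) are all constructed for the example; a real sensor derives the template from the infrared image.

```python
import random
from typing import Dict, Optional

TEMPLATE_BYTES = 32  # 256-bit template; the size is an assumption for this example


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def normalised_distance(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ, in [0.0, 1.0]; unrelated templates sit near 0.5."""
    return hamming_distance(a, b) / (len(a) * 8)


class TemplateStore:
    """One enrolled template per patient. Only derived templates are kept;
    the raw palm image is never stored."""

    def __init__(self, threshold: float = 0.25):
        self.threshold = threshold  # maximum distance still counted as a match
        self._templates: Dict[str, bytes] = {}

    def identify(self, probe: bytes) -> Optional[str]:
        """1:N search: the closest enrolled patient, or None if nobody is within
        the threshold (the case of an unconscious patient with no claimed identity)."""
        best_id, best_d = None, 1.0
        for pid, stored in self._templates.items():
            d = normalised_distance(probe, stored)
            if d < best_d:
                best_id, best_d = pid, d
        return best_id if best_d <= self.threshold else None

    def verify(self, patient_id: str, probe: bytes) -> bool:
        """1:1 check: does the capture match the template of the claimed patient?"""
        stored = self._templates.get(patient_id)
        return stored is not None and normalised_distance(probe, stored) <= self.threshold

    def enrol(self, patient_id: str, template: bytes) -> bool:
        """Refuse enrolment when the palm already matches an existing patient,
        which is how a second record under a different name or address is caught."""
        if patient_id in self._templates or self.identify(template) is not None:
            return False
        self._templates[patient_id] = template
        return True


def random_template(rng: random.Random) -> bytes:
    """Constructed stand-in for a freshly extracted template."""
    return bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))


def simulated_capture(true_template: bytes, flipped_bits: int, rng: random.Random) -> bytes:
    """Constructed sensor read: the enrolled template with a few bits flipped
    to mimic capture noise from hand placement and lighting."""
    bits = bytearray(true_template)
    for pos in rng.sample(range(len(bits) * 8), flipped_bits):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def demo() -> dict:
    rng = random.Random(2013)  # fixed seed so the constructed data is reproducible
    store = TemplateStore()
    patients = {pid: random_template(rng) for pid in ("P001", "P002", "P003")}
    for pid, template in patients.items():
        store.enrol(pid, template)

    noisy_p002 = simulated_capture(patients["P002"], 20, rng)   # same palm, noisy read
    stranger = random_template(rng)                              # never enrolled
    return {
        "identified": store.identify(noisy_p002),                # expect "P002"
        "verified_as_claimed": store.verify("P002", noisy_p002), # expect True
        "verified_as_other": store.verify("P001", noisy_p002),   # expect False
        "stranger": store.identify(stranger),                    # expect None
        "duplicate_enrol": store.enrol(
            "P002-duplicate", simulated_capture(patients["P002"], 10, rng)),  # expect False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold is the security knob: lowering it makes a stranger less likely to be accepted (fewer false matches) at the cost of more genuine patients being turned away on a noisy read, which is why a deployment would tune it from measured capture noise rather than pick a round number as this example does.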

Bazin adds: "Fujitsu has no specific plans to offer this technology in the UK health market; the particular NHS funding model means the issue of fraud related to billing or patient identification is perceived to be less of an issue than in other countries, and this limits the scope of adoption."

University Hospitals Birmingham

In 2012 identity-based security company Entrust provided two-factor authentication to University Hospitals Birmingham to ensure patient medical records and clinical information were secure. Alongside systems integrator Data Integration, Entrust aims to ensure the myhealth@QEHB web-based portal gives patients secure access to their medication, lab results, letters and patient information. The portal was first trialled by liver patients at Queen Elizabeth Hospital Birmingham in 2011.

The myhealth@QEHB portal enables long-term care patients to remotely access their clinical information, including test results, letters and medication information, as well as to contact their doctor directly, book appointments and receive reminders. The portal also provides a network for patients experiencing similar illnesses; they are able to converse, contribute to group discussions and form friendships.

However, web-based designs are prone to cybercrime, and the amount of personal information stored on the myhealth@QEHB portal makes it a perfect target for hackers.

The development team has factored this issue in and has hired ethical hackers to carry out penetration and code testing; this is particularly necessary for the 'vault' feature in the portal.

The feature enables patients to upload any information they wish to share, but it makes it a prime spot for hackers to interfere.

Lancashire Care NHS Foundation Trust

As well as patient identity assurance, healthcare workers also need to authenticate their identity when accessing patient data. In 2012, Lancashire Care NHS Foundation Trust trialled the 'Identity Agent', software that enables healthcare workers to use Microsoft Windows 7 or 8 to connect to the National Programme for IT's Spine infrastructure using NHS smartcards.

Alan Boardman, IM&T technical systems manager at the Trust, explains why the Microsoft upgrade was necessary. "The Identity Agent component issued for use on Microsoft Windows computers was only supported up to Microsoft Windows XP, which has limited life in terms of ongoing support; this had the potential to pose security issues for the Trust if used after this time."

The Spine is part of a national infrastructure that supports the delivery of services and healthcare facilities in the UK, such as pharmacies, opticians, dentists and education and training establishments. The infrastructure enables staff to share patient information across organisations within the NHS and also to use patient data for research, management, audit and financial activities.
