The healthcare industry is under attack, with imposters, fraudsters and cyber-criminals pretending to be people they are not to acquire personal patient data. But the ID theft clampdown has begun.
The migration to electronic medical records is an important transition for the healthcare industry. Not only is it aimed at making healthcare more efficient and improving the quality of patient care, but the concept ties in with other e-health initiatives that can take advantage of emerging technology to improve the quality of patient care.
Electronic medical records have received a good deal of attention in recent years, and not necessarily for the most positive reasons. Whilst the UK's NHS and the USA's Obama administration have encouraged healthcare organisations to invest heavily in electronic healthcare records, it has become increasingly clear that there is a need to guard against playing into the hands of cybercriminals.
With so much personal data residing in one place, it is hardly surprising that electronic medical records have become huge on the global black market for hacked data. They hold a wealth of personal information about individuals, ranging from national insurance numbers, diagnosis outcomes and test information, to financial details, such as income, credit-card details, and home addresses.
Confidentiality is, of course, key to maintaining the trust between doctor and patient, but as the healthcare industry becomes 'modern' in terms of digital imaging, e-prescriptions and electronic medical records, the industry is now prone to further challenges. Medical identity theft varies from stealing personal data to commit insurance and benefit fraud to stealing prescriptions and claiming medicine to resell.
"Fraudsters are very adept at moving goods on to the grey markets very quickly, and as healthcare systems carry large amounts of data on patients, getting access provides a treasure trove of details for ID theft," explains security specialist FireEye's senior architect Jason Steer. "Though healthcare providers would not typically consider themselves a cyber-target, the one thing many businesses are finding is that they are targeted for the data, drugs, prescriptions, research and anything else that one could consider of value."
He adds: "The sheer amount of sensitive data available is worth significant amounts of money on the black market to criminals – the value should not be underestimated."
US analyst Ponemon Institute conducted its 'Third Annual Survey on Medical Identity Theft', commissioned by Experian's ProtectMyID, in 2012. It surveyed 807 individuals who have had their identity stolen in some way. Of these, 757 said they or their immediate family members have been "victims of medical identity theft".
The survey results uncovered that each year an estimated average of two million Americans are victims of medical identity theft, and the estimated cost of theft, based on mean value is $41bn, an increase from the estimated £30.9bn in 2011. Respondents also report having lost their trust in their healthcare providers, and additionally victims resolved the theft by reimbursing the fraudulent charges to the healthcare provider or insurer, which on average took one year for the matter to be resolved and recover the amount paid back.
Some 57 per cent of respondents admitted they never check their medical records to verify the accuracy of information, simply because they do not know how to do the checks, plus they trust their healthcare providers to be accurate.
More alarmingly, 20 per cent of respondents said that their medical records had been accessed or modified. This is a major concern, as altered medical record can result in wrong treatments, particularly if the patient is in a critical condition and does not receive the correct medication, or is left untreated altogether.
The Data Protection Act 1998 covers information on an individual's physical and mental health, and only a registered health professional has the legal right to access the records. Despite this, the Information Commissioner's Office served Brighton and Sussex Hospitals NHS Trust with a Civil Monetary Penalty of £325,000 when computer hard-drives containing personal information about thousands of patients were sold on eBay in 2010.
This is by no means the only such incident. In 2012 NHS Surrey was ordered to pay £200,000 after over 3,000 patient records – 2,000 belonging to children – were found on a second-hand computer, and again sold on eBay. The ICO said it was one of the most serious data breaches as a contractor for NHS Surrey had failed to wipe and destroy 1,570 hard-drives.
"If these records end up in the hands of criminals, and the data is accessed, and it includes information on adults and children, who knows what it can lead to? At the very least it would be ID theft," says security consultant firm Accourt's security analyst Neira Jones. "Should the contractor be accountable? Definitely not, because NHS Surrey has been entrusted with the welfare of its patients. Should the contractor be responsible? Absolutely, yes."
The US holds a similar act and the healthcare industry must comply. The Office of Civil Rights enforces: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy rule which protects the privacy of individually identifiable health information; the HIPAA Security Rule which sets standards for the security of Protected Health Information; and the HIPAA Patient Safety Rule which protects information being used to analyse patient safety events.
Earlier this year, Advocate Health Care lost approximtely four million patient records due to the theft of four unencrypted computers. The data comprised social security numbers, personal details and clinical data, including diagnoses and insurance information of patients dating back to the 1990s.
Healthcare analyst Shane Walker from IHS Research explains, if US healthcare providers are not compliant with HIPAA, it can also be very costly, as was the case in 2011, where Cignet Healthcare was fined $4.3m for blocking patients' rights to copies of their medical records.
"Turning to computer-based systems is a great enabler for any business, medical or not, but given the sensitivity of the data held in such systems, healthcare providers need to have rigorous processes to protect the information help within it," says Steer. "Though we have the UK Data Protection Act to do this, none of the [providers] will go to the extent of discussing how they should protect against targeted, cyber-attacks today. My fear is that most healthcare organisations do not have the tools to prevent an attacker with clear intent."
Whilst modernising the healthcare industry is already in practice with complex technologies including robotics, artificial-intelligence software, and digital imaging systems used for X-rays, it has been a slow process to migrate patient records to the digital domain. The benefits are clear: digital records can deliver in terms of efficiency and quick access to information, especially during emergencies, where medical staff need fast access to patient data.
Alex Bazin, Fujitsu's application services, cloud and strategic solutions CTO, says there are four reasons why hospitals implement biometric patient ID technologies: to improve efficiency of patient check-in, to reduce insurance fraud, to improve compliance in prescribing and drug administration, and to reduce risk of patient harm.
However, these reasons do present a challenge for those tasked with protecting personal information and preserving the bond of confidentially between doctor and patient. In order to prevent medical identity theft and identity confusion, the healthcare industry must adopt better two-factor authentication systems, and biometric technology is typically a strong option.
Authentication can be classified in three forms; a user can create a unique password or personal ID number, use a security token or smart card, or use their own physical or behavioural biometric traits, such as DNA, facial characteristics, voice patterns, which can be measured, analysed and matched.
There is an element of risk, as passwords can be hacked and ID cards, security tokens, and contactless bracelets can be lost, stolen, swapped or even hacked. Biometric technology can offer a more secure method, as fingerprint, voice, retina and face traits are more challenging to mimic or steal.
"In the banking industry they have faced this problem for a number of years. Banks used tokens, keys, SMS codes and now even telephone calls to deliver a pin – however all have been subverted by criminals with a clear intent to gain access," says FireEye's Jason Steer. "Biometrics are a good way to provide extra authentication; however one thing we do know is that two-factor authentication schemes can now be bypassed."
Then there is the phenomenon of 'health tourism' or 'cross-border healthcare', when foreign nationals move to a different country for treatment, but then leave without paying the costs. In the UK this had resulted in secretary of state for health Jeremy Hunt proposing to charge non-EU migrants £200 a year to access the NHS, as a way of protecting UK taxpayers.
The European Healthcare Fraud and Corruption Network (EHFCN) aims to work alongside medical professionals to prevent, detect, investigate, prosecute and redress the result of healthcare fraud and corruption. However, the organisation warns that fraud and corruption is not only committed from a patient and tourist perspective; practitioners, healthcare providers and suppliers can also commit these crimes. The EHFCN says healthcare professionals can commit fraud by charging unofficial fees, demanding bribes for medication, and of course, using patient data to commit identity fraud.
Earlier this year, two healthcare nurses'from Virginia were charged with stealing the identities of at least a dozen patients as part of a scheme to claim $116,000 in fraudulent tax refunds. The nurses stole patient names, date of births and social security numbers and give them to their accomplices, who would then file false income tax returns, with refunds ranging from $999 to $7,300.