E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Health News Digest

Posted on October 15, 2010

Imagine your personal medical information has been compromised by a security breach. Then imagine finding out that your personal information has been used by someone to obtain medical treatments and even prescription drugs. The gravity of this breach becomes even more serious when you receive an invoice for the treatment, or worse, find out medical information in your personal file has been changed.

Medical identity theft is the fastest-growing form of ID theft in America today and has become a growing global problem, with the World Privacy Forum estimating the number of victims to be between 250,000 and 500,000 people each year.

According to a Harris poll, the numbers are even higher than what the World Privacy Forum estimates, with approximately 4 percent of American adults, or nine million people, believing that they or a member of their family have had confidential medical information lost or stolen.

Medical identity theft can expose a person's personal information, which can then be used by fraudsters to get medical treatments, benefits, prescription drugs and generally defraud the medical system. The victims of identity theft may ultimately receive incorrect medical treatment if their records have been altered. In a medical emergency, these fraudulent changes could lead to incorrect diagnoses and even death.

Cases of Medical Identity Theft are Growing

In the U.S., where the for-profit healthcare system creates incentives for hospitals and insurance companies to root out identity theft, an estimated 15 percent of claims are considered fraudulent.

From the standpoint of medical institutions, the consequences of medical identity theft may be significant. Healthcare providers may face heavy fines, legal expenses, bad publicity and reputation loss. According to Forrester Research Inc., in 2006 companies that experienced security breaches lost between one and $22 million, and with the Ponemon Institute's 2009 Cost of Data Breach Study placing the average cost of a breach across a range of organizations as high as $202 per record or $6.6 million per breach, a patient data breach is potentially a debilitating event for any healthcare facility regardless of size.

The Mechanics of the Breach

The moment a hospital admits a new patient, a medical record is initiated. Moving through different phases of the medical process, the record accumulates a multitude of details - from the patient's lifestyle to symptoms, test results, diagnoses, treatment plans, procedures, insurance and personal information. These files, often kept in paper-based form, may continue beyond the original medical institution, making their way to other hospitals and clinics, family practice offices, insurance companies and health-related organizations.

In a hospital, many people may have access to patients' confidential information. While most employees would never use this information for fraudulent purposes, some may, by exploiting it themselves or leaking it to thieves.

Security breaches may also result from the intentional or unintentional negligence of healthcare employees. While stories about medical files being dumped into recycling dumpsters or garbage containers - and even posted on the Internet - may sound anecdotal, such incidents do happen. These kinds of security breaches are becoming more common worldwide:
• Confidential documents left in unsecure recycling boxes or garbage bins.
• Lack of training for staff on what patient information should be protected and securely destroyed.
• Unsupervised medical files in file rooms or on desks.
• Lack of focus on document destruction due to budgetary concerns.
• Unsupervised or inadequate in-house document destruction facilities.

Furthermore, medical records also must be stored for a period of time, increasing the chances for a breach. Regular paper records are often kept for 10 years, and if it is a teaching hospital, or concerns a pediatric patient, hospitals may keep the records for 15 years or longer.

Medical Identity Theft Trends

While there is no all-encompassing research on this, here are some of the trends in medical identity theft that Shred-it experts have compiled:

Insider wrongdoing - The most common pattern in medical identity theft involves healthcare insiders. According to the Healthcare Information and Management Systems Society, about 23 percent of all breaches that required notification since 2000 have been caused by an employee.

Organized crime - The people who work within the healthcare sector may sell stolen medical identity data to organized crime groups. Such groups may set up dummy corporations for short periods of time and bill insurance companies for expensive medical equipment.

Internet disclosure - Medical information may be erroneously posted on the Internet, which may or may not result in identity theft and fraud.

Stolen or lost laptops - There are a number of examples when the security of patient information is compromised as a result of the loss or theft of laptops and data drives.

Common Document Security Measures

In the U.S., most medical institutions are using some kind of document shredding process; they either outsource it through third parties or use shredders. However, their level of security varies widely, based on several factors:
• How the process is organized - do they have a detailed information security strategy and accompanying policies?
• Are there any security gaps - consistency of the process throughout the organization?
• Level of top-management's commitment to the department's integrity.
• Employee training in secure document storage and destruction protocols.
• Employees' attitudes to, and culture around, managing the paper trail.
• Before each shredding session, all paper that is no longer required is stored in special on-site locked containers.

U.S. Legislation protecting Medical Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires healthcare organizations to "maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information."

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act of 2009 (ARRA), contains incentives related to health care information technology and incentives designed to accelerate the adoption of electronic health record systems among providers. The Act also widens the scope of privacy and security protections available under HIPAA, increasing the potential legal liability for non-compliance and providing for more enforcement.

The Shred-it Solution

Balancing the protection of patients' medical records with budgetary constraints and patient information accessibility in a hospital environment is no easy task. To protect the security of patients' information, hospitals should correctly identify security challenges in their organization and physically secure data. In a busy hospital setting, emphasis is typically placed on speed and ease of access to information rather than on information security. The challenges of making medical information secure are particularly critical in the context of large medical organizations. Hospitals should also integrate and manage the emerging large-scale e-health applications and get sufficient funding for security management systems.

While there is no single solution, medical institutions should consider the following:
• Analyze possible security gaps and work with security experts to assess existing security systems.
• Invest in ongoing risk analysis processes.
• Develop stringent policies regarding access to sensitive patient information, as well as the protocols for authorization and authentication of individuals accessing health information.
• Formulate strategies for dealing with security incidents.
• Effectively integrate electronic information systems with clinical and administrative workflows.
• Ensure medical documents that are no longer required to be kept on record are destroyed in a secure manner.

The value Shred-it offers to its medical clients extends beyond the physical process of destroying documents. Working as a strategic partner, Shred-it helps clients identify and proactively manage their unique security risks. It addresses the full spectrum of their operational, security and financial needs, developing - and executing - a strategy that is both effective and cost-efficient.

Among Shred-it's document destruction solutions are:
• Working alongside hospital Privacy Officers and departments to come up with custom solutions to protect patients' private information.
• Sharing and employing best practices learned at other healthcare facilities.
• Understanding the budgetary restraints that affect hospitals and coming up with the most cost-effective solution possible.
• Providing the highest level of security in document destruction processes.
• Training and sharing with hospital staff the importance of secure document destruction techniques.
• For institutions with in-house shredders, providing support when this process gets backed up.
• Providing pre-screened, bonded and insured customer service representatives.
• Allowing healthcare staff to view the document destruction process, if necessary.

Working Together to Eliminate Medical Identity Theft

Secure document destruction saves costs, increases employee productivity and enhances the reputation of medical institutions. But it also does much more, protecting patients from the medical, financial and psychological consequences of privacy breaches and identity theft and fraud.

By Mike Skidmore, Shred-it Privacy & Security Officer


In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
