HIPAA archives - Sister CISA CISSP


Feb 17 2009   6:44PM GMT

“Electronic Medical Records” or “Ready - Fire - Aim!”



Posted by: Arian Eigen Heald
Compliance, HIPAA, data security, medical identity theft, Privacy

What happens when we build a national database, with everyone’s health records? Will everyone get better, less expensive healthcare? That’s the impetus for funding a portion of the stimulus bill to push more health providers into the electronic age.

There are three items to consider, and they are the same ones we must always deal with:

Confidentiality - WHO has access to your health records? Right now hospitals, doctors, pharmaceutical companies and the government have access to your health records. And probably a lot more marketing companies have pieces of information, as well. An online pharmacy clerk in West Overshoe knows all your prescription medications and is paid minimum wage.

Integrity - Is your data accurate? Or has someone stolen your medical information to get health care, died, and left you with a rolling disaster?

Availability - Can you inspect and correct your data - ALL your data, including any diagnoses? What if you don’t agree with one? Can you delete it?

If you compare the answers, it looks remarkably similar to where your (and my) credit record is right now - in the hands of the data miners. All my data belong to….them.

From a regulatory perspective, the Feds are not providing any real consequences for medical data breaches, or lack of HIPAA compliance. They are waving a large carrot around, instead. Only one or two organizations have actually been fined for non-compliance, despite a large uptick in data breaches. It is left to the outraged patient to sue for damages. There are no clear statistics for medical identity theft, because the appropriate agency isn’t tracking them.

It’s one thing to get information online, another thing to get it online safely. It seems to be a pattern in every industry that data becomes electronic before any thought of security.

Dec 24 2008   7:14PM GMT

Getting What You Pay For…..2008



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Database security, IT audit, Admins and Auditors, Tearing My Hair Out, SAS 70

In my travels as an auditor this year, I’ve visited 15 states and seen approximately 20 different networks, both LAN and WAN. I’ve audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service bureaus.

I continue to see networks that are not patched. “It might break our custom code,” is the most common excuse, followed by, “Gee, we just didn’t get around to it.”

Software coding continues to be a security disaster in the making. Developers continue to open up databases by giving too many rights to users and application IDs. I still find individual developer IDs inside production databases.

Management continues to be unwilling to invest the money in a secure architecture. In the last three years, I can count on the fingers of one hand the organizations I’ve seen that follow secure best practices. And not use all the fingers.

I still hear people try to tell me that they don’t need a firewall because they have really good routers. And then they don’t update the IOS on the routers and/or leave the default SNMP strings in place.

If you are paying for these services, and you are getting the above, there is a problem waiting to happen on your network. If you don’t know what’s going on in your databases, time to find out before another Countrywide happens in your back yard.

Have a safe holiday. And remember: who is responsible for good security? You are. I am. Let’s keep trying to do it right.


Nov 25 2008   2:57PM GMT

Data Breaches and Business Liability Part I



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Identity theft, Data Breaches, PCI DSS, IT audit

The most significant financial impact of identity theft has yet to be examined. I believe that the risks to business and other institutions now include legal, reputation, financial and compliance risks that cannot be transferred.

Victims of identity theft are looking to recoup their financial losses and punish those people or institutions that enable identity theft to happen. The average arrest rate (according to law enforcement) is under 5% of all reported cases. Thieves do not have the resources to repay their victims by the time (or if ever) they are caught. Business does. If business organizations are providing the opportunity for identity theft to occur, they will be sued. We should make it our job to see that we are not among the defendants.

According to the Identity Theft Resource Center (an outfit that I happen to respect a lot, because they are very specific about their statistics and about what counts as a “breach”), as of November 11, 2008 there have been 574 breaches, with a total of 33,593,557 records exposed.

You can download the report at their site. It’s painfully interesting.
Here’s how it breaks down, keeping in mind that we’re not done with 2008 yet:

Category                   Breaches   Records       % of breaches (2007)   % of records
Banking/Credit/Financial   66         17,231,057    11.5% (7%)             51.3%
Business                   202        5,705,628     35.2% (29.3%)          17%
Educational                120        761,303       20% (24.7%)            2.3%
Government/Military        100        2,656,407     17% (24.5%)            7.9%
Medical/Healthcare         86         7,239,162     15% (14.5%)            21.5%

Banking/Credit/Financial had the fewest breaches, but the most loss of data. Thieves are not stupid. Business had the most breaches; we need to get much stronger here.

Why do these statistics matter? Because, one way or another, every business and every person is affected.


Mar 18 2008   6:53PM GMT

More on Medical Identity Theft - New California Law Requires Breach Notification



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Identity theft

Can you tell I got behind on my hardcopy reading? I just caught Rebecca Herold’s fine article in the Computer Security Alert of 2/2008 (a CSI monthly newsletter well worth getting, by the by, for the quality of the articles) concerning one aspect of medical identity theft: breach notification.

California is the first state in the nation to include “medical information” AND “health insurance information” in their updated state law on privacy breach notification. Since California was also the first state to implement a privacy breach requirement in state law, we can hope that other states will follow suit in this as well. The updated law, S.B. 1298, came into effect in January 2008. Here’s the relevant section:

(e) For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(4) Medical information.
(5) Health insurance information.

(f) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

This law will have an impact on any entity doing business in the state of California, and addresses the fact that HIPAA regulations contain no requirement for breach notification. “Ooops, we lost your medical information, but whew, we don’t have to tell you!”

These regulations also affect health care technology companies, including companies like Google or Microsoft (think Health Vault) who want to hold your information for you:

This bill would apply the prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information to allow an individual to manage his or her information, or for the treatment or diagnosis of the individual.

You can read the full legislative act here.

The bill does exempt organizations that encrypt their Personally Identifiable Information, and I suspect it will have a bigger impact on health care in terms of compliance.


Mar 13 2008   8:26PM GMT

“Medical” Identity Theft - New (to me) and Scary



Posted by: Arian Eigen Heald
Security, HIPAA, Identity theft, Database security

A recent story in Government Technology magazine educated me on exactly what “medical identity theft” is and what the risks are. Although the article focused on Medicaid and Medicare fraud, the statistics and risks made for scary reading. And it started me thinking about MY medical data.

In a nutshell, medical identity theft involves the use of patient identification numbers and/or physician identification numbers, both used to bill for services and obtain payment.

The FTC estimated, based on overall identity theft statistics, that medical identity theft cases numbered 3 percent of all identity theft cases. That’s about 250,000 cases a year, at a conservative estimate.

The FTC is not responsible for addressing medical identity theft, the Department of Health and Human Services is. Nor is there an ability to use FACTA (Fair Credit Reporting Act) to remove fraudulent medical records.

According to the World Privacy Forum and Blue Cross Blue Shield Association, at least 1 percent of fraud is estimated to be medical identity theft: that’s $600 million per year. Ouch.

For individual patients, the theft of their medical identification numbers presents an even more difficult scenario to resolve than “regular” identity theft. Their medical history gets changed, along with erroneous information about allergies, medications and procedures done. With HIPAA protecting medical records, it is much harder to change the records that list the “bad” information.

And imagine trying to get insurance with a false “pre-existing condition” created by fraud? Not to mention dealing with hospitals and other medical organizations trying to get payment.

Another interesting (and scary) statistic from the WPF:
Cost, on the street, for a stolen Social Security number? $1.
Cost, on the street, for stolen medical ID information? $50.

Medical identity data sitting in our HR databases is more valuable than Social Security numbers. Has it occurred to anyone else besides me that our medical ID numbers are often our Social Security numbers?

Bankrate has noted that since HIPAA has no enforcement mechanism, data security is not a high priority issue for health care facilities. The penalties are there in the legislation, but there is no inspection or reporting mechanism to ensure compliance. We are, in essence, trusting our medical providers and billers to keep our personal information secured.

Given the state of security in the majority of our business networks today, would that give you a warm fuzzy?

Me neither.

Next: “Synthetic” Identity Theft