Criminals Have Their Eyes on Your Patients’ Records

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!
It’s one thing to have a laptop stolen with 8,000 patient records or for a disgruntled doctor to grab his patients’ records and start his own practice.  It’s another when the Cosa Nostra steals that information, siphons money from the patient’s bank account and turns it into a patient trafficking crime ring.  Welcome to organized crime in the age of big data.

Organized crime syndicates and gangs targeting medical practices and stealing patient information are on the rise. They’re grabbing patient names, addresses, insurance details, social security numbers, birth dates, etc., and using it to steal patients’ identities and their assets.

It’s not uncommon for the girlfriend of a gang member to infiltrate a medical practice or hospital, gain access to electronic health records, download patient information and hand it over to the offender who uses it to file false tax returns. In fact gang members often rent a hotel room and file the returns together, netting $40,000-$50,000 in one night!

Florida is a hotbed for this activity, and it is spreading across the country. In California, narcotics investigators took down a methamphetamine ring and confiscated information on 4,500 patients. Investigators believe the stolen information was being used to obtain prescription drugs for making the illicit drug.

Value of patient records

Stolen patient information comes with a high price tag if the medical practice is fined under HIPAA. One lost or stolen patient record is estimated at $50, compared to a credit card record, which fetches about a dollar. Patient records are highly lucrative. The table below shows the value of patient information that might be sitting in an EHR system:

Number of patient records    Value of patient records
1,000                        $50,000
5,000                        $250,000
10,000                       $500,000
100,000                      $5,000,000

Protect your practice

Medical practices need to realize they are vulnerable to patient record theft and should take steps to reduce their risk by implementing additional security.  Here are seven steps that organizations can take to protect electronic patient information:

  1. Perform a security risk assessment – a security risk assessment is not only required for HIPAA Compliance and EHR Meaningful Use but it can identify security risks that may allow criminals to steal patient information.
  2. Screen job applicants – all job applicants should be properly screened prior to hiring and providing access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
  3. Limit access to patient information – employees should have minimal access necessary to perform their jobs rather than full access to electronic health records.
  4. Audit access to patient information – every employee should use their own user ID and password; login information should not be shared. And access to patient information should be recorded, including who accessed, when, and which records they accessed.
  5. Review audit logs – organizations must keep an eye on audit logs. Criminal activity can be happening during a normal business day. Reviewing audit logs can uncover strange or unexpected activity. Let’s say an employee accesses, on average 10 patient records per day and on one particular day they retrieve 50 to 100 records.  Or records are being accessed after business hours. Both activities could be a sign of criminal activity. The key is to review audit logs regularly and look for unusual access.
  6. Security training – all employees should receive security training on how to protect patient information, and make sure they know any patient information activity is being logged and reviewed.  Knowing that employee actions are being observed should dissuade them from using patient information illegally.
  7. Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a  doctor’s lab coat.  Organizations should limit the use of USB drives to prevent illegal activity.
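Steps 4 and 5 above describe what the audit trail should record and the two patterns a reviewer should look for: a user who normally touches about 10 records a day suddenly pulling 50 to 100, and records being opened after business hours. The following is an added example, not code from the original post or from HIPAA Secure Now!, of a small review script that applies both checks to a constructed audit log. The log line format (timestamp, user ID, patient record ID, action), the business hours of 08:00 to 18:00, and the spike thresholds are assumptions chosen for the example.

```python
"""Audit-log review for two signs of patient-record misuse (added example).

Assumed log line format: 'YYYY-MM-DDTHH:MM:SS user_id patient_id action'.
Every employee uses their own user ID, so activity is attributable per person.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

BUSINESS_START = time(8, 0)   # assumed business hours for the example
BUSINESS_END = time(18, 0)
SPIKE_FACTOR = 3.0            # flag a day at 3x the user's usual daily volume
MIN_SPIKE_COUNT = 20          # ignore "spikes" on tiny baselines (2 -> 6 views)


def parse_line(line):
    """Parse one audit line into a dict with a datetime and the string fields."""
    ts, user, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action}


def after_hours(entries):
    """Return the entries whose timestamp falls outside business hours."""
    return [e for e in entries
            if not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)]


def volume_spikes(entries):
    """Return (user, date, count, baseline) for days far above a user's norm.

    The count is distinct patient records touched that day.  The baseline is
    the user's mean daily count over every *other* day, so a spike day does
    not inflate the baseline it is compared against.
    """
    daily = defaultdict(lambda: defaultdict(set))   # user -> date -> {patients}
    for e in entries:
        daily[e["user"]][e["ts"].date()].add(e["patient"])
    findings = []
    for user, days in daily.items():
        if len(days) < 3:
            continue   # not enough history to call anything unusual
        for day, patients in days.items():
            baseline = mean(len(p) for d, p in days.items() if d != day)
            count = len(patients)
            if count >= MIN_SPIKE_COUNT and count > SPIKE_FACTOR * baseline:
                findings.append((user, day, count, round(baseline, 1)))
    return findings


def review(lines):
    """Run both checks over raw log lines and return the findings."""
    entries = [parse_line(line) for line in lines]
    return {
        "after_hours": [(e["user"], e["ts"].isoformat(), e["patient"])
                        for e in after_hours(entries)],
        "spikes": volume_spikes(entries),
    }


def build_sample_log():
    """Constructed sample log (not real data): nurse01 views 10 records a day
    Monday to Thursday and 60 on Friday; nurse02 views five records during
    the day and two more at 23:15 that night."""
    lines = []
    for day in range(3, 7):            # 2014-03-03 .. 2014-03-06, 10 records each
        for i in range(10):
            lines.append(f"2014-03-{day:02d}T09:{i:02d}:00 nurse01 P{day}{i:02d} VIEW")
    for i in range(60):                # 2014-03-07: 60 distinct records
        lines.append(f"2014-03-07T10:{i:02d}:00 nurse01 P7{i:02d} VIEW")
    for i in range(5):
        lines.append(f"2014-03-07T14:{i:02d}:00 nurse02 P8{i:02d} VIEW")
    lines.append("2014-03-07T23:15:00 nurse02 P9001 VIEW")
    lines.append("2014-03-07T23:16:00 nurse02 P9002 VIEW")
    return lines


if __name__ == "__main__":
    result = review(build_sample_log())
    for user, day, count, baseline in result["spikes"]:
        print(f"VOLUME SPIKE: {user} touched {count} records on {day} "
              f"(usual {baseline}/day)")
    for user, ts, patient in result["after_hours"]:
        print(f"AFTER HOURS: {user} opened {patient} at {ts}")
```

The leave-one-out baseline matters: if Friday's 60 views were averaged into nurse01's own baseline, the comparison would be against 20 rather than 10 and a smaller spike would slip under the threshold. In a real deployment the baseline would come from a longer history than four days, and a reviewer would still look at each finding by hand, since a legitimate reason (a new clinic opening, an on-call shift) explains many of them.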

The high resale value of patient information and the ability to use it to file false tax returns or acquire illegal prescriptions make it a prime target for criminals. Medical practices need to recognize the risk and put proper IT security measures in place to keep their patient information from “securing” hefty tax refunds.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hipaasecurenow.com.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

5 Comments

  • “Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a doctor’s lab coat. Organizations should limit the use of USB drives to prevent illegal activity.”

    How about CURTAIL use of USB drives? It’s one of the first things we did, and boy was I glad when I walked up to a nurse using her laptop w/o permission to access our system — and it didn’t work, so she came to get me….

    All of our PRINTER USBs are disabled as well — because you can print to a USB also. There is a USB port on thin clients, too. In short, every piece of equipment should be inspected for a USB port, and it should usually be disabled.

    USBs are the equivalent of a hole big enough to drive a semi truck through – easily.

  • Strong Authentication into clinical desktops/applications and auditing of authentication logs are a key element to the over all puzzle. Putting in place a multi-factor, Single Sign-On adds security as well as convenience that clinicians buy into. 2FA, Inc provides this sort of solution.

  • I do see the point presented in the article. We have experienced personal information hacking when our banking went virtual, when our credit cards went virtual, when our ATM cards went virtual. Nearly every time we conduct business/make a purchase via the internet there is a potential for hacking.

    Have we dismantled or discarded our online banking system due to the potential for hacking and identity theft? Have online purchases diminished due to hacking potential? Do we leave our mobile phones at home for fear of losing it with all of our personal information stored in it. Do we leave our personal or workplace laptops in our file cabinets when we leave for a business trip or attend a local coffee shop?

    My point is that with innovation there are accompanying risks. We will work to minimize medical record hacking, just as we have worked diligently to eradicate bank hacking. Will we eliminate all of it, No?, but we work to minimize the effects. Healthcare providers and hospital care staff will need to become more diligent and focused, now that this new problem has arisen.

  • The advent of “Big Data” has nothing to do with the theft of personal information, healthcare or otherwise. This is the potential theft of sensitive patient data. “Big Data” refers to the ability to leverage computational advances (parallelism, distribution, NLP) to improve operational efficiencies by processing data. “Big Data” has nothing to do with the proliferation of, nor the amount of, data. A database of 50,000 records can be leveraged with “Big Data” while a database of a billion records may have nothing to do with “Big Data”.
