
Criminals Have Their Eyes on Your Patients’ Records

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!
It’s one thing to have a laptop stolen with 8,000 patient records or for a disgruntled doctor to grab his patients’ records and start his own practice.  It’s another when the Cosa Nostra steals that information, siphons money from the patient’s bank account and turns it into a patient trafficking crime ring.  Welcome to organized crime in the age of big data.

Organized crime syndicates and gangs targeting medical practices and stealing patient information are on the rise. They’re grabbing patient names, addresses, insurance details, social security numbers, birth dates, etc., and using it to steal patients’ identities and their assets.

It’s not uncommon for the girlfriend of a gang member to infiltrate a medical practice or hospital, gain access to electronic health records, download patient information and hand it over to the offender, who uses it to file false tax returns. In fact, gang members often rent a hotel room and file the returns together, netting $40,000-$50,000 in one night!

Florida is a hotbed for this activity and it’s spreading across the country. In California, narcotics investigators took down a methamphetamine ring and confiscated patient information on 4,500 patients. Investigators believe the stolen information was being used to obtain prescription drugs to make the illicit drug.

Value of patient records

Stolen patient information comes with a high price tag if the medical practice is fined under HIPAA. One lost or stolen patient record is estimated at $50, compared to the price of a credit card record, which fetches a dollar. Patient records are highly lucrative. The chart below shows the value of patient information that might be sitting in an EHR system:

Amount of Patient Records    Value of Patient Records
1,000                        $50,000
5,000                        $250,000
10,000                       $500,000
100,000                      $5,000,000

Protect your practice

Medical practices need to realize they are vulnerable to patient record theft and should take steps to reduce their risk by implementing additional security.  Here are seven steps that organizations can take to protect electronic patient information:

  1. Perform a security risk assessment – a security risk assessment is not only required for HIPAA Compliance and EHR Meaningful Use but it can identify security risks that may allow criminals to steal patient information.
  2. Screen job applicants – all job applicants should be properly screened prior to hiring and providing access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
  3. Limit access to patient information – employees should have minimal access necessary to perform their jobs rather than full access to electronic health records.
  4. Audit access to patient information – every employee should use their own user ID and password; login information should not be shared. And access to patient information should be recorded, including who accessed, when, and which records they accessed.
  5. Review audit logs – organizations must keep an eye on audit logs. Criminal activity can be happening during a normal business day. Reviewing audit logs can uncover strange or unexpected activity. Let’s say an employee accesses, on average 10 patient records per day and on one particular day they retrieve 50 to 100 records.  Or records are being accessed after business hours. Both activities could be a sign of criminal activity. The key is to review audit logs regularly and look for unusual access.
  6. Security training – all employees should receive security training on how to protect patient information, and make sure they know any patient information activity is being logged and reviewed.  Knowing that employee actions are being observed should dissuade them from using patient information illegally.
  7. Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a doctor’s lab coat. Organizations should limit the use of USB drives to prevent illegal activity.
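Step 5 describes the two signals worth looking for in EHR audit logs: a user pulling far more records than usual on one day, and access outside business hours. The script below is an added example, not code from the post or from HIPAA Secure Now!; the log format (timestamp, user ID, record ID), the per-user baselines and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline: how many distinct records each user normally opens per day.
BASELINE = {"jdoe": 10, "msmith": 12}

# Constructed audit lines: "<ISO timestamp> <user ID> <record ID>", one access per line.
SAMPLE_LOG = "\n".join(
    ["2014-06-02T09:15:00 jdoe PT1001",
     "2014-06-02T09:20:00 jdoe PT1002",
     "2014-06-02T10:05:00 msmith PT2001",
     "2014-06-02T22:30:00 msmith PT2002"]      # after-hours access
    # constructed spike: jdoe opens 40 distinct records during the morning of 2014-06-03
    + [f"2014-06-03T{9 + i // 10:02d}:{(i % 10) * 5:02d}:00 jdoe PT{1100 + i}"
       for i in range(40)]
)

def parse_log(text):
    """Parse 'timestamp user record' lines into (datetime, user, record) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record = line.split()
        events.append((datetime.fromisoformat(ts), user, record))
    return events

def find_unusual_access(events, baseline, spike_factor=3, hours=(8, 18)):
    """Return findings for reviewers: any access outside business hours, and any
    user/day whose distinct-record count is spike_factor times the user's baseline."""
    daily = defaultdict(set)          # (user, date) -> distinct records accessed
    findings = []
    for ts, user, record in events:
        daily[(user, ts.date())].add(record)
        if not hours[0] <= ts.hour < hours[1]:
            findings.append(("after_hours", user, ts.isoformat(), record))
    for (user, day), records in sorted(daily.items()):
        usual = baseline.get(user, 0)
        if usual and len(records) >= spike_factor * usual:
            findings.append(("volume_spike", user, day.isoformat(), len(records)))
    return findings

if __name__ == "__main__":
    for finding in find_unusual_access(parse_log(SAMPLE_LOG), BASELINE):
        print(finding)
```

A real deployment would compute the baseline from the user's own history rather than a fixed table, but the two checks are the ones the post tells reviewers to look for.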

The high resale value of patient information and the ability to use it to file false tax returns or acquire illegal prescriptions make it a prime target for criminals. Medical practices need to recognize the risk and put proper IT security measures in place to keep their patient information from “securing” hefty tax refunds.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hipaasecurenow.com.

June 26, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Disaster Planning and HIPAA

When talk turns to HIPAA, most of us are focused on privacy compliance.  After all, privacy is a complex, expensive nightmare, and few hospitals or medical practices feel up to the task, so talking through those issues makes sense.

But as blogger Art Gross points out, the HIPAA Security General Rules require more than protecting a patient’s privacy. They also require that ePHI remains available even in the face of disaster. From the rules (courtesy of Gross, emphasis his):

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

Apparently, far too few healthcare providers are paying enough attention to this part of the rules. Gross, who is a HIPAA security consultant, says that when he audits organizations, few have disaster recovery or emergency operations procedures in place.

Now, big enterprise IT departments aren’t going to leave disaster recovery out of their planning; it’s simply part of the drill for any large installation. But the smaller the provider group gets — particularly when you zoom down to one to three-doctor practices — the story changes.

As people who read blogs like this one know, smaller practices aren’t likely to have so much as a single IT staffer on board. Keeping their EMR up and running is enough of a burden. I’m not at all surprised to hear that they aren’t prepared for disasters like Hurricane Sandy, which brought down even large medical centers.

But with HIPAA demanding immediate access to ePHI, doctors won’t have a choice much longer. And hospitals will want to make sure independent doctors aren’t the weak link in the availability chain.

Yes, it’s asking a lot of small practices to make intelligent disaster recovery plans for their EMR, and even more of their hospital partners if they want to keep access to the disparate EMRs out there. But there’s just no getting around the problem.

November 20, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.