To the criminally-minded, Protected Health Information (PHI) can be as precious as jewels. A recent case study on ID theft ring activity proves that facilities and independent practices alike must carefully monitor those with access to such highly coveted data.
An assistant clerk of a hospital was recently indicted for stealing PHI of over 12,000 patients and selling that data to an identity theft ring of cybercriminals. This employee was granted access to patient names, dates of birth, Social Security numbers, and other data via her authorized use of the facility's EHR program. She printed this information out, then sold the PHI to members of an ID theft ring for as little as $3 per record, using the money to make thousands of dollars in purchases at luxury department stores. Unfortunately, this case is not isolated, and fraud of this nature is easy to replicate.
When handled in certain ways, individually identifiable health information becomes PHI under HIPAA privacy and security regulations. The inappropriate disclosure of PHI is known as a breach, defined in regulations as:
“…the acquisition, access, use, or disclosure of protected health information in a manner…which compromises the security or privacy of the protected health information.” Breach of PHI may result in both civil and criminal penalties when there is “… intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm." The criminal penalty can reach $250,000 and 10 years in federal prison.
With such potential penalties, one might question why individuals would engage in such theft. The answer lies in the value of the information. The medical clerk used her theft profit for personal items, but the information she sold was destined to be used for more extensive purposes. A market exists where profit can be made from “… caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.” According to Trend Labs, the EHR information can repeatedly be used to:
- Acquire prescription drugs
- Receive medical care
- Falsify insurance claims
- File fraudulent tax returns
- Open credit accounts
- Obtain official government-issued documents such as passports and driver’s licenses
- Create new identities
Credit card numbers are useful to thieves only until the card expires, reaches its credit limit, or is cancelled. In contrast, medical information such as Social Security numbers has a longer "shelf life" for criminal use. Such use is frequently not immediately apparent to the medical practice or the patient, and a single piece of information may be sold or reused repeatedly over a long period of time.
Given these differences, it is not surprising that health information is worth more than 10 times as much as credit card numbers. In an extensive recent analysis, fake birth certificates based on medical data could be sold for $500, individual identities for up to $1,000, and an EHR database for as much as $500,000.
The problem of medical information breaches is clearly increasing. The US health/medical sector has the dubious distinction of being the “… industry with the highest number of data breaches, followed by the government and retail sectors.” The medical sector accounts for 45% of all industry breaches. It is clear that “…poor security around increasingly data-rich EHR systems pose a huge opportunity…" for criminal profit. Breaches of PHI come from many directions, but one study finds that, after criminal attack, the leading cause of healthcare data breaches is employee negligence, at 37%.
Prevention is key. Part of the solution is recognition of the extreme value of PHI. The value of medical information is so high that it is a magnet to the criminal element and a temptation to even medical employees. Some critical prevention activities include:
- Medical organizations must have appropriate policies to safeguard the privacy and security of the health information held in their designated record sets, e.g., their medical records, electronic and otherwise. HIPAA regulations have long required such policies.
- Beyond having policies, practices should have documented methods of implementing them, along with tracking of policy effectiveness.
- Employees need clear and ongoing training that promotes recognition of their legal responsibilities and potential liability.
- A practice security risk analysis should be conducted not once but repeatedly on a periodic schedule, confirming that the necessary administrative, physical, and technical safeguards are in place.
- Special attention must be given to the dangers of PHI on mobile devices, e.g., smartphones, tablets, flash drives, and laptops. Breaches involving these devices have resulted in single civil penalties of over $1,000,000.
These activities do not protect PHI completely, but done properly they provide a high level of security.
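The opening paragraph says facilities must carefully monitor those with access to PHI, and the risk-analysis item above calls for technical safeguards. The following is an added example, not code from the article or from any of its sources, of one such safeguard: a review of EHR audit-trail entries that flags any user whose daily count of distinct patient records viewed or printed is far above both a fixed ceiling and the median of peers on the same day. The log format, the account names, the thresholds, and the log lines themselves are constructed assumptions for illustration; a real EHR's audit export has its own fields and would be adapted to the parser.

```python
"""Review a constructed EHR audit trail for users whose record access or
print volume in a day is far above a fixed ceiling and above their peers."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Return constructed audit-log lines (not real data) in the assumed
    format '<ISO timestamp> <user> <VIEW|PRINT> <patient id>'."""
    start = datetime(2015, 5, 4, 8, 0, 0)
    lines = []
    # Three clinical users with ordinary activity: a few patients, a few prints.
    for user in ("nurse01", "nurse02", "doc03"):
        for i in range(8):
            ts = start + timedelta(minutes=30 * i)
            lines.append(f"{ts.isoformat()} {user} VIEW P{1000 + i}")
        for i in range(2):
            ts = start + timedelta(minutes=30 * i + 5)
            lines.append(f"{ts.isoformat()} {user} PRINT P{1000 + i}")
    # One clerical account that walks through and prints a large slice of the census.
    for i in range(120):
        ts = start + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} clerk07 VIEW P{2000 + i}")
        if i < 95:
            lines.append(f"{ts.isoformat()} clerk07 PRINT P{2000 + i}")
    return "\n".join(lines)


def parse_audit_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 4:
            continue
        ts, user, action, patient = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action.upper(), "patient": patient})
    return events


def summarize(events):
    """Per (user, date): the set of distinct patients touched and the print count."""
    summary = defaultdict(lambda: {"patients": set(), "prints": 0})
    for ev in events:
        key = (ev["user"], ev["ts"].date())
        summary[key]["patients"].add(ev["patient"])
        if ev["action"] == "PRINT":
            summary[key]["prints"] += 1
    return summary


def flag_outliers(summary, max_patients=50, max_prints=20, peer_factor=3.0):
    """Return the (user, day) entries that breach a ceiling or dwarf their peers.
    The ceilings and the peer factor are illustrative; set them per role from
    the practice's own baseline."""
    by_date = defaultdict(list)
    for (_user, day), s in summary.items():
        by_date[day].append(len(s["patients"]))
    flagged = []
    for (user, day), s in sorted(summary.items()):
        n_patients = len(s["patients"])
        reasons = []
        if n_patients > max_patients:
            reasons.append(f"{n_patients} distinct patients exceeds ceiling {max_patients}")
        if s["prints"] > max_prints:
            reasons.append(f"{s['prints']} prints exceeds ceiling {max_prints}")
        peers = by_date[day]
        if len(peers) >= 3:  # need a few accounts before a peer median means anything
            base = median(peers)
            if base > 0 and n_patients > peer_factor * base:
                reasons.append(f"{n_patients} distinct patients is over "
                               f"{peer_factor}x the peer median of {base}")
        if reasons:
            flagged.append({"user": user, "date": day.isoformat(),
                            "patients": n_patients, "prints": s["prints"],
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_outliers(summarize(parse_audit_log(build_sample_log()))):
        print(hit["user"], hit["date"], "; ".join(hit["reasons"]))
```

A flag from a review like this is a prompt for a privacy officer to look at the account, not proof of misconduct; a clerk preparing a batch mailing can legitimately touch many records in a day. The value is in having a documented, repeatable check that runs on every audit export, so that a pattern like a single account printing thousands of records is noticed in days rather than after an indictment.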
In spite of HIPAA privacy and security regulations having been in place for over 16 years, necessary attention to PHI protection is still lacking. A 2016 study by the Ponemon Institute on privacy and security of healthcare data concluded the following:
- “About half of all organizations have little or no confidence that they can detect all patient data loss or theft.”
- “The majority of healthcare organizations still lack sufficient budget for security that will be used to curtail or minimize data breach incidents. A majority also believes that their incident response process has inadequate funding and resources.”
- “The majority of healthcare organizations have not invested in the technologies necessary to mitigate a data breach, nor have hired enough skilled IT security practitioners.”
- “The budget for security of most healthcare organizations has declined by 10%, while that of more than half of the organizations has remained static and most healthcare organizations believe they don’t have the budget to properly protect data.”
Anyone in medical practice should be concerned about these conclusions. The guarding of Protected Health Information is not a single task, but an ongoing daily undertaking in the current practice of medicine requiring total physician and staff involvement. Appropriate protection of PHI not only protects patient information but also protects physicians and medical practices from extreme liability.
Chickowski E. Stolen Health Record Databases Sell For $500,000 In The Deep Web. Dark Reading. Site: www.darkreading.com. http://www.darkreading.com/attacks-breaches/stolen-health-record-databases-sell-for-$500000-in-the-deep-web/d/d-id/1328225. Pub. February 21, 2017. Accessed March 25, 2017.
District Attorney’s Office, New York County. DA Vance: Hospital Employee Indicted for Stealing Personal Information of More Than 12,000 Patients and Providing Info to ID Theft Ring. Site: www.manhattanda.org. http://manhattanda.org/press-release/da-vance-hospital-employee-indicted-stealing-personal-information-more-12000-patients-. Pub. June 19, 2015. Accessed March 28, 2017.
District Attorney New York County. HIPAA Breach for Handbags: Manhattan DA Indicts 8 in ID Theft Ring. HIPAA Journal. Site: www.hipaajournal.com. http://www.hipaajournal.com/hipaa-breach-for-handbags-manhattan-da-indicts-8-in-id-theft-ring-7091/. Pub. June 20, 2015. Accessed June 25, 2015.
DOJ. Opinion on Enforcement. Site: www.justice.gov. http://www.justice.gov/olc/hipaa_final.htm. Pub. June 1, 2005. Accessed March 15, 2014.
Fuentes M. Cybercrime and Other Threats Faced by the Healthcare Industry. Trend Labs Research Paper. Site: www.trendmicro.com. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/electronic-healthcare-data-in-the-underground. Pub. February 21, 2017. Accessed March 25, 2017.
Goldman J. 91 Percent of Healthcare Organizations Suffered Data Breaches in the Past Two Years. Site: www.esecurityplanet.com. http://www.esecurityplanet.com/network-security/91-percent-of-healthcare-organizations-suffered-data-breaches-in-the-past-two-years.html. Pub. May 12, 2015. Accessed March 29, 2015.
HHS. HITECH Act Enforcement Interim Final Rule. Health Information Privacy. Site: www.hhs.gov. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html. Accessed July 14, 2015.
HHS Office for Civil Rights. HIPAA Administrative Simplification Regulation Text §164.512. Site: www.hhs.gov. http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf. Pub. March 26, 2013. Accessed November 4, 2014.
HHS. Omnibus Final Rule. Federal Register Vol. 78, No. 17. Site: www.gpo.gov. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Pub. January 25, 2013. Accessed June 4, 2015.
HIMSS. HIMSS Survey Finds Two-Thirds of Healthcare Organizations Experienced a Significant Security Incident in Recent Past. Site: www.himss.org. http://www.himss.org/News/NewsDetail.aspx?ItemNumber=42944. Pub. June 30, 2015. Accessed July 13, 2015.
Humer C. et al. Your Medical Record is Worth More to Hackers Than Your Credit Card. Reuters. Site: www.reuters.com. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Pub. September 24, 2014. Accessed July 13, 2015.
McCann E. Employees Top Cause of Security Mishaps. Healthcare IT News. Site: www.healthcareitnews.com. http://www.healthcareitnews.com/news/employees-no-1-cause-data-security-mishaps. Pub. May 11, 2015. Accessed July 18, 2015.
Myers L. Stolen Medical Data is Now a Hot Commodity. Dark Reading. Site: www.darkreading.com. http://www.darkreading.com/cloud/stolen-medical-data-is-now-a-hot-commodity--/a/d-id/1316598. Pub. October 14, 2014. Accessed March 29, 2017.
Ponemon Institute. More Employees Ignoring Data Security Policies. Compliance. Site: www.ponemon.org. http://www.ponemon.org/library/tag/compliance. Pub. June 10, 2009. Accessed July 18, 2015.
Trend Micro. The Price of Health Records: Electronic Healthcare Data in the Underground. Site: www.trendmicro.com. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/electronic-healthcare-data-in-the-underground. Pub. February 21, 2017. Accessed March 25, 2017.
Vogel P. Electronic Health Record (EHR) Databases Worth $500,000 to Cybercriminals. Site: www.vogelitlawblog.com. http://www.vogelitlawblog.com/2017/03/articles/cyber/electronic-health-record-ehr-databases-worth-500000-to-cybercriminals/#page=1. Pub. March 21, 2017. Accessed March 25, 2017.