ID theft in health care emerging as major risk

Health care records are a "treasure trove of information" for identity thieves because they typically contain more detailed personal information on people than could be found in any other business, according to experts who help health care providers avoid identity theft.

Risk managers should make prevention of identity theft a top priority, says Thomas McShane, JD, regional managing director of the New York City office of the investigative firm SafirRosetti, which specializes in the area of financial investigative services and integrity monitoring. His unit implements legal, auditing, investigative, research, and technical support, and they recently used many of these services to uncover a major Medicaid fraud case at Staten Island University Hospital that led to several convictions. As a result of that case, SafirRosetti was appointed to a 12-year monitorship by the hospital's insurance company.

McShane works on identity theft issues with James Murray, a forensic accountant and managing director with SafirRosetti in New York City. Murray says instances of identity theft are increasing in all types of businesses, but health care organizations are proving to be a particularly fertile hunting ground for criminals in search of personal financial data. There is no way to guarantee that patients' confidential information will not be divulged, he says, but there are steps you can take to minimize that risk.

Murray points out that health care organizations are doubly burdened when it comes to protecting confidential information because they have data on employees and patients. Staten Island University Hospital has 3,500 employees. "There have been instances where employees of that hospital have had their identities stolen," Murray says. It's important to include employee data in discussions about identity theft, he says. "You probably have as much confidential information on your employees as you do on your patients, if not more."

McShane notes that if a criminal obtains personal information about a hospital employee, that person's identity can be stolen, but the information might also be used to gain access to secure areas of the hospital computer system, where much more information can be stolen.

Screening employees for criminal history is critical, the experts say. Murray recalls working with a company that hired a director of sales and promoted him quickly to president of a subsidiary company, then called in SafirRosetti to investigate financial improprieties. They found out that the man had written his application for the sales job from prison. Once he had access to information on the company's employees, he stole their identities and leased five cars in their names.

"We recommend to all our clients that they do at least a basic background check on all new hires, and the more senior the person or the more sensitive the position, the more you should a very thorough investigation," McShane says. "Anyone who will have access to sensitive information should be screened, and that can be a lot of people in health care. The entire billing department, for starters."

In addition to a criminal background check, it may be appropriate to do a credit check on people in sensitive positions such as the billing department.

Murray says a bankruptcy or other financial hardship could put the person at higher risk of criminal activity, including identity theft. Remember that it usually is necessary to obtain permission from the applicant before doing a credit check. (See article below for more advice on how to reduce the risk of identity theft.)

Steps for preventing identity theft in health care

Thomas McShane, JD, regional managing director of the New York office of the investigative firm SafirRosetti, and James Murray, a forensic accountant and managing director with the firm, recommend these risk reduction strategies for identity theft:

• Build on the strategies you already have in place to comply with the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA focuses more the accidental release of information, many of the same policies and procedures in place for HIPAA compliance will give you a good starting point to enact additional steps to prevent the theft of data.

• Work closely with your information technology (IT) department to develop the appropriate technical defenses, such as firewalls, encryption, and password policies. While the IT techies may have the know-how about defensive procedures, the risk manager must impress upon them the importance of preventing identity theft and the potential liability for a breach. Make sure the IT department knows it will be a very bad day if a multimillion-dollar liability following an identity theft scandal is traced back to poor computer security. (See p. 44 for more information on the potential liability from identity theft.)

• Educate all employees, including and especially the front line clerks and office workers, about simple steps to reduce identity theft. Examples include never walking away from a computer and leaving sensitive material on the screen, and never writing down a password where it can be found easily.

• Perform a risk assessment to determine what information is available on the system and where. How many different computer systems contain sensitive data? Can it be centralized into one system where you can pour all your security resources? A key goal is to ensure that computers — whether they are desktop or laptop — do not contain any unnecessary data that could be useful to an identity thief.

• Assess compliance with your own policies and procedures. It is common for health care organizations to have safeguards that look great on paper but aren't followed by employees. Employees must be reminded and re-educated about the importance of these security steps on a regular basis.

When you test compliance, you're likely to find out 30% of the employees aren't following your procedures, McShane says. "They're doing it the old way because they don't want to change, or they think the new procedure is too much trouble, or they're just careless," he says. "Don't depend too much on the fact that you've put out this policy and you're assuming everyone follows it."

Stolen laptops

One of the biggest risks when trying to protect patient information involves the use of laptop computers.

Murray and McShane says risk managers must work closely with their information technology staff to ensure that laptops contain only the data necessary for the user and that the information is protected by passwords or encryption. Employees also must understand that the laptops are at a high risk for theft and should be protected at all times.

It is all too easy for someone to walk off with a laptop that contains sensitive information. For instance, Murray points to a recent incident at Vassar Brothers Medical Center in Poughkeepsie, NY, which reported that a laptop computer stolen from the facility contained a copy of the hospital's entire master patient database. That database made it a gold mine for any identity thief.

In announcing the theft, the hospital did not say exactly how many names were contained in the database but noted that 257,800 of those whose names were in the database were at risk of becoming identity theft victims. They were at risk because the database contained other personally identifiable information on those patients, such as Social Security numbers and addresses.

The hospital reported that the computer theft occurred during a hospital disaster planning exercise. The hospital copied its master database to several laptops for a disaster drill, simulating the need to operate during a disaster without access to the facility's main computer system. The master database was placed on several laptop computers that were distributed throughout the facility.

The stolen laptop had been strapped to a cart in the hospital's emergency department and used to collect patient data at the bedside during admission. The hospital reports that since the theft, it has erased copies of the database that were on other laptop computers. The hospital notified those whose information was on the laptop and advised them to place a fraud alert on their credit reports.

Laptops are like treasure chests for identity thieves, especially if they know that kind of database is on them, Murray says. "They can just walk out with it and work on cracking passwords and so forth at their leisure," he says. "You should exercise extreme caution, using your best security procedures, with any laptop that has sensitive information."