ID theft — Should you spend more on security?

One-third of providers say their organization has had at least one known case of medical identity theft, and some of those cases might not have been reported, according to the most recent annual survey results from the Healthcare Information and Management Systems Society (HIMSS).

The survey interviewed 272 IT and security professionals at hospitals and medical practices. Now in its third year, the HIMSS Security Survey, sponsored by Intel, reports the opinions of information technology (IT) and security professionals from healthcare provider organizations across the country regarding key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations.

The rate of medical identity theft is surprising to Eduard Goodman, JD, a privacy lawyer and chief privacy officer for Identity Theft 911, a company in Scottsdale, AZ, that provides data protection and similar services. He was surprised that healthcare providers still are facing so much identity theft, even with significant penalties from the Health Insurance Portability and Accountability Act (HIPAA) hanging over their heads.

"HIPAA is one of the few areas of law in which the injury is just the release of the information itself. It's not about whether anyone uses that information to commit a crime," Goodman says. "With that in mind, you would expect providers to work harder to protect that data, and a third are saying they've failed on that point."

Results of the survey

These were some key results from the most recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS):

Medical identity theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft. Those working for a medical practice were much less likely to report that an instance of medical identity theft occurred at their organization (17%), when compared to those working for a hospital organization (38%).

Patient identity: Half of respondents indicated that they validate patient identity by requiring a government/facility-issued ID and checking the ID against information in the master patient index. A similar percentage reported that they have a formal process for reconciling duplicate records in their master patient index.

Security budget: About half of respondents reported that their organization spends 3% or less of their organization's IT budget on information security. However, while this was consistent with what was reported last year, many respondents indicated that their budget actually increased in the past year, primarily as a result of federal initiatives. There is little difference in response in this area by organization type.

Risk analysis: Of the respondents who reported that their organization conducts a formal risk analysis, slightly more than half (59%) indicated that this type of analysis is conducted annually. Susceptibility to internal threats and to external threats is nearly universally included in the risk analysis.

Patient data access: Surveyed organizations most widely use user-based and role-based controls to secure electronic patient information. User-based security requires the user to log on with credentials such as a username and password, whereas role-based security restricts access to authorized people in certain roles. More than half of respondents from hospital organizations reported that they used two or more types of controls to manage data access, compared to 40% of respondents from medical practices. About half of respondents reported that their organization allows patients/surrogates to access electronic patient information.

Security in a networked environment: About 85% of respondents reported that their organization shares patient data in an electronic format. Data is most frequently shared with third party providers, state government, and other facilities within the corporate organization. While respondents from hospitals are somewhat more likely to report (83%) that they will share data in the future than are those from medical practices (77%), the likelihood of data sharing in the future is high among both groups.


Eduard Goodman, JD, Chief Privacy Officer, Identity Theft 911, Scottsdale, AZ. Telephone: (888) 682-5911. E-mail:

The Federal Trade Commission (FTC) has Frequently Asked Questions (FAQs) to help healthcare providers minimize the risk of medical identity theft and help their patients who are victims of medical identity theft. Go to Under "Privacy and Security," select "Health Privacy." Then select the hyperlink for "Medical Identity Theft: FAQs for Health Care Providers and Health Plans [PDF]."