Unhealthy Rise In Healthcare Fraud: 5 Tips For Protecting Patient Privacy

By Hagai Schaffer, Cyber Fraud and Risk Management VP Product Management and Marketing, Bottomline Technologies

Fraud is a serious and growing problem for all sectors, but healthcare is taking a bigger hit than most. According to one study, while other industries suffered average losses of 5.6 percent in 2015, in healthcare the losses were 6.1 percent — an almost 30 percent rise since 2007. This trend is predicted to continue with IDC Health Insights predicting one in three health records will be breached in 2016.

The simple reason for this is that personal patient data is valuable. Medical information is enticing for hackers because it includes personal details such as height and eye color that can be used to create fake identities. According to a recent FBI presentation, stolen health insurance information fetched a price of $60 to $70 on the black market while a Social Security Number went for less than a dollar.

One contributing factor is the fact that the majority of healthcare IT leaders rely heavily on traditional security solutions such as firewalls, audit logs, and data encryption. Technology by itself can’t provide an adequate defense. Protecting patients’ data requires a complete program including clear proactive policies, employee education, and verification of compliance integrated with technical solutions. Following are five steps that healthcare organizations can take to keep their patients’ data secure.

1. Create Corporate Culture Of Protecting Patient Privacy
   Educate and re-educate employees on current HIPAA rules and regulations, including state regulations involving privacy of patient information. This training should be part of employee orientation and include periodic refresher courses. This includes everyone with access to sensitive patient data and computing systems (whether full-time, part-time, temporary, or transferring), medical staff (including both admitting and referring physicians), contractors, vendors, students, and volunteers. If employees are reminded of the implications of data breaches, the risk that security policies will be violated can be drastically reduced.
2. Conduct Regular Validation And Verifications
   Internal audits should verify all fundamental health care fraud management activities are adequately performed using independent tools for verification. Sanitized results of audits that catch employees not following policies and procedures can be made available to raise awareness that management is serious about protecting patient’s data. Releasing official reports internally measuring the organizations progress at preventing data theft helps keep all the employees diligent.
3. Manage User Identity And Access Stringently
   With so many members of the healthcare system frequently accessing patient information — for a multitude of different reasons — it is important to carefully manage identity of users. Make sure users at each level are only granted access to information pertinent to their position. For example, some organizations allow all staff and admitting physicians unrestricted access to all patient files, but limit the access privileges of referring physicians to their patients of record. Also ensure that log on/off and other security related procedures are clearly communicated and carefully enforced on shared machines. Automation of user access helps create an audit trail and ensures efficiency and safety for everyone involved.
4. Monitor Users, Applications, Devices And Records
   Make sure you have a record of when electronic files are viewed and not only when they are modified or created. It is also just as important to make sure employees know they are being monitored. Inappropriate access is deterred when users understand that their actions will be recorded and reviewed and that sanctions can be applied for violating patient privacy. However, don’t overlook low tech data theft. Remind employees to be watchful of electronic devices and paper records left unattended. More often than not, data breaches occur due to theft of these items from a home, office or vehicle. Secure data exchange systems can catch when an employee sends an email or a file without the appropriate authorization, but carelessness is impossible to detect until it’s too late.
5. Proactively Take Action To Prevent Snooping
   Take a special note when there are events that might increase the incidence of unauthorized access of patient data. Automated solutions have the advantage that business rules can be added quickly based on targeting those circumstances that are the most likely to result in data theft, for example when your organization is providing services to high profile people such as celebrities. Also it is recommended to monitor when workers might have family members treated to make sure they are not breaching security policies by accessing their records.

By being proactive and planning ahead, health care organizations have a better chance of avoiding data breaches and keeping their patients’ personal data secure. Formal policies regarding information system security, employee training, and procedures for monitoring and penalizing breaches of privacy and security are essential. Investing up front in protect patient privacy is preferable to the long painful process of fixing a problem after it has already happened. Once trust in your organization has been damaged, it can be difficult — if not impossible — to repair.

About The Author
Hagai Schaffer leads Product Management and Marketing at Intellinx Ltd. which merged with Bottomline Technologies in 2015 to create their Cyber Fraud and Risk Management division. He has over 25 years of experience in the software industry in both technology and business positions.