Medical identity theft is different than other forms of identity theft, in that the consequences can be much more severe if they affect patient safety. While the majority of medical identity theft incidents are still of the fraud related variety, there have been instances of individuals using someone else’s medical identity to receive care. Medical identity theft happens when an individual uses someone else’s name or insurance information to get treatment, prescriptions or worse, get some form of surgery. The financial fraud variety occurs when some unscrupulous individual uses a patient’s information to submit fraudulent bills or claims to insurance companies. This occurs unfortunately far more frequently than the industry would like to admit. The irony is, healthcare is no different in this area than any other industry. Information is valuable to a wide array of dishonest people, from individuals just trying to steal, to professional fraudsters, to information traffickers on the underground black market. Information is money and as long as it is, it will attract those who would seek to exploit it. So lesson number one – the threat is real and it is persistent.
Medical identity theft, just like other forms of fraud, produces multiple victims as mentioned above. If it is the financial variety, the victims can include the person who’s identity was used. If unaware or if perpetrated by a knowledgeable insider, the financial damage could go unnoticed for a while and add up to substantial sums. Substantial or not, the associated frustration and emotional impact of having to deal with cleaning up one’s credit is never pleasant or insignificant. Another victim are the insurance companies who end up paying for these false claims. Another victim is the care provider, be they a physician or a large health system, which has to deal with the investigation costs or worse, the reputational costs, if an unprincipled employee was involved in the fraud. All of these victims are involved directly in one manner or another, but there are other indirect victims as well, such as suppliers of materials or services who may not be paid or patients who pay more for insurance or healthcare services due to the overall cost of fraud. With medical identity theft, there can also be an additional victim, when receiving care using someone else’s identity is the goal. It could be the perpetrator themselves or another person using the false identity seeking care. When caregivers base decisions on false information, the outcomes could be serious and potentially life threatening. Lesson number two – when medical identity theft occurs, someone always gets hurt and usually they are not alone.
So, what can we do about medical identity theft? Earlier we acknowledged that it was a persistent threat, meaning it’s always there. We also said that it often involves knowledgeable insiders who have legitimate or authorized access to the very system or data that is being compromised, making it very difficult to detect. It could also involve other insiders even more difficult to track, such as individuals with elevated privileges or database administrators who can access data directly bypassing access controls employed by applications. These attackers not only have the advantage of access, but they have inside knowledge of processes, controls, audit approaches, etc. to assist them in avoiding detection. To combat these threats, organizations need a combination of the correct controls and technologies such as access controls, system time outs and data management rules along with an active real time monitoring of systems and users, and user/customer awareness. A combination of controls such as: log managers, database monitors, IDS and IPS, security information event managers (SIEM), data loss prevention and identity access managers can provide the information awareness organization need to know when controls are working or disabled, when anonymous access occurs or when users change their pattern of access. All of which is information that can alert them to possible inappropriate behavior. Automating monitoring enables early detection, more accurate information and facilitates incident analysis. Smarter, more informed users and patients equates to quicker detection of anomalies in information, claims, etc. Often, the first indication of a problem is a patient who notices something unusual or odd in their billing statement. Administrative rigor and an alert staff can aid in the discovery of false identification. Early detection and reporting can make all the difference in mitigating fraudulent activity and avoiding patient safety issues. Lesson number three – it takes people, processes and technology to develop a good develop a good defense against medical identity theft, but it’s people that will make the difference.
There are good resources out there to help organizations combat medical identity theft. So...
- Get Educated
- Review Your Readiness
- Remediate Gaps
- Become Information Aware
- Educate
Medical identity theft is serious concern for everyone involved; patients, providers, payers, etc. In today’s environment, we can hardly afford fraud, but in any environment, we cannot afford dangers to patient safety.
