Safeguarding Against Identity Theft

In the healthcare industry, conversion to electronic healthcare records has made life much easier and more organized for doctors, patients, and insurers alike. As many will attest, a well-maintained digital filing system can save countless hours of administrative backlog, not to mention assure us that the right information is sent to the right people at the right time.

Unfortunately, digital health records are a prime target for hackers and identity thieves, and independent medical practices can provide fertile ground for data breaches. The number of data breaches has increased dramatically in the last three years, compromising tens of millions of patient records. Just this year, major health insurers like Anthem have been the victims of massive data breaches. Why are an individual’s healthcare records so prized by web pirates? Because they contain a boatload of personal information: name, DOB, address, Social Security number, and so on.

The cyber-threat

Forget credit cards. Medical records are a treasure trove for the wrong element, and can leave your most valued, long-time patients incredibly vulnerable. With the information gained from their records, criminals can abuse your patients’ health benefits themselves, or sell the info to others who do not have coverage. Moreover, stolen health records can allow them to perpetrate Medicare/Medicaid fraud. Direct attacks and stolen or lost computing devices are the main causes of data breaches. Remember, if your practice has been the victim of robbery, there is much more at stake than the dollar value of a few PCs, laptops, or tablets.

Full disclosure

In accordance with HIPAA regulations, the onus is on you to act swiftly and effectively to recover any compromised protected healthcare information (PHI). First, you must notify anyone directly affected. In larger cases involving several hundred victims or more, media outlets must be notified as well, which can make things even more difficult. Most of these posts deal with enhancing the quality of care you give to your patients, in some way or another. This is one moment where you must not waver in that commitment, for their sake, and yours. Prolonged silence can seriously harm the reputation of your practice, and can result in unwanted media coverage. Let your patients know that you are doing everything humanly possible to retrieve their stolen records.

The plan

Then, you demonstrate these efforts. What do they entail? Let’s backtrack a bit. First, if you are certain you’ve been the victim of a direct criminal attack, notify law enforcement immediately. Second, a proper plan should ideally be put in place to deal with a data breach at your practice. The backbone of such a plan is a complete, accurate inventory of all electronic devices containing PHI. Many practices adhere to a “Bring Your Own Device/Technology” (BYODT) policy. If you are among these, be sure you know exactly what devices your staff are using, and whether they rely on external memory devices. Password protection and hard drive encryption are simple measures to take to protect your info from prying eyes, even if the hardware itself is stolen.

A set of clear, concise procedures for reporting any lost or stolen devices is also a must. Like other kinds of emergency response plans, the drafting of this one should be delegated to a specific staff member, and should be memorized and practiced by all others. A thorough investigation into the cause should run concurrently with your breach containment plan. An investigation of this kind will likely involve a sweep of a variety of media, including e-mails, voicemail, and log-in times, to name a few. It is important that you are able to locate this information, and that you know where your data is being stored, be it on a hard drive, in the cloud, etc. This investigation should also be led by a delegated member of your staff.

The takeaway

The world post-digital revolution is one where massive amounts of information can be easily compressed, neatly stored, and quickly accessed. But in a world made more streamlined and convenient, we have the responsibility to ourselves and others to remain smart and vigilant in how we conduct our affairs. Just as it is easier for you to operate, it has never been easier for people to cheat the system, or slowly bleed your practice of funds or something even more valuable: the personal information of those you treat on a daily basis. You’ve gone to great lengths to make sure your office is a comfortable and safe place for your patients. Make doubly sure their privacy is safe after they’ve left.


Brian Torchin

HCRC Staffing
