Protecting Electronic Health Records
“I don’t care if someone knows I’ve had surgery on my knee,” said a friend when discussing electronic health records (EHR). “It’s not that they want to know your medical history, it’s that they’re using it to commit medical claims fraud,” I replied. I could see him processing the implications: Fraud = bad. Fraud against my health insurance = bad for me.
Without knowing the impact of stolen electronic records, particularly in the case of health records, it’s hard for people to take cyber security of medical information seriously. It sounds like someone else’s problem. Even medical professionals who deal with EHR daily have a hard time grasping the value of this treasure trove of information. Instead, they’re focused on the safety of the cloud. With the introduction of electronic health systems, it’s difficult enough to integrate the new technology into their workflow, much less worry about how they can help protect information.
A new report by the Institute for Critical Infrastructure Technology (ICIT), Your Life, Repackaged and Resold, sheds light on this issue. How bad is it? In 2015, 113 million U.S. medical records were breached. That’s roughly 1/3 of U.S. citizens!
According to the report, a credit card with CVV code sells for $1-2 on the Deep Web, an area of the web not indexed by standard search engines such as Google or Bing. Health insurance information such as patient name, family members covered, plan number, group number, plan type, or insurer contact goes for about $20 on these hidden sites, making it 10 times as valuable as the credit card information most work so hard to protect.
The Long-Reaching Effects of Medical Identity Theft
A stolen medical record allows someone to:
- File a false medical claim, which will affect the victim’s insurance caps and can cause debt.
- Obtain prescription drugs to resell illegally.
- Extort the victim over an embarrassing medical condition.
In 2014, there were 2.3 million reported cases of medical identity theft (not all related to the theft of EHR). According to the 2014 Fifth Annual Study on Medical Identity Theft report, clearing up medical identity theft cost victims an average of $13,500.
If EHR is part of your business, talk to your employees about how EHR is being sold on the Deep Web and how medical ID theft can negatively affect an individual. Search the reported health breaches on this site: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. There are many stories of stolen records due to unauthorized disclosure, hacking, or physical theft, affecting more than 500 individuals.
Not My Problem
People may feel the EHR they work with isn’t THEIR information and may be more lackadaisical with it. But remember, someone, somewhere works with YOUR information. I’ll bet you want them to know how to safely manage your information and protect you from ID theft and medical ID theft. We’re all connected online.
What to Do Personally
Until it becomes easier to review your complete EHR and receive notifications of suspicious activity, here are a few things you can do to protect yourself:
- Examine your credit report and those of your family members (children especially) at least once a year.
- Examine all claims information from your health provider to be sure it relates to a recent visit/treatment.
- Request copies of your medical records from all of your providers annually.
- Don’t share your health insurance information with others.
- Ask your providers whether staff has been trained to handle EHR. As a consumer, the goal is to plant a seed of concern about security and medical ID theft in the hopes that it is shared within the organization and can effect change from the bottom up.