Cyber criminals are now turning their sights on the less-protected area of medical data, experts say. According to the research firm Ponemon Institute, medical identity theft affected 1.4 million people in 2009 and 2.3 million in 2014.
Rick Kam, CIPP/US president and co-founder of ID Experts, which designs security software, says, “One reason to take this seriously is that it can be a threat to the continued operation of your business.” To discourage identity theft, consider following some basic precautions.
Know Your Weaknesses
Last year, several large health care organizations fell victim to data breaches. The most common point of ingress? Email. Always use a secure email system, especially if patients communicate with your practice this way.
Encryption is the key to digital security, says Kam. Almost all digital devices offer encryption for free or as a built-in function. “As soon as you pull the device out of the box, make sure the encryption is on,” he says. “That’s about as complex as it needs to get.”
Another point of weakness is the telephone. Thieves may pose as health care professionals seeking patient information over the phone.
With access to just 1 patient’s data, Medicare or insurers can be bilked of thousands of dollars. When unknown clinicians call, take their contact information and offer to call them back. Then, check their geographic location against the patient’s.
Every practice needs a written data security policy. Topics should include procedures for transporting data offsite and using mobile devices, protocols for departing staff (eg, changing passwords), and parameters on personal device use (eg, surfing the Internet). At least 1 staff member should be in charge of implementing and continually updating this policy.
In addition, make sure that staff members can recognize the hallmarks of “phishing” emails (ie, ones designed to infect systems with malware or viruses). Just opening such an email can infect an entire system.
Never sign referrals for unknown patients. In addition, because payers are sometimes the first to detect discrepancies, keep enrollment information updated. Make sure to promptly inform payers when opening, closing, moving, or separating from a practice. Lastly, compare remittance notices with patient records whenever possible.