Fraud is a serious and growing problem for all sectors, but healthcare is taking the biggest hit. According to a study by PKF Littlejohn LLP while other industries suffered average losses of 5.6%, in healthcare the losses were 6.1%, rising almost 30% since 2007. This upward trend is predicted to continue. In fact, an IDC Health Insights report predicts 1 in 3 health records will be breached in 2016.
The simple reason for this increase is that personal patient data is valuable. Medical information is enticing for hackers because it includes personal details such as height and eye color that can be used to create fake identities.
According to a recent FBI presentation, stolen health insurance information fetched a price of $60-$70 on the black market while a Social Security Number went for less than a dollar.
One contributing factor is the fact that the majority of healthcare IT leaders rely heavily on traditional security solutions such as firewalls, audit logs and data encryption. Technology by itself can’t provide an adequate defense. Protecting patients’ data requires a complete program including clear proactive policies, employee education, and verification of compliance integrated with technical solutions.
Here are five steps that healthcare organisations can take to keep their patients’ data secure:
Instill patient privacy in corporate culture
Educate and re-educate employees on current HIPAA rules and regulations including state regulations involving privacy of patient information. This training should be part of employee orientation and include periodic refresher courses.
This includes everyone with access to sensitive patient data and computing systems (whether full-time, part-time, temporary, or transferring), medical staff (including both admitting and referring physicians), contractors, vendors, students, and volunteers.
If employees are reminded of the implications of data breaches, the risk that security policies will be violated can be drastically reduced.
Make internal audits a policy
Internal audits should verify that all fundamental health care fraud management activities are adequately performed using independent tools for verification. Sanitized results of audits that catch employees not following policies and procedures can be made available to raise awareness that management is serious about protecting patient’s data. Releasing official reports internally measuring an organization’s progress at preventing data theft helps keep all employees diligent.
Implement controlled access for personnel
With so many members of the healthcare system frequently accessing patient information – for a multitude of different reasons – it is important to carefully manage identity of users. Make sure users at each level are only granted access to information pertinent to their position.
For example, some organisations allow all staff and admitting physicians unrestricted access to all patient files, but limit the access privileges of referring physicians to their patients of record.
Also ensure that log on/off and other security related procedures are clearly communicated and carefully enforced on shared machines. Automation of user access helps create an audit trail and ensures efficiency and safety for everyone involved.
Follow the flow of data
Make sure you have a record of when electronic files are viewed and not only when they are modified or created. It is also just as important to make sure employees know that they are being monitored.
Inappropriate access is deterred when users understand that their actions will be recorded and reviewed and that sanctions can be applied for violating patient privacy. However, don’t overlook low tech data theft.
Remind employees to be watchful of electronic devices and paper records left unattended. More often than not, data breaches occur due to theft of these items from a home, office or vehicle. Secure data exchange systems can catch when an employee sends an email or a file without the appropriate authorisation, but carelessness is impossible to detect until it’s too late.
Create a system to automatically detect fraud activity
Take a special note when there are events that might increase the incidence of unauthorised access of patient data. Automated solutions have the advantage that business rules can be added quickly based on targeting those circumstances that are the most likely to result in data theft, for example when your organisation is providing services to high profile people such as celebrities.
Also it is recommended to monitor when workers might have family members treated to make sure they are not breaching security policies by accessing their records.
By being proactive and planning ahead, health care organisations have a better chance of avoiding data breaches and keeping their patients’ personal data secure. Formal policies regarding information system security, employee training, and procedures for monitoring and penalising breaches of privacy and security are essential.
Investing up front in protect patient privacy is preferable to the long painful process of fixing a problem after it has already happened. Once trust in your organisation has been damaged, it can be difficult – if not impossible – to repair.
Sourced from Hagai Schaffer, cyber fraud and risk management VP product management and marketing, Bottomline Technologies