ID Theft in Health Care Emerging as Major Risk

Risk managers should make prevention of identity theft a top priority, says healthcare risk expert


Thomas McShane, JD, regional managing director of the New York office of the investigative firm SafirRosetti, and James Murray, a forensic accountant and managing director with the firm, recommend these risk reduction strategies for identity theft:

*Build on the strategies you already have in place to comply with the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA focuses more on the accidental release of information, many of the same policies and procedures in place for HIPAA compliance will give you a good starting point to enact additional steps to prevent the theft of data.

*Work closely with your information technology (IT) department to develop the appropriate technical defenses, such as firewalls, encryption, and password policies. While the IT techies may have the know-how about defensive procedures, the risk manager must impress upon them the importance of preventing identity theft and the potential liability for a breach. Make sure the IT department knows it will be a very bad day if a multimillion-dollar liability following an identity theft scandal is traced back to poor computer security.

*Educate all employees, including and especially the front line clerks and office workers, about simple steps to reduce identity theft. Examples include never walking away from a computer and leaving sensitive material on the screen, and never writing down a password where it can be found easily.

*Perform a risk assessment to determine what information is available on the system and where. How many different computer systems contain sensitive data? Can it be centralized into one system where you can pour all your security resources? A key goal is to ensure that computers — whether they are desktop or laptop — do not contain any unnecessary data that could be useful to an identity thief.

*Assess compliance with your own policies and procedures. It is common for health care organizations to have safeguards that look great on paper but aren't followed by employees. Employees must be reminded and re-educated about the importance of these security steps on a regular basis.

When you test compliance, you're likely to find out 30% of the employees aren't following your procedures, McShane says. "They're doing it the old way because they don't want to change, or they think the new procedure is too much trouble, or they're just careless," he says. "Don't depend too much on the fact that you've put out this policy and you're assuming everyone follows it."

One of the biggest risks when trying to protect patient information involves the use of laptop computers. Murray and McShane say risk managers must work closely with their information technology staff to ensure that laptops contain only the data necessary for the user and that the information is protected by passwords or encryption. Employees also must understand that the laptops are at a high risk for theft and should be protected at all times.

It is all too easy for someone to walk off with a laptop that contains sensitive information. For instance, Murray points to a recent incident at Vassar Brothers Medical Center in Poughkeepsie, NY, which reported that a laptop computer stolen from the facility contained a copy of the hospital's entire master patient database. That database made it a gold mine for any identity thief.

In announcing the theft, the hospital did not say exactly how many names were contained in the database but noted that 257,800 of those whose names were in the database were at risk of becoming identity theft victims. They were at risk because the database contained other personally identifiable information on those patients, such as Social Security numbers and addresses.