We go to the experts for advice on preventing patient data breaches and complying with Red Flag rules.

The only certainty about preventing the data breaches that may lead to medical identity theft is that it is virtually impossible. What is not certain is how damaging a breach will be and how your organization will handle the fallout.

“Organizations cannot prevent data breaches,” said Brian Lapidus, COO of Fraud Solutions at Kroll, a risk-consulting firm. “They can put a lot of procedures and processes into place, but so many of these incidents are due to human behavior, and that’s uncontrollable.”

With the proliferation of information, and the devices on which staff can access it, comes risk. Not only might a laptop or smart phone get lost or stolen, but unauthorized personnel could get access to data, compromising security. 

Medical identity theft is the fastest growing form of identity theft and the most problematic for both victims and organizations. A thief targets a victim’s insurance information and either uses it to obtain fraudulent medical treatment or sells it to others, who then obtain medical treatment under false pretenses. 

Victims are left trying to sort through a trail of bills and wrongful information in their medical records while organizations work to repair the damage to their reputations, tighten security procedures, and deal with angry patients. 

According to a study by Kroll, 62% of hospitals surveyed that had experienced a breach identified the source as an unauthorized use of facility information, while 32% were caused by wrongful access of paper records.

Adding to the urgency to stay on top of security breaches was the recently passed deadline for healthcare organizations and others that handle sensitive financial information to implement a written identity theft prevention program. The FTC has more information about the rules at www.ftc.gov/redflagrule. 

Virtual desktops

When implementing a plan to prevent breaches and the resulting medical identity theft, it is important to obtain technology that lets you carry out the plan and to get your facility’s staff on board. This is how Emory Healthcare, Georgia’s largest healthcare system, created and implemented such a plan, according to Dee Cantrell, CIO of the 10-hospital and clinic system, which employs more than 10,000 people.

After considering a number of vendors, Emory chose to work with Citrix on creating a virtualization technology system that would allow employees easy access to their workstations and mobile devices while maintaining security and control from a centralized information technology department. At all of Emory’s clinics and hospitals, desktops and mobile devices are customized to individual users, with all data and applications maintained by the IT department.

“For instance, if you are a registered nurse, you are supposed to have a certain operating system and certain applications that are defined by the IT department,” said Derek Cheung, a senior product marketing manager at Citrix. “IT updates all those applications, so every time you log in, you get the most up-to-date version of your applications and your operating system. It also decreases the total cost for desktops.”

If a laptop or mobile device is lost, no patient data is exposed, because all of the health system’s data is stored centrally rather than on the device (provided the device also holds no cached credentials and its sessions can be cut off from the central console). In addition, IT personnel can disable behaviors on individual devices that may lead to breaches, such as capturing screenshots or logging keystrokes. 

The technology enables Emory to deploy an array of mobile devices to meet the needs of its mobile workforce while preserving security, said Cantrell. “If we have a physician attending a conference out of town and a patient need arises, that physician can access the data on the patients he or she is allowed to have access to securely, and we don’t have to worry about that data existing on some device out in California or something,” she said.

Emory engages in continuous training, employing both online training and classroom training, all around the virtual desktop technology. As personnel join and leave the hospital, new personnel receive training and get access to applications, while the staff that is separating is de-authorized. 

The virtualization environment allows IT to propagate changes throughout the entire hospital system quickly so that, for example, if an employee’s status is changed, his/her access to programs and files is changed system-wide, Cantrell noted.
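The model described in this section, in which entitlements follow the role, desktops are rebuilt from the central definition at every login, and a status change or a lost-device report takes effect everywhere at once, can be sketched as a small policy store. The following is an added illustration written for this page; it is not Emory’s or Citrix’s code, and every role name, application name, user ID and device ID in it is constructed for the example.

```python
"""Toy model of centrally managed access for a virtual-desktop deployment.

Added example, not code from Emory Healthcare or Citrix. All names below
(roles, applications, user and device ids) are constructed for illustration.

The point demonstrated: because entitlements and data live only in the
central store and every launch is re-authorized against it, separating a
user, changing a role, or reporting a device lost is effective at the very
next request. Nothing on the endpoint has to be cleaned up or re-imaged.
"""
from dataclasses import dataclass, field

# Applications IT has defined for each role (constructed sample catalog).
ROLE_APPS = {
    "registered_nurse": {"ehr", "medication_admin", "email"},
    "physician": {"ehr", "order_entry", "imaging", "email"},
    "billing": {"billing", "email"},
}


@dataclass
class User:
    user_id: str
    role: str
    status: str = "active"  # "active" or "separated"


@dataclass
class Directory:
    """The single source of truth every virtual desktop consults."""
    users: dict = field(default_factory=dict)
    lost_devices: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (user, device, app, outcome)

    def provision(self, user_id, role):
        """Joiner: create the account with the apps its role defines."""
        if role not in ROLE_APPS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id] = User(user_id, role)

    def change_role(self, user_id, role):
        """Mover: the next login builds the desktop from the new role."""
        if role not in ROLE_APPS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id].role = role

    def separate(self, user_id):
        """Leaver: one flag in the central store de-authorizes every device."""
        self.users[user_id].status = "separated"

    def report_device_lost(self, device_id):
        """Lost hardware: block that device without touching the user's account."""
        self.lost_devices.add(device_id)

    def entitlements(self, user_id):
        """What the desktop shows this user at login (empty once separated)."""
        user = self.users.get(user_id)
        if user is None or user.status != "active":
            return set()
        return set(ROLE_APPS[user.role])

    def authorize(self, user_id, device_id, app):
        """Decide one launch request. Evaluated centrally on every request,
        never cached on the device, so central changes apply immediately."""
        user = self.users.get(user_id)
        if user is None or user.status != "active":
            decision = (False, "user not active")
        elif device_id in self.lost_devices:
            decision = (False, "device reported lost")
        elif app not in ROLE_APPS[user.role]:
            decision = (False, f"app not defined for role {user.role}")
        else:
            decision = (True, "ok")
        self.audit.append((user_id, device_id, app, decision[1]))
        return decision


def walkthrough():
    """Joiner, lost device, mover and leaver, in order; returns the decisions."""
    d = Directory()
    d.provision("rn01", "registered_nurse")
    results = {
        "nurse_opens_ehr": d.authorize("rn01", "laptop-1", "ehr"),
        "nurse_opens_order_entry": d.authorize("rn01", "laptop-1", "order_entry"),
    }
    d.report_device_lost("laptop-1")
    results["lost_laptop"] = d.authorize("rn01", "laptop-1", "ehr")
    results["same_user_other_workstation"] = d.authorize("rn01", "ws-2", "ehr")
    d.change_role("rn01", "physician")
    results["after_role_change"] = d.authorize("rn01", "ws-2", "order_entry")
    d.separate("rn01")
    results["after_separation"] = d.authorize("rn01", "ws-2", "ehr")
    results["entitlements_after_separation"] = d.entitlements("rn01")
    results["audit_entries"] = len(d.audit)
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The design choice that matters is in `authorize`: the decision is made against the central store on every request, so there is no device-side copy of the entitlement to revoke. The audit list is what an incident response team would pull first after a lost-device report, since it shows exactly which launches were attempted from that device and when they started being refused.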

Incident response

Stepping up security through new technology and processes is all well and good, but healthcare organizations need a plan to deal with breaches should they occur. Lapidus recommends that every organization put an incident response plan in place, which will also help with Red Flag rules compliance. 

“If you have an incident response plan in place, you’re going to be quicker to notify everyone when an incident does occur,” he said. “You’re going to know the regulations and who needs to be involved.” Key personnel who should be involved in any breach episode include the general counsel, the outside counsel, the executive team, the risk manager, and the directors of IT and human resources, he added.

Should the breach involve sensitive patient data, the onus is on the facility to notify those patients and take steps to mitigate the damage. Said Lapidus: “If there is a breach of patient identifying information, it’s our responsibility to notify any patients who may have been involved and to be as up front as possible. We take appropriate action to learn from what happened so we can refine our policies and procedures and be as secure as we possibly can.”

There is no once-and-forever answer to the problem of data breaches and medical identity theft. But your organization can certainly take concrete steps to comply with the Red Flag rules by implementing effective technology and specialized training. 
