The Blue Cross Blue Shield Association recently released a report that highlights a 7-to-1 savings for every dollar spent on anti-fraud activities. In their announcement they note that this represents a 47% increase in fraud savings in 2009 compared to 2008.

With growing evidence of the expansion in medical identity theft crimes, the focus of private insurers on fraud reduction is most welcome. There is a direct correlation between eliminating fraud and the reduction in medical identity theft. Unfortunately, while their progress appears to be solid, there remains the fact that the incidence of medical identity theft is on the rise.

In a recent Wall Street Journal article, it was noted that”

“‘Medical identity theft is the fast-growing form of identity theft,’ says Jim Quiggle, spokesman for the Coalition Against Insurance Fraud. He says individuals often don’t know that they have been victimized until the thief has distorted their medical records and run up medical bills.”

While statistics on actual number of victims and level of financial harm in medical identity theft are hard to come by, the fact that the incidence of these events is increasing is not good news for patients.

The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act earmarks over $19 billion in funds as incentives for healthcare providers to adopt EHR technologies. As these funds flow, the amount of medical data will grow exponentially into the petabytes over the next four years.

As recent article titled “As health data goes digital, security risks grow” published in Computerworld and Business Week highlights a significant issue with this trend, the fact that the security of your medical records is far from assured. It concludes that:

“Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, can result in a permanent violation of privacy.”

With the focus of healthcare providers being on securing HITECH stimulus funds for the implementation of EHR systems, there is the risk that the security systems and architecture for these systems, especially in areas of interchange with other entities, may increase risks of exposure of protected health information (PHI) of patients.

Dr. Taher Elgamal, the individual that led the development of  secure sockets layer (SSL network encryption) as the chief scientist at Netscape, and is now the chief security officer at Axway, highlights that the current solution path for this issue, encryption of the PHI data, isn’t a silver bullet for assuring patient privacy.

“The fact that you did encryption doesn’t mean you’ve protected medical information, because access control is the real issue,” Elgamal said. “New cybercriminals do not do what the old cybercriminals did. They realize you’ll be encrypting the data and instead access the application and steal access rights.”

The implications of this on healthcare providers is significant. The financial and patient benefit motivation associates with implementing EHR systems must be balanced by the security and privacy requirements that now have public and financial implications as well for non-compliance.  It isn’t clear to me that most covered entities are appropriately balancing both sides of this equation.

Over six months in 2009, 12,500 mobile devices were left in taxis. And 4,500 USB “thumb” drives were left in pants pockets that were then set to the cleaners. And the vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals, is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act our open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlights the importance for healthcare providers to evaluate the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least prioritized at a lower level, by security professionals because of the tendency to focus on technology solutions for data security. Or in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies to inhibit professionals to storing patient data on their laptops, moving it from one location to another with a thumb drive, or viewing it on a smartphone, as a practical matter, these do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

This segment describes a situation where a young woman’s social security number at the Red Cross became associated with a patient who visited a clinic in another state, years ago, who had AIDS. It illustrates the difficulty that one has in correcting such issues with our medical identities.