Medical ID Theft and Securing EPHI
Medical Identity Theft
Medical information can be stolen in several ways: 1) criminals who get sick use a victim's information to obtain services, 2) friends or relatives use another friend's or relative's information to obtain treatment, 3) professionals, such as physicians, fabricate services that were never provided, 4) organized crime, and 5) innocent or not-so-innocent opportunists (Lafferty, 2007). Criminals who get sick can use a victim's insurance information to obtain treatment. Professionals can fabricate false claims to cover medical errors. Opportunists have access to patient data and the ability to steal, use, or sell that information.
Effective security requires clear direction from upper management (Whitman). Assigning security responsibilities and access controls, backed by audit controls, to organizational elements and individuals helps place accountability on individuals. Management must formulate or elaborate security policies and procedures based on the organization's mission priorities, assets, and business operations, as well as on an assessment of threats against those assets and operations. Periodic compliance audits, examinations of the effectiveness of controls, and reassessments of threats are essential.
HIPAA, privacy laws, and state laws mandate the security of medical information. HIPAA imposes a maximum sanction of $100,000 and up to five years in prison, or a maximum of $250,000 and up to ten years in prison if there is intent to sell, transfer, or use protected health information for personal gain or malicious harm. The healthcare provider may also be assessed a civil monetary penalty for the HIPAA violation. Privacy and state laws also impose penalties when personally identifiable information is breached. Penalties can be levied against the organization for insufficient security and against the individual who performed the breach.
Securing Medical Data
The HIPAA Security Rule is sketchy at present, but does offer some guidance to companies and entities that are required to follow it (Hoffman, 2007). Administrative safeguards focus on security management processes, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plans, evaluation, business associate contracts and other arrangements, response and reporting procedures for security incidents, data backup plans, disaster recovery, and emergency mode operation plans. Physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. Technical safeguards involve establishing procedures to control access to information, audit activity, protect information from improper modification or destruction, protect the transmission of information, and authenticate those seeking access to information.