The HHS report, which was published last week, is the third stage in the former Bush administration's Identity Theft Task Force project and comes at a time when the new administration is calling for moving medical records online as part of an effort to lower healthcare costs. But with those cost efficiencies and conveniences come increased risk of hacked or stolen medical records, security experts say.
The HHS report says the government should spearhead medical ID theft prevention and awareness efforts (including policy), with a public-private task force that analyzes how financial identity theft cases are handled to see if what can be adapted for medical ID theft, which the report defines as the "misuse of an individual" personally identifiable information (PII), such as name, date of birth, social security number (SSN), or insurance policy number to obtain or bill for medical services or medical goods."
The result: Medical records become inaccurate, victims lose money, the healthcare system loses money, and patient care could be compromised.
The report, which was written by Booz Allen Hamilton, distinguies between healthcare fraud and medical ID theft: "The primary motive for committing healthcare fraud is most often monetary gain, such as when fraudulent providers bill for more expensive services than those rendered. However, medical identity theft tends to be focused on the use of someone else's information to gain goods, services and healthcare, which can affect the victim's medical record and future care," according to the report.
So far, medical ID theft accounts for only approximately 250,000 of the more than 8 million identity theft victims logged in the FTC's latest ID theft report covering 2005, according to preliminary government data, and that number is likely much higher today, the report says.
But some experts question just how valuable medical records are to cybercriminals versus financial information. "Generally, the criminals like ID theft better, and the bigger problem for medical records is actually legitimate access," says Robert Enderle, principal with The Enderle Group. "One of the interesting conundrums regarding medical records is that it is often easier for someone who wants to steal them to gain access than it is for someone who needs the records for legitimate purposes. And unlike financial information, which can be used to drain a person's bank account and destroy their credit rating, medical records have no real monitory value other than for research, celebrity news, or advertising. On the other hand, if altered, the result could be fatal."
The HHS report suggests several technology solutions for protecting medical records online, including role-base access for users on a need-to-know basis; audits that flag anomalies; and stronger authentication of patients. It also suggests the creation of a model for incident response in medical ID theft, and studying the use of social security numbers in patient records and ways to minimize the use of them.
Just what Obama's team will do with the report is unclear so early in the administration. Either way, medical identity theft will be an issue that the new administration's potential electronic medical records initiatives will need to address.
"Medical identity theft is an issue that has the potential of having significant healthcare and financial implications for all healthcare stakeholders. Although the true magnitude of the problem remains to be quantified, the information that is available on current cases is serious enough to demand a look at what can be done now and what can be done in the future to better understand the problem," according to the HHS report.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message