24 August 2009

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest that expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of health care information. The increased scrutiny of our own health-related personally identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations, which can use them in extensive online extortion schemes to monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures of systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion. Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug for a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office who are currently taking the Pfizer drug for ED, or the subset of women talk show hosts who are taking the drug Xanax, may leave some individuals willing to pay the 500 or 1,000 dollars demanded by the criminals who stole the Protected Health Information (PHI).

As the United States speeds along toward consensus on a national health care system, the risk of health care data breaches will be rising. Where a doctor once had a small staff handling the back office to bill insurers, and where health care information systems vendors were in high demand, you will now have the nexus of targets on which cyberspace criminals will be focused. Just as consumer retailers rely on third-party credit card processing companies to handle millions of annual point-of-sale transactions, so too will the consumers of health care services at the retail level: doctors' offices, pharmacies, and outpatient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves fewer than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to monetize a compromised credit card through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether there is a continued attempt at using PHI for spear phishing attempts against specific individuals online, or a broader use of PHI to steal one's identity to obtain health services at hospitals or physicians' offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to the local medical records of the victim. With the strong movement toward electronic medical records, all records under the victim's name and social security number can be collated in seconds. Once the thief's medical records are collated with the victim's, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector over a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack; when she awoke in the hospital, a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver undergone heart surgery as a diabetic, mistreatment could have been life threatening.

Protected Health Information will continue to be a challenge for those institutions that are trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers' thirst for financial information will seem inconsequential compared to what we are about to experience in the online health care industry.