Medical identity theft occurs when a person uses someone else’s personally identifiable information or protected health information to commit insurance fraud, obtain free medical services or falsely secure prescription drugs. As a result, victims may be unable to access care, experience insurance issues and end up in medical debt.
This issue also affects health care facilities. They face HIPAA violations, costly record restoration and potential legal action. While tracing these incidents back to the source is often impossible, cybercrime is the leading cause. If professionals can secure their systems, they can prevent medical identity theft.
1. Secure Internet-Enabled Medical Devices
Many hospitals’ internet-connected medical devices are unsecured. One report found that an estimated 53% had known critical vulnerabilities in 2022. Since Internet of Things devices often ship with weak default passwords and few security controls, hackers can easily target them. Once compromised, they provide a literal wealth of PHI.
Thankfully, securing IoT wearables and implantables is relatively simple. Strong passwords and monitoring tools can prevent breaches. Information technology professionals should also keep up with security updates, bug fixes and patches.
2. Conduct Employee Security Training
HIPAA training isn’t the only education employees should receive. Since the health care industry is one of cybercriminals’ most tempting targets, they must understand the risks of a weak security posture — and what they can do to protect patient privacy.
3. Restrict Access to Data Storage Systems
Addressing medical identity theft is expensive and time-consuming for all parties involved. According to the Ponemon Institute, resolution costs around $13,500 per fraud incident. Targets must pay tens of thousands of dollars to settle these issues, and it takes an average of 200 hours to resolve each case.
When IT teams turn their backs to restore records and identify the extent of the breach, their systems become vulnerable. If they leverage access controls to limit who can view, edit and share medical records, they can protect data storage systems — even when they are not actively monitoring them.
4. Leverage Patient Authentication Methods
How do hospitals know whether an access attempt is legitimate? What if a fraudster has compromised their information? IT teams can verify those requests with authentication tools like identification checks and multifactor authentication. Secure patient portals are essential.
5. Practice Proper Document Disposal
A HIPAA-compliant cross-cut shredder is enough to ensure paper documents don’t fall into the wrong hands. Securing PHI stored on electronic media is more complicated. Wiped hard disk drives retain residual data — meaning a skilled hacker could quickly recover deleted files.
Hackers may be able to recover PHI if hospitals throw away old HDDs or use a dishonest third-party recycling vendor. This information goes for $250 to $1,000 per record on the dark web, so such theft isn’t unheard of.
Deletion isn’t enough. IT professionals should use software to overwrite PII with nonsensitive data or expose the HDD to a magnetic field for permanent erasure. Then, they should physically destroy the drive via incineration, shredding or crushing to make any leftover residual data irretrievable.
6. Strategically Segment the Network
It only takes a single device to compromise multiple patient records. For example, imagine a receptionist unknowingly gets hacked after using public Wi-Fi. The next day, they bring their hacked phone to work with them. The hacker sees an opportunity to move laterally through the network, stealing PII to sell on the dark web. Buyers use that data for medical identity theft.
While banning personal devices from the building is the safest approach, people will likely be unwilling to follow it, creating security gaps. Instead, IT leaders should segment the network, ensuring those electronics stay separate from sensitive data storage systems.
7. Regularly Perform PHI Audits
Medical identity theft is common. According to the United States Federal Trade Commission, there were around 5.15 million cases in 2022, up from 2.11 million in 2012 — a 143.5% increase in one decade. However, fraudsters don’t always get caught before doing damage. If the IT department regularly audits its databases, it can identify them early.
8. Monitor for Indicators of Compromise
The health care sector is a prime target for cybercrime. In 2023, it paid the highest price of any industry for cyberattacks, spending an average of $10.92 million per incident. Facilities must monitor for signs of fraud and indicators of compromise to prevent breaches in real time.
9. Build Warnings Into Patient Portals
The penalties for medical identity theft are severe. According to Section 1177 of the Social Security Act, offenders who knowingly commit these crimes face five years in prison and a fine of up to $100,000. If they intend to sell, transfer or use that data for malicious harm or personal gain, they can be subject to a fine of up to $250,000 and risk a 10-year imprisonment.
If the IT team incorporates warnings like these into the patient portal, they can dissuade identity thieves from exploiting their system for personal gain. Including details on how their monitoring tools work to keep legitimate patients safe further disincentivizes fraudulent activity.
10. Deidentify and Encrypt PHI
Replacing or redacting identifying details like names and dates from PHI lowers the risk of a data breach, preventing identity thieves from stealing data. Encryption turns plaintext into ciphertext, making it unreadable without a unique decryption key. These measures are essential for preserving privacy.
Securing Health Care Systems Against Identity Theft
Infiltration attempts and cyberattacks routinely bombard health care systems. While making a digital platform 100% secure is virtually impossible, IT teams can minimize the risk of medical identity fraud with savvy strategies.
As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.
.
.
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information. BSM is cited as one of Feedspot’s top 10 cybersecurity magazines.