BreachExchange mailing list archives

Identity Theft and Medical Theft in the Workplace


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Dec 2014 18:24:17 -0700

http://it.tmcnet.com/topics/it/articles/2014/12/15/395153-identity-theft-medical-theft-the-workplace.htm

Medical theft is defined as falsifying a victim’s medical record with
information from the perpetrator and crime. One major reason for medical
theft is that it provides criminals the necessary information to move
forward and commit identity theft. Identity theft is when one person
assumes another's identity and, under false pretenses, performs acts or
makes purchases. Violation of this law is a Federal offense, and it is
illegal to knowingly assume the identity of another person without their
permission with either the intent or the actual act of performing any kind
of unlawful activity.

How Medical Theft Is Performed

According to the diagram called "Theft," a pattern exists for medical
identity theft. The theft starts with identifiable health information, which
can come from multiple sources. This information is available through a
primary healthcare continuum of patients, providers, plans, vendors, etc.,
or it can come from what is referred to as a secondary healthcare
continuum of agencies, research, public health records, law enforcement
agencies, etc. The theft of this type of information is known as medical
identity theft.

Stopping Medical Theft

Identity theft is fast becoming a major issue with businesses today. As
more personal connections are linked through the web, there are more
ways for data to leak out. Once that data leakage occurs, it could just be a
matter of time before more of the victim's data gets out. This problem
affects many industries but perhaps the industry that has the most data to
lose is the medical field. The ways to prevent and detect medical theft can
vary. Companies are ultimately expected to protect their data but the
individual does have a responsibility in safeguarding their own
information.  They can take multiple preemptive steps to further protect
their data by performing some routine safety measures.  For example, they
can maintain their own healthcare records, demand that their medical
partners fix any incorrect entries or errors in their records, monitor
their benefits and ensure they receive what they were entitled to receive,
and more.

Stopping Identity Theft

There are also many cases which result in the loss of identity or identity
theft that can be prevented.  Many of these steps can be taken not just by
the victim but also by the organization.  According to HIPAA and other
standards, there are specific requirements that companies must meet to
ensure the safety of this data.  Furthermore, according to Inc.com, there
are some steps a company can take to stop identity theft.

The first is to address "insider mistakes". This means applying general
best practices across the organization and its employees so that they are
more cautious with data.  Simple acts such as sending data over e-mail or
saving data to removable devices such as flash drives are common errors
that lead to the loss of data.

Another significant issue the company needs to be aware of is that of the
disgruntled employee, also associated with corporate espionage and known
as a "malicious insider".  These are individuals who will intentionally
steal data or spy for rival corporations, typically for financial gain.
Through proper implementation of the security group, limiting what an
individual can do, and routine auditing, these acts can be limited.

The final form of breach is that of an "outside attack".  This is when a
company is attacked by an adversary or a hacker with the intent of stealing
data.  In some cases the data that is stolen contains customers' personally
identifiable information (PII).  That information has a great deal of value
on the black market and in many cases is sold, or used to purchase goods
and services by someone misrepresenting themselves as the victim.

A final thought on the topic relates to a preventative measure that can,
and should, be taken: the use of encryption technology.  More and more
companies are beginning to use encryption across the board to further
protect data.  The use of policies and procedures, encryption key access,
key escrow mechanisms and other forms of encryption technology can greatly
improve the level of protection of company data.

Unfortunately, many people don't know the difference between identity theft
and medical theft.  However, that's not the real problem; the real problem
is that individuals need to take a more proactive role in securing their
own data, as do companies.  In fact, most people may not even realize that
their data has been compromised until it's too late.

Regardless of where you live or what your beliefs are on the use of the
Internet, the fact remains that your records are on the Internet; therefore
people need to take a more proactive role in protecting themselves.
Remember, while there are laws designed to protect both victims and
companies, every piece of documentation that exists on identity theft also
states or implies that individuals should take steps to protect themselves
in addition to companies protecting their data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss