The Silent Thief
A burgeoning electronic medical records theft business is silently invading the medical community. How can you stop it from affecting your business?
By Erinn Morgan
On the black market, a stolen medical record goes for about $50 while a stolen Social Security number brings in a mere $1. This financial reality is the fuel behind the astounding growth of electronic medical records (EMR) theft over the past several years—a spreading problem that victimizes more than two million people each year with medical identity theft, according to Ponemon Institute's Third Annual National Study on Medical Identity Theft, which was released in June 2012.
The study also found that U.S. medical ID theft costs patients a whopping $41 billion a year. EMR theft is now the fastest-growing type of identity theft in the world.
Why—and how—does EMR theft occur today? “It's become big business for organized crime, both here and abroad,” says Mary Ann Fitzhugh, vice president of marketing and business development at Compulink Business Systems, Inc., a provider of EMR software and practice management systems for medical providers in optometry, ophthalmology, dermatology, and podiatry. “Causes are either professional hackers who hack into office servers or it's an inside job where authorized users are accessing electronic protected health information (ePHI) data.” Wondering what EMR thieves look to gain from stolen medical records? While records linked to a practice management system often provide access to patients' credit card numbers, the real draw is the medical information available, which is enough to steal a patient's medical ID.
A Patient's View

While it's the fastest-growing identity theft around, for better or for worse, most patients don't know much about EMR theft. A June 2012 study from Nationwide Insurance revealed that just 15 percent of insured adults are familiar with medical identity theft.

| Share of insured adults | Finding |
|---|---|
| 19% | think it would take less than two weeks to correct a medical ID if stolen |
| 22% | believe the most likely consequence of medical ID theft is that their insurance will be cancelled |
| 75% | “trust” that their medical records are correct |
| 56% | think it's likely their credit card or credit card number will be stolen |
| 32% | think it's likely that their medical identification will be stolen |

Patient Tips: Protecting Your Medical Identity

Here, a few things patients can do to safeguard their own medical identity:

- Closely monitor any “Explanation of Benefits” sent by health insurers
- Proactively request a listing of benefits from your health insurers
- Request a copy of current medical files from each healthcare provider
- If you are a victim, file a police report
- Correct erroneous and false information in your file
- Keep an eye on your credit report
- Request an accounting of disclosures

— Courtesy, Nationwide Insurance
“EMR records have everything needed to steal an identity—Social Security number, gender, date of birth, last addresses,” says Dan Cane, president and CEO of Modernizing Medicine, a maker of EMR software that is relatively new to optical but has more than 1,500 active customers, including 14 percent of the total U.S. dermatology market.
Stealing a medical identity gives thieves (and their clients) the ability to file fraudulent medical claims under the compromised patient's insurance plan. “Plus, in some cases, sensitive patient information can be remarketed,” adds Fitzhugh.
Unless proper security protocols can be documented, the federal government can impose significant fines upon medical providers whose electronic medical records are stolen. (The HIPAA Security Rule requires documentation of the decision-making process that led the provider to select the means of securing ePHI both at rest and in transmission.) This financial slap, along with police involvement, cleanup, and patient notification, makes EMR theft a big headache for both providers and their patients.
The Ponemon Institute study estimated that identity theft victims spend more than $22,000 clearing their names. The same study also found that 51 percent of consumers felt that a loss of trust and confidence in their healthcare provider was the primary nonfinancial consequence of the medical identity theft.
THE OPTICAL FACTOR
What is the state of EMR theft in the optical community? By many accounts, EMR theft is not as much of a problem in the eyecare community as it is in the general medical community. “Optical data might simply be less interesting to a thief,” says Cane. “Thieves are generally looking for the easiest places—and the most appealing—from which to steal records.”
“Our specialty is probably lower-risk than others,” says Brad Rourke, CEO of The Williams Group, an optometric consulting firm, and head of the company's software division, Practice Director. “To date, I haven't heard of any minor or major EMR thefts in the optical community.”
Chad Fleming, OD, business and career consultant at AOAExcel and a practicing optometrist in Wichita, Kan., says he's aware of offices where patients had their identity stolen because people sitting in the reception area were listening and taking down their personal information while the receptionist was verifying it. “No longer do we hand people a piece of paper,” he says. “That's why I strongly recommend using iPads or a computer screen that's only visible to the patient to verify their information.”
In addition, Rourke adds that anyone could “potentially hack into” an ECP's EMR records, especially if proper security protocols aren't in place. Thus, many EMR experts say there is much room for improvement in the optical community (along with the general medical community) when it comes to safeguarding data.
Get the 411 on HIPAA's Security Rule

For more information on proper compliance with the HIPAA Security Rule, see this link, which also provides access to the Security Rule Toolkit, a self-assessment survey that helps providers better understand the Security Rule—and how they can best comply with it in their offices. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

The Real Costs of Medical ID Theft

What does medical identity theft cost? According to Ponemon Institute's Third Annual National Study on Medical Identity Theft, released in June 2012, it costs a whopping $22,346 per victim to resolve. Who pays? Typically, the patient is stuck with the bill. But, if the ID theft was a result of a practice's compromised electronic medical records, then the onus of responsibility becomes a bit hazier. The study also found the following key points:

| Finding | Value |
|---|---|
| Average time to resolve a medical ID theft | 12.1 months |
| Percent of victims who spent more than two years resolving the theft | 25% |
| Cost of resolving the medical ID theft | $22,346 per victim |
| Victims who, as a result, lost trust in their healthcare provider | 51% |
| Percentage of ID theft victims whose medical records were accessed | 20% |
THEFT-BUSTING STRATEGIES
Some basic and more sophisticated strategies to help ECPs keep their networks—and, most important, their EMR—secure:
■ TALK to your EMR company. Define what your EMR system is providing in the way of security and footprint accessibility.
“Find out what they're doing to make sure your data is secure,” says Cane. “The question you need to ask is: ‘Is our information communicated in a secure server and is it encrypted while it's sitting as well as in transit?’ Fully SSL encrypted is great, but what about the data in rest, when it's sitting on the drive? I've seen a lot of young companies that don't realize they should encrypt everything.”
■ ASK about your EMR vendor's certification. “Believe it or not, there's nothing in the ONC certification process that certifies that a vendor's EMR system has special security features to support HIPAA compliance,” says Fitzhugh. “Just because an EMR is ONC-ATCB Certified, doesn't mean that it's HIPAA compliant. Practices should look for more stringent certifications, such as CCHIT Certification, which does require that a vendor demonstrate they support special HIPAA security features such as audit logs.”
■ ENSURE that your office covers the simple basics, such as utilizing more complex passwords for system access. “Make sure it's always at least seven characters long and contains one uppercase letter and a number,” says Cane. “And, make sure users don't share passwords; every user should have his or her own login username and password.” Rourke also suggests changing passwords regularly to up the security factor. If an employee leaves the business, also be sure to delete her username and password from the system immediately.
■ AVOID email. Cane also says ECPs should always refrain from emailing records: “It's one of the most unsecure things you can do.”
■ SECURE your server. According to Rourke, physical security of an office's server is often overlooked. “Try to keep all your servers plus local backups in a locked room,” he says. “A lot of offices put the server at the front desk with the receptionist, which is definitely not ideal from a physical security standpoint.”
■ EMPLOY automated logoffs. While all EMR systems are required to have this feature, ECPs can take additional security measures by setting automatic logoffs to a reasonable amount, such as a five-minute interval. This will reduce the amount of time that an EMR (and the entire system) is accessible if the staff user leaves the room or moves to another station for any reason.
■ PROTECT your wireless network. Fleming suggests having two WiFi spots: “One is the office network that is password protected and the other is a guest network that is password protected but not connected to your own office network where EMR can be accessed.”
■ DEDICATE an in-office computer for Internet use. “It's OK for the staff to get onto Facebook on their breaks, but know that every time they click on a site, they've opened a door to your network,” says Fleming. “If your staff accesses the Internet in your office, then it should be on one computer not connected to your office network, practice management software, and your EMR.” EB