I was speaking with a friend the other day about Medical Identity Theft, HIPAA compliance and enterprise fraud management. We were discussing a survey report published in March by the Ponemon Institute that found roughly 1.5 million Americans are victims of medical ID theft. In the survey, fourteen percent of respondents said the breach occurred at a health care office, and 10% said employees at a health care organization’s office had stolen the data.

 It occurred to me that medical identity theft is one of those “wild west” opportunities for identity thieves at the moment. While everyone is pretty familiar with the concept of financial fraud and what happens when your credit card information is stolen, what happens when someone pretends to be you to access medical care can have far more devastating consequences.

According to the Federal Bureau of Consumer Protection, here are some indications that might indicate that someone has been a victim of medical identity theft. Victims may:

• get a bill for medical services they didn’t receive;
• be contacted by a debt collector about medical debt they don’t owe;
• see medical collection notices on their credit report that they don’t recognize;
• be told by their health plan that they’ve reached their limit on benefits; or
• be denied insurance because their medical records show a condition they don’t have.

Source: http://business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan

Whoa—think about that for a moment. Those are significant impacts. Then, spin the scenario out a bit further. What happens if medical records become co-mingled at the provider level? Can you get to a point where the records of the thief are entered into the medical history of the victim? According to the experts, you can. Back in 2006, Pam Dixon, founder of the World Privacy Forum, referenced the challenges that medical identity theft can create and cited examples of misinformation appearing in patient files. She also stated that changes to patient records could remain in the files for many years.

Providers Protecting Privacy as Part of Their Healthcare Brand

Leading healthcare organizations are increasingly seeing ways to protect their brand while safeguarding patient privacy. Moving the privacy discussion beyond the HIPAA disclosure form that all of us sign when accessing care and making ePHI protection a differentiator demonstrates a commitment on the part of the provider. When given a choice, my healthcare dollars are spent with those institutions that care enough about me to protect my personal information. It just makes sense to require the same level of accountability from my doctor as I do from my bank—the risks are just as real and the opportunity for damage may even be greater.

Recently, on the heels of the ISSA International Conference, noted authority Michael Angelo raised the question of ethics in security. It is a topic that comes up from time to time and never ceases to fascinate me. In his recent blog posting, Michael writes “Ethics is a particularly interesting topic as the security industry is always concerned about addressing issues in a constantly changing environment. It is easy to follow a set of ethics if the environment is consistent, however if the environment changes will those ethics still apply or do they need to evolve?”

Over the years, we’ve seen huge shifts in the issue of ethics and security. The spectrum of recent dialog ranges from securing end points and the interests of enterprise all the way to hacktivism. The core tenants of privacy, security and personal responsibility are all represented in the current debate. I was heartened to see the diversity of opinion expressed by our community. It shows that we are examining critical issues, considering the implications of choice and the why of new technologies rather than mindlessly favoring the technical possibilities

Michael concludes his article by stating, “In the 70’s corporate and professional ethics demanded secrecy around all aspects of security. The corporate and professional ethics from the 70’s have gradually evolved to enable us to disclose information and work together on solutions so that we can not only survive but we can innovate and surpass our individual boundaries. In the end it is important to remember that while our environments are evolving we must re-examine our ethics and see if they also need to evolve.” I, for one, whole heartedly agree.

Here are some other positions on the issues of ethics in security:

ISACA: Auditors Ethics for Continuous Monitoring and Continuous Auditing: http://www.isaca.org/Journal/Past-Issues/2008/Volume-3/Pages/Auditor-Ethics-for-Continuous-Auditing-and-Continuous-Monitoring1.aspx

SANS: The Legal System and Ethics in Information Security: http://www.sans.org/reading_room/whitepapers/legal/legal-system-ethics-information-security_54

Dell SecureWorks: Crossing the Line: Ethics for the Security

http://www.secureworks.com/research/articles/other articles/ethics/