Health News Digest

June 20, 2011

More On Medical Identity Theft

Stealing medical records

By Michael D. Shaw

A few months ago, this column discussed the skyrocketing problem of medical identity theft, an offense that has the dubious distinction of being the fastest growing area within the fastest growing crime. If you need to know why, simply reflect on the folkloric statement of the late bank robber Willie Sutton: “Because that’s where the money is.”

“While credit card data will earn a few dollars on the black market, medical and medical insurance account information can sell for hundreds,” says Robbie Higgins, VP of security services at IT solution provider GlassHouse Technologies. It also tends to be easier to steal this sort of information, since unlike dealings with financial institutions, the health care industry is far more fragmented. Several providers can be involved in a single transaction, drastically increasing the potential number of security holes.

In a recent study, the Ponemon Institute—a research center dedicated to privacy, data protection and information security policy—reported that an estimated 1.5 million Americans are victims of medical identity theft, a slight increase over last year. Notably, the average cost to resolve the matter is an astonishing $20,663.

Experian’s Data Breach Resolution Blog summarized the key findings…

1. Recognizing the importance of privacy does not equate to action. Even among past medical identity theft victims, 49% took no new steps to protect themselves after their own incident.

2. Consumer indifference is fueled by lack of understanding of repercussions. 50% of victims did not even report the incidents, with a goodly number of them fearing embarrassment more than loss of insurance coverage or a lowering of their credit score.

3. Medical identity theft is a family affair. The most frequent occurrence of this offense is within a family, and is often not reported.

Some observers are beginning to think that this problem defies a legal or political solution. When one considers the family connection, the sad fact that great breaches of health care data are likely perpetrated by those who are authorized to view the information, and the finding last year by the Ponemon Institute that up to 94% of health care industry companies are not in compliance with the standards defined in the HITECH Act despite the threat of stiff fines, it is difficult to disagree.

Regarding computer security in general, once networks became commonplace, the difficulties grew by orders of magnitude. Even within the FBI, notorious convicted spy Robert Hanssen, who was little more than an amateur hacker, repeatedly broke into the computers of colleagues.

When Web browsers were first introduced, security was not a prime concern. Rather, browsers were fashioned to quickly obey all sorts of commands, enabling the rendering of a web page. The opportunities for misdeeds under such an environment are virtually limitless.

Some are relatively benign, such as tracking cookies that can place focused ads on any number of destinations. Even though the click-through rates of such placements are extremely small and seem to raise questions about their economic viability, many people will be annoyed by such personal information being spread around.

While it is possible to adjust most browsers to not allow any cookies, surfing the Web under those conditions will engender restrictions that many will find unacceptable.

But, there are countless threats that are far from benign. The most common of these result from a popular website becoming infected with a malicious script, which will run on the computer of a visitor to the site. While some offenders are content to install so-called “ransomware” on the affected machine, demanding payment to avoid some purported dire consequence, other offenders are more subtle.

They can grab passwords and personal data that could be much more valuable. A recent hack, called tabnapping, takes advantage of multi-tab browsers. Using a malicious script, offenders are able to replace an inactive browser tab with a fake, designed to collect personal data.

If there is any good news here, it’s that competition does exist among browser vendors, forcing them to provide enhanced security. I spoke recently with Karl Mattson, California-based general manager of Maxthon International, purveyors of up-and-coming browser Maxthon. Mattson described their typical users as young, tech-savvy tinkerers who want something different. Many became frustrated with Firefox and Internet Explorer.

Mattson discussed their early adoption of sandboxing, a method to isolate processes initiated by the browser so that they are prevented from doing harm. “Building a secure browser has always been a priority for Maxthon.” Mattson added this observation…

I think that in time we’ll see a much broader understanding and awareness of web security in a way that actually causes people to take action on an on-going basis. Web security will be viewed similar to the way most people understand the risks associated with driving. That vocabulary is growing and is becoming more widespread and more internalized.

The hope is that through a combination of increased public awareness and more robust software, we can deal a crippling blow to medical identity theft.