I recently read an excellent piece on BenefitsPRO about cyberattacks in health care. The article noted that the value of a stolen health identity is 10 times what a credit card is worth. This number reflects the cyber thief’s calculation: How much can I steal multiplied by what are the odds of getting away with it. The answer to this equation makes a health identity that much more valuable in the black market.

Part of the reason for the reduced value of a credit card is the lower odds of getting away with the crime, and the amount that can be stolen has been significantly reduced by credit bureau reporting of transactions in real-time. We’ve all had one of those calls (“Mr. Leston? This is your bank. Your card is being used to buy tires in Istanbul, so we wanted to make sure you had your card in your possession…”) [a real case]

Stolen credit cards aren’t worth what they used to be. We need to make health identities less valuable to cyber thieves, as the financial industry has done with credit identity. Health plan and benefit executives need to start with the assumption that health and benefits information has already been compromised; unfortunately, the odds are that it has. It is already widely available; the reasons are below. The priorities should not only include limiting access to the benefits information, but preventing inappropriate use in daily interaction with the health care system.

Health plan breaches and hospital ransomware have garnered a lot of press, but two current trends contributing to the increase in health care identity theft affect benefits executives and employees closer to home. The insurance risk (and the risk of fraud) has been shifted from the health plan administrator to the employer and now to the individual. A high-deductible health plan (HDHP) is essentially self-insurance, including the risk of health care identity theft, for which there is no cap like there is for credit card losses. And since any fraud recoveries are due to the policy holder, no health plan CEO or CFO is going to approve spending money to get back somebody else’s money. Individuals are also the least equipped to address the problem of medical identity theft, and are most at risk.

The second contributing factor is the proliferation of electronic medical records. There are 50 percent more EHR systems in physician offices than there were in 2009. Our health care identities and benefits information are stored on the computers of every doctor, hospital pharmacy, physical therapist, X-ray center, etc. we have ever visited. Small medical practices do not have chief information security officers and contain tens of thousands of individual medical histories, Social Security numbers and health insurance details. Their systems are just as valuable to a cyber thieves as health insurers’ systems, if not more so, and are easier to access.

The long time shortcoming that makes health cybersecurity more important is the way we pay claims. Health care represents 20 percent of our economy, yet the bills are paid without any inkling of whether the services were actually rendered. This contributes to the attractiveness of stealing health information. Borrowing from our credit card example above, the “tires” will likely show up on our statement (an explanation of benefits), and if we are paying attention, we call the health insurance company and tell them that we weren’t being treated by this provider. We also got a bill for copayments or co-insurance from the provider we didn’t see. All of this happens weeks after the service was supposedly rendered.

Health care cybersecurity has to address both sides of the “how much can I steal / what are the chances of getting away with it” equation. Securing health records address part of that equation. As long as health information is everywhere, the security of health records is only as strong as the provider system with the weakest access controls.

The damage is not in the theft of records, per se, but in their inappropriate or illegal use. Along with securing access to the records themselves, individuals and health plan executives in sponsoring companies need to think and act about the use of benefit information in everyday interactions with the health care system, primarily in the claims and payment side of the industry, where the greatest near-term damage can be done.

What can individuals and benefits executives do?

The best way to prevent inappropriate use of health insurance records is to create or use an independent data source to validate the claim before it is paid. Like credit monitoring that notifies an individual that their “identity” applied for a mortgage, individuals need to know that their health identity was used to receive health services. In both cases, this notification and reporting must take place before the transaction is approved and funds exchanged. The credit industry does this now; the health benefits industry does not. This is most effective at the point of care to inform the physician that a compromised identity is being used to obtain services under someone else’s benefit plan, although capturing validation from the insured prior to payment will also help. These validations from an independent source will prevent many of the medical identity thefts from turning into fraudulent medical claims. The benefits executive and their administrator must work collaboratively.

The benefit executive cannot assume that their administrator will take the lead in this. The administrator should not assume that they can ignore medical identity theft and merely pass the costs down the chain. An effective, collaborative solution will require benefits executives and plan administrators to provide tools for verification, and adding that verification to the claims payment stream will provide employees, health plans and benefits executives greater protection from cybercrime.

The National Association of Insurance Commissioners introduced a ‘Cybersecurity Bill of Rights’ which states, "Receive a minimum of two years of identity theft protection from the insurer, insurance producer, or other state-regulated entity in the event of a data breach.” This is limited to credit protection. HR1770, introduced in Congress recently, further limits responsibility of the party whose system has been breached to notify the victim promptly.

To date, there is no pending legislation to blunt medical identity theft, a serious and costly issue that can readily affect the 90 million Americans who have had their benefits information compromised. Unless benefits executive and administrators act, some portion of that 90 million will be too busy warding off collection agencies trying to recover the co-insurance portion of the surgery bill the employee never had.

Instant Insights /

Cybersecurity and health identities: Strategies beyond health plans and hospitals

More From HR Executive

Related Stories

Recommended For You