This is about IT policy rather than implementation, so if folks think it's OT here then I won't continue with this.

I'm still on about matching security responses to actual threats.

In the "Immutable Audit" thread I said:

> Also IMO, the obsession with security with regard to health records is over
> the top. I've always been taught that the first principle of devising a
> security system for data is to evaluate the nature of the threat, and then
> base the security system on that. If you're dealing with credit card numbers
> or other financial data, then yes, that stuff faces serious threats that
> justify almost anything you can do to protect it.
>

To which Matt replied:

You obviously haven't met the HIPAA folks have you???

And I said:

> There is very little incentive for people to misuse health data, and no
> financial incentive that would justify expensive efforts to do so. The only
> money to be made here might be by stealing Medicare or Medicaid numbers. But
> this kind of fraud is only--and can only effectively--be perpetrated by
> crooked medical practitioners.

And Matt said:

Au contraire....

Identity theft and medical fraud are BIG BUSINESS and RAMPANT... one
of the 5 main things for front line HIPAA compliance they hammer into
us twice a year is what is called "Red Flag Reporting" which is to try
and prevent these frauds from happening.

I have gobs and gobs of access to medical records, but I can't legally
even go in and look up my own records, my wife's, a friend's, etc. And
there's an audit trail for every time I go in there....

To which I respond:

My previous statements were imprecise, so I'm going to try to clarify what I meant.

I can imagine that the HIPAA bureaucrats are big on this. But here's the thing:

"Identity theft" encompasses a broad range of behavior. It's "identity theft" if somebody misuses some person's identifying data. But that doesn't address HOW the misuser got that data.

I have been unable to find a single case where J. Random Cracker broke into a database, stole a bunch of Medicaid or Medicare numbers, and then either used them to fraudulently bill for services, or sold them to somebody else who did the fraudulent billing.

As an example, in my research I came across a story from TX in October 2012 that described 5 sets of indictments for Medicare fraud. The leading paragraph of the story claimed that somebody stole lists of Medicare numbers and used them for fraudulent billing. But when I read the details on each of the 5 sets of indictments, I saw that no such thing had taken place. In each case, some pre-existing medical provider, that already had Medicare numbers in its database, *itself* used them for fraudulent billing.

News reporters typically do not understand complex issues. My organization deals with the media all the time. In almost every story they report about us, or about some issue that is important to us, they make errors of fact. Reporters don't understand distinctions between random theft of lists of Medicare numbers on the one hand, and misuse of numbers already in some medical crook's possession on the other.

Regulatory bureaucrats also typically don't understand complex issues, and their general approach to everything is CYA. IT policy makers, however, should understand the distinction because the security responses are different.

The fact is that you can't just get somebody's Medicare or Medicaid number and submit fraudulent bills using it. You can't bill Medicare or Medicaid at all unless you first go through a pretty involved process to become a certified provider of medical goods or services. I'm not saying it's impossible to fake such a process; I'm saying I can't find an example of anyone who has ever done it.

Crooks of a geekish nature can make more money more easily by stealing credit card numbers, running phishing schemes, or directly tinkering with bank records, than they can by somehow constructing entirely fraudulent medical businesses from scratch, getting them certified as Medicare or Medicaid providers, and jumping through the many, many hoops that are required to submit a bill.

All of the Medicare and Medicaid billing fraud I've seen was committed by people who own or work in businesses that have that certification--that is, they are, or at least started out as, legitimate medical providers. They don't use "stolen lists" of Medicaid or Medicare numbers that they bought on the black market from some shadowy cracker. They use the Medicare and Medicaid numbers they already have in their databases from their legitimate patients--some of whom, admittedly, may be dead or otherwise inappropriate for the services being billed.

Yes, that's "identity theft". No, it can't be prevented by encrypting data or making people change their passwords.

The people who do this have, in the ordinary course of business, legitimate access to these numbers, and the ability to generate and submit bills using them.

The problem is that up until very recently, the software that receives and pays bills was so brain dead that it could not detect that dead people were receiving medical services or that a single dentist was billing for 90 dental procedures every day. As is often the case when dealing with government, it's the government that messed up and is now trying to hold somebody else accountable for its own failures.

So you're right: It's a good idea to use role-based security to control who can access what data, maintain logs of who accesses or outputs what and when, and to take reasonable steps to protect those logs from tampering. Unattended software shutdown is another good idea.

My software had most of those features before HIPAA was even enacted (I probably should beef up my logging a bit).

But data encryption, forced password changes, and account lockouts after multiple login failures are responses that are not aimed at the actual threats facing medical records, and should not be required when handling them.

Let the flaming begin.

Ken Dibble
www.stic-cil.org
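The payer-side checks Ken says the billing software lacked (services billed for dead enrollees, one provider billing 90 procedures in a day, bills from anyone not on the certified-provider roster) are simple to express as a screening pass over incoming claims. The block below is an added illustration, not code from the post or from Ken's software; the patient roster, provider registry, claim layout and the daily limit of 40 are all constructed for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the post): the payer's view of enrollees,
# its certified-provider registry, and a batch of submitted claims.
PATIENTS = {            # enrollee id -> date of death, or None if living
    "P001": None,
    "P002": date(2011, 3, 4),
    "P003": None,
}
CERTIFIED_PROVIDERS = {"DR-100", "DR-200"}

def make_claim(cid, provider, patient, day, proc="D7140"):
    return {"claim": cid, "provider": provider, "patient": patient,
            "service_date": day, "procedure": proc}

CLAIMS = [
    make_claim("C1", "DR-200", "P001", date(2012, 10, 1)),
    make_claim("C2", "DR-200", "P002", date(2012, 10, 1)),  # enrollee died in 2011
    make_claim("C3", "DR-999", "P003", date(2012, 10, 1)),  # provider not certified
]
# One dentist billing 90 extractions for a single day, all on living enrollees.
CLAIMS += [make_claim(f"X{i}", "DR-100", "P001" if i % 2 else "P003",
                      date(2012, 10, 2)) for i in range(90)]

def screen_claims(claims, patients, certified, daily_limit=40):
    """Return (key, reason) pairs for anything a human should review.
    Per-claim checks first (provider status, enrollee status), then a
    per-provider, per-day volume check across the whole batch."""
    flags = []
    for c in claims:
        if c["provider"] not in certified:
            flags.append((c["claim"], "uncertified_provider"))
        if c["patient"] not in patients:
            flags.append((c["claim"], "unknown_patient"))
        else:
            dod = patients[c["patient"]]
            if dod is not None and c["service_date"] > dod:
                flags.append((c["claim"], "service_after_death"))
    per_day = Counter((c["provider"], c["service_date"]) for c in claims)
    for (prov, day), n in sorted(per_day.items()):
        if n > daily_limit:
            flags.append((f"{prov}@{day.isoformat()}", f"daily_volume_{n}"))
    return flags

if __name__ == "__main__":
    for key, reason in screen_claims(CLAIMS, PATIENTS, CERTIFIED_PROVIDERS):
        print(key, reason)
```

None of these checks depend on encrypting the record store or rotating passwords; they work on data the payer already holds, which is the point of the post.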

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.