Brief Discussion on the Federal Laws to Combat Identity Theft

Article post by Anya Bennett, September 22, 2011

Credit cards have become part and parcel of our daily lives. Almost all individuals use their credit cards incessantly, and many fall into overwhelming debt. When such individuals are drowning in credit card debt and look for a way out, it is advisable to negotiate with the credit card companies in order to reduce the principal amount owed and to eliminate the interest charges or charge-offs. You can either negotiate with the companies yourself, following a few credit card debt negotiation tips, or you can hire the services of a credit card debt negotiation firm.

It is true that credit card debt negotiation firms can more effectively reduce the principal amount of debt and get interest charges or charge-offs waived by negotiating with the credit card companies. So if you are planning to hire a firm, you must be careful when picking one. That is because many firms collect your personal identification information under the promise of negotiating with your creditors and reducing your debt, but then use it for their own benefit: they use the person’s personal identification information, such as a Social Security number, to take out a loan, and make off with the money, leaving the victim with outstanding debt and damaged credit. The federal government has therefore introduced laws as a defense against this crime.

In 1982, the False Identification Crime Control Act was passed to prohibit fraud in connection with identification documents. This law makes it illegal for anyone to transfer identification documents, or to create their own, when they know the documents are either fake or stolen. It also makes it illegal for anyone to own the equipment for printing such identification documents. However, this law did not reach anyone transferring identification information over the phone or by mail to commit identity theft.

The Identity Theft and Assumption Deterrence Act of 1998 makes identity theft a federal crime with penalties of imprisonment for up to 15 years and a maximum fine of $250,000. This law makes it illegal for anyone to use another person’s means of identification, which covers a wide range of identifiers such as a person’s Social Security number, name, date of birth, license number and others. It also prohibits transferring identification information through physical documents as well as over the phone or the internet.

In December 2003, the Fair and Accurate Credit Transactions Act was passed to allow people whose identities had been stolen to work with the credit bureaus on having their credit restored. The act also allows them to obtain a credit report from the three nationwide consumer credit reporting companies, and it helps reduce identity theft by enabling individuals to place alerts on their credit histories if identity theft is suspected.

In conclusion, though these federal laws have been passed, there is no certainty that identity theft will not occur, nor is there any certainty that your credit score will be restored if you fall victim to the crime. So you must be alert and careful in your daily life. Be cautious when hiring any debt negotiation firm or when applying for a job, and ensure that the companies are legitimate.

Frightened Immigrants Unknowingly Become Instant Thieves

November 20, 2010

When looking for help upon entering the US, they usually find it in the wrong places

In the US, when a person thinks of an identity thief, the picture that immediately comes to mind is an illegal immigrant.  Although this is a falsity, it is not altogether unfounded.

First, let me make myself very clear.  Identity thieves come in all shapes, sizes, colors, and nationalities.  They could be your mother, your brother, your employee, or your best friend.  In pursuit of money, or “living large”, there are people that will do outlandish things without caring how it affects the lives of others.

People who come to America seeking the dream of happiness, freedom, and success are generally ill informed as to the laws, employment and living systems, and even the cultural standards by which we all live.  Planning effectively for arrival and assimilation is next to impossible.  So, when they arrive stateside, they have a tendency to seek out and immediately trust their own kind.   That is what typically gets them into trouble right out of the gate.

Picture a mother and her children.  She meets another person native to her country that offers her all the paperwork and identification information that she supposedly needs for a sum of money.  One hundred sacred dollars or so, and voila, she has a Social Security number, a driver’s license, and other documents that prove her and her family as legal visitors or citizens, without having to face frightening foreign government officials.

And now, they are all identity thieves, without even realizing it—guilty without even knowing that they’ve committed a crime.  As they struggle along to make ends meet, they get jobs upon providing the necessary cards and numbers that are requested of them.  They work and are never told about the tax system here and what is required of them, with regard to filing returns.  Deeper and deeper into the hole they go, because they just don’t know, and are too afraid to ask for help from our Government agencies.

And when we find out that we are a victim of an identity theft, and that some immigrant is using our personal information to work, to get medical help, to buy large ticket items, and not pay taxes (our taxes, in fact, since they are working in our names), we are justified to be angry, and miserable, and vengeful.

We want our identity back, and we want justice.
They just want freedom and survival, and never intended to hurt us.

It’s a vicious cycle that needs to be broken.  Our government is working hard to find thieves, and bring them to justice.  But the ignorant individual thieves are not the primary problem.  We need to stop the organized groups that prey on the frightened immigrants.  The crime rings are the source of this niche of the humongous world of identity theft.

We could stand to help these innocent individuals.  Help them understand how to obtain valid visitor documents; how to live in the US, work and pay taxes; how to protect their assets as they accrue, and how to protect their US born children who are U.S. citizens.

Here’s a quick story of a man that I know who is here legally for 16 years.  He has his valid ITIN number, and has 4 US born children who are U.S. citizens.  Most of his extended family is here, many of them illegal.  This man and I are working together to get him legal help for a few issues where he’s been “had”, and also to help him get his citizenship.  I asked him if he had a Will so that his children and assets were protected, if something should happen to him or his wife.  He said, “A Will?  What is a Will?”  I asked him, “Who will get your children if you and Rosa die?”  “My cousin”, he answered.  “Is your cousin a legal U.S. citizen?”  No, of course not.

Where my friend is from, they don’t have Wills.  If the parents die, the family takes care of the children, and that’s that.  I told him that here, since his children are citizens and he has a house, and some money, he and his wife need to prepare a Will, or the Court system will decide what happens with everything that is theirs.  No cousin!

Now, with my help, he has spoken for the first time, with a lawyer.  I found one who speaks his language.  He was frightened and reticent at first, but now he’s ecstatic and excited.  He wants to help his friends and family, like I’m helping him.  I gave him the tools, opened the door, and gave him a nudge.  Now, he’s on his way, finally, after 16 years.

The bottom line, if we help our immigrant population to live smartly here, the number of immigrants that become identity thieves will drop dramatically.  If we teach them to manage their financial lives, their kids will grow up smart and secure, and will surely be strong contributors to bettering our country.

Hackers, Thieves Love to Hate (Hack) Federal Entities

October 22, 2010

Don’t assume you’re always safe on government Web sites

As the wife of a retired military officer, I enjoy the benefits of terrific medical care, strong banking institutions, and much more. With that care, you would think that you’d also have the benefit of feeling sure that your identity is also secure.

Not so. In fact, hackers, terrorists, and thieves all love to target federal institutions. It could be spite, it could be a game, it could be a national threat. No matter. Just because we use TriCare, USAA, and the VA does not mean we are protected from identity theft. Not by a long shot.

Last week, I logged onto the TriWest Web site to check the status of a claim. Up pops a long notice on a breach that had just occurred. Considering the extent of the theft, I’m left exposed. Here’s the bulk of the text from the site. Read it carefully:

A potential compromise of Protected Health Information (PHI) and/or Personally Identifiable Information (PII) belonging to approximately 4,500 TRICARE beneficiaries was recently discovered. The potential compromise occurred because a fax containing an authorization or referral letter was mistakenly faxed to the incorrect number. The majority of the misdirected faxes were sent to healthcare entities governed by privacy laws. Additionally, the fax coversheet used to transmit the authorization and referral letter contained instructions for the disposal of the faxed information in the event that it was sent to an incorrect location; therefore, we believe that the probability is very low that the information would be used for an improper purpose. Those who may have been potentially affected by this compromise will receive a notification letter; however, this notice serves as a general announcement.

The compromised information may include first and last name, sponsor Social Security Number, date of birth, and provider information to include procedures and diagnosis. . . .

Of course, the notice minimizes the possibility of the breach affecting me, but how do I really know?

Four years ago, when the general awareness of identity theft was less widespread, the VA notified the public of a massive incursion in which a database containing sensitive information had been stolen after an employee violated policy and brought the data home. The database contained the names, Social Security numbers, and dates of birth of as many as 26.5 million veterans and their families.

The VA spent many marketing dollars to assure the public that this and all other security risks were being rectified and no other breaches would occur—guaranteed. Then, in May 2010, two more breaches were uncovered. One involved a contractor’s laptop that was stolen on April 22 and contained unencrypted personal information on 616 veterans. The second occurred in May and involved “thousands” of veterans’ personal information at a VA facility, according to a congressional source familiar with the breach, who spoke on condition of anonymity. Both incidents occurred in Texas.

“These breaches clearly indicate the VA lacks focus on its primary responsibility of protecting veterans’ personal information,” Representative Steve Buyer (R-Indiana) said in his letter to the VA. “It also shows that senior managers have neglected their responsibilities, that there is no clear definition of responsibilities; nor a delineation of responsibilities.”

This problem has become such a dominant issue that new national identity protection laws—the 2010 Data Security Act, the Data Breach Notification Act, and the Personal Data Privacy and Security Act—are finally working their way through the Senate and appear to have some bipartisan support. These proposals offer a wide-ranging response to the growing problem of identity theft. The idea of the bills is to establish national standards for cases of data breaches—an issue that is now handled by varied and conflicting state laws.

So what does this mean for us? Even with these new laws, we are on our own as individuals. Don’t assume you are safe and protected just because you are using government institutions to house your money, receive financial assistance, and get medical care. These entities are simply an amalgamation of many regular folks, and these folks are not able to eliminate our risk of identity theft.

Always assume that you are exposed. Be proactive: get a service that provides identity theft protection and/or restoration for you and your family. It’s not foolproof, but it does lower your risk somewhat; and most importantly, it gives you some peace of mind.

FREE WEBINAR: Understanding ID Theft: Threats, Effects, Services, and Solutions

A decade ago, people thought nothing of sharing their Social Security numbers and personal information, and identity theft was seen as a rare occurrence. Now this debilitating crime has become a pandemic, and everyone must take action to put a protective wall around themselves.

In this FREE WEBINAR, Silver Planet columnist Ora DeMorrow explained the primary ways that identity theft manifests itself in our daily lives and what the effects are. She also discussed the many types of services people should consider when determining how to get the best protection.

Ora is owner and president of ID Security Solutions, a services company focused on protective and restorative identity theft and fraud solutions for individuals, small business, and corporate enterprise.

This event occurred on June 4, 2010. Please view the webinar FREE.

Kroll Fraud Solutions on Improving Data Security Practices in the Healthcare Industry

Hi Ora,

I hope this note finds you well. My name is Monica, and I’m writing on behalf of Kroll Fraud Solutions <http://krollfraudsolutions.com/>, a leading provider of data protection and identity theft response services. As ID Security Solutions covered in April <http://idsecuritysolutions.wordpress.com/2010/04/10/critical-gaps-in-hospital-data-security/>, earlier this year Kroll released the 2010 HIMSS Analytics Report: Security of Patient Data <http://www.krollfraudsolutions.com/about-kroll/HIMSS-Security-Patient-Data.aspx>, a survey that identified significant vulnerabilities among healthcare providers nationwide when it comes to securing patient data. Now, in a rapidly changing landscape – from the transition toward EHRs, to new regulatory requirements, to increased pressure from oversight agencies – protecting healthcare organizations’ bottom lines and patients’ sensitive information is only becoming more difficult.

Given these factors, there is no better time for those in the healthcare industry to do a pre-breach checkup, assessing areas of risk, closing security gaps, and preparing your organization’s breach response plan for when the inevitable happens. Below, I’ve included several tips from Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division, on how to improve data security measures in an ever-changing environment. Lapidus regularly advises healthcare organizations in breach preparedness practices that are essential to both information security and regulatory compliance.

Please let me know if you would like more information, or if you have any questions for Brian. I hope you’ll consider sharing the information with your blog readers.

Thank you,
Monica Goldenberg
On behalf of Kroll Fraud Solutions
monica.goldenberg@fleishman.com

As the healthcare industry prepares for a major shift to EHRs over the next several years, providers must take important steps to make sure their data security practices are in good health.

Protect outsourced data. Your organization must know exactly where and how your data is stored with all of your third-party vendors. This includes service providers, like labs, as well as internal service arrangements like remote hosting or backup storage facilities. If the organization is considered a Covered Entity (CE) under HITECH, your Business Associates (BAs) are required to notify you if they have a breach. However, it is the CE’s responsibility to notify the individuals and the appropriate federal entities. Specifically:
· Know where data stored by BAs is physically located, particularly if it is going to an offshore facility – depending upon the laws of that country, the BA may be under no obligation to notify you in the event of a breach or to turn over evidence in legal discovery.

· If you haven’t already done so, make sure all of your BA contracts contain strong provisions regarding data privacy and security and detailed guidelines on what to do in the event of a breach. This should include proof of employee training and background checks – two fundamental aspects of a good security plan. Half of the respondents to the HIMSS survey indicated that they did not require proof of employee background checks from third-party vendors, and 40 percent didn’t require proof of employee training.

Make sure all portable media devices are fully encrypted. HITECH specifies notification in situations where the PHI that has been lost or stolen is “unsecure” – that is, PHI that has not been rendered unusable or unreadable through some means, generally through encryption. Full disk encryption, especially of portable media devices, is a valuable means of securing any and all sensitive information, and regulators are increasingly looking to encryption as a means to ensure compliance with privacy and security laws. For instance, Nevada has legislation that went into effect at the first of the year that, in general terms, requires the encryption of all personal data transmitted electronically, except via fax. In making the case for encryption, make sure organizational decision makers understand that “password protection” does not equate to encryption.  Kroll has had clients who thought they were covered when a laptop was stolen because it was password protected, but this is still considered unsecured data under HITECH provisions.

Train your staff. Employee training is the most important thing an organization can do to ensure that its privacy and security policies are correctly implemented. The most successful organizations make training part of the culture, as compared to those organizations that limit training to reviewing a manual and signing an agreement. Employees of healthcare organizations often have widely varying responsibilities and touch points with patient data, so it’s important to construct a training program that is relevant to job function and level of sensitive data handling. We see many organizations make the mistake of not training employees on relevant new legal requirements, new security threats and other current topics. Simply learning how to detect a breach of information can be invaluable, given the notification timelines under HITECH.

Plan for an event, and then test your plan. The HITECH act specifies that notification must occur “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” Let’s face it – from the moment you uncover a breach, every second counts. That’s why all healthcare organizations are under pressure to develop and implement a breach preparedness and actionable incident response plan. But having the plan is not enough; in light of the rigorous requirements, it’s best to make sure the plan is thoroughly tested and frequently reviewed for updates in the event of changes within the organization. Testing may include a tabletop drill, in which all stakeholders are brought together for a “dry run” of the response plan in the face of a mock breach scenario. Additionally, don’t be afraid to study other organizations’ breach events and learn from the experiences of others, as these real-life cases can be great teachers.

Understand the complexity of breach response and notification requirements. Even though the new requirements are federal, your organization will still be required to comply with state laws that govern the breach of PII and PHI. Depending upon the number of affected individuals, among other variables, your notification requirements under HITECH (and other applicable state laws) could include notifying the Department of Health and Human Services (HHS), the Centers for Medicare and Medicaid Services (CMS), local media and state attorneys general offices, as well as affected businesses. Missing deadlines could result in hefty penalties or fines. Clearly, notification is about far more than mailing a letter. Perform a little due diligence and prepare a list of possible vendors that can assist in coordinating breach response, crisis communication, and notification responsibilities. Depending upon the size and scope of the breach, sometimes bringing in outside help is essential to maintaining the day-to-day operations of the organization.

It is important to remember that, although the provisions that appear in the legislative text of HITECH are aimed at expanding the use of electronic records, most of the privacy and security provisions apply to both electronic and paper records. Whether an organization plans to go electronic or not, the pre-breach checkup will be essential in being compliant with federal and state regulations.

For more information on data security issues, visit www.krollfraudsolutions.com <http://www.krollfraudsolutions.com> or check out the new Kroll blog “A Dialogue on Data Security” <http://www.krollfraudsolutionsblog.com>.


The Importance of Professional Data Recovery for your PC

Professional Data Recovery for PCs Ruined by Hacking and Viruses

Everyone has either heard of, or even experienced first hand, the damage sustained by personal computers from computer viruses infecting the system, and hackers breaking in and gathering private data.  The amount of personal and often critical data that is lost or stolen by identity thieves is just the beginning.  In most cases, the information on the machine is gone and the system just stops working.

The effects reach beyond the computer itself. Victims have to deal with the potential spread of the effects of a computer breach, reaching into financial, Social Security, criminal, character, and even medical identity theft.

The first thing that victims must do is to check their credit reports and with their banks and credit card companies to ensure that the spread has not occurred in their financial identities.  Then, the next major task is to determine how to recover the information lost from an infected and seemingly destroyed computer.

Many people in this position will just throw their computer away, and buy a new one.  But data is recoverable, with the right tools.  In the wrong hands, this is a devastating fact, as the wrong people can recover that data and use it against you.  But, in the right hands, companies like DataTech Laboratories can recover that data for you, and enable you to retrieve your personal files and recover the use of your machine, clean of the virus that hit it in the first place.

Mike Sarley, Vice President of Technology at DataTech Laboratories, headquartered outside of Denver, Colorado, explains the importance of working with professionals to help recover your lost data.*

One of the most frequent questions we get asked as a professional data recovery company is ‘what is the difference between your services and simple software that I can buy in a store?’ There are many differences in the services that DataTech Labs offers compared to software recovery solutions, and I will do my best to explain them briefly and concisely.

Software solutions are very basic, and do not have the capability to diagnose what is wrong with a hard drive and determine the best way to recover valuable data based on the physical health of a hard drive. There are hundreds of reasons that can cause a hard drive to fail or not be accessible by a user.

The data recovery business is much like that of a hospital; we have hard drives (patients) and we have recovery engineers (doctors) that have spent years studying the most effective way to retrieve data from each customer’s unique failure. A failed hard drive is similar to a sick patient. A doctor must first determine what is wrong with a patient before they can choose the best way to treat that individual; the same goes for hard drives. Over-the-counter software solutions can be equated to a big red pill that a drug manufacturer claims can ‘cure any and all sicknesses.’ There is no diagnosis; the manufacturer simply packs as many types of medicine as possible into one pill and hopes that one of the medicines will cure the patient with the least likely chance of killing them.

Software solutions will work occasionally, just like a big red ‘fix all’ pill; however, there is a great amount of risk involved, and you have to ask yourself how important your data is. If someone took a ‘fix all’ pill that contained penicillin and they were highly allergic to it, they would be killed. This is exactly what software utilities can do to your data if they are used without first diagnosing the problem. Software can completely wipe out your data, making it unrecoverable even for our expert engineers.

Software solutions can attempt to recover data if the drive is responsive; however, they cannot diagnose what is wrong with the drive or determine the best way to recover data. It can be equated to standing over a sick, unconscious person, yelling ‘Are you okay? Are you okay?’ over and over again with no attempt to diagnose what has happened. The person will never answer, and all you have diagnosed is that the person is unresponsive. This is similar to simple recovery software.

DataTech Labs professional data recovery services use hardware tools to evaluate the physical health of a hard drive and its internal components before attempting any type of recovery. Only once our professional data recovery engineers have determined what is wrong with a hard disk, will they attempt to retrieve data. Hard drives are unique, much like patients. Two identical hard drives can have a similar failure (or sickness), however, they must be treated differently depending on individual factors.

The most important thing to keep in mind when it comes to data recovery is that true data recovery professionals have the best chance at retrieving your irreplaceable data through years of practice and study. Don’t take chances.  Work with trusted experts.

* DataTech Laboratories is a trusted partner of ID Security Solutions.

Sneaky Ways Identity Thieves Get Your Information

And steps you can take to thwart them

By Ora DeMorrow, ID Security Solutions

After watching a CBS Evening News segment on the dangers of copiers in workplaces, retail locations, and offices that retain personal information to establish insurance, bank, and other accounts, I was appalled at how exposed we are without even realizing it. Here are a few examples of where your identity is vulnerable:

Gas stations

A few years back, two clerks at neighboring gas stations collaborated, installing skimmers on a single pump at each station. In one day, they managed to empty 650 bank accounts of people who had paid using their bank debit cards and PIN numbers.

What is a skimmer? A skimmer is a small electronic device installed to swipe and store hundreds of victims’ credit card numbers and PIN numbers. The device is put over the card input slot and closely resembles a standard card slot. Take the following steps to protect yourself:

  • Use secure card reader machines under video surveillance. They’re less likely to be tampered with.
  • Pay careful attention to what the card reader and keypad normally look like on the machines you use most frequently.
  • Don’t use an automated gas machine if the card reader appears to be added on, fits poorly, or is loose. Some thieves place a fake box over the card slot that reads and records account and PIN numbers.
  • Call the customer service number on the gas machine immediately if it appears suspect or if it does not function properly.

Printers and copiers

Nearly every digital copier built since 2002 contains a hard drive, storing an image of every document copied, scanned, or emailed by the machine. This has turned a standard business tool into a digital time bomb loaded with highly personal or sensitive data.

These copier hard drives are the same kind of data storage device found in your computer. Used to reproduce documents, these seemingly innocuous machines—which are commonly used to spit out copies of tax returns, medical cards, employee records, and more for millions of Americans—can retain the data being scanned.

Identity thieves easily remove the drives from workplace copiers and, more commonly, from abandoned ones considered worthless and left as trash by businesses that have moved or gone under. As the saying goes, one man’s trash is another man’s treasure. The money is on the hard drive left inside.

The bottom line? Invest in a good-quality multifunction printer/copier and copy as much as possible at home. Hint: Make a copy of your medical card at home, and bring it to your doctor’s office. Show them the original card, and hand them the copy, instead of having the ID copied there. If you can’t avoid using outside establishments, ensure that they have installed encryption devices, which greatly lessen the chance of information theft.

Pre-approved credit card offers

Most of us get pre-approved credit or debit card offers in the mail weekly. We tend to just ignore these come-ons, flipping them into the trash as we sift through our mail. But now is the time to pay attention to them and be sure to safely dispose of all such offers.

Do not toss pre-approved credit offers in your trash or recycling bin without first tearing them into very small pieces or shredding them with a diamond-cut shredder. They can be used by “dumpster divers” to order credit cards in your name and have them mailed to their address. This is especially easy since all an identity thief has to do to get all your mail is to fill out a simple change of address card at the post office, hand it to a clerk, and walk out without providing proof of identification.

Make it a habit to shred all sensitive information, period. We’re talking credit card receipts, phone bills, bank account statements, investment account reports, and so on. Home shredders can be purchased in most office supply stores.

The smartest solution

There are too many ways to be victimized to implement every possible measure to secure your identity, and you can’t live life in a bubble. Just do what you can manage to minimize exposure, and consider a monitoring, protection, and restoration service such as Identity Theft Shield [1]. They are typically monthly subscriptions costing between $10 and $20. The cost is well worth the peace of mind!

Find my monthly articles on www.SilverPlanet.com.

Personal Data Still Leaking Despite New Digital Healthcare Rules

Nearly eight months after new rules were enacted requiring stronger protection of health care information, organizations are still leaking such data on file-sharing networks.

One of the more than 3,000 files discovered was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.

6 ways unified identity management pays off

By John Zyskowski, May 10, 2010

The benefits associated with implementing a unified identity system include:

  • Increased security, which directly correlates to a reduction in identity theft, data breaches and trust violations. Specifically, such an approach closes security gaps in the areas of user identification and authentication, encryption of sensitive data, and logging and auditing.
  • Compliance with laws, regulations and standards, and the resolution of issues highlighted in Government Accountability Office reports of agency progress.
  • Improved interoperability, specifically among agencies using their PIV credentials and other partners with PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework. Additional benefits include minimizing the number of credentials that require life cycle management.
  • Enhanced customer service, both in agencies and with their business partners and constituents. Facilitating secure, streamlined and user-friendly transactions — including information sharing — translates directly into improved customer service scores, lower help-desk costs and increased consumer confidence in agency services.
  • Elimination of redundancy through agency consolidation of processes and workflow, and the provision of governmentwide services to support those processes, with resulting reductions in the overall cost of the security infrastructure.
  • Increased protection of personally identifiable information by consolidating and securing identity data, which is done by locating identity data, improving access controls, proliferating the use of encryption and automating provisioning processes.

Critical Gaps in Hospital Data Security

Study points to critical gaps in hospital data security

April 06, 2010 | Mike Miliard, Managing Editor
NASHVILLE – Even as providers work to update their security environments, hospital data continues to be at serious risk, according to the 2010 HIMSS Analytics Report: Security of Patient Data.

Despite new statutory requirements for healthcare privacy and security, the study found critical gaps in data security – and its findings suggested that efforts to keep data safe were often more reactive than proactive, with hospitals dedicating more resources to breach response than to breach prevention.

The report, based on a biannual survey of 250 healthcare professionals nationwide, was commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services, in partnership with HIMSS Analytics, a wholly-owned, not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS).

“The results of the latest study are bittersweet to say the least,” said Brian Lapidus, Kroll’s chief operating officer. “On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance. On the other, organizations are so afraid of being labeled ‘noncompliant’ that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a ‘check the box’ mentality around compliance to a more comprehensive, sustained look at data security.”

When the last HIMSS Analytics report on the security of patient data was released in April 2008, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the primary regulatory requirement for hospitals. At that time, the study suggested that HIPAA’s focus on medical privacy fostered a significant lack of awareness among healthcare providers around the frequency, cause and seriousness of patient identity theft.

Unfortunately, despite the recent flurry of regulatory activity around patient data security, and the severe financial penalties these laws impose, the same is true in 2010, according to the new report, whose key findings include:

  • Despite new regulatory activity, including the implementation of the Red Flags Rule and the HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
  • The majority of survey participants indicated that they were compliant with existing laws and regulations.
  • Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
  • The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
  • When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
  • Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million.
  • Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs — down from 18 percent in 2008.
  • Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
  • Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
  • Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.

The 2010 HIMSS Analytics Report did note significant differences between security policies and procedures according to hospital type. For instance, critical access facilities lagged behind general medical/surgical facilities and academic medical centers in several key areas, including monitoring electronic patient health information access and sharing (74 percent of respondents from critical access hospitals said their organization has such policies in place, as compared with 100 percent of academic medical center respondents and 95 percent of general medicine/surgical); and auditing processes for sharing patient data with outside entities (61 percent of critical access hospitals reported conducting regular audits, compared with 90 percent of academic medical centers and 80 percent of general medicine/surgical hospitals).

“We’d still like to see increasing maturity of data security function — from a checklist compliance approach to an organization-wide risk management approach,” said Lisa Gallagher, senior director of privacy and security for HIMSS. “We’d like to see recognition of security risk as a business risk and have the function appropriately supported and resourced by executive management. The healthcare environment is only going to become more complex over time with the emphasis on health information exchange and new technology approaches such as cloud computing.”

The full 2010 HIMSS Analytics Report: Security of Patient Data is available from HIMSS Analytics.
