SAN FRANCISCO -- Online criminals know that medical records are a goldmine, and they are using the data to steal drugs or peek into others' medical history, health care security experts said.
To catch such medical identity fraud activity, the company uses financial fraud detection tools, Chan said, noting that part of his job involves working with the company's fraud department.
Ryan Brewer, CISO at the Centers for Medicare & Medicaid Services (CMS), said there have been phishing attacks in which fraudsters try to lure users with offers of cheap medications; the links in the phishing emails lead to spoofed CMS websites that try to collect personal information.
Unlike credit cards that can be replaced if stolen, health care information doesn't change, making it especially valuable to thieves, Brewer said.
"The bad guys realize that stuff is good for life. You can't change your blood type," he said.
David Young, the IT director of Web services for Geisinger Health System, a northeastern PA integrated healthcare delivery system, said his company has used audit logs to catch people spying on the medical records of their ex-spouses and others. The organization has also caught fraudsters exploiting the forgotten password feature on a Web portal; his firm sends physical letters to patients to alert them of the password change, which has succeeded in catching 95% of the fraudulent activity.
His company is also seeing a lot of cases in which people are using relatives' health insurance information in order to receive emergency treatment.
Geisinger Health Systems has several portals, including ones where patients can view lab results and renew prescriptions. The company has been shifting from a rule-based security model around its Web portals to a risk-based authentication model that's been used in the banking industry, Young said.
A risk-based approach takes into account user characteristics, including how a person types, and examines other factors, such as IP address, to allow online access to personal health data. That risk engine is tied into a fraud network that banks and other types of companies connect with to identify fraudsters, he said. In contrast, a rules-based approach uses such techniques as blocking access after three failed login attempts.
Chan said Express Scripts also has many different Web portals, containing data with varying degrees of sensitivity. The company uses a combination of rule-based and risk-based authentication, he said, adding that health care companies are increasingly looking to the latter model. "They want to make [authentication] easy, but very secure in the background," Chin said.
Young said his company has added fraud analysts and digital forensics experts -- which he noted are new types of employees in the health care industry.
Ultimately, it's a numbers game for cybercriminals and health care data, Brewer said. In 2008, $67 billion went through CMS to pay claims. "That speaks to 67 billion reasons why organized crime would want to access our data," he said.