Medical identity fraudsters target health care info, experts say

Health care organizations say medical identity fraud is on the rise and they're boosting their online security with anti-fraud measures used in the banking industry.

SAN FRANCISCO -- Online criminals know that medical records are a goldmine, and they are using the data to steal drugs or peek into others' medical history, health care security experts said.

"We are seeing fraudsters stealing identities, going to a pharmacy and stealing drugs," Simon Chan, senior IT security architect at pharmacy benefits management provider Express Scripts, said during a panel discussion at the RSA Conference 2010. Criminals also are seeing doctors with stolen identities, he said.

To catch such medical identity fraud activity, the company uses financial fraud detection tools, Chan said, noting that part of his job involves working with the company's fraud department.

Ryan Brewer, CISO at the Centers for Medicare & Medicaid Services (CMS), said there have been phishing attacks in which fraudsters try to lure users with offers of cheap medications; the links in the phishing emails lead to spoofed CMS websites that try to collect personal information.

Unlike credit cards that can be replaced if stolen, health care information doesn't change, making it especially valuable to thieves, Brewer said.

"The bad guys realize that stuff is good for life. You can't change your blood type," he said.

David Young, the IT director of Web services for Geisinger Health System, an integrated health care delivery system in northeastern Pennsylvania, said his organization has used audit logs to catch employees spying on the medical records of their ex-spouses and others. The organization has also caught fraudsters exploiting the forgotten-password feature on a Web portal; it now sends physical letters to patients alerting them to the password change, which has succeeded in catching 95% of that fraudulent activity.
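The audit-log review Young describes is easiest to see on a concrete log. The following is an added example, not Geisinger's code: it assumes a constructed EHR access log with one JSON object per line (the field names `ts`, `user`, `user_surname`, `user_dept`, `patient_id`, `patient_surname` and `care_team` are assumptions), and flags accesses with no care relationship, accesses where employee and patient share a surname (the relative / ex-spouse pattern from the panel), and off-hours access by staff who are not on the patient's care team. The department whitelist and the rule thresholds are likewise assumptions for the example.

```python
"""Audit-log review for inappropriate medical-record access.

Added example, not Geisinger's own tooling. All field names, sample
events, department names and thresholds below are constructed for the
example and are not from the article.
"""
import json
from collections import Counter

# Constructed sample log lines (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"ts": "2010-03-02T09:14:00", "user": "jdoe", "user_surname": "Doe", "user_dept": "Billing", "patient_id": "P100", "patient_surname": "Smith", "care_team": ["rn_alvarez", "dr_lee"]}
{"ts": "2010-03-02T09:16:00", "user": "jdoe", "user_surname": "Doe", "user_dept": "Billing", "patient_id": "P101", "patient_surname": "Doe", "care_team": ["dr_lee"]}
{"ts": "2010-03-02T10:02:00", "user": "dr_lee", "user_surname": "Lee", "user_dept": "Cardiology", "patient_id": "P101", "patient_surname": "Doe", "care_team": ["dr_lee"]}
{"ts": "2010-03-02T22:40:00", "user": "rn_alvarez", "user_surname": "Alvarez", "user_dept": "ICU", "patient_id": "P102", "patient_surname": "Alvarez", "care_team": ["dr_patel"]}
{"ts": "2010-03-03T08:00:00", "user": "rn_alvarez", "user_surname": "Alvarez", "user_dept": "ICU", "patient_id": "P100", "patient_surname": "Smith", "care_team": ["rn_alvarez", "dr_lee"]}
"""

# Departments whose staff legitimately open many charts without being on a
# care team (assumption for the example).
BROAD_ACCESS_DEPTS = {"Billing", "Health Information Management"}


def parse_log(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_access(events):
    """Return a list of (event, reasons) for accesses that warrant review.

    Rules (assumptions for this example):
      - no_care_relationship: user is not on the patient's care team and is
        not in a department with broad chart access
      - shared_surname: employee and patient share a surname, regardless of
        department; this is the relative / ex-spouse signal and is always
        surfaced to an analyst
      - after_hours: access outside 06:00-20:00 by someone off the care team
    """
    findings = []
    for ev in events:
        reasons = []
        on_team = ev["user"] in ev["care_team"]
        broad = ev["user_dept"] in BROAD_ACCESS_DEPTS
        hour = int(ev["ts"][11:13])          # ISO-8601 timestamp, hour field
        if not on_team and not broad:
            reasons.append("no_care_relationship")
        if ev["user_surname"].lower() == ev["patient_surname"].lower():
            reasons.append("shared_surname")
        if not on_team and not (6 <= hour < 20):
            reasons.append("after_hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


def users_to_investigate(findings):
    """Count findings per user so a fraud analyst can triage the worst first."""
    return Counter(ev["user"] for ev, _ in findings)


if __name__ == "__main__":
    for ev, reasons in review_access(parse_log(SAMPLE_LOG)):
        print(ev["ts"], ev["user"], "->", ev["patient_id"], ", ".join(reasons))
```

In the constructed log the billing clerk's first lookup is left alone (broad-access department, different surname), while the same clerk opening a chart for a patient named Doe and an ICU nurse opening the chart of a patient named Alvarez at 22:40 with no care relationship are both surfaced. In practice the surname match is only a starting heuristic; shared address or emergency-contact data from the registration system would be the next fields to join in.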

His company is also seeing a lot of cases in which people are using relatives' health insurance information in order to receive emergency treatment.

Geisinger Health System has several portals, including ones where patients can view lab results and renew prescriptions. The organization has been shifting from a rule-based security model around its Web portals to a risk-based authentication model of the kind used in the banking industry, Young said.

A risk-based approach takes into account user characteristics, including how a person types, and examines other factors, such as IP address, before allowing online access to personal health data. That risk engine is tied into a fraud network that banks and other types of companies connect with to identify fraudsters, he said. In contrast, a rule-based approach uses such techniques as blocking access after three failed login attempts.
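To make the contrast concrete, here is an added example (not Geisinger's or Express Scripts' engine) that puts the rule the article names, lock after three failed attempts, beside a simplified risk scorer. The scorer's factors and weights are assumptions: a new source network, a new device fingerprint, distance of the observed typing cadence from the user's stored profile, and a constructed set of IPs standing in for the shared fraud network the panel mentioned. The point it shows is that a correct password from a phished or reset account passes the rule but is blocked or stepped up by the risk path.

```python
"""Rule-based vs risk-based login decisions for a patient portal.

Added example, not the code of any organization named in the article.
Factor weights, thresholds, the sample profile and the 'fraud network'
IP set are all assumptions constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class UserProfile:
    known_networks: set      # /24 networks seen before, as "a.b.c.0/24" strings
    known_devices: set       # device fingerprint strings seen before
    typing_profile: list     # mean inter-key delays (ms) when typing the username
    failed_attempts: int = 0


@dataclass
class LoginAttempt:
    ip: str
    device: str
    keystroke_delays: list   # inter-key delays (ms) observed on this attempt
    password_ok: bool


# Constructed stand-in for a shared fraud-network feed of reported IPs.
FRAUD_NETWORK_IPS = {"203.0.113.7"}
MAX_FAILED = 3


def rule_based_decision(profile, attempt):
    """Classic rule: lock the account after MAX_FAILED consecutive failures.

    A correct password is always allowed, which is exactly the weakness
    when the credential itself has been phished or fraudulently reset.
    """
    if profile.failed_attempts >= MAX_FAILED:
        return "locked"
    if attempt.password_ok:
        profile.failed_attempts = 0
        return "allow"
    profile.failed_attempts += 1
    return "locked" if profile.failed_attempts >= MAX_FAILED else "deny"


def cadence_distance(profile_delays, observed):
    """Mean absolute difference (ms) between expected and observed delays."""
    n = min(len(profile_delays), len(observed))
    if n == 0:
        return 0.0
    return sum(abs(a - b) for a, b in zip(profile_delays[:n], observed[:n])) / n


def risk_score(profile, attempt):
    """Score 0-100 (higher is riskier) with the reasons that contributed."""
    score, reasons = 0, []
    net = str(ipaddress.ip_network(attempt.ip + "/24", strict=False))
    if attempt.ip in FRAUD_NETWORK_IPS:
        score += 60
        reasons.append("ip_on_fraud_network")
    if net not in profile.known_networks:
        score += 20
        reasons.append("new_network")
    if attempt.device not in profile.known_devices:
        score += 20
        reasons.append("new_device")
    if cadence_distance(profile.typing_profile, attempt.keystroke_delays) > 60:
        score += 25
        reasons.append("typing_cadence_mismatch")
    return min(score, 100), reasons


def risk_based_decision(profile, attempt):
    """Correct password is necessary but not sufficient; risk picks the path."""
    if not attempt.password_ok:
        return "deny", ["bad_password"]
    score, reasons = risk_score(profile, attempt)
    if score >= 60:
        return "block", reasons
    if score >= 30:
        return "step_up", reasons   # e.g. mailed letter, phone call or one-time code
    return "allow", reasons


def demo_profile():
    """Constructed profile of a patient who always logs in from home."""
    return UserProfile(
        known_networks={"198.51.100.0/24"},
        known_devices={"fp-a1b2"},
        typing_profile=[120, 95, 140, 110, 130],
    )


if __name__ == "__main__":
    normal = LoginAttempt("198.51.100.23", "fp-a1b2", [118, 100, 135, 115, 128], True)
    takeover = LoginAttempt("192.0.2.44", "fp-zz99", [40, 35, 45, 38, 42], True)
    for name, att in (("normal", normal), ("takeover", takeover)):
        print(name, rule_based_decision(demo_profile(), att),
              risk_based_decision(demo_profile(), att))
```

The `takeover` attempt in the demo is a correct password typed fast from an unknown network and device; the rule-based path allows it while the risk-based path blocks it. A real engine would also feed its own block and step-up outcomes back into the shared fraud network so that other members see the same source addresses.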

Since physicians don't like carrying authentication tokens, the company aims to replace tokens with the risk-based approach, Young said. "They don't like anything that's obstructive," he said.

Chan said Express Scripts also has many different Web portals, containing data with varying degrees of sensitivity. The company uses a combination of rule-based and risk-based authentication, he said, adding that health care companies are increasingly looking to the latter model. "They want to make [authentication] easy, but very secure in the background," Chan said.

Young said his company has added fraud analysts and digital forensics experts -- which he noted are new types of employees in the health care industry.

Ultimately, it's a numbers game for cybercriminals and health care data, Brewer said. In 2008, $67 billion went through CMS to pay claims. "That speaks to 67 billion reasons why organized crime would want to access our data," he said.

Join the conversation

1 comment

I feel that the FBI has carried out these crimes