Healthcare fraud of all types is becoming more worrisome by the day. Experts say that both internal and external threats are growing exponentially. Internally, there are individuals working within patient care organizations who choose to participate in illegal and unethical activities and use their data access to defraud the organizations they work for; external fraud, perpetrated by outside individuals and organizations—and, disturbingly, even foreign governments—is mushrooming as well.
Indeed, a white paper published last fall by the Medical Identity Fraud Alliance entitled “The Growing Threat of Medical Identity Fraud: A Call to Action,” and which focused on identity theft, stated that healthcare fraud costs U.S. society at least $80 billion a year.
The topic of identity theft-driven fraud is intensifying, and with it, so is the increase in the number of patient care organizations whose senior executives are calling on healthcare IT security and privacy consultants to help them sort out the issues and craft IT security and privacy strategies that work.
Among those working in this critical area is Mark Ford, principal of the Cyber Risk Services division at the New York-based Deloitte consulting firm. Ford, based in Ann Arbor, Mich., has spent over 20 years consulting in the IT security area, after having worked as a military intelligence officer in the U.S. Army. Ford has been with Deloitte since 1999, in this cyber risk area the entire time, and for the first decade, working broadly across industries. In 2009-2010, Ford shifted his focus to healthcare, particularly after changes in the HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations began compelling patient care organization leaders to think more rigorously about healthcare IT security and privacy issues.
Ford spoke recently with HCI Editor-in-Chief Mark Hagland about this topic. Below are excerpts from that interview.
With everything going on in healthcare, your personal shift into a primary focus on this industry obviously makes sense.
Yes, it does; we’ve got more of our focus on healthcare as a vertical these days.
Things are ramping up now in terms of the illegal activity around medical identity-based healthcare fraud.
Yes, and I carry the historical experience of data security from other industries. And within healthcare, we have three areas: life sciences, health plans, and providers; and we are supporting all three sectors in this area. My area of responsibility is cyber risk among the health plans and providers.
Let’s start with the big-picture view of what’s going on now.
Where the industry is at is really the important factor. And we go to where the buyers are—we’re going to go to those clients investing in their programs because their business drives them to do it. Healthcare, especially on the provider side, was always a laggard. Providers in fact had to be forced to do it, had to be pulled, by the HITECH [Health Information Technology for Economic and Clinical Health Act] legislation, kicking and screaming, to pay attention to this. The government had to go and say, we have to transform healthcare, and we want you to modernize.
So you have an industry that hadn’t been focused on this, and all of a sudden is in the middle of transformation, and flying faster than they can manage in this area, and are being exposed to what’s happened already in other industries.
What are we learning from other industries right now?
The big lesson learned from those more mature industries is the realization that this pervasive threat is actually bigger than what we can actually protect ourselves from. And applying that to a very immature industry like the healthcare provider sector is a very daunting task, because providers are trying to bootstrap themselves up from nowhere. However, we are seeing progress, very nascent, towards maturity. Most of our banking clients are at the four or five level of five levels, in your classic CMMI [capability maturity model integration] model. Gartner once described healthcare as being in “blissful ignorance,” in a report several years ago.
So from my perspective, providers have made progress and have moved into the 1 or 2 level, because of the new focus, and quite frankly, the federal government’s HIPAA-related rules. The opportunity is for them to mature towards the state of the art.
What are the most advanced providers doing right now?
They are doing something similar to what you’d see a large financial services institution doing—they’re putting in dedicated security programs. They’re investing in a cyber-risk capability. If you look at what banking’s done, they’ve spent a lot of time around this concept called Information Sharing and Analysis Center, ISAC, and the financial sector was probably the leading industry to go after the ISAC concept, to share information with each other, and to…
I understand that the top information security officers from the biggest banks are now having a weekly conference call with federal officials. Among other things, they’re discussing weekly cyber threats coming from hostile foreign governments, as well as international crime syndicates.