Healthcare fraud of all types is becoming more worrisome by the day. Experts say that both internal and external threats are growing exponentially. Internally, there are individuals working within patient care organizations who choose to participate in illegal and unethical activities and use their data access to defraud the organizations they work for; external fraud, perpetrated by outside individuals and organizations—and, disturbingly, even foreign governments—is mushrooming as well.
Indeed, a white paper published last fall by the Medical Identity Fraud Alliance, entitled “The Growing Threat of Medical Identity Fraud: A Call to Action,” which focused on identity theft, stated that healthcare fraud costs U.S. society at least $80 billion a year.
Identity theft-driven fraud is intensifying, and with it the number of patient care organizations whose senior executives are calling on healthcare IT security and privacy consultants to help them sort out the issues and craft IT security and privacy strategies that work.
Among those working in this critical area is Mark Ford, principal of the Cyber Risk Services division at the New York-based Deloitte consulting firm. Ford, based in Ann Arbor, Mich., has spent over 20 years consulting in the IT security area, after having worked as a military intelligence officer in the U.S. Army. Ford has been with Deloitte since 1999, in this cyber risk area the entire time, and for the first decade, working broadly across industries. In 2009-2010, Ford shifted his focus to healthcare, particularly after changes in the HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations began compelling patient care organization leaders to think more rigorously about healthcare IT security and privacy issues.
Ford spoke recently with HCI Editor-in-Chief Mark Hagland about this topic. Below are excerpts from that interview.
With everything going on in healthcare, your personal shift into a primary focus on this industry obviously makes sense.
Yes, it does; we’ve got more of our focus on healthcare as a vertical these days.
Things are ramping up now in terms of the illegal activity around medical identity-based healthcare fraud.
Yes, and I carry the historical experience of data security from other industries. And within healthcare, we have three areas: life sciences, health plans, and providers; and we are supporting all three sectors in this area. My area of responsibility is cyber risk among the health plans and providers.
Let’s start with the big-picture view of what’s going on now.
Where the industry is at is really the important factor. And we go to where the buyers are—we’re going to go to those clients investing in their programs because their business drives them to do it. Healthcare, especially on the provider side, was always a laggard. Providers in fact had to be forced to do it, had to be pulled, by the HITECH [Health Information Technology for Economic and Clinical Health Act] legislation, kicking and screaming, to pay attention to this. The government had to go and say, we have to transform healthcare, and we want you to modernize.
So you have an industry that hadn’t been focused on this, and all of a sudden is in the middle of transformation, and flying faster than they can manage in this area, and are being exposed to what’s happened already in other industries.
What are we learning from other industries right now?
The big lesson learned from those more mature industries is the realization that this pervasive threat is actually bigger than what we can actually protect ourselves from. And applying that to a very immature industry like the healthcare provider sector is a very daunting task, because providers are trying to bootstrap themselves up from nowhere. However, we are seeing progress, very nascent, towards maturity. Most of our banking clients are at the four or five level of five levels, in your classic CMMI [capability maturity model integration] model. Gartner once described healthcare as being in “blissful ignorance,” in a report several years ago.
So from my perspective, providers have made progress and have moved into the 1 or 2 level, because of the new focus, and quite frankly, the federal government’s HIPAA-related rules. The opportunity is for them to mature towards the state of the art.
What are the most advanced providers doing right now?
They are doing something similar to what you’d see a large financial services institution doing—they’re putting in dedicated security programs. They’re investing in a cyber-risk capability. If you look at what banking’s done, they’ve spent a lot of time around this concept called Information Sharing and Analysis Center, ISAC, and the financial sector was probably the leading industry to go after the ISAC concept, to share information with each other, and to…
I understand that the top information security officers from the biggest banks are now having a weekly conference call with federal officials. Among other things, they’re discussing weekly cyber threats coming from hostile foreign governments, as well as international crime syndicates.
Yes, that’s right. And healthcare organizations are beginning to move there. There actually is a national healthcare ISAC that’s been established. Now, they need to figure out their program and charter and these kinds of things, but one is in place. That will give a lot of credibility to the industry. When I go from client to client on building their security program, the first thing I hear is, what are my competitors or peers doing? And they’re starting to build things. And it’s not as though we’re going to tell our healthcare clients anything fundamentally different from what we would tell a banking client, actually.
There are nuances, but the fundamentals are the same—the approach will be very, very similar, and it has to be, because we’re learning from the best in the industry—the government, the financial sector, and so on. Providers’ problem is a little bit different; they’ve got the dynamic nature of health information flowing across their enterprises, and the need for it to be accessible for operations and patient care; plus, they’re more heavily regulated than any other industry. But if they do exactly what I’m trying to suggest, and think about how to do this in a more mature, comprehensive way, and are willing to do this, they have the opportunity to reach the goal.
You mentioned cyber-threats from foreign governments and organized crime—I would agree. And the healthcare industry continues to be a growing target because of the opportunity. And a lot of that perception of opportunity comes out of the potential to be able to steal our intellectual property in healthcare and the life sciences.
Does that mean that academic medical centers and teaching hospitals are more at risk than community hospitals?
I would think so, because of that research element. I do a lot of work at AMCs. And they do have this challenge of openness versus protection of patient and intellectual information; there’s always a dynamic tension there. And that struggle or internal conflict may lead to less control, frankly. So you have to figure out how to fence certain things off; and that is a real challenge.
And the researchers want full access to the Internet. So we’re seeing a lot of that challenge when it comes to where those two come together, the research and the medical operations.
Given all of this, what should CIOs, CTOs, and their colleagues in patient care organizations be doing right now?
I tend to want to say, you have to start by assessing your business scenario. If you’re an AMC, your scenario will be different from that of a community hospital. And this is much broader than a HIPAA compliance issue. So it’s looking at your problem from a risk-based perspective, and putting programs in place to continuously assess risk, and then apply the appropriate levels of security controls to manage your risk tolerance. It sounds kind of cliché, but it’s true. Once you figure out your biggest gaps, then you can act. And maybe it will be cyber-risk from hackers. But frankly, I think the threat of fraud exposure is bigger than nation-state threat. So if fraud is your biggest threat, how are fraudsters getting at your data? And then you build based on that. Frankly, the threat of an OCR [the Office for Civil Rights in the Department of Health and Human Services] audit or the threat of exposing PHI [protected health information] will be worse for many. So take stock of what you have, build a program that addresses your priority needs, and then invest.
How much should such a level of preparation cost, generally speaking?
It runs the gamut, and depends on the size of the organization. Several analysts have come up with different quotes. Not spending enough is typically below 1 percent of IT spend. If they’re putting together a world-class program, it will run up to potentially 7-8 percent of total IT spend. And it may come back down to maybe 3-4 percent over time. That’s the general sum we’ve heard about. It’s fairly consistent. Especially in the provider world, you’re not talking about organizations that have been working on this. Many of my clients don’t even have an office for this that’s even a side job for anybody. In many cases, organizations are starting from scratch, and that’s a scary thing. And the whole blissful ignorance stance isn’t going to hold up any longer.
And then, with regard to insider threat—I’ve been consulting in this area for 20 years, and traditionally, we had always had the mode of saying, the biggest threat is insider threat, by far. That seems to have turned, recently, with the change of actors. It used to be 70/30—that 70 percent of your threat was insider; now it seems as though 70 percent of the threat is external. Healthcare is probably now in the 50/50 range. The insider threats still tend to be the ones that cause providers the most pain and agony. And the realization that health data is easily obtained by breaking into a provider is a relatively new phenomenon. So the external threats are emerging and growing. Medical identity theft-based information to use to commit fraud is a growing issue, particularly since providers haven’t adequately protected their data.
We tested against 100 e-mails in a spear-phishing experiment, and close to 90 percent of internal employees, being tested for their awareness, clicked on an e-mail, and close to half actually clicked into a website that was dangerous.
So you really have to educate your staff, then, correct?
Yes, significantly. You need a robust education program, you need to put as many technical controls in as you need, and so on. But when you have 50 percent of your people willing to click on a spear-phishing attack, it shows you need to focus on this and invest in this. Boards will ask what our next investment should be. Well, they need data security. And the other note I’d like to add is that, from an insider standpoint, it seems to me that the potential for people to commit fraud internally has continued to manifest itself even today. We’re seeing more and more cases of people willing to commit fraud because they have information; not just snooping. That level of insider activity is particular to healthcare compared to banking, where that kind of activity has been very effectively locked down, because it can more easily be locked down per role sensitivity and identity management.
A clinical environment will never be as controlled as a banking environment, for example. So net-net, you’ve got an industry that’s way behind banking, for example, and its problem is way harder to resolve, per healthcare operations, and the appeal of stealing the data is so great.