“We have to do a better education of insider staff; we also need to pay better attention to monitoring,” Mac McMillan said on the morning of May 2, the final day of the Healthcare Informatics Executive Summit. McMillan, the CEO of the CynergisTek consulting firm, and one of the true luminaries in the area of data security in healthcare, was referring not only to data breaches at patient care organizations in healthcare, but also to the growing wave of medical identity theft. “More than 70 percent of identity theft and fraud in healthcare come from insiders, he pointed out. Further, he noted, “2013 witnessed a 20-percent increase in medical identity theft.” Most importantly, “he said, “traditional audit methods and manual auditing are completely inadequate.”
Instead, McMillan told the assembled audience at the Mark Hopkins Hotel in San Francisco, “behavior modeling, pattern analysis, and anomaly detection” will be required to stop medical identity theft and fraud in their tracks. And yes, that means that CIOs and other healthcare IT leaders are going to be under even more pressure going forward to develop sophisticated responses to problems that are accelerating rapidly now in healthcare.
McMillan shared with his audience a story of a recent situation that illuminates some of the challenges that hospitals and medical groups are facing these days. The situation he described is one in which he was personally brought in to help resolve. In that case, the administrators of a hospital were faced with a very strange and perplexing turn of events. Every time a child who had been admitted to the hospital via the emergency department, because of a car accident, he noted, the child’s parents would get solicitation calls from attorneys seeking to represent them. The problem was this: the people at the hospital trying to chase down the evidence in this ongoing case were relying on rules-based controls, such as information being e-mailed out. As it turns out, the perpetrators were viewing the children’s patient records and writing information longhand on a pad of paper to use later.
What broke the case open was that one of the nurses in the hospital ended up having her 16-year-old daughter involved in a car accident, and was standing at her daughter’s beside when she received an attorney solicitation call—and her daughter hadn’t even been fully processed for inpatient admitting. “So we took every individual who had touched the record, and we classified them into types, and measured their access to the system over a 30-day period,” McMillan reported. “And we did pattern analysis. Lo and behold, two admitting people were looking at three times the number of records as everyone else.” McMillan and his colleagues worked with the hospital to install hidden cameras, and called in the FBI. And the perpetrators were caught on camera, after 18 months and 1,900 events. The perpetrators, staff members, were charged both with identity theft, and with charges under HIPAA (Health Insurance Portability and Accountability Act) regulations as well. The hospital was not fined.
“The point” of that story and of so many like it, McMillan said, “is that a lot of our institutions don’t have that level of monitoring going on in their environment; they can’t tell us what has happened.”
Mac’s excellent presentation to those assembled at the HCI Executive Summit resonated strongly with attendees, and provoked a robust discussion of some of the challenges facing healthcare IT leaders. Most importantly, as he noted, the threats facing patient care organizations around protected health information (PHI) are accelerating every week now. It is my sincere hope that everyone responsible for protecting PHI will not only focus strongly on these accelerating threats, but will also heed Mac McMillan’s warning, and will move beyond traditional data auditing methods and move into more sophisticated methods, such as behavior modeling, pattern analysis, and anomaly detection, to better protect patient data in an era of greater challenge and threat than ever before in healthcare.