In this, the second part of Privacy, Security and the Law’s three-part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.
DR. M. ERIC JOHNSON: You know, if I step back and ask what do I think is really interesting out of what we saw, I think there are two or three things. The first thing is that the fragmented nature of the US healthcare systems means that there are many players, and some of them are very unsophisticated from an IT perspective. There are small practices, doctors who don’t employ fleets of IT people and so there are, of course, elements of weakness.
In the debate that is going on right now around electronic healthcare records, one of the things I find most amusing is this notion that records aren’t already digitized. I mean, most of our records are already quickly moving into digital format, even in very small practices. You know, people somehow have this vision of those file folders lined up in the offices. And sure they exist in plenty of small practices, but alongside them, most practices, even very small practices, have some IT and they’re using it to do their patient billing, they’re tracking some basic amount of information about me through that. Maybe not all my information. They haven’t maybe digitized all my images or radiology or so forth but they’ve digitized parts of those. And what you find is a huge continuum on that and that information, of course, does get passed around in this healthcare supply chain in what I call ad hoc file formats. So, rather than what you might see in a bank, enterprise IT – Oracle, or a SAP, or some Microsoft enterprise level system, a lot of the data ends up in spreadsheets and small Access databases, other documents and whatnot, which can easily and do easily get passed around.
What I find interesting about that, is that that, in many ways, is an underlying root problem of these inadvertent disclosures, whether or not they show up on a peer-to-peer file sharing network. They may or may not (end up on P2P), depending on the users. But they end up on laptops, they end up on Zip drives, they end up on all kinds of other media, which gets lost or disposed of improperly and every one of those is a potential inadvertent leak source.
AARON WRIGHT: So that’s the first of the important things you say you take from the study. What were the others?
ERIC: I think that one’s a pretty interesting issue. The second one, that is equally interesting to me, is the mischief that can be created from this kind of information. You know, we spent, as I said, a good deal of time studying the banking sector and in the banking sector, you worry a lot about people’s names, social security numbers, Visa or other account numbers being leaked. Of course, a leaked Visa number with my name and security code is very fungible. That is, I can create financial costs from that very easily and at relatively low costs and low sophistication from the criminal’s point of view, which of course has attracted a huge industry of criminal elements that are doing that.
In healthcare, what’s true is that first of all, there is a criminal element. It’s growing. We know it’s growing. There are different types of frauds that are happening that we can talk about, it’s kind of the third interesting area of the three takeaways I would say. But finishing off this second idea.
What I think is interesting in healthcare is that the type of data that is leaking is similar to that of banking – name, date, social security number, these kinds of things – things that could be used to create traditional financial fraud. Because if I’ve got your social security number and your birthday and a bunch of personal information about you, I could create frauds where I open accounts or whatnot in your name. But I think what’s far more alarming, from a consumer point of view, is that the data is far more personal. That is, it goes well beyond name, date and social security number. The kinds of things we see are related to my doctor, my diagnoses, maybe my employer. Because of the (healthcare) financial web where you’ve got some very significant players – my employer is a big player, my healthcare provider, my insurance provider is a big player – typically, those pieces of data often are kept together with information about me and so suddenly it’s not just me but it’s my employer, my healthcare provider, my doctor, my insurance provider, that are all, in some sense, part of the breach. And in some ways you can say that the breach affects them too. If I’m a large employer and a couple of thousands of employees have a disclosure but I’m listed with them, the disclosure is also against me. And then probably the most alarming is that you’d see some relatively detailed protected healthcare information, diagnoses and so forth, that I may not want disclosed for obvious reasons. So, that second takeaway is just the nature, the richness of the data and the fact that, to go back to the first kind of takeaway, you’ve got this ad hoc file format flying around with some pretty rich data, far richer than you might see in the financial world.
So then, getting to that last one, the third one, which is how does that create fraud and what’s going on in that space. There are, I would say, three types of fraud that are prevalent in the healthcare world. The first is kind of good old-fashioned medical fraud which typically involves billing payers: Medicare/Medicaid, other insurance payers, for treatments that likely were never rendered or exaggerating those treatments for individuals. A lot of that fraud has been around for a long time, Medicare/Medicaid has been fighting that for years. Some estimates say that 10 percent of US healthcare expenditures are really fraud. Those are staggeringly large numbers, when you think about the trillions of dollars that get spent on healthcare in the US. But, much of that has been around for a long time. These kinds of disclosures facilitate that, but there are plenty of other ways to perpetrate it. The second is medical identity theft, which involves, typically, treatment. In this case, it’s getting treatment under some other individual’s identity. The most common approach for criminals to create wealth from that is to steal identities and then package them up and resell them to people who need access to U.S. healthcare, people who don’t have insurance, illegal immigrants, whatnot. There have been a number of cases, some which have already been in prosecution, where identities have been sold to people who need access to healthcare, and then they go get healthcare as Eric Johnson for a while. If they have my insurance information and identity information about me, it’s relatively easy for them to gain access to healthcare.
The alarming thing about that is not only is there fraud that goes on there, but when they do that, they are changing my medical records in those places. So, suddenly you get lots of data accumulating in a medical record that is unrelated to me. And when I talk to docs about this, they’ll quickly share stories of “we always kind of scratch our heads when someone rolls into the emergency room and we look up in their healthcare record and see that the last time they were here they weighed 200 lbs. and now they weigh 125 lbs. and they didn’t lose weight. These are two different people but what are we going to do about it. At the moment, we are treating them and that’s what it’s about.”
The last kind of area that we see around fraud, which is some of the most sophisticated fraud, well it can be unsophisticated. The unsophisticated types look to basically find ways to get prescription drugs to resell and they may do that at a very low level so that if I can get individuals’ identities and just get whatever, extra prescriptions for Viagra, OxyContin, then I can go resell that. At a larger level, the more sophisticated version typically involves using identities that have been stolen, sometimes what we call synthetic identities, because sometimes they’ll use parts of real identities with other fabricated pieces of information to bill payers fraudulently for people who don’t exist, deceased individuals, and all kinds of things. When I say they are more elaborate, typically these things have to be built up over time and built around some bit of a real medical system. That is, maybe it’s a clinic that actually is providing care to some group of people with doctors and whatnot, but in some sense the clinic is a fabrication or a fraud, the back end of the clinic is all designed to commit fraud and so they have some element of realism to make them seem legitimate, and to make it easier for them to kind of commit these frauds, and these kinds of organizations grow over time, many times years, before they’re caught, and they are consumers of identities because identities fuel their fraud. And so identities can be packaged up and sold to them, and then used to commit the frauds. But, as I started saying at the top of this, if you think about all three of these that I have mentioned, they all require more effort and sophistication than typical financial fraud. Of course, the criminals go to the easier house first, right?
There’s a kind of a rolling belief that, when the financial fraud becomes harder and harder, we will see more fraud in healthcare and there’s lots of reasons to believe that, largely because of the data practices that I’m talking about that fuel it and also because many of the safeguards that have grown up in the banking sector don’t yet exist in the healthcare sector. That is, we don’t have Big Brother Visa looking out for individuals in the same way. Today Visa is so good, I would guess that many of your readers have had their Visa cards compromised and often they learn that from Visa themselves – a call saying, “Did you make this purchase?” and many times they call exceedingly quickly, within hours of the fraud and immediately the card is shut off, we move on to a new number and the consumers are out very little, if nothing, other than the aggravation of the event. In healthcare, there aren’t the kind of agencies or organizations with large fraud practices and algorithms that are tracking this and watching for it. It’s more likely the patients, or consumers themselves, may notice some strange billing and wonder what went wrong. Many people in health care worry that many patients don’t have a huge incentive to really chase those down, and maybe don’t understand their statements well enough to even notice when frauds are being committed against them. Also, the amounts of money that can be fraudulently obtained through healthcare could be much larger. There aren’t kind of preset limits and whatnot, like Visa might have, and the frauds, because they involve identities, sometimes are harder to stop over time. I can change my Visa number tomorrow and then Visa can shut the number down and it’s over, and very little fraud can be committed against a defunct Visa card, but my information related to my identity, like my social security number and whatnot, could be used over and over again to try to commit different types of medical fraud.
So, many of us believe that we will see more fraud in the healthcare sector over the next ten years.
AARON: That’s actually something I did want to talk to you about. Your paper indicates that this type of crime is relatively new and it’s not something we have a particularly good handle on. I was wondering what you predict those trends are going to look like. About how many of these types of medical identity thefts and medical fraud in general do you think are going on now, and ten years from now what do you see the trend being?
ERIC: What is kind of funny in some ways is that we say it’s “new,” but in fact, as I said earlier, medical fraud, particularly fraudulently billing Medicare and Medicaid is an old crime, and Medicare/Medicaid has been fighting it for years. But that type of fraud usually involved corrupt organizations that were just overbilling, typically for real patients, and so there’s all kinds of effort and work that goes into auditing health care systems. Medicare and Medicaid are involved in that to try to prevent that type of fraud. That has been around a long time and, as I said, they have been as high as ten percent, big numbers. But these newer innovations, I would say, around medical identity theft are, in fact, much newer. The numbers are not available; there really are very few good numbers. FTC has been tracking some complaints, but we all know that a very small fraction of what happens they ever hear about or see, and so, there really aren’t any good numbers out there. It’s left to kind of people’s imaginations what the extent of the problem we’re having and how quickly it’s growing. I think the data is so suspect at this moment that I would be hard-pressed to really believe the numbers that are around at the moment. I think it’s from the anecdotal evidence just from individuals in healthcare organizations that we see it and wonder where this is really going. But, we think it’s going to grow.
AARON: One of the things you mentioned is that there is some difficulty of monitoring and I was hoping you would point out for us why you think this monitoring is so difficult. Do you think it’s a lack of awareness or is it a combination of factors? What do you think is going on there?
ERIC: Some monitoring in what way? Just to make sure I understand.
AARON: Sure. The difficulty of monitoring both whether or not someone is currently the victim of medical identity theft and, in a broader sense, monitoring how many of these types of thefts are going on.
ERIC: Yeah. To date, I think what’s – I’ll make the comparison again back to financial sectors and in the financial sector, of course, we not only have Big Brother Visa but we also have a few very powerful credit agencies that are tracking your credit worthiness and your financial performance across all your financial undertakings. There’s really nothing like that in healthcare other than individual payers, who would be tracking your health care expenditures for their own purposes and, of course, they’re watching for fraud, so Blue Cross Blue Shield is watching for fraud within its own system as is Medicare and Medicaid, but there’s nothing that spans those organizations that is the Equifax, or whatever, of the healthcare world that would be able to see fraud across different sources. So there’s one structural difference.
You mention awareness. I think, as I mentioned earlier, at a patient or consumer level, I think consumers probably spend far more time scrutinizing their bank statements and credit card statements than they do statements from their healthcare providers, and, to be honest, a lot of the HMOs and so forth, the way they’re structured now, they’ve created a situation where there’s really no reason for patients to scrutinize. If I go pay my co-pay and just move on, there’s really no reason for me to kind of be looking at any of those statements, and I may not even be getting statements, in fact. So, there’s plenty of reason to believe that there’s less awareness on every dimension, less overall monitoring of the healthcare dollars that are being expended on my behalf.
[Continued in part 3]
* In part three Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.