The health sector needs to tighten security on medical records to prevent financial fraud, writes Ciara O'Brien
IDENTITY FRAUD is something most people are aware of these days. But while we can take additional security precautions, what can be done about the companies and the State agencies that have access to our confidential details? Can they be trusted to keep them secure and away from prying eyes?
In the past, medical identity theft was not considered top of the list for identity theft crimes. In 2005, a study by the US department of commerce found that only 3 per cent of total identity theft was medical, usually carried out by insiders and with insurance fraud in mind.
However, if experts are right, it may soon become a serious issue for Irish people.
Gunter Ollman, director of security strategy for IBM Internet Security Systems, views the health sector as particularly vulnerable to identity thieves. The problem is rooted in two main areas: first, the amount of information held in medical records that could be used to steal an identity, and second, how secure that information is.
"Medical records include names, addresses, PPS numbers, but also all of your banking details, your next of kin - all the information you need to steal a complete identity," says Ollman.
The health sector has already been hit by news that hundreds of confidential patient files, dating from before 1983, were discovered in a landfill site in Co Cork some weeks ago.
While the loss of paper records can present a problem, the growth of the use of technology can also present a challenge for firms involved in the health sector, exposing systems and the information contained in them to a host of new threats. In February, a laptop with the personal details of more than 171,000 Irish blood donors was stolen in New York, including names, addresses, dates of birth, gender, blood groups and contact phone numbers.
Although the data was encrypted, the Irish Blood Transfusion Service admitted there was a "remote" chance the data could have been accessed by a third party.
These incidents, though cause for concern, could be just the tip of the iceberg. Information taken from medical records is often extensive, and could be used to commit further financial fraud, such as gaining access to online banking records, or fraudulently getting access to funds.
"One of the problems in healthcare is that access to this information is generally open to anyone inside the establishment. The computer systems are generally of a poor level compared to other sectors. They can be a softer target," says Ollman.
This is a perception that is likely to increase as other, more traditional avenues are closed off to identity fraudsters, thanks to increased security procedures.
"Cyber crime has developed and is very much focused on the low-hanging fruit, such as the medical industry," says Ollman.
"Given the amount of effort going into the criminal side of identity theft, the healthcare industry itself is prone to these types of attacks. More teams are focusing on the industry."
IBM's research on the value of identities bought and sold online has uncovered that those from English-speaking countries fetch a higher price, and identities gathered from the UK and Ireland can often be the most valuable.
The quality of the information has a significant impact on value too; while credit card details may sell for as little as €1.25, the information contained within medical records can be worth between €20 and €30. Add in banking information - which could be gleaned using information already gathered from medical records - and the price rises.
"The more complete the identity, the more value it has," says Ollman.
The medical industry is, like most other sectors, becoming increasingly dependent on technology to carry out not only its day-to-day business, but the more intricate tasks. Medical devices and equipment are becoming increasingly connected through wireless technology, and contain some form of operating system, leaving them open to attack through security vulnerabilities.
The complexity of the medical devices can make it more difficult for the patches to be updated and deployed in a timely fashion.
"Rolling out patches and applying security fixes to these systems tends to be a bit difficult as there are so many vendors, with different responsibilities," says Ollman. However, exploits for flaws in systems are being developed at a faster pace than before, meaning it's a race against time to get the patches deployed.
"Patching requires someone or a team to physically go to the devices and patch these devices. There are also technologies that can provide an 'umbrella' to protect the systems while it is going on," says Ollman.
These technologies, such as intrusion prevention, have already been used in the financial sector with some success, he says.
Ollman says that there are other steps the health sector can take to prevent it being top of the hit list for fraudsters.
Limiting the amount of information supplied to health sector institutions and companies is often not an option.
However, increasing the security on the systems that contain that information can help, making them more secure against the possibility of attack. He also advocates the implementation of an education programme, to highlight awareness of the risks posed.
Ollman flags ownership of the systems as another area that could be improved. He says that failure to do this is one of the reasons why health sector interests may be more susceptible to data theft.
"Especially in the public healthcare side, ownership of the networks is often up for debate in the institutions. There seems to be consistently poor performance in the security of those networks. As the other avenues become tougher, the healthcare industry stands out like a sore thumb and will be targeted."