Identity Theft: Enterprise-Wide Strategies for Prevention, Detection and Remediation


Booz Allen Hamilton Proprietary
Conference Presentation: Identity Theft: Enterprise-Wide Strategies for Prevention, Detection and Remediation
Kris O'Neal and Dan Steinberg
Harvard Privacy Symposium, August 20, 2008

We offer the usual disclaimer for the contents of this presentation and any verbal comments we make during its delivery. Any and all opinions expressed are solely our own, and should not be attributed to Booz Allen Hamilton, the Office of the National Coordinator for Health Information Technology, or any other business or agency.

Table of Contents
- Enterprise View of Identity Theft
- Enterprise Identity Theft Prevention Strategy
- Medical Identity Theft: Detection and Mitigation

Enterprise View of Identity Theft

Identity theft strategies must take into account multiple actors, platforms, and stakeholders, but privacy efforts remain central to those strategies.

Enterprise Identity Theft Prevention Strategy

Prominent activities that can help prevent identity theft include data minimization, accuracy, and individual rights:
- Eliminate PII where possible, especially Social Security numbers (SSNs). SSNs and other PII may still need to be used for secondary and ancillary purposes, such as correlating records across systems.
- Ensure information is accurate; validate data received from business partners where possible.
- Implement authentication schemes.
- Be prepared to serve the customer, both when your organization is the subject of a data breach and when the customer has been the victim of identity theft elsewhere.
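The first two bullets pull in opposite directions: records still have to be correlated across partner feeds, but the raw SSN should not be kept for that. One way to reconcile them, shown here as an added example that is not part of the original presentation, is keyed pseudonymization: each feed's SSN is validated, canonicalized, and replaced by an HMAC under a secret linkage key, so records from two partners still join on the same token while the stored value is useless to anyone without the key. The key value, the field names and the sample feeds are all hypothetical; an unkeyed hash of the SSN would not qualify as minimization, because the entire SSN space is only 10^9 values and can be enumerated in minutes.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical linkage key for this example. In a real deployment the key
# lives in an HSM/KMS, is never stored beside the tokens, and has a
# documented rotation (re-tokenization) plan.
LINKAGE_KEY = bytes.fromhex("8f" * 32)

# Accept 123-45-6789, 123 45 6789 or 123456789, with surrounding whitespace.
_SSN_RE = re.compile(r"^\s*(\d{3})[- ]?(\d{2})[- ]?(\d{4})\s*$")


def normalize_ssn(raw: str) -> Optional[str]:
    """Return the canonical 9-digit form, or None if the value cannot be an
    issued SSN. Area 000, 666 and 900-999, group 00 and serial 0000 are never
    assigned, so a partner record carrying one is a data-quality or fraud signal."""
    m = _SSN_RE.match(raw)
    if not m:
        return None
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        return None
    return area + group + serial


def ssn_token(raw: str, key: bytes = LINKAGE_KEY) -> Optional[str]:
    """Keyed pseudonym: identical for the same SSN regardless of formatting,
    different under a different key, and not enumerable without the key."""
    digits = normalize_ssn(raw)
    if digits is None:
        return None
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def tokenize_feed(rows: List[dict], key: bytes = LINKAGE_KEY) -> Tuple[List[dict], List[dict]]:
    """Replace the 'ssn' field with 'ssn_token'. Rows that fail validation are
    returned separately (without the SSN) so they can be sent back to the partner."""
    accepted, rejected = [], []
    for row in rows:
        stripped = {k: v for k, v in row.items() if k != "ssn"}
        token = ssn_token(row["ssn"], key)
        if token is None:
            rejected.append({**stripped, "reason": "invalid_ssn"})
        else:
            accepted.append({**stripped, "ssn_token": token})
    return accepted, rejected


def link_feeds(feed_a: List[dict], feed_b: List[dict], key: bytes = LINKAGE_KEY):
    """Correlate two partner feeds on the token alone; raw SSNs never leave
    tokenize_feed(). Returns matched (id_a, id_b) pairs and all rejected rows."""
    tok_a, rej_a = tokenize_feed(feed_a, key)
    tok_b, rej_b = tokenize_feed(feed_b, key)
    index: Dict[str, List[str]] = {}
    for row in tok_b:
        index.setdefault(row["ssn_token"], []).append(row["id"])
    pairs = [(a["id"], b_id) for a in tok_a for b_id in index.get(a["ssn_token"], [])]
    return pairs, rej_a + rej_b


def demo():
    """Constructed sample feeds (made-up identifiers, not real people)."""
    feed_a = [
        {"id": "A1", "ssn": "123-45-6789", "member": "Sample Member"},
        {"id": "A2", "ssn": "000-12-3456", "member": "Bad Record"},
    ]
    feed_b = [
        {"id": "B1", "ssn": "123456789", "claim": "CLM-1"},
        {"id": "B2", "ssn": "321-54-9876", "claim": "CLM-2"},
    ]
    return link_feeds(feed_a, feed_b)


if __name__ == "__main__":
    matched, bad = demo()
    print("matched:", matched)    # -> [('A1', 'B1')]
    print("rejected:", bad)
```

The token is deterministic, so it supports exact-match linkage only; if the same SSN must be joined across organizations that do not share a key, each party tokenizes under its own key and a trusted intermediary re-keys, rather than anyone exchanging raw SSNs.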

Identity theft prevention requires strong privacy and security controls at all levels and sectors of the enterprise:
- Understand the technologies already in place within your organization and deploy tools to enforce privacy and security.
- Ensure the business components understand what is expected of them in implementing privacy, security, and identity theft strategies.
- Establish performance metrics for privacy and security and use that data to drive decisions.
- Take a cross-organizational, cross-functional approach by recruiting senior officials to communicate their strong support for privacy and security activities.

All privacy offices must demonstrate the primary competency of fostering stakeholder collaboration:
- Privacy and identity theft efforts must be integrated at the business level. Ideally, privacy governance provides a strong infrastructure; even then, business units must ultimately support and implement solutions, and may even determine which approaches are needed and used.
- Organization leadership must support the privacy and identity theft strategy; it bears ultimate responsibility for navigating challenges.

Medical Identity Theft: Detection and Mitigation

Medical identity theft is a new topic within identity theft, with limited information available about its scope, depth, and breadth. It occurs when a person:
- uses someone else's personally identifiable information (PII) or protected health information (PHI),
- without the individual's knowledge or consent,
- to obtain medical goods or services, or to submit false claims for medical services.

Complaint counts reported to the FTC (source: Federal Trade Commission, 2006 Identity Theft Survey Report):

  Year   Identity theft complaints   Medical identity theft complaints
  2001   86,000                      1,400
  2005   256,000                     4,600

Possible effects include loss of patient privacy; loss of health record integrity; slowed adoption of health IT (EHRs, PHRs, NHIN); and financial consequences to the patient, provider, or health care system.

Other health care fraud case studies are relevant to the exploration of true medical identity theft. The slide compared four case-study types:
- Medical identity theft
- Medical familial identity theft
- Phantom provider / wholesale fraud
- Upcoding

along six dimensions: patient record integrity threatened; possible financial consequences; change in pattern of patient services received; change in pattern of provider billing; health care actually provided; and patient authentication failure. The matrix marking which dimensions apply to which case-study type is not reproduced in this transcription.

Anecdotal evidence provides examples of the kinds of fraud and identity theft techniques organizations must combat:
- 2006: A Pennsylvania man stole a coworker's identification and used it to obtain over 40 prescriptions for Viagra.
- 2006: Another Pennsylvania man accessed a stranger's medical information and used it to pay for $140,000 in hospital charges.
- 2005: An unknown person in Washington State stole the identity of a 3-week-old baby to obtain large prescriptions of the often-abused painkiller OxyContin.
- March 2004: A Colorado man used a stranger's medical identity information to obtain surgery worth over $41,000.
- 2003: Five health care providers in Milpitas, California gave elderly patients checkups at a fake clinic, but also used their Medicare information to charge the program for $900,000 in services that were not delivered.

To go beyond the anecdotal and begin to scope the breadth and depth of the problem, the Office of the National Coordinator for Health Information Technology (ONC) is studying this issue. Medical identity theft has possible implications for the development of a Nationwide Health Information Network (NHIN).

ONC is developing:
- A comprehensive environmental scan of the medical identity theft problem in the U.S., focusing particularly on its intersection with health IT.
- A one-day town hall meeting to enable health care experts to share knowledge and experience of medical identity theft and of how health IT can be used to prevent and detect it.
- A final report and roadmap.

Topics for exploration include: the magnitude of the problem (cost, frequency); its mechanisms (threats and vulnerabilities); and available methods of prevention, detection, and remediation.

Solutions and controls must be implemented and targeted at the full life-cycle: prevention, detection, and remediation. The categories of possible controls below are identified for discussion purposes only; no particular control or standard within any category is endorsed by ONC or Booz Allen.

Prevention:
- Incorporation into risk assessment
- Education and awareness
- Patient authentication
- Access controls
- Other security controls

Detection:
- Exceptions or pattern recognition
- Explanations of Benefits (EOBs) provided to patients
- Other victim reporting
- Red Flag validation of medical claims submitted
- Information sharing environments

Remediation:
- Law enforcement (DOJ, FTC, HHS, CMS, State Attorneys General, FBI, others)
- Incident response protocols and mechanisms
- Patient privacy principles: Notice, Choice, Access, Redress
- Health record corrections
- Ongoing assessment
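The "exceptions or pattern recognition" detection category, and the "change in pattern" dimensions in the case-study comparison earlier, are the one place in this deck where a concrete mechanism can be shown. The following is an added example, not code from the presentation or from ONC: three rules run over a constructed claims feed, each keyed to one of the anecdotes above. An age rule catches a service implausible for the patient (the infant prescribed OxyContin), a rolling-window rule catches excessive fills of a watched drug category on one identity (the 40-plus Viagra prescriptions), and a provider rule catches a month of billing far above the provider's own baseline (the fake clinic's $900,000). The category labels, thresholds and claim records are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    patient_dob: date
    provider_id: str
    service_date: date
    category: str    # coarse service category; hypothetical labels
    amount: float


# Hypothetical thresholds for illustration only; a real program tunes them
# against its own claims history with clinical and investigations review.
MIN_AGE_YEARS = {"RX_ED": 18, "RX_OPIOID": 12}      # age-implausible services
RX_WINDOW_DAYS = 365
RX_MAX_PER_WINDOW = {"RX_ED": 12, "RX_OPIOID": 6}   # fills per patient per window
PROVIDER_SPIKE_FACTOR = 4.0                          # vs. provider's own median month
PROVIDER_MIN_HISTORY_MONTHS = 3


def age_years(dob: date, on: date) -> int:
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def flag_age_mismatch(claims: List[Claim]) -> List[str]:
    """Patient-services pattern: a service implausible for the patient's age."""
    return [c.claim_id for c in claims
            if c.category in MIN_AGE_YEARS
            and age_years(c.patient_dob, c.service_date) < MIN_AGE_YEARS[c.category]]


def flag_rx_volume(claims: List[Claim]) -> List[str]:
    """Patient-services pattern: more fills of a watched category within the
    rolling window than the limit allows; the fill that breaches it is flagged."""
    by_key: Dict[Tuple[str, str], List[Claim]] = defaultdict(list)
    for c in claims:
        if c.category in RX_MAX_PER_WINDOW:
            by_key[(c.patient_id, c.category)].append(c)
    flagged = []
    for (_, category), fills in by_key.items():
        window: List[Claim] = []
        for c in sorted(fills, key=lambda x: x.service_date):
            cutoff = c.service_date - timedelta(days=RX_WINDOW_DAYS)
            window = [w for w in window if w.service_date > cutoff] + [c]
            if len(window) > RX_MAX_PER_WINDOW[category]:
                flagged.append(c.claim_id)
    return flagged


def flag_provider_spike(claims: List[Claim]) -> List[Tuple[str, str]]:
    """Provider-billing pattern: a month far above the median of the
    provider's own earlier months, once enough history exists."""
    monthly: Dict[str, Dict[Tuple[int, int], float]] = defaultdict(lambda: defaultdict(float))
    for c in claims:
        monthly[c.provider_id][(c.service_date.year, c.service_date.month)] += c.amount
    flagged = []
    for provider, months in monthly.items():
        keys = sorted(months)
        for i, k in enumerate(keys):
            if i < PROVIDER_MIN_HISTORY_MONTHS:
                continue                      # not enough baseline yet
            baseline = median(months[m] for m in keys[:i])
            if baseline > 0 and months[k] > PROVIDER_SPIKE_FACTOR * baseline:
                flagged.append((provider, f"{k[0]}-{k[1]:02d}"))
    return flagged


def run_rules(claims: List[Claim]) -> Dict[str, list]:
    return {"age_mismatch": flag_age_mismatch(claims),
            "rx_volume": flag_rx_volume(claims),
            "provider_spike": flag_provider_spike(claims)}


def sample_claims() -> List[Claim]:
    """Constructed claims, not real data: one opioid fill for a 3-week-old,
    thirteen ED-drug fills for one adult inside a year, and a clinic whose
    April billing jumps to more than four times its prior months."""
    claims = [Claim("C001", "P1", date(2005, 4, 1), "PR1", date(2005, 4, 22), "RX_OPIOID", 300.0)]
    for i in range(13):
        claims.append(Claim(f"C1{i + 1:02d}", "P2", date(1970, 1, 1), "PR2",
                            date(2006, 1, 15) + timedelta(days=28 * i), "RX_ED", 80.0))
    for i, amt in enumerate([1000.0, 1200.0, 1100.0]):
        claims.append(Claim(f"C20{i + 1}", f"P{i + 3}", date(1931 + i, 6, 1), "PR9",
                            date(2003, i + 1, 10), "CLINIC_VISIT", amt))
    for i in range(3):
        claims.append(Claim(f"C20{i + 4}", f"P{i + 3}", date(1931 + i, 6, 1), "PR9",
                            date(2003, 4, 10 + i), "CLINIC_VISIT", 5000.0))
    return claims


if __name__ == "__main__":
    for rule, hits in run_rules(sample_claims()).items():
        print(f"{rule}: {hits}")
```

Each rule emits the claim or provider-month that crossed the line, which is what an analyst needs to pull the EOB, contact the patient, or open a case; the thresholds are deliberately loose so that legitimate high utilizers do not drown the queue, and the provider rule stays silent until three months of that provider's own history exist rather than comparing against a population average it has no basis for.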

For More Information
Kris O'Neal, Associate, Booz Allen Hamilton Inc., 8283 Greensboro Drive, McLean, VA 22102, Tel 703.377.1257, o neal_kris@bah.com
Dan Steinberg, Associate, Booz Allen Hamilton Inc., 8283 Greensboro Drive, McLean, VA 22102, Tel 703.377.1261, steinberg_daniel@bah.com