By Emily Margosian, assistant editor
In 2017 alone, there were 16.7 million victims of identity fraud, according to data from Javelin Strategy & Research — a record high in a country seemingly saturated with cybersecurity breaches. While each new news item gives the impression that anyone with a credit card, Social Security number, or access to the internet (essentially all of us) is susceptible, physicians in particular should be aware of the unique risks they face by not properly safeguarding their personal information. “While physicians suffer some of the same concerns about identity theft as everyone else, there are unique issues doctors face in regard to this issue,” said David Goldberg, MD, JD, a dermatologist and lawyer in New York.
Aside from the potential value of physicians’ unique medical identifiers, which can be used to fraudulently bill public or private payers for fake medical goods or services, physicians have other attributes that make them particularly attractive targets to identity thieves. “We frequently have discussions about this with high-wealth individuals, and physicians obviously fall into this category,” said Bob Watts, CEO of Vivitec, a national IT and cybersecurity firm. “The first thing you want to consider is what are these people after? As it relates to personal information, most of the time they’re after money.”
Aside from the potential financial impact, physician victims of identity theft can face additional consequences in the form of steep legal penalties — and even jail time — if they are found to have been negligent with their personal information due to the far-reaching consequences of medical fraud. How, therefore, can dermatologists navigate the risks to keep themselves — and their personal information — secure? This month, Dermatology World consults with legal and technical experts to discuss:
- What physicians can do to protect themselves
- What to do if your identity is stolen
- How to protect patients’ identities
How to protect yourself
While some of society’s seemingly mightiest institutions — credit bureaus, major corporations, hospital systems, political parties — have proven vulnerable to unsavory data miners, dermatologists need not consider personal loss from identity theft an inevitability, suggested Watts. “We’ve had hundreds of conversations with physicians around personal privacy and the current state of personal information breaches,” he said. There are proven, proactive steps physicians can take to keep their assets and personal information secure that include:
1. Invest in a monitoring service. “You could think LifeLock, or IDAgent. Those are the types of services that are going to monitor Social Security numbers, email credentials, bank accounts, who is trying to interact with your credit scores in any way,” said Watts.
2. Go beyond basic email. “It’s really time for folks to progress beyond a simple, unfiltered, unprotected, email solution,” said Watts of free email services from Google, cable companies, hosting providers, etc. While in the past, hackers who gained access to a victim’s inbox would perhaps spam their contacts list with fraudulent emails seeking sensitive information or money, recently identity thieves have begun taking a more nuanced approach. “Within the last nine months, we’re seeing that they’re very discreetly sending the emails back to a server and they go through them for more social engineering. They’re looking for communication with a financial planner or bank, anywhere they can pick up account information or contacts to try to get money transferred,” he explained. In order to avoid falling victim to what is quickly becoming a billion-dollar crime enterprise, physicians should follow some essential email best practices: frequent password changes, multi-factor authentication, an email address tied to a trusted domain, security settings, and filtering.
3. Keep it “clean.” “If you’re doing anything related to money movement or money transfers, make sure you use a computer that you know is clean, has frequent OS and antivirus updates, and has a firewall installed on it,” advised Watts. This also involves avoiding potentially unsecured internet connections, anywhere from hotel lobbies to the local Starbucks. Kids, too, can potentially compromise a previously secure device. “Don’t use the same computer that the kids surf the internet on every night at home. You want to use a machine where you have confidence that it’s protected — and this applies to mobile devices as well,” said Watts.
4. Don’t be afraid of the dark. The dark web is well known as the seedy underbelly of the internet, and periodic dark web scans can help give physicians peace of mind that their information isn’t being held for auction to the highest bidder. “It’s amazing how many credentials we find being bought and sold on the black market today,” said Watts. “There are a variety of services available for that, but you want to have one specifically scanning for your email and Social Security number to see if there is private information or passwords being sold and traded.”
5. Be a little paranoid. “Folks in general need to be more suspicious than they have in the past,” said Watts, who suggests physicians and their staff take basic steps to improve their cybersecurity proficiency. “That can come in the form of reading a little bit more about cybersecurity, like this article. Or taking training about how to review emails and attachments, and really thinking before you engage with an unknown attachment, link, or website.”
The conundrum of medical identifiers
“NPIs have become an integral part of health care providers’ medical identities, much like a Social Security number,” explained Zenobia Harris Bivens, JD, in a 2018 Physicians Practice article. “This also means that, like a Social Security number, an NPI is vulnerable to identity theft. This is primarily because NPIs are not confidential. Your NPI is publicly available on the National Plan and Enumeration System.”
Because medical identifiers are a sensitive, key component of the modern medical system that is also publicly available, preventing their theft poses a unique challenge to physicians, who can be subject to major civil and criminal penalties if the identifiers are misused. “With NPI, that’s most commonly stolen through cyberspace, but can be stolen from ‘real space’ as well,” explained Dr. Goldberg. “The problem is obviously that NPI numbers are used by all physicians to bill for Medicare and third-party insurance groups. If that’s stolen, it can be used to create fraudulent billings.”
In the event of fraud, the penalties to physicians can be steep. Fraudulent billings to non-government insurance typically result in civil lawsuits, and Medicare or Medicaid fraud can land potential jail time. “Fraud is a big deal. The physician might claim, ‘well, it wasn’t me,’ but then they’re going to have to answer how it was that someone obtained that NPI number,” said Dr. Goldberg. “Was it obtained in a way that could have happened to any of us? Or did it occur because the physician didn’t have appropriate security installed in their computer systems, or left the NPI number on the front desk?” Given the significant time and expense associated with defending a charge of billing fraud in the event of stolen physician identity, being proactive is often the best defense. “A case like this is not going to be covered by medical malpractice insurance, and it’s not going to be covered by your home umbrella policy. You’re on your own with this,” cautioned Dr. Goldberg.
What can physicians do to avoid these consequences? Adopt a bit of a lawyer’s perspective. “NPI is out there and vulnerable, but much like everything else we do with patients, there are levels of protection available,” said Dr. Goldberg. “If you live in New York and have an icy, snowy day, and put salt in front of your house, someone slips and tries to sue you — there’s no liability because you did what a reasonable person would.” Likewise, physicians should leave no opportunity for unforced errors by improperly sharing or giving access to their NPI information. “I know of a case where staff had access to a physician’s NPI number, and a relative of one of the staff members set up a fraudulent billing system and billed Medicare for literally millions of dollars,” said Dr. Goldberg. “The physician involved claimed no liability because he didn’t do it — but in the end he settled because the NPI number was not protected in a reasonable manner.”
Physicians are additionally advised to take particular care regarding their NPI information when changing practice locations or switching organizations. A 2012 JAMA article described one unfortunate case of a physician who gave his information to the wrong potential employer: “Nearly two years after sending out job applications, he was asked by Medicare to return more than $350,000 in overpayments made to a practice he had interviewed with but never joined.” To avoid this fate, the authors recommend that, “Physicians should update payers about material enrollment changes, especially when opening, closing, or moving practice locations, or separating from organizations” (JAMA. 307(5): 459-460).
Other precautionary measures involve frequently monitoring claims and reimbursements to verify that billed services match a physician’s actual income. “If it does not match up, that is an indication that someone is diverting your reimbursements to a bogus address,” said Bivens.
Ultimately, Dr. Goldberg recommends physicians treat their medical identifiers the same way as they would their credit card number. “I’ll never write my credit card number in an email and send it to somebody,” he explains. “Applying for hospital privileges, I’ve had an administrator send me an email asking for my NPI number. There’s no way I’ll ever do that unless it’s through a secure type of email system.”
Beyond billing, fraudulent prescriptions can create another area of liability for physicians, particularly as sensitivity regarding the nation’s ongoing opioid crisis nears its zenith. While most physicians have policies in place to secure paper prescription pads, with e-prescribing on the rise, how can doctors monitor who is able to dispense under their name? The first step is to clearly designate, in writing, which specific staff members are permitted to prescribe, said Dr. Goldberg. “That’s the only way you can protect yourself. You can never stop this stuff totally, but there are ways you can control it.” Failure to do so can, predictably, also result in lawsuits, penalties, and in extreme situations — culpability in homicide. “There’s an ongoing situation involving e-prescribing, where a relative of a staff member was able to obtain narcotics. The relative then took the narcotics and was involved in a car accident where someone was killed. There is now an allegation of negligent homicide against the physician involved,” said Dr. Goldberg. “If I don’t have rules in place, everybody in my office is able to e-prescribe, and if something like this happens, it’s going to be a real big mess.”
Your identity has been stolen. What next?
The worst has happened: an identity thief has stolen your information. What are your next steps?
1. Compile information and evidence. If you suspect someone has stolen your personal information, start reviewing your records for inconsistencies. Check your credit report for unfamiliar accounts or charges, or odd bank account withdrawals. If you believe your NPI has been compromised, check billing files or patient files related to the fraudulently billed services.
2. Report. In the event someone has attempted to file a false tax return on your behalf using your Social Security number, it’s likely you won’t be aware until the second return is filed, whether by you or by the person who has stolen your information. If this occurs, you should immediately contact the IRS using IRS Form 14039. Following this, you should consider placing a fraud alert and credit freeze on your credit report to prevent any unauthorized accounts from being opened, in addition to contacting the Federal Trade Commission and filing an identity theft police report.
If someone has stolen your NPI information, “You have to notify all the insurance companies that you have contracts with. You have to notify your state board of medical examiners, and you have to notify your medical malpractice insurer,” said Dr. Goldberg. Physicians are also advised to contact CMS as soon as possible if they suspect NPI theft.
3. Start remediation process. In addition to seeking out identity-recovery services, victims of identity theft may want to consider obtaining legal counsel in the event of any future lawsuits depending on how the stolen information is used. In response to increased concerns regarding NPI identity theft, CMS launched the Center for Program Integrity (CPI) in 2011 to assist victims and aid in recovery and exoneration. More information and resources are available at www.cms.gov/About-CMS/Components/CPI/CPI-Landing.html.