Preventing Identity Theft in Your Business
Other legislation proposed by U.S. Senator Maria Cantwell (D-Wash.) would allow consumers to obtain copies of credit card applications and bills in their names. The Cantwell bill also includes provisions designed to make it easier for consumers to undo the damage caused by identity thieves.
Appendix K presents a list of legislators and others who first came out in support of identity theft measures, who have been victims of the crime, and/or who have testified before or sit on various committees dealing either directly or indirectly with identity thefts. Since it was created, this list has expanded to include many others across the country who have pursued or are actively pursuing legislation to combat identity theft. Not all of this legislation may be practical from a company’s financial perspective.
The challenge for the project team in the exercises that follow is to generate a list of best possible legislative proposals for the prevention of identity theft, as a way to advocate for your business customers and also enable your company to profit financially.
Exercise 1. Review the Identity Theft Laws
Estimated Time: Four Hours
To begin, and before developing your company’s customer advocate proposals for identity theft legislation, review the federal and state identity theft laws that are enacted or currently proposed.
Step 1. Obtain four lists of identity theft legislation, two federal and two state. These lists cover:
Enacted federal legislation
Proposed federal legislation
Enacted legislation in your state
Proposed legislation in your state
Obtain these lists from the federal government Web site and from your state government Web site. For information on federal legislation, go to www.whitehouse.gov/government/legi.html and follow the links to the House of Representatives and the Senate. For information on state legislation, go to www.[abbreviatednameofstate].gov; for example, www.mi.gov for the State of Michigan Web site, or www.mn.gov for the State of Minnesota Web site.
Step 2. Review and discuss as a team the federal and state legislation that has been proposed or enacted. To narrow the lists, briefly discuss and then place a checkmark by only those acts or bills that stand out as potentially nondetrimental, from a business perspective. That is, for each law, pose these questions:
Does it require resources for company compliance?
Is such compliance feasible for small companies with limited resources?
Does it require large investments of a company’s time?
Does it require reorganizing, restructuring, or otherwise redesigning your company’s current business practices or procedures?
This list of legislation will be used together with expert information obtained in exercise 2 as the basis for proposing legislation to protect employees and their customers.
Exercise 2. Prepare to Develop Legislation
Estimated Time: Three Hours
The goal is to develop a list of company proposals for identity theft legislation in your state that are proactive, that would protect consumers and businesses, and that can be reasonably implemented by businesses of any size. In preparation, it is necessary to conduct a focus group interview with a group of criminal justice professionals. Before beginning this exercise and to ensure the most productive outcomes, once again review the instructions in Appendix E for the Security Focus Group Interview.
This focus group interview is imperative because preventive legislation requires knowledge of measures that would help law enforcement to apprehend criminals and give attorneys the power to prosecute them. Identity theft is still considered a low-risk crime; few laws exist to help prevent it. For example, police departments do not have the resources to fight crimes that are not likely to be prosecuted, and legal jurisdictional boundaries interfere with the investigation and prosecution of identity theft networks, which, by criminal design, operate intentionally across legal jurisdictions. These and many other reasons for escalations in identity theft are known only by the experts who confront identity crimes on a daily basis.
Step 1. Extend the invitation. Set a date, prepare the agenda, and compose and send a formal letter of invitation to your city’s police chief and to prosecutors from your state’s attorney general’s office to attend a two-hour focus group interview on legislation that would help those criminal justice professionals combat identity theft. Recall that a goal is to represent your company as a consumer advocate for identity theft protection. Such legislation, drafted and promoted by your company, would strongly convey the message you wish to send consumers.
Step 2. Conduct the two-hour focus group interview. Then consolidate and prepare the ideas generated from this interview for use in exercise 3, where the project team is to create legislation for your own state.
Exercise 3. Develop Legislation on Identity Theft
Estimated Time: Four Hours
Use the list of federal and state laws checkmarked in exercise 1 and the list of ideas generated from the criminal justice professionals in exercise 2 as the basis for formal brainstorming followed by cause-and-effect analysis. The goal is to generate several creative ideas that can be framed as proposals to proactively prevent the thefts of consumer identities.
Each proposal should address two questions:
Is the proposed legislation proactive, that is, will it help to mitigate or prevent identity thefts?
From the perspectives of team members, is the proposal a wise business practice, that is, one that will not financially inhibit businesses, regardless of size?
Proposals developed from these two perspectives may potentially benefit not only the consumer but other businesses as well, inasmuch as criminals do not discriminate as to which businesses to victimize.
To help guide the project team in this exercise, consider the proposals from exercise 1 as potential proposals that could be enacted in your state. Consider each proposal from the perspective of law enforcement and how a bill might be strengthened with a law enforcement practice, based on the focus group interview. Using brainstorming, try to generate new ideas not previously proposed—laws that would not require financial investments for the way a company does business. Seek also to create proposals that will convey to the public the message that your company is a consumer advocate for identity theft protection. These results will be used in exercise 4 for presentations to the state legislature.
Exercise 4. Present Proposals and Issue Press Release
Estimated Time: Four Hours
As a final exercise, make follow-through plans with specific target dates to formally present your package of identity theft proposals to your state’s legislature, and issue a press release to make it known that your company is an advocate for customer security.
Finally, Chapter 23 is a brief summary for healthcare and healthcare-related companies that assume an enormous responsibility for securing hundreds of thousands of personal identities contained in the Health Insurance Portability and Accountability Act database. The chapter illustrates how easy it is for these companies to fully comply with federal laws for securing personal information in this database.
CHAPTER 23
THE HIPAA DATABASE
When it became effective in 2003, the Health Insurance Portability and Accountability Act (HIPAA) of 1998¹ provided criminals with thousands of new opportunities to steal personal information. How? The HIPAA created a database containing the identifying information on nearly everyone in the United States — all persons who either have healthcare insurance or who have in the past received healthcare.
However, healthcare or healthcare-related institutions need not worry provided they have secured the HIPAA database on the four fronts: people, processes, property, and (thereby) proprietary information. The security standards of the Business Information Security Program (BISP) are essential compliance requirements for all institutions having access to the HIPAA database. This chapter presents an overview of preceding chapters so as to illustrate the BISP applications for businesses providing healthcare services and products.
THE BISP SECURITY STANDARDS AND HIPAA
Goal: To prevent the theft of personal identifying information from the HIPAA database.
Specific Objectives: The objectives of this chapter are twofold: (1) to provide healthcare and healthcare-related companies with a brief overview of the BISP security standards contained in Parts II and III, and (2) to summarize sections of the chapters describing how personal information can be compromised from institutions having access to the HIPAA database.
Orientation
Although all U.S. health insurance companies, hospitals, clinics, pharmacies, home health agencies, clinical laboratories, medical supply stores, nursing homes, billing services, and assorted clinics and centers by now are presumably aware of their legal responsibility for preventing identity theft, personal identities cannot be secured without implementing the Security Standards that protect three fronts: people, processes, and property.
On the people front, for example, the Gramm-Leach-Bliley Act (GLB Act) recommends reference checks of employees prior to hiring. This is a troublesome recommendation to businesses for at least two reasons.
Businesses that provide third parties with personal information about previous employees put themselves in jeopardy for lawsuits by those employees.
Libraries are filled with volumes of applied management research showing how reference checks lack validity and reliability when used for personnel selection purposes. Reference checks simply do not work.
Additionally, on the process front, neither the GLB nor any other act addresses the security of information processes — those sequential job tasks (i.e., the process) that, to perform the job, require access to personal identifying information.
Consider, for example, the multiple job tasks that use personal information from a healthcare form provided by a patient who comes into a dental office. The patient’s personal identifiers are directly accessible by as many as five people: receptionist, nurse, dentist, billing company, and most or all other office personnel.
As earlier chapters fully recognized, federal safeguards are required to address computer and network system security. But as was also mentioned earlier, computers do not steal identities. Machine security is only one aspect of identity theft prevention, and a relatively small one at that. The security of the people who have access to the computers is of the most immediate importance, followed by process security and then property security — the security of the computer and network systems.
The compromising of personal information from computer systems can be largely mitigated and even prevented by securing first the people and then the processes that use the personal information. Computer security is only a patch to cover up the root causes: the lack of people and process security.
The security problems for healthcare and related businesses due to the accessibility of the HIPAA database by hundreds of thousands of companies and their employees are unfortunate because the act provides important protections for millions of working Americans and their families who have preexisting medical conditions or might suffer discrimination in health coverage based on a factor that relates to an individual’s health.
For example, the act:
Limits exclusions for preexisting conditions
Prohibits discrimination against employees and dependents based on their health status
Guarantees renewability and availability of health coverage to certain employers and individuals
Protects many workers who lose health coverage by providing better access to individual health insurance coverage.
But it seems that these many blessings for U.S. citizens are incidental to HIPAA’s real purpose.
HIPAA’s Real Purpose
The Proposed Rule for the National Standard Health Care Provider Identifier that is used in the HIPAA national database was reported in volume 63, number 88, of the Federal Register on Thursday, May 7, 1998. The Proposed Rule was published by the Department of Health and Human Services in the section titled “National Standards” and the subsection titled “Identifier Standards.”²
Accordingly, “the ‘Rule’ proposes a standard for a national health care provider identifier. The purpose of HIPAA and the Rule is for faster, electronic processing of financial and administrative transactions” (emphasis added). Based on this report by the U.S. Department of Health and Human Services, the primary purpose for HIPAA is economical — quicker claims processing for healthcare providers. The healthcare provisions for citizens are a secondary by-product. And given the lack of security, citizens may be hindered rather than helped by HIPAA. The contents of the database are unbelievable.
Contents of the HIPAA “National Identity” Database
Instead of being helped by HIPAA, thousands of citizens may suffer from the costs and stresses of identity theft, because the provisions in the act for securing their personal information are limited and lacking, and the databases contain life history information on many or most U.S. citizens. The following examples represent only a part of a longer list of personal information available in the database: patient’s name, address, birth date, birthplace, citizenship, gender, race, maiden name, marital name, middle name, Social Security number, place of employment; past, present, and future physical and mental healthcare services and all details for each health-related incident, including admission and discharge date, weight, diagnosis, treatment, medications; also date of future scheduled surgery and all other information requested by a healthcare provider for healthcare and insurance purposes (p. 25320). The HIPAA database also contains the same health information on spouses and dependents (p. 25320).
Furthermore, the term “health information” means any information, whether oral or recorded in any form or medium that is created or received by a health plan, public health authority, employer, life insurer, school or university, healthcare clearinghouse, home health agency, hospice, hospital, specialty outpatient, pharmacy, medical lab, dental lab, physician, osteopath, dentist, podiatrist, chiropractor, ophthalmologist, optometrist, and any other healthcare professional (pp. 25320; 25335–338).
In addition, the database holds information on “health claims, health encounters, health claims attachments, health plan enrollments, health plan disenrollments, health plan eligibility, healthcare payments and remittances, health plan premium payments, first reports of injury, health claim status, referral certifications and authorizations … and any other financial and administrative transactions that are determined to be appropriate” (p. 25322).
The greatest concern from an information security management perspective is the thousands or millions of people who now have access to the database and background information on U.S. citizens. One recent estimate is that as much as one-third of identity thefts come out of healthcare facilities, and this study was conducted before the enactment of HIPAA and the creation of its national identity database.³
The predicted surge in identity thefts also can be blamed in great part on the accessibility given to the hundreds (potentially thousands) of other organizations that also have access to the database, such as “repricing companies, community health management information systems, value-added networks, software system vendors, and other second- and third-party claims processors and clearinghouses” (emphasis added).³ To ignore the probability that identity thefts will increase due to HIPAA shows great disregard for American citizens, given the recent history and astonishing increase in identity theft crimes.
However, those healthcare and related companies that take the time — recall, the cost is negligible — to adopt the Business Information Security Program’s standards can demonstrate their concern by securing within their own institutions the personal identifying information of their employees and that of their patients, clients, and other customers.
Examples of the BISP Security Standard Exercises
The security standards are developed by teams of employees through a series of step-by-step and detailed instructions with representative illustrations and examples of both the procedures and the standards themselves. The tangible documents prove that security mechanisms have been developed and implemented. The exercises use proven tools and procedures from industrial and organizational psychology, the management sciences, and the field of criminal justice to secure people, processes, and property and, thereby, proprietary information — personal identifiers.
To illustrate, the next three exercises are summary examples from chapters in this book that provide step-by-step instructions for developing security standards to secure work processes in three steps: (1) identify, (2) trace, and (3) secure.
Exercise 1
Identify HIPAA incoming sources. Use structured brainstorming (Appendix C) to determine where the HIPAA information (identities of your employees and customers) enters into or originates within a department. To perform this exercise, generate a list of all incoming sources, or entry points, of identities into the department. Focus on places where information first enters a department or where information (identities) is generated within a department (e.g., receptionist desk). Perform this exercise for each department that either directly or indirectly has access to the HIPAA database.
Exercise 2
Trace the identifying information, that is, the form or document that contains the personal information (e.g., an application for healthcare or healthcare insurance). Start the tracing where the HIPAA document comes into a department (exercise 1) to trace the process — the input-throughput-output flow of the identity through the department. Use the specific procedures and detailed instructions to trace how and where the information is processed through a department. For example: