Code Red host, Rod Piechowski, had the opportunity to interview Kevin Johnson, chief executive officer and senior security analyst at Secure Ideas, about how medical identity theft has wide ranging impacts beyond stolen information. Here are some excerpts from their conversation
Rod Piechowski: Kevin, thank you very much for joining us today.
Kevin Johnson: Thanks for having me on.
Rod: Every year at HIMSS we do a cybersecurity survey ‑‑ at least, we have for the last two or three years. This year it showed that medical identity theft was considered by the respondents to be the number one motivation for breaching provider data. You presented a view from the top at HIMSS '16 and you spoke about your own family's experience with identity theft. Would you mind going into that and sharing that experience with our listeners? How has it affected your perspective as a security professional?
Kevin: Yeah, no problem at all. Actually I share it quite often, because I think that most people misunderstand the threat of identity theft. When you say "identity theft" to most people they think, "Ah, they stole my credit cards." OK, that's not identity theft. Or they think that they're opening up mortgages and loans and affecting your credit. Most people don't think about medical records. Even if you talk to people about medical records they don't understand the danger.
My experience that you were referencing was my oldest daughter, Brenna. Love her to death. I have two kids, Brenna and Sarah. They're awesome. Brenna is diagnosed with a seizure disorder, OCD. She was going through all the neurologists and all of her tests, and everything else like that. The hospital we went to, Wolfson Children's, was great with her. They were very friendly, they helped her. Thank goodness, she was diagnosed with something that she'll outgrow, with no long‑lasting effects, medically.
Here's the problem. About six months later, she was nine, we got the letter from the hospital saying, "We take security very seriously," but they lost it. They don't explain exactly what happened. I've heard rumors, but Brenna's data was one of the records they got. They got her social security, her address, her phone number, her date of birth, everything about her. Plus, they got her medical records. They know her diagnosis, they know all the tests, everything like that. Of course, Wolfson was very apologetic. They provided a year of free credit monitoring, which I found to be funny, because at nine years old, Brenna wasn't allowed to find out for free credit monitoring. You have to be 18, which means that Wolfson's paid for it but nobody can use it.
For the rest of Brenna's life, she has to deal with the fact, and I got to explain it to my nine‑year‑old‑daughter, that was fun, that she has to monitor this. It's not just monitor your credit, make sure that somebody isn't opening up loans as you, but she also has to monitor her medical records. It's quite common for somebody to steal medical records and then use that to get insurance, to get treatment, whatever. Brenna has to deal with what happens if somebody goes, as Brenna, and then they're allergic to penicillin, and she's not.
Now she's at a hospital and she's being treated, and they won't treat her with penicillin because the records now show that she's allergic to it. If she needs to be treated for something, but the records already show her appendix was already removed, but it hasn't been. If she has a problem, they're not going to look at the appendix, because it's gone, according to her records.
This is something Brenna has to think about. This is something that she has to live with for the rest of her life. As a security professional, I had dealt with criminals and things like this my whole career, but it never struck home as it did when I was sitting with my nine‑year‑old daughter, talking it over with her. It changes the way I look at things. It made me realize that, as weird as it may sound, that we really are responsible for things that can effect people's lives forever.
Rod: Can't we all assume that all of our records, at one point or another, have been compromised to some degree?
Kevin: I think it's a sad state of affairs, but yes. I think at this point we can assume that at least some portion of our records is public, medical, financial, whatever. A good example of that is social security numbers. I assume that my social security number has been compromised, and so I regularly monitor my financial records, because there have been so many breaches that I've been a part of. The big one that everybody knows, OPM, the Office of Personnel Management, my records were in there, so that data's public. You can actually get Brenna's social security number on the Internet today. I just think that everybody should assume their data is stolen, but that doesn't mean that we should treat the data as if it should be public. It doesn't remove the responsibility of the maintainers of the data to protect it. Just because my social security number was stolen before doesn't mean that my doctor doesn't have to protect my records.