I enjoyed speaking with Robert Siciliano, chief executive officer of IDtheftsecurity.com, about the issue of medical identity theft.

Mr. Siciliano will speak at the upcoming World Healthcare Innovation and Technology Congress later this year.

Butcher: Information technology is in the process of transforming healthcare delivery. Patients are telling physicians about their symptoms over e-mail and checking their lab tests online, to give just a couple of examples. What security issues should hospitals and physicians be thinking about?

Siciliano: First, it does start with your information technology administrators. They are responsible to protect you from the outside – from criminal hackers – and from the inside, if you happen to have a bad seed working within your organization. So, it all starts with the IT administrators. The physicians themselves, and the employees at all levels, need to understand what their responsibilities are regarding safety or security and privacy policies, and those policies must be enforced at all times.

Butcher: If a patient’s personal healthcare information does end up being stolen from a hospital’s computer system, what happens? What is the hospital’s liability?

Siciliano: Over the past few years, there have been some major, major breaches of personal information at the government level, corporations, associations, healthcare, insurance companies – you name it. Just about every industry has been affected by a data breach at one level or another.

And as a result of this, state to state, they have passed data breach notification laws, which require corporations – entities whose information has been compromised – to disclose that breach and to make sure that they notify those who have been affected by that breach, so that those people can then go out and take the necessary steps in getting protection, in getting some type of insurance, or credit monitoring, whatever the case may be, so that their identity is not further damaged as a result of that breach.

Unfortunately, criminal hackers have changed the motivation significantly over the past few years, and they are really targeting everyone. I mean, nobody is immune.

Butcher: It seems to me that protecting against identity theft ultimately is the individual’s responsibility. Do you see this changing in the future, and if so, how?

Siciliano: Unfortunately, it is absolutely the individual’s responsibility. While the organization may be responsible for doing their part to keep that data safe and secure, ultimately, if it is compromised, it is in the personal identifying information, including name, address, and especially social security number, that individuals are ultimately responsible for self-protection.

Responsibilities do boil down to managing your own personal information, and ultimately making sure that, even if they do get that data, that there’s not a whole lot they can do with it.

Butcher: What should health care executives know about medical identity theft?

Siciliano: First, I think it’s very important that everybody understand the extent of the problem, that the issue of medical identity theft is becoming an ever bigger problem.

Identity thieves have been working at this for as much as 20 years now, and they’ve figured out just about every single way to compromise our information, and then turn that data into cash.

Over the past few years, they’ve shifted just a little bit and they’re paying even closer attention to our medical information. And throughout the country, I’m seeing more and more reports where you have people checking into hospitals, into clinics, and so forth, and they are posing as the individual who owns this particular social security number and/or insurance policy, and they’re either getting medical treatments under that person’s insurance, or they’re getting pharmaceuticals, prescription drugs, under that person’s medical insurance.