Embed Size (px)
Citation preview
October 18, 2005Robert S. Brown
UW Medical Center
Identity Theft
So, what you gonna do about it?
The Law
RCW 9.35.020: No person may knowingly obtain, possess, use, or transfer a means of identification or financial information of another person, living or dead, with the intent to commit, or to aid or abet, any crime.
The Costs
$53 Billion per year nationwide Loss of good will = loss of business?
The Methods
Phishing has replaced dumpster diving Other methods include:
– Shoulder Surfing– Skimming (data device on an ATM)– Social Engineering (think Mission: Impossible)– Mail Theft (old fashioned but it works)– Retail Theft (stealing, hacking, conning, bribing)– Plus a zillion other ways your data gets stolen
Two likely scenarios at UWMC
1. Care Recipient is an identity thief
2. Inside job (or hacker)
Care Recipient is an identity thief
Duty to notify the victim– Do not share PHI unless permitted by law
RCW 70.02.050 HIPAA
– Consider notifying law enforcement– Share handout explaining what you will do, what
they can do (e.g. FTC’s excellent white paper)– http://www.consumer.gov/idtheft/
Care Recipient is an identity thief
Need to mitigate the damage– Amend medical records– Notify internal departments– Promptly investigate & notify the victim of your
findings and actions taken to fix
Employee is the Identity Thief
Investigation policy?– Who is on point?– Who should you alert?– How will you summarize at conclusion?
Sanction policy?– Does it explicitly address ID theft?– Will the penalties meet the Seattle Times test?
Summary
Review the laws:– RCW 9.35– HIPAA– RCW 70.02.050
Summary
Be proactive in protecting data Be diligent about investigating Create policies now
UW Medical Center
Rob Brown, Assistant Director of Compliance206.598.4342 [email protected]
Ellen Rubin, RN, Privacy Officer206.598.5701 [email protected]
