Friday, June 29, 2007

Identity Theft

One of the factors considered when you conduct a threat and risk assessment is the motivation of the threat agent (i.e. bad person) who wants to steal the personal health information in your custody. This often leads some privacy naysayers to ask "who would want to steal my health information? There's nothing interesting there and even if they did, who cares?" There is a touch of truth to this. I can't imagine anyone getting off on my history of negative lab test results.

There is however the matter of identity theft. No one wants my lab tests, but they might be motivated by the opportunity to take over my bank accounts, credit cards and home mortgage. Health care databases are a rich source of data for identity thieves who are more interested in the state of my finances than the state of my health.

We must also recognize that health care is a valuable service that doesn't cover everyone, especially those living in the United States who might be motivated to scam some free health services. Stealing the identity of an insured person is one way of gaining access to free health care.

Gordon Atherley has written a white paper on identity theft in health care. I'll also point you to the article Diagnosis: Identity Theft from an earlier post on this blog. The World Privacy Forum has published a report titled Medical Identity Theft: The Information Crime that Can Kill You. Download and read these papers. Someone out there will be motivated to go after your databases not because they intend to misuse the health data, but because they want to rob us blind.

No comments: