Establishing Digital Trust: Don't Sacrifice Security for Convenience
With last week’s sobering news that medical identity theft is on the rise, we now face the prospect of privacy and security problems turning from annoyances into life-or-death issues.
Medical identity theft is one of those “perfect storm” scenarios, the confluence of security problems with medical records and time-tested insurance reimbursement scams. Modern fraud techniques have moved medical identity theft from being a theoretical threat into a deadly reality.
As frightening as it may be, however, the specter of “death by privacy breach” may actually provide the kind of motivation necessary for lawmakers to force the relevant industries to finally tackle two of the biggest remaining challenges in individual privacy rights: the ability to easily access and correct our private data files.
The Right to Know
Ever since the Organization for Economic Cooperation and Development issued guidance on Fair Information Practices in the 1980s, those principles have included the right for individuals to know what information is being kept about them and to challenge the accuracy of that data.
These principles of access and redress are core tenets of many privacy-related laws. For example, the Fair Credit Reporting Act (FCRA) allows consumers to access and correct their credit records.
Unfortunately, the credit bureaus have an abysmal record of compliance and the U.S. Federal Trade Commission (FTC) – the federal agency in charge of enforcing the FCRA – has spent much of the last several decades suing the credit bureaus over basic issues of consumer access and data accuracy.
In the world of medical privacy, the Health Insurance Portability and Accountability Act (HIPAA) gives patients the right to access their medical records, and provides some ability for patients to correct (or at least contest) some of the information found therein.
But unlike credit records, many people aren’t used to checking up on what their doctor has been illegibly scribbling in their medical files – much less checking to see if there might be erroneous or fraudulent information in there.
Yet, those files are exactly where medical identity theft can start.
Many Forms of Fraud
Medical identity theft can take many forms, including impersonating someone in order to receive treatments or drugs, fraudulently seeking reimbursements for imaginary procedures, intercepting reimbursements for real procedures… and the scams get more imaginative from there.
The real danger to life and limb arises when fraudsters start entering false data into medical records in order to generate bogus reimbursements, get bogus prescriptions, and so forth. Then when the identity theft victim ends up in the hospital weeks, months, or years later, the bogus information can lead to improper treatments or misdiagnoses.
Until the advent of medical identity theft, the consequences of bad data in the files of companies were limited to the interactions those companies had with you.
For instance, bad information in the database of an Internet advertising company meant you got poorly targeted advertisements or unwanted email. Bad information in a credit bureau database meant having to haggle with a mortgage underwriter or paying a slightly higher interest rate.
And in this post-9/11 world, bad information in the database of some private data mining company might now mean an unpleasant encounter with a rubber-gloved hand behind a curtain at your local airport.
“Just Too Complicated”
Unfortunately, the brilliance of those technology wizards who created the mechanisms for amassing huge databases full of everyone’s most intimate details seems to have stopped short of coming up with ways to help us reliably review and correct the files they created.
Back in 2000, the FTC appointed an Advisory Committee on Online Access and Security to look at how consumers might be better able to use these new interactive technologies to access the information that those same technologies collect and store about them.
As the federal agency which regulates credit bureaus and enforces the FCRA and other laws protecting consumers’ rights to access and correct their personal financial data, it’s only natural that they might be interested in the growing panoply of companies who are amassing similar databases.
Some of the best minds in the country spent months reviewing the twin issues of consumer access to data and best practices in web security.
Their conclusion? It was all too complicated and situation-specific for them to make any concrete recommendations about consumer data access!
But the real story of the committee’s findings is hidden away in the transcripts of their meetings and the various individual opinions submitted by the committee members.
Many of the participants, most notably those representing companies whose profits depend on their unfettered ability to scrape together massive databases for marketing and advertising purposes, seemed quite concerned about the costs to poor database companies of providing secure access.
They also expressed many fears that people might make “inappropriate” edits to their records, deleting information not because it was inaccurate, but because they simply didn’t want the information being stored at all.
The industry’s crocodile tears might be more convincing if they showed as much care in assembling and maintaining accurate data as they do in squeezing every last ounce of profit out of it, no matter how bogus it may be.
Peddling False Information
Judging from my own experiences with the credit reporting agencies, they have undoubtedly made hundreds, if not thousands, of dollars peddling my files to advertisers, not caring for a moment that the files are riddled with stupid errors.
What kinds of errors? Well, until recently, two of the three major credit bureaus showed my “current” address as an apartment I lived in for just one year during college, even as the records also indicated a half-dozen more recent addresses, not to mention a recently issued residential mortgage!
Such absurd incompetence is either exasperating or amusing, depending on one’s mood and circumstances. But when such easily correctable errors in a medical record can result in a patient being given a dangerous drug or unnecessary procedure, the stakes are far higher.
If there is any possibility of a silver lining in the dark clouds of the “perfect storm” represented by medical identity theft, it’s that the stakes have indeed gotten much higher than ever before.
Unfortunately it may require some lurid and tragic story to come to the public’s attention before the politicians are whipped into a sufficient frenzy to get serious about protecting both the integrity of our private records and the principles of access and redress that policymakers claim to hold so dear.