
Leaks in the Care Cycle

Patients should not have to ask their doctor if their personal information is safe.


Like clockwork, new compliance standards are released to the health care industry with unrelenting efficiency. In efforts to ensure full compliance, health care facilities are waking up to a whole new area of exposure not covered by HIPAA. Just one incident can be as damaging and costly as non-compliance. And only now is health care coming to grips with this new threat.

The cycle of care
As patients enter the health care system, they experience the efficiencies that organizations have come to master, called the "cycle of care." From field care such as emergency services and paramedics, hospital care such as physicians, labs and ORs, to post-hospital care such as outpatient services, the cycle of care delivers a nearly seamless transfer between specialty areas in order to achieve the highest level of care and best patient outcome.

The man behind the curtain
A patient who spends any length of time receiving care quickly becomes exposed to the processes behind the proverbial curtain that provide the cycle of care. It is not uncommon for a patient with chest pain to receive in excess of six separate bills including ones from EMS in the field, the hospital, emergency room physician, cardiologist, labs, angiogram, anesthesiologist and any post-hospital care follow-up that may be required.

Upon discharge, the patient receives bills, each representing a different specialty or module of care. But in order for billing to occur, patient credentials pass from one provider to the next with maddening efficiency. And while the level of efficiency is often touted by public relations as achieving a new level of health care excellence, it also can expose patients to risk and the institution to a public relations nightmare.

Beyond compliance
Across virtually every industry, highly publicized cases of identity theft give great cause for concern. The Identity Theft Center reports a new victim of this crime every 19 minutes. This growing problem is a critical concern and calls for greater awareness. According to USA Today, one in four U.S. households has experienced identity theft. These stories, while all too familiar, are starting to reach the medical field, which is ripe for the picking.

While we have been expending substantial efforts to ensure the safeguarding of health care information in accordance with HIPAA guidance, our facilities have not closed the gaping hole that is beyond compliance, namely the security of our patients' identities.

Ignorance is not bliss
While the primary thrust of HIPAA is to ensure the non-disclosure of health care records to unauthorized entities, it does not specifically guard against the release of information such as a patient's date of birth or other pieces of credentialed information that can be used in committing identity theft. As a result, many facilities are unprepared to deal with the problem. Only 48 percent of the nearly 8,000 health care executives surveyed in a recent PriceWaterhouseCoopers study reported that their facility encrypted data before transmission, and only 37 percent have an information security strategy.

Identity theft costs organizations hundreds of dollars per customer record exposed. But this does not even begin to capture the full cost in terms of shaken customer confidence, negative PR and impact on the stock price in the case of public companies.

What's worse is that health care has become a prime target for identity theft because the criminal goes beyond selling the credit identity of the victim, to also selling the health identity of the victim.

Linda Weaver from Florida was one such victim when she received a bill from a local hospital for the amputation of her right foot. After weeks of wrangling with the hospital, Weaver finally stormed into the facility and kicked both her heels up on the desk of the chief administrator. The mistake wasn't a simple billing error. Weaver's identity had been stolen and resold. But it does not end there. Health care adds the exposure of having incorrect health information due to the fraudster having procedures performed with someone else's identity. When Weaver was hospitalized a year later, it became apparent that the amputee's medical information was now mixed in with her own after a nurse reviewed her chart and said, "I see you have diabetes." She didn't. (Diagnosis: Identity Theft, 2007.)

Prescription for security
While the security of the network, applications and data will always be a cat-and-mouse game, several key actions can be taken to tilt the game in our favor:

  • Employees - Background checks help ensure that employees are honest on their resumes and are not career criminals.
  • Training - Most security breaches are accidental. Adding a security training module beyond HIPAA can greatly enhance the security you currently have or plan on deploying.
  • Beyond perimeter protection - Most identity-based threats occur on the internal network, which means protection must evolve beyond perimeter protection. Security must detect stealthy and sophisticated actions and attacks that happen on the internal network where perimeter protection is blind.
  • Coordination of efforts - Point-based security products almost myopically focus on a single type of problem. Leverage your security products by deploying a solution-based system that can correlate multiple feeds from different security products. This is the only way to find the most sophisticated attacks that evade point security products. Similarly, full visibility and control across the entire solution can root out additional non-compliant behavior while reducing the costs associated with employees having to learn and manage multiple systems.
  • Performance and scalability - As more mission-critical operations come online and more employees require access, throughput requirements will only increase. Make sure that the solutions you consider offer throughput and security without compromise.

Demonstrating your compliance with HIPAA is an initiative not to be taken lightly. Equally important is looking beyond compliance and safeguarding data that can land you on the front page of the morning's paper for all the wrong reasons. The last question that should be asked by a patient is "Doctor, is my data safe?"

Mr. Rothschild is senior manager of product marketing at Juniper Networks.




     
