Health care cybersecurity

The looming wave of cyber fraud in health care

Cybercriminals employ nuanced, sophisticated, and nefarious methods to commit health care fraud. They are invisible to their victims while committing their crime and difficult to identify and apprehend by law enforcement afterward. To counter this epidemic, health care risk managers must anticipate fraud schemes and move to a preemptive, proactive posture.​

Health care cybersecurity fraud is evolving

Health care fraud exists when unscrupulous individuals or entities seek to exploit vulnerabilities and loopholes in payment systems through deception for their unlawful financial gain. The unsettling news is that with cybersecurity crime, the problem of health care fraud is more complex and difficult to detect. The cybersecurity world allows perpetrators to be anonymous, and employ nuanced, sophisticated, and nefarious methods to exploit individuals and entities very quickly. By operating in a non-physical environment and from disparate locations around the world, perpetrators are nearly invisible to their victims while committing a crime and for practical purposes untouchable to law enforcement after the fact.

Back to top

Why is health care a target?

  1. It amounts to $3.2 trillion or 17.8 percent of US GDP1
  2. It is inherently vulnerable to collusion and misrepresentation, i.e. the "payer" is not the one receiving the service
  3. Payments are mandated to be paid electronically and, thus, subject to cyberattack

A compelling reason to take action

The United States currently spends $3 trillion per year on health care—$9,024 per capita—while other advanced economies rarely spend above $5,000.2 The Institute for Medicine estimates 30 percent of our health-care spend is lost to fraud, waste, and abuse.3 The inevitable conclusion: There is nearly one-trillion dollars in savings to realize across the system.

With health care fraud increasingly in the cybersecurity realm, and outpacing government and industry attempts to mount defenses, matters may well get worse before they get better. The evolution of systems to administer health care is advancing faster than our security solutions, and we must adapt to protect against technology after it is already part of our environment.

Back to top

Eighty percent of providers admit they recently experienced a significant security incident4.​

No simple solution

There is not a simple solution to the challenge of program integrity in health care, and keeping up with ever-emerging schemes of increasing complexity requires extraordinary vigilance and enhanced capabilities. Still, there are prevention and detection "counters" that should be part of a comprehensive solution. Basic recommendations include:

  • Continue to enforce strong IT security practices, including network access controls, firewalls, and anti-virus software.
  • Strengthen collaboration among industry groups, commercial entities, government regulators, and law enforcement to address vulnerabilities.
  • Establish counter-intelligence programs to monitor for insider threat.
  • Utilize predictive modeling and data analytics to detect anomalies and guide the use of forensic and investigative resources.
  • Build stronger pre-payment monitoring systems, integrating claims, third-party data sets, and identity theft patterns to strengthen decision support.
  • Establish models for outbound monitoring.

The risk management community must anticipate new fraud schemes before they are unleashed. The recommended measures will not eliminate the threat, but they can make it more difficult for the attacker and move cybersecurity fraud risk management to a more preemptive and proactive posture.

Back to top

Meet the authors

Brien Lorenze is a principal in the Regulatory, Forensics & Compliance practice of Deloitte Transactions and Business Analytics LLP, and the global public-sector leader. He specializes in monitoring and detection of financial crime, including improper payments, money laundering, fraud, sanctions evasion, and the financing of terrorism.

Dan Olson, CFE is a senior manager in Deloitte's Risk and Financial Advisory practice. He has worked for more than 25 years in health care fraud examination, developing and implementing predictive analytics for Medicaid, Medicare, and commercial payer plans.

Eric Dull, MS, is a specialist leader at Deloitte & Touche LLP. As a data scientist, he leads teams developing cyber solutions that utilize high-performance and cloud computing architectures.

1 Centers for Medicare & Medicaid Services National Health Expenditure Data: www.cms.gov/research-statistics-data-and-systems/statistics-trends-and-reports/nationalhealthexpenddata/nationalhealthaccountshistorical.html; accessed August 10, 2017.
2 www.pgpf.org/chart-archive/0006_health-care-oecd
3 "IOM Report: Estimated $750B Wasted Annually In Health Care System," Kaiser Health News, September 7, 2012.
4 Health Information and Management Systems Society 2016 HIMSS Cybersecurity Survey.​

Did you find this useful?