Smart cards key to eliminating ID theft and billions in fraud
By Michael Magrath, Director, Business Development, Government and Healthcare for Gemalto, CSCIP
Identity theft is common in the banking world and online, but now it is also lurking where Americans are told to feel the most protected–hospitals. The frightening reality is that there is little to no identity management, much less protection, in our health care system today.
Because of this, health care fraud and identity theft are growing at an alarming rate and becoming very well organized. Recently, federal authorities shut down a 44-member crime ring responsible for two massive health insurance fraud schemes. The $100 million scheme to defraud Medicare and private health insurers in the state of New York was the largest in history.
How did this fraud attempt become so massive? The indictment alleges defendants operated at least 118 bogus medical clinics in 25 states, each submitting fraudulent claims using identities stolen from both doctors and patients. Medicare eventually shut down the fake clinics, but not before $35 million in false claims were distributed.
At the heart of this issue are two fundamental challenges: (1) transition from a paper-based record system to electronic health records in the U.S. and (2) implementation of strong authentication of individuals requesting access to medical records.
This summer, President Obama said that all Americans must have electronic medical records within five years. Digital records, he said, will save billions by cutting waste and eliminating repeated tests and errors. Providers who do not comply by the 2015 deadline will face cuts in Medicare payments.
It is critical for this transition to occur in a way that not only establishes online records but also implements strong security that resists outside breaches.
In order to protect patient privacy and security there must be a very high level of assurance that every person within the system is who they claim to be. Obviously this applies to patients, but it also applies to everyone accessing sensitive medical records–physicians, nurses, EMTs, therapists, administrative personnel, etc. Moreover, this applies to physical and virtual identity presentation.
In early 2011, it is expected that President Obama will sign the National Strategy for Trusted Identities in Cyberspace (NSTIC) to combat fraud and identity theft. Among other things, NSTIC calls for strong authentication for certain types of online activity. Because of its sensitivity and its bearing on personal privacy, access to electronic health records is referenced throughout the early drafts.
Breaking Down the Numbers
A 2010 report by the National Health Care Anti-Fraud Association stated that the U.S. health care system sees $100 billion a year in medical fraud.
To date, most information from patient documents was stolen via inside access, such as doctors or nurses selling patient information. However, a rising trend finds hackers stealing information online and submitting false claims through the Medicare system. Stolen information such as social security numbers and addresses is used to submit false claims from past patients.
About 9% of U.S. adults have been victims of identity fraud, with 6% classified as medical identity theft. This translates to 1.4 million people, according to survey results from the Ponemon Institute’s National Study on Medical Identity Theft.
The average total cost to resolve a medical identity theft incident, according to the survey, exceeded $20,000. But it isn’t just money that patients are sacrificing–it’s their health. Misdiagnosis or incorrect treatment can cause serious injury or even death if a person’s medical information is entered into another patient’s record.
A common cure
Both medical fraud and identity theft can be addressed through the same solution: strong identity assurance and verification of both the patient and the provider. Implementing standards-based, smart card technology into the health care system has the potential to completely revitalize the records system.
Patient identification can be securely stored on a chip that has built-in, tamper-resistant features, making it extremely difficult to duplicate, hack or forge.
Smart cards support advanced cryptographic methods to secure data on the card and can be used as secure tokens to provide authenticated access to health care information. They can also be used in conjunction with biometrics to provide the highest levels of security. For example, a health care provider could have a biometric template–i.e., fingerprint–stored and matched on their smart card to provide three factors of authentication, preventing an unauthorized person from accessing, stealing or misusing patient identification.
In the case of the previously mentioned Medicare fraud crime ring, a smart card-enabled system could have eliminated the fraudulent claims. To enable this protection, smart cards would need to be issued to properly vetted medical professionals and patients.
At the point of treatment, both the patient and provider would mutually authenticate themselves using a PIN or biometric to acknowledge that the specific treatment was administered and specific medications or medical equipment prescribed. Both the patient and physician would use their cards to digitally sign the claim, which would then be electronically transmitted to Medicare.
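The co-signing check described above can be sketched from the payer's side. This is an added illustration, not code from Gemalto or Medicare: the claim fields, the card registry, the IDs and the choice of Ed25519 are all assumptions, and software keys stand in for keys that would never leave the cards.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Claim is a constructed, simplified claim record (hypothetical fields).
type Claim struct{ PatientID, ProviderID, Treatment string }

// Registry maps an enrolled card ID to the public key recorded at vetting.
type Registry map[string]ed25519.PublicKey

// bytes encodes all three fields unambiguously, so each signature covers
// both identities and the treatment.
func (c Claim) bytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q", c.PatientID, c.ProviderID, c.Treatment))
}

// NewCard generates a key pair standing in for a key held on a card.
func NewCard() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// SignClaim is what a card would do after its holder enters the PIN.
func SignClaim(priv ed25519.PrivateKey, c Claim) []byte { return ed25519.Sign(priv, c.bytes()) }

// VerifyClaim accepts a claim only if two distinct enrolled cards, the
// patient's and the provider's, both signed this exact claim.
func VerifyClaim(reg Registry, c Claim, patientSig, providerSig []byte) error {
	if c.PatientID == c.ProviderID {
		return fmt.Errorf("one card cannot sign as both parties")
	}
	check := func(role, id string, sig []byte) error {
		pub, ok := reg[id]
		if !ok || !ed25519.Verify(pub, c.bytes(), sig) {
			return fmt.Errorf("%s %q: card not enrolled or signature invalid", role, id)
		}
		return nil
	}
	if err := check("patient", c.PatientID, patientSig); err != nil {
		return err
	}
	return check("provider", c.ProviderID, providerSig)
}

func main() {
	pPub, pPriv := NewCard()
	dPub, dPriv := NewCard()
	c := Claim{"patient-001", "provider-001", "office visit"} // constructed IDs
	reg := Registry{c.PatientID: pPub, c.ProviderID: dPub}
	fmt.Println(VerifyClaim(reg, c, SignClaim(pPriv, c), SignClaim(dPriv, c)))
}
```

A claim that names a real patient but is signed with any key other than the one on that patient's card fails the check, as does a claim from a clinic that was never enrolled or one whose treatment was altered after signing.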
The European connection
The use of smart cards in the health care system is not a novel idea. The technology has been used across Europe and has been in place in some countries since the early 1990s.
In February of this year Bulgaria began deploying smart cards from Gemalto to secure access to personal health records for the country’s military personnel and their families. Patients and doctors use the cards to access personal data online allowing access only after both simultaneously insert their cards and enter their PINs.
The personal electronic health record is a complete electronic archive of the patient’s medical history. It stores all existing medical documentation, including laboratory tests and results, X-ray pictures, all visual tests, electronic prescriptions, etc. It also contains the patient’s blood group, allergies, genetic predisposition to diseases, health check ups, and surgical interventions.
The personal electronic health record enables providers to immediately access a patient’s medical data and therefore make more accurate decisions.
Bulgaria is just one country utilizing Gemalto’s smart cards for medical technology advancements. Other countries including France, Germany, Slovenia and Algeria are providing ID cards for two-factor authentication, eliminating the chance for identity theft and implementing safer medical procedures and data storage.
Ramifications of medical identity theft
Authenticating identity and issuing proper credentials is a solid first step in modernizing the U.S. health care system. By taking this step, patients, medical professionals and insurance agencies can benefit from the increased efficiencies and built-in protections provided by a strong identity credential.
Even though the White House is enforcing a zero-tolerance approach to health care fraud, the fraud will continue until the U.S. implements stronger identity management and authentication practices for patients and providers.
About the author
Michael Magrath is business development director for the security division of Gemalto North America. He is responsible for strategic marketing, business development and government affairs activities in the government and health care sectors.