Risk
9/29/2011
08:16 AM
Connect Directly
RSS
E-Mail
50%
50%

Medicare Tests Alternative To Fraud-Fighting Smart Card

Magnetic stripe cards and conventional credit-card terminals may be a less costly way to go.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
The Centers for Medicare and Medicaid Services (CMS) is already looking at an alternative to the smart card system that new Congressional bills are proposing that are designed to fight Medicare fraud. Unlike the system envisioned in this legislation, which would require a new data network dedicated to Medicare, the pilot underway in Indianapolis uses magnetic-stripe cards that can be read by conventional credit-card terminals.

Proponents say that this system, which would verify the identities of providers, patients, and suppliers, would be much cheaper and easier to launch than the dedicated network. Advocates of the smart-card system argue that the credit-card terminal approach is less reliable and uses a technology that will soon be obsolete.

The CMS pilot is being conducted by National Government Services (NGS), a WellPoint unit that is the Part B Medicare carrier for Indiana. The 12-month test, which began in July, focuses on durable medical equipment (DME), but could be expanded to other healthcare products and services if it proves successful.

Providers who voluntarily participate in the pilot swipe a special card through their credit-card readers every time they order DME for their Medicare patients. Suppliers--including entities ranging from small equipment retailers to Walgreens--swipe their NGS cards when they fulfill an order. NGS, which is hooked up to the credit-card network, matches the orders and fulfillments and compares them with DME claims before paying those claims, Paul Marks, director of health information technology for NGS, told InformationWeek Healthcare.

[Which healthcare organizations came out ahead in the IW500 competition? See 10 Healthcare IT Innovators: InformationWeek 500.]

In Marks' view, being able to match the physical locations of the credit-card terminals with the addresses of NGS providers and suppliers should greatly reduce the risk of fraud. Moreover, he said, using the established credit-card network "exponentially reduces the cost of rolling this out, because that's already in place." It took about two months to implement the system for the pilot, he added.

The bipartisan Congressional bills would have CMS adopt a Medicare Common Access Card, similar to a smart card already used by the Department of Defense. Besides swiping this identification card through special terminals, patients and physicians (or their office staff) would have to submit to biometric testing such as fingerprint and iris scans.

Jeff Leston, president of Castleton Advisors, a credit-card processor that is working with NGS on the DME pilot, said this kind of biometric testing is unnecessary and would be prohibitively expensive. He noted that credit-card transactions are date- and time-stamped and include the location of the terminal to confirm that the provider works in the office where the transaction took place. It's possible that somebody other than the patient could use the card, he said, but he doesn't believe that justifies the cost of biometrics.

Kelli Emerick, executive director of the Secure ID Coalition, an industry lobbying group, admitted that stolen or misused cards aren't a big factor in Medicare fraud. "CMS isn't concerned about patients passing around their cards," she said. Nevertheless, she insisted, one-factor authentication (swipe cards only) is not as strong as two-factor validation (swipe cards plus biometrics).

Leston pointed out that installing new card readers in 3 million Medicare provider locations would be very expensive. The Secure ID Coalition has estimated the terminals and the associated infrastructure would cost $19 per beneficiary, or nearly $900 billion for the whole Medicare population. Using credit card terminals and connecting them to Medicare carriers, Leston said, would cost less than 10% of that.

Emerick countered that the financial data network charges steep transaction costs. The network to be built for the Medicare Common Access Card would send data directly to CMS, she said, so it wouldn't incur third-party transaction fees.

A Wellpoint spokesperson said that the company is concerned about the transaction costs and will track them during the pilot, weighing them against the value of the data in fighting fraud. "Our expectation is that the ability to capture point-of-sale, point-of-interaction data will outweigh the transaction fees."

Emerick also observed that the mag stripe card being used in the NGS test is an outdated technology. Most advanced countries use smart cards with chips imbedded in them for financial transactions, she said, and Visa and Mastercard are preparing to introduce them in the U.S. over the next few years. In fact, Visa did announce last month that, partly to combat fraud, it expects most U.S. merchants to install terminals that can read smart cards by 2015.

But Marks is unconcerned about this switchover because he said the credit card companies and banks will continue to use the same financial data network. "We want to use the infrastructure that's in place, knowing that as the infrastructure improves, our ability [to fight fraud] will get better as well."

Eventually, if the pilot is successful, he said NGS would like to see similar swipe cards issued to Medicare beneficiaries and used for all physician services. "The pilot for physicians is limited to the DME swipes, but we're proving we can gather this information," Marks noted. "The real power of this is to get to some mag stripe or chip card for beneficiaries. That would make it a lot easier to roll out because then the patient would have the card and could swipe it wherever they are."

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio