Risk
9/29/2011
08:16 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Medicare Tests Alternative To Fraud-Fighting Smart Card

Magnetic stripe cards and conventional credit-card terminals may be a less costly way to go.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
The Centers for Medicare and Medicaid Services (CMS) is already looking at an alternative to the smart card system that new Congressional bills are proposing that are designed to fight Medicare fraud. Unlike the system envisioned in this legislation, which would require a new data network dedicated to Medicare, the pilot underway in Indianapolis uses magnetic-stripe cards that can be read by conventional credit-card terminals.

Proponents say that this system, which would verify the identities of providers, patients, and suppliers, would be much cheaper and easier to launch than the dedicated network. Advocates of the smart-card system argue that the credit-card terminal approach is less reliable and uses a technology that will soon be obsolete.

The CMS pilot is being conducted by National Government Services (NGS), a WellPoint unit that is the Part B Medicare carrier for Indiana. The 12-month test, which began in July, focuses on durable medical equipment (DME), but could be expanded to other healthcare products and services if it proves successful.

Providers who voluntarily participate in the pilot swipe a special card through their credit-card readers every time they order DME for their Medicare patients. Suppliers--including entities ranging from small equipment retailers to Walgreens--swipe their NGS cards when they fulfill an order. NGS, which is hooked up to the credit-card network, matches the orders and fulfillments and compares them with DME claims before paying those claims, Paul Marks, director of health information technology for NGS, told InformationWeek Healthcare.

[Which healthcare organizations came out ahead in the IW500 competition? See 10 Healthcare IT Innovators: InformationWeek 500.]

In Marks' view, being able to match the physical locations of the credit-card terminals with the addresses of NGS providers and suppliers should greatly reduce the risk of fraud. Moreover, he said, using the established credit-card network "exponentially reduces the cost of rolling this out, because that's already in place." It took about two months to implement the system for the pilot, he added.

The bipartisan Congressional bills would have CMS adopt a Medicare Common Access Card, similar to a smart card already used by the Department of Defense. Besides swiping this identification card through special terminals, patients and physicians (or their office staff) would have to submit to biometric testing such as fingerprint and iris scans.

Jeff Leston, president of Castleton Advisors, a credit-card processor that is working with NGS on the DME pilot, said this kind of biometric testing is unnecessary and would be prohibitively expensive. He noted that credit-card transactions are date- and time-stamped and include the location of the terminal to confirm that the provider works in the office where the transaction took place. It's possible that somebody other than the patient could use the card, he said, but he doesn't believe that justifies the cost of biometrics.

Kelli Emerick, executive director of the Secure ID Coalition, an industry lobbying group, admitted that stolen or misused cards aren't a big factor in Medicare fraud. "CMS isn't concerned about patients passing around their cards," she said. Nevertheless, she insisted, one-factor authentication (swipe cards only) is not as strong as two-factor validation (swipe cards plus biometrics).

Leston pointed out that installing new card readers in 3 million Medicare provider locations would be very expensive. The Secure ID Coalition has estimated the terminals and the associated infrastructure would cost $19 per beneficiary, or nearly $900 billion for the whole Medicare population. Using credit card terminals and connecting them to Medicare carriers, Leston said, would cost less than 10% of that.

Emerick countered that the financial data network charges steep transaction costs. The network to be built for the Medicare Common Access Card would send data directly to CMS, she said, so it wouldn't incur third-party transaction fees.

A Wellpoint spokesperson said that the company is concerned about the transaction costs and will track them during the pilot, weighing them against the value of the data in fighting fraud. "Our expectation is that the ability to capture point-of-sale, point-of-interaction data will outweigh the transaction fees."

Emerick also observed that the mag stripe card being used in the NGS test is an outdated technology. Most advanced countries use smart cards with chips imbedded in them for financial transactions, she said, and Visa and Mastercard are preparing to introduce them in the U.S. over the next few years. In fact, Visa did announce last month that, partly to combat fraud, it expects most U.S. merchants to install terminals that can read smart cards by 2015.

But Marks is unconcerned about this switchover because he said the credit card companies and banks will continue to use the same financial data network. "We want to use the infrastructure that's in place, knowing that as the infrastructure improves, our ability [to fight fraud] will get better as well."

Eventually, if the pilot is successful, he said NGS would like to see similar swipe cards issued to Medicare beneficiaries and used for all physician services. "The pilot for physicians is limited to the DME swipes, but we're proving we can gather this information," Marks noted. "The real power of this is to get to some mag stripe or chip card for beneficiaries. That would make it a lot easier to roll out because then the patient would have the card and could swipe it wherever they are."

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web