9/29/2011
08:16 AM

Medicare Tests Alternative To Fraud-Fighting Smart Card

Magnetic stripe cards and conventional credit-card terminals may be a less costly way to go.

The Centers for Medicare and Medicaid Services (CMS) is already looking at an alternative to the smart card system proposed in new Congressional bills designed to fight Medicare fraud. Unlike the system envisioned in this legislation, which would require a new data network dedicated to Medicare, the pilot underway in Indianapolis uses magnetic-stripe cards that can be read by conventional credit-card terminals.

Proponents say that this system, which would verify the identities of providers, patients, and suppliers, would be much cheaper and easier to launch than the dedicated network. Advocates of the smart-card system argue that the credit-card terminal approach is less reliable and uses a technology that will soon be obsolete.

The CMS pilot is being conducted by National Government Services (NGS), a WellPoint unit that is the Part B Medicare carrier for Indiana. The 12-month test, which began in July, focuses on durable medical equipment (DME), but could be expanded to other healthcare products and services if it proves successful.

Providers who voluntarily participate in the pilot swipe a special card through their credit-card readers every time they order DME for their Medicare patients. Suppliers--including entities ranging from small equipment retailers to Walgreens--swipe their NGS cards when they fulfill an order. NGS, which is hooked up to the credit-card network, matches the orders and fulfillments and compares them with DME claims before paying those claims, Paul Marks, director of health information technology for NGS, told InformationWeek Healthcare.

In Marks' view, being able to match the physical locations of the credit-card terminals with the addresses of NGS providers and suppliers should greatly reduce the risk of fraud. Moreover, he said, using the established credit-card network "exponentially reduces the cost of rolling this out, because that's already in place." It took about two months to implement the system for the pilot, he added.

The bipartisan Congressional bills would have CMS adopt a Medicare Common Access Card, similar to a smart card already used by the Department of Defense. Besides swiping this identification card through special terminals, patients and physicians (or their office staff) would have to submit to biometric testing such as fingerprint and iris scans.

Jeff Leston, president of Castleton Advisors, a credit-card processor that is working with NGS on the DME pilot, said this kind of biometric testing is unnecessary and would be prohibitively expensive. He noted that credit-card transactions are date- and time-stamped and include the location of the terminal to confirm that the provider works in the office where the transaction took place. It's possible that somebody other than the patient could use the card, he said, but he doesn't believe that justifies the cost of biometrics.

Kelli Emerick, executive director of the Secure ID Coalition, an industry lobbying group, admitted that stolen or misused cards aren't a big factor in Medicare fraud. "CMS isn't concerned about patients passing around their cards," she said. Nevertheless, she insisted, one-factor authentication (swipe cards only) is not as strong as two-factor validation (swipe cards plus biometrics).

Leston pointed out that installing new card readers in 3 million Medicare provider locations would be very expensive. The Secure ID Coalition has estimated the terminals and the associated infrastructure would cost $19 per beneficiary, or nearly $900 billion for the whole Medicare population. Using credit card terminals and connecting them to Medicare carriers, Leston said, would cost less than 10% of that.

Emerick countered that the financial data network charges steep transaction costs. The network to be built for the Medicare Common Access Card would send data directly to CMS, she said, so it wouldn't incur third-party transaction fees.

A WellPoint spokesperson said that the company is concerned about the transaction costs and will track them during the pilot, weighing them against the value of the data in fighting fraud. "Our expectation is that the ability to capture point-of-sale, point-of-interaction data will outweigh the transaction fees."

Emerick also observed that the mag stripe card being used in the NGS test is an outdated technology. Most advanced countries use smart cards with chips embedded in them for financial transactions, she said, and Visa and Mastercard are preparing to introduce them in the U.S. over the next few years. In fact, Visa did announce last month that, partly to combat fraud, it expects most U.S. merchants to install terminals that can read smart cards by 2015.

But Marks is unconcerned about this switchover because he said the credit card companies and banks will continue to use the same financial data network. "We want to use the infrastructure that's in place, knowing that as the infrastructure improves, our ability [to fight fraud] will get better as well."

Eventually, if the pilot is successful, he said NGS would like to see similar swipe cards issued to Medicare beneficiaries and used for all physician services. "The pilot for physicians is limited to the DME swipes, but we're proving we can gather this information," Marks noted. "The real power of this is to get to some mag stripe or chip card for beneficiaries. That would make it a lot easier to roll out because then the patient would have the card and could swipe it wherever they are."
