Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

9/29/2011
08:16 AM

Medicare Tests Alternative To Fraud-Fighting Smart Card

Magnetic stripe cards and conventional credit-card terminals may be a less costly way to go.

The Centers for Medicare and Medicaid Services (CMS) is already looking at an alternative to the smart card system proposed in new Congressional bills designed to fight Medicare fraud. Unlike the system envisioned in this legislation, which would require a new data network dedicated to Medicare, the pilot underway in Indianapolis uses magnetic-stripe cards that can be read by conventional credit-card terminals.

Proponents say that this system, which would verify the identities of providers, patients, and suppliers, would be much cheaper and easier to launch than the dedicated network. Advocates of the smart-card system argue that the credit-card terminal approach is less reliable and uses a technology that will soon be obsolete.

The CMS pilot is being conducted by National Government Services (NGS), a WellPoint unit that is the Part B Medicare carrier for Indiana. The 12-month test, which began in July, focuses on durable medical equipment (DME), but could be expanded to other healthcare products and services if it proves successful.

Providers who voluntarily participate in the pilot swipe a special card through their credit-card readers every time they order DME for their Medicare patients. Suppliers--including entities ranging from small equipment retailers to Walgreens--swipe their NGS cards when they fulfill an order. NGS, which is hooked up to the credit-card network, matches the orders and fulfillments and compares them with DME claims before paying those claims, Paul Marks, director of health information technology for NGS, told InformationWeek Healthcare.


In Marks' view, being able to match the physical locations of the credit-card terminals with the addresses of NGS providers and suppliers should greatly reduce the risk of fraud. Moreover, he said, using the established credit-card network "exponentially reduces the cost of rolling this out, because that's already in place." It took about two months to implement the system for the pilot, he added.

The bipartisan Congressional bills would have CMS adopt a Medicare Common Access Card, similar to a smart card already used by the Department of Defense. Besides swiping this identification card through special terminals, patients and physicians (or their office staff) would have to submit to biometric testing such as fingerprint and iris scans.

Jeff Leston, president of Castleton Advisors, a credit-card processor that is working with NGS on the DME pilot, said this kind of biometric testing is unnecessary and would be prohibitively expensive. He noted that credit-card transactions are date- and time-stamped and include the location of the terminal to confirm that the provider works in the office where the transaction took place. It's possible that somebody other than the patient could use the card, he said, but he doesn't believe that justifies the cost of biometrics.

Kelli Emerick, executive director of the Secure ID Coalition, an industry lobbying group, admitted that stolen or misused cards aren't a big factor in Medicare fraud. "CMS isn't concerned about patients passing around their cards," she said. Nevertheless, she insisted, one-factor authentication (swipe cards only) is not as strong as two-factor validation (swipe cards plus biometrics).

Leston pointed out that installing new card readers in 3 million Medicare provider locations would be very expensive. The Secure ID Coalition has estimated the terminals and the associated infrastructure would cost $19 per beneficiary, or nearly $900 billion for the whole Medicare population. Using credit card terminals and connecting them to Medicare carriers, Leston said, would cost less than 10% of that.

Emerick countered that the financial data network charges steep transaction costs. The network to be built for the Medicare Common Access Card would send data directly to CMS, she said, so it wouldn't incur third-party transaction fees.

A WellPoint spokesperson said that the company is concerned about the transaction costs and will track them during the pilot, weighing them against the value of the data in fighting fraud. "Our expectation is that the ability to capture point-of-sale, point-of-interaction data will outweigh the transaction fees."

Emerick also observed that the mag stripe card being used in the NGS test is an outdated technology. Most advanced countries use smart cards with chips imbedded in them for financial transactions, she said, and Visa and Mastercard are preparing to introduce them in the U.S. over the next few years. In fact, Visa did announce last month that, partly to combat fraud, it expects most U.S. merchants to install terminals that can read smart cards by 2015.

But Marks is unconcerned about this switchover because he said the credit card companies and banks will continue to use the same financial data network. "We want to use the infrastructure that's in place, knowing that as the infrastructure improves, our ability [to fight fraud] will get better as well."

Eventually, if the pilot is successful, he said NGS would like to see similar swipe cards issued to Medicare beneficiaries and used for all physician services. "The pilot for physicians is limited to the DME swipes, but we're proving we can gather this information," Marks noted. "The real power of this is to get to some mag stripe or chip card for beneficiaries. That would make it a lot easier to roll out because then the patient would have the card and could swipe it wherever they are."
