Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/29/2011
08:16 AM
50%
50%

Medicare Tests Alternative To Fraud-Fighting Smart Card

Magnetic stripe cards and conventional credit-card terminals may be a less costly way to go.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
The Centers for Medicare and Medicaid Services (CMS) is already looking at an alternative to the smart card system that new Congressional bills are proposing that are designed to fight Medicare fraud. Unlike the system envisioned in this legislation, which would require a new data network dedicated to Medicare, the pilot underway in Indianapolis uses magnetic-stripe cards that can be read by conventional credit-card terminals.

Proponents say that this system, which would verify the identities of providers, patients, and suppliers, would be much cheaper and easier to launch than the dedicated network. Advocates of the smart-card system argue that the credit-card terminal approach is less reliable and uses a technology that will soon be obsolete.

The CMS pilot is being conducted by National Government Services (NGS), a WellPoint unit that is the Part B Medicare carrier for Indiana. The 12-month test, which began in July, focuses on durable medical equipment (DME), but could be expanded to other healthcare products and services if it proves successful.

Providers who voluntarily participate in the pilot swipe a special card through their credit-card readers every time they order DME for their Medicare patients. Suppliers--including entities ranging from small equipment retailers to Walgreens--swipe their NGS cards when they fulfill an order. NGS, which is hooked up to the credit-card network, matches the orders and fulfillments and compares them with DME claims before paying those claims, Paul Marks, director of health information technology for NGS, told InformationWeek Healthcare.

[Which healthcare organizations came out ahead in the IW500 competition? See 10 Healthcare IT Innovators: InformationWeek 500.]

In Marks' view, being able to match the physical locations of the credit-card terminals with the addresses of NGS providers and suppliers should greatly reduce the risk of fraud. Moreover, he said, using the established credit-card network "exponentially reduces the cost of rolling this out, because that's already in place." It took about two months to implement the system for the pilot, he added.

The bipartisan Congressional bills would have CMS adopt a Medicare Common Access Card, similar to a smart card already used by the Department of Defense. Besides swiping this identification card through special terminals, patients and physicians (or their office staff) would have to submit to biometric testing such as fingerprint and iris scans.

Jeff Leston, president of Castleton Advisors, a credit-card processor that is working with NGS on the DME pilot, said this kind of biometric testing is unnecessary and would be prohibitively expensive. He noted that credit-card transactions are date- and time-stamped and include the location of the terminal to confirm that the provider works in the office where the transaction took place. It's possible that somebody other than the patient could use the card, he said, but he doesn't believe that justifies the cost of biometrics.

Kelli Emerick, executive director of the Secure ID Coalition, an industry lobbying group, admitted that stolen or misused cards aren't a big factor in Medicare fraud. "CMS isn't concerned about patients passing around their cards," she said. Nevertheless, she insisted, one-factor authentication (swipe cards only) is not as strong as two-factor validation (swipe cards plus biometrics).

Leston pointed out that installing new card readers in 3 million Medicare provider locations would be very expensive. The Secure ID Coalition has estimated the terminals and the associated infrastructure would cost $19 per beneficiary, or nearly $900 billion for the whole Medicare population. Using credit card terminals and connecting them to Medicare carriers, Leston said, would cost less than 10% of that.

Emerick countered that the financial data network charges steep transaction costs. The network to be built for the Medicare Common Access Card would send data directly to CMS, she said, so it wouldn't incur third-party transaction fees.

A Wellpoint spokesperson said that the company is concerned about the transaction costs and will track them during the pilot, weighing them against the value of the data in fighting fraud. "Our expectation is that the ability to capture point-of-sale, point-of-interaction data will outweigh the transaction fees."

Emerick also observed that the mag stripe card being used in the NGS test is an outdated technology. Most advanced countries use smart cards with chips imbedded in them for financial transactions, she said, and Visa and Mastercard are preparing to introduce them in the U.S. over the next few years. In fact, Visa did announce last month that, partly to combat fraud, it expects most U.S. merchants to install terminals that can read smart cards by 2015.

But Marks is unconcerned about this switchover because he said the credit card companies and banks will continue to use the same financial data network. "We want to use the infrastructure that's in place, knowing that as the infrastructure improves, our ability [to fight fraud] will get better as well."

Eventually, if the pilot is successful, he said NGS would like to see similar swipe cards issued to Medicare beneficiaries and used for all physician services. "The pilot for physicians is limited to the DME swipes, but we're proving we can gather this information," Marks noted. "The real power of this is to get to some mag stripe or chip card for beneficiaries. That would make it a lot easier to roll out because then the patient would have the card and could swipe it wherever they are."

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.