Healthcare: The Benefits of a Federated Identity

From better care to stopping fraud, the case for a standardized way to recognize people in the healthcare setting is the key to a secure environment

A common theme of fraud is found among all public- and private-sector stakeholders — but especially in its relation to Medicare and Medicaid claims. The current model is often referred to as “pay and chase” because the typical procedure for the government is to pay a bill and see if an anomaly turns up later. The tools for spotting anomalies are very poor and because they happen on such a large scale, keeping pace becomes a losing battle.

Criminals have figured out how bad it is. They can buy lists of stolen patient identities off the black market, steal or forge a doctor’s prescription pad, and start billing as much as they can in fake procedures, prescriptions and equipment. This goes on for a month or two since, for example, Medicare’s policy is to pay within 15 to 30 days of any claim. After racking up millions of dollars in fraudulent income and by the time an investigator arrives, the criminals are long gone and an empty shell is all that remains.

Fraud on this type of scale is alarmingly easy and low-risk. All a criminal needs to execute fake claims are four pieces of patient information, such as name, social security number, address, date of birth, and of course know that the stolen identity is legitimately covered under the Medicare program.

How big is the problem? In 2012, a RAND Corp. analyst and former CMS administrator estimated that fraud and abuse cost Medicare and Medicaid as much as $98 billion in 2011. There has been talk of hiring more investigators to attempt to curb the losses; however, it would make more sense to invest in transforming the legacy paper-based identification model to align with the electronic medical record model we have already chosen. If done correctly, it would decimate fraud incidents before they happen, have a much stronger digital trail for the few that do, and get a grasp on metrics that help correlate information at the time of care — when it really matters.


Stronger Identity means Stronger Cards and Protection

A digitally trusted identity ecosystem for federating medical data can be leveraged to issue identification cards that are more secure, smarter and useful. As we all know, patients and plan beneficiaries are already issued cards — flimsy paper or plastic things that display static data that could be used for fraudulent activity and don’t serve much other purpose. In the technical evolutionary scale, they are on par with identification that was issued in the 1950s.

By leveraging a smart card that has a purpose-built secure microprocessor chip, it can prevent displaying static information to unauthorized persons, while holding the patient’s latest CCD (Continuity of Care Document) and optional data. This would empower providers to have access to allergies, history, procedures, immunizations, and so on, even if their system is not connected to an HIE or the patient is not conscious.

This means instant accurate information — right when it is needed without going through paperwork, phone calls and being a detective before applying care. A CISO of a state Medicaid agency recently told me that he is looking at smart cards as a portable DR (disaster recovery) platform to deal with emergency scenarios where paper records are otherwise not accessible or gone entirely.

The stronger cards could also be applied to the healthcare workers themselves. Doctors and administrators would be able to securely identify themselves while performing procedures at the time of treatment to eliminate “phantom” and excessive billing. The DEA already requires strong authentication procedures for Electronically Prescribed Controlled Substances (EPCS), and these smart cards could be a suitable fit with some modifications. The federal government already has mature identity, security and other identification standards such as FIPS 201; however, these standards would need to be modified to suit the needs of the healthcare industry.

The digital evolution can also play a role here, as the smart authentication already exists in most smartphones. Other form factors are also possible — including watches, inpatient bracelets and others.


Barriers to Adoption

While all the above makes perfect sense, there are still barriers to immediately implementing a strong federated healthcare identity system. Here are a couple of the challenges: