Let’s take a look at the state of the Medicare nation. We’ll see that Medicare fraudsters operate in much the same way as fraudsters in any other industry, the only real difference being that targeting Medicare is much more lucrative. What is clear is that criminals in the insurance industry leave no stone unturned under which they may find some loot. In addition, Medicare security is paltry, so the agency is open to waste, abuse and fraud; fewer than 5% of Medicare claims are audited. It’s not all doom and gloom. Cybersecurity experts agree that employee awareness training can help. In a Forbes article, InfoSec Institute’s president Jack Koziol says that employee awareness retention rates are almost doubled 12 months after a simulation program is implemented, at 40% instead of 20%. In other words, telling employees about phishing is not half as effective as showing them how scams work. InfoSec Institute’s PhishSim is a free phishing simulator that you sign up for and send simulated phishing emails. It’s a good way to see just how phishing aware your employees really are. As we’ll see, the audacious variations in the types of attacks fraudsters think up means that it’s an ongoing risk and employees need to be kept on their toes. Phishing simulation can do just that. But, back to Medicare: why does it have such a fatal attraction for cyber-criminals? Types of Medicare Fraud Medicare fraud generally involves health care reimbursement under false pretenses. Wikipedia succinctly identifies three main types of Medicare fraud:
Phantom billing: Medical service providers are paid by Medicare based on a series of billing codes that are designed to reflect the complexity of the treatments delivered and the time required. In this type of fraud, the medical provider bills Medicare for unnecessary procedures, medical tests, or equipment or for those that were never provided. Patient billing: A patient who is in on a scam provides his or her Medicare number in exchange for kickbacks and lies to Medicare about the non-existent services they received. Upcoding scheme and unbundling: Providers inflate bills by using a billing code that indicates the patient needs more expensive procedures that they need and/ or actually receive.
But the criminals don’t stop there. Athens Review identifies a host of knock-on scams in the medical industry:
Identity theft, particularly of vulnerable seniors; The sale of counterfeit prescription drugs; Extortion of money in lieu of phantom debts, e.g., from families of a deceased person; Fake, unnecessary and unproven cures, e.g. homeopathic remedies; Phone and internet phishing scams; Health insurance pyramid schemes.
Why Criminals Target Medicare Medicare was originally set up to assist honest doctors who helped the needy with medical services and was based on the “honor system.” A provider, e.g., an ambulance company, hospice, physiotherapy business, etc., sends in a bill and Medicare sends them a check. Sure, there are checks and balances but, by its very nature, the system is open to fraud and abuse. For instance, Medicare officials don’t generally review billing codes before reimbursing providers. In addition, Medicare doesn’t have strict standards in place as to how providers must use codes. The result is that providers take advantage of the intrinsic vulnerabilities in the Medicare system. According to Dr. Donald M. Berwick, a past CMS administrator: “If you create a payment system in which there is a premium for increasing the number of things you do or the recording of what you do, well, that’s what you’ll get.” Maria Perrin of Gide Public Affairs argues the reasons Medicare and Medicaid are so vulnerable is because:
For criminals, government healthcare has a better risk-reward profile than dealing in illegal drugs or credit card fraud; Sheer volume makes it difficult to audit most claims; Recipient populations can be transient and more susceptible to fraud schemes. And this is where cyber-security awareness training comes in, as an integral part of a larger company security strategy.
In addition, the administration of Medicare is resource-hungry. Every month alone, some 45,000 new providers, from doctors to physical therapists, apply to enroll in Medicare. It seems inevitable that implementing better security takes a back seat to the rigors of the day-to-day administration of the fund. Costs of Medicare Fraud
Nobody really knows how much Medicare fraud really costs the country but some estimates put the total Other, more conservative (government), estimates fix that figure at $60 Billion. Is that a drop in the ocean compared to the As the Washington Post notes, pursuing some Medicare fraud, like inflated billing, may be counterproductive. While average overcharge costs Medicare about USD43, according to federal estimates, reviewing a medical claim costs the government as much as USD30 to USD55. The cost of fraud has permeated every level of medical care. In fact, Medicare pays more to ambulance companies (around $5 Billion a year) than to cancer doctors, and much of it goes into the pockets of fraudsters. The Centers for Medicare and Medicaid Services (CMS) and the Justice Department have identified ambulance services as having one of the highest rates of Medicare fraud. How do they do it? One sneaky way is to bill Medicare for taking dialysis patients for their twice-weekly hospital visit. In reality, a lot of these apparently bedridden patients happily drive themselves to hospital every week but the ambulance companies fake the paperwork and conceivably pay kickbacks to unscrupulous patients.
insurancefraud.org cites some chilling statistics: false claims against federal healthcare programs such as Medicare and Medicaid accounted for $2.3 Billion of the record $5.69 Billion the U.S. Department of Justice obtained in settlements and judgments from civil cases involving fraud and false claims against the government in 2014.
The going price for a Medicare or Medicaid record on the Dark Web is around USD500. Experts estimate the price of health care records is up to ten times the price of credit card numbers on the black market.
Research from Aberdeen Group and Wombat Security shows that security awareness training can reduce cyber-security risks by between 45 and 70 percent. Before organizations bemoan the cost of training, they need to consider how these figures can translate into a significant dollar ROI. Making news headlines
In mid-2016, the Justice Department uncovered what it says is the biggest Medicare fraud ever, a South Florida scheme that defrauded $1 Billion from the government program for the elderly and disabled. Author Carl Hiaasen, author of Razor Girl and other deranged satires usually involving a host of nefarious characters who spend their time cooking up ways to crook the books, says of his beloved Florida: “We have such insurance fraud in general and Medicare in particular, so there’s no shortage of manpower if you want to launch a scam … It’s amazing what people will do, the amount of enterprise that goes into a crime. If only they could have redirected that energy to something productive.” Again in mid-2016, the Medicare Fraud Strike Forces announced that they arrested 301 people in what is believed to be the biggest fraud bust in history. The accused were charged with submitting a total of approximately USD900 million in fraudulent billing, including submitting claims to Medicare and Medicaid for treatments that were medically unnecessary and often never provided, and identify theft. Kindred Healthcare, the country’s largest provider of post-acute care, in 2016 had to cough up more than USD3 million for failing to comply with a Medicare fraud resolution agreement. It is apparently the largest penalty ever doled out by the Office of the Inspector General for violation of a corporate integrity agreement (CIA). Kindred Healthcare was somewhat unfortunate in backing the wrong horse. It had acquired Gentiva Healthcare in 2015, a company that owned Odyssey Healthcare. Odyssey Healthcare was in 2012 accused of improperly billing Medicare for home health services that were either medically unnecessary or never provided for and had to pay USD25 million to the government as well as sign the aforementioned CIA. But Kindred did not keep to the terms of its inheritance and apparently continued to bill Medicare for hospice services for patients who were either ineligible or who were ineligible for the highest level and highest paid hospice services. In a bizarre Pittsburgh case, Horizons Hospice chief operating officer Mary Ann Stewart was indicted for false enrolments of people who weren’t really dying. Prosecutors apparently said she actively pressured her employees to recruit anyone they could find, even people at bus stops. Hospice care became a Medicare benefit in 1983 for people with terminal conditions who had less than six months to live, and unscrupulous hospices didn’t take long to try to pinch that golden egg.
These examples highlight not only a lack of security awareness but either a lack of resources or the will to police claims. It’s a vicious circle: Fraud and abuse drain Medicare of the funds necessary to bolster security initiatives. Effective cyber-security programs require a commitment on the part of organizations to institute a secure cyber-culture at all employee levels, including senior management, line managers and security officers. But it’s not always easy. Employees often don’t understand the risks, adopting an “it won’t happen to me” attitude. Senior managers believe it is someone else’s responsibility (like the security department) to do something about the problem. Non-management staff members believe they are too small fry to be a target. The security department believes they’ve “seen it all” and are not at risk. Gamifying security training, e.g., by using simulation programs, is a power tool to keep everyone on their toes … and make it fun; after all, everyone likes playing games. The Failure of the Fraud Prevention System Over the past five years, the CMS has implemented a Fraud Prevention System (FPS) using big data and predictive analytics to fight the scourge of fraud in the Medicare fee-for-service program. Since its inception in 2011, the FPS has been running sophisticated analytics on 4.5 million Medicare claims every day, resulting in what it calls a significant increase in the identification of fraud. According to Modern Health Care, since the beginning of the program, over $1.5 Billion in inappropriate payments has been identified by the system through new leads or contributions to existing investigations. For instance, the system found a radiologist billing Medicare for care he never provided and detected a chiropractor who was filing claims for more patients than he could possibly see in a day. It sounds good, so why are some experts adamant that this approach isn’t working? An in-depth article titled by Joe Eaton is a good read in its entirety, but let’s look at what light Eaton can throw on why fraudsters keep slipping through the net. Peter Roskam, a Republican congressman from Illinois, was the father of CMC’s big data solution. His idea was that Medicare should use the same digital-age tools as credit card companies so successfully do. As John Eaton explains, “Like Visa, Medicare collects mountains of data from processed claims. Visa’s algorithms know to deny purchases in Zimbabwe when the card’s owner lives in Wyoming; the idea was that a similar system for Medicare should be able to spot and deny bad Medicare claims.” Things didn’t work out as planned. And here’s the nub of the matter: “And the main reason is likely not that the federal government doesn’t have the technical skills to add Big Data to its enforcement tool kit. It’s because the government does not want to anger doctors by increasing scrutiny of their billing.” Looking at a 2014 report by the Department of Health and Human Services Office of the Inspector General on the big data/ predictive analytics program, Eaton notes that: “The numbers sound impressive, but they’re a drop in the bucket considering the tens of billions of dollars criminals take from the program each year. And shutting down claims before they are paid, like Visa, rarely happens. Only USD19.4 million was stopped through software instructions that deny or suspend all or part of a claim, according to the report. By contrast, almost USD30 million of the system’s savings came from ‘pay-and-chase’ recoveries and law enforcement referrals.” Shenanigans in the medical insurance industry play out like an international espionage novel. Russian and Armenian crime syndicates have been linked to the growing network of counterfeit drugs that plague Medicare operations. Eaton quotes Sergeant Steve Opferman of the Los Angeles County Sheriff’s Department, an experienced medical fraud investigator: “Fighting fraud with law enforcement is like ’dipping a net in a river’ — you may catch one big fish but thousands of little fish pass through.” According to Malcolm Sparrow, a Harvard fraud expert, the problem lies not with the computer algorithms used to detect fraud, but with the inability of CMS to cope with the sheer volume of false claims and “turn off the spigot of cash.” In short, it is not enough to rely on computer algorithms. The human antenna is a powerful tool that can be sharpened by cyber-security training programs, helping employees to be aware of potential fraud and mitigate the “battering ram” of fraudulent activity, an approach that criminals often use to dull people’s natural instinct to “smell a rat.” Direct Messaging The Electronic Submission of Medical Documentation, or esMD, was introduced in 2011 by CMS to eliminate the use of fax and snail mail for prior authorizations and provide a secure channel of communication. But the Department of Health and Human Services has been slow to implement government recommendations to help reduce billing fraud related to electronic health records (EHRs). The primary loophole in the system is the technology’s copy-and-paste functionality, which allows fraudsters to rewrite EHRs to suit their own agenda by copying and pasting false digitized documentation to support billing for extra and/ or costlier services. Meet Health Information Exchange’s (HIE) direct messaging program, introduced by DirectTrust. The system enables providers to communicate more easily with Medicare. Both parties have a direct address, which is simply a secure healthcare email address. Instead of the email server being maintained for the addressees/ subscribers by an employer or by an email provider like Google or Yahoo, an agent known as a health internet service provider (HISP) handles the email exchanges. The company says that direct messaging offers a clear path whereby providers, health information handlers (HIHs) and CMS can be connected under the DirectTrust umbrella, eliminating contractual barriers and compelling all vendors to exchange information with each other securely, efficiently, and in real time under the DirectTrust standards and framework. DirectTrust has more than 40,000 health care organizations and nearly a million individual end-points capable of exchange and is one of the most successful interoperability backbones in the medical insurance industry. David Kibbe, MD MBA/DirectTrust President and CEO, says that the growth of the healthcare industry has largely occurred because it has not been required to produce value. Talking about the need for healthcare providers to collaborate, he says that when everything is electronic, you can’t collaborate without health data interoperability. If you don’t have ways of communicating, everything gets really expensive really fast. The problem is that “Providers want to keep their information at the enterprise level – they don’t want it to get out.” If this is indeed the case, it means that fraudsters can operate more freely in a non-transparent environment, which is exactly what they seem to be doing. It’s not security technology that is failing, but the use of it. Predictive analytics and big data are simply tools. If you’re obese, you smoke and drink heavily, and don’t do exercise, you run a high risk of suffering a stroke or heart attack. Identifying you as a high risk is useful but you have to change your behavior, which is easier said than done. Similarly, when it comes to Medicare fraud, identifying fraudsters is one thing; hauling them in is another. It comes back to reality: pay-and-chase, as Joe Eaton noted, nets more fraudsters than CMS’s Visa approach. Criminals Always Spot the Loopholes As fast as authorities crack down on medical insurance fraud, another variation appears. In 2015 a podiatrist, his wife, and the CEO of Chicago-based healthcare firm Aggeus Healthcare were indicted in connection with an alleged Medicare fraud scam involving an electronic medical records system deliberately configured to submit false billing claims for services that patients didn’t receive or need. What is interesting about the case is that it’s one of the few detected that involves deliberate configuration of a patient records system to submit false claims. The case again highlights the need for employees to undergo regular security awareness training to keep up to date with new types of scams. Fraudsters rely on complacency for a steady stream of ill-gotten income. How Individuals Can Avoid Medicare Scams The stopmedicarefraud.gov website has some useful tips to help individuals avoid being scammed. Be suspicious of medical practitioners who:
Ask for your Medicare number in exchange for free goods or services; Tell you that tests become cheaper the more that are provided; Use door-to-door selling techniques; Bill Medicare for services you never received or a diagnosis you do not have; Offer non-medical transportation or housekeeping as Medicare-approved services; Bill home health services for you when you’re not confined to your home, or if you still drive a car; Bill Medicare for a power wheelchair or scooter when you don’t meet Medicare’s qualifications.
Conclusion With the increase in new technologies, data, and computing devices in the modern world, come new ways to commit fraud. The medical industry is an irresistible target, with the theft of personal information more profitable than drug trafficking on the black market, and the value of medical patient data the ultimate prize. In 2015 the CMS was inundated with spearphishing emails designed to steal agency users’ passwords. A few laptops contracted malware when employees clicked on the messages and unwittingly entered their passwords. To counteract the threat of phishing, the CMS has introduced voluntary data guardians at its offices. Their role is to train employees on security protocols and ensure that they collect only a minimum amount of personal information on citizens. The agency reported that 99 percent of its staff does not click on links anymore. For its part, the information security department at Lawrence General Hospital in Massachusetts has successfully used fake phishing emails as part of a training program to educate employees about cyber-security. Fake phishing can be used to identify employees who need to be re-trained. If an employee opens three fake phishing emails at the hospital, they have to undergo security re-training. Learn more about Medicare fraud and employee security training at the InfoSec Institute and check out their free phish.io simulation program. They also offer interactive training and intensive certificate courses for security professionals.