What a difference a couple of months of pandemic makes.
Before COVID-19, the United States telehealth market was estimated at about $3 billion with 11% of consumers using telehealth in 2019. Fast forward to pandemic-plagued 2020, the telehealth market is poised to grow to $250 billion with 46% of consumers now using telehealth, according to McKinsey & Company. McKinsey also found that 76% of consumers are highly or moderately likely to use telehealth in the future and 74% of people who had used telehealth reported high satisfaction.
Unfortunately, these benefits are being offset by a variety of fraud schemes.
Healthcare fraud in the US is approaching $300 billion annually (of which the Department of Justice recovered $2.6 billion in 2019). This article will review three emerging categories of fraud and outline a few best practices that can help protect telehealth.
The Department of Health & Human Services and the Centers for Medicare & Medicaid Services eased their telehealth requirements to serve more patients during the pandemic. But this could inadvertently unleash a wave of billing fraud and risk patient safety.
“There are unscrupulous providers out there, and they have much greater reach with telehealth,” Mike Cohen, an HHS operations officer in the Inspector General’s Office, told reporters in April. “Just a few can do a whole lot of damage.”
Some of the types of provider fraud expected to spike include:
Genuine patient information is used to fabricate entire claims or legitimate claims are padded with charges for procedures or services that did not take place.
Upcoding: Billing for more expensive services or procedures than were actually provided or performed, which often requires the accompanying “inflation” of the patient’s diagnosis code to a more serious condition consistent with the false procedure code.
Bogus claims: Some of the largest recent Medicare fraud cases have implicated providers making fraudulent claims, often for bogus testing, unnecessary medications, or unwanted medical equipment. Recently, a San Diego doctor was arrested for allegedly marketing packages of drugs that he said could provide six weeks of immunity from COVID-19. He charged $3,995.
Given the public fears of COVID-19, there’s a whole slew of cyberattacks aimed at providers, subscribers, and Medicare patients.
Fake test kits: Bad actors are selling fake COVID-19 test kits and unapproved treatments through telemarketing calls, social media platforms, and door-to-door visits.
The COVID-19 pandemic has spawned dozens of phishing campaigns with the intent of scaring recipients into clicking on harmful links or attachments in text messages, emails, or social media posts. These bogus messages often include charitable appeals to help victims or information about protecting yourself or your children from the virus.
Payment blackmail: Fraudsters are contacting people by phone and email, pretending to be doctors and hospitals that have treated a friend or relative for COVID-19 and demanding payment for that treatment.
Bad actors are using a strain of malware called Emotet to carry out COVID-19-themed campaigns against unsuspecting victims. Emotet is particularly costly and destructive, forcing state and local governments to dole out up to $1 million per incident, according to the Department of Homeland Security.
MEDICAL IDENTITY THEFT
Medical identity theft is when someone steals or uses your personal information (e.g., name, Social Security number, Medicare number) to fraudulently obtain medical services or to submit fraudulent claims to health insurers and Medicare. Often, this personal information is acquired through large-scale data breaches. In 2019, the healthcare sector had 41.4 million patient records breached, fueled by a 49% increase in hacking. It’s widely believed that medical identity theft will continue to skyrocket in the COVID-19 era because healthcare organizations tend not to invest adequately in IT security.
A THREE-PRONGED APPROACH
Given the breadth and scope of these threats, healthcare systems need to take a comprehensive three-pronged approach to cybersecurity.
Educate your subscribers/members. Hospitals and healthcare systems need to educate their subscribers so they’re aware of how the fraud landscape is evolving. Subscribers should also be knowledgeable about and aware of the healthcare services they receive, keep good records of their medical care, and closely review all medical bills. They should be alerted to recent phishing scams and educated on how to spot them.
Fortify your security infrastructure. The medical profession has long been a favorite target of cybercriminals because it often lacks the security resources and requisite infrastructure to withstand today’s sophisticated fraud attacks. At minimum, healthcare organizations need to invest in enterprise-grade virus protection (AV/AS), firewalls, identity and access management and backup/DRaaS technology.
Establish mechanisms to verify patient identity. There are two important points where it’s vital to verify a subscriber’s identity: when a new account is created and when an online transaction occurs. An online transaction could be a virtual consultation or when a prescription is fulfilled. Increasingly, healthcare agencies are adopting Know Your Patient (KYP) processes to know that subscribers are who they claim to be online.
With KYP, the online user (i.e., the patient) is required to capture their government-issued ID (e.g., driver’s license, passport, ID card) via the user’s smartphone or computer’s webcam, followed by a live selfie (in which a 3D face map is created) to ensure the person behind the ID is the actual person creating the online account. When a telehealth consult is required or a medication is prescribed, the provider or pharmacist can simply authenticate the subscriber by asking her to take a fresh selfie, from which a new 3D face map is created and immediately compared to the original face map. This process takes less than 3 seconds and ensures that the patient is the original subscriber and not a fraudster.
Taking this three-pronged approach will help safeguard the provider, the health plan, and the subscriber. Telehealth has enormous potential, but it can only be realized if providers adopt security protocols and processes to keep from being unwittingly drawn into the crosshairs.