Setting the Record Straight on Smart CardsAre WEDI Compliant Health ID Cards Truly Smart?
Published in 2007, WEDI's Health ID Card Implementation Guide has become the de facto standard that organizations turn to when designing and issuing a health ID card. It is important to point out that the guide is exactly that - a guide - not a standard. However, the guide is based on a standard, INCITS 284, published by the American National Standards Institute. ANSI's standard includes a variety of technologies for health ID cards, including smart cards, but the WEDI Guide narrows the choices to two.
Why not include all technologies? The WEDI Guide was developed by a large group of representatives from several organizations. Obtaining a technology consensus was difficult. Those that are included in the guide are Track 3 Magnetic Stripe, favored by health plans; and PDF 417 barcode, favored by the pharmacy industry.Â Essentially, the guide provides a card designed for obtaining information and enabling transactions. However, these technologies do nothing to prove or protect the identity of the cardholder. Both cards display an abundance of personally identifiable information (PII), such as Name, Date of Birth, Sex, Medical Plan ID numbers (sometimes same as social security number), etc, all which can be used by fraudsters for medical identity theft.Â
How can smart card based health IDs help, and how is this technology different from mag strip and barcode technology?
With healthcare fraud and identity theft on the rise, these very basic technologies can be easily copied and fake health ID cards easily created. The potential losses are endless, including inaccurate health records, medical errors, and inaccurate claims as well as patient risk.
So how can smart card based health IDs help, and how is this technology different from mag stripe and barcode technology? Smart cards are essentially a fully functional computer (microprocessor) embedded into a standard size identification card (there are several other form factors but for this post we will focus on the card). The card has the capability of storing and encrypting a significant amount of data. Based on internationally accepted standards, the smart card has been in use for over 35 years and has become the default technology for securing banking transactions and wireless authentication for most of the world. Paired with a PIN, the card holder becomes the only person who can authorize access to the information stored on the card. The power to protect health identity is now in the hand of the patient.
Not only are smart cards "smart", they are secure. So secure that every employee of the U.S. Government is being issued one as their ID badge. It is more than an ID; it is an electronic identity credential that can be used for a variety of purposes including access into buildings, secure multi-factor authentication into networks, and payment to name a few.
Let's set the record straight. WEDI-compliant cards are not smart cards, but can be.
How can smart cards improve a WEDI card?
The WEDI card issued by my health plan does nothing to prove my identity. However, a WEDI card based on secure standards-based smart card technology would, since much of the PII on the face of the card could be securely stored on the chip. A .jpg image of the person can also be stored on the chip. Like a CD-RW, smart cards are re-writable and can securely store basic information about a person including date of birth, insurance eligibility, allergies, current medications, blood type, and emergency contact information. Having this data securely stored on the card can save lives in emergencies. The smart card would address the need for identity verification and authentication - desperately lacking in our health system today. To benefit the health plans and pharmacies, the barcode and magnetic stripe along with some of the data elements currently printed on the face of the WEDI card would remain for transaction purposes.
With HITECH and Meaningful Use, the healthcare landscape has changed significantly in the three years since WEDI first published its guide. With online fraud and medical identity theft on the rise, providers, institutions and payers need extremely high assurance that the person walking in the door for treatment or accessing their PHR online is who they say they are.
The question should not be whether health plans should issue a WEDI-compliant smart card as the health ID. It should be why aren't health plans already issuing them?