Fraud Fighting: Providers Lagging
In an exclusive interview, anti-fraud specialist Rebecca Busch says:
- Organizations should hold roundtable discussions with their employees to ask, "If you were going to steal, how would you do it?" She says, "You would be surprised what employees will report back in terms of where your areas of vulnerability are."
- Insurers and providers alike should regularly audit all activity on their networks and make sure system access privileges are appropriate to job functions.
- Federal healthcare reform will lead to an increase in insurance fraud in the short term as information systems are adjusted. But it should lead to a decrease in fraud over the long haul as more individuals get insurance coverage.
Busch, a registered nurse, formerly served as a hospital medical auditor setting up internal controls for documentation and reimbursement issues before starting a consulting firm that offers audits and forensic services.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Rebecca Busch, president and CEO of Medical Business Associates, a healthcare consulting, audit and forensic services firm. Thanks for joining us today, Rebecca.
REBECCA BUSCH: Thank you.
ANDERSON: Based on your experience, what are the most important steps that health insurers can take to prevent fraud, and which technologies play a key role in the prevention effort?
BUSCH: ...The first step is just to have a fraud risk assessment form and have relevant questions and red flags that you can create for yourself. Technology, without a question, plays a critical role because we are a high-volume, high-cash business....Labor associated with individual reviews...remains in a constant pay-and-chase form, and will never catch up.
ANDERSON: Are there particular technologies that play important roles in the prevention effort?
BUSCH: Yes, I would call them a relational database or generalized audit software, where you have some basic level algorithms that you're running across, for example...a claim file. And they could look for simple things like address profiles or diagnosis profiles or this provider is treating patients at a volume of 100 patients per hour seven days a week. So there are some basic tests that you could run to look for anomalies. The general term that I like to use is "what's normal?" and anything outside of that is abnormal and deserves attention. The same thing would go for the provider. We all read the papers every single day. There is a huge concern with access to health insurance, so what are some ways that individual consumers can take advantage of this or manipulate the system? One of the fastest growing areas is medical identity theft.
So, an example...is a consumer going to a hospital...misrepresenting their identity using someone else's to get healthcare benefits.
Each...market player: the patient, the provider, the insurance company...and vendors like pharmacies or durable medical equipment companies -- each one of them can experience fraud....So, the technology portion would be looking at your business and the data that you collect, and looking for any aberrant patterns that indicate, "Hey, something different is going on here, we need to take a closer look at that."
ANDERSON: How do fraud detection strategies differ in the insurance setting versus the hospital or clinic setting?
BUSCH: The insurance industry is at a different level than the provider market. What I mean by that is addressing fraud prevention or risk assessment is something that has been active in the insurance market going back 20 years, and they are constantly on the offensive, looking for, for example, providers or claimants submitting false claims.
The provider market is still catching up, and usually they're on the defensive, being concerned from a compliance perspective that they're going to be accused of fraud. I'm not sure many of them are as prepared for the expectation that fraud may be committed against them.
Here is a perfect example....Counterfeit medications or diluted medications: You have people who are trying to sell it to a provider....That is an example where the provider can be a victim, and I already gave you an earlier example of a patient misrepresenting their status of coverage. That is where a provider can be a victim. So those are also both examples of external fraud.
The most frustrating fraud for any of these market players is internal. Again, I'll use identity theft because that works for providers and payers. You can have an employee stealing people's files and selling them. That is a huge problem that they have to prevent. And technology, for example, comes into play for protection of identity. If you have any type of electronic system, you really need to test your audit trails and your user ID access. So the user ID is truly designed (to grant access to information) on a need-to-know basis for the employee to do their work. Do you have any kind of algorithms or tests that you run to see if an employee deviates from their type of work and accesses information that they should not?
ANDERSON: Should fraud prevention be included as an integral part of the broader risk management efforts of both provider organizations and insurers?
BUSCH: I think fraud risk assessment should be a key area, especially when you are in a market where you have a lot of individuals and organizations struggling financially. Unfortunately, that type of environment creates an atmosphere where people who would normally not walk into that gray area, if they see an opportunity, may easily rationalize taking that risk. And sometimes the people who fall into that bucket are having some type of life crisis and they think, "You know, I'm just going to borrow money for a little bit." Then once they start "borrowing" it, the mind has an amazing ability to rationalize behavior and choices, and they continue to take that step.
I can tell you from my experience in working with people and organizations, when people do plot a particular fraud or scheme, they may identify the mechanics, they may look for the opportunities -- the vulnerabilities of an organization or an individual -- but at the end, they never conclude with "and this is what I'm going to do when I get caught." So that particular piece is often missing from the logic, and when people do things under duress, they often make a lot of mistakes. That is where the opportunities for effective internal controls and technology come into play -- to look for those weaknesses in how people make decisions and how they access information.
ANDERSON: Do you anticipate medical identity theft might decline as a result of federal healthcare reform, which could lead to more Americans having insurance coverage so they don't need to seek it out fraudulently?
BUSCH: I actually think things are going to get worse before they get better. Anytime we introduce change, we go through growing pains....As we implement evolving IT infrastructures...there will be a time period where there are vulnerabilities that we don't catch right away. So that is the basis for saying I think it is going to get worse before it gets better, but eventually it should get better....
ANDERSON: What other fraud detection and prevention advice would you give to providers as well as payers based on your extensive experience?
BUSCH: You need to get the internal audit department involved in looking at your system. And one of the activities that I actually like to do with individual organizations is have a roundtable discussion with their employees and simply ask the question, "If you were going to steal, how would you do it?" You would be surprised what employees will report back in terms of where your loopholes or areas of vulnerability are in terms of access to your information systems. Globally, your fraud risk assessment should be divided into two categories. What exposure do I have to internal fraud schemes? What exposure do I have to external? When you look at external, you're looking at both your vendor relationships and, in addition, your customer relationships....So it's an internal assessment and an external assessment, and they really should be done contemporaneously....
Lying, cheating, and stealing is as old as time. We've never had a market where we didn't have those behaviors....There was one report by the Association of Certified Fraud Examiners that it takes 18 months for a fraud to materialize when it comes to detecting employee theft, as an example. Well then the goal should be, do we have an infrastructure that can take that 18 months down to 12? And when you get to 12 you want to move it down to six, and so forth -- get it down that you stop the bleeding ideally within the first 30 days as opposed to something that lingers on...let alone is never found at all.
ANDERSON: Thanks, Rebecca. We've been talking today with Rebecca Busch of Medical Business Associates. This is Howard Anderson; thanks so much for listening.