VA Issuing New ID Cards to Fight FraudExperts Question if Security Enhancements Are Adequate
In an effort that could help combat medical identity theft and fraud, the Department of Veterans Affairs is rolling out new healthcare identification cards for millions of U.S. veterans who seek care from VA providers.
But two security experts suggest that the new cards may not go far enough in using the latest technologies and techniques to help protect personal information.
Unlike previous ID cards, the new Veteran Health Identification Cards no longer display veterans' Social Security numbers and birthdates. Nor is that information contained in the cards' magnetic stripe or barcode.
Instead, the new cards display the veteran's unique Electronic Data Interchange Personnel Identifier as their member ID on the front of the card, a VA spokeswoman explains. That Department of Defense internal identification number for veterans is also embedded in the card's magnetic stripe and barcode.
"These new identification cards are an important step forward in protecting our nation's heroes from identity theft and other personal crimes," says Veterans Affairs Secretary Eric Shinseki.
More Changes Needed?
But while two security experts praise the changes in the cards, they suggest more changes could have been made to help mimimize fraud risks.
"As a security consultant and veteran, I applaud the VA's effort to change the ID cards and help reduce medical ID theft and fraud," says Brian Evans, principal at Tom Walsh Consulting. "The use and collection of Social Security numbers and dates of birth have been the de facto identifiers within the U.S. for the better part of a century, which has made this data susceptible for abuse by identity thieves and other criminals."
But Evans says the cards lack the latest available technology.
"I would like to see the VA migrate away from using the magnetic stripe, which is an outdated technology," Evans says. "The U.S. is the world's only advanced economy using magnetic stripes for credit cards and ID cards.
"Every member of the G20 group of industrialized countries uses a newer technology that puts a chip on the cards, which provides a double layer of security. Cards with embedded chips are harder to copy and they generate a unique code for each transaction for additional security."
Security expert Mac McMillan, CEO of consulting firm CynergisTek, says changes in the ID cards were long overdue.
"Military members report more [fraud] incidents each year than any other demographic," he says. "Part of what makes them more susceptible to identity theft is the culture of the military that trains its members to provide information when asked," says McMillan, who previously held information security leadership posts at two Department of Defense agencies. He notes that July 17 is annually designated Military Consumer Protection Day to raise awareness around ID theft.
But McMillan says an additional potential security measure would be to remove the ID number from the face of the new cards. "The question is whether that number even needs to be visible on the card at all or simply readable by the right equipment," he says. "The problem is that, at some point, you begin to lose practical usability of the card, making it more difficult for the user to do what they need to do. The steps the VA has taken here are very positive, improving security while balancing the needs of the user."
Example for Others?
Security experts would like to see other government agencies follow the VA's lead in eliminating Social Security numbers from ID cards.
Since 2006, HHS' Centers for Medicare and Medicaid Services has issued three reports to Congress on the results of studies on potential approaches to replacing the SSN-based identifier on Medicare beneficiary cards, according to a recent Government Accountability Office (see: GAO: Medicare ID Cards a Fraud Risk).
The GAO report urged CMS to step up its efforts to remove Social Security numbers from Medicare beneficiaries' identification cards. In its response to the GAO report, CMS noted that although the agency agrees with the GAO's recommendations for action, "a clear source of funding for both IT and non-IT activities associated with SSN removal would need to be identified before proceeding."
In June 2011, the Department of Defense completed efforts to replace almost 10 million military identification cards that had Social Security numbers printed on them with cards that stored the numbers in bar codes. However, DoD is now working to also remove the numbers from the barcodes and magnetic stripes on the cards by 2016. That's because experts say advancements in technologies, such as barcode readers on smart phones, make the embedded numbers vulnerable to fraud threats as well.
McMillan, the consultant, suggests: "The administration or Congress should pass standards that forces every government-issued identification card to be as secure as possible or at least meet a set of minimum standards. But why stop there? Why not have rules that require anyone who issues a personal identification card do so with security in mind? Make it harder for would-be thieves to get their hands on consumers' information."
And Evans says the VA deserves credit for taking a leadership role. "The VA is leading by example and sending a clear message to CMS and other federal agencies that this ID card change is not only achievable but will enhance privacy protection and help mitigate the risk of medical ID theft/healthcare fraud."