April 29, 2015 By Brian Evans 3 min read

According to the FBI, health care fraud costs the country tens of billions of dollars a year, and it’s an ever-increasing issue. Unfortunately, it’s all too common for health care organizations to overlook or miss these types of incidents. Fraudulent health care schemes come in many forms. When health care fraud losses are assessed, the results show far more originate from inside the organization as opposed to outside. Historically, insiders have been the root of the problem, whether from the malicious abuse of information or sidestepping procedural controls. Coupled with the increasing amount of fraud activity, there are major concerns about insiders leaking organizational information. However, the health care industry has a long way to go since strategies and solutions to address them still lag behind other industries.

Fundamental Health Care Fraud Management Practices

To counter insider threats and fraud activity, health care organizations need to reinforce fundamental health care fraud management practices and basic security controls. Deterrence, prevention, detection and response all have their place. Prevention practices are ideal, but without data collection, a health care organization cannot successfully detect or react to anything. IT departments generally collect copious amounts of data, but aggregation, normalization, centralization and retention may not be thoroughly executed.

The following are fundamental health care fraud management practices that health care organizations should employ:

Auditing and Monitoring

Alarms, audits and investigations help detect bad actors and determine the effectiveness of controls. Alerts or alarms should be designed to identify event sequences with potentially negative consequences. Statistical and anomaly detection methods are useful for these purposes, as are rule-based detection mechanisms. In other words, these processes can help notify the security team when insiders are abusing an organization’s IT systems in fraudulent ways and creating activities and transactions that exceed the norm or expected threshold.

Organizations are increasingly turning to security information and event management or log management tools to augment data collection efforts. In order to be effective, audit logs should be at an appropriate level of detail to the loss thresholds being detected. The Centers for Medicare & Medicaid Services has leveraged predictive modeling technology to identify health care fraud and fraudulent Medicare claims, and health care organizations should explore the feasibility of employing something similar. These technologies incorporate predictive models and other analytics that can scrutinize systems and applications, identify potential problems and create alerts for further investigation. Credit card companies use a similar method to recognize suspicious behavior.

Background Investigations

Background investigations should be a part of the hiring process for all workers. These checks should be proportional to the business requirements, the types of information being accessed and the perceived risks that have been formally identified. At a minimum, consider conducting background investigations to address criminal, education and reference checks as well as licensing and employment verification. There are health care organizations that still conduct criminal background investigations for only their surrounding counties or statewide as a cost-saving measure. Ensure nationwide checks are performed for obvious reasons; the additional cost is minimal but worth it. Also, conduct periodic background reinvestigations for workers with higher levels of insider access in areas such as system administration or finance and accounting. This has both a deterrent and preventive effect against health care fraud.

Security Awareness and Training

Security awareness and training programs should include health care fraud examples of insiders being caught and prosecuted. The program should dovetail with training that ensures workers have the proper level of knowledge to identify when harm might occur, whether it is with accounting procedures or the improper use of information assets.

Code of Conduct and Confidentiality Agreements

Code of conduct and confidentiality agreements should have adequate language addressing health care fraud. Additionally, workers who sign them should be well aware of the implications associated with violating these agreements. When a violation does occur, it should be consistently sanctioned in order to help deter future fraudulent activity.

Verification and Validation

Internal audits should verify all these fundamental health care fraud management activities are adequately performed using independent tools for verification. Ensure auditors methodically assess business associates for their conformance to contractual and agreement requirements. For proper deterrence, workers should be made aware of these ongoing audit activities.

Health care fraud will continue to be an issue whenever the opportunity presents itself and when money is involved. However, stepped-up audit efforts, technologies and general awareness publicizing the offenses are the best ways to prevent fraud. Health care organizations can neither accept the high risks of fraud nor abandon pursuit for defenses against insider abuse just because controls aren’t easy to implement or they cost money. The notions of trust within health care organizations should be reexamined so prudent decisions can be made about insiders who are both trusted and worthy of that trust.

Image Source: iStock

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today