How Are You Managing Your Health Care Fraud?

According to the FBI, health care fraud costs the country tens of billions of dollars a year, and the problem keeps growing. Unfortunately, health care organizations all too often overlook or miss these incidents. Fraudulent health care schemes come in many forms, and when losses are assessed, far more originate from inside the organization than from outside. Historically, insiders have been the root of the problem, whether through malicious abuse of information or by sidestepping procedural controls. On top of the rising volume of fraud, there are major concerns about insiders leaking organizational information. Yet the health care industry has a long way to go: its strategies and solutions for addressing these threats still lag behind other industries.

Fundamental Health Care Fraud Management Practices

To counter insider threats and fraud activity, health care organizations need to reinforce fundamental health care fraud management practices and basic security controls. Deterrence, prevention, detection and response all have their place. Prevention is the ideal, but without data collection an organization cannot detect or respond to anything. IT departments generally collect copious amounts of data, but the aggregation, normalization, centralization and retention of that data are often not carried through.

The following are fundamental health care fraud management practices that health care organizations should employ:

Auditing and Monitoring

Alarms, audits and investigations help detect bad actors and determine the effectiveness of controls. Alerts and alarms should be designed to identify event sequences with potentially negative consequences. Statistical and anomaly detection methods are useful for this, as are rule-based detection mechanisms. In practice, rules catch activity that exceeds a known threshold (for example, more patient records opened in a day than a role ever requires), while statistical methods catch activity that is unusual for that user or peer group even when no fixed threshold is crossed. Together they can notify the security team when insiders are abusing an organization's IT systems in fraudulent ways.

Organizations are increasingly turning to security information and event management or log management tools to augment data collection efforts. To be effective, audit logs must capture enough detail to detect losses at the thresholds the organization cares about: a log that records only logins, for instance, cannot show which records a user opened or exported. The Centers for Medicare & Medicaid Services has leveraged predictive modeling technology to identify health care fraud and fraudulent Medicare claims, and health care organizations should explore the feasibility of employing something similar. These technologies incorporate predictive models and other analytics that scrutinize systems and applications, identify potential problems and create alerts for further investigation. Credit card issuers use a similar method to recognize suspicious transactions.
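The following is an added example, not code from the article or from any product it mentions, showing the two detection styles described above run over audit records. The log lines, the field layout (timestamp, user, action, patient ID), the thresholds and the business-hours window are all assumptions constructed for this example. It applies a fixed-threshold rule on distinct patient records opened per user per day, a per-user statistical check against that user's own history, and a sequence rule for an after-hours export of a record the same user had just viewed.

```python
"""Rule-based and statistical detection over constructed EHR audit records.

All thresholds, the business-hours window, and the sample log are assumptions
made for this example; the field layout is timestamp,user,action,patient_id.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

RULE_MAX_PATIENTS_PER_DAY = 5   # assumed loss threshold for the fixed rule
Z_THRESHOLD = 3.0               # assumed z-score cutoff for the anomaly check
MIN_BASELINE_DAYS = 3           # skip users with too little history to score
BUSINESS_HOURS = (7, 19)        # assumed 07:00-19:00 local

# Constructed sample log (not real data): nurse01 opens one record a day, then
# seven in one evening and exports one; clerk02 is a steady daytime user.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:02,nurse01,VIEW,P1001
2024-03-05T10:11,nurse01,VIEW,P1002
2024-03-06T08:45,nurse01,VIEW,P1003
2024-03-07T14:20,nurse01,VIEW,P1001
2024-03-08T22:05,nurse01,VIEW,P1010
2024-03-08T22:09,nurse01,VIEW,P1011
2024-03-08T22:14,nurse01,VIEW,P1012
2024-03-08T22:20,nurse01,VIEW,P1013
2024-03-08T22:27,nurse01,VIEW,P1014
2024-03-08T22:35,nurse01,VIEW,P1015
2024-03-08T22:40,nurse01,EXPORT,P1015
2024-03-08T22:51,nurse01,VIEW,P1016
2024-03-04T09:30,clerk02,VIEW,P2001
2024-03-04T09:55,clerk02,VIEW,P2002
2024-03-04T10:00,clerk02,EXPORT,P2002
2024-03-05T09:10,clerk02,VIEW,P2003
2024-03-05T11:00,clerk02,VIEW,P2004
2024-03-05T15:30,clerk02,VIEW,P2005
2024-03-06T09:00,clerk02,VIEW,P2006
2024-03-06T13:15,clerk02,VIEW,P2007
2024-03-07T09:05,clerk02,VIEW,P2008
2024-03-07T10:40,clerk02,VIEW,P2009
2024-03-07T16:00,clerk02,VIEW,P2010
"""


def parse_log(text):
    """Parse 'timestamp,user,action,patient_id' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, patient = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                       "user": user, "action": action, "patient": patient})
    return events


def daily_distinct_patients(events):
    """Return {user: {date: set of patient IDs viewed that day}}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] == "VIEW":
            per_day[e["user"]][e["ts"].date()].add(e["patient"])
    return per_day


def rule_volume_alerts(events, limit=RULE_MAX_PATIENTS_PER_DAY):
    """Fixed rule: distinct patients viewed per user per day above `limit`."""
    alerts = []
    for user, days in daily_distinct_patients(events).items():
        for day, patients in sorted(days.items()):
            if len(patients) > limit:
                alerts.append((user, str(day), len(patients)))
    return alerts


def anomaly_volume_alerts(events, z=Z_THRESHOLD, min_days=MIN_BASELINE_DAYS):
    """Per-user z-score of each day's count against that user's other days.

    A perfectly regular user has a standard deviation of 0, which would flag
    any change at all, so the deviation is floored at 1 record (an assumption).
    """
    alerts = []
    for user, days in daily_distinct_patients(events).items():
        series = {day: len(p) for day, p in days.items()}
        for day, count in sorted(series.items()):
            others = [c for d, c in series.items() if d != day]
            if len(others) < min_days:
                continue
            cutoff = mean(others) + z * max(pstdev(others), 1.0)
            if count > cutoff:
                alerts.append((user, str(day), count, round(cutoff, 2)))
    return alerts


def after_hours_export_alerts(events, hours=BUSINESS_HOURS):
    """Sequence rule: EXPORT outside business hours of a record the same user
    viewed earlier (events are processed in timestamp order)."""
    viewed, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["patient"])
        if e["action"] == "VIEW":
            viewed.add(key)
        elif e["action"] == "EXPORT" and key in viewed:
            if not hours[0] <= e["ts"].hour < hours[1]:
                alerts.append((e["user"], e["patient"],
                               e["ts"].isoformat(timespec="minutes")))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_AUDIT_LOG)
    for name, fn in [("rule", rule_volume_alerts), ("anomaly", anomaly_volume_alerts),
                     ("after-hours export", after_hours_export_alerts)]:
        print(name, fn(evs))
```

In this constructed data the fixed rule and the statistical check both flag nurse01's evening of 8 March, while clerk02's slightly busier days stay below the cutoff; the sequence rule flags only the export at 22:40, not clerk02's export at 10:00. Real deployments would derive the thresholds from role-based baselines rather than constants, and would feed the alerts into the investigation workflow described in the section.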

Background Investigations

Background investigations should be part of the hiring process for all workers. These checks should be proportional to the business requirements, the types of information being accessed and the risks that have been formally identified. At a minimum, consider conducting criminal, education and reference checks as well as licensing and employment verification. Some health care organizations still limit criminal background checks to their surrounding counties or to the state as a cost-saving measure. Ensure nationwide checks are performed, since a record in another state would otherwise go unseen; the additional cost is minimal but worth it. Also, conduct periodic background reinvestigations for workers with higher levels of insider access, such as system administrators or finance and accounting staff. This has both a deterrent and a preventive effect against health care fraud.

Security Awareness and Training

Security awareness and training programs should include health care fraud examples of insiders being caught and prosecuted. The program should dovetail with training that gives workers the knowledge to recognize when harm might occur, whether in accounting procedures or in the improper use of information assets.

Code of Conduct and Confidentiality Agreements

Code of conduct and confidentiality agreements should contain adequate language addressing health care fraud, and the workers who sign them should be well aware of the consequences of violating them. When a violation does occur, it should be sanctioned consistently in order to deter future fraudulent activity.

Verification and Validation

Internal audits should verify, using independent tools, that all of these fundamental health care fraud management activities are actually performed. Ensure auditors methodically assess business associates for conformance to their contractual and agreement requirements. For proper deterrence, workers should be made aware that these audit activities are ongoing.

Health care fraud will continue to be an issue wherever the opportunity presents itself and money is involved. However, stepped-up audit efforts, technology and general awareness that publicizes the offenses are the best ways to prevent it. Health care organizations can neither accept the high risk of fraud nor abandon the pursuit of defenses against insider abuse just because controls are hard to implement or cost money. The notions of trust within health care organizations should be reexamined so that prudent decisions can be made about which insiders are both trusted and worthy of that trust.

Brian Evans

Senior Managing Consultant, IBM

Brian Evans, CISSP, CISM, CISA, CGEIT is a Senior Managing Consultant for IBM Security Services and assists clients in building regulatory compliant information security programs. With over 20 years of combined experience in IT management, consulting and information security, Brian has served in the role of Chief Information Security Officer for a variety of organizations and worked in various industries. He has led the Incident Response and Computer Forensic Investigations teams for Nationwide Insurance and was Vice President, IT Risk Management at KeyBank and JPMorgan Chase. Brian held director level positions with CynergisTek and Computer Task Group consultancy firms and started his career in the U.S. Air Force. He has earned a Master’s in Public Administration from the University of Cincinnati and a B.S. in Business Management from the University of Maryland.