New Medicare cards miss an opportunity...
U.S. lags in the use of healthcare smart cards
Other countries have adopted healthcare smart cards to improve privacy and impede identity theft. Despite similar problems in the U.S., Medicare is issuing 150 million new beneficiary numbers next year, yet not adopting smart card technology. In my recent e-Book, Med Wreck: Proposing a Solution for the Nightmare of Medication Reconciliation, I briefly covered the topic of healthcare smart cards. This article will update you on the topic as an important option for building a safer, more secure, medication management environment for the United States.
So Where Do Healthcare Smart Cards Fit?
Serendipitously, my Small Business Administration mentor is a citizen of Portugal. After reading Med Wreck, he showed me his Citizen Card, Portugal’s national biometric identification card. This is the government’s secure and private ID card that provides:
- The identity of the person,
- Their equivalent of our Social Security card,
- Their National Health Service card,
- Taxpayer card, and
- Voter registration.
Through an arrangement with Portugal, Brazil uses the same model of Citizen Card. As shown on the sample below, the card includes digital certificates with the card’s authentication and electronic signature. The front of the card includes the holder’s name, address, date of birth, gender, height, nationality and signature image.
Portugal has a population of 10.3 million and GDP of $311 billion (U.S. dollars - USD). Brazil has a population of over 207 million and a GDP of $2.14 trillion (USD).
Maldives Issues Smart Card to Every Citizen
The Republic of Maldives is a sovereign nation located on 26 small islands (technically atolls) in the Indian Ocean southwest of Sri Lanka and India. It has a population of just under 420,000 and a GDP of $3.5 billion (USD).
This summer their government began issuing a new Passport Card. The size of our credit cards, it displays the holder’s name, photograph and a smart chip containing biometric data of each of the holder’s fingerprints. The biometric data is acquired at the time of issuance.
The card functions as a universal citizen ID, including,
- Electronic passport,
- Proof of insurance,
- Driver’s license,
- Health card, and,
- MasterCard payment authorization.
The smart chip enables a dual interface, supporting both smart card readers and contactless card-reading technologies.
Others Nations Using Smart Cards
The Maldives initiative follows that of the Republic of Trinidad and Tobago. This Caribbean nation of 1.3 million and GDP of $21.8 billion (USD) started issuing biometric smart cards in 2013 to prevent fraud among their Senior citizens. Their cards are used for a variety of public assistance grants. Prior to issuance, over 4,000 retirees had lost their benefits due to fraudulent activities.
Many countries of the European Union are using smart cards for visas/passports and will probably expand use of smart cards in the near future.
The Secure Technology Alliance
The Secure Technology Alliance is a New Jersey based not-for-profit, multi-industry group across private and public sectors. They changed their name earlier this year from The Smart Card Alliance. They host councils in a variety of sectors including finance, government, industry and healthcare. They have been championing the application of smart card technology, which most of us have seen in our credit and debit cards in the U.S.
The smart card chip stores and protects more data/information than possible with the magnetic strip of older cards. Many see smart cards as the ideal vector for both privacy and security, due to the ability to store a person’s biometric data. You can learn more by clicking at their website, www.securetechalliance.org. You can download their FAQs on “Smart Card Technology in U.S. Healthcare” HERE.
Why Should We Care? Healthcare Fraud in the U.S.
According to the National Health Expenditure Data (as reported by the Office of the Inspector General, December 2013), CMS estimates healthcare fraud at between $75 and $250 billion (2009 estimates). CMS reports that by 2014, 2.6 million Senior citizens had become victims of identity theft. CMS provides healthcare coverage for about 100 million Americans through Medicare and Medicaid. The United States has a population of 324.6 million and GDP of $18.6 trillion. The U.S. currently spends about $3.16 trillion annually on all healthcare expenditures.
Over 5 years ago, the Director of Health Care in the U.S. Government Accountability Office (GAO) began recommending that the Centers for Medicare and Medicaid (CMS) no longer utilize the Social Security number as the Medicare Health Insurance Claim Number (HICN).
The U.S. House of Representatives introduced the Medicare Common Access Card Act of 2015 (H.R. 3220) in July 2015, which was referred to a variety of committees that summer (Committee on Ways and Means, Subcommittee on Health, and Committee on Energy and Commerce). Many thought that this bill would result in the adoption of smart cards for CMS beneficiaries.
With the passage of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), Congress finally dictated that CMS must drop the use of Social Security numbers as the Medicare HICN and issue new unique ID’s to all 60 million living and 90 million deceased Medicare recipients by April 2019. They call the unique, randomly-assigned number a Medicare Beneficiary Identifier (MBI). They will be begin mailing the new cards to the living recipients beginning in April 2018.
Are the new Medicare cards a solution?
As you can see on the image below, these new cards are not healthcare smart cards and visually display the MBI number on the front. Also, CMS is allowing a 21-month transition period where providers will be able to use either the MBI or the HICN. Thus, there will be multiple databases(providers, payors and CMS) available to hackers and identity thieves who will be able to see the interconnections between the HICN and the MBI.
If A=B and I have A or B, then don’t I have both A & B?
It seems that CMS is not using state of the art technology but rather replacing one identifier with another. With the ongoing breaches of both industry and governmental databases, I would not want to bet that the MBI will be safe, private or secure for long. With the rampant increase in healthcare fraud and identity theft, it seems like this would have been a better time to turn to smart cards.
How is the new Medicare Beneficiary Identifier (MBI) generated?
The current Medicare cards bear the Health Insurance Claim Number (HICN). This number is the Social Security number (SSN) of the primary household beneficiary followed by a 1 or 2-byte Beneficiary Identification Code (BIC) for each member under that account. This creates a unique 11-digit ID with the first nine digits being numeric.
The new Medicare Beneficiary Identifier (MBI) is also 11 digits, with positions 2, 5, 8 and 9 always as alphabetic digits. Medicare states (CMS.gov) that the MBI will have the following characteristics:
- The same number of characters as the current HICN (11), but will be visibly distinguishable from the HICN,
- Contain uppercase alphabetic and numeric characters throughout the 11-digit identifier,
- Occupy the same field as the HICN on transactions,
- Be unique to each beneficiary (e.g., husband and wife will have their own MBI),
- Be easy to read and limit the possibility of letters being interpreted as numbers (e.g., alphabetic characters are upper case only and will exclude S, L, O, I, B, Z),
- Not contain any embedded intelligence or special characters, and
- Not contain inappropriate combinations of numbers or strings that may be offensive.
CMS anticipates that the MBI will not be changed for an individual unless the MBI is compromised or for other limited circumstances still undergoing review.
During the transition (April 2018 through December 31, 2019) CMS will accept, use for processing, and return stakeholders (providers and payors) either the MBI or HICN, whichever is submitted on the claim. Thus it follows that all providers and payors will be storing both the HICN and MBI in their health information systems, allowing hackers and identity thieves the relationship tables that they will need to compromise this new system