Healthcare Industry Investments to Fight Medical Identity Fraud. A study by the Medical Identity Fraud Alliance




Healthcare Industry Investments to Fight Medical Identity Fraud A study by the Medical Identity Fraud Alliance September 2015

Table of Contents

Executive Summary
Analysis of Survey Results
  Strategic priorities
  Spending trends
  Human resources spending
  Budget allocations
  IT spending allocations
Conclusions
Acknowledgements
Appendix: Survey demographics and caveats

2015 Medical Identity Fraud Alliance (MIFA)

Executive Summary

The Medical Identity Fraud Alliance (MIFA) conducted a survey of its members to better understand investments that the healthcare industry is making to detect, prevent, and mitigate medical identity theft and fraud. The following are findings from the survey. The analysis of the responses will help us better understand the investment approaches taken by companies in the healthcare industry in dealing with identity theft and fraud.

Our results show a trend of increasing healthcare industry investment in technology, processes and programs to detect, prevent and mitigate medical identity theft and fraud. Their priorities are for the privacy and security of patients' protected health information (PHI). As expected, technology spending ranks high both in dollar amounts spent and as a priority for budget allocations.

The survey looked at various aspects of investment, including monetary as well as human capital investments. The respondents were a mix of healthcare providers, health plans/payers and service providers to the healthcare industry. Demographic information is available in the Appendix.

Key Findings:

1. Technology investments garnered the highest dollar amount for budget allocations to detect, prevent or mitigate medical identity fraud.
2. Spending is not necessarily completely aligned with strategic priorities. While personnel and human resources/talent were ranked highest in priority by 72 percent of respondents, spending is led by IT systems.
3. There is an upward trend in spending to detect, prevent and mitigate medical ID theft and fraud. Nearly half of respondents indicated increased overall spending, with half staying about the same and only 4.17 percent spending less.
4. Detection systems lead IT spending over prevention and mitigation programs. Nearly half of respondents listed detection systems as half or more of their total IT budget, compared to just 23% indicating they allocated half or more of their budget to prevention systems.

These key findings validate what many professionals in the industry already know: that disproportionate spending on cyber-related processes is the current trend. Yet human errors and system glitches caused nearly two-thirds of data breaches globally in 2012. [1] We recognize the rise in data breaches in the healthcare industry [2] and, hence, budgets that lean heavily on IT spending; however, the survey results seem to indicate the healthcare industry is taking a broader view. When we look deeper into the survey responses, we find a trend emerging that places high importance not only on IT spending, but also on other areas such as human capital, education and awareness, and other measures that, combined, are working to harden our defenses against fraudulent use of PHI.

[1] Ponemon Institute & Symantec, 2013 Cost of Data Breach: Global Analysis, March 2013, http://www.ponemon.org/library/2013-cost-of-data-breach-global-analysis
[2] Experian Data Breach Resolution, Data Breach Industry Forecast, December 2014, https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcaredata

Analysis of Survey Results

Strategic Priorities

Human resources and talent lead strategic priorities in fighting medical identity theft and fraud. Respondents ranked personnel as their most important priority in their prevention, detection and mitigation efforts, with software and hardware systems ranking second. Seventy-two percent of respondents cited personnel as either their number one or number two priority (36% each ranked personnel as first or second). Respondents were asked to rank their priorities regardless of the dollar amounts allocated within their budget to those areas. With nearly three-fourths of respondents indicating personnel as one of their most important priorities, we believe the industry recognizes that regardless of the systems you have in place, human talent and knowledge are critically important in fighting medical identity fraud.

Strategic Priorities: percentages of rankings (legend: 1st, 2nd, 3rd, 4th, 5th)
Software/hardware: 39%, 18%, 18%, 25%
Personnel: 36%, 36%, 14%, 11%, 3%
Training & awareness programs: 21%, 27%, 14%, 38%
Compliance/audit: 18%, 50%, 21%, 11%
Other: 8%, 4%, 4%, 85%

Chart 1: Strategic priorities ranked by category, from highest priority (1st) to 5th. Percentages indicate the number of respondents that placed that area of business as first, second, third, etc. in their priorities.

The prevailing tendency of many management teams is to buy and install something that checks the box for having certain systems in place to solve a corresponding problem, rather than to follow a strategy led by investments in people and processes. The survey indicates the healthcare industry's more thoughtful and strategic view of fighting medical identity fraud by placing a high priority on the individuals that play their respective roles in detecting, preventing or mitigating medical identity theft and fraud.

IT systems are also important. Technology, particularly emerging technology, is an important part of any risk management program, as indicated by over half of the respondents ranking IT systems as the second highest priority. Fifty-seven percent of respondents ranked it as either their first or second priority. While a slightly higher percentage ranked IT systems as their top priority (39%) compared to those who ranked personnel as their highest (36%), the disparity in the second highest rankings (18% IT systems versus 36% personnel) indicates the overall importance placed on personnel.

Investments in workforce training and education programs are equally important. In alignment with the importance placed on human capital and knowledge in fighting medical identity fraud, nearly half of respondents rank training, education and awareness programs as either first or second most important. This includes not only training and awareness for those employed within the enterprise, but also awareness programs for external audiences such as consumers, patients and health plan members.

Compliance and audit programs are important but not the highest priority. While no respondents ranked auditing and compliance as their top strategic priority, 18 percent indicated it as second most important and half identified it as their third highest priority. Legal and regulatory compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and other mandates is important in protecting the privacy and security of PHI, as are the auditing processes needed to ensure compliance. However, these programs must be accompanied by strong processes and technology. Merely complying with legal statutes and regulatory mandates will not protect against the loss of, or fraudulent use of, PHI.

Other expenditures included: risk analysis policies, system-wide health identifiers, government support, and biometric adaptation. These very specific answers represent examples of expenditures that several respondents deemed important as risk management priorities.

A multi-faceted fraud prevention program is best. The high importance (first, second or third priority) placed on these categories (personnel, IT, training, compliance) indicates that the healthcare industry recognizes that a combination of multiple resources working in concert is vital for fraud detection, prevention and mitigation. It is not any single category, whether people, process or technology, that will work best to combat medical identity fraud, but rather a layered, multi-faceted, enterprise-wide approach. Other priorities included enterprise-wide systems and processes for health identifiers and getting government to understand and support efforts to curb medical identity fraud.

Spending Trends

Spending to detect, prevent and mitigate medical ID theft and fraud is increasing. Nearly all respondents are spending at least the same amount as they did the year before, and almost half of the respondents have increased their spending from the prior year. Only 4 percent of the respondents indicated that their spending for medical identity fraud detection, prevention and mitigation has decreased.

Spending Trends
Stayed the same: 50.00%
Downward spending trend: 4.17%
Upward spending trend: 45.83%

Chart 2: Spending trends to fight medical identity fraud.

Human Resources Spending

The importance of people within the organization. Respondents were asked to break down their personnel spending into different categories of human resources (HR). As with all other questions in this survey, it is difficult to attribute the importance placed on each type of personnel to the industry at large, since the respondents are varied.

Cyber and IT personnel had very mixed responses for human resource spending. The largest group was 23 percent of respondents, who spent 80 percent of their total HR budget on cyber personnel. As can be seen in the following chart, cyber personnel is the most diverse category in the percentage of total HR budgets, with nearly every amount garnering a significant number of respondents. The wide percentage spread of cyber personnel allocations, rather than a strong lean towards higher percentages, may indicate a general under-employment in this area. This may be of concern, particularly given the importance placed on cyber issues as a strategic priority. We are specifically concerned that information security personnel hiring may lag behind emerging cyber threats as the healthcare sector moves increasingly into an electronic-record-based environment.

These concerns aside, MIFA has seen an increase in titles such as Chief Information Security Officer (CISO) as these specific roles are designated within the healthcare sector.

Special Investigations Units (SIU) were very top and bottom heavy in terms of human resources spending. Thirty-three percent of respondents indicated that they spent 100 percent of their total HR spending on SIUs, and 33 percent specified that they spent less than 10 percent.

[Chart: Human Resource/Personnel Allocations. Categories: Cyber, SIU, Privacy, Compliance/audit, Front office/registration, Other. Bars show percentages of respondents' allocations; legend: % of total spending, from 100% down to <10%.]

Chart 3: Number of respondents indicating their HR spending allocated to various categories of personnel.

Compliance personnel did not represent more than 30 percent of any respondent's human resource spending. 65 percent of respondents spent between 20 and 30 percent of their total spending on compliance personnel, and the rest (35%) fell under the category of 10 percent or below.

The largest representation of respondents (38%) indicated that privacy personnel were 10 percent or less of their entire human resource spending. Furthermore, 88 percent of respondents spent 30 percent or less on privacy personnel, which indicates that it is not a top priority in terms of spending percentage.

Sixty-seven percent of respondents spent 10 percent or less of their human resource spending on front office/intake/registration personnel. However, such personnel still rank as a fairly high priority in terms of percentage spending for the 33 percent of respondents that indicated that it represents 80 percent of their entire spending.

Half of the respondents indicated they spent most of their human resource spending on personnel types that were not listed in the survey, which indicates that other types of personnel (not cyber, SIU, compliance, privacy or registration) were not listed as a choice on the survey.

Budget Allocations

Spending in the healthcare industry is relative. Respondents were asked to indicate how much their organization spends annually on prevention, detection and mitigation of medical identity theft and fraud, in a variety of categories: software/hardware/systems; fraud loss recovery costs; in-house staff education and training; external education and awareness programs for consumers; and other.

It is difficult to analyze the dollar amount of spending since the respondents varied greatly in company size. Understandably, larger companies had larger overall budgets. Furthermore, costs for such diverse categories as IT systems, personnel and training programs vary greatly. It is no surprise that IT systems can be costly compared with educational training programs, even if such programs are wide-reaching and have significant positive effects.

Generally, about two-thirds of respondents spent less than $1 million (MM) on IT systems; however, almost 30 percent spent over $3MM. Similarly, respondents spent less than $1MM on consumer education and awareness programs, but over one-fifth spent $3MM or more. While premium importance was placed on personnel as a strategic priority, in-house education and training programs, including those mandated by law or regulation, did not have a large share of spending. The majority of spending was under $1MM. The least amount was spent on fraud recovery costs, with all respondents spending less than $3MM.

The following chart shows the percentage of respondents that indicated each category of spending accounts for a given percentage of their total budget. For instance, 12 percent of respondents indicated that 100 percent of their budget is allocated to software and hardware systems.

Budget Allocations: percentages of respondents' allocations (legend: % of total spending, from 100% down to <10%)
Software/Hardware Systems: 12%, 6%, 6%, 6%, 6%, 38%, 13%, 13%
Personnel: 7%, 8%, 15%, 31%, 8%, 31%
Compliance Programs: 9%, 9%, 27%, 18%, 37%
Training Programs: 9%, 9%, 9%, 27%, 46%

Chart 4: Number of respondents indicating percentages of their total budget allocated to various enterprise areas.

We can better analyze budgetary implications when we look at percentages of the different categories in the overall budgets. As with the strategic priorities, the percentage of budget allocation to various categories such as IT systems, personnel and training/education can be measured in moderated expenditure plans. There is no single category to which respondents overwhelmingly indicated that the majority of their budgets is devoted.

In measuring IT systems, 20 percent of enterprise budgets were allocated to software and hardware in over one-third of the respondents. Likewise, almost one-third of respondents allocated 20 percent of their budgets to personnel and 20 percent to compliance programs. Training programs have the smallest share, with nearly half of the respondents allocating less than 10 percent of their budgets to education and training.

IT-Specific Spending Allocations

Detection systems lead IT spending over prevention and mitigation. Respondents were asked to estimate the percentage distribution of their total IT budget to various systems that fight medical identity fraud, whether to detect, prevent or mitigate theft and fraud.

[Chart: IT Budget Allocations. Categories: Fraud Detection Systems, Fraud Prevention Systems, Fraud Mitigation Systems. Bars show percentages of respondents' allocations; legend: % of total spending, from 100% down to <10%.]

Chart 5: Number of respondents indicating percentages of their total IT budget allocated to detection, prevention or mitigation systems.

Forty-six percent of respondents listed detection systems as half or more of their total IT budget, while half that number, 23 percent, indicated they allocated half or more of their budget to prevention systems.

Identity fraud mitigation systems obtained the least amount of any IT budget, with about three-fourths of respondents spending 10 percent or less of their total IT budget on such systems.

Conclusions

Understanding the investments being made in the healthcare industry to fight medical identity theft is a complicated issue that spreads across the enterprise. Respondents of this survey indicate an approach that encompasses people, processes and technology as a common structure. There is not one category of investments that is the silver bullet to fighting fraud; it is many types of subject expertise spread across multiple kinds of technologies, conducting varying types of activities.

While technology consistently ranks high in both the dollar amounts spent and the importance placed on the IT infrastructures of our healthcare ecosystem, it is apparent that technology alone is not the answer. It is the deployment of technologies along with the investments in expert personnel who are properly educated and trained to protect PHI from fraudulent use that will help reduce the incidence of medical identity fraud.

It is important for all entities across the enterprise to understand their importance and the interconnected roles they play in the fight against identity fraud. Cyber and IT personnel must collaborate with fraud investigation units; compliance and privacy experts must understand emerging technologies and how they affect PHI protection; education and training personnel should reach out to all stakeholders to raise awareness about the negative effects of medical identity fraud, whether communicating to internal staff or external patients, health plan members or consumers.

Systems to detect identity fraud are obviously key components, but front-end prevention systems are also vitally important to stop the fraud at the source as much as possible. And mitigation is needed on the back end; as much as we invest in fraud prevention, it is an unfortunate fact of business that fraudsters will always be present.

It is in this collaborative space where investments in multiple areas are important. The healthcare industry cannot have tunnel vision and invest in only one area. The results of this survey are helpful in identifying the various facets of the types of investments being made by the healthcare industry to combat medical identity fraud.

Acknowledgements

Many thanks to the MIFA Best Practices, Benchmarking and Research Working Group, who collaborated on the survey tool, identified key areas of industry investments and helped analyze the results.

Expressed appreciation goes to Jared Platt of the Center for Identity Management and Information Protection at Utica College. This report would not have been accomplished without his tireless contributions to organize and analyze the raw survey data.

MIFA member companies and strategic partners:

21CT
AARP *
Aetna *
All Medical Solutions *
Association of Credit Counseling Professionals
Aware, Inc. *
Blue Cross Blue Shield Association
CareFirst BlueCross BlueShield
Center for Identity Management and Information Protection (CIMIP), Utica College *
Clearwater Compliance, LLC
Coalition Against Insurance Fraud
Consumer Federation of America
CSID *
Emdeon *
Europ Assistance USA
Experian *
Florida Blue *
Henry Ford Health System *
ID Experts *
Identity Fraud Institute at Hodges University
Identity Theft Resource Center
IDology, Inc. *
IDT911 *
Information Systems Security Association *
Kaiser Permanente *
LifeMed ID, Inc. *
Maize Analytics *
Maryland Crime Victims' Resource Center, Inc.
Meditology Services, LLC
National Health Care Anti-Fraud Association
Norse Corporation
North Shore-LIJ Health System *
Parry Advisory *
Patient Secure *
Paycasso Verify, Inc.
Secure ID Coalition *
Smart Card Alliance
Stoel Rives LLP *
TraitWare
UnitedHealthcare
U.S. Department of Labor *
U.S. Department of Veterans Affairs *

* Member companies of the Best Practices, Benchmarking and Research Working Group.

Contact

For further information on this survey, please contact info@medidfraud.org.

Appendix: Survey demographics

Below are self-identified demographics of the respondents. Providing demographic information was voluntary and not all respondents replied to all questions.

Type of organization. The largest representation of the survey sample is Service Provider and Health Plan/Payer. These diverse demographics represent over half of the respondents and therefore tilt the responses of the survey toward their respective business models.

Trade association: 5.95%
Academia: 7.14%
Government entity (federal, state, local): 9.52%
Service provider/business associate to: 26.19%
Integrated provider/payer: 5.95%
Health plan payer: 28.57%
Healthcare provider: 16.67%

Company size (in net revenue). The largest portion of respondents (33.33%) was made up of companies with a net revenue of less than $500 million. It is important to note, when looking at the responses to this survey, that roughly one-third of the companies are relatively small in size. It is also worth noting that a fairly large percentage of the respondents (27%) did not list net revenue, and this should be considered when interpreting the responses as a whole.

$50B+: 11.83%
$10B to $49.99B: 4.30%
$500M to $9.99B: 23.66%
Under $500M: 33.33%
N/A: 26.88%

Survey caveats

This survey was conducted in a limited scope with a small sample size, including MIFA members and other healthcare industry participants. There were 98 total respondents. Not all questions were answered by all respondents. Some questions had a smaller number of respondents; therefore, response percentages are reflected accordingly, with some responses appearing to have large variations attributed to the smaller response sample. Given the sample size, the report should not be construed as industry standards or best practices.