Nov-Dec 2004 Newsletter
Submitted by Robin Mathias on Tue, 11/09/2004 - 8:35pm.
Lessons from Crime and Security Experts
Healthcare fraud is basically a security issue. We can learn a lot by looking at security and crime-fighting principles. The credit card industry only loses 6 cents per $100, while the healthcare industry loses at least 6 cents per dollar. We have a lot to learn. This month I’m reading: Beyond Fear by Bruce Schneier (security expert), Crime Fighter by Jack Maple (former NYPD Deputy Commissioner) and Where the Money Was by Willie Sutton (bank robber and jail breaker). These books can teach us many things about fighting fraud. The most important lesson I want you to take away is that fraud is crime and fighting fraud is security.
In this month’s issue:
- Lessons from a Deputy Police Commissioner
- Lessons from a Security Expert
- Lessons from a Bank Robber
- New Tele-class: Think Like a Criminal
——————————-
Lessons from a Deputy Police Commissioner
What you can learn from: Crime Fighter: How You Can Make Your Community Crime-Free
by Jack Maple with Chris Mitchell
In Crime Fighter we learn that enforcing sound principles can turn a losing fight against crime into a winning fight. Using the four principles below, the NYPD dramatically reduced crime in just two years (from 1994 to 1996):
1) Accurate, timely intelligence. Every day each precinct reviewed its crime statistics on a map that was posted in the station. At each level, decision makers were held responsible for the crime in their area. They would use the maps to help establish patterns and track down the criminals.
We’ve got to make it easier for people to submit accurate bills quickly, then we’ve got to monitor billing daily or weekly, rather than monthly or quarterly. And we need good intelligence about what we’re fighting. Right now, we only know about a fraction of the fraud that is being committed.
2) Rapid deployment. They put cops where the maps showed there was a lot of crime (he calls it “put cops on dots”), at the times when there was a lot of crime. Previously, most detectives had worked 9 to 5 on weekdays. It is no surprise that that was not when most of the crimes occurred. A lot of crimes occurred as officers were changing shifts, and many officers decided they would rather go home on time than stop a crime.
What is the lesson for fraud? First we need to have more “cops on dots.” We don’t have the manpower to come up with all the ideas, much less to follow through on them. Where possible, we need to use automation to bring our attention to where the dots are. We need to have some security that flags claims in real time for review. We’ve got to stay on top of new patterns and build cases quickly. We’ve come a long way in this area, but we’re still lagging too far behind the crimes.
3) Effective tactics. Maple outlines seven tactics they used to accomplish the goals of: arresting people early in their crime spree, pressuring them to abandon their worst behavior and taking away their guns. For us, this translates into: catch them early, put restrictions on their participation, and take away their licenses (and don’t let them get licensed elsewhere).
4) Relentless follow-up and assessment. Maple helped set up cold case units that would go over old cases to see if anything had been missed. They’d work with the original detectives to make sure that they learned from their mistakes.
It seems like in fighting healthcare fraud, we rely almost entirely on cold case evaluation. We’re reviewing claims months or years after the service occurred. If we had real time investigations of crimes early in the spree, then the cold case investigations would focus on what was left and help us improve the quality of our real time investigations.
——————————-
Lessons from a Security Specialist
Beyond Fear: Thinking Sensibly about Security in an Uncertain World
by Bruce Schneier
1) Security is only as strong as the weakest link. If a crook can enroll as a provider without providing any credentials and can bill using a list of patients stolen from another provider, then all the computer network security in the world is not going to help you. If he can create believable bills, most of your sophisticated algorithms aren’t going to find him. Provider enrollment is just one of many very weak links in healthcare payment.
2) Class breaks allow a perpetrator to attack several systems with the same ease as he can attack one system. “You can be vulnerable simply because your systems are the same as everyone else’s.” The standardization required under HIPAA is going to make it easier for us to use fraud fighting algorithms developed for one plan to find fraud in another plan, but it will also make it easier for criminals to use the same exact scam in multiple places.
3) Automation allows attackers to make a huge number of attacks with about the same effort as one attack. The payoff for each attack can be very low, since the cost is low. If I set up a booth at the mall offering free chiropractic exams, I can collect insurance information for hundreds of patients in a weekend. I can bill weekly services for each of those people, while I move to a new location to collect more insurance data. Automation also means that only one attacker has to be smart, while the rest can just use his software or methods to carry out the fraud.
4) Defense in depth uses multiple counter-measures to protect assets. There is no silver bullet. You’ve got to implement different kinds of security that overlap. This is why HIPAA requires restricted access to locations with sensitive data, as well as passwords, and need-to-know authorization restrictions.
5) Good security systems are resilient. Every security system fails sometime. Good systems aren’t brought down by a single failure. To be resilient, a system should be dynamic (it can respond to new threats) and should not be overly reliant on secrecy. If your security relies on intruders not knowing that your back door doesn’t lock, it is not a very resilient system. Lots of computer systems have back doors that are only guarded by supposed secrecy.
——————————-
Lessons from a Bank Robber
Where the Money Was: The Memoirs of a Bank Robber
by Willie Sutton with Edward Linn
1) Specialized knowledge learned for legitimate reasons can be valuable for criminal activities. Before becoming a bank robber, Willie Sutton worked at an insurance company that had a banking department, worked on ocean liners cutting their hulls with an acetylene torch, and worked in a repair shop fixing household items, including burglar alarms. He didn’t get those jobs so he could learn to rob banks, but he said, “I never doubted that I was going to be putting all this specialized knowledge to the best possible use.”
The lesson is don’t assume that criminals don’t have the skills they need to commit fraud. Maybe they learned these skills as an assistant at a doctor’s office, a file clerk at a hospital or a temporary employee at your HMO.
2) Criminals devote serious resources to stealing. “A professional thief is a man who wakes up every morning thinking of committing a crime, the same way any other man gets up and goes to his job,” said Sutton.
We’ve got to wake up every morning thinking of how we would commit the crime, if we were the criminal (that’s what my new tele-seminar is about: Think Like a Criminal). Fighting fraud is a full-time job.
3) Sometimes the crime itself is the reward. Although Willie Sutton is most famous for saying that he robs banks, because “that’s where the money is,” his real feelings were a lot clearer. “Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I’d be out looking for the next job.”
Some people just love cheating. Somebody may hack into your claims payment system just to see if they can. They might even tell other people exactly how to do it. Then there could be hundreds of people stealing your data to create false claims. If people weren’t motivated by challenges, we’d expect them to only use the simplest methods to defraud us. Stealing data from your system might not be the easiest way to commit fraud, but for some people it will be the most thrilling.
4) If you respond to every security breach by strengthening the weakest point, you end up with great security. Willie Sutton liked breaking out of jail almost as much as he liked robbing banks. Breaking out of Sing Sing was a big challenge for him, because there had been so many attempts to break out. The authorities had already found out about all the easiest ways to break out and made them much more difficult. Sutton still managed to break out.
I’m not suggesting you remain reactive in your fraud fighting, but if somebody shows you where the secret door is, you should probably remove that point of entry or put a lock on it. Of course to do this, you’ve got to know when somebody has broken in. That’s a big challenge in healthcare fraud.
5) The biggest security strength can be made its greatest weakness. Nobody had ever escaped from Holmesburg before. A prisoner has nothing to do all day except think about how to escape. Thick steel doors with small windows are hard to break through, but they have limited visibility. Sutton was able to hide in the blind space next to the door, then slip out with a gun. He forced guards to exchange clothes with him and fellow prisoners. Pretending to be guards they walked out during a snowstorm, put a ladder against the wall, told the tower guards everything was under control, and climbed over the wall. At each step, because nobody had ever escaped before, the guards were taken completely by surprise.
Prior authorization is one of our stronger tools for reducing unnecessary use of services. However, if we say that prior authorization is required only when services exceed a certain threshold, we’ll find that a large number of patients end up receiving services just to the point where prior authorization is not required. For some services, that makes sense. We expect to see lots of people getting two dental exams per year and one pair of glasses. But if our cap is somewhat arbitrary (10 units of oxygen per month), and 50% of the people get 10 units per month, then we have to assume that we’ve simply capped the waste at 10 units, rather than eliminated it.
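The bunching check described above, as an added example (not part of the original newsletter): it sums claim lines per patient, measures the share of patients billed exactly at the prior-authorization threshold, and compares it with the shares just below. The sample claims, the thresholds in `CAPS`, the cut-offs `min_share` and `min_ratio`, and the `expected_at_cap` list are assumptions made for illustration.

```python
from collections import Counter, defaultdict

def units_per_patient(claims):
    """Sum claim lines to one total per (service, patient) for the period."""
    totals = defaultdict(int)
    for service, patient, units in claims:
        totals[(service, patient)] += units   # split billing still adds up
    by_service = defaultdict(list)
    for (service, _), total in totals.items():
        by_service[service].append(total)
    return by_service

def bunching(totals, cap, window=2):
    """Share of patients exactly at the cap, and its ratio to the average
    share at the `window` unit counts just below the cap."""
    counts, n = Counter(totals), len(totals)
    below = [counts[cap - k] / n for k in range(1, window + 1) if cap - k >= 1]
    baseline = sum(below) / len(below) if below else 0.0
    at_cap = counts[cap] / n
    ratio = at_cap / baseline if baseline else float("inf")
    return at_cap, ratio

def review_caps(claims, caps, expected_at_cap=(), min_share=0.3, min_ratio=3.0):
    """Label each capped service 'review', 'expected' or 'ok'."""
    verdicts = {}
    for service, totals in units_per_patient(claims).items():
        at_cap, ratio = bunching(totals, caps[service])
        if at_cap >= min_share and ratio >= min_ratio:
            # Clustering at the cap can be legitimate (two dental exams a year).
            verdicts[service] = "expected" if service in expected_at_cap else "review"
        else:
            verdicts[service] = "ok"
    return verdicts

# Constructed sample data (not real claims): (service, patient_id, units).
CLAIMS = (
    [("oxygen", f"A{i}", 10) for i in range(40)]
    + [("oxygen", f"B{i}", u) for i in range(10) for u in (6, 4)]  # two lines, total 10
    + [("oxygen", f"C{i}", i % 9 + 1) for i in range(50)]          # spread over 1..9
    + [("dental_exam", f"D{i}", 2) for i in range(80)]
    + [("dental_exam", f"E{i}", 1) for i in range(20)]
    + [("physio", f"F{i}", i % 12 + 1) for i in range(120)]        # no bunching
)
CAPS = {"oxygen": 10, "dental_exam": 2, "physio": 12}  # assumed thresholds

if __name__ == "__main__":
    print(review_caps(CLAIMS, CAPS, expected_at_cap={"dental_exam"}))
```

A service labelled `review` is a prompt to re-examine where the threshold sits, not a finding of fraud against any patient or provider.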
——————————-
New Tele-class: Think Like a Criminal
December 7, 2004 at Noon Eastern
Sign-up
Learn more about how to adapt crime fighting techniques to healthcare fraud control. There will be a 60-minute presentation followed by 15 minutes for questions.
Robin Mathias will present: Think Like a Criminal. The fraud you read about in the news is just the tip of the iceberg. If you only look for the fraud that other agencies have already found, you’ll miss most of the fraud. In this session you’ll learn about the importance of going beyond known fraud to uncover the hidden fraud. Criminals are constantly looking for new ways to steal. They review every provider bulletin and policy announcement looking for new loopholes. They test each potential weakness they can think of, looking for the perfect scam. To have any chance of stopping fraud, we must look at each of our policies with a criminal eye.
