Healthcare CFO's Guide to Smart Card Technology

Technology is an ever-changing and evolving aspect of modern business. In healthcare, most agree that the use of technology is essential to achieving many of the milestones critical to healthcare reform. Three primary drivers are increasing the use of technology in healthcare:

• The need to lower costs and create administrative efficiencies
• The need to improve patient outcomes and enhance physician and patient relations
• The need to meet increasing privacy, security and identity concerns, as a result of Federal and state directives mandating increased control over private information

TABLE OF CONTENTS
1 INTRODUCTION
2 HOW SMART IS A SMART CARD?
3 SMART CARD USE WORLDWIDE
3.1 IDENTIFICATION CARDS
3.2 PAYMENT
3.3 MOBILE TELECOMMUNICATIONS
3.4 HEALTHCARE
4 HOW SMART CARDS CAN IMPROVE HEALTHCARE
4.1 COST REDUCTIONS
4.2 USER AUTHENTICATION AND AUTHORIZATION
4.3 IMPROVED PATIENT IDENTIFICATION AND WORK FLOW
4.4 CLAIMS DENIAL AND REVENUE CAPTURE
4.5 EMPLOYEE CREDENTIALS FOR STRONG AUTHENTICATION
4.5.1 HIPAA Compliance
4.5.2 Benefits throughout the Hospital
4.5.3 Network Security
4.6 IMMEDIATE ACCESS TO LIFESAVING INFORMATION
4.7 HEALTHCARE FRAUD, ABUSE, AND MISUSE
4.8 LANGUAGE ISSUES AND PATIENT HEALTH RECORDS
4.9 PATIENT AND PHYSICIAN SATISFACTION
4.10 SUPPORT FOR A NATIONAL HEALTH NETWORK
5 CONCLUSION
6 RESOURCES AND REFERENCES
7 PUBLICATION ACKNOWLEDGEMENTS



2009_Healthcare_CFO_Guide_to_Smart_Cards_FINAL_012809.pdf

Visit the Smart Card Alliance at http://www.smartcardalliance.org/ for more information

Excerpts

Table 2. Smart Card Benefits
Stakeholder Benefit

Patient
• Positive identification at initial registration
• Secure and portable health record
• Personal ownership and control of access to medical records
• Easier and faster registration
• Improved and faster treatment and medical care
• Positive identification for payer coverage, treatment, and billing
• Accelerated treatment in emergencies
• Audit trail through a course of treatment that crosses multiple organizations

Healthcare Provider
• Instant patient identification
• Accurate link between patients and institutional medical records
• Elimination of duplicate and overlaid records
• Faster care delivery in emergency care settings
• Rapid accessibility to patient medical history
• Potential reduction in adverse events and medical errors due to lack of patient information
• Reduction in claims denials
• Faster access to key medical record data
• Integration with legacy systems with nominal IT costs
• Audit trail through a course of treatment that crosses multiple organizations
• Reduction in unnecessary/duplicate diagnostic tests or procedures by showing results from other medical providers

Healthcare Delivery Organization
• Accurate patient identity
• Reduced medical record maintenance costs (duplicate/overlaid)
• Streamlined administrative processing
• Increased awareness of provider brand, in and out of the service area
• Strengthened voluntary physician/referral relationships
• Ability to support value-added service to patient community

Payer (Insurance, Pharmacy Benefits Manager)
• Positive identification of the insured
• Verification of eligibility and health plan information
• Reduction in medical fraud
• Reduction of duplicate tests and reduction in payments
• Enforced formulary compliance
• Immediate adjudication at point of care
• Potential integration with health savings account (HSA) cards

Healthcare Employer
• Highly secure identity credential for both physical and logical access
• Single sign-on capabilities (reduction in help desk calls/password management requirements)
• Link to other employee services (ID badge, parking, cafeteria)

4.1 Cost Reductions
A major advantage of using smart cards in healthcare is the reduction in costs that results from improving the efficiency of handling medical and administrative information, which also increases the quality of service. Smart cards support strong authentication of the patient's identity and quickly deliver accurate patient information to the provider. Smart cards can be integrated into current systems and processes within the healthcare industry to provide numerous benefits:

• Secure patient identification.
• Reduced administrative time and cost by automating patient identification.
• Reduced duplication of records.
• Fewer errors and adverse events through the use of accurate and timely information.
• Reduced number of rejected claims and faster payments, by using accurate patient information.
• Reduced fraud and abuse through proper patient identification.
• Reduced claims processing costs through real-time adjudication of claims and insurance coverage verification.
• Increased patient satisfaction, resulting in improved patient loyalty.

As an example, smart cards can facilitate rapid identification of a patient arriving at an emergency room and rapid retrieval of lifesaving information about medical history, recent tests, treatments, and medications. This critical information can be stored on the smart card chip or the smart card can provide secure access to data stored elsewhere. Smart cards can also provide fast access to demographic and insurance information, critical to an accurate registration/admissions process and to downstream billing and payment processes.

4.2 User Authentication and Authorization
Identification, authentication, and authorization are the pillars of security in the electronic world. As the industry moves from paper to electronic medical records, there is growing awareness of the need for secure and encrypted transitional solutions. The National Health Care Anti-Fraud Association estimates that 3% of annual healthcare spending ($68 billion in 2007) is lost due to healthcare fraud.

In addition to the financial loss incurred by healthcare fraud, fraud poses tangible health risks for patients whose records are compromised or manipulated. The case is therefore even stronger for imposing stricter security controls on health information. With the creation of large clinical data exchanges and the ready availability of information on the Internet, all system users need to be properly authenticated before being allowed to access information.

System user privileges must be assigned using role-based access controls. And finally, all individuals must have the appropriate authorization to initiate particular transactions. Smart cards play the critical role of properly identifying and authenticating the individual who needs access to a system. If an unauthorized user accesses the system, all other functions fail. Therefore, it is critical that the way in which the user is authenticated be secure.

Smart cards trust nothing until proven otherwise. For example, smart cards can require cardholders to authenticate themselves first (with a personal identification number (PIN) or biometric) before the cards will release any data. And smart cards support encryption, providing patient data privacy and enabling at-home or self-service applications in suspect or untrusted environments to be secure.

The smart card's embedded secure microcontroller provides it with built-in tamper resistance and the unique ability to securely store large amounts of data, carry out its own on-card functions (e.g., encryption and digital signatures), and interact intelligently with a smart card reader.

Smart cards have a long history in the security sector. Governments, financial institutions, and healthcare entities worldwide have recognized the security of smart card systems for user identification, authentication and authorization. Smart card technology is being deployed for international citizen identification cards and within the U.S. Federal Government. In both the security and identity sectors, multi-factor authentication methods have been used aggressively to protect both logical and physical access. [20] It is a natural and much-needed progression for smart cards to provide robust and proven solutions for healthcare.

4.3 Improved Patient Identification and Work Flow
Accurate registration and identity verification can be extremely challenging for hospitals and clinics. Busy waiting rooms, thin staffing levels, and manual transcription of important data from handwritten forms create many opportunities for error. Smart cards can provide positive identification of the patient at the registration desk, by allowing personnel to verify that the patient who is presenting the card matches the photograph on the card or by use of a biometric stored on the smart card.

Using a smart card to verify patient identity can offer healthcare providers the following benefits:

• Make it easy to link patients to the correct medical records
• Reduce the creation of duplicate records
• Reduce the potential for medical identity theft and fraud
• Improve the efficiency of the registration process and the accuracy of data
• Improve the revenue cycle and reduce the number of denied claims

Studies have found that on average, 5%-15% of a hospital's medical records are duplicated or overlaid. [21] This is a serious problem, which many institutions have attempted to remedy with costly and inefficient medical record cleanup initiatives. The flaw in these efforts is that they address the problem after it has occurred rather than addressing the root cause, so duplication continues year after year.

Industry benchmarks place the cost of medical record correction at $20-$100 per duplicate, but these figures can quickly escalate to hundreds of dollars per case when multiple systems are involved and total personnel resources are considered. [22,23] The more duplicates there are in a system, the higher the rate of new duplicates. The growth rate becomes exponential with the size of the patient database. [24]

One manifestation of these issues is the additional cost incurred by an institution. Unnecessary or redundant tests and procedures are often performed due to incomplete or unavailable medical records. In addition, duplicate and overlaid medical records can have dire consequences for patient care and outcomes, exposing an institution to malpractice liability, errors, and adverse events.

Consider, for example, a 300-bed hospital facility with a database of 250,000 patients. If 10% of these records are duplicated (25,000 records), the average cost of cleanup is $500,000-$2,500,000.

Unfortunately, without any change in process, this cleanup will need to be repeated every 2-3 years. By implementing smart card technology as part of the admission and registration process, an institution can reliably identify its patients, increase the accuracy of data capture, optimize patient throughput, accurately link patients to their medical records, and ultimately improve patient experience and satisfaction.

Smart cards can greatly reduce medical record maintenance costs associated with errors from duplicate or commingled patient records. These errors occur when a new record is created for an existing patient, or the wrong patient record is selected. Reducing identity errors during patient registration can also greatly improve billing and collection processes and enhance revenue capture.

4.4 Claims Denial and Revenue Capture
Two of the most common reasons for claims denials are incomplete demographic information and incomplete insurance information, which can cost a healthcare institution millions of dollars in lost or delayed revenue. Most healthcare CFOs are acutely aware of the high cost of reviewing and resubmitting old claims and the revenue lost because of cumbersome claims processing, including detailed chart reviews and outreach to patients and physicians for additional information.

The healthcare revenue cycle is highly dependent on the front-end registration process, which drives much of the downstream claims process. Studies estimate that 50%-90% of claim denials could be prevented by securing accurate patient information at the front desk. [25,26] According to a study by PNC Financial Services, one out of five claims submitted is delayed or denied by insurers, and 96% of claims must be resubmitted at least once. [27] The statistics highlight serious administrative problems that burden providers, payers, and patients. Smart card technology can greatly improve the accuracy of routine data capture. Instead of transcribing information from paper forms and increasing the risk of human error, smart cards can access or provide insurance information, demographics and other patient information, reducing claim denials and increasing cash flow.

4.5 Employee Credentials for Strong Authentication
Smart cards are deployed in hospitals around the world as secure employee credentials. The cards give healthcare providers and hospitals the ability to consolidate a wide variety of functions without compromising on security. Smart cards can be used to authorize physical access, permitting only those personnel who are authorized to enter certain areas of a hospital (such as the pharmacy, operating room, network server room, or human resources).

They can also be used to authorize logical access to hospital networks and computers and assist in complying with the HIPAA requirements for privacy and security. Smart cards provide two-factor authentication, allowing employees to prove their identities in two ways: using something they have (the secure and personalized ID badge) and something they know (their PIN) or something they are (a biometric, such as a fingerprint). Multi-factor authentication provides a higher level of identity verification. In addition, the multi-factor authentication process can be cryptographically protected to assure robust security for corporate network resources.

Smart cards can be deployed easily into existing infrastructures and operate with many industry-leading security applications. Smart card support for standards and interoperability is a key advantage of using smart card technology in identification systems.

4.5.1 HIPAA Compliance
The security and privacy of medical records have increasingly been in the news. A recent Harris Interactive Poll [28] estimated that 9 million adult Americans, or 4 percent of the population, believe that they or a family member have lost confidential personal medical information or had the information stolen. The poll suggests that Americans are not only concerned about medical identity theft but are also concerned that their personal information might be violated.

Implementing strong authentication within a medical facility will not eliminate but will certainly reduce the risk that personal health information is compromised. Adopting smart card technology for use as a secure employee credential for physical and logical access assists with HIPAA compliance for privacy and security. Smart cards comply with the strong privacy guidelines in HIPAA and can be a key component in enforcing a medical facility's privacy and security policies.

Smart cards can provide easier information access management, ensuring that users are following established security policies.
