Paper prescriptions were and continue to be targets for fraud. Common methods of fraud with paper prescriptions include altering a medication name, dosage, or refill amount, stealing blank prescription forms, calling in prescriptions, or doctor shopping. By 2010, the year electronic prescribing standards were introduced, the CDC estimated that abuse of opioid pain relievers cost health insurers approximately $72.5 billion annually. Sales of opioid pain relievers quadrupled between 1999 and 2010.
Electronic prescribing combats this by introducing checks on the system, which include identity verification, two-factor authentication, and access controls. Starting in January 2023, providers who issue prescriptions for controlled substances to Medicare Part D beneficiaries will be required to do so electronically, the first federal compliance deadline of its kind.
But the criminals didn’t go away when e-prescribing was introduced. They adjusted, getting more sophisticated and opportunistic with their tactics.
As technology evolved to improve society, criminals and their networks on the dark web evolved to exploit weaknesses within e-prescribing systems and impersonate healthcare providers — often with deadly results. According to the NIH, in 2020 there were 16,416 drug overdose deaths involving prescription opioids. Now, technology is evolving again in a way to make it harder for criminals to cause harm.
Identity verification of prescribers plays a critical role in combating new and emerging fraud vectors in electronic prescribing. It requires constant innovation to ensure that determined networks of fraudsters aren’t undermining the system in new ways that ultimately harm society.
Stealing a doctor’s prescription pad used to be a way that criminals could gain direct access to prescription opioids. Electronic prescribing thwarts that through deprecating paper prescriptions. While national overdose deaths involving opioids have steadily increased over the years, according to the NIH deaths involving exclusively prescribable opioids have been on the decline since e-prescribing was introduced.
Regulating the manner in which identity verification took place in e-prescribing was introduced in 2010. The DEA’s rule, “Electronic Prescriptions for Controlled Substances” revised regulations to allow for e-prescribing and set the standards for how electronic prescribing for controlled substances would be implemented. This was a major development at the time. DEA received over 200 public comments on the ruling and collaborated with the Department of Health and Human Services and a number of other federal healthcare and technology agencies to produce the ruling. This standard is still in place today.
The DEA ruling is important because it empowered the states to take those standards and create their own state-wide mandates. Starting in 2016 with New York, now 36 states have active or pending legislative mandates that controlled substances must be prescribed electronically. Six of those states have even gone farther and passed legislation saying that all prescriptions must be prescribed electronically. According to the 2021 Surescripts National Progress Report, 73% of controlled substances prescriptions were sent electronically in 2021, a significant increase from just 38% in 2019.
The problem? Since 2010, technology has advanced for how we verify identity — and the fraudsters are catching up. With fewer physical prescription pads out there, fraudsters are moving their tactics online and attempting to steal the identities of real healthcare providers so they can illegally write prescriptions.
When the DEA codified e-prescription rules in 2010, the standard process for proving identity included what is known as Knowledge-Based Authentication (KBA).
KBA is the process of asking an applicant a series of questions only they should know to prove their identity. But over time, fraudsters learned how to use bots and other methods to answer questions many people are generally bad at answering correctly about themselves. Additionally, a series of hacks, including the Equifax breach in 2017, have resulted in tens of millions of consumers’ having their personal information dumped onto the dark web, where information like Social Security numbers sell for less than $2. So over the years, KBA has steadily become less effective.
I believe it’s critical for the private and public sectors to collaborate and adopt the updated NIST identity verification standards for e-prescribing.
In response, in June of 2017 the National Institutes of Standards and Technology published updated identity verification guidelines, called NIST Special Publication 800-63-3, which created a new standard called Identity Assurance Level 2, or IAL2. This removed KBA as an option for identity verification and instead replaced it with two key changes: First, a picture ID such as a driver’s license or passport is required. And second, the image on the ID needs to be compared to an image/video of the person’s face if identity verification is being done remotely.
EHRs certify their software with Surescripts, according to NIST Special Publication 800-63-3 from June of 2017, and my company, ID.me, provides EHRs with required identity proofing to ensure the providers are who they say they are. ID.me adamantly supports certification in accordance with NIST Special Publication 800-63-3 from June of 2017.
Beyond just e-prescribing, ID.me is the world’s largest identity network, with more than 90 million accounts created, and growing, in America. Our identity verification services power an individual’s access to everything from filing unemployment claims, to accessing tax records, to e-prescribing. Moreover, the identity credential a user gets with ID.me is portable in a digital wallet — similar to a Paypal for identity — so it can be used to prove your identity anywhere ID.me is accepted.
At ID.me, we were already moving away from KBA for our healthcare clients in 2021 due to fraud concerns. The results were undeniable. For example, one of our partners saw cases of confirmed fraud drop by more than 90% within six months from when they migrated to the guidelines set by NIST Special Publication 800-63-3. This pattern of fraud reduction has remained consistent across all sectors that ID.me serves, from government to healthcare alike.
Society pays a high price for subscription abuse. Criminal attempts to infiltrate the prescriber community are a constant threat, and standards must evolve in order to combat fraud and prevent opioid abuse. I believe it’s critical for the private and public sectors to collaborate and adopt the updated NIST identity verification standards for e-prescribing. High standards in digital identity authentication, as well as robust fraud prevention measures to block and tackle fraud, will help our nation combat the opioid epidemic.
Valerie Holland is the Director of Commercial Identity at ID.me.
