Ace2020/istock via Getty Images
Identifying and Preventing Prescriber Identity Theft in the Digital Era
Identifying and preventing prescriber identity theft in the digital era is a complicated but critical process for minimizing the impacts on patients, providers, and the healthcare system.
Between 2013 and 2015, the Federal Trade Commission (FTC) identified nearly 10,000 cases of prescriber identity theft. An article by the Cooperative of American Physicians states that 10% of prescribers have had their Drug Enforcement Administration (DEA) number stolen or lost, with an additional 29% knowing someone who has experienced DEA number fraud. While everyone would like to believe that cases of prescriber identity theft are rare, data shows it is more common than most people assume. Prescriber identity theft — which leads to prescription drug fraud — has long-lasting impacts on prescribers, patients, and the healthcare system. Although anyone can fall victim to prescriber identity theft, there are ways to identify and prevent it, minimizing risk.
Prescriber Identity Theft
Colin Banas, MD, Chief Medical Officer at DrFirst, defined prescriber identity theft as “this notion of a nefarious actor somehow gaining access to the things that identify a prescriber, using those credentials to go to various other sites connected to the internet, whether that's web or app, and obtaining prescribing privileges.”
Prescriber identity theft is similar to regular identity theft because it requires impersonation. However, unlike traditional identity theft, prescriber identity theft’s reach goes far beyond the person whose identity has been stolen.
Paper vs Digital Prescriptions
Banas, having been a provider in the paper, hybrid, and digital world, provides a unique perspective and context to prescriber identity theft. Throughout all three eras, prescriber identity theft has been a concern; however, the methods and risks have changed. He explains that before digital prescribing became widespread, providers exclusively used prescription pads. One of the caveats with paper prescriptions is that they can be easily stolen.
He revealed that he and many of his colleagues had prescription pads stolen, and people were writing prescriptions under his name. They could continue to do that until they made a mistake and someone at the local level alerted him. In a paper world, prescriber identity theft was local, making it — in some cases — more straightforward to identify.
“There were local safeguards, and now that everything's digital, imagine stealing the prescription pad, except now it's not local. It could be anywhere. I would have no insight into what someone is doing under my name halfway across the country. There's no system for that,” said Banas.
The digital age has compromised prescriber identity and strengthened safeguards against prescriber identity theft. It is essential to look at both sides of the argument when discussing the effects of digital healthcare on prescriber identity theft and prescription fraud.
Like anyone else, providers prefer to reuse usernames and passwords to help them remember them more quickly; however, this practice compromises their security. Banas explains that once someone has a username and password credentials, they can try multiple different sites and see if it works again.
“The good news is that there are many safeguards in digital prescribing and e-prescribing controlled substances. The bad news is that the bad guys are getting good at it, even in a digital world,” said Banas.
“I don't think anybody would advocate returning to a paper world or a fax world. There are excellent authentication methods to ensure that the right person is writing that prescription at the right time,” he continued. “But, the bad guys are also getting equally sophisticated. And so the problem, as mentioned before, is that the care apparatus is so ubiquitous. Someone could take over my identity, pretend to be a doctor on a telehealth platform, or sign up for another e-prescribing platform. And the problem is, I would have no visibility into that and wouldn’t know that someone is writing prescriptions under my name in California.”
Impacts of Prescriber Identity Theft
The impacts of prescriber identity fraud are pervasive, affecting nearly every key player, including patients, prescribers, payers, and the rest of the healthcare system.
Prescribers
For the prescriber, the impacts are comparable to consumer identity theft. According to a document by the Centers for Medicare and Medicaid Services (CMS), prescriber identity theft can take years to identify. Once identified, it can take significant time to deal with or correct.
“If I have to clean up my prescriber identity, that's time spent away from the patient. When my prescription pad was stolen in the paper world, it was a big deal. It took a long time to untangle all the things the person had racked up under my name,” added Banas.
This may take even more time in the digital age because of the broad reach of digital prescribing. The CMS notes that dealing with prescriber identity theft includes responding to overpayment demand letters, communicating with the IRS, and correcting credit issues, leaving little time for the provider to spend caring for patients. Cycles of time spent addressing prescriber identity fraud contributed to wasted productivity, leading to increased healthcare spending.
Beyond the time it takes to correct prescriber identity theft, the CMS notes that being a victim of identity fraud could alter a prescriber’s reputation, making patients and other providers less likely to go to or refer to the victimized prescribers or their practice.
Patients
From the patient’s perspective, prescriber identity theft is a significant threat to their well-being, as prescribers can impersonate doctors on telehealth platforms. According to a report in IBIS World, the United States has 1,387 telehealth businesses, with the industry growing nearly 30% each year since 2018.
Many telehealth businesses are legitimate and have become critical tools for delivering healthcare services to patients throughout the pandemic. However, when using a telehealth platform for care from a provider they have never met, patients run the risk of speaking to someone who is not licensed.
“Perhaps a patient doesn't realize that they're not interacting with a real medical provider or someone who's appropriately licensed and trained. They could be harmed depending on the prescriptions written,” mentioned Banas.
Identifying and Preventing Prescriber Identity Theft
Identifying prescriber identity theft has been a significant issue for many providers as it typically doesn’t happen until many fraudulent prescriptions have been written. This current system is insufficient for protecting patients and providers.
However, many alternatives have been proposed. Banas compares the potential system for preventing identity fraud to the credit monitoring system. Many credit and debit cards have procedures to monitor suspicious charges, which notify the cardholder when necessary. DrFirst and Banas are hoping for a similar model for prescribers.
Banas mentioned that one way to manage prescriber identity theft is through monitoring prescriber trends. He said that DrFirst developed a mobile prescribing platform that tracks where a specific prescriber is located, the volume of prescriptions, and the type of medications. With all this data, the platform can detect deviations or over-utilization.
Protecting Providers
Banas provided some recommendations to providers on protecting themselves against prescriber identity theft. The first suggestion is to refrain from reusing usernames or passwords. This provides an extra layer of protection should one set of credentials be compromised.
In addition to that, he urges providers to use two-factor authentication whenever possible. Despite the benefits of two-factor authentication, some people have been able to spoof phone numbers and override the protection of two-factor authentication, allowing additional identity theft. Instead of two-factor authentication that uses SMS to confirm identity, Banas recommends technology such as fingerprints, face IDs, or passkeys.
Additional recommendations proposed by the CMS include updating information with payers frequently, monitoring billing, and training staff to avoid giving out identifiers to unknown providers. Providers who still use paper prescriptions are urged to control them and keep them from being in an unsecured location when not in use.
“Healthcare lags behind other industries. Pick your time interval, but probably a decade. Many of these monitoring and notification services have been nailed by other industries. That's where we need to get in healthcare for a lot of this identity management. I'm glad to see the momentum finally picking up,” concluded Banas.