
Virginia’s Identity Verification to Reduce Fraud and Increase Efficiency in Shared Services

A technology project that started with a focus on Medicaid will soon produce Virginia’s first enterprise shared service for e-government applications. Called the Commonwealth Authentication Service (CAS), the new system will offer a way for any Virginia agency to manage the identities of people who do business with state government online.

Virginia agencies already take advantage of shared services for internal functions like email, employee identity management and data storage, said state CIO Sam Nixon. But CAS is breaking new ground. “This will be a shared service, state-of-the-art identity management that will be citizen facing.”

CAS got its start about two and a half years ago, as Virginia’s Department of Motor Vehicles (DMV) started making plans to buy a set of Oracle Corp. identity management tools.

“That’s quite a powerful suite to have for just one agency,” said David Burhop, the DMV’s deputy commissioner and CIO. As fortune would have it, though, another state department also needed those capabilities.

Virginia’s Department of Health and Human Resources (HHR) was gearing up to comply with the new federal health insurance law, which meant implementing new technology to manage its Medicaid programs and determine eligibility. That system required an identity management component — a system to ensure that when John Doe applied online for benefits, the government could trust that he actually was John Doe.

And officials at HHR didn’t just want their new eligibility system to work for Medicaid; they wanted to use it for a broad spectrum of programs dealing with health care, hunger, disabilities, child care and other issues.

Sharing the same back-end technology would let HHR’s agencies also share information, said William Hazel, Virginia’s secretary of health and human resources. “If someone’s applying for benefits in multiple programs, you don’t have to put the same data in multiple times.” Additionally, if they spent less time entering data, employees could operate more efficiently, he said. “That allows us to use our workforce to be more problem-solving for individuals and families and help hook them up with solutions for their particular needs.”

As the department began planning for its new identity management system, the DMV — the state’s identity management expert — became a natural partner.

HHR bought the enterprise service bus, rules engine and data management tools that the DMV had been planning to purchase, Hazel said. “We essentially gave them to our DMV and said, ‘OK, you develop it.’” So a team led by staff at the DMV got to work on CAS.

Money to purchase the tools and create CAS came largely from a pool of federal funds designed to help states develop the Medicaid Information Technology Architecture. In 2011, the U.S. Office of Management and Budget decided that when states used this funding to develop systems for their Medicaid programs, other state organizations could use those systems as well, as long as they paid a share of the operating costs. That opened the door for Virginia to stretch the benefits of CAS — and the costs of its ongoing operation — across multiple state organizations.

“It doesn’t make sense to the commonwealth to say only health agencies can use it,” said Aaron Mathes, Virginia’s deputy secretary of technology. “We want other agencies to be able to authenticate against the database and use the algorithms that we develop.”

Hazel agreed: “The goal is to create a tool for the commonwealth without having to have a separate tool in every agency.”

Although Virginia developed its Commonwealth Authentication Service (CAS) mainly to support citizen applications, state agencies also can use it to manage identities of employees from other jurisdictions who do business with the state.

An example is the Office of Comprehensive Services (OCS), a branch of Virginia’s Department of Social Services that supervises local governments in implementing services to at-risk youth. These services receive combined state and local funding.

Local governments use several online applications to report expenditures to the state for reimbursement. OCS needs assurance that the individual who logs on to submit such a report is authorized to do so, said OCS Executive Director Susan Cumbia Clare.

The current authentication system isn’t very sophisticated, Clare said. “We’ve had issues with folks sharing logins or passwords. We [can’t] ensure that [those] who are logging in are actually the individuals who are authorized.” Better controls on who can submit and certify financial information will reduce the opportunity for fraud, she said.

The authentication service could also help OCS ensure that client information is only accessed by authorized individuals, Clare added.

Within CAS, authenticating local government employees will be the same as authenticating private citizens, said David Burhop, CIO of the Virginia DMV, which is leading CAS’ development. “CAS isn’t written specifically for any one application or function. It’s an authentication engine that integrates with any agency application that can consume Web services and securely pass the required data back and forth.”

While CAS will determine whether a local government employee who presents herself online actually is who she says she is, it won’t determine whether that employee can view or use particular data, Burhop said. “Access will still be the responsibility of the organization using CAS.”

So in the future, for example, if a Virginia resident uses an online portal to register to vote, the State Board of Elections might use the shared service to verify that citizen’s identity, Mathes said. “While the [State Board of Elections] may keep a completely separate database of registered voters, that registered voter is verified based off the Commonwealth Authentication Service.”

In developing CAS, the DMV is using three levels of identity authentication assurance. Which level the system applies depends on the transaction a citizen needs to conduct.

A person who goes online simply to set up an account (Level 1) just has to provide information about him- or herself, including a name. “It could be Mickey Mouse; it could be anybody,” Burhop said. “They don’t do any verification there.”

But when a transaction requires two-way communication, CAS will verify the individual’s identity. It will obtain this Level 2 assurance by testing the person’s knowledge about information held by the DMV — asking him, for example, dynamic questions such as the make and model of his first car registered in Virginia. “We use that now for DMV, and it works quite well,” Burhop said.

Level 3 comes into play when a person transacts business on behalf of someone else — in a guardianship relationship, for example. At that level, CAS will use some form of two-factor authentication, such as a one-time password or a public key infrastructure certificate.

Of course, not everyone holds a driver’s license: Probably 25 to 30 percent of Virginia residents aren’t in the DMV’s database, Burhop said. Non-drivers can obtain a state ID card from the DMV for $10. Residents who can’t or don’t want to buy that card can still apply for benefits or conduct other business with the state, Burhop said. But they’ll have to do it in person.

CAS is scheduled to start operating in October, when large numbers of Virginia residents become newly eligible to apply for Medicaid benefits under provisions of the Affordable Care Act. At that point, the Virginia Information Technologies Agency (VITA) will take over responsibility for CAS, providing it as a shared service.

In the long run, any Virginia state agency will be able to use CAS, in exchange for a fee. “VITA will develop a cost recovery model of some sort that will help defray the ongoing maintenance and operation cost of that service,” Nixon said. State officials are still working out how the service will be governed and how it will evolve.

Although other agencies have been asking about CAS, VITA isn’t soliciting new participants yet, Nixon said. “We’ve been holding them off somewhat, because we don’t want to distract from the initial and intended use by HHR, particularly since they’re paying for it.” Mechanisms to support other users on CAS will probably be in place by the first quarter of 2014, he said.

One potential mechanism is awaiting approval, though.* It’s an enhanced memorandum of understanding (E-MOU) that allows different agencies within Virginia to share data as needed for the operation of CAS. HHR developed the E-MOU, based on the federal Data Use and Reciprocal Support Agreement, first to allow data sharing among HHR, the DMV and VITA. The state’s attorney general has yet to approve the E-MOU, but once approved, any other agency can use CAS, Burhop said. “All they have to do is agree to it and sign it.”

Although VITA will operate CAS, the DMV will continue to maintain the data used to verify identities. Among other things, that puts new pressure on the department to keep its data current. “We will have to have real-time updates for anyone who comes in and gets an ID card or a driver’s license, especially those people specifically coming in so they can set up an account with the Commonwealth Authentication Service system,” Burhop said.

The advent of CAS could also earn the DMV a reputation as an agency concerned with more than drivers’ licenses and vehicle registrations. “It’s obvious that our mission is shifting to include not only public safety, but also identity management,” Burhop said.

As Virginia prepares to enjoy the benefits that CAS will provide, Nixon points out that these benefits are available in part because of the state’s centralized IT structure, including a single network to support all the executive agencies. “If we didn’t have that, and HHR was paying for that service by themselves and standing it up, it would be your typical siloed agency application that’s very difficult to share with anyone else.”

But with VITA operating the system on Virginia’s enterprise network, CAS can work as a cloudlike service available to all state agencies. “They will be able to avail themselves of that capability without having to make any kind of capital investment,” Nixon said. And HHR — the system’s original user — can enjoy its benefits without bearing the full cost for maintenance and operations, he said. “That will be shared with others. So everybody wins under that arrangement.”

*Editor’s note: the story was corrected to indicate that the E-MOU is still awaiting approval from the attorney general. The quote was corrected to attribute it to David Burhop.


Identity Management: A New Way to Fight Health Care Fraud, Waste and Abuse

December 26, 2012 By Clint Fuhrman, National Director of Government Health Care Programs, LexisNexis Risk Solutions

Government health-care fraud, waste and abuse has been a major news story for the past year — and with good reason.

In 2010, the U.S. federal government issued $125 billion in “improper payments,” defined as overpayments, underpayments, inadequately documented payments and fraud. While there are many contributing factors, government agencies don’t always know who they’re dealing with, which can result in the wrong individuals receiving and/or providing benefits. Identity theft is the fastest growing crime in the U.S., and with 30 billion connected devices in use, it can be very difficult to ensure that personal information is kept private. 

When it comes to moving services online to streamline processes, reduce costs and increase convenience and efficiency, government has seized the moment. Unfortunately, the functionality that yields these benefits is what creates challenges for maintaining the integrity of the system.

That said, it is possible to leverage the Internet to its fullest potential, while mitigating negative outcomes. Take the Florida Department of Children and Families, which implemented online self-service portals to augment traditional channels. This move enabled the agency to improve its error rate to -0.5 percent, the best in the nation, while achieving a 250 percent boost in productivity. In fact, 95 percent of clients utilize the online system. Certainly these numbers are impressive, but how are they achieved?

The answer is robust identity proofing management. Government agencies must invest in identity verification and authentication at the front-end of benefit administration. The right identity-proofing strategy must be anchored by robust master data management and rules-based solutions, as well as comprehensive identity management. This type of rigorous identity management involves two processes:

Verifying, through electronic or manual means, that an individual is who they say they are; and

Authenticating that identity through knowledge-based mechanisms, i.e. questions that only they can answer.

Employing this type of system enables government agencies to mitigate fraud, reduce improper payments, increase service delivery and efficiency, and address privacy concerns.  

Identity management requirements will vary from agency to agency depending on the mission. There is no one-size-fits-all strategy. The mission of a federal agency that provides disaster relief services is to ensure efficient delivery of benefit payments to residents who have been displaced. This must be done while meeting strict regulatory requirements for timely payments, and maintaining processes that prevent fraud and improper payments. Such an agency has specific identity proofing requirements – functionality that is speedy and the ability to answer questions related to property ownership. In addition, in this scenario, the information needed at the beginning of the relationship, a simple “Who are you?”, is different from the information required downstream, “Were benefits received?”

We can contrast the above scenario with the case of an agency providing retirement benefits. In this scenario, identity proofing is designed to improve customer service over repeat visits. Instead of requiring a user to repeat the same steps every time they log on, a “data minimization” process will be utilized so that the system only asks what it needs to know to facilitate the transaction. The first time an individual registers with an online retirement system, he/she will be asked to provide his/her name and ID number, and upon registering, will answer several knowledge-based authentication questions. During subsequent visits, interactions will be “fast-tracked” since the individual’s identity has already been proven. The system will perform an invisible check to confirm his/her identity using two-factor authentication, thus requiring less effort from the user while increasing efficiencies.

Regardless of the scenario, there are four technology fundamentals that should be encompassed by any comprehensive identity management solution: 

In the identity management process, data that is broad and deep is key to maximum results. The accuracy with which you can verify that individuals are who they say they are, and the percentage of the population that can be accurately verified, depends in part on the amount and variety of data your identity management system can access. Consider what you could do with data far beyond standard demographic information and what can be gleaned from a credit bureau check. Best-in-class solutions tap billions of public records that allow them to verify hundreds of millions of individuals and provide more interesting data better suited to knowledge-based authentication, such as the model of a car the consumer owned during a certain year. 

While data is necessary to create a robust identity management system, it is only meaningful if it can be leveraged to provide insights. It is essential to have the ability to link familial relationships to the identity of an individual that they have verified. In general, an identity proofing solution should be able to:

Locate data relevant to the identity being presented by your constituent;

Match it with current constituent inputs, such as answers to knowledge-based questions, a voice or fingerprint, or a one-time pattern-based PIN;

Normalize and fuse data to eliminate redundancies and improve consistency and efficiency for better real-time performance; and

Filter and organize information into a multifaceted view that provides what you need to know for a particular transaction with confidence.

Analytics can provide further insight into data by detecting patterns of behavior, such as suspicious patterns of identity verification failure indicative of fraud or data integrity problems. Analytics can also be used to quantify identity risk by scoring the level of identity fraud risk associated with a particular transaction. The score will be given when your system’s rules and thresholds trigger an action; for benefits claims, these decisions would include things like accept, needs review, refuse, etc. This type of scoring provides an objective, consistent and reputable way of making complex decisions in a high volume scenario. By configuring rules within your identity management solutions, you enable it to make intelligent, dynamic decisions based on the information present and the level of risk you are willing to undertake.

Today’s business environment demands that organizations that engage in identity-reliant transactions ensure the security of the critical information that they collect. In addition to a high level of security, organizations also need an equal degree of flexibility to support a wide variety of organizational platforms and end-user devices. To accomplish this goal, it is best to choose an identity management solution that can provide services across various operational systems, channels and devices. Such solutions also support many different ways for identities to be asserted, verified and authenticated, and can apply the appropriate degree of security based on the type of transaction.

Due to the number of constituents they deal with on a daily basis, government agencies need to ensure that they are following best practices for identity proofing and using the most advanced solutions available to them. In addition, identities are often viewed at one point in time, but it is critical that agencies stay apprised of any changes to an individual’s status that may change his or her eligibility for benefits. Individuals will continue to try to perpetrate fraud and a robust identity proofing system is the best line of defense.

Clint Fuhrman is the National Director of Government Health Care Programs for LexisNexis Risk Solutions. Fuhrman joined LexisNexis in 2009 after serving as Deputy Secretary of the Florida Agency for Health Care Administration, where he helped direct agency strategy and operations in the areas of legislative affairs, communications, Medicaid policy, and health information technology.


You may use or reference this story with attribution and a link to
http://www.govtech.com/health/Identity-Management-A-New-Way-to-Fight-Health-Care-Fraud-Waste-and-Abuse.html
