MIS5208 Spring 2018

DATA ANALYTICS FOR IT AUDITORS AND CYBERSECURITY

You are here: Home / Blogs & Posts

Blogs & Posts

Healthcare Fraud Investigations on the Rise

by

https://wirskyelawfirm.com/healthcare-fraud-investigations-on-the-rise/#comment-2

By Sarah Q. Wirskye – On February 6, 2018

Healthcare fraud is a government priority.  While there are variations depending on the industry, the government generally focuses on the same basic conduct in healthcare fraud cases.  In light of that, there are some things that a healthcare provider can do in order to minimize their liability if they are under audit or investigation.

While healthcare fraud is generally a major government focus, there are certain areas that the government is particularly focused on.  According to the Department of Health and Human Services Office of Inspector General is (“HHS-OIG”), the following five areas are under scrutiny: (1) controlled and non-controlled prescription drugs; (2) home health, personal care and home and community-based services; (3) ambulance transportation; (4) durable medical equipment; and (5) diagnostic radiology and laboratory testing.

All of the below potentially problematic conduct potentially applies to these industries.  However, the government is particularly focused on these types of entities’ relationship with referral sources and kickbacks.

POTENTIALLY PROBLEMATIC CONDUCT

Kickbacks and Bribes

The government is extremely focused on kickbacks or bribes. Kickbacks can be gifts or benefits to referral sources, beneficiaries, or employees.  These are typically easier cases for the government to prove than cases that turn largely on expert testimony regarding complex medical procedures.  It is good practice not to make any gifts to referral sources or beneficiaries, such as rebates or gift cards.  The government also sometimes takes the position that employee compensation based upon revenue is a kickback.

In healthcare fraud investigations, the government usually examines a provider’s marketing practices, and will review advertising and mailed materials.  Providers need to ensure that their marketing professionals know what is appropriate in the healthcare field – what is generally accepted in many other industries may be illegal in the healthcare industry.

While the Federal Criminal Anti-Kickback Statute prohibits remuneration for referrals wholly or partially paid for by government funds, Texas law is much broader.  The Texas Patients’ Solicitation Act prohibits any remuneration for soliciting or securing a patient or patronage for or from a person licensed, certified, or registered by a state healthcare regulatory agency.  There are also recent federal cases where the government has indicted healthcare providers under the Federal Travel Act and state commercial bribery statutes when there were little or no federal funds involved.  Therefore, not taking government pay is not a shield from the government bringing a bribery case against a provider.

Services Not Rendered

The government often examines whether services that were billed were actually rendered.  One of the government’s favorite techniques for doing so is examining the amount of time the provider spends with each patient.  In other words, the government divides the number of hours the provider is in the office by the number of patients seen during that day.  If the time per patient is unreasonable in the government’s opinion, it frequently takes the position that the provider did not see all of the patients and/or did not see the patients long enough to adequately provide the service.  The government has an even stronger case in situations where the billing codes are time based.  The government will frequently examine a provider’s travel and credit card records to determine which days he or she was in the office, and compare that analysis with their billing records.

Services not rendered are perhaps one of the most critical issues that the government will examine.  If the government concludes that unqualified personnel must be treating patients because of the number of patients seen and/or the provider is not spending adequate time with each patient, the government views this as a quality of care issue.  When there is a quality of care issue, the government is much more likely to suspend payments.  If services are not being rendered at all, a criminal indictment is also more likely.

The provider needs to ensure that he or she is spending adequate time with each patient.  It is also helpful to have the appropriate provider document and sign the charts contemporaneously upon treatment instead of at a later time.  Such a policy can help “prove” that the provider personally provided the service.

Necessity

Necessity is another critical issue in government investigations.  If the government can successfully challenge the determination of necessity, then in certain areas, the government can take the position that all charges paid for a patient were improper.

The person making the determination of necessity must be qualified.  If the requirement in a particular area is that a doctor must make the determination, this task cannot be delegated to an assistant.  The government will also examine how and if the person making the determination of necessity is compensated.  If it is an unrelated individual, the government will examine whether there are improper payments, or kickbacks.  If it is someone affiliated with the entity, the government will examine whether the professional is being paid fair market value and whether the compensation is based on the number of patients approved for treatment or revenue.  Again, such compensation arrangements can be viewed as a kickback.

Upcoding and Unbundling

The government often examines whether a provider is consistently coding a more complex procedure, for which the reimbursement is higher, rather than a less complex version of that same procedure.  This is called upcoding.  It is critical that the documentation in the patient chart supports the level of service that is being provided.

Unbundling is where one procedure is split up and billed as a number of individual procedures to maximize reimbursement.  When two procedures are performed together and there is one lower paying “combination” billing code, that code must be used.

PROACTIVE MEASURES

Because of what is at stake, it is imperative that healthcare providers be very careful.  In addition to severe monetary sanctions, the government has the ability to require a provider to have a corporate monitor, place a monetary hold or suspend payments to a provider, exclude a provider from government programs, and even bring criminal charges against a provider.  The collateral consequences from a government investigation may also implicate licensure issues with State Boards.

Healthcare providers should have a compliance plan.  In fact, they are required in many industries now.  Moreover, they should have an attorney or consultant available to address issues that arise in their day to day operations.  Successfully addressing or attempting to address an issue goes a long way in defeating government’s allegations of intent if there is a subsequent investigation.

With the government’s focus on kickbacks and relationships, a provider should examine all of their practices designed to increase business. This definitely includes the use of marketers and a review of the marketing material.  It also includes relationships, gifts and benefits to any referral sources.  The government is taking an extremely broad view of what constitutes kickbacks, and healthcare providers need to keep this in mind when examining their marketing practices.

Also, one of the most basic things a provider can do to minimize liability is to accurately chart.  Often, because a provider is busy, the level of detail in patient records does not support what was billed.  Providers and their staff must also take the time to learn and follow the often complex rules.  They need to make sure they are following every procedure in order to minimize their liability if they find themselves in the government’s sights.

Social Media Fraud and the Real-World Effects

by

Over the past several weeks, American news has been flooded with the revelation of a sophisticated disinformation campaign conducted by the Internet Research Agency, a company directed by a close ally of the Russian government. Of interest for fraud investigators is the use of social media to create social movements as a form of information warfare. Of particular note is the use of event pages. Investigators discovered the IRA used Facebook’s event creation and coordination capability to organize rallies for and against Donald Trump after his inauguration. The purpose of this was geopolitical in nature, but the technique could soon be seen amongst corporations, state governments and criminal organizations.

Consider a hacker group wishing to steal from Verizon. Causing physical disruption in the form of anti-telecom protests might be an effective way to disorient the management at a given location. This provides a potential avenue into theft of information or even physical assets. Perhaps in another example, a corporation is interested in starting operations in a given locality. By organizing anti-tax protests, they might gain leverage in negotiations. These possibilities show that using the power of groups – a time-honored political tool – can also be used for financial gain or simple disruption.

Security and fraud analysts should assess such risks when conducting an environmental assessment. Though this may seem less integral to the firm and thus less important, I would argue that the correct approach is one of vigilance, as the technique has been seen, and it has succeeded. Where the IRA perhaps started, many other governments and corporations will follow.

Defense One Article

 

Mobile Commerce and the Challenges of Fraud Mitigation

by

Mobile devices are ubiquitous. Most people have conducted business transactions of varied types via smartphones. Mobile devices have changed the way we do business with regard to e-commerce and consumers’ ability to issue mobile means of payments.

Many banks now offer mobile transactions; thus consumers can conduct banking transactions in the comfort of their homes. Retailers alike are not left out of this expansive growth as most retailers now have dedicated mobiles sites or mobile apps, all in the bid to improve the usability and the interaction with their offerings and products.[i]

The exciting ease of mobile commerce transactions is not all seamless and sans risk. Indeed, it is expected that fraudsters will take advantage of the many vulnerabilities and security control lapse inherent in mobile transactions and e-commerce. The security standards in smartphones is gaining more traction however, there still exists an elevated level of malware attacks on mobile devices thereby weakening the security controls that will necessarily prevent a fraudulent attack.

Based on the foregoing, it is inherent that businesses strategize and focus on the adoption of fraud mitigation strategies for Mobile commerce. Mobile devices have come to stay and the growth will continue to expand to more areas of our everyday living thus the need for fraud mitigation. The need for robust fraud mitigation solutions that will combat fraudulent transactions as well as curb potential losses. Businesses who fail to be proactive in seeking this solution will be exposed to loss of revenue.

Financial institutions are leading the way with adopting fraud mitigation standards to thwart criminal efforts at stealing money via mobile payments and e-commerce transactions. Velocity controls, one-time passcode, mobile geo-location data or GPS – Global Positioning System are some of the mitigation standard practices.

In summary, the best approach to mobile payment fraud is the adoption of the right tools as well as the application of a layered approach. The combination of the right tools paired with predictive analysis will provide deeper insights to customer profiles, transaction trends and the type of frauds an organization may be exposed to.[ii]

 

[i] https://en.wikipedia.org/wiki/User_experience_design

[ii] http://technews.tmcnet.com/mobilecommerceinsider/topics/mobilecommerceinsider/articles/403641-fighting-mobile-fraud.htm

Week 3 blog post: Understanding data to find fraud

by

Today auditors and investigators can read multiple types of data thanks to audit software. The CAATTs computer-assisted audit tools and techniques outlines the firsts steps needed to ensure that the auditor understands how the data can be used to address specific audit objectives. The first step in finding the information needed for fraud detection is to identify the goals of the investigation. Then audit management needs to find the skills and technical capabilities required to proceed with the investigation.

The continuous improvement of auditing software gives auditors and investigators better tools to better interpret the data. There is a a variety of analysis techniques that can be used to understand the data and also to find fraud. This also encourages auditors to think about potentially new auditing applications to use in their operational environment.

 

Week 2 blog post: The Use of Data analysis in Fraud detection

by

In today’s business environment, productivity increase is required from every part of the company. Fortunately the needs for an increased efficiency can be solved with data analysis. As IT is constantly growing, there will be more and more Computer aided fraud.

However modern software and computer assisted tools help auditors do their job better by focusing on areas that pause the greatest threats. Computer-aided tools however are not only used by auditors or fraud investigators. One great advantage of using audit software is being able to develop custom best practices for the audit of various business processes. Chapter 3 of David Coderre’s Computer-aided fraud shows how we can use computer-assisted techniques to detect fraud.

Understanding fraud and its prevention

by

Studies have shows that the slightest change in the fraud triangle is the one thing that makes a difference between honest to dishonest behavior. When there is a perceived opportunity to get an unearned benefit there can be Fraud. The Fraudster is then tries to rationalize the behavior as acceptable. Ethics and fraud awareness training is the most effective way to prevent the fraud from happening. This shows all employees that the company takes Fraud really seriously, and how they should handle a case of fraud.

Internal controls has an important role in detecting Fraud. The preconditions for detecting frauds apply not only to auditors but to fraud investigators as well. A general knowledge of controls is still required for fraud investigators even though they only intervene when there is a case of known fraud. It is important to determine who can take advantage of control weaknesses opportunity. Audit managers know that it is equally important to make sure that management keeps a strong Fraud policy as it is to have strong control systems.

PwC Found Liable for $2B Colonial Bank Fraud

by

A judge rules the accounting firm failed to meet professional standards in its audits of Colonial’s mortgage warehouse lending division.

| CFO.com | US
Recommended Stories:

PwC gave the bank’s parent, Colonial BancGroup, a clean audit for years before it emerged that huge chunks of Colonial’s loans to TBW were secured against assets that did not exist. Colonial collapsed in August 2009.

In the malpractice case, U.S. District Judge Barbara Jacobs Rothstein agreed with the Federal Deposit Insurance Corporation that PwC failed to meet professional accounting standards in its audits of Colonial. The FDIC sued the firm after incurring $2.8 billion from Colonial’s collapse.

“PwC did not design its audits to detect fraud and PwC’s failure to do so constitutes a violation of the auditing standards,” Rothstein ruled. The fraud, which centered in Colonial’s mortgage warehouse lending division, was orchestrated by Lee Bentley Farkas, the chairman of TBW, with the aid of Catherine Kissick, the head of the Colonial’s MWLD, and other Colonial employees. PwC said it was duped by Farkas, who skimmed millions of dollars from Colonial to buy a private jet, vintage cars and a vacation home. But Rothstein faulted PwC for, among other things, failing to inspect or even request to inspect the underlying documents for some TBW mortgages.

“PWC argues that even if it had attempted to inspect the underlying loan documents, it would not have uncovered the fraud because the fraudsters would simply have created fake documents,” Rothstein noted. “This, of course, is something that we will never know. However, what we do know is that Ms. Kissick, one of the key fraudsters, testified that if PWC had asked to see even just ten loan files ‘[t]he jig would be up.’” The case now moves into a damages phase, where the FDIC is seeking, according to one pre-trial document, as much as $2.1 billion.

Source: Heller, M. (2018). PwC Found Liable for $2B Colonial Bank Fraud. CFO.

Board Oversight

by

Issue 90 of Board Perspectives: Risk Oversight published by Protiviti Inc. (“Protiviti”) addresses the role of Boards of Directors (“Boards”) in ensuring cybersecurity capabilities are continuously improving in the organizations they serve.  Protiviti sites cyber as being amongst the top five risks for many businesses across industries, largely due to innovative IT transformation initiatives (e.g. mobile device usage, cloud computing solutions).

Research conducted by Protiviti indicates that Board engagement in security matters has improved, and they presented the following eight “business realities” for Boards to consider in order to maintain this trend:

  1. The organization must be prepared for success.  Protiviti recommends Boards ensure cybersecurity is managed in a manner that allows organizations to benefit from technological innovation through resilient policies and systems rather than overly managing cyber risk at the expense of technical evolution.
  2. It is highly probable that the company is already breached and doesn’t know it.  Cyber risk events may have already occurred and/or are underway at companies that don’t have the ability to detect them.  Protiviti suggests organizations become resistant to cyber events to protect their reputation and brand image.  They recommend that periodic simulations of attacks be performed and the effectiveness of defenses assessed, and that Boards focus on the length of time it takes for organizations to detect and respond to breaches.
  3. The board should focus on adverse business outcomes that must be managed.  Protiviti suggests Boards encourage focus on organizational strategies and objectives when assessing security risks as opposed to only protecting the underlying “key” systems/applications.
  4. Cyber threats are constantly evolving.  Protiviti stresses the need for evolutional protection measures in order for organizations to stay ahead of threat profiles and recommends Boards become aware of how management identifies and responds to new cyber threats.
  5. Cybersecurity is like a game of chess, so play it that way.  Protiviti cautions that reliance on technology to effectively monitor security is unsafe in today’s computing environment, and suggests organizations improve their methods of delivering protective services to create enterprise-wide cyber awareness.
  6. Cybersecurity must extend beyond the four walls.  In light of collaboration with third parties and increases in access extended to channel partners (e.g. vendors) and customers, Protiviti recommends Boards hold management responsible for assessing associated vulnerabilities and proactively implementing cost effective solutions.
  7. Cyber issues cannot dominate the IT budget.  Protiviti warns Boards that they should not allow cybersecurity spend to disproportionately suppress technological advancements, cautioning that insufficient funding for innovation could result in insolvency due to the organizations failure to remain competitive against new market entrants.
  8. Directors should gauge their confidence in the advice they’re receiving.  Protiviti recommends Boards consider adding technology savvy members or advisors to assess the adequacy of expertise the Board relies on regarding cybersecurity matters.

Protiviti also reported that cybersecurity program offices are emerging for the purpose of successfully managing large security projects in organizations that are not readily capable of managing cyber risks.

In closing, Protiviti reiterated the need for companies to target protection investments on business outcomes, maintain awareness/understanding of the changing threat landscape, and prepare for inevitable incidents since cyber risks will continually evolve and become increasingly difficult to manage.

My favorite sentence in the article was: “It is always less expensive to build security into a system’s design early rather than to retrofit it later.”  What’s yours?

Edward Tufte ‘s Principles of Graphical Integrity

by

Who is Edward Tufte?

Edward Tufte is an analytical design theorist, educator, and landscape sculptor best known for his self-published books on analytical design. Furthermore, Edward Tufte was famously known for noting his writings and impact on information design such as scatter graphs, bar charts and line graphs including so many more graphical graphs , and also Edward Tufte was a pioneer of data visualisation meaning how data (a.k.a information) is presented as graphical content for important use.

Image result for edward tufte

Measuring Misrepresentation

The lie factor is calculated by dividing the size of the effect shown in the graphic by the size of the effect in the data.

If the lie factor is GREATER THAN 1 the graph OVERSTATES the effect.

Related image

Principles of Graphical Integrity

  1. The representation of numbers, as physically measured on the surface of the graph itself, should be directly proportional to the numerical quantities represented.
  2. Clear, detailed and thorough labeling should be used to defeat graphical distortion and ambiguity. Write out explanations of the data on the graph itself. Label important events in the data.
  3. Show data variation, not design variation
  4. In time-series displays of money, deflated and standardized units of monetary measurement are nearly always better than nominal units.
  5. The number of information carrying (variable) dimensions depicted should not exceed the number of dimensions in the data. Graphics must not quote data out of context.
  6. Graphics must not quote data out of context

Source:

http://classes.engr.oregonstate.edu/eecs/spring2015/cs419-001/Slides/tufteDesign.pdf

What Makes A Good Blog

by

Focus, personality and reader comments are key to building an audience, say popular bloggers

By William Kraska Spring 2005

The Internet contains nearly 3 million active blogs, according to one recent count, with topics ranging from politics to movies, to food, to the emotional ramblings of high-school teens. With so many blogs, how does one become popular? What qualities will distinguish a blog from the massive congestion in the blogosphere? Blogs become successful because of specificity and passion, according to Kevin Donahue, co-creator of Fanblogs, a college football blog described by Forbes.com as the best blog dedicated to a single sport. “Repeat visitors feel an ownership and loyalty to the blog. They will police comments, pointing out when someone is out of line.” “Have a single focus about a topic you really enjoy, and put a little of yourself into it,” he says. Fanblogs prospers because college football already has a loyal fan base. “And that passion translates into a loyal readership.” Reader comments are a significant factor in blog popularity, according to several bloggers. Hart Brachen, creator of the snarky, ironic blog The Soxaholix says, “People who leave comments build the community aspect that really helps a site become more than just one blogger writing into space. Comments let you know what’s working and what’s not, and inspire you to keep at it.”

Daniel Kasman, a writer for the popular film discussion blog MilkPlus, agrees. Posted comments will keep a blog “fresh and full of discourse,” he says. Lockhart Steele, the managing editor of blog publisher Gawker Media, says that after a blog develops an audience, readers will submit tips and fact-check stories. They basically “do all of the work for you.”

Dedicated readers also keep a blog’s integrity in check. “Repeat visitors feel an ownership and loyalty to the blog,” observes Fanblogs’ Donahue. “They will police comments, pointing out when someone is out of line.” But before a blog is able to rely on its readers to help it succeed, a blogger must sometimes wait months, or even years, before a regular following develops. While some bloggers believe that they’re going to attract regular commenters within days of launching their blogs, Holiday of Fanblogs says, “it doesn’t happen like that.”

Modifying a quote from the movie “Field of Dreams,” he says: “If you build it, they will come … slowly.”

ORIGINAL SOURCE: Kraska, W. (2005). What Makes a Good Blog. Retrieved from http://journalism.nyu.edu/publishing/archives/notablog/story/good_blog/