Identity proofing to prevent drug abuse

Fraud has no bounds, and as seen in the latest research on identity theft, it has taken a worse turn. Many bad actors have mastered fake and stolen identities for big payouts on loans or similar scores. They have seen hospitals, pharmacies, and doctors as another easy target. Online drug abuse is not something new but has been abused for a long time with the ability to purchase illegally obtained drugs. However, instead of unethical doctors or shady drug sites, the fraudsters assume doctors' identities. This action allows them more control and cuts out the middleman for accessing controlled substances.

Unfortunately, the healthcare industry has a massive security problem that has no easy solution for identity verification. It is tough for pharmacists and doctors to withhold a drug because they suspect fraud when it could be a life-saving prescription. There are multiple parties involved with each step of prescriptions, and each has a weak link that allows for continued abuse. However, with some analysis on the web, there should be more controls to stop this type of fraud. Allowing the abuse to continue makes the matter worse and becomes more accessible with growing fraud services. Accessing doctor DEA numbers which are supposed to be confidential, is a trivial task to fraud services online; some offer to do it for $100. A fraudster can now buy the entire package of a doctor's identity, including all the steps (DEA, NPI, SSN, Phone number, DL, etc.) and guides to prescribe a drug illegally. The fraudster then can prescribe multiple drugs to themselves or aliases. They appear to cycle through doctors' identities until they get caught. They even are bold enough to phone pharmacies directly to try and fill prescriptions.

Screenshot of services offering guides for illegal prescriptions. (Video proof of another)

The DEA has attempted to provide additional options for electronically prescribing (e-prescribe - eRx) drugs due to COVID. Before we dive into e-prescribe there is a worse method available: faxes easily faked, but they are fortunately being phased out for all drugs. Their interim final rule (IFR) guidance states, "Under NIST SP 800-63-3, the relevant identity proofing assurance level is Identity Assurance Level 2. Identity Assurance Level 2 of NIST SP 800-63-3, like Assurance Level 3 of NIST SP 800-63-1, allows either in-person or remote identity proofing." Achieving this level of assurance is trivial for these fraudsters, and in previous postings, we have detailed how they bypass identity checks. Adhering to a standard is a good starting point, and we will delve into some ideas to further secure the prescription process.

Identity proofing should not follow the same path for all doctors but adapts and matures according to their actions. Electronic Prescriptions for Controlled Substances (EPCS) policy should detect the abuse happening now and rapidly change with new layers of protection. There are additional resourcing factors that need to be in place to act upon abuse. Like how the financial sector has security teams constantly monitoring their systems for abuse, so should healthcare for controlled substances. EHR/eRx softwares that have worked with Trust Swiftly understand the need to use a system that can be powerful enough to identify cases of fraudulent doctors as non compliance results in significant fines.

Layering in more verifications with the additional use of machine learning can help track the patterns that fraudsters are committing. The current standards have a massive gap if they allow this type of drug fraud to expand into a service seen on fraud chat rooms. A live video session and physical mails would be a substantial step up identity proofing that could stop many fraud cases. More intensive proofing methods could be reserved for cases of high risk or suspected abuse in prescriptions. There will never be one verification method that defeats this fraud, so the industry needs to take a holistic approach with more remedies. This growing epidemic is complex and will take more effort than the current processes to get solved.