Friday, June 19, 2009

Stewart Baker moves his blog

If you've been looking here, at Homeland Reading List, for imprudent Baker blogs, please note that I've moved to a new address:

"Skating on Stilts" is the working title of a forthcoming book on DHS and technology.

Sunday, June 14, 2009

A European abuse of human rights that couldn't happen in America, but will happen to Americans

UK libel law has always been a great way for the wealthy to bankrupt their critics.  Now it's not just being used by terror financiers and their friends.  Chiropractors are suing to shut up their critics, and it appears that U.K. judges are enthusiastically stacking the deck against Internet critics of chiropractors' dubious claims.  This kind of human rights violation could not happen in the US, but UK courts are surprisingly willing to impose their values on the rest of the Internet, so it can happen to Americans who have the temerity to use the Internet. 

You might almost think that Europe is the seat of legal imperialism and unilateralism. 

Saturday, June 13, 2009

Do hospitals and governors make money off medical identity theft?

OK, here I'll go out on a limb. I would appreciate some help from any readers, because I'm a little out of my area of expertise, but I've been doing some more thinking about medical identity theft, and there's a scary possibility that hospitals and governors might actually profit from some forms of medical identity theft.

Here's my thinking. Contradictions welcome:

Let's start with something I know for sure. If you're an illegal immigrant in the United States, you're not supposed to work here. With some modest exceptions, though, illegal workers have found that they can beat the system if they steal the name and Social Security Number of an American. And in many industries, such as meat-packing, identity theft by illegal workers is endemic. All of those workers, then, have IDs in the name of an American and they also have that American's social security number, which they used to get their job.

Now suppose you're an illegal worker who's just been laid off from an Iowa meat packing company when you discover you've got a serious disease -- heart problems or cancer or diabetes, say. You can't afford treatment for such a thing. So you go to the local hospital, and they tell you that, under federal law, only legal immigrants can get subsidized nonemergency treatment.

This is a problem for you, and for the hospital. You still want treatment, and the hospital is full of people who would feel pretty bad about themselves if they turned you away. You might die untreated or go home to get what they consider substandard care. Doctors don't like to think they would turn away anyone just because they can't pay, but realistically they can't afford to treat all the poor illegal immigrants in the community. Most of them probably think Congress made a terrible mistake in refusing treatment to anyone in the U.S. But not strongly enough so they want to provide the care without reimbursement.

That tension sends the hospitals back to the rule book. Is there a loophole? Well, maybe. Exactly what, they ask, do you need to do to prove that you are a legal immigrant? In 1996, Congress said you had to produce actual evidence that you were here legally -- a passport or a birth certificate, mainly. But that was a hassle for Americans and for hospitals. Not to mention illegal immigrants. So Congress decided last year to ease the requirement. Now you only have to produce proof of identity, plus a social security number that matches your name.

That's good for deserving poor people who've lost their documents. But it's even better for illegal workers, many of whom have already obtained a driver's license in the name of some poor American, whose SSN they've also borrowed. If the illegal worker presents that license and SSN, everyone's problems are solved. The illegal immigrant gets treatment, the hospital workers feel good about themselves, plus they don't have to pay a price for feeling good about themselves, because Medicaid is picking up the tab. And the State, which is on the hook for reimbursing the hospital, can pass the cost on to the the federal government. Everybody wins, except for the federal budget and the poor schlub whose medical records will be screwed up forever.

In short, the state and the hospital have a powerful economic incentive to look the other way when patients use stolen identities to get medical treatment. If no one looks too closely, the hospital and the state will come out fine. They'll all get paid, and the patient will get treated. But if the state or the hospital cracks down on fraud and stolen identities, they'll end up stuck with patients who can't easily be turned away but whose care will go unreimbursed, costing the hospital or the state a lot of money.

So, what could mess this sweet deal up? Well, better security standards for driver's licenses could. The harder it is to get a license using a fake name, the more likely it is that illegal immigrants will not be able to fake their way into the Medicaid program. And that will put hospitals and state reimbursement authorities back in the moral and economic dilemma of how to handle illegal immigrants with serious diseases.

So getting rid of REAL ID and making sure that driver's license security continues to be bad may save the states money in two ways. First, they won't have to pay for things like validating breeder documents. And second, by making identity theft easier, it will allow states and hospitals to get federal reimbursement after they treat people who aren't actually eligible for Medicaid. As long as they don't look too closely at their patients' actual legal status.

So the complaint by governors that REAL ID will cost them billions might actually be true. Of course, not having REAL ID will cost federal taxpayers those same billions, but that's not the governors' problem.

Oh, and the risk that your medical records will be contaminated by an identity thief's blood type, allergies, and health conditions? Also not the governors' problem. They've got budget problems to worry about, and this is a twofer. What, did you think they were elected to worry about you?


OK, that's harsh. And maybe I've missed something in the way the incentives of the Medicaid and Medicare programs work; that's not my field. I'm happy to correct myself if I've been too cynical about the way all this fits together. Let me know.

Wait! Does that mean the National Governors Association is going to kill us?

The medical identity theft report I cited earlier shows a startling connection between medical identity theft, REAL ID, and the National Governor's Association.

The report contains this charmingly clueless passage about what health care providers are doing to stop medical ID theft.
Some providers at Kaiser Permanente, a health network with 30 medical centers and 431 medical offices, now ask to see a driver’s license in addition to the program’s health card. The University of Connecticut Health Center, concerned after a case of medical identity theft occurred there, began checking patient driver’s licenses.

That would be a great idea if driver's licenses were actually a secure form of identification. But they aren't. They suffer from a variety of bad security practices that make it easy to get a real license issued in a false name. That's something that REAL ID was designed to fix. To take one example, it would have required states to actually perform an electronic validation of "breeder documents," like birth certificates, before the documents could be used to obtain a license.

But the National Governors Association doesn't want states to have to spend money improving driver's license security, and it bridles at the federal government setting standards for license security. NGA is leading the charge to repeal REAL ID and substitute a new driver's license law that would among other things eliminate any need for states to validate breeder documents. The NGA is likely to win that battle.

If they succeed, of course, it will remain easy for people to get driver's licenses in other people's names. And then to get medical treatment in other people's names. And in the process to change the blood types on record for the poor sucker whose identity they've stolen with that driver's license.

(The privacy advocates who neglected identity theft when HIPAA was passed are playing an even worse role here. The ACLU and others are campaigning to repeal REAL ID, and they've laid down covering fire for the NGA's attack. So in the name of protecting privacy, they're making the world safer for what could be deadly forms of privacy invasion.)

So if you're wondering whether your governor is trying to kill you, the fairest answer is "Not exactly." That's just a side effect of the effort to unravel REAL ID.

Identity theft can kill you?

Yep. How so? Well, first, medical ID theft is a growing problem. Here's a fascinating report on this undercovered problem:

It turns out that doctors and nurses with a drug problem make fake entries in patient files to justify prescriptions that they fill for themselves. Medicare and Medicaid fraudsters concoct entire courses of treatment for real people and bill for them. And illegal immigrants who wouldn't be eligible for services on their own use the identities they've already stolen to get jobs as a way of getting treatment.

That's bad, but what's especially troubling for ordinary citizens is the way it screws up their medical records. They may only find out about the fraud when they're told they've used up the lifetime health insurance limits they paid for. Or, worse, they could go in for treatment unconscious and be given a transfusion of the wrong blood type because their records had been altered to match the blood type of the identity thief. That's a pretty heavy price to pay for identity theft. And it's likely to get worse as the Administration's electronic medical record initiative takes hold, and medical records are increasingly consolidated into a single electronic patient history that is accessible by all providers.

HIPAA, perhaps unsurprisingly, is more or less useless in addressing the problem. The privacy advocates who helped draft it were so busy abusing pharmaceutical companies and insurers that they evidently didn't have time to think about privacy violations that might kill us.

Does hacking fund terrorism? Maybe so

I'm still waiting to see evidence that music and move piracy has been used to fund terrorism, but the Post has a remarkable story about hacking that may have funded terrorism.

The story also shows how hard it will be to deal with this problem. The scam featured a Jordanian and a bunch of Pakistanis and Filipinos operating out of the Philippines and Italy; they hacked into PBXes with weak security and then charged calls around the world to the unsuspecting companies that owned the PBXs. The calls were made from Italian call centers and generated profits that the authorities suspect went to terrorist groups in the Philippines.

But after a three-year FBI investigation, the Bureau arrested exactly zero suspects, and the indictment filed by Justice will sit in the NJ district court while the authorities in Italy and the Philippines decide what to do with the people they arrested. For a law enforcement culture that values busts and convictions, this can't be an entirely satisfying conclusion to a heavy investment in resources. But without that investment, our infrastructure will be increasingly at the mercy of organized crime and perhaps even terrorists.

Missing the point on cyber security

The Washington Post decides that the new cyber-command is mainly interesting because it is an opportunity to raise privacy concerns. Here's the lead:

The Pentagon's development of a "cyber-command" is prompting questions
about its role in the larger national strategy to protect government
and private-sector computer networks and whether privacy can be
protected. And the command is fueling debate over the proper rules to
govern a new kind of warfare in which unannounced adversaries using
bits of computer code can launch transnational attacks.

We're actually closer to 1984 than most people realize. Antidemocratic forces have the ability to turn on cameras in our homes and offices -- to monitor our every action and every keystroke. That's the lesson of the ghostnet report.

But you won't find any sign of that problem in today's story.

That's because the 1984ish powers aren't being exercised by the US government or NSA. And apparently there's no room in the Post for a story that doesn't make the US and NSA the chief privacy villains.