SCGhealth Blog

We Fired Amazon's Alexa

Wednesday, February 21, 2018

By Clay Dubberly, Intern 

Amazon’s Alexa is being criticized by the healthcare industry, not because of a design error, but because of its passive listening ability. This function led Jennifer Searfoss, CEO of SCG Health to ban Alexa from its premises.

Alexa is an “intelligent personal assistant” capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and offering other real-time information.

The way Alexa works is by listening for its wake word (its name) which prepares it to analyze a command. It then listens and responds to everything that it hears afterward. You can ask it questions about the weather, converting measurements, or even for help shopping. It can even be used as an intercom.

In a medical environment, it can be used to help physicians take notes, remotely monitor patients, or allow them to ask health-related questions.

Passive listening and hacking: The Downsides to Alexa

The problem is that Alexa is listening to its surroundings at all times. This means that 24/7, she can be picking up personal information, which is sent back to Amazon or a potential hacker.

“There’s too much risk to be hacked,” Jen Searfoss says. “SCG Health used to have the device in its building,” but “We kicked Alexa out of our office after considering the vulnerabilities of the passive listening technology.”

There isn’t just a “possibility” of being hacked; it’s a reality. There are already several documented instances of Alexa being compromised. One way is through a “Dolphin Attack,” which is when it picks up frequencies which humans are unable to hear.

In this type of attack, hackers increase the frequency of a voice command to over 20,000hz and can play it through another phone’s speaker. While humans can’t hear this, smartphones will pick it up. Another concern for users is that a device that’s been compromised looks no different from one that hasn’t been compromised.

After picking up the frequencies, Alexa can carry out the command without the user’s permission. All that’s needed to do this is a battery, a smartphone, an ultrasonic transducer and an amplifier. All of this is readily sold online for a low price.

After a successful attempt, invaders can open your garage door (granted the right technology is installed) or make calls.

Another way Alexa can be hacked involves pre-installing software onto the device which transforms it into a wiretap that records any sound picked up onto a computer at another location.

Forbes successfully tested this out. One of the disadvantages (to the hacker) is that it takes several hours of installation on the hacker’s part, but this still poses a threat to anyone that buys Alexa from a secondhand source.

In one of those less-concerning instances when hacking is used for something good (or at least something funny), Alexa was hacked into a Big Mouth Billy Bass -- one of those wall-mounted fish that sings songs like “Don’t Worry Be Happy” or “Take Me To The River.”

Alexa isn’t HIPAA compliant. Here is how Amazon plans to fix it.

Another big concern for Amazon’s Alexa (as if being hacked wasn’t big enough) is that it’s not HIPAA compliant. As such, its use in healthcare is extremely limited.

The idea of having a device which could be recording patient data presents a clear threat: “It’s collecting info that has PII,” Ms. Searfoss says.

To help Alexa reach HIPAA compliance guidelines, Amazon recently hired a HIPAA Compliance Agent to help them reach legal requirements, including Business Associate Agreements (BAA), federal and state laws, and standards and regulations. The Compliance Agent is expected to help ensure that “technology and business processes meet [Amazon’s] HIPAA BAA requirements, as well as all applicable federal and state laws, regulations and standards.”

Some healthcare organizations have begun testing the device’s capabilities despite the risk. WebMD allowed Alexa to deliver its web content to users at their own homes for example. The Beth Israel Deaconness Medical Center (BIDMC) ran a successful pilot study in an inpatient setting (without actual patient data). It eventually plans to use it in a clinical setting, but not until Amazon signs a BAA.

The Boston’s Children’s Hospital (BCH) also experimented with using Alexa to give info to its clinical staff, but because it didn’t have a BAA only non-identifiable health information was used. The BCH also created an Alexa skill called KidsMD, which allows users to ask advice for when their kids have a fever.

SCG Health will continue to stand strong and enforce its ban on Alexa -- at least until Amazon approves a business associate agreement.

New Secure Medicare Cards - What They Mean for You

Wednesday, November 01, 2017

By Audrey Landers, Intern

In April 2018, the Centers for Medicare & Medicaid Services (CMS) will be rolling out brand new ID cards without Social Security Numbers (SSN). This change is being made in reaction to the Medicare Access and CHIP Reauthorization Act (MACRA) which requires that SSNs be removed from Medicare cards by April of 2019. 

In order to help protect Medicare beneficiaries from identity theft, the SSN-based Health Insurance Claim Number (HICN) will be replaced by new Medicare Beneficiary Identifiers (MBI). These MBIs will be randomly generated 11-character alphanumeric codes with no specific meaning.

Source: Center for Medicare and Medicaid Services

CMS will be allowing an adjustment period from April 1, 2018 to December 31, 2019. SCG Health recommends that practitioners use this time to test, collect data from, and perfect their document management system (DMS) and claims submission system as well as remind patients of the change. During this time period, both the HICN as well as the new MBIs may be used to submit claims. Your practice will be expected to be able to use MBI exclusively by January 1, 2020 with limited exceptions. These exceptions include:

  • Appeals
  • Claim status query (Date of service before 1/1/2020)
  • Span-date claims (DOS before 1/1/2020)
  • Home health claims & Requests for Anticipated Payments (DOS before 1/1/2020)

Even when these exceptions apply, you are urged to use the new MBIs when possible.

Getting Ready
In order to be prepared for the transition period, your DMS and claims submission systems must be ready to accept MBIs no later than April 1, 2018. CMS is currently running a television ad campaign discussing the new cards and you can help spread awareness by making information about the new cards available in your offices. CMS suggests displaying posters and putting out pamphlets in waiting areas as well as discussing the new cards directly with your patients. They should be aware that the cards will be sent out automatically starting April 1, 2018 and all Medicare beneficiaries should have new cards by April 1, 2019. There is nothing they need to do to get a new card. You should also take the opportunity to keep your patients from getting scammed during the transition period by making sure they are aware of the following:

  • CMS will never call a beneficiary, nor will they ever ask for their SSN.
  • The new Medicare cards are free, CMS will never ask a beneficiary for payment for a new card.
  • If a beneficiary receives a phone call from someone who asks for their MBI, SSN or for payment, they should hang up immediately and call 1-800-MEDICARE
For more information on the new Medicare cards, you can visit CMS’s New Medicare Card Overview.

Patient identity theft to procure fraudulent medical services on the rise

Thursday, March 13, 2014

The identifying information of a patient with health insurance is an extremely valuable commodity for thieves looking to defraud health care payers by billing phony services and supplies and keeping the money. So you had better believe they’ll be snooping around medical offices looking for opportunities afforded by those who don’t properly secure patient identifying information. 

SCGhealth Resources: Video Podcast Handouts

About 3 percent of all identity theft cases involve medical services, according to data from the Federal Trade Commission. It makes sense – in order to file claims to defraud Medicare, Medicaid or another payer, there needs to be a patient on the claim that looks legitimate enough to get the payer to pay the claim. That’s where patient identity theft comes in to play.

In order to fight it, you need to be able to detect the behaviors of your staff that potentially expose your patient identifying information, implement safeguards to prevent it, know how to respond in the event it’s compromised to minimize the damage and reduce your risk by knowing how long you have to retain certain types of documentation. 

These are more than just best practices. While most providers and practice administrators and staff think of HIPAA for its requirements to protect patient privacy and have patients attest to your privacy practices, it also requires you to take steps to keep your patient identifying information secure. 

Violations can be costly. The HITECH Act of 2009 raised the potential penalties for even inadvertent HIPAA violations to $1.5 million, up from $250,000. If you knowingly sell or profit from transferring patient protected health information, you probably wouldn’t be reading a blog about not doing that, but the penalties are up to 10 years in prison and a $250,000 fine.

Where is it happening?
You’re at risk for medical identity theft regardless of where your practice is located, but a report from the World Privacy Forum suggests the highest-risk areas in the United States are Texas, Florida, Arizona, New York and Southern California.

You may remember that Texas was a major hotspot for patient identities being stolen a few years ago and used for the fraudulent procurement of power mobility devices. It led to a CMS demonstration that required patients in high-fraud areas to  to getting a power mobility device.

All of the above hotspots are on the prior authorization list except for Arizona. Illinois, Michigan and North Carolina – cited by CMS for high error and fraud rates – also appear on the CMS list.

Privacy a key consideration
While we’re focused on the security of patient identifying information, how you comply with the privacy aspects of HIPAA are a key driver in how much risk you are exposing yourself to when it comes to compliance with the security component. 

Here are some examples of privacy protections that also help to protect patient information from thieves:

Controlled layers of access: Patient PHI is generally shared throughout a medical group on a need-to-know basis, depending on the role of the person in the practice. Given the risk and prevalence of internal financial theft and loss that plagues medical practices, you would also have added protection from a rogue employee who might steal and sell patient information. In a 2009 Medical Group Management Survey, an astonishing 89 percent of respondents said they had at one point worked with someone who had stolen from a group practice.

Requests for additional documentation: When a payer asks for additional documentation as part of determining whether to pay a claim, the privacy rule dictates as part of the minimum necessary provision that you would send only the information necessary to help the payer adjudicate that claim. When you send the patient’s entire medical record, you take a risk that the information could end up compromised.

An example of how it works
To get a sense of how medical identity theft works, consider the unfortunate case of Brandon Reagin, whose medical identity was stolen prior to the HITECH Act, though that law may not have helped him much.

Reagin’s medical identity was stolen, which he didn’t realize until he was falsely accused of stealing a car. It gets worse. The thief, Arthur Watts, racked up more than $20,000 in hospital bills for hand surgery and for kidney treatments, posing as Reagin, causing hospitals to refer Reagin to collections and the state to seize his tax return.

Much of this was happening while he was serving in Iraq. What differentiates Reagin from many victims is that he was able to actually find out who the thief was, a small consideration as he fights years later to salvage his credit and continues to see collection notices.

Implications of patient identity theft
There are multiple impacts to patient identity theft on a medical group. When your practice has suffered a breach, the new HIPAA mega-rule that incorporates the HITECH Act changes presumes that the breach caused harm, and puts the onus on you to show that the breach could not have reasonably resulted in patient information being compromised.

At the very least, when your practice compromises patient information in a way that must be reported, you can expect the negative publicity of the breach being reported and the cost to ensure the credit of the impacted patients is not damaged.

You may also face a heavy fine. HHS has come down hard on recent violators, particularly those who have not acted swiftly to report and deal with breaches.

In December, a Massachusetts dermatology group paid a $150,000 fine and put in a risk assessment plan after suffering a breach that compromised the information of roughly 2,200 patients. 

One of the reasons that HHS came down so hard on the group is that the group failed to promptly report the breach and take corrective action. The result, in effect, was to leave the patients dangling out there without even knowing their information was compromised.

A medical group practice is more likely to be the victim of medical identity theft, not just for having its data stolen or compromised.

Consider that a patient may present to a group practice who is not all that he or she seems to be. When a medical identity is stolen, it is usually used to seek care or services by someone who is not the patient, as in the above case of Arthur Watts.

The practice renders the services in good faith, bills for them and gets paid. That opens up the practice to two risks.

First, the most obvious one, is that the practice is ultimately liable for repaying any insurance payments received for treating the patient who presented and was not the insured. When the payer finds out, expect it to seek prompt repayment.

The second is that medical identity thieves compromise your records. When you unwittingly provide a service for someone who misrepresents his or her identity, you end up creating a record for the person that could ultimately end up being commingled with records from other providers for the person who was the victim of the identity theft.

And sometimes, that person is in on the scam. Even as the economy struggles to recover and patients are spurred by the Affordable Care Act to find coverage, it’s not unusual for people to sell or give their medical identity to friends and loved ones who don’t have access to insurance. Sometimes, they’ll sell their own information for profit, with the buyer showing up at your practice to seek treatment.

Seek photo IDs, train staff The best protection against being victimized by patients showing up at your practice misrepresenting themselves is to look at what are known as the Red Flag Rules

Originally, the Red Flag Rules were to apply to medical group practices, until Congress clarified that they were for entitles who were granting loans and mortgages. Nonetheless, it’s a best practice to verify patient photo identifications at every visit and to authenticate change of address requests.

Don’t stop there. Make sure you have written policies in place to help detect, prevent and contain security breaches. Policies should be reviewed at least once a year by your physician board to make sure they are still current.

Appoint a privacy and security officer responsible for implementing and enforcing your privacy and security policies, as well as arranging training for new staff and refresher courses for your established staff. 

As we told you in our recent blog post on security – but it is worth repeating – make sure you are doing a thorough risk assessment of your practice at least once a year to spot and correct any vulnerabilities. You can be sure outsiders are regularly trying to hack into your system and get your patient identifying data, because it’s become too valuable for them to resist.

SCG Health blog by Email

Recent Posts



SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.