Wednesday, October 25, 2006

Cheaper for hospitals to provide free primary care than free emergency care

NYTimes

October 25, 2006
To Lower Costs, Hospitals Try Free Basic Care for Uninsured
By ERIK ECKHOLM

AUSTIN, Tex. — Unable to afford health insurance, Dee Dee Dodd had for years been mixing occasional doctor visits with clumsy efforts to self-manage her insulin-dependent diabetes, getting sicker all the while.

In one 18-month period, Ms. Dodd, 38, was rushed almost monthly to the emergency room, spent weeks in the intensive care unit and accumulated more than $191,000 in unpaid bills.

That is when nurses at the Seton Family of Hospitals tagged her as a “frequent flier,” a repeat visitor whose ailments — and expenses — might be curbed with more regular care. The hospital began offering her free primary care through its charity program.

With the number of uninsured Americans reaching a record 46.6 million last year, up by 7 million from 2000, Seton is one of a small number of hospital systems around the country to have done the math and acted on it. Officials decided that for many patients with chronic diseases, it would be cheaper to provide free preventive care than to absorb the high cost of repeated emergencies.

With patients like Ms. Dodd, “they can have better care and we can reduce the costs for the hospital,” said Dr. Melissa Smith, medical director of three community health centers run by Seton, a Roman Catholic hospital network that uses its profits and donations to provide nearly free care to 5,000 of the working poor. Over the last 18 months, Ms. Dodd’s health has improved, and her medical bills have been cut nearly in half.

Reaching out to uninsured patients, especially those with chronic conditions like diabetes, hypertension, congestive heart failure or asthma, is a recent tactic of “a handful of visionary hospital systems around the country,” said Karen Davis, president of the Commonwealth Fund, a foundation in New York that concentrates on health care. These institutions are searching for ways to fend off disease and large debts by bringing uninsured visitors into continuing basic care.

The public hospital systems in New York and Denver, for example, have both worked to steer uninsured patients to community clinics, charging modest fees, if any. New York’s public system, the Health and Hospitals Corporation, has assigned some 240,000 uninsured patients to personal primary care doctors. A computerized system tracks those with chronic conditions, and when necessary, social workers contact patients to make sure they get checkups and follow medical advice.

“For most preventive efforts there is an upfront expense,” said Alan D. Aviles, president of the corporation. “But over the long term it saves money.”

Denver’s public system, Denver Health, has 41,000 uninsured patients enrolled in its clinics. Officials there calculate that for every dollar they spend on prenatal care for uninsured women, they save more than $7 in newborn and child care.

The “safety net” plan of the Seton system in Central Texas accepts people making 150 percent to 250 percent of the federal poverty limit and has resources to support 5,000 patients. (People below the poverty line, which is $13,200 a year for a family of two in the contiguous states, can obtain care through the public clinic system.)

Officials scrutinize the records of plan members to see who is still overusing the emergency room or being repeatedly hospitalized — these high-cost patients total some 40 each month — then assign them caseworkers to help improve care and bring down costs.

A special effort to educate 631 asthma patients saved the plan $475,000 in one year, Seton officials said.

In a more unusual step, Seton officials also look for frequent emergency room users who do not qualify for the hospital’s charity plan because they live in a different county, like Ms. Dodd, or have incomes just above the threshold. In a dozen cases so far, all involving diabetics, a committee has judged that it makes financial sense to bring these people into the charity plan anyway and provide intensive support.

Other answers to the insurance crisis are being tried around the country, including the creation of subsidized, bare-bones policies for small businesses. Vermont, Maine and especially Massachusetts are using combinations of state and federal money and employer mandates to extend insurance.

Still, only a fraction of the uninsured, in Central Texas and in most other states, are benefiting.

“All these local efforts are commendable, but they are like sticking fingers in the dikes,” Ms. Davis of the Commonwealth Fund said, noting that the larger trend was hospitals’ seeking to avoid the uninsured.

Nowhere is the problem more acute than in Texas, where nearly a quarter of the population is uninsured, the nation’s highest rate. Small businesses here are unlikely to offer benefits, and the state government’s unusually stringent restrictions on Medicaid for adults leave many of the working poor at risk.

Even without counting the large immigrant population, Texas has the country’s highest share of uninsured, at 21 percent, according to the Center for Public Policy Priorities in Austin.

“All the hospitals here provide some uncompensated care, and they are eating it and passing the costs along to the payers,” said Patricia A. Young Brown, president of the Travis County Healthcare District, which was set up last year to oversee care of the indigent through public clinics, drawing on property taxes to pay.

“So insurance rates go up, and then more businesses drop insurance,” Ms. Young Brown continued, describing a trend unfolding nationwide. “It’s hard to see where it will end. We hear a cry for national and state leadership.”

The private People’s Community Clinic, supported in part by the St. David’s Hospital system, gives primary care to 11,000 people in Austin who are uninsured or on Medicaid and related programs.

“I think we are a good Band-Aid for those able to come to our clinic,” Regina Rogoff, director of the clinic, said. “But it’s not a solution to have such a ragtag, makeshift system.”

Austin hospitals and charity clinics have also joined in a pioneering data-sharing system to track visits by uninsured patients and fight unnecessary use of the emergency room. But rural counties in Texas offer little aid, and rural residents with serious maladies end up traveling to urban emergency rooms.

The current patchwork also pits different levels of government against each other.

Natavidad Martinez, 51, who used to work as a bookbinder for $7 an hour and never had insurance, has found herself in a bureaucratic nightmare.

In March 2005, Ms. Martinez, a Seton patient, was found to have liver cancer. She was put on Medicaid, applied for federal disability and was put in line for a liver transplant, without which, doctors said, she had six months to two years to live. Through the summer of 2005, she made the hour-and-a-half drive from her home to San Antonio for preparatory tests.

That August, she was awarded disability payments of $561 a month. But because her income surpassed the $535 limit for Medicaid in her circumstances, she said, she was told by the state that her coverage had ended, and the hospital said it could not proceed with a transplant.

“I asked Social Security if they couldn’t just reduce my payments by $30 a month,” she said, “but they said it doesn’t work that way.”

In another twist, by federal rules, she will qualify for Medicare two years after the initial finding of disability. She awaits the start of Medicare coverage next March, when she can rejoin the transplant line.

In Texas, as throughout the country, the coverage of poor children through Medicaid and related programs expanded greatly over the last decade. But a majority of states do not provide Medicaid to parents making even poverty-line incomes, and Texas is one of the least generous: here, a working parent of two does not qualify for coverage if he or she makes more than $3,696 in a year, leaving people like Ms. Dodd to fend for themselves.

Ms. Dodd, who worked as a dental assistant, is married to a truck driver, has four children and lives on a country road in Hays County, south of Austin. Ten years ago, after her weight fell to 82 pounds, she learned that she was a “brittle diabetic,” subject to rapid and dangerous changes in blood sugar. She saw a doctor only sporadically because visits cost $120 — money she did not have.

“I had to stop working, so then I couldn’t afford to go to the doctor, and then I had to go to the emergency room,” Ms. Dodd said.

She was having repeated episodes of ketoacidosis, a chemical imbalance that sometimes put her into life-threatening comas. Years of poor care had weakened her and led to side effects like esophogeal ulcers that could probably have been prevented, her doctors said.

Ms. Dodd still has problems, but the use of a $3,200 insulin pump paid for by Seton, which automatically adjusts her insulin levels, along with access to an endocrinologist and home counseling have reduced their severity. Her care in the last 18 months has cost Seton $104,697, far below the $191,277 for the previous period. More important, the later figures include less hospital time and more medicines and expert advice.

“The money we save,” Dr. Smith, of Seton, said, “money that is not hemorrhaging through the I.C.U., is money we can do so much more with to help her upfront.”

Tuesday, October 24, 2006

No-swipe credit card security risks

NYTimes

October 23, 2006
Researchers See Privacy Pitfalls in No-Swipe Credit Cards
By JOHN SCHWARTZ

AMHERST, Mass. — They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards — cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald’s restaurants and many movie theaters.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.

Companies that make and issue the cards argue that what looks shocking in the lab could not lead to widespread abuse in the real world, and that additional data protection and antifraud measures in the payment system protect consumers from end to end.

“This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer — that threat really doesn’t exist.”

The finding comes at a time of strong suspicion among privacy advocates and consumer groups about the security of the underlying technology, called radio frequency identification, or RFID. Though the systems are designed to allow a card to be read only in close proximity, researchers have found that they can extend the distance.

The actual distance is still a matter of debate, but the claims range from several inches to many feet. And even the shortest distance could allow a would-be card skimmer to mill about in a crowded place and pull data from the wallets of passersby, or to collect data from envelopes sitting in mailboxes.

“No one’s going to look at me funny if I walk down the street and put a flier in everybody’s mailbox,” Mr. Heydt-Benjamin said.

The experiment was conducted by researchers here working with RSA Labs, a part of EMC, an information management and storage company. The resulting paper, which has been submitted to a computer security conference, is the first fruit of a new consortium of industry and academic researchers financed by the National Science Foundation to study RFID.

Security experts who were not involved in the research have praised the paper, and said that they were startled by the findings. Aviel D. Rubin, a professor of computer security at Johns Hopkins University, said, “There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line.”

The companies, however, argue that testing just 20 cards does not provide an accurate picture of the card market, which generally uses higher security standards than the cards that were tested. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”

Chips like those used by the credit card companies can encrypt the data they send, but that can slow down transactions and make building and maintaining the payment networks more expensive. Other systems, including the Speedpass keychain device offered by Exxon Mobil, encrypt the transmission — though Exxon came under fire for using encryption that experts said was weak.

Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.

“It’s basically useless information,” said David Bonalle, vice president and general manager for advanced payments at American Express. “You can’t steal that data and just play it back and expect that transaction to work.”

While the researchers found that these claims were true for some of the cards they tested, other cards gave up the actual credit card number and did not use a token or change data from one transaction to another. They also took data in from some cards and transmitted it to a card-reader in the lab and tricked it into accepting the transaction. Mr. Heydt-Benjamin, in fact, was able to purchase electronic equipment online using a number skimmed from a card he ordered for himself and which was sealed in an envelope.

(None of the cards transmits the additional number on the front or back, known as the card validation code, that some businesses require for online purchases; Mr. Heydt-Benjamin chose a store that does not require the code.)

Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.

“Today, there’s an extremely small percentage of cards that have the characteristics that RSA has looked at in this report,” he said. Visa and American Express representatives said all their cards conformed to the highest security standard.

Beyond the security on the cards themselves, the companies said, they have deployed fraud detection and prevention measures that block suspect purchases. And each company stressed that cardholders were not liable for fraud.

Dr. Fu acknowledged that the research involved a small sample, and added, “We would be happy to examine cards that have better security so that we can verify these claims.” He added, however, that all of the cards they tested were issued this year, and all were felled by at least one of the attacks that they attempted.

Tom O’Donnell, a senior vice president at Chase, the largest issuer of the new cards, said that the attacks described in the paper would be too cumbersome in the real world. And the researchers said that other kinds of fraud, like so-called phishing scams in which criminals trick people into revealing credit card information through misleading e-mail messages and Web sites, were currently more effective.

Still, John Pescatore, vice president for Internet security at Gartner, a technology market research firm, said he was surprised by the lack of security in transmitting personal data. He said it was a mistake that companies often made in rolling out early versions of a technology.

“It’s the classic ‘Let’s depend on security through obscurity — who’s going to look?’ ” he said. “Then, whoops! As soon as somebody does look, you roll out the security.”

All of the card companies said that they were in the process of deleting names from the stream of data transmitted to the card readers. “As a best practice, issuers are not including the cardholder name,” Mr. Triplett of Visa said.