Adherence and Identity

(Wildebeest patient image from Google Gemini)

Adherence

In healthcare, “adherence” refers to a patient’s compliance with the recommendations of a medical professional. For example, if a doctor tells a diabetic to lay off the Double Big Gulp soft drinks, the patient should comply. A National Library of Medicine study explains why this is important:

“Patient adherence is vital for the quality of health care outcomes and treatment efficacy, and reduces the economic burden on the healthcare system.”

So if you don’t practice adherence, you could experience adverse health care outcomes…like death.

You would think that would be persuasive enough, but we have to mention “the economic burden.” But it’s sadly true. If a patient is treated multiple times for the same preventable condition, that’s money down the drain. Or bedpan.

(Bedpan image from Google Gemini)

But there’s a big hole in adherence measurement.

Adherence measurement

Let’s say you are told to take 4 pills a day for 7 days, and the pharmacy gives you a prescription for 28 pills. A week later all the pills are gone.

Does this demonstrate patient adherence to health instructions?

Absolutely not.

Maybe you flushed all 28 pills down the toilet and didn’t ingest a single one.

Or maybe you have been giving some pills to your wildebeest.

(Medicated wildebeest image from Google Gemini)

In the ideal world, you would want to ensure that the medication was taken by the correct patient, not by a toilet or a wildebeest.

When adherence identity is important

I will grant that this is ridiculous for a vitamin.

But what about a chemotherapy drug? How will you know that the right patient is taking it and adhering to the medical plan?

Will you ask the patient for their name and date of birth, and consider your adherence monitoring job done?

Give me a…fracture.

Black Friday Fraud Reduction?

Black Friday fraud dipped in 2024? Maybe good news…maybe not.

Frank on Fraud shared a TransUnion report of a 30% decrease in fraud on Black Friday this year. (Links below.)

This in turn was shared and analyzed by Hilton McCall, who noted several theories as to why fraudsters apparently took Black Friday off.

“Tighter fraud prevention measures by merchants and platforms.”

That’s good news.

“Shifting fraud tactics targeting other high-value days like Cyber Monday.”

“A possible focus on new fraud methods, like account takeovers and loyalty point scams, rather than traditional purchase fraud.”

That’s bad news.

Remain vigilant—and if your firm offers a fraud-fighting solution, share your message.

Frank on Fraud: https://frankonfraud.com/fraud-trends/fraudster-vacation-fraud-plunges-on-black-friday/

TransUnion: https://www.globenewswire.com/news-release/2024/12/05/2992306/0/en/New-TransUnion-Analysis-Finds-More-Than-4-of-U-S-Attempted-Ecommerce-Transactions-Between-Thanksgiving-and-Cyber-Monday-Suspected-to-be-Fraudulent.html

Hilton McCall: https://www.linkedin.com/posts/hilton-mccall_fraudprevention-blackfriday-cybersecurity-activity-7272611182727909376-lsyD

KYV: Know Your (Healthcare) Visitor

Who is accessing healthcare assets and data?

Healthcare identity verification and authentication is often substandard, as I noted in a prior Bredemarket blog post entitled “Medical Fraudsters: Birthday Party People.” In too many cases, all you need to know is a patient’s name and birthdate to obtain fraudulent access to the patient’s protected health information (PHI).

But healthcare providers need to identify more than just patients. Providers need to identify their own workers, as well as other healthcare workers.

Know Your Visitor

Healthcare providers also need to identify visitors. When a patient is in a hospital, a rehabilitation facility, or a similar place, loved ones often desire to visit them. (So do hated ones, but we won’t go there now.)

I was recently visiting a loved one in a facility that required identification of visitors. The usual identification method was to present a driver’s license at the desk. The staffer would then print out a paper badge showing the visitor’s name and the validity date.

Like this…

John Bederhoft?

So John “Bederhoft” (sic) enjoyed access that day. Whoops.

Oh, and I could have handed my badge to someone else after a shift change, and no one would have been the wiser.

Let’s apply “somewhat you why”

There’s a more critical question: WHY was John “Bederhoft” visiting (REDACTED PHI)? Was I a relative? A friend? A bill collector?

My proposed sixth factor of identity verification/authentication, “somewhat you why,” would genuinely help here. 

Somewhat you why “applies a test of intent or reasonableness to any identification request.” 

Maybe I should have said “and” instead of “or.”

  • Visiting a relative shows intent AND reasonableness.
  • Visiting a debtor shows intent but (IMHO) does NOT show reasonableness.

Do you need to analyze healthcare identity issues for your healthcare product or service? Or create go-to-market content for the same? Or proposals?

Contact me at Bredemarket’s “CPA” page.

Survey Says

So Deloitte announced the results of a survey earlier this month.

“The fifth annual Deloitte “Connected Consumer” survey reveals that consumers have a positive perception of their technology experiences and are increasingly embracing GenAI. However, they are determined to seek balance in their digital lives and expect trust, accountability, and transparency from technology providers.”

Deloitte conducted the survey BEFORE the RIBridges hack.

On the RIBridges Benefits System Hack

I originally worked with state benefits systems during my years at Printrak, and have performed analysis of such systems at Bredemarket. These systems store sensitive personal data of many Americans, including myself. And they are therefore a target for hackers.

The hack at RIBridges

A huge benefits system was hacked in Rhode Island, according to the State.

“On December 5, the State was informed by its vendor, Deloitte, that the RIBridges data system was the target of a potential cyberattack….”

That was just the beginning.

“On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte. On December 11, Deloitte confirmed that there is a high probability that the implicated folders contain personally identifiable information from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat.”

RIBridges is…um…a bridge from Rhode Island residents to various Federally sponsored but State administered benefits programs, including:

  • Medicaid,
  • Supplemental Nutrition Assistance Program (SNAP),
  • Temporary Assistance for Needy Families (TANF),
  • Child Care Assistance Program (CCAP),
  • Health coverage purchased through HealthSource RI,
  • Rhode Island Works (RIW),
  • Long-Term Services and Supports (LTSS), and
  • General Public Assistance (GPA) Program.

State benefits systems such as RIBridges are complex and often hosted on old infrastructure that requires modernization. (“Modernization” is a great buzzword to toss around when describing aging state computer systems, as I know from my years working with driver’s license and biometric identification systems.) The older and more complex the system, the easier it is to hack.

The history of RIBridges

This complexity is certainly true of Deloitte’s hacked RIBridges system.

As StateScoop noted in 2021:

“Gov. Daniel McKee…said the state will pay the firm $99 million over the next three years to manage and build out the RIBridges computer system….The firm has been developing the software, which handles the state’s Medicaid, SNAP and other welfare programs, since 2016, though delays and errors during (previous Governor) Raimondo’s administration caused the state to overspend by at least $150 million as of 2019, the last time the state renewed Deloitte’s contract.”

Why is Deloitte’s performance less than ideal? Anthony Kimery of Biometric Update explains the issues facing RIBridges.

“Federal agencies, including the federal Centers for Medicare and Medicaid Services, had warned Rhode Island before the system’s launch that it was not ready for deployment….RIBridges proceeded despite clear operational risks, leading to immediate and widespread problems. The launch resulted in significant disruptions to benefits distribution, with thousands of residents experiencing delays in receiving critical assistance. Backlogs soared, with more than 20,000 cases piling up due to system malfunctions.”

After much time and effort the backlogs decreased, but the treasure trove of personally identifiable information (PII) remained a target.

“As a central repository for sensitive personal data, including financial information and health records, RIBridges became a potential target for cyberattacks. Security audits revealed vulnerabilities in the system’s defenses….Cybercriminals exploited weaknesses in RIBridges to access sensitive data. The attackers bypassed existing security measures, inserted malicious code, and obtained unauthorized access. The breach exposed flaws in the system’s technical defenses and highlighted issues with its oversight and vendor management.”

The consequences for RIBridges applicants

So now the system is down, applicants are using paper forms, and a cyber criminal is requesting a payout.

(Image by Google Gemini)

Musical Chairs, the Mid-December 2024 Edition (So Far)

There are fewer identity companies now.

  • It was just announced that SecureAuth is acquiring SessionGuardian.
  • Before that, LexisNexis Risk Solutions announced that it is acquiring IDVerse.

And that’s just in the last few days. Many more identity companies acquired new subsidiaries themselves, or were acquired.

I have no idea if these mergers and acquisitions will include layoffs of now-redundant staff, but I do know that one established company let some people go last Friday—only the latest round of layoffs in the last several months.

Why? Identity firms are buffeted by the same issues that beset the rest of tech. 

In addition, the “one trick pony” firms in the industry that only support one modality are finding that they cannot provide complete solutions. This is something Steve Craig just addressed on LinkedIn. His key takeaway:

“Document verification has become a feature, not a product”

And if all your company offers is a feature, you’d better broaden your offerings, acquire, be acquired, or die.

We’ve seen this before, when Robert LaPenta acquired a lot of one-trick ponies and forged a multimodal, multi-factor firm that was finally known as L-1 Identity Solutions before it was itself acquired. There were many other acquisitions around the same time, creating a dizzying array of musical chairs.

And in the game of musical chairs, whenever a chair is removed, someone doesn’t have a place to sit.

(Wildebeest musical chairs AI-generated image by Google Gemini)

The NIST Test You Choose Matters

(Baby smoking image designed by Freepik)

As I’ve mentioned before, when the National Institute of Standards and Technology (NIST) tests biometric modalities such as finger and face, they conduct each test in a bunch of different ways.

One of the ramifications of this is that many entities can claim that they are “the best, according to NIST.”

For example, when NIST released its first version of the age estimation tests, 5 of the 6 participating vendors scored first in SOME category.

But NIST doesn’t do this just to make the vendors happy. NIST does this because biometrics are used in many, many ways.

Let’s look at recent age estimation testing, which currently tests 15 algorithms rather than the original 6.

Governments and private entities can estimate ages for people at the pub, people buying weed, or people gambling. And then there’s the use case that is getting a lot of attention these days—people accessing social media.

Child Online Safety, Ages 13-16 (in my country anyway)

When NIST conceived the age estimation tests, the social media providers generally required their users to be 13 years of age or older. For this reason, one of NIST’s age estimation tests focused upon whether age estimation algorithms could reliably identify those who were 13 years old vs. those who were not.

By Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727.

Which, by the way, basically means that the NIST age estimation tests are useless in Australia. After NIST started age estimation testing, Australia passed a law last month requiring social media users to be 16 years old or older.

Returning to America, NIST actually conducted several different tests for the 13 year old “child online safety” testing. I’m going to focus on one of them:

Age 8-12 – False Positive Rates (FPR) are proportions of subjects aged 8 to 12 but whose age is estimated from 13 to 16 (below 17).

This covers the case in which a social media provider requires people to be 13 years old or older, someone between 8 and 12 tries to sign up for the social media service anyway…AND SUCCESSFULLY DOES SO.

You want the “false positive rate” to be as low as possible in this case, so that’s what NIST measures.

Results as of December 10, 2024

The image below was taken from the NIST Face Analysis Technology Evaluation (FATE) Age Estimation & Verification page on December 10, 2024. Because this is a continuous test, the actual results may be different by the time you read this, so be sure to check the latest results.

As of December 10, the best performing algorithm of the 15 tested had a false positive rate (FPR) of 0.0467. The second was close at 0.0542, with the third at 0.0828.

The 15th was a distant last at 0.2929.

But the worst-tested algorithm is much better on other tests

But before you conclude that the 15th algorithm in the “8-12” test is a dud, take a look at how that same algorithm performed on some of the OTHER age estimation tests.

  • For the age 17-22 test (“False Positive Rates (FPR) are proportions of subjects aged 17 to 22 but whose age is estimated from 13 to 16 (below 17)”), this algorithm was the second MOST accurate.
  • And the algorithm is pretty good at correctly classifying 13-16 year olds.
  • It also performs well in the “challenge 25” tests (addressing some of the use cases I mentioned above such as alcohol purchases).

I think they’re over 13. By Obscurasky – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7776157.

So it looks like this particular algorithm doesn’t (currently) do well with kids, but it does VERY well with adults.

So before you use the NIST tests as a starting point to determine if an algorithm is good for you, make sure you evaluate the CORRECT test, including the CORRECT data.
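The point about choosing the right test, as an added example (not NIST's code or data): it computes the false positive rate the way the two quoted definitions state it, for two hypothetical algorithms named `algo_a` and `algo_b`, over constructed subjects, and shows the ranking flipping between the 8-12 test and the 17-22 test.

```python
# Added illustration. Every subject and estimate below is constructed;
# none of these numbers come from the NIST FATE results.

# (true_age, estimate from algo_a, estimate from algo_b)
SUBJECTS = [
    (8, 8.9, 11.0),
    (10, 10.4, 13.6),
    (11, 11.8, 14.2),
    (12, 12.6, 15.1),
    (12, 13.4, 12.9),
    (14, 14.5, 15.0),   # true age 13-16: belongs to neither FPR test below
    (17, 15.8, 18.3),
    (18, 16.4, 19.0),
    (19, 16.9, 20.5),
    (21, 19.7, 16.2),
    (22, 21.0, 23.4),
]

# Column index of each hypothetical algorithm's estimate in SUBJECTS.
ALGORITHMS = {"algo_a": 1, "algo_b": 2}

CHILD_TEST = (8, 12)         # "Age 8-12" test
YOUNG_ADULT_TEST = (17, 22)  # "Age 17-22" test


def false_positive_rate(subjects, column, band):
    """Proportion of subjects whose true age lies in `band` but whose
    estimated age falls from 13 to 16 (below 17)."""
    low, high = band
    in_band = [s for s in subjects if low <= s[0] <= high]
    if not in_band:
        # An empty band means this test says nothing about the population
        # you care about; refuse to report a rate instead of returning 0.
        raise ValueError(f"no subjects with true age in {band}")
    false_positives = sum(1 for s in in_band if 13 <= s[column] < 17)
    return false_positives / len(in_band)


def ranking(subjects, band, algorithms=ALGORITHMS):
    """Algorithm names ordered best (lowest FPR) first for one test."""
    return sorted(
        algorithms,
        key=lambda name: false_positive_rate(subjects, algorithms[name], band),
    )


if __name__ == "__main__":
    for label, band in (("8-12", CHILD_TEST), ("17-22", YOUNG_ADULT_TEST)):
        for name, column in ALGORITHMS.items():
            rate = false_positive_rate(SUBJECTS, column, band)
            print(f"age {label:>5}  {name}  FPR={rate:.2f}")
        print(f"age {label:>5}  best first: {ranking(SUBJECTS, band)}")
```

An evaluator deploying a 13+ gate would read only the 8-12 rows; one deploying a check on young adults would read the 17-22 rows and reach the opposite choice.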

What Happens if the Crypto Exchanges Fail?

Some people who aren’t relying on gold to get through a possible banking system failure or other catastrophic event are placing their trust in crypto. 

ISectors, April 25, 2023:

“Bitcoin can be sent and received anywhere in the world, as long as there is an internet connection. This could be useful in a scenario where traditional banking systems fail and access to financial services is limited.”

But an internet connection isn’t the only thing you need to trade crypto.

  • You also need a crypto exchange, or some other way to trade crypto. 
  • And if that crypto exchange is hacked or goes bankrupt, you may lose your crypto…and there’s no FDIC.

A self-custodial hardware wallet sounds great…at first. All you have to do is take your hardware wallet and walk up to the dude in camouflage selling canned Spam and holding his own hardware wallet. OK. Now trade it. On your own. With no help from a peer-to-peer (P2P) trading platform or a decentralized exchange. Google Gemini:

“Hardware wallets are primarily security devices, not trading platforms. They don’t have the functionality to directly swap one cryptocurrency for another….Directly exchanging crypto would require complex cryptographic operations and blockchain interactions, which are not typically handled by hardware wallets.”

I don’t know about you, but I don’t know how to interact with the blockchain all by myself without help. And very few people do. And even those who know this stuff are mostly helpless if the internet is non-operational.

So if the banks fail and/or some other catastrophe takes place, don’t count on crypto to survive.

Frankly we do better when there’s NOT a catastrophic event, protections guard us from fraud, and the bad effects of a fake identity are minimized.

(Post-apocalyptic image from Google Gemini)

Bredemarket Health Page Updates

Most of you who developed a sudden interest in healthcare this week WON’T be interested in this, so move along.

I’ve added 3 new posts (so far) to the Bredemarket Health page since November 2024:

  • Dr. Jones MD, NPE
  • Saving Money When Filling Prescriptions: Not You, The Companies
  • Medical Fraudsters: Birthday Party People

(And no, I have no real interest in addressing the recent murder of a healthcare executive. It’s a crime. End of discussion.)

I approach health and health product marketing from both an identity and technology perspective, recognizing the similarities and differences between biometrics and biometrics, and between PHI and PII.

Know Your Recruiter “Kristen”

(4/14/2025 Fixed a typo. It’s KORN Ferry, not KORAN Ferry.)

Maybe it’s me, but I’m wondering if Kristen really works for SourceOwls. I know she has 980 followers and all, but yet…

Kristen Marty’s LinkedIn profile.

I’d post the link to Kristen’s profile, but it would probably be gone by the time you read this.

Anyway, she sent me an InMail, and I responded.

From LinkedIn.

I got my answer.

From LinkedIn.

Seriously, LinkedIn is filled with people who falsely claim that they work for SourceOwls, Korn Ferry, Kelly…even Amazon. And a verified profile doesn’t offer protection, because a verified profile only confirms identity—not employment.

Know your recruiter.