Combatting the health sector’s two biggest fraud risks

Healthcare fraud is increasingly draining resources and compromising patient safety, with identity theft and cyber fraud the biggest issues, according to professional services firm RSM Australia. 

RSM’s national health lead Jayesh Kapitan and head of fraud and forensic services Roger Darvall-Stevens said the lucrative nature of health data makes the sector an appealing hunting ground for fraudsters, with the potential to compromise patient data, disrupt critical services and impose substantial financial burdens.  

RSM has released a Healthcare Fraud white paper, discussing the impact of fraud and the standards required to prevent, detect and respond to risks of fraud, theft and corruption.

Mr Kapitan said Australia’s healthcare system is a complex mix of public and private funding sources which creates fraud opportunities, as billing and reimbursement processes can be challenging to navigate and to monitor effectively. 

“Healthcare fraud can take various forms, including billing for services that were never provided, falsifying patient records, kickbacks and pharmaceutical fraud. However, in our opinion, the sector’s two biggest fraud issues are identity theft perpetrated via cyberattacks along with cyber fraud via false invoice, where criminals prey on unsuspecting, and often very busy, hospital staff,” Mr Kapitan said. 

“It’s a numbers game. Fraudsters might send thousands of false invoices and only need a few to be paid to make it worthwhile for them, but this one lapse in vigilance can damage a healthcare organisation’s reputation and trust.” 

According to the Office of the Australian Information Commissioner, healthcare was the most targeted sector for data breaches in January-June 2023, with 15% of all reported breaches occurring in the sector. 

Mr Darvall-Stevens said it's crucial for healthcare organisations to prioritise putting in place robust processes and even then, the most robust systems can be bypassed by human error.  

“Staff training and awareness programs go hand in hand with robust processes and ongoing proactive measures to mitigate fraud risks,” he said.  

“That's the challenge – if your organisation is not keeping up with the latest fraud trends and with government and community expectations, the reputation risk is high. We are increasingly working with clients on the prevention aspect.” 
 

Manage risks: no purchase order, no payment 

As the healthcare landscape evolves, so do the methods of fraud.  

Staying vigilant and implementing comprehensive strategies to prevent and combat healthcare fraud are essential to ensure the continued integrity of the healthcare system and the well-being of patients.  

Mr Kapitan said health industry operators weigh these risks against trying to keep costs under control. 

“Cyber fraud risk is increasing in the health sector, and even though organisations have greater awareness of what to look out for unfortunately perpetrators are making more sophisticated attacks,” he said. 

“Some of the fictitious invoices produced look very authentic and that's where controls need to kick in - if you get an invoice without a valid purchase order or relevant supporting documentation included, then that invoice should be investigated before being processed.” 

As reliance on electronic health records increase and sensitive patient information is shared amongst providers, cybercriminals target these records through tactics like ransomware attacks, data breaches and phishing schemes. Scamwatch has reported ‘Phishing’ as the leading scam category reported in 2023.  

“A breach of electronic health records not only jeopardises patient privacy but also has the potential to lead to identity theft, fraudulent medical billing and unauthorised access to prescription medications or government benefits, causing serious harm to individuals,” Mr Darvall-Stevens said. 

“Concerningly, the reliance on telehealth appointments, especially during and post the COVID-19 pandemic, has opened new avenues for fraudsters to impersonate healthcare providers or infiltrate video consultations. 

“Our healthcare sector must remain vigilant in bolstering its cybersecurity measures, training staff to recognise cyber threats, and adopting robust encryption and access controls to mitigate these cyberfraud risks and ensure the integrity of healthcare services and patient data.” 

Prevention and detection of healthcare fraud 

The Australian Standard AS 8001:2021 Fraud and Corruption Control (“AS8001:2021”) has been Australia’s nation’s pre-eminent guide for government and corporates on how to prevent, detect and respond to risks of fraud and corruption. Mr Darvall-Stevens said the key is implementing a robust anti-fraud program, creating and regularly updating policies and procedures that clearly outline the organisation’s approach to fraud prevention and detection.  

“We recommended regular risk assessments to identify areas where fraud is most likely to occur – for example, evaluating billing processes, financial transactions and data security. Staff should receive regular training on recognising types of fraud and how to report suspicions,” he said. 

Another effective detection method is to implement fit-for-purpose whistleblower reporting mechanisms. The Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022 Report found 58% of fraud in the Asia-Pacific region is detected by a tip.

“It’s imperative for healthcare organisations to provide avenues for employees, contractors and other stakeholders to report suspected fraud and corruption. Establish secure, anonymous and easily accessible reporting channels where individuals can safely report concerns,” Mr Darvall-Stevens said. 

“In addition, ensure your organisation has a robust data analytics program, used as an early detection tool to identify unusual patterns and anomalies in claims, billing, and patient data. This can help prevent fraudulent activities before they escalate, reducing financial losses. 

“Data analytics can also be used for predictive modelling to forecast fraud risks based on historical data, allowing healthcare organisations to take pre-emptive measures to prevent fraud.” 

Healthcare fraud is a growing trend in Australia, with various areas of vulnerability. As the healthcare landscape evolves, so do the methods of fraud. Mr Kapitan and Mr Darvall-Stevens agree that staying vigilant and implementing comprehensive strategies to prevent and combat healthcare fraud are essential to ensure the continued integrity of the healthcare system and the well-being of patients.  

“The risks are high, making fraud a significant issue for the sector. There is a definite need for ongoing proactive measures to mitigate risks,” they said.