Sunday, June 22, 2008

Fear Factor: Your Social Insecurity Card

"We don't want to scare them."

"They" are the more than 40 million Americans who carry Medicare cards. And the comment above is one of the reasons Charlene M. Frizzera, chief operating officer of the Centers for Medicare and Medicaid Services, says her agency does not want to remove Social Security numbers from those cards, even though an inspector general's report has warned that they make participants in the federal health program vulnerable to ID theft.

Cost is another reason for not removing the Social Security numbers, officials from the federal health program tell Robert Pear of the New York Times. Creating new Medicare cards would be a "huge undertaking" that would take eight years and perhaps cost $500 million, the officials said.

As it happens, bipartisan legislation approved by the House Ways and Means Committee last year would force Medicare administrators and others in the public and private sector to do more to protect Social Security numbers.

However, as I point out in my latest "Futurist" column for Congressional Quarterly (Your Insecurity Card, CQ Weekly, June 23) the widespread use of the numbers over seven decades makes such efforts a bit like trying to put salt back into a shaker through the little holes on top.

The Ways and Means bill does take a stab at a more complicated notion: banning the use of Social Security numbers as an way to "authenticate" identity.

Using Social Security numbers for authentication is the equivalent of trying to use one's name, phone number or other equally obvious or accessible piece of personal data as a secret password. But plenty of organizations continue to do just that. As an example, I mention my local cable provider, which asks subscribers for the last four digits of their Social Security numbers as part of an automated process for contacting technical support over the phone.

The Ways and Means measure calls for the National Research Council to examine such practices and evaluate alternative forms of authentication. My column mentions a couple of options, some of which are widely used today.

By the way, that $500 million price tag offered by the Medicare officials in the New York Times story is questionable. A Congressional Budget Office analysis of the Ways and Means bill estimated the cost of issuing new Medicare cards without Social Security numbers would be $25.5 million over four years. That estimate assumes that the Centers for Medicare and Medicaid Services would continue using Social Security numbers behind the scenes to process and pay claims, even after it removed the numbers from the Medicare cards. CBO did note that changing Medicare computer systems in order to stop using Social Security numbers entirely "would be more expensive than removing the claim number from the card," but the report does not say by how much.

Other good resources on issues related to protecting Social Security numbers include the Electronic Privacy Information Center; congressional testimony last year from the U.S. Government Accountability Office; and a 2005 AARP research report: "Protecting Social Security Numbers from Identity Theft."

(Social Security card image above: House Ways and Means Committee)

No comments: