Interconnectivity among Health Care Stakeholders could increase Cyber Threats

Health Care Current | March 6, 2018

This weekly series explores breaking news and developments in the US health care industry, examines key issues facing life sciences and health care companies and provides updates and insights on policy, regulatory, and legislative changes.

My Take

Interconnectivity among health care stakeholders could increase cyber threats

By Kevin Brault, Federal Health Sector Leader, Deloitte & Touche, LLP

The annual Healthcare Information and Management Systems Society (HIMSS) conference kicks off this week. Looking through the agenda, I see a good mix of session topics covering electronic health records (EHRs), advancement of medical devices and health IT, and interoperability of systems and applications to exchange patient data. There also are sessions devoted to the important issues of protecting patient data and enhancing cybersecurity.

Health care devices connect to the internet, which connect to hospital systems, which connect to each other. While the threat of a breach or known vulnerability has become a daily topic of discussion, stakeholders (providers, medical device manufacturers, laboratories, etc.) have varying levels of preparedness for dealing with these cybersecurity threats.

Among some providers, cybersecurity can be low on the priority list
For some health systems and physicians, the quality of patient care is the top priority, while cybersecurity near the bottom. However, the cybersecurity of devices and systems that support health care delivery is closely tied to patient safety. For example, cardiac rhythmic devices might transfer protected health information (PHI) through a smartphone, or a physician might transmit potentially lifesaving prescriptions to a pharmacy via the internet. If devices do not have protections in place to prevent cyber threats, the health and safety of the patient could be at risk. Recall August 2017, when the US Food and Drug Administration issued a voluntary recall of 465,000 pacemakers after cyber vulnerabilities were identified.1

Large hospital systems and health plans typically have more sophisticated tools, vendor relationships, and dedicated staff to ensure that patient data, PHI, and the systems and devices that support care delivery are as secure as possible. However, that same type of information also resides in the EHRs of a small physician practice, the computer system used by a mom-and-pop drug store, or the records of a rural dentist office. Smaller entities typically do not have the personnel, money, or resources needed to safeguard patient data, or to patch their systems enough to protect them from threats. Without targeted communications and education related to cybersecurity, these resource-constrained stakeholders might never see cyber threats emerge. This can make some smaller health care groups the weak links in defending the sector.

Creating a culture of change and collaboration within health care
The health care industry has a significant opportunity to advance its cybersecurity practices and increase communications even as technological capabilities grow. The Office of the Assistant Secretary for Preparedness and Response (ASPR)—which coordinates communications with states and health care stakeholders during natural disasters—has already established lines of communication with the health care sector, and could rapidly disseminate and gather information about cybersecurity threats. From my vantage point, closely partnering with ASPR, as well as other well-established groups—such as the HITRUST Alliance, the National Health Information Sharing and Analysis Center, and HIMSS—could extend the reach of stakeholders and reinforce their communication efforts.

When building a communications strategy for cyber threats, health care stakeholders should consider:

  • Which providers we are trying to reach?
  • When do we need to reach them? 
  • How often do we need to reach them? 
  • What services should we provide to them?
  • What form should communications take?

We also should determine if health care stakeholders need more than just information about potential threats. Do they also need education, information about leading practices, or guidelines to protect themselves? A web portal or toolkit, for example, could offer basic information about cyber threats in a one-stop-shopping environment.

Collaborative cybersecurity from a federal perspective
The 2015 Cybersecurity Information Sharing Act encourages businesses and the federal government to share cyber-threat information in the interest of national security. A provision of that law calls on the US Department of Health and Human Services (HHS) to assemble a panel of industry and government experts to answer questions related to cybersecurity in health care. This led to the June 2017 Report on Improving Cybersecurity in the Health Care Industry. Some notable recommendations from the report include the creation of a “cyber czar” within HHS to coordinate all cybersecurity efforts and push information and best practices out to the health care sector. The cyber czar would also work to increase outreach and education across the sector, secure legacy devices and systems, and create models to support small, medium, and rural organizations that do not have in-house cybersecurity resources.

Several of the report’s recommendations—such as the development of a software bill of materials—have gained traction. This bill of materials could inform patients and providers about the software installed on each medical device. It also could provide stakeholders with a way to reach out to manufacturers to patch potentially vulnerable devices.

Cybersecurity is part of patient safety
The US health sector has remained largely unscathed from recent high-profile cyber incidents such as WannaCry, Not Petya, and Meltdown/Spectre. However, the sector remains a target for malware, phishing, and ransomware attacks due to the diversity and depth of data, ease of access, and interconnectedness of the industry.

The health care industry has a great opportunity to use cybersecurity to protect the whole patient. This goes beyond the patient’s physical, mental, and emotional health, and addresses other measures of wellbeing (e.g., patient privacy, financial security, and socioeconomic status). The growing interconnectivity between medical devices, health IT, EHRs, wearable devices, and patient access to their own data has made the inclusion of cybersecurity a critical component of the patient safety and protection discussion.

PS: If you’re at HIMSS this week, send me a note or stop by our Deloitte booth (2821) to continue this conversation.

Email | LinkedIn | Twitter

1 FDA notice, August 29, 2017:


Subscribe to receive the Health Care Current via email

In the news

Congress increases focus on addressing opioid crisis

In back-to-back congressional hearings last week, lawmakers from the House and Senate heard details about the opioid crisis and explored strategies to address it. On February 27, the Senate Health, Education, Labor and Pensions (HELP) Committee held a hearing to discuss how technology, data, and electronic prescribing (e-prescribing) could be used to curb opioid abuse. Witnesses encouraged lawmakers to create an integrated data environment that could improve access to state and local information.

Witnesses suggested that integrating data could enhance predictive capabilities, which would give health care providers and health plans the ability to intervene earlier with at-risk patients. Integrated data also could help identify locations with high instances of opioid abuse so that more resources could be deployed to those areas. These calls for data sharing were not without concerns for privacy and security, however. Witnesses stressed the need for strict standards around data sharing.

E-prescribing was another key topic during the hearing. One witness noted that only 20 percent of physicians write electronic prescriptions, which leaves gaps in data analysis and creates a lack of visibility. She testified that mandatory e-prescribing of controlled substances could make it much harder for people to find pharmacies that will fill their prescription multiple times. Those opposed to mandatory e-prescribing cited concerns about putting more burden on physicians. The HELP Committee is scheduled to hold another hearing on March 8, “The Opioid Crisis: Leadership and Innovation in the States.”

On February 28, the House Energy and Commerce (E&C) Committee also held a hearing on opioids. The committee is considering a number of bills related to opioids that address the safe disposal of controlled substances, access to telemedicine services, mandatory provider education, and the control of illicit synthetic drugs.

Related: The two hearings were held during a week when other policymakers and agency leaders were focused on opioids.

  • On March 1, the White House convened cabinet members to discuss the opioid crisis. Attendees included secretaries from HHS, Department of Veterans Affairs, and the Department of Housing and Urban Development.
  • A bipartisan group of eight senators introduced a second version of the Comprehensive Addiction and Recovery Act (CARA) bill, which would authorize $1 billion a year to combat the opioid crisis.
  • Department of Justice (DOJ) Attorney General Jeff Sessions announced plans to file a statement of interest in the lawsuits against opioid manufacturers and distributors. The DOJ intends to argue that the federal government has borne costs from the opioid epidemic and seeks reimbursement.

Governors release bipartisan blueprint to build high-quality, low-cost health care

Governors from five states say bipartisanship and health reform are not mutually exclusive. In a “blueprint” released on February 23, Democrats John Hickenlooper (Colo.) and Tom Wolf (Pa.), Republicans John Kasich (Ohio) and Brian Sandoval (Nev.), and Independent Bill Walker (Alaska) outlined a series of strategies that they say all state leaders can use to improve their health care systems.

The authors of the blueprint based their strategies on principles for reform that both parties share. These values include making health care more affordable for all Americans, stabilizing the insurance markets, encouraging innovation, and instituting effective regulations.

The governors rejected the idea that there are only two ways to reform the health care system—a Republican way and a Democrat way. While certain strategies might differ from state to state, they said it is important to work toward a high-performing and affordable system overall. This includes the willingness to compromise. Additionally, both parties must accept responsibility for the outcomes—whether positive or negative—for whatever actions are taken, they explained in the blueprint.

20 states sue federal government over ACA

While bipartisan activity is taking place among some governors, Republican attorneys general from Texas and Wisconsin are leading a coalition of 20 states are challenging the constitutionality of the Affordable Care Act (ACA). In a lawsuit filed February 27, Texas Attorney General Ken Paxton said the administration’s recent decision to eliminate the individual mandate penalty renders the ACA unlawful. The tax reform law, which was enacted in late December, eliminated the tax penalty but not the mandate itself. The penalty, according to the lawsuit, is a core provision of the law. The US Supreme Court upheld the ACA in 2012 when it determined the penalty for people who did not have health coverage was a tax and allowed under the Constitution.

The DOJ has not yet publicly commented on the lawsuit.

MACPAC discusses Drug Rebate Program, substance use disorder confidentiality

At its March 1 meeting, the Medicaid and CHIP Payment and Access Commission (MACPAC) discussed ways to improve both the Medicaid Drug Rebate Program and privacy protections for patients who have substance use disorder (SUD).

The Medicaid Drug Rebate Program was created to reduce the cost of prescription drugs for state Medicaid programs. It requires drug manufacturers to provide states with rebates for the products covered by their Medicaid program. In return, state Medicaid programs generally cover all of a manufacturer’s drugs. Rebates for drugs classified as brand-name are larger than for those classified as generic.

According to the Office of the Inspector General, 3 percent of drugs were potentially misclassified. However, the only redress the government has for misclassification is to terminate its agreement with a manufacturer (and all of its covered drugs). While the agency does not have authority to address specific noncompliant drugs, presenters and MACPAC officials discussed a statutory revision that would allow the US Centers for Medicare and Medicaid Services (CMS) to suspend particular drugs or impose monetary penalties.

Following that discussion, MACPAC officials examined conflicting confidentiality regulations for SUD patients under the Health Insurance Portability and Accountability Act (HIPAA). One rule prohibits certain health information disclosures that HIPAA would allow, including to a patient’s physicians and health plan. In addition to potentially complicating care coordination, the conflicting rules can make it difficult for providers and health plans to determine financial risk. Moreover, as states amp up their prescription-drug monitoring programs in response to the opioid crisis, this situation could put some patients at risk. Presenters suggested that HHS could help by issuing guidance and offering technical assistance and education to providers, health plans, state Medicaid programs, and patients and their family members. Several MACPAC officials said it might be helpful if provisions that protect SUD patients from discrimination were incorporated into HIPAA.

MACPAC will revisit these topics at a future meeting.

Out-of-pocket health care costs can add up for Medicare beneficiaries

Some of the nearly 60 million seniors covered by Medicare devote more of their household income to health expenses than do non-Medicare enrollees, according to a report released March 1 by the Kaiser Family Foundation. Premiums, cost-sharing requirements, and gaps in coverage can add up to a significant expense for some Medicare enrollees, according to the report. In 2016, health expenses accounted for 14 percent of household spending among Medicare beneficiaries. By contrast, health care spending accounted for 6 percent of spending in households that did not have a Medicare member. The report excludes out-of-pocket spending related to nursing homes and other long-term care facilities, which can be a significant expense for Medicare enrollees.

Researchers also found that health care spending among Medicare beneficiaries increases with age as health care needs grow and spending on other items declines. Medicare beneficiaries under age 65, who qualify for coverage due to a permanent disability, spend a smaller percentage of household income on health expenses when compared to enrollees who are 65 or older. The report is based on data from the Bureau of Labor Statistics 2016 Consumer Expenditure Survey.

Severe flu season prompts FDA to explore why vaccine wasn’t more effective

This year’s unusually harsh flu season contributed to a record number of hospitalizations and nearly 100 pediatric deaths, according to the FDA. In response, the agency wants to look into why this year’s vaccine wasn’t more effective, and make improvements for next year, FDA Commissioner Scott Gottlieb, M.D., said February 26 in a prepared statement.

According to the US Centers for Disease Control and Prevention (CDC), preliminary vaccine effectiveness against one particular strain of influenza, H3N2, was 25 percent. While the vaccine was 51 percent effective in children between the ages of six months and eight years, it was just 17 percent effective in adults 65 years and older. The vaccine’s effectiveness against other flu strains (H1N1 and influenza B) was 67 percent.

The composition of next season’s flu vaccines was the subject of an FDA advisory committee meeting March 1. Each year, the FDA convenes this panel to consider recommendations from the World Health Organization (WHO) about what to include in the next batch of vaccines.

Scientists from the FDA are working with colleagues at CMS to analyze a database of 4 million people who received the vaccine to determine whether they were hospitalized for influenza or treated with antiviral medications for influenza-like symptoms, according to Gottlieb.

While the flu season appears to have peaked, the FDA warns that it could continue to cause illnesses into April.

ACOs appear to save more by spending less on inpatient, post-acute care

Accountable care organizations (ACOs) might save money in the long run by spending more on office visits and less on inpatient and post-acute care, according to a study in the March 2018 edition of The American Journal of Accountable Care.

The authors relied on public data from CMS to examine ACOs’ expenditures between 2013 and 2016. They found a 0.46 percent increase in savings for every 1 percent decrease in inpatient spending, and a 0.82 percent increase in savings for every 1 percent decrease in spending on skilled nursing facilities. Additionally, ACOs that saved tended to spend more on physician and hospice services than other ACOs.

Patients who receive more care in an office setting tend to need fewer hospitalizations than other patients, according to the study. Moreover, effectively transitioning between inpatient and post-acute care settings can reduce costs, the authors noted.

Breaking Boundaries

Voice assistants in health care could innovate many tasks

Voice assistants—including Amazon’s Alexa and Echo Dot, Siri® by Apple Inc., Google Home, and Microsoft Cortana—are becoming more prevalent in homes. A new report from Healthcare IT News highlights many of the ways hospitals and health systems are beginning to use these devices as well.

Beth Israel Deaconess Medical Center in Boston, Northwell Health in New York, and Libertana Home Health in Los Angeles are a few of the hospitals that are incorporating voice assistants into their workflow processes. Some hospitals are building skills—programming certain tasks—into the assistants. Some use cases allow inpatients to ask the assistant questions. For instance, what is on the lunch menu? Or when will the doctor be here? The assistants also can replace the decades-old pull cord, as well as more modern nurse call systems.

Some hospitals are experimenting with use cases in the home, where voice assistances can tell patients how long they might have to wait to be seen at emergency rooms or urgent care centers in their area. Home health providers are building applications that connect to virtual assistants, to continue to innovate aging at home. Uses in the home include giving patients “drop-in” visits with individuals who may want to check up on them in another part of their house, instead of having an intercom system. Patients can also sync the assistants to their calendars. They can remind patients to take medications, drink fluids, exercise, or to schedule doctor appointments. Assistants can also comfort patients at home—by streaming relaxing music, playing interactive cognitive games with them, and by providing directions for a task. The devices also give patients a way to contact the home health care staff directly, using only voice commands.

ROI of virtual assistants

There isn’t yet any hard return-on-investment data for hospitals and home health care organizations that integrate virtual assistants into their workflow and care processes. At this point, it seems that early adopters are excited to experiment and see what the technology can do. Learning how best to use the virtual assistants can take time. For now, many organizations are collecting data on patient satisfaction, ease of use, and whether patients feel empowered by the technology. As with many technologies, virtual assistants are likely to improve over time and adopt more skills.

For now, commercially available voice assistants are for group settings—meaning they may be used by multiple people in a house, or different patients who come and go from a hospital room—and are not recommended to transmit sensitive personal health information. While newer releases have shown that the assistants can get better at distinguishing the voices of multiple people in a household, the technology is not yet sophisticated enough for most health systems to securely transmit sensitive information through the devices.

Did you find this useful?