For health and life sciences companies, cybersecurity is not just an IT issue

My Take

For health and life sciences companies, cybersecurity is not just an IT issue

By Amry Junaideen, Risk & Financial Advisory Life Sciences and Health Care leader, Deloitte & Touche LLP

In a My Take earlier this month, I explained that cybersecurity and risk should be part of the conversation when life sciences and health care leaders discuss their long-term business strategies. But communicating the value of investments in cybersecurity to senior leaders and board members can be challenging because cyber is often perceived as being highly technical. Moreover, some leaders might see cybersecurity as an IT issue rather than a critical component of business strategy. While we are seeing a shift in the mindset among many board members and executives, there is considerable room for further evolution.

Cyber criminals tend to see tremendous value in the patient data collected and stored by health and life sciences organizations. Electronic health records (EHRs), for example, could contain a wealth of exploitable information—everything from demographic information to work history to financial information. This information can be worth substantially more on the black market than bank records and other types of data.¹ While there is tremendous value in patient data (and in other types of sensitive information, such as drug-development pipelines), there are often fewer safeguards to protect it when compared to other industries. This has made health and life sciences companies prime targets for cyberattacks. At the same time, pressure to reduce health care and health coverage costs could make it difficult to get leadership’s attention when it comes to cybersecurity. Moreover, the proliferation of connected medical devices, wearables, and data-gathering health apps could create a bigger opening for threats.

In 2018, health care led all industries in the volume of cybersecurity breaches—accounting for about 25 percent of more than 750 reported incidents, according to a report released last month.² That year, about 15 million patient records were impacted—nearly triple the number reported just one year earlier.³

Seven strategies for creating a culture of cybersecurity

So what works and what doesn’t work when it comes to communicating key priorities around cybersecurity? The Deloitte Center for Health Solutions recently posed that question to chief information security officers (CISOs), chief information officers (CIOs), and C-suite executives from biopharma, medical device manufacturers, health plans, and health systems who are involved in making decisions around cybersecurity. Our interviewees agreed that having a cyber-literate board and cyber-savvy leaders is important. From our conversations, we distilled seven themes that could help prepare boards and senior leaders to make the decisions needed to counter growing cyberthreats.

1. Create a dialogue to engage leadership and build trust: Our interviewees told us that they want to provide senior leaders and board members with the information they need to make operational and strategic decisions. They agreed that it takes time to help leaders understand how cybersecurity impacts specific business functions. Our interviewees said their role is to provide leaders with a deeper understanding of the core elements of cybersecurity. They also need to build the credibility and trust so board and senior leaders feel comfortable making decisions based on recommendations from the security team.
2. Use the power of storytelling: Storytelling can be more powerful than PowerPoint when addressing leadership. Industry experts, as well as many of our participants, suggest building a “story inventory” to help illustrate relevant situations to board members and senior leaders.⁴ One interviewee from a life sciences organization said he and his team typically prepare for board meetings by building stories around a few recent cyber incidents that occurred in the organization. Connecting specific incidents with specific business functions can help organization leaders make better decisions around addressing risks and managing processes.
3. Use simulations to illustrate that a “cyber everywhere” mentality is the new norm: As health care and life sciences organizations expand their digital footprint and store more data in the cloud, cyber risk expands to every department and could impact all patients and customers. Cyber risk management can no longer be assigned to the IT members. Our interviewees agreed that cyber-risk simulations can help an organization stress-test its readiness, identify capability gaps, and determine where additional training or preparation might be needed. Wargaming is an increasingly important strategy to create plausible scenarios and develop collective buy-in.
4. Explain how the cyber team collaborates with organizations inside and outside of the industry: Many of our interviewees said leadership is often interested in how their security team collaborates with teams at other life sciences and health care companies. While health and life sciences companies compete with each other, they don’t compete on cyber security. Collaboration among CISOs and their equivalents is a big factor in many cybersecurity strategies. This can occur through a combination of official and informal channels—such as the Health Information Sharing and Analysis Center (H-ISAC), consortia, meetings, and just having other CISOs on speed dial. Cross-industry collaboration is another important strategy. Businesses and governments can collaborate to leverage lessons learned and leading practices. Some industries are working together to develop strict standards for cybersecurity. A few of the CISOs we interviewed said they look to Silicon Valley and other creative hubs to stimulate thinking on cybersecurity innovation.
5. Use metrics to quantify risk: Putting cybersecurity into financial terms can help executives make more informed decisions. While there is no standardized way to quantify risk, our interviewees agreed that a metrics-driven approach can help connect the dots back to the mission of the organization, and back to specific business functions. They noted that their role is to help make leadership comfortable with the reality that everything cannot be protected equally. Organizations should have clear agreement and an understanding about which data are most critical to the enterprise, where data resides, how it is collected and shared, and the potential impact if it is compromised.
6. Be prepared to answer and defend questions related to cybersecurity investments: Company leaders often ask CISOs how much the organization should invest in cybersecurity. But no amount of money can make the risk disappear, as one interviewee noted. While the long-term costs associated with data breaches can be difficult to quantify, brand, reputation, patient safety, and consumer trust can all be affected. Interviewees noted that while funding usually isn’t a problem, there are some concerns that leadership and board members could become numb to the constant headlines and discussions of threats. Many organizations have had cyber incidents, but those events might have had minimal financial implications. Some of the CISOs and CIOs said it is important that they effectively explain how the threat landscape is evolving. The metrics they report on and the context they provide should strike the right balance between the threat landscape and what they can do to manage the risk.
7. Regularly assess talent models and their potential impact on the organization: Attracting and retaining skilled talent was a top-of-mind concern for many of our interviewees. While growing talent is often part of the job for CIOs and CISOs, many of our interviewees said traditional recruiting and retention models were failing them. Some organizations are paying less attention to formal education in favor of on-the-job training. One popular strategy is to recruit people who have business and communication skills and train them on the technical skills and knowledge. Indeed, the technical elements of cybersecurity are sometimes easier to teach than the skills needed to effectively communicate with leadership.

While organizations should take measures to prevent breaches, the reality is not all cyberattacks will be prevented. Part of a cybersecurity plan should be to minimize the damage from potential breaches by having documented and tested resilience and crisis-management strategies. The role of CISOs and CIOs has expanded beyond the walls of the IT department, and these professionals could play an invaluable part when it comes to helping board members and leadership understand potential threats and respond to them appropriately.

Email | LinkedIn

¹ Security trends in the healthcare industry, IBM X-Force Research (https://www.ibm.com/downloads/cas/PLWZ76MM)
² Data Security Incident Response Report
³ Erin Dietsche, 11 cybersecurity tips from the first federal chief information security officer, Med City News, February 13, 2019
⁴ Frederick Schnoll, Better security through storytelling, CSO Online, January 30, 2017

Back to top

In the News

House, Senate legislation would prohibit ‘surprise billing’

On May 14, the House Energy and Commerce Committee released bipartisan legislation to curb surprise medical billing practices. The No Surprises Act, introduced by Chairman Frank Pallone (D-N.J.) and Ranking Member Greg Walden (R-Ore.), would prohibit balance billing for emergency and scheduled health care services. Members of the House and Senate have pushed for solutions to reduce unexpected medical bills, which can contribute significantly to medical debt (see the February 12, 2019 Health Care Current). Surprise medical bills can occur when a patient is unable to choose an in-network provider, such as during an emergency or when care is delivered in a medical facility with a limited number of network clinicians. The legislation would require that patients who are scheduled to receive care are given written and oral notice of their provider’s network status at the time of scheduling. Further, the legislation sets a benchmark payment rate for settling out-of-network care payment disputes based on the average in-network payment rate in the service area. The House Ways and Means Committee is holding a hearing on surprise medical bills on May 21.

On May 16, several weeks after reaching out to health plans, hospitals, and other stakeholders for feedback, a bipartisan Senate working group led by Bill Cassidy (R-La.) released a different bill aimed at preventing surprise billing. Unlike the legislation proposed by the House Energy and Commerce Committee, this bill contains “baseball-style” arbitration for addressing out-of-network services—each side would propose a price and an arbiter would choose a rate that both parties would have to accept (see the April 9, 2019 Health Care Current). The Senate bill, called Stopping the Outrageous Practice (STOP) of Surprise Bills Act, would prevent providers from issuing balance bills:

• If emergency services are provided by an out-of-network facility or by an out-of-network clinician
• If a patient requires additional medical care at an out-of-network facility after an emergency but can’t travel
• If an elective service is provided in an in-network facility by an out-of-network clinician

Under STOP, patients would be liable for what they would pay in-network, plans would pay providers at the median in-network rate, and health systems and hospitals would absorb the difference. The bill would give plans and providers 30 days to appeal or initiate a dispute resolution process—which would not affect what consumers pay. During a dispute, the US Department of Health and Human Services (HHS) would certify “unbiased” arbiters, who would base their decisions on “commercially reasonable” rates for in-network payments in the area.

Back to top

House passes legislative package aimed at drug costs, health law

On May 16, House Democrats and five Republicans voted to pass House Resolution 987, a legislative package of seven bills. Three of the bills are bipartisan measures targeting prescription-drug costs, including a proposal restricting anti-competitive activity from pharmaceutical manufacturers (see the May 7, 2019 Health Care Current). The remaining four bills in the package address health insurance by restoring funding for outreach efforts to help consumers purchase health plans through insurance exchanges and banning short-term, limited-duration (STLD) plans.

Back to top

CMS drops proposal that would have allowed Part D drug exclusions

In a final rule issued May 16, the US Centers for Medicare and Medicaid Services (CMS) reversed course on a proposal that would have allowed Medicare Part D plans to exclude a protected drug class from their formularies. Today, Part D plans must include all drugs from the six protected classes: (1) antidepressants, (2) antipsychotics, (3) anticonvulsants, (4) immunosuppressants for treatment of transplant rejection, (5) antiretrovirals, and (6) antineoplastics. In a proposed rule last November, the agency proposed allowing plans to omit some drugs because of price increases or if a drug is a new formulation of an existing therapy. CMS said it abandoned the proposal in response to industry pressure.

Reducing drug prices continues to be a priority for the administration, which issued its Blueprint to Lower Drug Prices and Reduce Out-of-Pocket Costs in May 2018 (see the October 16, 2018 Health Care Current). The final rule also highlights the agency’s efforts to accelerate the use of electronic Real Time Benefit Tools (RTBT) in the Part D program. CMS is requiring each Part D plan to adopt one or more RTBT that can integrate with at least one prescriber’s ePrescribing system or EHR no later than January 1, 2021.

(Source: CMS, Medicare Advantage and Part D Drug Pricing Final Rule (CMS-4180-F), May 16, 2019)

Back to top

CMS issues guidance limiting ‘spread pricing’ in Medicaid and CHIP managed care plans

On May 15, CMS released new guidance for Medicaid and Children’s Health Insurance Plan (CHIP) managed-care plans regarding medical-loss ratio (MLR) calculations. The agency has expressed concern that “spread pricing” is not accurately represented and reported in the calculation. Spread pricing occurs when pharmacy benefit managers (PBMs) charge health plans a specific amount for a drug, reimburse pharmacies at a lower rate, and then keep the difference—resulting in a spread between the payment and reimbursement amounts. MLR, a provision of the Affordable Care Act (ACA), refers to the percentage of premium revenue that goes toward clinical services and quality improvement, rather than administrative costs and profits.

CMS requires Medicaid and CHIP managed-care plans to exclude prescription-drug rebates from the cost of health services used to calculate MLR. The new guidance further clarifies that “prescription-drug rebates” means any discount received by the health plan or its PBM, regardless of who pays the rebate.

Spread pricing has been an ongoing topic of discussion in Congress. During a Senate Finance Committee hearing last month, Senators Charles Grassley (R-Iowa) and Ron Wyden (D-Ore.) told witnesses, all of whom represented PBMs, that they’d asked HHS to investigate spread pricing (see the April 16, 2019 Health Care Current).

(Source: CMS, CMS Issues New Guidance Addressing Spread Pricing in Medicaid, Ensures Pharmacy Benefit Managers are not Up-Charging Taxpayers, May 15, 2019)

Back to top

Americans filled 5.8 billion prescriptions in 2018, study finds

Americans filled 5.8 billion 30-day equivalent prescriptions in 2018 (17.6 prescriptions per person), up 2.7 percent from the prior year, according to the IQVIA Institute for Human Data Science’s report, Medicine Use and Spending in the U.S.

According to the 60-page report:

• More than two-thirds of prescriptions are for chronic conditions, which are increasingly filled with 90-day prescriptions and are thought to result in better adherence to prescribed regimens
• Retail and mail pharmacies dispensed 127 million specialty prescriptions last year, an increase of 15 million since 2014
• While specialty drug prescriptions increased more than 5 percent between 2017 and 2018, these drugs make up just 2.2 percent of all prescriptions.

The report also notes that patient out-of-pocket costs increased in 2018 to an estimated $61 billion, with Medicare patients facing higher annual out-of-pocket costs than patients in commercial plans or those enrolled in Medicaid. Nearly 9 percent of all patients—and 20 percent of Medicare Part D patients—have out-of-pocket costs of more than $500 a year, according to the report.

(Source: IQVIA, Medicine Use and Spending in the U.S., A Review of 2018 and Outlook to 2023, May 9, 2019)

Back to top

State health news

• On May 13, Washington state Governor Jay Inslee (D) signed the nation’s first public health insurance option bill into law. The legislation requires the Washington Health Benefit Exchange—the state-run insurance exchange—to contract with one or more health insurers to create bronze, silver, and gold plans, which will be sold through the exchange beginning in January 2021 (see the January 15, 2019 Health Care Current).
• Maryland Governor Larry Hogan (R) signed 181 bills into law on May 13, including legislation that will allow uninsured individuals to apply for health coverage using their tax returns (see the April 2, 2019 Health Care Current). The state’s new income tax-return forms will include a box for uninsured Marylanders to check. The state’s treasury can then send this form to the Maryland Health Connection insurance exchange to determine whether an individual qualifies for federal premium subsidies. Another new law will allow the state-run exchange to provide tax credit subsidies to small businesses that offer health coverage benefits to their employees.
• During a May 14 round-table meeting with small-business owners, California Governor Gavin Newsom (D) announced his plan for the state to offer health insurance subsidies (of $100 per month) to people who earn up to 600 percent of the federal poverty level (FPL). According to Newsom’s budget, the state would create the subsidies by implementing a statewide individual mandate that would require uninsured Californians to pay a penalty. Although the 2017 Tax Cuts and Jobs Act zeroed out the individual-mandate penalty, several states have enacted legislation requiring residents to purchase health insurance (see the January 29, 2019 My Take).

Back to top

Breaking Boundaries

Can tech companies and apps help cut smoking rates?

Reducing smoking rates among Medicaid recipients by just 1 percent could save the program $2.6 billion in just one year, according to a recent study published by the University of California, San Francisco. More than 50 years have passed since the US Surgeon General issued the landmark report on the health effects of smoking. While smoking rates have fallen dramatically since then, 14 percent of all adults—and 24.5 percent of adult Medicaid recipients—smoke.

Most Medicaid plans, Medicare Advantage (MA) plans, and commercial health plans offer evidence-based approaches to smoking cessation. These include a mix of prescription medications, over-the-counter drugs, and counseling. A number of technology-focused companies are developing apps and services to increase access and uptake of these services among the millions of people who are trying to quit. Health technology company Ro charges a monthly subscription fee for its Zero Quit Kit—a multi-pronged, end-to-end approach to quitting. The service creates a personalized program that combines evidence-based strategies, such as medications, counseling, and other supportive tools.

Digital health company Carrot Inc. offers Pivot, an app that incorporates lessons, activities, and coaching (via in-app chat) to personalize the experience to each user’s needs and readiness to quit. The app can be paired with a Bluetooth-enabled mobile sensor that measures carbon monoxide in the user’s breath. Carbon monoxide (one of the toxins in cigarette smoke) clears from the body rapidly, and Pivot users can watch this number fall as they go longer without smoking. The company says it offers one of the only apps that provides this real-time feedback, which can be motivational.

Related: The US health care system has long been criticized for focusing on acute care and waiting until a person develops symptoms or a chronic condition before intervening. Public health and prevention-minded stakeholders say the current system is not doing enough to prevent illness and save money on health care spending. Earlier this month, lawmakers put forth a bipartisan, bicameral effort to change the way the Congressional Budget Office (CBO) scores savings from health-related bills. CBO typically looks at 10 years’ worth of savings when it scores a bill, but some stakeholders say that to accurately capture the savings from smoking cessation programs, a longer look is likely needed. The bill would have CBO consider up to 30 years’ worth of possible savings when scoring future health bills.

Back to top