Six degrees of IoT: In a hyper-connected world, how can health care and life sciences firms keep data safe?
Health Care Current | October 15, 2019
This weekly series explores breaking news and developments in the US health care industry, examines key issues facing life sciences and health care companies, and provides updates and insights on policy, regulatory, and legislative changes.
By Amry Junaideen, Risk & Financial Advisory Life Sciences and Health Care leader, Deloitte & Touche LLP
Remember six degrees of separation? This is the idea that every person on the planet is no more than six social connections away from any other. If each person on the planet knows at least 44 others, the number of potential contacts tops 7 billion in just six steps (44 to the sixth power).1
Similarly, the Internet of Things (IoT) can connect people, their devices, and their data to clinicians, health systems, pharmaceutical companies, researchers, medical device manufacturers, and other stakeholders via the internet. While this emerging era of interconnectivity could be a huge step forward, it also creates a substantially larger attack surface for cyber-attacks.
I recently moderated a webinar that looked at some of the potential risks created by this cyber-everywhere environment. We also discussed strategies life sciences and health care companies can use to identify and safeguard their digital crown jewels. During the presentation, my colleague John Lu explained that cyber is evolving into a living, learning, interconnected system where all players in the health ecosystem are beginning to work collectively toward a common objective of seamlessly trading information back and forth.
Just a few years from now, as many as 20 billion devices could be connected to the internet (personally, I think this estimate might be a bit low).2 In health care, connected devices could generate meaningful data that might help improve medical devices and pharmaceuticals, our level of understanding, and the health of consumers. A digitally enabled pacemaker, for example, could transmit a patient’s data to a physician’s office, which might be integrated with a health system. The data generated by the device might also be collected by the manufacturer, and at some point, that information could become part of a database tapped by researchers or other stakeholders.
Breaches can be disruptive, expensive, inevitable
In 2017, hackers gained control over an internet-connected fish tank in a Las Vegas casino and used it as a backdoor to enter the casino’s high-roller database.3 Internet-connected sensors regulated water temperature, food, and the cleanliness of the tank. The unprotected device allowed the hackers to access the casino’s database and transmit information to a device in a foreign country. While this might seem like an Ocean’s 11 plot, it is not. It illustrates that any unsecured internet-connected device could be an unlocked door for someone with criminal intent. This is even more critical as the costs associated with cyberattacks continue to escalate.
The cost of a cyberattack in life sciences and health care can be particularly devastating—especially in markets where revenues are flat or declining—and costs can add up quickly. Across all industries, the average cost of a security breach is about $3.9 million. This assumes an average of 26,000 records per breach multiplied by the average cost of each record, which is about $150. The costs are dramatically higher in health care and life sciences where the average cost of a breach tops $6.5 million.4 That’s 65 percent higher than other industries. This is because patient records contain quite a bit of valuable information that can be exploited.
As I noted in a My Take last May, electronic health records (EHRs) can contain a wealth of exploitable information—everything from demographic information to work history to financial information. This information can be worth substantially more on the black market than financial records and other types of data.5
Additionally, the cost of a breach can be felt for years in terms of fewer patients, lost revenue, and recovery costs. Moreover, in a heavily regulated sector like health care, the costs to respond to questions can be dramatic.
Cyber should not be seen as an IT issue
Life sciences and health care organizations have historically viewed cybersecurity as an issue relevant only to the IT department. But as data becomes increasingly interconnected, cyber should be considered a first-order enterprise risk. Moreover, the cyber landscape appears to be evolving more quickly than cyber defenses. During the webinar, we discussed the following topics life sciences and health care professionals should consider when evaluating their cyber strategies:
- Define your most valuable digital assets: Organizations need to identify and prioritize their most valuable data that would likely disrupt the business if stolen. This can include patient data, applications, and systems. For hospital systems and health plans, this might be patient/member data. In life sciences, it could be intellectual property.
- Keep up with cyber-related regulations: Several federal government agencies have taken a renewed interest in cyber and have engaged the assistance of medical device manufacturers and other stakeholders within the health care community. For example, in October 2018, one agency released a revised draft guidance on premarket considerations for medical device cybersecurity.6 The guidance refines expectations related to the cybersecurity considerations a manufacturer should adhere to during the design and development of a medical device.
- Build threat intelligence and analytics capabilities: Stakeholders should understand potential threats and develop plans for responding. Consider penetration testing when designing devices or implementing new IT systems. The idea is to try to hack a device or system before it becomes connected to the internet to make sure it is resilient.
- Minimize internal threats: Health care is an industry where people inside the organization pose a bigger threat than outsiders. Nearly 60 percent of cyber-related incidents in the health sector involve someone from inside the organization. According to our research, Communicating the value of cybersecurity to boards and leadership, organizations identified hosting regular cyber threat simulations as a top practice for educating employees.
The internet is making the world a much smaller place by connecting all of us (and our devices and data) in fewer than six steps. While the benefits of a cyber-everywhere environment are enormous, cyber risk is now one of the biggest threats our health care and life sciences clients face. Once stakeholders understand the potential risks in this digital world, they can be better positioned to safeguard their data, their customers, and consumers.
1 Are we really all connected by just six degrees of separation?, Science Alert, August 27, 2015
2 Ericsson Mobility Report, November 2017
3 Is your fish tank listening? A roadmap to dipping your toes in the IoT waters, TechTarget, November 10, 2017
4 Cost of a Data Breach, IBM and the Ponemon Institute, 2019
5 Security trends in the healthcare industry, IBM X-Force Research
6 Statement on FDA’s efforts to strengthen the agency’s medical device cybersecurity program, October 1, 2018
In the News
HHS proposes rules to encourage value-based care, modify Stark Law exceptions
On October 9, the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the US Centers for Medicare and Medicaid Services (CMS) released two proposals to clarify and modernize regulations interpreting the Physician Self-Referral Law (Stark Law) and federal Anti-Kickback Statutes (AKS), which prohibit physician self-referral. The proposed rules seek to promote value-based care (VBC) by easing administrative burden on providers and by improving efforts to coordinate patient care while maintaining safeguards against fraud and abuse. The Stark Law was enacted in 1989 when most health care was provided on a fee-for-service basis. Some of the law’s provisions could discourage VBC, CMS said in a statement.
If enacted, the proposed rules would create new Stark Law exceptions for value-based arrangements—and would apply regardless of whether the arrangement relates to Medicare services. The proposed changes would allow specialty-physician practices to share patient information with primary-care physicians to help manage care or assist with hospital discharges. Additionally, the proposed rules would ease data-sharing limitations, which could make it easier for local hospitals to work collectively on cybersecurity issues.
The industry has been calling for relief from some Stark and anti-kickback provisions to help support new models for payment and delivery system reform for years. Early industry reaction was positive, though some stakeholders indicated they feel the draft regulations would not go far enough. Earlier this year, the House and Senate reintroduced legislation that would let CMS exempt alternative-payment models (APMs) from Stark Law provisions, and the HHS 2020 budget-in-brief indicated plans to reform the law (see the April 23, 2019 Health Care Current).
(Sources: HHS, HHS Proposes Stark Law and Anti-Kickback Statute Reforms to Support Value-Based and Coordinated Care, October 9, 2019; CMS, Modernizing and Clarifying the Physician Self-Referral Regulations Proposed Rule, October 9, 2019)
HHS releases guide for discontinuing, tapering long-term patient opioid use
HHS on October 10 published new advice for physicians who are considering a change in a patient’s opioid dosage. According to HHS, once a patient is on opioids for a prolonged time, an abrupt change in the treatment regimen could put the patient at risk. HHS also said that providers have a responsibility to coordinate a patient’s pain treatment—and any problems related to opioids—with the patient’s care team. The Guide for Clinicians on the Appropriate Dosage Reduction or Discontinuation of Long-Term Opioid Analgesics contains recommendations from published guidelines and practices endorsed by peer-reviewed literature. It also addresses several issues for physicians to consider when changing a patient’s chronic-pain therapy, including the potential need to treat opioid-withdrawal symptoms and to provide behavioral-health support.
(Source: HHS, HHS Announces Guide for Appropriate Tapering or Discontinuation of Long-Term Opioid Use, October 10, 2019)
Waste accounts for one-quarter of US health care spending, study finds
The US health care system spends between $760 billion and $935 billion a year (25 percent of total spending) on care of no value and in other wasteful ways, according to a new study published in the American Medical Association’s (AMA’s) internal medicine publication. The percentage is lower than an estimate in 2012 made by a different group of researchers, who estimated waste made up more than 30 percent of spending. The latest study not only uses more recent evidence for its estimates but also takes a more conservative approach to the calculations.
Similar to the previous study, the new one categorized the type and amount of waste into:
- Administrative complexity ($265.6 billion)
- Pricing failure ($230.7 billion to $240.5 billion)
- Failure of care delivery ($102.4 billion to $165.7 billion)
- Overtreatment or low-value care ($75.7 billion to $101.2 billion)
- Fraud and abuse ($58.5 billion to $83.9 billion)
- Failure of care coordination ($27.2 billion to $78.2 billion)
The authors write that while experts agree that more needs to be done to reduce waste, especially on the administrative side, there is no clear agreement on the best solution.
(Source: Modern Healthcare, Waste accounts for one-quarter of healthcare spending, October 7, 2019)
State health news roundup
- CMS approves New Jersey’s state-based exchange request: Following recent CMS approval, New Jersey announced plans to transition to a state-based insurance exchange for the 2020 plan year. While the state will continue to rely on the federal exchange platform for its health information technology services, it will operate its own enrollment-assistance programs. State insurance commissioner Marlene Caride said the move will allow New Jersey to focus on improving access to health coverage. The state will allocate up to $2 million in grants for insurance navigators and outreach programs to help boost enrollment across the state.
- Judges hear appeal on Arkansas and Kentucky Medicaid work requirements: On October 11, a three-judge panel on the DC Circuit Court of Appeals heard arguments against a March 2019 ruling that blocked the implementation of Medicaid community engagement requirements in Arkansas and Kentucky. In both states, a federal judge ruled that the 1115 waivers outlining the requirements were invalid because CMS failed to adequately consider the impact the policy would have on health coverage. The ruling was appealed by the administration, CMS, and both states.
- California enacts first-ever law prohibiting ‘pay-for-delay’ agreements: On October 7, California enacted Assembly Bill 824, the first law in the US prohibiting so-called “pay-for-delay” agreements between competing pharmaceutical companies. The law aims to limit drug companies from engaging in collusive and anti-competitive agreements that could keep prices high, thereby harming patients. The law will allow regulators to investigate and take action against companies that engage in these practices.
Pay-for-delay agreements can delay generic drugs from coming to market, which means pharmaceutical companies that sell brand-name drugs are able to charge monopolistic prices and inflate company profits. The Federal Trade Commission estimates that such agreements cost consumers an additional $3.5 billion in drug costs each year. The California law is set to go into effect on January 1, 2020.
(Source: State of California Department of Justice, Attorney General Becerra, Assemblymember Wood: California Enacts First-in-the-Nation Law to Combat Pay-for-Delay Agreements that Inflate Drug Prices, October 7, 2019)
ICER releases inaugural prescription drug price-increase report
On October 8, the Institute for Clinical and Economic Review (ICER), an independent non-profit research institute that analyzes drug effectiveness and value, published its inaugural report on unsupported price increases (UPI) of prescription medications in the US. ICER ranked drugs according to sales revenue. Using 24 months of data—from the beginning of 2017 to the end of 2018—ICER calculated whether prices increased by more than twice the annual medical consumer price index. The organization found that 10 drugs contributed to the largest net increase in drug spending in the US. It added one drug to this list of 10 following public nomination. Of the drugs on this list, ICER determined that seven did not have any new clinical evidence in the three years prior to support their price increases.
(Source: ICER, ICER Identifies Costliest US Drug-Price Hikes That Are Not Supported by New Clinical Evidence, October 8, 2019)
To improve health outcomes, some hospitals are investing in housing for patients
Many hospitals around the country are investing in housing for patients who are homeless, face housing instability, or are too frail to live on their own after discharge. Increasingly, stakeholders across the health care system are exploring ways to address the social determinants of health—or drivers of health—that are typically outside the traditional health care system, such as housing, food insecurity, access to transportation, and social support.
Hospitals cannot legally or morally discharge a patient who has nowhere to go. As a result, some patients end up occupying hospital beds for weeks or months after their acute medical problem has been resolved. This can be expensive for hospitals and it means some patients might have to remain in the emergency room until an inpatient bed becomes available. Some hospitals are exploring ways to connect discharged patients to temporary housing.
Denver Health is repurposing a building on its campus into affordable senior housing, including about 15 apartments designated to help homeless patients transition out of the hospital. The building should be ready in 2021. A housing coordinator from the city’s Housing Authority will assist tenants who need help finding permanent housing. The hospital will also provide a case manager to help with physical and behavioral health needs.
Three Boston hospitals have agreed to pledge $3 million over three years to help low-income families stay in their homes as part of their Innovative Stable Housing Initiative. Half of the funds will be earmarked for families that are struggling with unstable housing, including those who are behind on rent and at risk of eviction. Stakeholders from the initiative acknowledged the challenges of getting adequate health care when housing is a concern.
The Center for Community Investment (CCI) is another initiative. Hospitals in four states are working with CCI to increase affordable housing options in their markets. Participating hospitals are sharing leading practices and combining their pre-development resources to provide technical support and assistance. CCI will help the hospitals understand local housing priorities and community needs and will help create a pipeline of affordable housing options.
Analysis: In his health care outlook for 2020, Deloitte’s US Health Care Leader Steve Burrill predicted that in the years to come, health systems and health plans will continue to place greater emphasis on the drivers of health. Health care stakeholders will come to recognize that the factors that influence our health often have less to do with our care and more to do with our environment, our stressors, our income and education, and our level of social interactions and sense of community. While health care organizations might be grappling with how to measure the return-on-investment of these efforts, they can be critical as we shift to a focus on wellness, he notes.
(Sources: Markian Hawryluk, Why hospitals are getting into the housing business, Kaiser Family Foundation, October 4, 2019; Christopher Cheney, How 6 major health systems and hospitals hope to boost housing, Health Leaders, March 4, 2019)