As health care plugs in, consumers want to know medical information is safe | Deloitte US has been added to your bookmarks.
As health care plugs in, consumers want to know medical information is safe
Health Care Current | September 26, 2017
This weekly series explores breaking news and developments in the US health care industry, examines key issues facing life sciences and health care companies and provides updates and insights on policy, regulatory, and legislative changes.
As health care plugs in, consumers want to know medical information is safe
By Greg Reh, Vice Chairman, US and Global Life Sciences Leader, Deloitte Consulting LLP
Technology and the internet have dramatically altered the way we communicate with each other and how we access the world around us. Through an app, I can check the score of the Philadelphia Eagles game, adjust the temperature in my house, or see who rang the doorbell…all while sitting in a window seat 39,000 feet in the air and a thousand miles away. But as consumers have grown increasingly comfortable with, and reliant upon, this level of connectivity, many remain dubious about the use of technology in health care – particularly when it comes to the security of their personal medical information.
This week, several of my colleagues will be in the heart of the Silicon Valley, attending the annual MedTech Conference powered by AdvaMed. They will be covering a wide range of topics including two events devoted to cybersecurity. Russell Jones, our national co-leader on medical device safety and security, will lead a session on establishing a culture of cybersecurity excellence.
As connectivity increases, so do vulnerabilities
As patients and their doctors become more connected to – and through – technology, many medical device manufacturers are making it possible for their products to link to the internet, hospital networks, mobile products, and connect with other patients. Analysts project the global Internet of Things-based health care market will to grow by 38 percent between 2015 and 2020.1 This emerging category of connected medical devices often goes beyond what has traditionally been considered vulnerable to cyber threats – expanding from networked devices to standalone technology that might be at risk through interfaces such as USB ports.
A diagnostic device connected to the internet, for example, could allow a physician on the other side of the world to view an HIV patient’s case in real-time and implement a treatment plan. While this technology infinitely extends a physician’s reach, someone with malicious intent could exploit that same connection to access the device, and gain access to someone’s medical information or a health system’s network.
Although many consumers are growing more comfortable with the idea of technology-aided care, health care providers and medtech manufacturers should affirm to them that the quality of care won’t suffer, and that their personal information is protected.
Cyber security has become a chess match
The security of connected medical devices is being featured more frequently in the news, as we witnessed during the WannaCry ransomware incident last spring. Although this didn’t directly impact medical devices, their increased connectivity, combined with a heightened awareness of vulnerabilities, can increase the likelihood of an attack. This risk will likely continue to grow until manufacturers of these devices – and the health care providers that use them – work together to build security throughout the lifecycle of the devices.
For medical device manufacturers, keeping up with cyber criminals has become almost like a chess match: every six to nine months, as device manufacturers develop ever-more secure systems, threat actors manage to stay a few steps ahead in understanding how to circumvent the latest safeguards.
Some medical devices, such as MRIs, might be plugged into a hospital network. A continuous positive airway pressure (CPAP) machine could have cellular functionality, and a pacemaker might be equipped with radio frequency or Bluetooth technology.
Not all medical devices can connect to a network or the internet. However, many of the security incidents that occur in the field today are due to devices running on outdated operating systems, which may be placed on hospital networks without proper security controls. As a result, medical device manufacturers and health care providers are increasingly being asked to conduct security risk assessments and technical security tests to identify the security vulnerabilities of the legacy systems. During a recent webinar sponsored by Deloitte, many of our surveyed participants said that identifying and mitigating risks associated with legacy devices is the greatest cybersecurity challenge facing the connected medical device industry.
Many health care providers are starting to build security into device procurement and are holding medical device manufacturers accountable for building security into the design of their connected products. This can lead to a challenging procurement process for many device manufacturers, with some resulting in termination due to insufficient security safeguards.
Medtech companies should consider a three-layer defense
Some medical device manufacturers and health care providers have mature medical device security programs in place. Those that don’t should consider leaving an ad hoc and device-specific security approach for a universal framework for addressing security risks.
We think connected medical device security risk should be an executive management issue, requiring commitment and funding to develop proactive processes to help ensure the safety and security of devices prior to and once fielded. A three-layer defense can help protect patient safety and safeguard information. Key steps include:
- Establishing a clear, sustainable, and consistent documentation hierarchy that can provide employees, managers, and auditors with an understanding of the structure, ownership, maintenance, and locations of medical device security documentation.
- Developing a mature product security risk-management process that can help the organization define, evaluate, and document potential threats and vulnerabilities that could impact their medical devices. This should not only be conducted for new medical devices, but can be used for legacy devices.
- Launching an investigations process that can help the organization effectively and efficiently respond to a security incident, and remain resilient against future incidents. Understanding the motivation of an attacker, the impact they are targeting, as well as the vulnerability that allowed them to carry out their attack, can help the organization to remain proactive in guarding against future attacks.
As consumers have grown increasingly comfortable with connectivity, many remain dubious about the use of technology in health care – particularly when it comes to the security of their medical information. The security of health information was cited as the second biggest issue related to health IT, according to the Deloitte 2016 Survey of US Health Care Consumers. Only concerns about health care quality ranked higher.
As more medical devices connect to the internet, to hospitals and physicians, and to each other, private patient information could become more vulnerable. Unless a new programmatic approach is implemented to secure connected medical devices throughout their lifecycle, the same technology that makes it possible for doctors to heal patients, could end up harming them.
In the news
Congress has until September 30, 2017 to move a health care reform bill forward under the reconciliation process (see the September 19, 2017 Health Care Current). The Senate Finance Committee held a hearing on Monday, September 25 to help members better understand the authors’ goals for the legislation. The bill would transition Medicaid to a block grant program and use a formula to redistribute savings and costs among states. At the time of publication of this issue, it was unclear where the bill will go from here.
The US Centers for Medicare and Medicaid Services (CMS) released an initial analysis of the impact of the bill on states. It projects that federal health care spending would be $18 billion lower in 2026 under the bill than under current law.
In a preliminary assessment of the Graham-Cassidy health care bill, the Congressional Budget Office (CBO) and the Joint Committee on Taxation said that the amount appropriated for block grants – $1.2 trillion from 2020 to 2026 – is roughly $230 billion less than subsidies appropriated under current law. CBO noted it will not be able to provide a complete analysis – including more specific point estimates of the bill’s effect on the deficit, health insurance coverage, or premiums – until after September 30, the deadline to pass it using budget reconciliation.
Related: CBO reduced estimates of how many people the ACA will cover
In a report released earlier this month, CBO reduced its estimate of how many people will purchase health insurance via an exchange over the next ten years under existing law. In last year’s report, CBO estimated that between 15 million and 19 million people would buy exchange-based coverage each year between 2017 and 2026. This year, it lowered that estimate to between 10 million and 12 million people each year between 2018 and 2027 because of increases in employer-sponsored coverage and less outreach for the exchanges.
In the same report, the CBO said it expects premiums of the benchmark silver-tier plans to rise by about 15 percent next year. It attributed this increase to short-term market uncertainty, particularly surrounding federal funding for cost-sharing reduction (CSR) payments. However, it expects premiums to drop in 2019, when this uncertainty will likely be resolved.
CMS sends Part D proposal to White House for review
On September 13, CMS sent proposed programmatic and operational changes for Medicare Part D and Medicare Advantage to the White House’s Office of Management and Budget for final approval before publishing.
Other than the annual rate notice and call letters, this is CMS’s first proposed rule change to Part D since 2014. While the specific policies in the rule will not be public until the proposed regulation is on display at the Federal Register, some drug companies fear the rule could change their ability to determine prices and some patient advocates worry it could eliminate or change protected drug classes.
CMS Innovation Center requests information on patient-centered care reforms
The CMS Center for Medicare and Medicaid Innovation (the Innovation Center) is requesting stakeholder input on how the Innovation Center should promote patient-centered care and market-driven reforms to empower beneficiaries.
The Innovation Center lists guiding principles for new model design. These include:
- Consumer choice and competition in the market
- Provider choice and incentives
- Patient-centered care
- Benefit design and price transparency
- Transparent model design and evaluation
- Small-scale testing
The Innovation Center says it will test models in the following areas:
- Increased participation in Advanced Alternative Payment Models (APMs)
- Consumer-directed care and market-based innovation models
- Physician specialty models
- Prescription drug models
- Medicare Advantage (MA) innovation models
- State-based and local innovation, including Medicaid-focused models
- Mental and behavioral health models
- Program integrity
In an accompanying op-ed in the Wall Street Journal, CMS Administer Seema Verma said the Center wants to encourage a shift away from fee-for-service, but noted that it will assess all Innovation Center models to decide what should continue and what should not. The deadline for submitting comments is November 20, 2017.
Employer-sponsored insurance premiums increased 3 percent in 2016
The average premium for employer-sponsored health insurance increased 3 percent from 2015 to 2016 according to a recent survey by Kaiser Family Foundation and Health Research Educational Trust. Including both employer and employee contributions, average premiums reached $6,435 for individual coverage, and $18,413 for family coverage in 2016. Since 2011, the average family premium has increased 20 percent.
In 2016, on average, employees covered 18 percent of the cost of premiums for individual coverage and 30 percent for family coverage. These percentages were similar to recent years, according to the report.
Overall, 56 percent of employers offered some type of health care coverage, and most organizations had at least one plan that included prescription drug coverage. In another trend, researchers noted that 39 percent of large employers offered telehealth services through their largest health plan.
(Source: Gary Claxton, Matthew Rae, et al., “Health benefits in 2016: Family premiums rose modestly, and offer rates remained stable,” Health Affairs, October 2016)
Sanders introduces ‘Medicare for all’ bill with 16 cosponsors
On September 13, Vermont Senator Bernie Sanders (I) introduced a bill (S.1804) to transform and expand the Medicare program. The bill would broaden both the people covered as well as the benefits offered through Medicare, while ending most other forms of coverage.
The bill would expand eligibility to children, and would make coverage available to people over the age of 55 after one year. In the second year, the program would be expanded to include those over age 45, those over 35 after three years, and most everyone after four years. The bill would also eliminate the Federal Employees Health Benefits Program, the TRICARE program, and the Affordable Care Act (ACA) exchanges, but it would leave the Department of Veterans Affairs and the Indian Health Service as is. Additionally, the bill would prohibit the sale of private health plans that cover the same benefits as the new Medicare program. The sale of plans that cover different benefits would still be allowed.
It would eliminate deductibles, copays, and premiums, and cover vision and dental benefits. The essential benefit categories are largely in line with current law under the ACA. The Department of Health and Human Services (HHS) would be directed to determine if changes to the benefits are needed as current medical practice and research evolves.
Medicaid and Children’s Health Insurance Program (CHIP) benefits would become obsolete except for long-term care and other services covered by a state Medicaid program as of September 1, 2017.
To accompany the bill, Sanders released a white paper detailing potential funding options. These included:
- A 7.5 percent payroll tax on employers
- A 4 percent individual income tax and various taxes on the wealthiest Americans and corporations
- Savings generated by the elimination of health insurers
The white paper says these funding mechanisms could generate $16 trillion over 10 years. However, a 2016 report by the Urban Institute estimated his campaign's "Medicare for All" plan would cost roughly $32 trillion over 10 years. Under the proposal, some people would pay more (if they are taxed more than they spend on health care), and some would pay less (if they are taxed less than spend on health care).
(Source: John Holahan et al., “The Sanders Single-Payer Health Care Plan,” Urban Institute, May 2016)
FDA proposes biosimilar sponsors use risk-based approach to demonstrate similarity
The Food and Drug Administration (FDA) proposed biosimilar product sponsors use a risk-based approach to demonstrate analytical similarity to a reference product. Specifically, the draft guidance outlined:
- The type of information a proposed biosimilar product sponsor should obtain about the reference product
- How the information should be used to demonstrate analytical similarity, and
- The statistical methods recommended for evaluating analytical similarity
The draft guidance said that biosimilar product sponsors should obtain information about the structural/physicochemical and functional attributes of the reference product including:
- A recommended 10 or more reference product lots: To demonstrate meaningful similarity the FDA recommends sponsors use at least 10 reference product lots
- Variation in the acquired reference product lots: The agency said that the reference product lot should represent the shelf life of the product
The FDA also said that sponsors should consider:
- Developing a risk-based assessment of quality and similarity attributes
- Differences in age of the reference product
- Multiple testing results and differences in attributes that could be acceptable if it would not be expected to have a clinical impact.
Comments on the draft guidance are due by November 22, 2017.
Making progress in integrating social determinants of health into the EHR
Health care stakeholders have long recognized that factors outside the health care system –the social determinants of health (SDoH) – influence an individual’s health and well-being. Many hospitals, health systems, and health plans are navigating the challenges of effectively linking data related to the SDoH and clinical services to improve health outcomes in the long term. The SDoH are sometimes described as the economic and social conditions that impact health, such as the environment in which people are born, grow, live, work, and age.
Clinical systems are not currently designed to collect that kind of data in a way that can be easily accessed and acted upon to make an impact. However, due in part to the shift from fee-for-service to value-based care, stakeholders are recognizing that they need these data for better clinical decision support, quality measurement, care coordination, and population health management. This summer, the Office of the National Coordinator held a public webinar on how to leverage health information technology to support SDoH. And earlier this year, CMS launched its Accountable Health Communities Model, to provide funding, over the course of five years, to 32 provider organization to act as bridges between clinical and community services. The hope is that this model and other programs around the country will provide lessons learned and leading practices.
Challenges to integrating SDoH information into the health care system include lack of standardized data that can be easily integrated, and the lack of a full set of medical terminology codes that capture SDoH data. Some health IT stakeholders have emphasized the need for representing patient-reported and community-level SDOH using common vocabulary standards that take into account data on genetics, lifestyle variables, and environmental factors.
One bright spot is the Protocol for Responding to and Assessing Patients’ Assets, Risks, and Experiences (PRAPARE) – a multi-year effort between several health care associations and pioneering health center networks across the country to pilot test and promote a national standardized patient risk assessment protocol to assess and address the SDoH. PRAPARE is a screening tool combined with a patient engagement tool, and a compendium of implementation and response resources. It is designed to be integrated into the electronic health record (EHR) to facilitate assessment and intervention. The EHR vendors that are set up to use PRAPARE represent about 60 percent of the health centers in the country, and more vendors and health center networks are in the process of adopting the system in response to growing demand from providers and health plans to have these data integrated into the EHR.
This spring, the Deloitte Center for Health Solutions surveyed nearly 300 hospitals and health systems around the country to learn about health system initiatives and investments in SDOH to date. The survey showed that value-based care appears to be driving better alignment of clinical care and SDoH. However, many health care organizations are not yet able to support sophisticated capabilities to collect relevant data from the patient population and across the health care system, identify methods to integrate the data and measure performance, and develop relationships with community organizations that are also addressing social needs in their communities. The survey showed that less than one-third of hospitals are integrating social needs into the EHR for most of their target population. In supplementary stakeholder interviews, some hospitals that are integrating SDoH into the EHR said that much of the data can get missed by the care team if it comes in the form of notes.
Although EHRs have the potential to provide critical information to providers who treat patients with such social needs, SDoH data has not been linked to clinical practice until recently. Further integration of data into the EHR, and strategies for making this data more useful for the care team, may help hospitals improve their population health strategies in the future.
Looking ahead: The Institute of Medicine and other organizations have recommended the types of measures and domains health systems should consider integrating into the EHR. They are looking at the opportunities for linking EHRs to public health departments, social service agencies, or other relevant non-health care organizations. Some forward-thinking organizations and leaders are starting to think about linking grocery purchases, retail purchases of over-the-counter medical products, data from remote monitoring devices or wearables, as well as environmental data such as weather patterns, and water and air quality, to get a fuller picture of someone’s risks. To realize this vision, the health care system will need to overcome challenges around data-sharing, governance, and privacy concerns.
Are you at The MedTech conference this week in San Jose? Be sure to check out our website for more information on Deloitte’s presence this year.
A view from the Center: When it comes to medical research, it’s time to stop, listen, and learn from patients
How can the "stop, listen, and learn" approach reshape the way we think about patient input? Read how some organizations are utilizing a patient-centered methodology.