Midweek update

From Washington, DC —

  • STAT News reports
    • “Senators on the Finance Committee on Wednesday nearly unanimously passed a bill to clamp down on drug middlemen but kicked the can down the road on some of the more challenging policies.
    • “The bill would offer some more transparency into the business practices of pharmacy benefit managers, ensure PBMs aren’t skimming off of the money they send to insurers, prohibit them from overcharging insurers, and ensure certain fees in the Medicare program aren’t tied to a drug’s price.”
  • From the Senate Finance Committee, “click here for more information on the legislation, including a description of the Chairman’s Mark and a section-by-section summary.”
  • The House Ways and Means Committee relates,
    • “Congresswoman Nicole Malliotakis, a member of the House Committee on Ways and Means, today announced her legislation, the Protecting Patients from Middlemen Act, passed out of the full committee and will be included in the committee’s Health Care Price Transparency Act of 2023.
    • “Specifically, Malliotakis’ legislation, which was introduced in partnership with Rep. Brad Wenstrup (OH-02), would prohibit prescription drug plans and Pharmacy Benefit Managers (PBMs) in Medicare Part D or Medicare Advantage from charging patients more in drug cost-sharing than the net price of the drug.”
  • AHA News tells us,
    • “The House Ways and Means Committee July 26 voted 25-16 to pass the Health Care Price Transparency Act (H.R. 4822), legislation that would impose additional site-neutral payment cuts and regulatory burdens on off-campus hospital outpatient departments, impose additional Medicare sequester cuts on hospitals, and codify and make changes to hospital price transparency regulations. * * *
    • “In other action today, the committee voted 23-17 to pass the Providers and Payers COMPETE Act (H.R. 3284), AHA-opposed legislation that would impose new regulatory responsibilities on the Department of Health and Human Services regarding consolidation.”
  • Federal News Network informs us,
    • “Federal retirees, and employees looking to retire, have some new resources to help them through the often long and thorny retirement process.
    • “A new series of video tutorials from the Office of Personnel Management lays out, step by step, a couple of key items on the federal retirement to-do list.
    • “With the three new videos, OPM said it hopes to reduce the number of errors from federal retirees when trying to log in to manage their online retirement accounts. And in theory, the videos should also help reduce wait times at retirement services call centers, OPM said, now that more detailed information is readily available to feds who get caught up in some of the early steps of the process.”
  • Forbes reports
    • “The FDA has approved Octapharma’s drug Balfaxar, which is used by patients who require surgery but have seen a reduction in blood clotting factors due to being treated with the blood thinner warfarin.” 

From the public health front —

  • Employee Benefits News offers expert views on the current state of Covid.
  • The National Institutes of Health announced
    • “Researchers have found that people with obstructive sleep apnea have an increased cardiovascular risk due to reduced blood oxygen levels, largely explained by interrupted breathing. Obstructive sleep apnea has long been associated with an increased risk of cardiovascular issues, including heart attack, stroke, and death, but the findings from this study, partially supported by the National Institutes of Health and published in the American Journal of Respiratory and Critical Care Medicine, show the mechanism mostly responsible for the link.
    • “These findings will help better characterize high-risk versions of obstructive sleep apnea,” said Ali Azarbarzin, Ph.D., a study author and director of the Sleep Apnea Health Outcomes Research Group at Brigham and Women’s Hospital and Harvard Medical School, Boston. “We think that including a higher-risk version of obstructive sleep apnea in a randomized clinical trial would hopefully show that treating sleep apnea could help prevent future cardiovascular outcomes.”
  • Medscape considers where exercise boosts cognition.
  • Fierce Healthcare lets us know,
    • “One in three counties in the U.S. is considered a maternal healthcare desert.
    • “Since that statistic was dropped back in October 2022 by March of Dimes, care in corners of the country has only continued to dry up. In response to the crisis, providers are using every seed in their seed bag and looking to “multimodal” technology strategies to predict health emergencies before they happen.
    • “Those multimodal approaches combine telehealth, remote patient monitoring (RPM) and text messages to identify high-risk patients. High blood pressure monitoring and hypertension screening are currently recommended for pregnant patients by the U.S. Preventive Services Task Force, as heart disease and stroke are two of the leading causes of maternal mortality.
    • “Lucienne Ide, M.D., is the CEO of the digital health company Rimidi. She sees the country teetering on an inflection point.
      • “We’re at this fork in the road of looking at what we could do with technology, identifying high-risk women and getting them into the programs where we’re proactively and earlier identifying something dangerous and doing something about it,” Ide told Fierce Healthcare.
      • “But the alternate narrative is really, really bad, and it’s going to get worse. It’s not like, ‘Here we are today, and we could do better.’ No, here we are today, and it’s going to get worse, but we can actually do better,” she said.

From the U.S. healthcare business front —

  • Per Fierce Healthcare,
    • “As hospitals acquire ambulatory care centers, consumers are more likely to be forced to pay outpatient facility fees for routine care traditionally covered by physician offices at lower costs.
    • “These new costs, appearing seemingly out of nowhere to the average consumer through out-of-pocket spending and premium increases, can add up to hundreds or thousands of dollars in additional expenses for a patient, according to a report from Georgetown University’s Center on Health Insurance Reforms.
    • “Outpatient facility fees cover a hospital’s operational expenses. But when hospitals acquire physician practices, that usually generates another outpatient facility bill, eventually passing on the cost to the patient. Consumers are often unaware that they are now responsible for an extra cost.”
  • Healio reports that the growth of telehealth in cancer care continued after the initial surge during the COVID-19 pandemic.
  • Per Healthcare Dive, the path toward reducing physician burnout is widening.
    • “Amazon has become the latest tech giant to announce a clinical documentation service that allows providers to automatically create medical notes using generative AI.
    • “The Amazon Web Services tool announced Wednesday, called HealthScribe, allows providers to build clinical applications that use speech recognition and generative AI to create transcripts of patient visits, identify key details and create summaries that can be entered into an electronic health record.
    • “HealthScribe is being previewed for two specialties: general medicine and orthopedics. An Amazon spokesperson said AWS could expand to additional specialties based on client feedback. HealthScribe costs users a set amount per second of audio processed each month.”

Weekend update

From Washington, DC —

From the mental health coverage front —

  • Fierce Healthcare tells us,
    • “The United Health Foundation, the company’s philanthropic arm, each year releases America’s Health Rankings, which dive into major healthcare trends across the country. The latest analysis of that data examines how different populations are experiencing the rising tide of mental health concerns.
    • “For example, adults with disabilities were 3.5 times more likely to report frequent mental distress and 3.5 times more likely to have had a major depressive episode in the last year.
    • “This data is highlighting the need to take a closer look,” said Yusra Benhalim, M.D., senior national medical director at Optum Behavioral Health Solutions, in an interview. “I think we need to kind of lean in a little bit more and understand what the experience is like for individuals with disabilities.”
  • Health Affairs Forefront considers whether the private sector can lead in addressing this mental health equity crisis. The FEHBlog thinks it can.

From the generative AI front —

  • The Wall Street Journal reports,
    • “Hundreds of doctors across the U.S. have entrusted recordings of their private talks with patients to a startup promising to turn the conversations into usable medical records through artificial intelligence.
    • “The technology makes multiple errors while producing the reports, such as failing to use correct medical terminology and adding medicines a patient isn’t taking, according to current and former workers.
    • “To fix those errors, health-tech startup DeepScribe relies on 200 human contractors to listen to the medical conversations and revise the records, the company’s founders said. The workers also use Google searches to find billing codes.”
  • This reminds the FEHBlog of a situation that occurred nearly thirty years ago. A client decided to use then-new scanning technology to feed paper claims into its claims system for auto-processing. The client wound up needing at least a hundred people to correct errors in the scans. Over time the technology improved, and human assistance dropped off to reasonable levels. The FEHBlog is certain that, in due time, generative AI will be able to create these reports without human assistance.

From the U.S. healthcare business front, NPR warns providers have begun to bill patients and their health plans for responding to messages posted on the provider’s patient portal. Before long, generative AI will be able to reply on the doctor’s behalf.

From the wellness front, Fortune Well shares expert advice on four habits that aging folks need to adopt, besides exercise, to stay fit.

Check out last Monday’s EconTalk episode in which Russ Roberts interviews Lydia Dugdale about her book, The Lost Art of Dying.

Friday Factoids

From Washington, DC,

  • Govexec tells us, “The Office of Personnel Management on Friday proposed new regulations aimed at granting federal agencies greater flexibility in selecting new federal employees during the hiring process.” The public comment deadline is September 19, 2023.
  • Federal News Network offers a table of federal government return-to-office policies.
  • The Society for Human Resource Management informs us,
    • “The U.S. Citizenship and Immigration Services (USCIS) announced Friday a new Form I-9—which has been streamlined and shortened—that employers should use beginning Aug. 1, 2023.
    • “Employers may continue to use the older Form I-9 (Rev. 10/21/19) through Oct. 31, 2023. After that date, they will be subject to penalties if they use the older form. The new version will not be available for downloading until Aug. 1.
    • “Additionally, the U.S. Department of Homeland Security (DHS) issued a final rule that allows the agency to create a framework under which employers could implement alternative document examination procedures, such as remote document examination. The new form subsequently has a checkbox to indicate when an employee’s Form I-9 documentation was examined using a DHS-authorized alternative procedure.
    • “At this time, the final rule only allows employers using E-Verify to use alternative verification methods.”
  • Healthcare Dive notes
    • “The Federal Trade Commission and the HHS’ Office for Civil Rights are warning hospitals and telehealth companies about embedding online tracking technologies on their websites or apps, saying the trackers risk exposing consumers’ personal health data to third parties. 
    • “The trackers, like the Meta Pixel or Google Analytics, collect identifiable information about users and could reveal information about health conditions, diagnoses, treatments, frequency of visits and more, the agencies wrote in a letter to about 130 health systems and telehealth providers.
    • “The warning marks the latest move from regulators regarding the healthcare industry’s use of tracking technologies, which monitor user behavior on websites. Sharing consumers’ health data with third parties, like advertisers, has been a recent target of FTC oversight.”

Following up on the tornado that struck a Pfizer factory in Rocky Mount, NC, STAT News reports

  • “Pfizer says a tornado that ripped through a key manufacturing plant in North Carolina does not appear to have caused “any major damage” to areas that produce medicines.
  • “The company reported most damage from the storm occurred at a warehouse that stores raw materials, packaging supplies, and finished medicines awaiting release by quality assurance personnel. As a result, it remains unclear about the extent to which destruction at the facility — which produces nearly 8% of all sterile injectables used in U.S. hospitals — will exacerbate a growing shortage of prescription drugs across the country.”

The Food and Drug Administration also issued a report on the incident.

From the medical malpractice front, STAT News points out

  • “A new study published this week in BMJ, * * * estimates that “371,000 people die every year following a misdiagnosis, and 424,000 are permanently disabled — a total of 800,000 people suffering “serious harm,” said David Newman-Toker, the lead author of the paper and a professor of neurology at Johns Hopkins School of Medicine and director of its Center for Diagnostic Excellence. Settling on an exact number is hard because many cases of misdiagnosis go undetected, he said. It could be fewer than his study identified or more — between half a million and a million — though in any event, it would be the most common cause of death or disability due to medical malpractice. 
  • “He likens the issue of misdiagnosis to an iceberg, saying cases leading to death and disability are but a small fraction of the problem. “We focused here on the serious harms, but the number of diagnostic errors that happen out there in the U.S. each year is probably somewhere on the order of magnitude of 50 to 100 million,” he said. “If you actually look, you see it’s happening all the time.” 
  • “But misdiagnoses typically don’t lead to severe consequences because, most times, people aren’t visiting the doctor with a serious condition. “The risk level just walking through the door in the doctor’s office that something horrible is going to happen to you because of a diagnostic error is actually quite low,” said Newman-Toker.”

In related news “[The American Hospital Association] AHA today released its quarterly Health Care Plan Accountability Update, featuring the latest news on AHA efforts to hold commercial health insurers accountable for policies that can delay care for patients, burden health care providers and add unnecessary costs to the health care system.”

From the factoid front —

  • HealthEquity suggests three ways to drive health savings account plan adoption.
  • Beckers Payer Issues points out how seven payers are using artificial intelligence.
  • MedTech Dive reports, “Intuitive Surgical posted strong robotic volume growth in the second quarter and raised its full-year procedure outlook but said patient interest in new weight-loss drugs is curbing demand for bariatric surgeries.”

Tuesday Tidbits

From the public health front,

  • Health Affairs reports
    • “National health expenditures are projected to grow 5.4 percent, on average, over the course of 2022–31 and to account for roughly 20 percent of the economy by the end of that period. The insured share of the population is anticipated to exceed 92 percent through 2023, in part as a result of record-high Medicaid enrollment, and then decline toward 90 percent as coverage requirements related to the COVID-19 public health emergency expire. The prescription drug provisions of the Inflation Reduction Act of 2022 are anticipated to lower out-of-pocket spending for Medicare Part D enrollees beginning in 2024 and to result in savings to Medicare beginning in 2031.”
  • The U.S. Preventive Health Services Task Force gave an inconclusive grade to screening for lipid disorders in children and adolescents 20 years or younger.
  • The Wall Street Journal offers ways to protect yourself and your family against the ill effects of forever chemicals that may be in your tap water or elsewhere in your home.

From the regulatory front,

  • The Food and Drug Administration “published a safety communication to warn consumers not to use ultrasound medical devices manufactured and distributed by RoyalVibe Health, CellQuicken, and Well-Being Reality. The devices have not been reviewed by the FDA. The safety and effectiveness of these devices have not been established to diagnose, treat, or cure medical conditions.”
  • HFMA informs us
    • “Hospital price transparency regulations are undergoing changes heading into their fourth year as CMS seeks to step up enforcement while making compliance more straightforward.
    • “As part of the 2024 proposed rule for hospital outpatient payments, CMS is adding to the requirement for hospitals to maintain a machine-readable file of their charges for services. In addition, enforcement actions against hospitals would be publicized even before assessment of civil monetary penalties.
    • “CMS said the impetus for the proposed technical requirements is feedback from “interested parties” that the files would be more beneficial if they were more standardized.
    • “In particular, IT specialists have indicated that the current flexibilities and lack of encoding specifications hinder the machine-readability of the data in the files, presenting a barrier to the intended use of the data,” CMS wrote. “Additionally, hospitals have asked us for more specificity on how they should publicly display their standard charge information, with an emphasis on how they should explain and display their payer-specific negotiated charges.”
    • “The agency also said enforcement would be easier if the files were more consistent.”

From the U.S. healthcare business front,

  • Fierce Healthcare lets us know,
    • “In the past 10 years, there has been a dramatic shift in physician practice ownership as less than half of doctors now work in private practices, according to a new analysis.
    • “Between 2012 and 2022, the share of physicians working in private practices fell by 13 percentage points from 60.1% to 46.7%.
    • “In contrast, the share of physicians working in hospitals as direct employees or contractors increased from 5.6% to 9.6% in the same 10-year time period, and the share of physicians working in practices at least partially owned by a hospital or health system increased from 23.4% to 31.3%, according to a benchmark analysis from the American Medical Association. * * *
    • “In 2022, 4.5% of physicians worked in a practice owned by a private equity group, similar to the percentage in 2020 when the AMA first added private equity to the analysis.
    • “According to the analysis, there also has been a redistribution of physicians from small to large practices. The share of physicians in small practices (10 or fewer physicians) shrank from 61.4% to 51.8% between 2012 and 2022. Conversely, the share of physicians in large practices (50 physicians or more) grew from 12.2% to 18.3% in the same 10-year time period.
    • “The shares of physicians in mid-sized practices (those with 11 to 24 and 25 to 49 physicians) remained relatively stable over the last decade.”
  • BioPharma Dive informs us,
    • “Biotechnology startup creator Flagship Pioneering is teaming up with Pfizer to develop 10 new drug candidates, with each company pledging to invest $50 million in the new effort.
    • “Together, Flagship and Pfizer will take stock of the technologies available to the former firm and its affiliated startups, hunting for opportunities to develop medicines aligned with Pfizer’s research priorities. Per deal terms announced Tuesday, Pfizer will fund the development of selected medicines, each of which it can choose to acquire later.
    • “The collaboration involves Flagship’s “Pioneering Medicines” initiative, which has struck similarly structured deals in the recent past with Novo Nordisk and the Cystic Fibrosis Foundation.”
  • Healthcare Dive relates,
    • “Teladoc Health is expanding its partnership with Microsoft, announcing plans to add artificial intelligence tools for clinical documentation to its telehealth platform for hospitals and health systems.
    • “The companies will work to integrate Microsoft Azure’s OpenAI Service and Cognitive Services and Microsoft-owned Nuance’s Dragon Ambient eXperience into its Solo platform, allowing physicians to automatically transcribe clinical notes during virtual patient exams.
    • “Teladoc’s medical group also plans to use DAX Express, a version of the medical scribe that uses the large language model GPT-4 and doesn’t require human authentication, the New York-based telehealth vendor said. Financial terms of the deal were not disclosed.”

From the Rx coverage front, the Drug Channel blog delves into the biosimilars’ challenge to Humira. The article illustrates the relatively new distinction between low-list drug prices and high-list drug prices. Low list prices do not include a manufacturer rebate. The FEHBlog understands that the distinction is driven by the Inflation Reduction Act.

Monday Roundup

From the public health front —

  • The Wall Street Journal reports
    • “Parents have a new tool to protect their newborns from a common but potentially deadly respiratory virus that sends tens of thousands of babies to the hospital each year.
    • “The Food and Drug Administration on Monday approved the first drug to protect all infants against respiratory syncytial virus. RSV is the leading cause of hospitalization of infants in the U.S., killing as many as 300 children under the age of 5 each year.  
    • “The FDA said it approved the drug Beyfortus from Sanofi and AstraZeneca based on studies that found it safely prevented the lower respiratory tract infections caused by the virus. * * *
    • “While Beyfortus isn’t a vaccine, it has a similar objective. The injection gives infants antibodies to neutralize the virus before their immune systems are mature enough to generate them on their own.  * * *
    • “Sanofi plans to make Beyfortus available in time for this year’s RSV season. Before the drug can become widely available, CDC advisers will need to recommend the drug’s use.”  
  • The FEHBlog’s favorite columnist on Covid, the New York Times’ David Leonhardt, let us know, “The United States has reached a milestone in the long struggle against Covid: The total number of Americans dying each day — from any cause — is no longer historically abnormal.” Consequently, the pandemic era is over.
  • In other Covid news, Medscape tells us,
    • “An air monitor made by researchers at Washington University in St. Louis can detect COVID-19 virus in a room with an infected person within 5 minutes. 
    • “The project was a collaboration among researchers from the university’s engineering and medical schools. Nature Communications published the results of their work in the journal’s Monday edition. * * *
    • “The team tested their device both in laboratory experiments where they released aerosolized SARS-CoV-2 into a room-sized chamber, as well as in the apartments of two people who were COVID-positive.
    • “There is nothing at the moment that tells us how safe a room is,” Washington University neurology professor John Cirrito, Ph.D., said in a statement. “If you are in a room with 100 people, you don’t want to find out 5 days later whether you could be sick or not. The idea with this device is that you can know essentially in real-time, or every 5 minutes if there is a live virus in the air.”
    • “Their goal is to develop a commercially available air quality monitor, the researchers said.” 
  • Cigna discusses how to help women to stay on track with screenings for common cancers.
  • KFF explains why different BMI standards apply to older folks. For example,
    • “Epidemiologic research suggests that the ideal body mass index (BMI) might be higher for older adults than younger adults. (BMI is a measure of a person’s weight, in kilograms or pounds, divided by the square of their height, in meters or feet.)
    • “One large, well-regarded study found that older adults at either end of the BMI spectrum — those with low BMIs (under 22) and those with high BMIs (over 33) — were at greater risk of dying earlier than those with BMIs in the middle range (22 to 32.9).
    • “Older adults with the lowest risk of earlier deaths had BMIs of 27 to 27.9. According to World Health Organization standards, this falls in the “overweight” range (25 to 29.9) and above the “healthy weight” BMI range (18.5 to 24.9). Also, many older adults whom the study found to be at the highest mortality risk — those with BMIs under 22 — would be classified as having “healthy weight” by the WHO.
    • “The study’s conclusion: “The WHO healthy weight range may not be suitable for older adults.” Instead, being overweight may be beneficial for older adults, while being notably thin can be problematic, contributing to the potential for frailty.”
  • According to STAT News,
    • “At the turn of the century, nearly 18 million women in the United States were battling hot flashes, night sweats, and other symptoms of menopause with hormones. But in 2002, the therapy went into a free-fall when a landmark trial suggested treating menopause with estrogen and progesterone increased the risk of breast cancer and cardiovascular disease. The study was shut down early — and a year later, prescriptions had plummeted to nearly half what they had been in 2001.
    • “More than two decades later, menopause experts have come to think about the results of the trial very differently. Newer research points to more benefits than risks for many healthy women under 60 treating menopause symptoms with hormone therapy. But many women who are good fits still aren’t getting treatment. “The pendulum has been slowly — too slowly — swinging back,” said OB-GYN Mike Green, chief medical officer of menopause telehealth company Winona.
    • “Winona is part of a new generation of virtual-first health care companies aiming to give that pendulum a push. In the last five years, more than a dozen telehealth companies have started up to serve women in and approaching menopause, including with hormone therapy. 
    • “Women fall through the cracks,” said internist Lisa Larkin, president-elect of The Menopause Society and founder of concierge women’s health network Ms. Medicine. “That’s why the telemedicine business is booming.” 

From the Alzheimer’s Disease front,

  • Medscape tells us,
    • “Eastern and southeastern areas of the US have the highest rates of Alzheimer’s disease (AD), new research shows.
    • “Investigators at Rush University in Chicago, Illinois, found AD prevalence was highest in Maryland, New York, Mississippi, and Florida. At the county level, Miami-Dade in Florida, Baltimore in Maryland, and the Bronx in New York were among the US counties with the highest prevalence of the disease.
    • “Such geographical variations may be due to the unique make-up of regional populations, study investigator Kumar Rajan, PhD, professor of Medicine and director of Rush Institute for Healthy Aging, Rush University Medical Center, in Chicago, told Medscape Medical News.”
  • STAT News relates,
    • Medicare on Monday proposed ending restrictions on how many PET scans patients can receive to detect amyloid plaques in their brains, which will offer physicians more options as they treat patients with a new drug to slow the progression of dementia.
    • The agency that oversees Medicare had previously restricted coverage to a single scan for patients who participated in clinical studies. Advocates had warned that it could cause issues related to a new class of Alzheimer’s drugs designed to clear those plaques.
  • BioPharma Dive calls our attention to
    • “A closely watched experimental drug for Alzheimer’s disease slowed the decline patients typically experience by about half a year in a key clinical trial, according to new results released Monday.
    • “The drug, called donanemab, is being developed by Eli Lilly and works in a similar way as two other medicines recently approved in the U.S. to treat Alzheimer’s. These therapies are designed to break up clusters of “amyloid beta,” a mutated protein that forms toxic brain plaques and has long been viewed as a root cause of the disease. * * *
    • “Along with its presentation, Lilly disclosed it had completed its approval application to the FDA and expects a verdict by the end of the year. The results were also published in the medical journal JAMA.”
  • Reuters adds,
    • “Alzheimer’s disease experts are revamping the way doctors diagnose patients with the progressive brain disorder – the most common type of dementia – by devising a seven-point rating scale based on cognitive and biological changes in the patient.
    • “The proposed guidelines, unveiled by experts on Sunday in a report issued at an Alzheimer’s Association conference in Amsterdam, embrace a numerical staging system assessing disease progression similar to the one used in cancer diagnoses. They also eliminate the use of terms like mild, moderate and severe.”

From the generative AI front, Fierce Healthcare explains how Blue Cross licensee HCSC is using AI to speed up prior authorization.

From the U.S. healthcare business front,

  • The American Hospital Association informs us,
    • “The Federal Trade Commission July 14 voted 3-0 to withdraw two antitrust policy statements related to enforcement in health care markets, calling the 1996 and 2021 statements outdated. The Department of Justice withdrew the same statements in February.  
    • “AHA is deeply disappointed that the FTC made the same mistake as the DOJ in withdrawing antitrust guidelines for hospitals and other health care providers,” said AHA General Counsel & Secretary Melinda Hatton. “Over the years, AHA has urged both federal antitrust agencies to modernize the guidelines to accommodate the need for more flexibility in enforcement actions to support hospitals’ ability to navigate a changing healthcare landscape. And AHA was instrumental in securing appropriate ACO guidance that allowed hospitals to fully participate in that important program. Withdrawing all the guidance without consultation with the field is both unnecessary and reckless.”
  • According to STAT News,
    • “Sanofi will license a new CRISPR enzyme from the startup Scribe Therapeutics in a bid to be the first to develop a safer, simpler, and more scalable cure for sickle cell disease.
    • “The French drugmaker will pay Scribe $40 million upfront and promise another $1.2 billion in potential milestones to license a DNA-cutting enzyme called CasX for use in a potential single-infusion treatment for the serious blood disorder — what’s known as in vivo therapy. CasX was discovered in CRISPR pioneer Jennifer Doudna’s lab, which subsequently spun out Scribe. * * *
    • “The company will have competition on tackling sickle cell in new ways. In 2021, Novartis started collaborating with the Gates Foundation to develop an in vivo therapy. The base editing company Beam Therapeutics has presented data on an approach that still requires cells to be edited outside the body but is much less toxic. And Sana Biotechnology has a program that hopes to target stem cells with virus-like particles. None of the companies, however, have yet begun clinical trials.”

In employment news,

  • HR Dive reports,
    • “The Occupational Safety and Health Administration published Friday its final electronic recordkeeping rule requiring employers with 100 or more employees in certain industries to submit information from the agency’s Forms 300 and 301 once per year.
    • “OSHA’s rule also updates its system for determining which industries are subject to the information submission requirement. In a departure from the proposed rule, OSHA has retained the requirement for employers with 250 or more employees to electronically submit information from Form 300A once per year. Additionally, employers with 20 to 249 employees in certain designated industries will continue to be required to electronically submit information from Form 300A once per year.
    • “Per the rule, the agency will post data gathered via these submissions on a public website, with identifying information — such as employees’ names and contact information — removed. The final rule is effective Jan. 1, 2024.”

Cybersecurity Saturday

From the cybersecurity policy front —

  • Homeland Security Today reports
    • “This week, U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), along with U.S. Representatives James Comer (R-KY) and Jamie Raskin (D-MD), Chairman and Ranking Member of the Committee on Oversight and Accountability, and Nancy Mace (R-SC) and Gerald E. Connolly (D-VA), Chairwoman and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, introduced bicameral, bipartisan legislation to protect federal information technology systems. 
    • “The Federal Information Security Modernization Act (FISMA) of 2023 would improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats. It also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.”
  • Cybersecurity Dive tells us,
    • The Biden administration released its implementation plan for the national cybersecurity strategy Thursday, delegating cyber initiatives to a smattering of government agencies.
    • The plan, which is designed to guide the government’s completion of the national cybersecurity strategy, comes four months after the policy blueprint was unveiled.
    • “If the strategy represents the president’s vision for the future, then this implementation plan is the roadmap to get there,” Kemba Walden, acting national cyber director, said Wednesday during a press briefing.
    • “Fundamentally, we are publishing this plan because we will only achieve our goals with a whole-of-society approach,” Walden said. * * *
    • The 57-page document divides the five pillars and 27 objectives of the national cybersecurity plan into a broader series of initiatives.
    • While the implementation plan calls for the majority of initiatives to be completed before the end of fiscal year 2024, 11 are slated to be done in FY23, which closes at the end of September.
  • Cyberscoop adds
    • “As a concept, I generally like the idea of pushing to try and harmonize regulations. There are so many different regulations for different sectors out there that it can be a little bit confusing for owner-operators,” said Will Loomis, associate director of the Atlantic Council’s Cyber Statecraft Initiative.
    • “In pushing for one big set of regulation for all critical infrastructure, you kind of risk missing a lot of the nuance that exists in the differentiation and the realities of different critical infrastructure sectors,” Loomis said.
    • “And as the U.S. government works to assess the scope of the Chinese hacking campaign that utilized a flaw in Microsoft’s cloud computing systems, Loomis said he was disappointed that the implementation plan did not look more closely at cloud security.”
  • The Wall Street Journal points out,
    • “The hack of email accounts of senior U.S. officials including the commerce secretary is the latest feat from a network of Chinese state-backed hackers whose leap in sophistication has alarmed U.S. cybersecurity officials. 
    • “The espionage was aimed at a limited number of high-value U.S. government and corporate targets. Though the number of victims appeared to be small, the attack—and others unearthed in the past few months linked to China—demonstrated a new level of skill from Beijing’s large hacker army and prompted concerns that the extent of its infiltration into U.S. government and corporate networks is far greater than currently known.”
  • In sum, crafting an effective cybersecurity strategy is a tall order.

From the cybersecurity vulnerabilities and breaches front —

  • Bleeping Computer reported on July 11,
    • “HCA Healthcare disclosed a data breach impacting an estimated 11 million patients who received care at one of its hospitals and clinics after a threat actor leaked samples of the stolen data on a hacking forum.
    • “HCA Healthcare is one of America’s largest healthcare facility owners and operators, with 182 hospitals and 2,200 care centers across 21 U.S. states and the United Kingdom.
    • “As first reported by DataBreaches.net, on July 5th, 2023, a threat actor began selling data allegedly belonging to HCA Healthcare on a forum used to sell and leak stolen data. This forum post includes samples of the stolen database, which they claim consists of 17 files and 27.7 million database records.
    • “The threat actor claims that the stolen data consists of patient records created between 2021 and 2023.
    • “The threat actor initially did not offer the database for sale but instead used the post to blackmail HCA Healthcare, giving them until July 10th to ‘meet the demands.’ This is likely related to financial demands, although it wasn’t explicitly mentioned.
    • “However, after not receiving a response from HCA, the hacker began selling the full database, with other threat actors expressing interest in purchasing the data.”
  • Cybersecurity Dive offers an update on the slow-moving MOVEit file transfer disasters.
    • “More than 300 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.”
  • Speaking of zero-day vulnerabilities, Security Week reported on July 11
    • “In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
    • “Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added five known exploited vulnerabilities to its catalog on July 11 and two more on July 13.
  • HHS’s Health Sector Cybersecurity Coordination Center released its report on June Vulnerabilities of Interest to the Health Sector.
    • “In June 2023, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for June are from Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMWare, and MOVEit. A vulnerability is given the classification as a zero-day if it is actively exploited with no fix available or is publicly disclosed. HC3 recommends patching all vulnerabilities with special consideration to the risk management posture of the organization.”
  • HC3 also posted a PowerPoint titled “Artificial Intelligence, Cybersecurity and the Health Sector.”
  • Health IT Security points out
    • The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a new publication entitled “Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP).”
    • HIC-CHIRP provides healthcare organizations with a template for navigating a coordinated incident response when faced with disruptive cyber incidents. Specifically, the publication seeks to address healthcare-specific gaps in existing incident response resources.

In ransomware news,

  • Bleeping Computer lets us know,
    • “Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
    • “According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.”

From the cybersecurity defenses front —

  • CSO Online shares best practices for an effective cybersecurity strategy.
  • TechRepublic discusses Gartner’s 2023-24 cybersecurity outlook.
  • Forbes offers twenty cybersecurity training tips designed to make the training “stick.”

Thursday Miscellany

From Washington DC —

  • The Food and Drug Administration announced
    • approv[ing] Opill (norgestrel) tablet for nonprescription use to prevent pregnancy—the first daily oral contraceptive approved for use in the U.S. without a prescription. Approval of this progestin-only oral contraceptive pill provides an option for consumers to purchase oral contraceptive medicine without a prescription at drug stores, convenience stores and grocery stores, as well as online.
  • The New York Times adds,
    • The pill’s manufacturer, Perrigo Company, based in Dublin, said Opill would most likely become available from stores and online retailers in the United States in early 2024.
  • The OTC contraceptive will be available with no member cost sharing from FEHB plan network pharmacies due to the Affordable Care Act’s contraceptive mandate. Per the New York Times,
    • The company did not say how much the medication would cost — a key question that will help determine how many people will use the pill — but Frédérique Welgryn, Perrigo’s global vice president for women’s health, said in a statement that the company was committed to making the pill “accessible and affordable to women and people of all ages.”
  • The American Hospital Association informs us
    • “The Centers for Medicare & Medicaid Services July 13 issued a proposed rule that would increase Medicare hospital outpatient prospective payment system rates by a net 2.8% in calendar year 2024 compared to 2023. This includes a proposed 3.0% market basket update, offset by a 0.2% cut for productivity.”
  • and
    • “The Centers for Medicare & Medicaid Services July 13 released its calendar year 2024 proposed rule for the physician fee schedule. The rule proposes a decrease to the conversion factor by 3.34%, to $32.75 in calendar year 2024, as compared to $33.89 in CY 2023. This reflects the expiration of the 2.5% statutory payment increase for CY 2023; a 1.25% statutory payment increase for 2024; a 0.00% conversion factor update under the Medicare Access and CHIP Reauthorization Act; and a -2.17% budget-neutrality adjustment.  * * * 
      “CMS also proposes several provisions to advance access to behavioral health services. For example, it would create a new benefit category for marriage and family therapists and mental health counselors under Part B. In addition, CMS would establish new payment codes for mobile psychotherapy for crisis services.”
  • The public comment deadline for both proposed rules is September 11, 2023.
  • STAT News reports
    • “A key Senate health care panel has developed a plan to tackle reforms to middlemen in the pharmacy drug payment system, according to bill text obtained by STAT.
    • “The draft legislation, authored by Senate Finance Chair Ron Wyden (D-Ore.) and ranking member Mike Crapo (R-Idaho), includes several measures to regulate how pharmacy benefit managers are paid by health plans to negotiate with drugmakers.
    • “The most significant measure is a bill from Sens. Bob Menendez (D-N.J.) and Marsha Blackburn (R-Tenn.) that would prohibit PBMs from getting any income outside of service fees, and prohibits those service fees from being related to drugs’ list prices.
    • “Other provisions include a bill from Sens. Catherine Cortez Masto (D-Nev.) and Thom Tillis (R-N.C.) to require PBMs to send annual reports to Medicare insurance plans about their rebate and price negotiations, a policy that would ban PBMs from charging Medicaid more than they pay for drugs (a practice called spread pricing), and a mandate for the Department of Health and Human Services to outline acceptable performance measures for pharmacies.”

From the public health front

  • The Wall Street Journal reports
    • Two different arms of the World Health Organization released separate findings on the widely used sweetener aspartame—one calling it safe and the other identifying it as a possible cancer hazard.
    • Here’s what you need to know:
    • Is it safe to drink Diet Coke?
      • Yes, in moderate amounts. Food regulators around the world agree that aspartame is safe. Aspartame has been studied for decades. The WHO reaffirmed its recommendation that people consume no more than 40 milligrams of aspartame a day for each kilogram they weigh—which would be a lot of soda.
      • With around 200 mg of aspartame per 12-ounce can of Diet Coke, that is roughly 16 cans a day for a 175-pound person. People get aspartame from some other food sources, though, and often the presence or amounts of aspartame in them aren’t disclosed. The WHO and other health experts also caution against consuming large amounts of sweetened products, including soda. They recommend drinking water instead.
      • “This is particularly important for young children” whose tastes are developing, said Dr. Francesco Branca, director of the WHO’s department of nutrition and food safety.
    • Obviously, the article continues on with other FAQs, but this is the one that caught the FEHBlog’s attention.
  • The U.S. Preventive Services Task Force finalized its research plan for chronic kidney disease screening.
  • STAT News tells us
    • “Amid ongoing controversy over the cost of medicines, a key Biden administration official told Covid-19 vaccine manufacturers that their next round of shots should be priced reasonably, a move that comes after two key suppliers were accused of price gouging.”
  • The CMS Administration informed insurers and others
    • “As we look toward efforts to provide updated COVID-19 vaccines this fall, we know you may have questions about the shift away from U.S. Government purchasing of vaccines to a more traditional commercial market. To be clear, that shift has not yet occurred, and the currently authorized and approved COVID-19 vaccines continue to be free and widely available nationwide. We also wanted to send these reminders from the Centers for Medicare & Medicaid Services (CMS) about COVID-19 vaccine coverage and encourage you to start planning now for the fall vaccination campaign.
    • “[M]ost private health insurance, like employer-sponsored plans, Marketplace plans, and other individual market coverage that is subject to the Affordable Care Act (ACA) market reforms are required to cover vaccines for COVID-19 authorized for emergency use or approved by the FDA and recommended by the ACIP and their administration, without patient cost-sharing.”
  • Fierce Healthcare relates
    • The Centers for Medicare & Medicaid Services (CMS) is recommending preexposure prophylaxis (PrEP) with oral or injectable antiretroviral therapy to people at risk of HIV without patient cost sharing. * * *
    • Currently, Medicare beneficiaries are only guaranteed access to daily oral PrEP through Part D, facing out-of-pocket costs, said Carl Schmid, executive director of the HIV+Hepatitis Policy Institute. Injectable PrEP has not been covered traditionally.
  • Roll Call points out
    • “One year after the creation of the three-digit crisis hotline known as 988, officials say the next step is expanding awareness and local crisis care.
    • “More than 4 million people have called, texted or chatted the suicide prevention hotline in the year since its creation, according to Laurel Stine, executive vice president and chief policy officer for the American Foundation for Suicide Prevention.
    • “She estimates that number will grow in the next fiscal year to 9 million contacts.
    • “We have to be mindful that Rome was not built in a day,” she said. “We’ve had a fragmented mental health behavioral health crisis system for a number of years.”
  • Forbes reports on the “worsening” cancer drug shortage which it describes as a resolvable public health emergency.

From the generative AI front —

  • Healthcare Dive notes
    • Generative artificial intelligence could capitalize on the healthcare industry’s wealth of unstructured data, alleviating provider documentation burden and improving relationships between patients and their health plans, according to a new report by consulting firm McKinsey.
    • The report argues generative AI could help payers quickly pull benefits material for members or help call center workers aggregate information during conversations about claims denials. Providers could use AI to take conversations with patients and turn them into clinical notes, create discharge summaries or handle administrative questions from workers at health systems.
    • But healthcare leaders should start planning now if they want to use generative AI, as the risks can be high, the report said. Data fidelity and accuracy is key, so executives should begin assessing the quality of their AI tech stacks and considering potential problems like bias and privacy concerns, according to McKinsey.
  • Econtalk host Russ Roberts held an informative interview with Marc Andreessen about generative AI.

Cybersecurity Saturday

From the cybersecurity breaches and vulnerability front —

  • Cybersecurity Dive informed us on July 5,
    • “The widely exploited vulnerability in Progress Software’s MOVEit file transfer service has impacted nearly 200 organizations, according to Brett Callow, a threat analyst at Emsisoft.
    • “The scope of damage caused by Clop’s mass exploit of a zero-day vulnerability in MOVEit continues to snowball as third-party vendors expose multiple downstream victims. Progress discovered the zero-day over Memorial Day weekend on May 28.
    • “Despite the number of victims so far, experts anticipate more will come forward. “While many organizations have made a disclosure, a significant number have yet to do so,” Callow said via email.
    • “Progress on Wednesday released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.”
  • Here is a Cybersecurity and Infrastructure Security Agency (CISA) link about the Progress Software MOVEit patch.
  • CISA added another known exploited vulnerability yesterday.
  • On July 6, CISA issued a “Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants.”
    • “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.
    • “Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with the Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.
    • “CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199, to reduce the likelihood and impact of Truebot activity, as well as other ransomware-related incidents.” 
  • Bleeping Computer reports
    • “CISA ordered federal agencies today to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw added to its list of actively exploited vulnerabilities and addressed with this month’s Android security updates.
    • “The flaw (tracked as CVE-2021-29256) is a use-after-free weakness that can let attackers escalate to root privileges or gain access to sensitive information on targeted Android devices by allowing improper operations on GPU memory.
    • “A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information,” Arm’s advisory reads.”
  • and
    • “Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
    • “Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.
    • “Today [July 8], Trend Micro published a technical report on Big Head claiming that both variants and a third they sampled originate from a single operator who is likely experimenting with different approaches to optimize their attacks.”
  • Cybersecurity Dive points out
    • “More than two-thirds of Fortinet’s FortiGate firewalls remain at risk of exploits through a vulnerability the company disclosed on June 12, according to research Bishop Fox released Friday.
    • “Researchers at Bishop Fox, an offensive security testing firm, identified 490,000 affected SSL VPN interfaces exposed to the internet and determined 69%, around 338,000, of those FortiGate firewalls are unpatched.
    • “The heap-based overflow vulnerability, CVE-2023-27997, could allow a remote attacker to execute arbitrary code or commands and has a CVSS score of 9.8 out of 10.”
  • ISACA warns us
    • “In the US, the FBI and FCC recently warned that free USB charging stations in public spaces, such as airports, hotels, hospitals, business buildings and any other type of publicly available location, can have devices hidden within them to steal data, spread malware and commit other malicious activities broadly referenced as juice jacking. The term “juice jacking” started being used several years ago to mean that while individuals were using USB charging ports to charge (or “juice”) their phones, they were also having their data hijacked (“jacked”) through malicious, unnoticed skimming tech. I actually started covering this risk at a few onsite security and privacy training courses in 2010 when I first became aware of what was then an emerging new threat from a business friend, an electrical engineer, who I think may have invented what was the first juice jack blocker—a data blocker for USB ports.
    • “The malicious USB charging connection not only gives access to the phone apps and data, but it creates a connection to all the networks that the phone is connected to that do not have active access controls and blocks established when the phone was connected to the USB charger. So, malicious USB charging ports, cables and possibly other components of the public charging stations can also be used to plant ransomware, keystroke loggers and other types of malware, GPS tracking and audio eavesdropping. They can also take control of the device being charged. All these malicious activities can occur not only on the device being charged (phone, laptop, tablet, etc.) but also on devices and network components within those other connected networks.”
  • The FEHBlog notes the ISACA article offers the following suggestions plus policy advice
    • “Juice jack blockers attach to the end of your USB cable to protect against skimmers when you charge your devices in public places. This is not as bulky as hauling around most portable chargers and extra cables. I’ve purchased USB juice jack blockers for as low as two for US$12. They’re small and easily fit in a pocket without any bulkiness.
    • “It’s also a good idea to travel with personal charging devices. While not as small as juice jack blockers, they have become much smaller, with much more power, and less expensive in recent years. They limit the need to use public chargers at all.
    • “Ideally, it would be best to make sure only non-data power-only ports and cables are used in public areas. However, most cables are used to support data transfer, and there is not an easy way for most folks to visually tell if a cable is charge-only.”

From the cybersecurity defenses front —

  • Cybersecurity Dive discusses “the role for AI in cybersecurity; generative AI can be an ally for new security professionals. For more seasoned security analysts, it can offer time to refine their skills through automation of repetitive tasks.” Check it out.

Cybersecurity Saturday

From the cybersecurity policy front

  • Cybersecurity Dive reports
    • “The White House outlined its cybersecurity budget priorities for fiscal year 2025 in a memorandum sent to executive departments and agencies Tuesday.
    • “The Biden administration is looking to connect cybersecurity investments to the five pillars of the national cybersecurity strategy it released in early March, the document shows.
    • “The letter, signed by Acting National Cyber Director Kemba Walden and Office of Management and Budget Director Shalanda Young, advises federal agencies to prioritize spending on critical infrastructure defense, disrupting and dismantling threat actors, software that is secure by design, resiliency and international partnerships. * * *
    • “Agencies that bear responsibility for disrupting ransomware are advised to submit budgets that prioritize staff resources to investigate ransomware, disrupt ransomware infrastructure and participate in interagency task forces focused on cybercrime.”
  • The Government Accountability Office issued a report on launching and implementing the national cybersecurity strategy.
    • “Federal agency information systems and national critical infrastructure are vulnerable to cyberattacks.
    • “This Snapshot covers the status of the National Cybersecurity Strategy. The strategy’s goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.
    • “It will be difficult to implement the strategy when the specific details have yet to be issued. The continued vacancy in the role of National Cyber Director is also a challenge.”

From the cybersecurity vulnerabilities and breaches front —

  • Health IT Security breaks down the breach reports submitted to the HHS portal in the first six months of 2023.
    • HealthITSecurity has compiled a list of the top ten biggest healthcare data breaches reported to the HHS Office for Civil Rights (OCR) data breach portal this year as of late June 2023, based on the number of individuals impacted for each event. It is important to note that this list refers to breaches reported to OCR in 2023, but a few occurred in 2022 or earlier.
    • “Some of the biggest breaches so far this year stemmed from known cybersecurity vulnerabilities in Fortra’s GoAnywhere managed file transfer (MFT) solution and attacks on other third-party vendors, while others involved direct cyberattacks against healthcare organizations.”
  • Cybersecurity Dive tells us
    • “Fallout from Clop’s mass exploit of a zero-day vulnerability in Progress Software’s MOVEit file transfer service continues to ensnare additional victims. The prolific ransomware actor is listing new compromised systems on its leak site daily and some organizations are still disclosing breaches.
    • “At least 108 organizations, including seven U.S. universities, have been listed by Clop or disclosed as having been impacted thus far, according to Brett Callow, threat analyst at Emsisoft.
    • “The University of California, Los Angeles, is the latest organization to disclose a breach of its MOVEit platform. The school’s IT security team discovered malicious activity on June 1, a spokesperson told Cybersecurity Dive. * * *
    • “Organizations are disclosing breaches weeks after Progress first acknowledged the MOVEit vulnerability and cybersecurity experts warned about mass exploits. Two additional vulnerabilities in the file-transfer service have subsequently been discovered. * * *
    • “Some organizations have been impacted due to their direct use of MOVEit while others have been exposed as a result of third-party vendors’ use of the file transfer service, including PBI Research Services and Zellis.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) informs us
    • “The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.
    • “The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV).
    • “CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt. Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.”
  • On June 29, 2023, CISA added eight known exploited vulnerabilities to its Catalog.
  • The Cybersecurity and Infrastructure Security Agency advises us
    • “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.
    • “If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance.
    • “Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.
    • “Contact your internet service provider to ask if there is an outage on their end or if their network is the target of an attack and you are an indirect victim. They may be able to advise you on an appropriate course of action.
    • “Organizations can take proactive steps to reduce the effects of an attack—See the following guidance for more information:

From the ransomware front, here is a link to Bleeping Computer’s The Week in Ransomware.

From the cybersecurity defenses front —

  • Venture Beat reports
    • “Forrester’s recent report, The State of Cloud in Healthcare, 2023, provides an insightful look at how healthcare providers are fast-tracking their cloud adoption with the hope of getting cybersecurity under control. Eighty-eight percent of global healthcare decision-makers have adopted public cloud platforms, and 59% are adopting Kubernetes to ensure higher availability for their core enterprise systems. On average, healthcare providers spend $9.5 million annually across all public cloud platforms they’ve integrated into their tech stacks. It’s proving effective — to a point.
    • “What’s needed is for healthcare providers to double down on zero trust, first going all-in on identity access management (IAM) and endpoint security. The most insightful part of the Forrester report is the evidence it provides that continuing developments from Amazon Web Services, Google Cloud Platform, Microsoft Azure and IBM Cloud are hitting the mark with healthcare providers. Their combined efforts to prove cloud platforms are more secure than legacy network servers are resonating.”
  • CISA released cloud services guidance and resources.
  • Cybersecurity Dive points out that “Long before a data breach, well-prepared companies set up incident response teams with workers from multiple departments.”

Thursday Miscellany

Photo by Josh Mills on Unsplash

From Washington DC, where the air quality index was code red today —

  • The Supreme Court is down to its final four pending decisions from the October 2022 term. The final decision day is tomorrow morning.
  • The EEOC Chair made the following noteworthy comment on today’s Supreme Court decision on affirmative action in college admissions:
    • “Today’s Supreme Court decision effectively turns away from decades of precedent and will undoubtedly hamper the efforts of some colleges and universities to ensure diverse student bodies. That’s a problem for our economy because businesses often rely on colleges and universities to provide a diverse pipeline of talent for recruitment and hiring.  Diversity helps companies attract top talent, sparks innovation, improves employee satisfaction, and enables companies to better serve their customers”.
    • “However, the decision in Students for Fair Admissions, Inc. v. President & Fellows of Harvard College and Students for Fair Admissions, Inc. v. University of North Carolina does not address employer efforts to foster diverse and inclusive workforces or to engage the talents of all qualified workers, regardless of their background. It remains lawful for employers to implement diversity, equity, inclusion, and accessibility programs that seek to ensure workers of all backgrounds are afforded equal opportunity in the workplace.”
  • Govexec tells us
    • “The Supreme Court on Thursday ruled against the U.S. Postal Service in its attempts to require any employee to work on Sundays, even when it conflicted with their religious observances. 
    • “In a unanimous decision [interpreting Title VII of the Civil Rights Act of 1964], the top court reversed decades of precedent in determining that employers like USPS have to demonstrate more than a de minimis burden to avoid their otherwise mandated obligations to provide reasonable religious accommodations. The justices sent the case back to a lower court to determine whether, given the specifics of the case, the Postal Service could come up with other means to keep a letter carrier on the payroll without requiring him to work on Sundays.”

From the public health front —

  • The American Hospital Association informs us
    • “As proposed by its Advisory Committee on Immunization Practices, the Centers for Disease Control and Prevention [(CDC)] today recommended a single dose of the GSK or Pfizer Respiratory Syncytial Virus vaccine for people aged 60 and older who decide with their health care provider that the vaccine would benefit them. The Food and Drug Administration last month approved the vaccines for use in individuals 60 and older. The first U.S.-licensed vaccines to protect against RSV, they are expected to be available this fall.”
  • The CDC announced
    • “CDC Director Rochelle P. Walensky, M.D., M.P.H. adopted the 2023-2024 Advisory Committee on Immunization Practices’ (ACIP) recommendations on annual influenza (flu) vaccination for everyone 6 months and older in the United States on June 27, 2023.  There were small changes to the annual recommendations around flu vaccination, including an acknowledgement of the updated flu vaccine composition for the 2023-2024 flu season and a change in the recommendations for vaccination of people with egg allergies. Dr. Walensky’s adoption of the ACIP recommendations makes them official CDC policy. * * *
    • The recommended timing of flu vaccination has not changed. September and October are the best times for most people to get vaccinated.
  • The Department of Health and Human Services announced
    • “[Its] Office of the Assistant Secretary for Health (OASH) is releasing a draft framework to support and accelerate smoking cessation, building on supports that are already in place for people who want to quit. This framework will be a roadmap to enhance collaboration and coordination across HHS—and with federal and nonfederal stakeholders—to drive further progress toward smoking cessation and to deliver equitable outcomes for all persons in America. HHS is seeking public input on the framework before it is finalized.
    • “The public comment period will be open for 30 days starting June 30, 2023, through July 30 at 11:59 PM ET. HHS is committed to transparency and providing opportunities for public participation during the development of the Framework.
    • “Anyone can comment. Each responding entity (person or organization) is requested to submit only one response via email to HHSSmokingCessationFramework2023@hhs.gov as a Word document, Portable Document Format (PDF), or in the body of an email. Please include “Request for Information: Draft HHS 2023 Framework to Support and Accelerate Smoking Cessation” in the subject line of the email message.”
  • The Society for Human Resource Management offers employers strategies for reducing record-level employee stress.
  • Roll Call reports
    • “Only one-third of individuals diagnosed with hepatitis C have been cured in the decade since cures for the disease became available, according to a study published Thursday from the Centers for Disease Control and Prevention.
    • “Hepatitis C is a viral inflammation of the liver that can be asymptomatic yet spread through blood or other bodily fluids. Without treatment, hepatitis C is a chronic condition that can lead to liver cancer, liver failure or other comorbidities. 
    • “The Food and Drug Administration approved the first highly effective direct-acting antiviral drugs to cure hepatitis C in 2013. Treatment occurs over the course of 8 to 12 weeks and has a 95 percent success rate.
    • “But almost 15,000 Americans still die from hepatitis C annually. * * *
    • “Francis Collins, the former longtime NIH director who leads the White House National Hepatitis C Elimination Program, said the data “highlights an urgency for a bold response to hepatitis C.”

From the health plan design front

  • Fierce Healthcare discusses
    • “Following the COVID-19 pandemic, the rising tide of mental health concerns—particularly among children and adolescents—has been a major focus in the industry.
    • “But it’s not a new problem. Behavioral health needs have been on the rise for some time, and that’s why in 2018 the team at Elevance Health’s Carelon established the Suicide Prevention Program, which deploys data and predictive models to identify people at risk sooner and avoid potential self-harm or suicide events. 
    • “Suicide is the second-leading cause of death for young people, and rates have increased by 56% in the last 20 years. Through the prevention program, Carelon saw a reduction of more than 20% in suicidal events among adolescents and young adults with commercial coverage.
    • “In addition, this corresponded to a 30% decrease in per member per month behavioral health spending.”
  • The Society for Human Resource Management identifies four ways to boost employee satisfaction with high deductible plans connected with health savings accounts.

From the generative AI front,

  • Beckers Hospital Review notes,
    • “Johnson City, Tenn.-based Ballad Health is using artificial intelligence to identify potential medication errors and improve pharmacy workflows, the health system said June 29. 
    • “Ballad is using a medication safety monitoring platform from MedAware for this effort. The platform monitors drug prescriptions in real-time and compares this information against patient data from the health system’s EHR to flag potentially dangerous or fatal drug interactions. 
    • “The Ballad Health Innovation Center and Ballad Ventures, the system’s venture capital subsidiary, is funding the project with MedAware.

From the healthcare spending front —

  • Healthcare Dive relates
    • “Healthcare costs are expected to rise 7% next year as inflation drives providers to seek rate increases from insurers and pharmaceutical costs rise, according to PwC’s annual report.
    • “The consultancy, which surveyed actuaries at insurers that offer group and individual plans, said the increase outstrips its predictions for 2022 and 2023, which were 5.5% and 6% respectively.
    • “Some trends are pushing costs down, like the availability of more biosimilar drugs and a shift toward cheaper outpatient care. A number of other factors are expected to be cost neutral but key to watch, including health plans’ investment in value-based care, COVID-19 impacts, behavioral healthcare utilization, health equity initiatives, price transparency rules and Medicaid redeterminations, PwC said.
  • and
    • “Primary care physicians saw their compensation rise faster than other medical and surgical specialties in 2022, as significant E/M coding changes enacted by the CMS kicked into gear and volume stabilized coming out of the pandemic.
    • “Medical groups and healthcare organizations reported a 6.1% increase in primary care compensation in 2022 compared to 2021 in the AMGA’s most recent compensation survey published on Wednesday. That’s compared to 1.5% and 1.6% increases for medical and surgical specialties, respectively.
    • “Medical groups’ revenue increased faster than compensation gains for physicians, a trend the AMGA said could be due to groups using more revenue to address higher expenses as supply and labor costs soared.”
  • Health Payer Intelligence points out
    • “Individuals with depression, anxiety, or both who are enrolled in large employer-sponsored health plans have higher out-of-pocket spending than individuals without such diagnoses, according to an issue brief from the Peterson-KFF Health System Tracker.
    • “These findings of higher health spending among privately insured individuals receiving treatment for depression and/or anxiety come at a time of rising health costs. Health insurance is already expensive for enrollees with private insurance, and treatment for mental health conditions can further escalate these costs,” the brief noted.
    • “The researchers used large employer health plan claims from the 2021 Merative MarketScan Commercial Database. Nine percent of adult, large employer-sponsored health plan enrollees had a depression or anxiety diagnosis or both.
    • “Members with a generalized anxiety disorder (anxiety) diagnosis, a depression diagnosis, or both spent, on average, $1,501 per year in out-of-pocket costs. This was nearly double the $863 in average annual out-of-pocket healthcare spending that individuals without one of these diagnoses spent.
    • “Moreover, total annual spending, including out-of-pocket healthcare costs, was 1.9 times higher for individuals with one of these diagnoses than those without one. Utilization was also twice as high for those diagnosed, who typically visited a provider’s office 7.4 times per year, while those without a diagnosis visited 3.2 times per year on average.

From the Food and Drug Administration (FDA) front —

  • The Wall Street Journal reports
    • “The promise of gene therapy has arrived for thousands of Americans with the most common and severe form of hemophilia.
    • “The U.S. Food and Drug Administration approved the first gene therapy for hemophilia A on Thursday, giving patients a long-awaited option for avoiding the burden of regular infusions and injections.
    • “That’s a complete game-changer for quality of life,” said Mike Reutershan, a 38-year-old medicinal chemist with hemophilia who lives in suburban Boston. “You don’t have to carry a bag of medicine around with you.” 
    • “The FDA approved the new gene therapy, called Roctavian and made by BioMarin Pharmaceutical, for adults with a severe form of the disease. Roctavian is infused just once.  
    • “Priced at $2.9 million, the drug now ranks among the most expensive in the world. But the price is in line with the cost of other new gene therapies, a groundbreaking type of treatment that replaces a missing or faulty gene.”
  • Cardiovascular Business informs us
    • “Just eight days after approving the first anti-inflammatory drug for cardiovascular disease, the U.S. Food and Drug Administration (FDA) has made another historic approval focused on cardiovascular health. 
    • “The agency announced Wednesday, June 29, that it has approved donislecel, a new pancreatic islet cellular therapy made from the pancreatic cells of deceased donors, for the treatment of type 1 diabetes among adult patients with severe hypoglycemia. Donislecel is marketed and sold by Chicago-based CellTrans under the brand name Lantidra.
    • “This represents the first time the FDA has approved a cellular therapy for type 1 diabetes.”
  • Biopharma Dive calls attention to ten clinical trials to watch in the second half of this year.