Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive lets us know,
    • “Legislators slammed UnitedHealth Group CEO Andrew Witty over the cyberattack on subsidiary Change Healthcare at two Congressional hearings on Wednesday, raising concerns about the technology firm’s lack of cybersecurity and the potentially huge breach of Americans’ health data.”
  • The American Hospital News reports
    • “The Biden Administration April 30 released a memo announcing updated critical infrastructure protection requirements, which include the Cybersecurity & Infrastructure Security Agency acting as the National Coordinator for Security and Resilience, and heightening the importance of minimum security and resilience requirements within health care and other critical infrastructure sectors, consistent with the National Cybersecurity Strategy.”  
  • and
    • “The Cybersecurity and Infrastructure Security Agency May 3 extended the comment period to July 3 for the April 4 proposed rule that would implement cyber incident and ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The rule would require critical infrastructure organizations, including hospitals and health systems, to report a covered cyber incident to the federal government within 72 hours and ransom payments within 24 hours, among other requirements.”
  • Cyberscoop adds,
    • “A draft rule for cyber incident reporting asks far too much of critical infrastructure entities and of the agency tasked with carrying out the law, trade groups representing the electric, telecommunications and finance sectors said during a House hearing Wednesday.
    • “The cyber incident reporting mandate is one of the Cybersecurity and Infrastructure Security Agency’s biggest forays into a regulatory role — and it is proving to be a thorny one. The 447-page draft rule, released in March, would require select critical infrastructure companies to report significant cyber incidents within 72 hours and any ransomware payments within 24 hours. The rule was established largely for the government to better understand the cyber landscape after multiple major cyberattacks — such as the SolarWinds espionage campaign — highlighted the fact that many attacks go unnoticed.
    • “Witnesses before the House Homeland Security’s cybersecurity subcommittee were largely in agreement that the rule is an important step for broader cyber awareness but also too broad, increasing the likelihood of CISA becoming overwhelmed by reports. Meanwhile, front-line defenders — particularly smaller organizations — could be hampered by trying to both file reports and deal with an attack. CISA will not be able to keep up with the amount of data due to the broad definition of cyber incidents and who should report, the witnesses argued.”
  • Health IT Security informs us,
    • “The Federal Trade Commission (FTC) finalized updates to its Health Breach Notification Rule (HBNR) with the goal of clarifying the rule’s applicability to health apps and other technologies that fall outside HIPAA’s purview.
    • “The FTC issued the HBNR more than a decade ago, when health apps were not as embedded into the US healthcare landscape as they are now. The HBNR requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers that are not subject to HIPAA to notify the FTC and impacted individuals in the event of a health data breach.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “A ransomware group accessed Change Healthcare’s systems with compromised credentials, UnitedHealth Group CEO Andrew Witty said in written testimony prepared for a Wednesday hearing before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations.
    • “On Feb. 12, the AlphV ransomware group used those compromised credentials to “remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in his prepared remarks. “The portal did not have multifactor authentication.” 
    • “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said.”
  • and
    • “The exploitation of vulnerabilities almost tripled as an initial access vector in 2023, fueled in part by the MOVEit breach, Verizon said in its Data Breach Investigations Report released Wednesday.
    • “Ransomware actors increasingly targeted zero-day vulnerabilities in IT systems, Verizon found. About a third of all breaches in 2023 included some type of extortion, and MOVEit involved Clop ransomware exploiting zero-day vulnerabilities in the file-transfer service.
    • “The report shows 15% of breaches involved a third party, which includes data custodians, software vulnerabilities and direct or indirect supply chain issues, according to the report. This figure represented a 68% increase from the prior year, Verizon said.”
  • and
    • “Pro-Russia hacktivists are targeting operational technology systems in the water, energy and agricultural sectors by exploiting poor cyber hygiene techniques, the Cybersecurity and Infrastructure Security Agency warned Wednesday. CISA issued a joint fact sheet with the FBI, National Security Agency and multiple international agencies.
    • “Threat groups are looking to compromise industrial control systems at small-scale operations in North America and Europe that are exposed to the internet and use default passwords or lack multifactor authentication, officials warned.
    • “The targeting thus far has involved unsophisticated techniques that target components like human-machine interfaces. The agencies urged providers to immediately change to more complex passwords and implement multifactor authentication.” 
  • SC Media offers five takeaways from the Verizon report.
  • Bleeping Computer tells us,
    • “The NSA and FBI warned that the APT43 North Korea-linked hacking group exploits weak email Domain-based Message Authentication Reporting and Conformance (DMARC) policies to mask spearphishing attacks.
    • “Together with the U.S. State Department, the two agencies cautioned that the attackers abuse misconfigured DMARC policies to send spoofed emails which appear to come from credible sources such as journalists, academics, and other experts in East Asian affairs.”
    • “The DPRK leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications,” the NSA said.”
  • CISA added the following known exploited vulnerabilities to its catalog this week.
    • On April 30, CVE-2024-29988 Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability, and
    • On May 1, CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability.
  • Tech Republic adds, “Researchers from the University of Illinois Urbana-Champaign found that OpenAI’s GPT-4 is able to exploit 87% of a list of vulnerabilities when provided with their NIST descriptions.”

From the cybersecurity defenses front,

  • Here is a link to Dark Reading’s CISO Corner.
  • Security Week reports, “In the wake of a scathing US government report that condemned Microsoft’s weak cybersecurity practices and lax corporate culture, security chief Charlie Bell is pledging significant reforms and a strategic shift to prioritize security above all other product features.”
  • ISACA released its 2023 annual report. “Access ISACA’s annual report here.”
  • Mercer Consulting considers how to modernize HR data strategy to address cybersecurity risks.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. government and its partners have slowed the swell of ransomware over the last three years, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Wednesday at an event.
    • “But the cyclical and persistent threat ransomware poses requires new ways of thinking, Easterly said, speaking at the Institute for Security and Technology’s annual ransomware task force event. Defenders and stakeholders have to turn the lens to software and hardware vendors, according to Easterly.
    • “There’s a lot about the villains. There’s a lot about victims. We do not talk enough about vendors,” she said.
    • “The way we are going to actually drive down the number of attacks, and the number of successful attacks, is if we go upstream and ensure that technology that is deployed and delivered is in fact prioritized to be secure,” Easterly said. “Not features, not speed to market, not driving down costs, but secure.”
  • Here is a link to a related blog post from the CISA Director on this important topic.
  • Cyberscoop adds,
    • “The Cybersecurity and Infrastructure Security Agency’s vulnerability warning program has issued more than 2,000 alerts to date to organizations that are running software with vulnerabilities being exploited by ransomware gangs, the agency’s director, Jen Easterly, said Wednesday.
    • “Currently running in a pilot phase, the program is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch them before they can be infiltrated. 
    • “The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly said at an event hosted by the Institute for Security and Technology.
    • “Easterly said that since the pilot was launched in January of last year, it has expanded to include CISA’s database of known exploited vulnerabilities as well as common misconfigurations that can be linked to ransomware attacks. 
    • “In a Thursday blog about the warning pilot, CISA found that of the more than 1,700 notifications of vulnerable devices in 2023, 49% were mitigated through either patching, taking offline, or through other measures. The blog also said organizations reduce cyber risk when using CISA’s free cyber hygiene vulnerability scanning service, which monitors the web for vulnerable devices.
    • “Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days,” CISA said.”

From the cyber vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “UnitedHealth Group said [on April 22] it paid hackers a ransom in an attempt to protect patient information from disclosure after a cyberattack against its subsidiary Change Healthcare in February, the company confirmed to Healthcare Dive on Monday.
    • “The healthcare behemoth also said patient data was compromised. UnitedHealth found files involved in the cyberattack containing protected health information or personally identifiable information that “could cover a substantial proportion of people in America,” according to a press release. 
    • “UnitedHealth also said 22 screenshots of allegedly stolen files, some containing patient health information, were posted on the dark web for about a week. The healthcare giant said it’s continuing to monitor the internet and the dark web for stolen data. * * *
    • “The company also said it would take on breach reporting and notification requirements for customers whose data may have been exposed in the attack — a big concern for provider groups.”
  • Tech Crunch reports,
    • “U.S. health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).
    • “In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”
    • “Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”
    • “Kaiser said it subsequently removed the tracking code from its websites and mobile apps. * * *
    • “Kaiser spokesperson Diana Yee said that the organization would begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates, the spokesperson said.
    • “The health giant also filed a legally required notice with the U.S. government on April 12 but made public on Thursday confirming that 13.4 million residents had information exposed.”
  • Help Net Security informs us,
    • “More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found.
    • “Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee.
    • “LockBit was found to still be holding the stolen data of victims that had paid a ransom, and we have also seen prior Hive victims that had paid the extortion, have their data posted on the Hunters International leak site (a reboot / rebrand of Hive),” the company said, noting that “future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”

From the cybersecurity defenses front,

  • Cybersecurity Dive lets us know,
    • “Global median dwell times — measured as the time that hackers remain undetected inside a targeted environment — have fallen to their lowest levels in more than a decade, according to the annual M-Trends report from Google Cloud’s Mandiant, released Tuesday. 
    • “Organizations were able to detect intrusions within a median of 10 days in 2023, compared with 16 days in 2022. Notably the largest improvements came in the Asia-Pacific region, where median dwell times fell to nine days in 2023, compared with 33 in 2022.  
    • “Zero-day vulnerabilities are a hot target for espionage actors as well as financially motivated threat groups. Zero-day usage rose 50% in 2023, compared with the prior year.”
  • and
    • “The majority of companies, 4 in 5, have suffered a cyberattack that wasn’t fully covered under their cyber insurance policy, according to an analysis by cyber risk quantification firm CYE.
    • “On average, each insurance gap left more than three-quarters of a breach uncovered, CYE said in a report released Wednesday. The research, which analyzed 101 breaches across various sectors, revealed an average of $27.3 million in uncovered losses per incident.
    • “This study underscores how many companies rely on cyber insurance to cover the losses incurred as a result of cyber incidents and are then taken by surprise when they find that their insurance only covers a small portion,” Nimrod Partush, vice president of data science at CYE, said in a press release.” 
  • Here is a link to Dark Reading’s latest CISO Corner.
  • SC Media considers whether the Change Healthcare case finally will make providers do a business impact analysis.

Friday Factoids

From Washington, DC,

  • Perhaps the most convoluted provision in the Affordable Care Act is its individual non-discrimination clause, Section 1557. The Obama Administration issued an implementing rule. The Trump Administration replaced the Obama Administration’s rule, and today the Biden Administration has replaced the Trump Administration rule.
    • Of note, “[f]or the first time, the Department will consider Medicare Part B payments as a form of Federal financial assistance for purposes of triggering civil rights laws enforced by the Department, ensuring that health care providers and suppliers receiving Part B funds are prohibited from discriminating on the basis of race, color, national origin, age, sex and disability.”
    • HHS will refer FEHB and FEDVIP complaints to OPM.
  • The Washington Post reports,
    • “Medtronic said Friday that the U.S. Food and Drug Administration has approved a new spinal-cord implant that relieves chronic pain, a bid to expand into a patient population that relies heavily on medications like opioids.
    • “The new device works by delivering an electrical pulse to the spinal cord, interrupting pain signals before they reach the brain in patients suffering from back, cervical and nerve damage. While earlier versions of the device provided a constant level of stimulation, Medtronic’s new product can read signals from nerve fibers and automatically adjust the intensity — a feature designed to avoid uncomfortable jolts when a patient sneezes, coughs or laughs.
    • “It’s like listening for whispers at a rock concert,” David Carr, a Medtronic vice president, said in an interview. * * *
    • “Medtronic’s Inceptiv contains a lithium battery that can be recharged through the skin, and two leads with electrodes — some to read the signals from nerve fibers, and others to deliver the electrical pulse. The device can adjust the level of stimulation 50 times a second, according to the company.
    • “Inceptiv is “the world’s smallest and thinnest fully implantable” spinal-cord stimulator, Medtronic said.”
  • Per BioPharma Dive,
    • “The Food and Drug Administration on Friday approved a new gene therapy for hemophilia, clearing Pfizer’s Beqvez for certain people with the less common “B” form of the bleeding condition.
    • “Beqvez is for adults with moderate to severe hemophilia B who currently use drugs to prevent bleeds or have repeated, spontaneous bleeding. Eligible individuals also must be tested to determine whether they have antibodies that neutralize Beqvez’s effects.
    • “Pfizer set the treatment’s list price at $3.5 million, a company spokesperson confirmed. That matches the cost of Hemgenix, the other available gene therapy for hemophilia B. Pfizer will offer insurers a warranty providing “financial protections” if Beqvez doesn’t work or its effects don’t last, the spokesperson wrote in an email, without providing details.”

From the public health and medical research front,

  • The Centers for Disease Control lets us know today,
    • “The amount of respiratory illness (fever plus cough or sore throat) causing people to seek healthcare continues to decrease across most areas of the country. This week, 0 jurisdictions experienced high activity compared to 1 jurisdiction experiencing high activity the previous week. No jurisdictions experienced very high activity. 
    • “Nationally, emergency department visits with diagnosed influenza are decreasing. Emergency department visits with COVID-19 and RSV remain stable at low levels.  
    • “Nationally, COVID-19, influenza, and RSV test positivity decreased compared to the previous week. 
    • “Nationally, the COVID-19 wastewater viral activity level, which reflects both symptomatic and asymptomatic infections, remains low.” 
  • American Hospital Association News adds,
    • “Adults age 65 and older are encouraged to receive an updated dosage of the COVID-19 vaccine, the Centers for Disease Control and Prevention announced April 25. The update provides protection against the JN.1 and other circulating variants of the virus, and should be administered at least four months following the previous dosage. The CDC’s Advisory Committee on Immunization Practices recommended the additional dose in February.”
  • On a related note, the CDC reports today
    • H5N1 bird flu is widespread in wild birds worldwide and is causing outbreaks in poultry and U.S. dairy cows with one recent human case in a U.S. dairy worker.
    • While the current public health risk is low, CDC is watching the situation carefully and working with states to monitor people with animal exposures.
    • CDC is using its flu surveillance systems to monitor for H5N1 activity in people.
  • Medscape tells us,
    • “The glucagon-like peptide 1 (GLP-1) receptor agonist semaglutide (Wegovy) not only induced weight loss but also improved knee pain in people with knee osteoarthritis (OA) and obesity, according to results from the STEP 9 study reported at the World Congress on Osteoarthritis (OARSI 2024).
    • “From baseline to week 68, the mean change in knee pain assessed using the Western Ontario and McMaster Universities Arthritis Index (WOMAC) pain score was a reduction of 41.7 points for semaglutide and a decrease of 27.5 points for a matching placebo. The estimated treatment difference of 14.1 points between the groups was statistically significant (< .001).
    • “As for weight loss, this also fell by a significantly greater amount in the people treated with semaglutide vs those given placebo, with respective reductions of 13.7% and 3.2% from baseline, with an estimated 10.5% greater weight loss with semaglutide.
    • “The interesting thing is whether there’s a specific action of GLP-1 receptor agonists on the joint, not through the weight loss but by itself,” principal study investigator Henning Bliddal, MD, DMSc, told Medscape Medical News ahead of reporting the results at OARSI 2024.”
  • The National Institutes of Health (“NIH”) Director writes in her blog,
    • “In Alzheimer’s disease, a buildup of sticky amyloid proteins in the brain clump together to form plaques, causing damage that gradually leads to worsening dementia symptoms. A promising way to change the course of this disease is with treatments that clear away damaging amyloid plaques or stop them from forming in the first place. In fact, the Food and Drug Administration recently approved the first drug for early Alzheimer’s that moderately slows cognitive decline by reducing amyloid plaques. Still, more progress is needed to combat this devastating disease that as many as 6.7 million Americans were living with in 2023.
    • Recent findings from a study in mice, supported in part by NIH and reported in Science Translational Medicine, offer another potential way to clear amyloid plaques in the brain. The key component of this strategy is using the brain’s built-in cleanup crew for amyloid plaques and other waste products: immune cells known as microglia that naturally help to limit the progression of Alzheimer’s. The findings suggest it may be possible to develop immunotherapies—treatments that use the body’s immune system to fight disease—to activate microglia in the brains of people with Alzheimer’s and clear amyloid plaques more effectively.
    • In their report, the research team—including Marco Colonna, Washington University School of Medicine in St. Louis, and Jinchao Hou, now at Children’s Hospital of Zhejiang University School of Medicine in Zhejiang Province, China—wrote that microglia in the brain surround plaques to create a barrier that controls their spread. Microglia can also destroy amyloid plaques directly. But how microglia work in the brain depends on a fine-tuned balance of signals that activate or inhibit them. In people with Alzheimer’s, microglia don’t do their job well enough. * * *
    • [O]verall, these findings add to evidence that immunotherapies of this kind could be a promising way to treat Alzheimer’s. This strategy may also have implications for treating other neurodegenerative conditions characterized by toxic debris in the brain, such as Parkinson’s disease, amyotrophic lateral sclerosis (ALS), and Huntington’s disease. The hope is that this kind of research will ultimately lead to more effective treatments for Alzheimer’s and other conditions affecting the brain.
  • NIH announced
    • “One injected dose of an experimental malaria monoclonal antibody was 77% effective against malaria disease in children in Mali during the country’s six-month malaria season, according to the results of a mid-stage clinical trial. The trial assessed an investigational monoclonal antibody developed by scientists at the National Institutes of Health (NIH), and results appear in The New England Journal of Medicine.
    • “A long-acting monoclonal antibody delivered at a single health care visit that rapidly provides high-level protection against malaria in these vulnerable populations would fulfill an unmet public health need,” said Dr. Jeanne Marrazzo, director of the National Institute of Allergy and Infectious Diseases, part of NIH.”
  • and
    • “In a new analysis of genetic susceptibility to kidney cancer, an international team of researchers has identified 50 new areas across the genome that are associated with the risk of developing kidney cancer. These insights could one day be used to advance our understanding of the molecular basis of kidney cancer, inform screening efforts for those at highest risk, and identify new drug targets. The study was led by scientists at the National Cancer Institute (NCI), part of the National Institutes of Health (NIH).”

From the U.S. healthcare business front,

  • Berkeley Public Health informs us,
    • “Does paying more to have your outpatient surgery done at a hospital, rather than at a freestanding surgical center, lead to better care? A new study led by James C. Robinson, professor of health economics at UC Berkeley School of Public Health, says no.
    • “In an investigation published in the April issue of The American Journal of Managed Care, Robinson and his team found that the higher prices typically charged by hospitals for four common surgeries were not justified by higher quality, as measured by the rate of post-surgical complications.
    • “The researchers analyzed more than 2 million national Blue Cross Blue Shield insurance claims from 2019-2020 for patients aged 18 to 65 who received a colonoscopy, knee or shoulder arthroscopy, or cataract removal surgery, and calculated the prices and rates of complications for each procedure.
    • “They found large differences in price, but very little difference in the rate of post-surgery complications.”
  • Health IT Analytics tells us about the top twelve ways that artificial intelligence will be used in healthcare.
  • HR Dive offers a tracker of state and local laws requiring employers to disclose pay or pay ranges.
    • “Pay disclosure laws have taken several forms. Some require employers to provide the minimum and maximum pay, or a pay range, for a given job upon the request of an applicant. Others mandate this practice without requiring candidates to ask first. The latest wave of laws now require employers to include this information in all applicable job postings.”
  • Per Biopharma Dive,
    • “U.S. Humira sales fell 40% year over year during the first three months of 2024, to about $1.8 billion, as biosimilar copycats put pressure on AbbVie’s top-selling drug, the company said Friday in its first quarter earnings report.
    • “The declines were “in line” with what the company had anticipated for its inflammatory disease drug, AbbVie commercial chief Jeffrey Stewart said in a call with investors. Humira now faces 10 copycat competitors in the U.S., the first of which launched Jan. 31, 2023.
    • “Stewart said the company also expected a recent decision by CVS Health, whose pharmacy benefit manager is the country’s largest by prescription claims, to remove Humira from its national pharmacy effective April 1. Although that has meant Humira’s market share dropped from 96% to 81% over two weeks, Stewart said some of the shift went to other branded medicines, like AbbVie’s products Skyrizi and Rinvoq.”
  • Beckers Payer Issues points out,
    • “Centene reported nearly $1.2 billion in net income in the first quarter and a more than 18% decrease in Medicaid membership year over year, according to its first-quarter earnings posted April 26.
    • Total revenues in the first quarter were $40.4 billion, up 3.9% year over year.
    • Total net earnings in the first quarter were nearly $1.2 billion, up 2.9% since the same period last year.
    • The company raised its year-end adjusted EPS guidance to at least $6.80.
    • The company’s medical loss ratio was 87.1% in the first quarter and 87% during the same period last year.”
  • According to Fierce Healthcare,
    • “The new year is “off to a good start,” for Community Health Systems, which reported a somewhat narrowed $41 million net loss (-$0.32 per diluted share) and a solid uptick in operating revenues for its first quarter.
    • “The 71-hospital for-profit system had logged a $51 million net loss during the same period last year, which, at the time, CHS attributed to a bump in Medicare Advantage patient volume.
    • “After excluding adjustments related to impairment losses and business transformation costs, the company landed at a net loss of $0.14 per share, which was about in line with consensus estimates.
    • “However, CHS shared a rosier picture when it came to operating revenues. Its three-month net of $3.14 billion beat estimates by about $50 million and was a 1% increase over last year.”
  • Healthcare Dive reports,
    • “Universal Health Services delivered first quarter earnings results Wednesday that beat analysts’ estimates on stronger than expected revenue and volume metrics across its behavioral health and acute service lines.
    • “UHS increased its same facility net revenues for its acute care and behavioral care service lines by 9.6% and 10.4%, respectively, during the first quarter of 2024 compared to the same period last year.
    • “However, the operator could suffer a “material” financial hit should the operator fail to lower a March $535 million judgment against a subsidiary, UHS disclosed in its earnings report. The for-profit health system is currently appealing the judgment in post-trial motions, said CFO Steve Filton during the earnings call.”

Midweek Update

From Washington, DC,

  • Here’s a link to the brief text of Senate bill 4811 that would allow over 100,000 reservists and National Guard members who also are federal employees to transfer from the FEHB to the lower cost Tricare Reserve Select healthcare program effective January 1, 2025.
  • Kevin Moss, writing in Govexec, points out the advantages of FEHB high deductible health plans.
  • Beckers Hospital Review alerts us,
    • “A Senate committee opened an investigation into Novo Nordisk’s list prices for Ozempic and Wegovy, Novo Nordisk’s diabetes and weight loss drugs. 
    • “In an April 24 letter to Novo Nordisk’s CEO, the Senate Committee on Health, Education, Labor, and Pensions said Ozempic and Wegovy are “exorbitantly expensive,” which restricts access to the drugs for millions of Americans. 
    • “In the U.S., a four-week supply of Ozempic costs $969, and Wegovy is $1,349. That’s up to 15 times more than what Novo Nordisk charges in Canada, Europe and Japan, the letter said. 
    • “In 2023, pharmacies, clinics and hospitals spent more than $38 billion on the two products, which contain the same drug, semaglutide. They were the No. 1 pharmaceutical expense for U.S. healthcare, according to research published April 24.”
  • STAT News confirms,
    • “Spending on GLP-1 drugs like Ozempic and Wegovy ballooned last year and they’re set to cost the U.S. health care system and the federal government still more this year and beyond, two new reports released Wednesday show.
    • “One study from the American Society of Health-System Pharmacists found that GLP-1 treatments were a main driver of the increase in overall drug spending by health entities such as pharmacies and hospitals last year. In particular, expenditures on Novo Nordisk’s semaglutide — sold as Ozempic for diabetes and Wegovy for obesity — doubled to $38.6 billion, making the drug the top-selling medicine in 2023.
    • “The other report, by health policy research organization KFF, looked at the impact of the recent approval of Wegovy to prevent cardiovascular complications. Medicare is barred from covering drugs for weight loss purposes, but the new approval means the federal payer can now cover Wegovy when prescribed to reduce heart risks. As a result, Medicare could spend $2.8 billion in a year on the single drug, the researchers conservatively estimate.
    • “Taken together, the reports provide a window into the pressure that GLP-1 drugs could place on overall health care spending going forward, especially as more people take the medications. The treatments have been in short supply, but drugmakers are ramping up manufacturing capacity to meet the unprecedented demand from patients. The pharma companies are also seeking approval for even more indications like heart failure and sleep apnea.”
  • The New York Times reports,
    • “The Food and Drug Administration on Wednesday approved the sale of an antibiotic for the treatment of urinary tract infections in women, giving U.S. health providers a powerful new tool to combat a common infection that is increasingly unresponsive to the existing suite of antimicrobial drugs.
    • “The drug, pivmecillinam, has been used in Europe for more than 40 years, where it is often a first-line therapy for women with uncomplicated U.T.I.’s, meaning the infection is confined to the bladder and has not reached the kidneys. The drug will be marketed in the U.S. as Pivya and will be made available by prescription to women 18 and older. * * *
    • Utility Therapeutics, the U.S. company that acquired the rights to pivmecillinam, said it would be available in 2025. The company is also seeking F.D.A. approval for an intravenous version of the drug that is used for more serious infections and is usually administered in a hospital setting.
    • “Health practitioners said they were elated to have another tool in their arsenal given the growing challenge of antimicrobial resistance, which makes existing medications less effective as pathogens mutate in ways that allow them to survive a course of antibiotics.”
  • As we learned yesterday, “Day One Biopharmaceuticals drug Ojemda is now FDA-approved for advanced pediatric low-grade glioma, the most common type of brain cancer in children. The regulatory decision for Ojemda covers a broader swath of patients than a drug combination from Novartis approved for treating this childhood cancer.” MedCity News adds,
    • “Ojemda is available as an immediate-release tablet or an oral suspension, both administered once weekly. Dosing of the Day One drug is according to body surface area, which is consistent with dosing for other pediatric medications, Blackman said. Day One has set a $33,816 wholesale price for a 28-day supply. That means the annual cost of the therapy will top $440,000. Ojemda’s price is the same for all packages of the drug and will not change as a child grows and needs higher doses, Chief Commercial Officer Lauren Merendino said.
    • “The two formulations of Ojemda can be taken at home, which minimizes disruption to the lives of patients and families, Merendino said. Day One’s goal is to establish Ojemda as the physician’s first choice of therapy for pLGG. Merendino said the drug should become available in about two weeks.”

From the public health and medical research front,

  • The Washington Post reports,
    • “Dairy cows must be tested for bird flu before moving across state lines, under a federal order issued Wednesday, as evidence mounts that the virus is more widespread than feared among cows in the United States.
    • Biden administration officials said the move is meant to contain transmission of the virus known as H5N1 and to reduce the threat to livestock, but they maintained that the risk to humans remains low. * * *
    • “An order issued by the U.S. Agriculture Department that takes effect Monday requires every lactating dairy cow to be tested before moving across state lines. Cows carrying the virus would have to wait 30 days and test negative before being moved, officials said. Positive test results would trigger additional requirements for herd owners to disclose information, including the movement of animals, to aid epidemiologic investigations, and for laboratories and state veterinarians to report cases to the USDA.
    • “Requiring positive test reporting will help USDA better understand this disease and testing before interstate movement will limit the spread of the virus,” Mike Watson, administrator of the USDA’s Animal and Plant Health Inspection Service, told reporters.
    • “This is an evolving situation, and we are treating it seriously and with urgency,” he said.”
  • The International Foundation of Employee Benefit Plans discusses “What Health Plan Sponsors Should Know About the Emerging Mental Health Needs of Youth.”
  • The National Cancer Institute released its latest Cancer Information Highlights.
  • The National Institutes of Health announced,
    • “In a proof-of-concept study, researchers demonstrated the effectiveness of a potential new therapy for Timothy syndrome, an often life-threatening and rare genetic disorder that affects a wide range of bodily systems, leading to severe cardiac, neurological, and psychiatric symptoms as well as physical differences such as webbed fingers and toes. The treatment restored typical cellular function in 3D structures created from cells of people with Timothy syndrome, known as organoids, which can mimic the function of cells in the body. These results could serve as the foundation for new treatment approaches for the disorder. The study, supported by the National Institutes of Health (NIH), appears in the journal Nature.
    • “Not only do these findings offer a potential road map to treat Timothy syndrome, but research into this condition also offers broader insights into other rare genetic conditions and mental disorders,” said Joshua A. Gordon, M.D., Ph.D., director of the National Institute of Mental Health, part of NIH.”
  • A primary care expert writing in Medscape offers a commentary on the new Shield blood test available for colon cancer screening.
    • “We will need to be clear [to patients] that the blood test is not yet endorsed by the USPSTF or any major guideline group and is a second-line test that will miss most precancerous polyps. As with the stool tests, it is essential to emphasize that a positive result must be followed by diagnostic colonoscopy. To addend the cancer screening maxim I mentioned before, the blood test is not the best test for CRC, but it’s probably better than no test at all.”
  • Health IT Analytics tells us,
    • “Researchers from the University of Virginia (UVA) have developed a machine learning tool designed to assess and predict adverse outcome risks for patients with advanced heart failure with reduced ejection fraction (HFrEF), according to a recent study published in the American Heart Journal.
    • “The research team indicated that risk models for HFrEF exist, but few are capable of addressing the challenge of missing data or incorporating invasive hemodynamic data, limiting their ability to provide personalized risk assessments for heart failure patients.
    • “Heart failure is a progressive condition that affects not only quality of life but quantity as well,” explained Sula Mazimba, MD, an associate professor of medicine at UVA and cardiologist at UVA Health, in the news release. “All heart failure patients are not the same. Each patient is on a spectrum along the continuum of risk of suffering adverse outcomes. Identifying the degree of risk for each patient promises to help clinicians tailor therapies to improve outcomes.”

From the U.S. healthcare business front,

  • The Wall Street Journal reports,
    • “Prices for surgery, intensive care and emergency-room visits rise after hospital mergers. The increases come out of your pay. 
    • “Hospitals have struck deals in recent years to form local and regional health systems that use their reach to bargain for higher prices from insurers. Employers have often passed the higher rates onto employees. 
    • “Such price increases added an average of $204 million to national health spending in the year after mergers of nearby hospitals, according to a study published Wednesday by American Economic Review: Insights. 
    • “Workers cover much of the bill, said Zack Cooper, an associate professor of economics at Yale University who helped conduct the study. Employers cut into wages and trim jobs to offset rising insurance premiums, he said. “The harm from these mergers really falls squarely on Main Street,” Cooper said.
    • “Premiums are rising at their fastest pace in more than a decade, driven up by persistently high inflation across the economy. Rising costs have fueled contentious negotiations that have led some hospitals and insurers to cancel contracts, leaving patients in the lurch. 
    • “Hospital mergers make the price pressures worse.” 
  • Per BioPharma Dive,
    • “Biogen has seen “encouraging early trends” in the launch of its postpartum depression pill Zurzuvae, revealing in first quarter earnings drug sales that surpassed the estimates of Wall Street analysts.
    • “Biogen said sales of Zurzuvae between January and March hit $12 million, up from $2 million in the fourth quarter of 2023 and doubling consensus estimates of $5 million to $6 million. The company didn’t, however, reveal the number of prescriptions filled for Zurzuvae, making demand for the drug difficult to track. 
    • “Zurzuvae, which was discovered by Biogen partner Sage Therapeutics and approved by the Food and Drug Administration last August, is the only pill available specifically meant to treat postpartum depression, or PPD. But its sales prospects are uncertain, as the condition often goes undiagnosed, and many who are diagnosed don’t receive treatment.”  
  • STAT News tells us,
    • “A year ago, when Novo Nordisk announced it would cut the price of multiple insulin products by up to 75%, President Biden, lawmakers, and patient groups all counted the move as a win.
    • But several months later, Novo decided to discontinue one of those products, the basal insulin Levemir.
    • “Though the insulin won’t officially be off the market until the end of this year, patients are already running into supply disruptions and insurance cutoffs, leaving them with few options. The discontinuation, which is happening only in the U.S., has now drawn alarm from some Democratic senators, who sent a letter to Novo last week demanding an explanation.
    • “The turn of events highlights a key gap in policy efforts: Even if officials can get drugmakers to cut prices, the companies can choose to just pull a drug off the market, without guaranteeing that other manufacturers will continue to make the compound.”
  • Beckers Payer Issues informs us,
    • “Humana reported $741 million in net income in the first quarter of 2024. 
    • “The company published its first quarter earnings report April 24, beating investor expectations. In Q1 2023, Humana posted $1.2 billion in net income.
    • “Total revenue in the first quarter was $29.6 billion, up 10.7% year over year. 
    • “Humana’s medical loss ratio was 88.9% in the first quarter, which the company projects will rise to about 90% for the full year.”
  • Beckers Hospital Review notes,
    • “Cleveland Clinic’s eHospital program has expanded and now monitors 248 patient beds in ICUs and other units across the organization’s network.
    • “The eHospital program launched in 2014 as a pilot in one intensive care unit. The program is centered around a component known as the “bunker,” an operations center on Cleveland Clinic’s main campus. The operations center is staffed from 7 p.m. to 7 a.m. daily by a team consisting of two critical care nurses and a physician. Their primary responsibility is to monitor patients across various ICU units within the Cleveland Clinic network.”
  • and identifies the 25 most expensive hospital drugs.
    • “Keytruda (pembrolizumab) was nonfederal hospitals’ costliest drug expense in 2023, according to research published April 24 in the American Journal of Health-System Pharmacy
    • “In 2021 and 2022, COVID-19 drug Veklury (remdesivir) was the No. 1 pharmaceutical expense for the nation’s hospitals. Most medicines on the list saw modest changes from the prior year except for TNKase (tenecteplase), a cardiovascular therapy that cost hospitals 87.9% more in 2023.” 

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop informs us,
    • “FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
    • “Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
    • “More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
    • “The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.”
  • The Hill reports,
    • “Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.”
    • “We have tremendous concern about the future of AI and the direction it is allowing criminal actors to take, including more sophisticated deepfakes that ultimately form the first step in the chain of ransomware attacks,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology.”
  • Cybersecurity Dive adds,
    • The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a report released Wednesday.
    • The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including: 
      • Concerns about a ban’s impact on ransom payment reporting by victims. 
      • The potential to drive more payments underground. 
      • And the unintended consequences and practicalities of critical infrastructure exemptions.
      • Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.” 
    • “While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, continues to update its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” website.
  • The U.S. Government Accountability Office released a report titled “Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions.”
    • “In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.
    • “These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.
    • “We recommended that these agencies implement the order’s remaining requirements.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced,
    • “CISA hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.
    • “The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup; two Individuals tracks -– Track A which focuses on defensive work roles and tasks from the NICE Framework, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B which focuses on offensive work roles and tasks, and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.
    • “This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products. 
    • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
    • “Since releasing the initial advisory on Friday [April 12], the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.”
  • On April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an update on the Palo Alto Networks Firewalls (CVE-2024-3400).
    • On April 12, 2024, Palo Alto Networks issued a warning about CVE-2024-3400, a zero-day command injection vulnerability found in its firewalls operating PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. There have been an increasing number of attacks observed against this vulnerability since its release. In the original advisory, it was believed that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks. Hotfixes were also released starting on April 14, 2024. HC3 strongly encourages all organizations to review the updated security advisory and apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Per Cybersecurity Dive,
    • “The rapid adoption of artificial intelligence tools is potentially making them “highly valuable” targets for malicious cyber actors, the National Security Agency warned in a recent report.
    • “Bad actors looking to steal sensitive data or intellectual property may seek to “co-opt” an organization’s AI systems to achieve, according to the report. The NSA recommends organizations adopt defensive measures such as promoting a “security-aware” culture to minimize the risk of human error and ensuring the organization’s AI systems are hardened to avoid security gaps and vulnerabilities.
    • “AI brings unprecedented opportunity, but also can present opportunities for malicious activity,” NSA Cybersecurity Director Dave Luber said in a press release.”
  • Dark Reading adds,
    • “A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that’s about to change, according to a team of academics.
    • “Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren’t as effective.
    • “Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis as a promising use-case example.”
  • and
    • “An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
    • “Password managers store all of a user’s passwords — for Instagram, their job, and everything in between — in one place, protected by one “master” password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they’ll have keys to every single one of the accounts within.
    • “Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 
    • “CryptoChameleon attacks tend not to be so widespread, but they’re successful at a clip largely unseen across the cybercrime world, “which is why we typically see this targeting enterprises and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because you’re obviously going to be able to monetize that at the end of the day.”
  • Healthcare IT Security lets us know,
    • “Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”
    • “Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.
    • “The realities of healthcare IT’s complexities, “not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations,” make it hard for the industry to protect itself, according to Devon Ackerman, Kroll’s global head of incident response and cyber risk.”

From the ransomware front,

  • SC Media reports,
    • “The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States. [Here is a link to CISA’s Stop Akira Ransomware site.]
    • “The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.
    • “CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.
    • “Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.”
  • and
    • “Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
    • “In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
    • “Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come. * * *
    • “The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers’ impending sieges as they continue sharpening their capabilities.”
  • TechTarget identifies the top 13 ransomware targets in 2024 and beyond.
  • Bleeping Computer’s the Week in Ransomware is back.

From the cybersecurity defenses front,

  • “Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.”
    • “HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?
    • PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
    • “It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
    • CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.”
  • Healthcare Dive also reports on how cybersecurity took center stage at the American Hospital Association conference held last week.
    • “The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
    • “Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That’s a euphemism, folks, for Russia, China, North Korea and Iran.” 
  • On April 15, CISA issued joint guidance on deploying AI systems securely.
  • TechTarget offers four tips on securing cybersecurity insurance this year.
  • An ISACA expert discusses “Evolving Threats to Cloud Computing Infrastructure and Suggested Countermeasures.”

Friday Factoids

From Washington, DC,

  • Healthcare Dive informs us,
    • “Providers and drugmakers are once again at odds over the 340B drug discount program: this time, over a rule finalized by the Biden administration on Thursday making changes to its dispute resolution process.
    • “The final rule, which will become effective in mid-June, is meant to make dispute resolution more accessible and efficient, according to the Health Resources and Services Administration, or HRSA, the agency that oversees 340B. Along with lowering barriers to enter the process, the rule requires parties to make a good faith effort to resolve disputes before bringing them to arbiters and creates an appeals process if either party doesn’t like the result.
    • “Provider groups the American Hospital Association and 340B Health said the rule should streamline the arbitration process and preserve the integrity of the controversial program. Meanwhile, pharmaceutical lobby PhRMA said the new process “panders to 340B hospitals” while ignoring drugmakers’ concerns.”
  • KFF lets us know,
    • Federal data from 2019 shows just 4% of potentially eligible enrollees participated in the program, a figure that appears to have held steady through 2023, according to a Mathematica analysis. About 12,000 physicians billed Medicare under the CCM mantle in 2021, according to the latest Medicare data analyzed by KFF Health News. (The Medicare data includes doctors who have annually billed CCM at least a dozen times.)
    • “By comparison, federal data shows about 1 million providers participate in Medicare.
    • Even as the strategy has largely failed to live up to its potential, thousands of physicians have boosted their annual pay by participating, and auxiliary for-profit businesses have sprung up to help doctors take advantage of the program. The federal data showed about 4,500 physicians received at least $100,000 each in CCM pay in 2021. * * *
    • “This program had potential to have a big impact,” said Kenneth Thorpe, an Emory University health policy expert on chronic diseases. “But I knew it was never going to work from the start because it was put together wrong.”
    • “He said most doctors’ offices are not set up for monitoring patients at home. “This is very time-intensive and not something physicians are used to doing or have time to do,” Thorpe said.”
  • Reg Jones offers “A Refresher Course on FEGLI Life Insurance” in FedWeek.

From the public health and medical research front,

  • The Centers for Disease Control reports today,
    • “The amount of respiratory illness (fever plus cough or sore throat) causing people to seek healthcare continues to decrease across most areas of the country. This week, 2 jurisdictions experienced high activity compared to 1 jurisdiction experiencing high activity the previous week. No jurisdictions experienced very high activity. 
    • “Nationally, emergency department visits with diagnosed influenza are decreasing. Emergency department visits with COVID-19 and RSV remain stable at low levels.  
    • “Nationally, COVID-19, influenza, and RSV test positivity decreased compared to the previous week. 
    • “Nationally, the COVID-19 wastewater viral activity level, which reflects both symptomatic and asymptomatic infections, remains low.” 
  • The National Institutes of Health announced,
    • “Despite Food and Drug Administration (FDA)-approval of seven next-generation antibiotics to fight infections caused by resistant “gram-negative” bacteria, clinicians frequently continue to treat antibiotic-resistant infections with older generic antibiotics considered to be less effective and less safe, according to a study by researchers at the National Institutes of Health’s (NIH) Clinical Center. Researchers examined the factors influencing doctors’ preference for newer antibiotics over traditional generic agents to shed light on the decision-making processes among clinicians when treating patients with challenging bloodstream infections caused by gram-negative bacteria and significant comorbidities.
    • “The study revealed that at a considerable proportion of hospitals, particularly smaller facilities located in rural areas, staff were reluctant to adopt newer antibiotics. Researchers identified a large cost disparity between older and newer classes of antibiotics; the newer drugs can cost approximately six times more than the older medications, which could disincentivize prescribing.
    • “Researchers also highlight that next-gen agents are prescribed more often at hospitals where lab results that show the medications are effective against a patient’s bacterial infection are reported to prescribers. Scientists suggest that earlier and more widespread availability of such lab testing might improve use. Additionally, authors recommend that future public health policies and economic strategies on further development and use of similar antibiotics should be designed to identify and overcome additional barriers.
    • “Gram-negative bacteria are a class of bacteria resistant to multiple drugs and increasingly resistant to most antibiotics. According to the Centers for Disease Control and Prevention, they are able to find new paths of resistance and pass along genetic material that enables other bacteria to become drug resistant.”
  • The American Hospital Association News adds,
    • “In clinical trials involving 220,000 patients at 59 HCA Healthcare hospitals, algorithm-driven computerized alerts helped clinicians better identify the appropriate antibiotic for 28% of patients with pneumonia and 17% of patients with urinary tract infections, according to studies funded by the Centers for Disease Control and Prevention published April 19 in JAMA. To reduce antibiotic resistance, physicians treating patients with a low risk for antibiotic-resistant bacteria were prompted to give standard-spectrum antibiotics.
    • “Pneumonia and urinary tract infections are two of the most common infections requiring hospitalization and a major reason for overuse of broad-spectrum antibiotics,” said Sujan Reddy, M.D., medical officer in CDC’s Division of Healthcare Quality Promotion. “The INSPIRE trials have found a highly effective way to help physicians follow treatment recommendations to optimize antibiotic selection for each patient. These trials show the value of harnessing electronic health data to improve best practice.”
  • Health IT Analytics tells us,
    • “Artificial intelligence (AI)-driven tools can improve the skin cancer diagnostic accuracy of clinicians, nurse practitioners and medical students, according to a study published last week in npj Digital Medicine.
    • “The researchers underscored that AI-based skin cancer diagnostic tools are developing rapidly, and these tools are likely to be deployed in clinical settings upon appropriate testing and successful validation.”

From the U.S. healthcare business front,

  • Per BioPharma Dive,
    • “Alvotech and U.S. commercial partner Teva have signed a “long-term agreement” with an unspecified company to boost access to their biosimilar version of AbbVie’s blockbuster drug Humira, Alvotech said Friday. An Alvotech spokesperson declined to provide specifics.
    • “The deal comes seven weeks after the Food and Drug Administration approved Alvotech’s biosimilar, Simlandi, which the agency previously rejected multiple times. For patients to receive treatment, Alvotech and Teva must first cut deals with drug wholesalers, pharmacies and insurers that negotiate prices before agreeing to cover the therapy.
    • “CVS Health, whose pharmacy benefit manager is the country’s largest by prescription claims, removed Humira from its national formulary on April 1. Wall Street analysts have already reported substantial declines in Humira prescriptions over the last few weeks, when compared to the same period in 2023.”
  • According to Beckers Hospital Review,
    • “Change Healthcare has reinstated 80% of the functionality for its claims, payment and pharmacy services following a February ransomware attack, the company said.
    • “Those three areas represent most of Change Healthcare’s customers and continue to be restored, according to an April 16 earnings call from parent company UnitedHealth Group.
    • “Now we’ve still got work to do,” said Roger Connor, CEO of OptumInsight, the UnitedHealth unit that includes Change, during the call. “We’ve got another set of products coming online … in the coming weeks, but pleased with that progress.”
  • The AHA News reports,
    • “Patients went out-of-network 3.5 times more often to see a behavioral health clinician than a medical/surgical clinician in 2021, and up to 20 times more often for certain behavioral health visits, according to a new study by RTI International. For example, patients went out-of-network 8.9 times more often to see a psychiatrist, 10.6 times more often to see a psychologist, 6.2 times more often for acute behavioral inpatient care, and 19.9 times more often for sub-acute behavioral inpatient care.”
  • The Wall Street Journal reports,
    • “Social media is displacing physicians as the trusted authorities on whether patients should take one of the medicines. People are not only deciding to take a weight-loss drug—called GLP-1s— based on posts by friends and influencers but sometimes also skipping their doctor to go with one mentioned online.
    • “The virtual word-of-mouth can come across as authentic and accessible. People say they appreciate the tips and support they get from other online users. But many influencers and friends on social media play up all the pounds a person lost while playing down side effects that can be nasty, such as painful headaches and bouts of vomiting. Some omit the risks altogether.
    • “Unlike company drug advertisements, social-media posts don’t have to describe a drug’s side effects, suggest other resources or tell people to speak with their doctors.”
  • Ruh roh. This is why health plans are offering coaching services to these folks.

Friday Factoids

From Washington, DC,

  • The Washington Post reports,
    • On Thursday, FDA Commissioner Robert Califf appeared before the panel for the first time this Congress, facing a roughly four-hour grilling on a wide range of issues, from the infant formula crisis to tobacco regulation to an abortion pill. 
    • * * * Of note,
      • “The composition of a highly pathogenic strain of bird flu doesn’t appear to be resistant to current treatments already on the market for the flu, Califf said. This comes after a dairy worker in Texas was recently treated for bird flu, which has been identified in dairy cattle for the first time. 
      • “It’s always the case that when you have an actual illness you have to empirically prove that it works,” Califf said. “Fortunately right now, there’s really only one infected human that we know of, so it’s not something that we can test. But it looks good at this point.”
  • House Budget Committee Health Care Task Force (HCTF) Chair Rep. Michael C. Burgess, M.D. (R-TX) wrote an op-ed in the Hill about how to pay for 21st Century medicine.
    • “Medical advances have opened a new world of hope for patients suffering from serious and life-threatening diseases. We need to match our 21st century science with 21st century payment models and offer patients hope without breaking the budget.
    • “My legislation, the Preventive Health Savings Act, offers another new tool to help Congress identify the long-term savings generated by some of these novel therapies and assist in implementing new payment pathways.
    • “We can keep marching forward and saving lives, or we can turn the clock back. Congress needs to address these challenges by anticipating the future instead of wallowing in the past.”
  • Fierce Healthcare adds,
    • Instead of enacting public option plans, states should target reinsurance programs, a new report from the Partnership for America’s Health Care Future argues.
    • The group includes a collection of health plans, hospital groups and pharma companies brought together largely to oppose Medicare for All. This study was authored by three policy experts with the Hoover Institution at Stanford University.
  • OPM could encourage Congress to create a reinsurance pool for gene therapy treatments within FEHBP and PSHBP using the unused portion of the 1% surcharge on FEHB premiums intended to fund OPM’s FEHB / PSHB administrative costs.
  • Assistant Secretary of Labor for Employee Benefit Security Lisa Gomez wrote in her blog about how to unlock the power of prevention in the fight against cancer.
  • The Washington Post points out,
    • “Covid forced the public health field and health-care sector to work toward a shared goal of keeping people from becoming so ill that they overwhelm hospitals. Now, a group of health-care leaders — the Common Health Coalition, which represents physicians, hospitals and insurers — is trying to build upon these collaborations to better prepare localities for future health threats.”
  • Govexec.com informs us,
    • “The Office of Personnel Management issued a final rule Friday that would cull Social Security numbers from any mailed document in an effort to prevent fraud. 
    • “The rule, which was published in the Federal Register, is part of the implementation of the 2017 Social Security Number Fraud Prevention Act and is designed to help protect the identifiers, which can be used in various forms of identity theft. 
    • “The theft and fraudulent use of SSNs can result in significant repercussions for the SSN holder, as well as the entities from which SSNs were stolen,” OPM officials said in the Federal Register notice. “This direct final rule formalizes in regulation OPM’s current practice of safeguarding SSNs in mailed documents and will support efforts to protect individual privacy.”

From the public health and medical research front,

  • The Centers for Disease Control let us know earlier today,
    • “The amount of respiratory illness (fever plus cough or sore throat) causing people to seek healthcare continues to decrease across most areas of the country. This week, 1 jurisdiction experienced high activity compared to 6 jurisdictions experiencing high activity the previous week. [The outlier jurisdiction is North Dakota.]  No jurisdictions experienced very high activity. 
    • “Nationally, emergency department visits with diagnosed influenza are decreasing.  Emergency department visits with COVID-19 and RSV remain stable at low levels.  
    • “Nationally, COVID-19, influenza, and RSV test positivity decreased compared to the previous week. 
    • “Nationally, the COVID-19 wastewater viral activity level, which reflects both symptomatic and asymptomatic infections, remains low.”
  • The Washington Post offers detailed background on prostate cancer following former NIH Director Francis Collins’s announcement that he has the disease.
  • The Wall Street Journal reports,
    • “The European Union’s drug regulator found no link between the class of medicines behind Novo Nordisk’s blockbuster Ozempic and Wegovy treatments and reports of suicidal thoughts in patients.
    • “A study by a European Medicines Agency committee had been looking at potential links between the popular weight-loss and diabetes drugs and reports of suicidal and self-harming thoughts from people using them, but it said Friday that the evidence doesn’t support a causal association.
    • “The U.S. Food and Drug Administration came to the same conclusion in January while British health authorities are carrying out their own review.”
  • Today, the FEHBlog heard an OptumRx speaker at a local conference describe the following demographic characteristics of members of employer sponsored plans who use GLP-1 weight loss drugs.
    • 4 out of 5 are women
    • Average age range is 35-54 with a concentration in the 45 to 54 age range.
    • Average BMI is 35. According to the Cleveland Clinic, “Class III obesity, formerly known as morbid obesity, is a complex chronic disease in which a person has a body mass index (BMI) of 40 or higher or a BMI of 35 or higher and is experiencing obesity-related health conditions.”
  • Bear in mind that most employer sponsored plans do not cover retirees while the FEHBP does. The FEHBlog expects that the speaker provided a useful perspective on GLP-1 use among active employees participating in the FEHBP. KFF reminds us that there are plenty of Medicare beneficiaries using GLP-1 drugs for diabetes.
    • In 2022, Medicare gross total spending reached $5.7 billion on Ozempic (semaglutide), Rybelsus (semaglutide), and Mounjaro (tirzepatide), all of which it covered for diabetes that year, according to just-released Medicare drug spending data [before manufacturer rebates]. That was up from $57 million in 2018. 
  • The Optum speaker also remarked that biosimilar competition caused AbbVie to lower the price of its blockbuster Humira drug by 30% in 2023. He explained that it takes time for biosimilars to gain market share when the brand drug drops its price substantially.
  • Per Fierce Healthcare,
    • “Approximately 40,000 women die of breast cancer in the U.S. each year.
    • “One way of reducing that number is ensuring access to preventive screenings such as mammograms. But health-related social needs can have an impact on a woman’s chance of being up to date with her mammogram. For example, women are less likely to get a mammogram if they feel socially isolated, have lost a job or don’t have reliable transportation, according to a recent Centers for Disease Control and Prevention (CDC) Vital Signs report.”
  • The New York Times provides expert opinions on whether artificial intelligence mammograms are worth the cost.
    • “The Food and Drug Administration has authorized roughly two dozen mammography A.I. products. Some of these are being rolled out to patients in a small number of clinics and tested by other hospitals that want to be certain of the value these tools provide before offering them to patients. 
    • “There is currently no billing code that radiologists can use to charge insurance providers for the technology. That means some centers may punt the cost to patients, charging between $40 to $100 out of pocket for an A.I. analysis. Other hospitals may absorb the cost and offer the additional analysis for free. Still others may keep the technology for research until they are more certain of the value it can provide to patients.
    • “It will take some time for A.I. to become part of routine care, which would lead insurance companies to consider reimbursing their cost. Until then, most patients don’t need A.I. for their mammograms, said Dr. Katerina Dodelzon, a radiologist who specializes in breast imaging at NewYork-Presbyterian/Weill Cornell Medical Center, though it might provide some extra reassurance for those who are particularly anxious about their results.”
  • Medscape tells us,
    • “Early data suggested that several new multicancer early detection (MCED) tests in development show promise for identifying cancers that lack routine screening options.
    • “Analyses presented during a session at the American Association for Cancer Research annual meeting, revealed that three new MCED tests — CanScan, MERCURY, and OncoSeek — could detect a range of cancers and recognize the tissue of origin with high accuracy. One — OncoSeek — could also provide an affordable cancer screening option for individuals living in lower income countries.
    • “The need for these noninvasive liquid biopsy tests that can accurately identify multiple cancer types with a single blood draw, especially cancers without routine screening strategies, is pressing. 
    • “We know that the current cancer standard of care screening will identify less than 50% of all cancers, while more than 50% of all cancer deaths occur in types of cancer with no recommended screening,” said co-moderator Marie E. Wood, MD, of the University of Colorado Anschutz Medical Campus, in Aurora, Colorado.”

From the U.S. healthcare business front,

  • Healthcare Dive reports,
    • “More than three-fourths of all U.S. doctors are now employed by hospitals, health insurers, private equity or other corporate entities, as rampant consolidation continues to shrink the number of independent physicians, according to new data.
    • “Between 2019 and 2024, more than 44,000 medical practices were acquired, according to the report published Thursday by Avalere Health, commissioned by the Physicians Advocacy Institute. As a result, nearly 60% of medical practices are now owned by corporations.
    • “As of January 2024, physician practice ownership by corporations — including health insurers, pharmacy chains and PE firms — exceeded ownership by hospitals and health systems for the first time, 30.1% to 28.4%. However, hospitals employ more than half of all U.S. physicians, while other corporations employ a little over one-fifth.”
  • MedTech Dive informs us,
    • “Roche has received the Food and Drug Administration’s breakthrough device designation for a blood test to support earlier diagnosis of Alzheimer’s disease, the Swiss drug and diagnostics company said Thursday.
    • “The test, once approved, could help healthcare providers identify whether amyloid pathology, a marker for Alzheimer’s disease, is present or absent in patients.
    • “The Elecsys pTau217 plasma biomarker test is being developed as part of an ongoing partnership between Roche and Eli Lilly. * * *
    • “New and emerging Alzheimer’s therapies aimed at slowing cognitive decline in the earlier stages of the disease call for confirmation of amyloid pathology, yet the only methods currently cleared for that task are cerebrospinal fluid (CSF) tests and amyloid positron emission tomography, or PET, scan imaging, according to Roche.”
  • Per BioPharma Dive, while “new postpartum depression drugs are here, diagnosis, treatment hurdles still stand in the way. Two Sage Therapeutics medicines are approved for the condition. But uptake of the first has been minimal, while the launch of the second [which is a pill] is still getting off the ground.”
  • The Employee Benefit Research Institute made available a new paper on high deductible health plans with health savings accounts.
    • “The purpose of this paper is to examine the impact of plan type on use of health care services and spending. The analysis focuses on enrollees in HSA plans and PPO enrollees who are in health plans with deductibles large enough to be HSA eligible as a way of isolating the impact of the HSA on use of health care services.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • On April 4, the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements rule in the Federal Register. The public comment deadline is June 3, 2024.
  • Cybersecurity Dive summarizes what CISA wants to see in these CIRCIA reports.
  • Cybersecurity Dive reported on April 3,
    • “The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday [April 2] in a report. 
    • “A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said. 
    • “The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.”
  • Cybersecurity Dive added on April 5,
    • “The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
    • “As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
    • “CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public. 
    • “CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.” 
  • Federal News Network lets us know,
    • “Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.
    • “HHS is creating a “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.
    • “We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.”
  • The National Institute of Standards and Technology announced,
    • “NIST is releasing the initial public draft of Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, for public comment. This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • “The public comment period is open through May 20, 2024. See the publication details for a copy of the draft and instructions for submitting comments.”
  • NIST also issued “a [draft] mapping between the security controls within NIST Special Publication 800-53 Revision 5 and the Cybersecurity Framework version 2.0.”
  • NextGov tells us,
    • “Camille Stewart Gloster, a cyber and technology attorney who has led the White House’s cybersecurity workforce and tech ecosystem strategies since taking up her role in August 2022, will step down Tuesday [April 4].
    • “She told Nextgov/FCW on the sidelines of an International Association of Privacy Professionals event in Washington, D.C. she had no plans as of yet for where she will be heading next.”

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) informs us about “Social Engineering Attacks Targeting IT Help Desks in the Health Sector.”
    • “HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.”
    • More on this threat can be found on the American Hospital Association news site.
  • On April 4, 2024, CISA added two known exploited vulnerabilities to its catalog.

From the ransomware front,

  • Bleeping Computer’s The Week in Ransomware is back at long last.
  • Cyberscoop reports,
    • “Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  
    • “The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.
    • “Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.
    • “Now, ALPHV appears to be moving to further obscure the destination of those funds. 
    • “According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 
    • “Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”
    • “The FBI declined to comment on the status of its investigation of the incident.” 

From the cyberdefenses front,

  • Cybersecurity Dive relates,
    • “[E]ven as Change [Healthcare] begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say.
    • “The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
    • “As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”
  • Health IT Security discusses “[h]ow can payers be prepared to manage third-party security incidents. Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.”
  • Security Week points out,
    • “The US National Institute of Standards and Technology (NIST) this week announced $3.6 million in grants to help address the cybersecurity skills shortage.
    • “As part of the project, 18 education and community organizations across 15 states will be granted roughly $200,000 each to educate future cybersecurity employees.
    • “The agreements will be overseen by NICE, a partnership between organizations in the government, education, and private sectors, which focuses on building cybersecurity workforce through education and training.
    • “The 18 selected organizations will build Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects aligned with the needs of local business and nonprofit organizations.”
  • Per Tech Target,
    • “Microsoft officially launched Copilot for Security on Monday [April 1], and while the generative AI tool might bolster security operations, enterprises could face implementation and integration challenges.
    • “The tech giant unveiled Copilot for Security, originally called Security Copilot, in March 2023 to assist security and IT teams with threat detection and response. Following a series of rollout stages for the generative AI (GenAI) tool, Microsoft added a pay-as-you-go pricing model and new capabilities, such as knowledge base integrations and multilanguage support.
    • “Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft, announced the launch in a blog post last month and emphasized that enterprises can use Copilot for Security as a standalone portal or embed the AI tool into existing security products.”
  • HHS’s 405(d) Program now offers a
    • “New Resource: Healthcare Threat Identification Poster!
    • “Cyber hygiene poster highlights threats exist at every level of your organization. Be aware of the threats that face your organization in order to protect PHI.”

Tuesday Tidbits

From Washington, DC,

  • Per HHS press releases
    • Today, the Biden-Harris Administration, through the U.S. Department of Health and Human Services (HHS)’s Centers for Medicare & Medicaid Services (CMS), announced policies for the Affordable Care Act Marketplaces that make it easier for low-income people to enroll in coverage, provide states the ability to increase access to routine adult dental services, and set network adequacy standards for the time and distance people travel for appointments with in-network providers. Finally, the rule will standardize certain operations across the Marketplaces to increase reliability and consistency for consumers. The 2025 [ACA] Notice of Benefit and Payment Parameters final rule builds on the Administration’s previous work expanding access to quality, affordable health care and raising standards for Marketplace plans nationwide.
  • and
    • Today, the U.S. Department of Health and Human Services’ (HHS) Office of the Assistant Secretary for Planning and Evaluation (ASPE) released new research showing how key Inflation Reduction Act provisions will lower costs for women enrolled in Medicare, including nearly 30 million women enrolled in Part D. Also, today, HHS announced that the Centers for Medicare & Medicaid Services (CMS) responded to counteroffers from all manufacturers participating in Medicare drug price negotiations – which the Inflation Reduction Act made possible – and invited them to participate in further discussions.
  • and
    • Today, the U.S. Department of Health and Human Services (HHS) released a white paper highlighting steps HHS has taken to prevent and mitigate drug shortages and proposing additional solutions for policymakers to consider. Drug shortages have occurred in the nation’s health care system for several decades, largely due to market failures and misaligned incentives. With today’s white paper, HHS offers solutions and stands ready to work with Congress to ensure no patient faces the devastating consequences of drug shortages or goes without needed medicines.
  • With respect to the 2025 Notice of Benefit and Payment Parameters, here is a link to the CMS fact sheet and a related ACA FAQ 66.
    • “FAQ 66 puts large group market plans (all FEHB plans are large market plans) and self funded ERISA plans on notice that the regulators will be subjecting these plans and the small group and individual market plans to a new rule applying the prohibition against lifetime and annual dollar limits to prescription drugs classified as essential health benefits.
    • “Under the law, large group market and self funded ERISA plans must select a state benchmark to apply this limit to essential health benefits other than prescription drugs. For 2025, the EHB prescription drugs also must be considered.” 
  • CMS posted the Final 2025 Actuarial Value Calculator Methodology.
  • CMS also issued an update to its Section 111 Group Health Plan User Guide. The update seeks to prevent overlapping drug records.

From the public health and medical research front,

  • Health Affairs Forefront gives us access to “The CMS Innovation Center’s Strategy To Support Person-Centered, Value-Based Specialty Care: 2024 Update.”
  • STAT News reports,
    • “An AI algorithm to detect heart failure, embedded in a digital stethoscope, earned clearance from the Food and Drug Administration on Tuesday. The goal is to help primary care doctors more easily identify the often-hidden condition.
    • “The stethoscope is the result of a collaboration between Mayo Clinic researchers, who built the algorithm, and the startup Eko Health, which built the hardware. Mayo Clinic is an investor in Eko, which has raised $128 million over the past six years. Eko’s stethoscopes currently use two predictive AI algorithms: one for atrial fibrillation and one for structural heart murmur. The difference with heart failure, though, is how much more difficult it is for doctors to catch. 
    • “Nearly 6.5 million Americans have heart failure, meaning their hearts are unable to pump blood properly. The illness is typically visible via heart ultrasounds, or echocardiograms, but these tests are expensive. Catching the condition early and non-invasively at a primary care checkup could save lives.
    • “We’re moving from what’s human visible to what’s almost human invisible,” said Connor Landgraf, CEO of Eko Health. “The signals that we’re identifying in the heart sounds in an ECG are so subtle that humans wouldn’t even be able to pick them up.”
  • Beckers Hospital Review tells us,
    • “Among nearly 1 million patients who underwent upper or lower endoscopy procedures, those prescribed GLP-1s, such as Ozempic or Wegovy, were 33% more likely to experience aspiration pneumonia than other patients. 
    • “This finding was detailed in a study conducted by researchers at Los Angeles-based Cedars-Sinai. The risk of GLP-1 patients aspirating and regurgitating under anesthesia was first addressed in June 2023, when the American Society of Anesthesiologists recommended halting a patient’s last dose before an elective surgery. 
    • “The recommendation was based on anecdotal evidence at the time, and physicians across the U.S. soon implemented new perioperative workflows. Now, data from January 2018 through December 2020 shows an association between GLP-1 use and aspiration pneumonia, or pneumonia caused by foreign objects entering the lungs, according to a Cedars-Sinai news release.
    • “The researchers considered other variables that could affect surgery outcomes, the release said. Results were published March 27 in Gastroenterology.”
  • MedPage Today lets us know,
    • “A few simple interventions boosted flu vaccine uptake for patients waiting at the emergency department [ED], according to the cluster-randomized, controlled PROFLUVAXED trial.
    • “People in ED waiting areas who consented to view a 3-minute video with a scripted message, read a one-page flyer, and have a short discussion with an ED clinician about the flu vaccine had a 30-day follow-up vaccination rate of 41% versus 15% among patients that received no messaging about the vaccine.
    • “Even just asking people in the ED “Would you accept the influenza vaccine in the emergency department today if your doctor asked you to get it?” resulted in a 30-day vaccination rate of 32%, Robert Rodriguez, MD, of the University of California San Francisco, and colleagues reported in NEJM Evidence.”
  • The Washington Post and Consumer Reports discuss “What to know about 6 important blood tests for your health.”

From the U.S. healthcare business front,

  • Fierce Healthcare informs us,
    • “Kaiser Permanente’s Risant Health has closed its acquisition of Geisinger Health, notching the first step on its ambitious plan to form a multisystem, multiregional value-based care organization.
    • “Oakland, California-based Kaiser Permanente announced the deal alongside the formation of Risant Health and its broader strategy nearly a year ago. The acquisition has been approved by state and federal regulatory agencies and closed March 31, Kaiser Permanente said in a Tuesday release.
    • “Danville, Pennsylvania-based Geisinger, which runs 10 hospitals, was highlighted as an ideal inaugural partner for the budding value-based care platform due to the system’s experience running a roughly 600,000-member health plan.
    • “Through Risant Health, we will leverage our industry-leading expertise and innovation to increase the country’s access to high-quality and evidence-based health care, which we know improves care quality and the patient and member experience,” Kaiser Permanente CEO Greg A. Adams, who is also the board chair of Risant Health, said in Tuesday’s announcement. “We will also learn and benefit from Geisinger and the additional health systems that become part of Risant Health in the future, to help them grow in new ways, be more affordable and bring value-based care to more people.”
    • “Jaewon Ryu, M.D., Geisinger’s president and CEO since 2019, is now stepping into the role of Risant Health CEO, according to the announcement. Terry Gilliland, M.D., will fill Ryu’s post at Geisinger once the transition is complete.”
  • and
    • “Intermountain Health shuttered Saltzer Health, a multispecialty group the system acquired less than four years ago, after it failed to find a buyer for the provider.
    • “Based in southwest Idaho, Saltzer Health had been one of the state’s oldest and largest primary care groups. In operation for 63 years, the company had 450 employees and clinicians spread across 11 locations.”
  • Per Biopharma Dive,
    • “Abbott said Tuesday it received the Food and Drug Administration’s approval to market a transcatheter device for repairing the tricuspid valve in patients who are unable to withstand open-heart surgery.
    • “The go-ahead from the FDA paves the way for Abbott’s Triclip repair system to compete in the U.S. against Edwards Lifesciences’ recently approved transcatheter tricuspid valve replacement device, Evoque.
    • “Triclip uses the same clip-based technology to treat tricuspid regurgitation as Abbott’s Mitraclip for mitral valve regurgitation, a device the company has credited with driving double-digit growth in its structural heart business.”
  • USA Today reports,
    • “Costco and its low-cost health care partner are expanding into weight-loss management.
    • “Costco will begin offering its members in the U.S. access to a weight loss program through Sesame, a health care marketplace, Sesame exclusively told USA TODAY. The service, which will cost $179 every three months, is scheduled to become available April 2.”
  • Medical Economist notes,
    • “Data exchange, or interoperability, among electronic health records (EHRs) is getting easier but still has a long way to go before primary care doctors are completely satisfied with it, a new study concludes. * * *
    • “Broken down by information type, the highest level of satisfaction—34%– was ability to receive lab reports from external organizations. The lowest level—21%—was for information on preventive care. Overall, 11% said they were not at all satisfied with at least half the information types they received, about 25% reported they were very satisfied with at least half the information types and 11% were very satisfied with all the information types.
    • “Fewer than one in ten (8%) said information from EHR developers different from their own was very easy to use, compared with 38% who said data from the same EHR developer was very easy to use.
    • “The authors say their findings highlight the need for different initiatives to improve interoperability depending on the challenges faced by different physician populations. For example, physicians serving vulnerable populations said they often lack the resources to address patients’ social needs, and thus could benefit from initiatives making it easier for them to join an exchange network.”
    • “Taken together,” they conclude, “these data suggest a need for diverse and targeted approaches to complete progress toward universal, high-value interoperability.”

Tuesday Tidbits


From Washington, DC,

  • The Wall Street Journal reports,
    • “The Supreme Court appeared likely to preserve access to the abortion pill mifepristone, following arguments Tuesday in which justices suggested that protecting doctors who oppose abortion wasn’t enough justification to roll back access to the drug.
    • “Several justices, including some who voted to overrule Roe v. Wade two years ago, focused their questioning on whether the doctors and medical associations that brought the case in fact have the right to sue. Those doctors and groups don’t prescribe mifepristone, don’t perform abortions and have no legal obligation to help women end unwanted pregnancies. 
    • “Just to confirm,” said Justice Brett Kavanaugh, “under federal law, no doctors can be forced against their consciences to perform or assist in an abortion, correct?”
    • “Yes,” answered U.S. Solicitor General Elizabeth Prelogar, who argued on behalf of the Biden administration. “We think that federal conscience protections provide broad coverage here.” 
  • American Hospital Association News tells us,
    • “This April through June under the Inflation Reduction Act, Medicare will reduce the coinsurance amount for 41 Part B prescription drugs from 20% to somewhere between 3.8% and 19.9%, depending on the drug, the Centers for Medicare & Medicaid Services announced March 26. Medicare will pay health care providers the difference between the Medicare allowed amount and the adjusted beneficiary coinsurance, after applying the Part B deductible and prior to sequestration, if applicable.
    • “The IRA requires drug companies to pay rebates to Medicare when prices for certain single-source and biosimilar prescription drugs covered under Part B increase faster than the rate of inflation. Part B drugs impacted by a coinsurance adjustment may change quarterly. For more information, see the CMS fact sheet.” 
  • HHS’s Agency for Healthcare Research and Quality released its latest medical expenditure panel survey results,
    • “Dental utilization and expenditures in the United States declined in the first year of the COVID-19 pandemic. Total dental expenditures declined by 16.1% from 2019 to 2020; the number of people using dental services declined by 12.5%, and the total number of dental visits decreased by 19.0%.
    • “In 2020, around 131 million persons utilized dental care (40.8% of the total U.S. civilian noninstitutionalized population aged 2 and over), 18 million fewer people than the year before (149 million; 46.7%).
    • “In 2020, the monthly dental visit volume dipped substantially for three consecutive months compared to the same months in 2019.
    • “Between 2019 and 2021, the average—inflation-adjusted—annual expenditures for dental care among persons with any dental care did not differ significantly.”
  • Per an FDA press release,
    • “The U.S. Food and Drug Administration is warning consumers not to use certain over-the-counter analgesic (pain relief) products that are marketed for topical use to relieve pain before, during or after certain cosmetic procedures, such as microdermabrasion, laser hair removal, tattooing and piercing. The agency issued warning letters to six companies for marketing these products in violation of federal law.
    • “Some of these products are labeled to contain ingredients, such as lidocaine, at concentrations that are higher than what is permitted for over-the-counter, topical pain relief products. When these products that contain high concentrations of lidocaine intended to be used before or during certain cosmetic procedures are applied in ways that could lead to increased absorption of the drug product through the skin, it may lead to serious injury such as irregular heartbeat, seizures and breathing difficulties. These products may also interact with medications or dietary supplements a consumer is taking.
    • “These products pose unacceptable risks to consumers and should not be on the market,” said Jill Furman, J.D., director of the Office of Compliance in the FDA’s Center for Drug Evaluation and Research. “We are committed to using all available tools to stop the sale of these illegal high-risk products.”

From the public health and medical research front,

  • Nature lets us know,
    • “A team led by Google scientists has developed a machine-learning tool that can help to detect and monitor health conditions by evaluating noises such as coughing and breathing. The artificial intelligence (AI) system, trained on millions of audio clips of human sounds, might one day be used by physicians to diagnose diseases including COVID-19 and tuberculosis and to assess how well a person’s lungs are functioning.
    • “This is not the first time a research group has explored using sound as a biomarker for disease. The concept gained traction during the COVID-19 pandemic, when scientists discovered that it was possible to detect the respiratory disease through a person’s cough.
    • “What’s new about the Google system — called Health Acoustic Representations (HeAR) — is the massive data set that it was trained on, and the fact that it can be fine-tuned to perform multiple tasks.
    • “The researchers, who reported the tool earlier this month in a preprint that has not yet been peer reviewed, say it’s too early to tell whether HeAR will become a commercial product. For now, the plan is to give interested researchers access to the model so that they can use it in their own investigations. “Our goal as part of Google Research is to spur innovation in this nascent field,” says Sujay Kakarmath, a product manager at Google in New York City who worked on the project.”
  • The Institute for Clinical and Economic Review announced,
    • “releasing a Draft Evidence Report assessing the comparative clinical effectiveness and value of 3,4-Methylenedioxymethamphetamine-assisted psychotherapy (MDMA-AP; Lykos Therapeutics) for the treatment of post-traumatic stress disorder (PTSD).
    • This preliminary draft marks the midpoint of ICER’s eight-month process of assessing these treatments, and the findings within this document should not be interpreted to be ICER’s final conclusions.
    • “PTSD can be a severe condition affecting nearly all aspects of an individual’s life,” said ICER’s Chief Medical Officer David Rind, MD. “Current therapeutic options are insufficient for many people with PTSD. While MDMA-AP may be a promising therapy for PTSD, functional unblinding in the clinical trials and additional concerns around trial design and conduct leave many uncertainties about the balance of benefits and harms. It will be incumbent on regulators with complete access to primary data to carefully assess whether MDMA-AP has been proven safe and effective.”
    • The Draft Evidence Report and Draft Voting Questions are now open to public comment. All stakeholders are invited to submit formal comments by email to publiccomments@icer.org, which must be received by 5 PM ET on April 22, 2024. 
  • Healio informs us,
    • “Around one in eight hospitalized adults treated for community-acquired pneumonia in a Michigan study were inappropriately diagnosed, and most of those patients received unneeded antibiotics, according to a study.
    • “For patients at high risk of poor outcomes from delayed treatment of community-acquired pneumonia (CAP), it may be pertinent to empirically prescribe antibiotics while finishing diagnostic evaluation,” Ashwin B. Gupta, MD, a clinical associate professor at University of Michigan Health, and colleagues wrote.
    • “However, according to Gupta and colleagues, “For patients at high risk of poor outcomes from delayed treatment of CAP, it may be pertinent to empirically prescribe antibiotics while finishing diagnostic evaluation. In these populations, guidelines recommend reconsideration, de-escalation, and cessation of antibiotics within 48 to 72 hours once infection has been ruled out. In the present study, we found little evidence of antibiotic cessation.”
  • American Hospital Association News notes,
    • “A new report from the National Academies of Sciences, Engineering, and Medicine calls for developing better diagnostics, vaccines and treatments to enhance U.S. readiness for an outbreak or attack involving smallpox or related diseases, and systems and policies that would allow public health and health care systems to respond quickly and effectively.
    • “It is now possible to engineer variola virus, the virus that causes smallpox, raising the possibility of accidental or intentional release,” the press release notes. “Furthermore, illnesses related to smallpox such as mpox, Alaskapox, and cowpox are increasingly found in humans, presenting the need for medical countermeasures that can detect, treat, and prevent these diseases.”

From the U.S. healthcare business front,

  • Beckers Payer Issues calls attention to the biggest investments that payer and healthcare system executives are making this year.
  • Beckers Hospital Review lists the 21 most innovative health systems according to Fortune.
  • The Wall Street Journal reports,
    • “Merck is making a big bet that its new drug, approved Tuesday in the U.S. for a potentially fatal lung disease, will take the company a long way toward heading off a massive revenue decline later this decade.
    • “The drug, which will sell under the name Winrevair, treats a condition called pulmonary arterial hypertension that affects nearly 40,000 people in the U.S. In 2021, Merck paid $11.5 billion for the company developing the medicine. Some analysts estimate sales as high as $7.5 billion a year.
    • “Merck is counting on the blockbuster performance. More than 40% of the drug company’s revenue, some $25 billion last year, comes from cancer treatment Keytruda. The immunotherapy is the world’s top-selling drug. Merck’s main U.S. patent for it expires in 2028, opening the door for lower-cost versions to eat into sales.
    • “Winrevair will list for a price of $14,000 a vial, which for about two-thirds of patients will be the amount given every three weeks. That translates into about $242,000 for a full year, though Merck said the cost would vary by patient because dosage is weight-based.”
  • BioPharma Dive relates,
    • “A dual-acting weight loss pill from Viking Therapeutics helped people with obesity lose up to 5% of their body weight over four weeks in a small trial designed to identify a dose for more advanced studies, the company said Tuesday.
    • “The news helped Viking rebound from a stock slump that followed Novo Nordisk’s announcement a similar weight loss pill it’s developing drove double-digit weight loss over three months in a larger, more advanced trial.
    • “One Wall Street analyst noted the Viking drug’s “exceptional tolerability” may separate it from medicines being developed by Novo, Eli Lilly and Amgen. Only a small number of Viking trial participants reported gastrointestinal side effects, a principal problem people have with weight loss drugs like Novo’s Wegovy and Lilly’s Zepbound.”
  • Bloomberg adds,
    • “Patients, doctors and pharmacists across the US are struggling to get their hands on Eli Lilly & Co.’s powerful new obesity drug Zepbound, as demand for the weight-loss shot soars. * * *
    • “The [FDA] doesn’t consider Zepbound to be in shortage, a spokesperson said. However, nine pharmacists and technicians in six states at CVS, Walgreens and Walmart told Bloomberg News that some or all of the doses of Zepbound were on backorder. Two CVS pharmacies in Ohio have been unable to fill prescriptions for Zepbound’s smallest dose for at least 10 days, two pharmacy technicians said. Amazon Pharmacy, which has a partnership with Lilly, is also listing multiple doses of Zepbound as currently unavailable. None of the pharmacy chains or Amazon responded to requests for comment.” 
  • Fierce Healthcare looks at both sides of the dispute over the value of digital diabetes tools.
  • The AMA News headlined this RevCycle Intelligence article this morning because it trashes health plan claims processing. Health plans are paid to monitor spending and it shouldn’t be surprising that they deny claims.