Cybersecurity Saturday

From the cybersecurity policy front

Harvard Business Review explains what U.S. business needs to know about the new U.S. cybersecurity policy.

  • While the 39-page document features bureaucratic buzzwords like “harmonize”, “stakeholders,” and “multilateral,” we’ve identified three concrete things business leaders should know about the new strategy.
    • “First, every company needs to identify their distinct vulnerabilities and risks.
    • “Second, companies then need to adopt measures that address those supply chain vulnerabilities, and
    • “Third, companies need to recognize that one size will not fit all when it comes to cybersecurity. An important subtext of the strategy is its focus on establishing more aggressive regulatory standards on larger business, critical infrastructure, and software providers.”

Dark Reading adds

  • “In order for cybersecurity initiatives to be effective in reducing security failures, Gartner, a research and consulting firm, finds that it will be essential for security and risk management leaders to turn to a human-centered approach.
  • “A human-centric approach in cybersecurity practices prioritizes the individual employee and their experience, which ultimately encourages better practices while also reducing friction and risk. 
  • “In the past, there has been a focus on improving the technology or the many different processes that uphold security practices. Going forward, having a “human-centric talent management approach” means focusing on the employees that require these kinds of updates to technology and program processes to be made in the first place, and shifting from external hiring to internal or “quiet hiring,” according to Gartner.”

FedScoop reports

  • “The Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and cybersecurity authorities of other international allies on Thursday published joint guidance urging software manufacturers to bake secure-by-design and -default principles into their products.
  • “The cybersecurity guidance is the first of its kind, and is intended to speed up cultural shifts within the technology industry that are needed to achieve a safe and secure future online. 
  • “Key principles of the new guidance include: taking ownership of security outcomes of products, embracing “radical transparency” and ensuring that companies have c-suite support to prioritize product security.
  • “Publication of the secure-by-design principles follows the publication in March of a new national cybersecurity strategy by the Biden administration, which sought to shift the responsibility for maintaining the security of computer systems further towards larger software makers.”

From the cyber vulnerabilities front

Healthcare Dive tells us

  • “The healthcare industry is “cyber poor” and the most targeted sector for data breaches over the past four years, according to a Moody’s Investors Service report from this week.
  • “Moody’s said healthcare’s vulnerable state makes it “target rich,” which could bring service disruptions and personal data disclosures.
  • “Nonprofit healthcare organizations received a “very high risk” rating, while corporate healthcare was deemed “high risk.” Providers must ramp up investment in cybersecurity to protect patient data and avoid interruption of critical operations, the report said.”

The Cybersecurity and Infrastructure Security Agency added to its catalog two known exploited vulnerabilities on April 10, one more on April 11, and two more on April 13.

From the ransomware front

  • Cybersecurity Dive relates, “Rorschach ransomware, with a rare encryption speed, makes it even harder for companies to respond. The potential impact and victims claimed by Rorschach remain unknown, but one expert said some yet-undetected attacks are likely underway.”
  • Cyberscoop informs us, “Ransomware gangs increasingly deploy zero-days to maximize attacks; Microsoft issued a patch for a zero-day that researchers at Kaspersky said was used to deliver Nokoyawa ransomware.”
  • The Bleeping Computer’s Week in Ransomware is back.

From the cyber defenses front

  • CISA released
    • “an update to the Zero Trust Maturity Model (ZTMM), superseding the initial version released in September 2021. ZTMM provides a roadmap for agencies to reference as they transition towards a zero-trust architecture. ZTMM also provides a gradient of implementation across five distinct pillars to facilitate federal implementation, allowing agencies to make minor advancements toward optimization over time.
    • “The objective of this update is to facilitate the distribution of the ZTMM Version 2 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations. CISA encourages state, local, tribal, and territorial governments, and the private sector to use ZTMM as a baseline for implementing zero trust architecture.”
  • An ISACA expert points out “Five Key Considerations When Developing a Collaboration Strategy for Information Risk and Security.”

Late Week Miscellany

Dear FEHBlog readers — The FEHBlog wrote a quick blog post for Thursday but overlooked hitting the publish button, so here are the two items from Thursday and the remainder from Friday.

Wednesday afternoon, the Affordable Care Act regulators issued ACA FAQ 59 about the Braidwood Management decision. The FAQs expressly endorsed OPM’s informal administration action last Friday using FEHB Act Section 8902(d) to endorse the U.S. Preventive Services Task Force recommendations that the decision rejected because they had no federal government endorsement. The FEHBlog wonders why HHS hasn’t pulled this page out of OPM’s playbook.

Wednesday night, the U.S. Court of Appeals for the Fifth Circuit (2-1 decision) stayed a portion of the abortion pill injunction on statute of limitations grounds in a 42-page opinion. The Fifth Circuit opinion allows the abortion pill to stay on the market with reinstated in-person medical visit prerequisites and without delivery by mail. The Attorney General has stated that he will ask the Supreme Court to weigh in. Axios reports that the Supreme Court would decide quickly.

Axios was correct: the Wall Street Journal reported today that

  • The Supreme Court temporarily blocked lower court orders that would have limited access to the abortion drug mifepristone beginning Saturday, preserving the pill’s availability while the justices weigh the Biden administration’s emergency request to leave current Food and Drug Administration approvals in place during a continuing legal battle with antiabortion groups.
  • In a pair of orders Friday, Justice Samuel Alito, who oversees emergency matters for the lower courts that limited or suspended approval of the widely used abortion pill, gave the antiabortion groups until noon Tuesday to file briefs in response to appeals by the FDA and Danco Laboratories LLC, which makes the branded version Mifeprex.
  • The temporary orders expire at 11:59 p.m. Wednesday, suggesting a high court decision on whether and to what extent mifepristone will remain available during litigation may come by then.

In other judicial news, the American Hospital Association informs us

  • The U.S. Supreme Court today unanimously reversed a 9th Circuit decision that impliedly stripped federal district courts of jurisdiction over constitutional challenges to the Federal Trade Commission structure, procedures and existence. Ruling in the FTC case and another case involving the Securities and Exchange Commission, the Supreme Court said, “The statutory review schemes set out in the Securities Exchange Act and Federal Trade Commission Act do not displace a district court’s federal-question jurisdiction over claims challenging as unconstitutional the structure or existence of the SEC or FTC.”
  • As a result of this decision, parties may bring claims in federal court alleging that “the structure, or even existence, of an agency violates the Constitution” without having to first go through costly and time-consuming administrative proceedings before the SEC or FTC.

Turning now to the federal employment front –

  • Govexec tells us
    • Office of Management and Budget guidance released Thursday tasks agencies with developing a new system to monitor their “organizational health and organizational performance” on an ongoing basis. With the new system comes an expectation that federal agencies will rely less on telework and remote work, although that must be balanced with the need to compete for talent with private sector employers who continue to offer similar workplace flexibilities, wrote OMB Deputy Director for Management Jason Miller in a blog post accompanying the memo.
  • Federal News Network reports OPM’s implementation of the Postal Service Health Benefits Program.

From the public health front

  • The Centers for Disease Control begins to bring down the curtain on its now bi-weekly review of its Covid statistics and updates us on the bird flu situation.
  • The Food and Drug Administration announced granting emergency use authorization to an improved Covid test.
  • The Robert Wood Johnson Foundation offers various perspectives on achieving joyful, healthy births for all, a worthy goal.
  • Medscape identifies troubling trends in colorectal cancer data recently released by the American Cancer Society.

From the regulatory front —

  • Mercer Consulting offers advice on the recent instructions concerning RxDC reporting for the 2022 reference year due June 1.
  • Healthcare Finance tells us
    • The Office of Civil Rights is providing a 90-day transition period for healthcare providers to come into compliance with the HIPAA Rules regarding telehealth, according to the Department of Health and Human Services OCR. 
    • The transition period will be in effect beginning on May 12 and will expire at 11:59 p.m. on August 9.
    • OCR said it would continue to exercise its enforcement discretion and not impose penalties on covered providers for noncompliance during the 90-day transition period.
    • During the public health emergency, providers did not have to be licensed in the state where the patient was located. They were allowed to treat patients in other states. 
    • Also, under the PHE, non-HIPAA-compliant platforms were allowed as long as they were not public facing.
    • Both of these flexibilities are coming to an end with the PHE on May 11, with providers now getting a 90-day grace period.
    • Other telehealth provisions expire at the end of 2023 and 2024.

From the Rx coverage front —

  • Fierce Healthcare informs us that Cigna’s Express Scripts unveiled two new programs on Thursday, Copay Assurance and ClearCare Rx, which reminds the FEHBlog of OPM’s transparent pharmacy pricing program.
  • The Institute for Clinical and Economic Research (ICER) published an
    • Evidence Report on Treatments for Non-Alcoholic Steatohepatitis [liver inflammation]
      • — Evidence suggests that both resmetirom and obeticholic acid improve liver histology without evidence yet demonstrating improved long-term outcomes; obeticholic acid has more concerning side effects —
      • — Current evidence suggests that resmetirom would achieve common thresholds for cost-effectiveness if priced between $39,600 – $50,100 per year, while obeticholic acid would achieve these thresholds if priced between $32,800-$40,700 per year —
      • — At the April 28 virtual public meeting, ICER’s independent appraisal committee will review the evidence, hear further testimony from stakeholders, and deliberate on the treatments’ comparative clinical effectiveness, other potential benefits, and long-term value for money —

From the U.S. healthcare business front

  • Beckers Payer Issues reports, “UnitedHealth Group posted revenues of $91.9 billion in the first quarter of 2023, up 15 percent from $80.1 billion over the same period last year, according to the company’s earnings report released April 14.”
  • Beckers Hospital Review ranks 29 physician specialties by annual compensation.

Midweek update

From our Nation’s capital —

  • STAT News reports
    • “Senators are slightly delaying their latest legislative push on health care, but as they do, a clearer picture is emerging about what’s in — and out — of the mix.
    • “The Senate health committee was expected to mark up legislation related to generic drugs, pharmacy benefit managers, and some leftovers from the Food and Drug Administration’s user fee agreements next week, but leaders are planning to reschedule the meeting, several sources told STAT.
    • “But 17 health care industry lobbyists and Senate staffers said Democratic leadership is targeting relatively low-hanging fruit that is bipartisan, and already has established history in legislation [i.e., a $35 copay on insulin in the commercial market]”.
  • Beckers Payer Issues tells us that “the Justice Department has decided to seek a stay pending appeal of a Texas federal judge’s ruling that struck down an ACA provision requiring insurance companies to provide coverage for preventive services, CNN reported April 11.”
  • The Department of Health and Human Services proposed a HIPAA privacy rule change “to strengthen its protections by prohibiting the use or disclosure of protected health information (PHI) to investigate, or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care.” The public comment period will end sixty days after April 17, 2023, the day on which the proposed rule will be published in the Federal Register.

From the public health front —

  • MedPage Today informs us
    • Fentanyl adulterated with xylazine is an “emerging drug threat” in the U.S. and requires immediate action, the Biden administration warned.
    • “This is the first time in a nation’s history that a substance is being designated as an emerging threat by any administration,” said Rahul Gupta, MD, director of the White House Office of National Drug Control Policy (ONDCP), during a phone call with reporters late Tuesday afternoon. “And it couldn’t come at a more critical time.”
  • ABC News reports
    • The number of sexually transmitted infections (STIs) in the United States shows “no signs of slowing,” new federal data shows.
    • A total of 2.53 million cases of chlamydia, gonorrhea and syphilis were recorded in 2021, according to a new report published Tuesday from the Centers for Disease Control and Prevention.
    • That’s a 5.8% increase from the 2.39 million cases reported in 2020 and a 7% increase from five years ago when 2.37 million STIs were recorded in 2017.
    • “I’d like people to understand that this data actually impacts them whether they think it does or not and it’s because STIs happen to everyone, regardless of socioeconomic, religious, political lifestyle,” Dr. Kameelah Phillips, an OBGYN in New York City, told ABC News. “I’d like them to really understand that routine testing at their health care office is super important … gonorrhea doesn’t care who you are.”
    • While certain STIs did not reach pre-pandemic levels, others — such as syphilis — are recording the highest numbers seen in more than 70 years.

From the mental healthcare front —

  • Benefits Pro highlights a survey finding that
    • 21% of workers at ‘high mental health risk’ and unaware of available [employer sponsored] counseling.
    • Employees often do not know the range of resources available to them in their benefits packages and are often unaware of counseling included in the company’s employee assistance program, according to a TELUS survey.

Federal agencies and the Postal Service sponsor EAPs, but the FEHBlog is unaware of OPM creating a connection between those programs and the FEHBP.

From the Rx coverage front —

  • Drug Channels offers a report on specialty pharmacies which informs us that “Drug Channels Institute (DCI) estimates that in 2022, retail, mail, long-term care, and specialty pharmacies dispensed about $216 billion in specialty pharmaceuticals prescriptions. That’s an increase of 12% from the 2021 figure.”  
  • The Institute for Clinical and Economic Research released
    • Protocol outlining how we will conduct our third annual assessment of how well major insurers’ prescription drug coverage policies align with a set of fair access standards developed by ICER with expert input from patient advocates, clinician specialty societies, payers, pharmacy benefit managers, and life science companies, and
    • Draft Evidence Report assessing the comparative clinical effectiveness and value of exagamglogene autotemcel (“exa-cel”, Vertex Pharmaceuticals and CRISPR Therapeutics) and lovotibeglogene autotemcel (“lovo-cel”, bluebird bio) for sickle cell disease. The draft report represents the midpoint in ICER’s eight-month-long review process.

From the medical research developments front

  • STAT News reports, “A Parkinson’s ‘game changer,’ backed by Michael J. Fox, could lead to new diagnostics and, someday, treatments.” It’s a heartening medical research story about Mr. Fox’s productive efforts.
  • Medscape reports
    • Phototherapy is a safe, effective, noninvasive, and inexpensive way of boosting cognition for patients with dementia, new research suggests. It may be “one of the most promising interventions for improving core symptoms” of the disease.
    • A new meta-analysis shows that patients with dementia who received phototherapy experienced significant cognitive improvement compared to those who received usual treatment. However, there were no differences between study groups in terms of improved depression, agitation, or sleep problems.

Tuesday’s Tidbits

From the U.S. healthcare business front —

  • STAT News reports
    • “UnitedHealth Group has acquired Crystal Run Healthcare, a prominent physician group in New York.
    • “The deal for Crystal Run, a network of almost 400 doctors, nurse practitioners, and other clinicians, closed in late February. There was no fanfare. Neither company issued a press release. The deal only came to light from an email obtained by the Mid-Hudson News.
    • “The move brings yet another large group of providers into UnitedHealth, which had more than 70,000 employed clinicians at the end of 2022. UnitedHealth is most-known for its health insurance arm, UnitedHealthcare. But the company has made a concerted effort over the past several years to buy physician groups, surgery centers, and other outpatient providers, and then funnel its insurance members to those entities as a way to keep more of the insurance premiums.”
  • Health Payer Intelligence tells us “58% of Payers Use Outcomes-Based Contracts for Prescription Drugs; While 10 percent of payers had between two and five outcomes-based contracts in place in 2022, 35 percent had 10 or more contracts.”
  • Fierce Healthcare relates “Evernorth’s Accredo specialty pharmacy arm has rolled out a new program that aims to assist members and plan sponsors in better managing the cost and complexity of therapies for rare conditions.”
  • Health Payer Intelligence reports
    • “Aetna launched a partnership with a virtual care company to provide chronic disease management for members with digestive issues.
    • “Aetna’s partner offers a virtual care platform dedicated to digestive health called Oshi.
    • “Oshi’s virtual-first, integrated approach to GI care aligns with our mission to invest in companies that are improving health for more people,” said Vijay Patel, managing partner at CVS Health Ventures. “Our collaboration with Oshi is a powerful example of how our investments in high-potential, early-stage companies are helping to make consumer health care more accessible, affordable and simpler.”
  • STAT News helpfully delves into how much of a Medicare increase hospitals need for the next federal fiscal year. It’s an enlightening read.

Sermonette — The squib from the lead story about UHG’s acquisition of Crystal Run ends with a cheap shot at the profit motive. As the FEHBlog noted at the time the ACA imposed the medical loss ratio on insurers, insurers will find a way to circumvent the MLR with other products which are not so limited. In this case, UHG has pulled a page out of Kaiser Permanente’s successful and admirable approach of pairing a medical group with a health plan to improve healthcare quality over time. Both the profit motive and the goal of achieving quality underlie these business combinations, which the ACA’s MLR and other features invented.

From the end of the public health emergency front, the American Hospital Association informs us

  • “HIPAA enforcement discretion implemented for the COVID-19 public health emergency will expire with the end of the PHE on May 11, but covered health care providers will have until Aug. 9 to comply with the HIPAA rules with respect to telehealth, the Department of Health and Human Services’ Office for Civil Rights announced today.”
  • “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules,” explained OCR Director Melanie Fontes Rainer.
  • “OCR in 2020 implemented enforcement discretion policies under HIPAA and the Health Information Technology for Economic and Clinical Health Act for community-based testing sites; telehealth remote communications; use and disclosure of protected health information by business associates; and online scheduling for COVID-19 vaccination.”

Here is a link to the notice.

From the COB with Medicare front, here is a link to a March 29 CMS Webinar for group health plans on Section 111 compliance. Speaker notes can be found at the end of the slides.

Monday Roundup

From the end of the PHE/National Emergency (NE) front, yesterday President Biden signed into law a bill (HR 7) that ends the Covid NE immediately, instead of May 11, as the Administration planned. In addition, the NE law calls for a 60-day phase-out period following termination. Consequently, the statutory changes tied to the NE end will phase out on June 7, 2023.

The statutory changes about employer-sponsored health plans falling into this category directly impact employers and concern topics, e.g., COBRA continuation coverage and ERISA appeal rights, that do not affect FEHBP.

In contrast, the statutory changes tied to the end of PHE, e.g., no-cost Covid testing, preventive services etc., do not impact FEHB plans. The available guidance on that matter is found in ACA FAQ 58.

From the post-Dobbs front, the Wall Street Journal reports

  • “The Biden administration filed an emergency request Monday asking a federal appeals court to block a ruling that suspended approval of a widely used abortion pill, while some Democratic-led states announced contingency plans to stockpile abortion drugs.
  • “In a filing with the New Orleans-based Fifth U.S. Circuit Court of Appeals, the Justice Department said a federal judge in Texas engaged in an “extraordinary and unprecedented” usurpation of the U.S. Food and Drug Administration’s authority by ruling that the pill shouldn’t have been approved. 
  • “The department said U.S. District Judge Matthew Kacsmaryk in Amarillo, Texas, upended decades of reliance on the abortion pill, known as mifepristone, “based on the court’s own misguided assessment of the drug’s safety.”
  • “The drug’s brand-name manufacturer, Danco Laboratories, which sells mifepristone marketed as Mifeprex, filed a similar motion. The company said that in addition to the potential harm the ruling posed to millions of women who rely on the pill, it also threatened Danco’s livelihood as a one-drug company. 
  • “Hundreds of pharmaceutical industry leaders, meanwhile, weighed in, saying in an open letter that the Texas decision could threaten FDA regulation of medicines more broadly.”

From the Medicare front, Fierce Healthcare informs us

  • “The Centers for Medicare & Medicaid Services (CMS) released the proposed Inpatient Prospective Payment Systems (IPPS) rule and the Long-Term Care Hospital pay rule. In addition to changes to payment rates, the agency is proposing to measure hospitals on how they tackle health equity. 
  • “CMS is helping to build a resilient healthcare system that promotes good outcomes, patient safety, equity and accessibility for everyone,” said CMS Administrator Chiquita Brooks-LaSure in a statement. 
  • “Hospitals that participate in the IPPS Quality Reporting Program and meaningfully use electronic records are projected to get a 2.8% increase to payments for fiscal year 2024, which begins in October. The pay raise is based on a projected hospital market basket update of 3%, which is “reduced by a projected 0.2 percentage point productivity adjustment,” according to a release on the rule.
  • “Overall, this will lead to a $3.3 billion increase in inpatient payments. However, long-term care hospitals are expected to get reduced payments by 2.5%, or $59 million.
  • “Overall, CMS expects [long-term care] payments under the dual-rate payment system to decrease by 0.9%, or $24 million, primarily due to a projected decrease in high-cost outlier payments in FY 2024 compared to FY 2023,” the agency said.”
  • Hospital groups slammed the proposed payment rates for the IPPS and long-term care hospitals as inadequate.

From the Postal Service front, Federal News Network tells us that USPS marked the first anniversary of the Postal Reform Act by proposing a price increase on stamps for the summer of 2023.

  • “The agency announced Monday that it plans to raise rates again. The proposed rates would go into effect on July 9, and would raise the price of a first-class stamp to 66 cents.
  • “USPS said operating expenses fueled by inflation continue to rise, and that the agency is making up for years of operating under a “defective pricing model.”
  • “USPS raised the price of a first-class stamp to 63 cents in January, after raising it from 58 cents to 60 cents in July 2022.”

In consumer health news, the Wall Street Journal discusses the impact of the new generation of weight loss drugs on the $76 billion diet industry and offers guidance on buying lower-priced hearing aids over the counter. Interesting tidbit: most OTC hearing aids include useful customer support.

Weekend update

Congress remains on a District / State work break which concludes next Monday following the Easter and Passover holidays.

OPM has rescheduled the second day of the 2023 OPM AHIIP carrier conference for April 20, 2023 from 11 am to 4:15 pm ET.

From the public health front —

  • NPR Shots discusses the simple intervention that may keep Black moms healthier — daily home-administered blood pressure readings.
    • Blood pressure is just one way to measure a person’s health, but during pregnancy and soon after, it’s a critical metric. Unchecked, high blood pressure can contribute to serious complications for the pregnant woman and baby, and increase the risk of death.
  • Politico tells about new efforts underway to solve the crisis in mental health problems among children and adolescents that accompanied the Covid pandemic.
    • Sen. Bob Casey (D-Pa.) plans to introduce three bills aimed at improving mental health care for kids, one of his aides told POLITICO. One bill, set to be reintroduced soon, would create grants for children’s mental health services and make them more accessible. Another would help gather more accurate national data on mental health and children, and the third would focus on the mental health of kids in foster care.
    • And children’s health providers tell government leaders it’s now critical that the federal government step up support for an overburdened system, arguing for increased funding for graduate medical education programs and boosted government reimbursement rates for mental health services.

From the Rx coverage front —

  • USA Today discusses challenges related to using the new generation of weight loss drugs. “Drugmakers are working hard to convince Americans they need their next-generation weight loss medications. But many come with side effects – and the fact we don’t really know what happens long-term.”
  • The Wall Street Journal offers an essay about potential uses for inhalable therapies beyond asthma.
    • “We’re pushing the boundaries of delivery,” said Philip Santangelo, a professor of biomedical engineering at Emory University. 
    • Respiratory diseases that spread through the air are a key target. Dr. Santangelo and colleagues are developing inhalable drugs that use an RNA-editing tool known as CRISPR-Cas13 and messenger RNA to kill viruses such as Covid-19, influenza and respiratory syncytial virus or RSV. Using nebulizers that dispense medicine as mist via a mask, they have tested the delivery of some of the medicines on rhesus monkeys, cows, horses and pigs. The tests in pigs showed that getting the drugs to the lungs reduces the severity and spread of infections, Dr. Santangelo said. 

From the medical research front —

  • Forbes reports, “Researchers have uncovered an unusual way some cancer cells make nutrients they need to grow, a discovery that could hold the key to starving one of America’s deadliest cancers [pancreatic] with a drug we already possess and raising hopes for a powerful new treatment against a disease that is often caught late and has one of the lowest survival rates of any cancer.”
  • Fortune Well discusses new developments in cancer testing via blood studies.

Cybersecurity Saturday

In cybersecurity news —

  • Cyberscoop offers a commentary on Russian hackers — and how to stop them — after a year of cyberwar in Ukraine.
  • The Health Sector Cybersecurity Coordination Center (HC3) released its first quarter 2023 healthcare cybersecurity bulletin.
    • “In Q1 of 2023, HC3 observed a continuation of many ongoing trends with regard to cyber threats to the Healthcare and Public Health community. Ransomware attacks, data breaches and often both together continued to be prevalent in attacks against the health sector. Ransomware operators continued to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations open. Managed service provider compromise continued to be a significant threat to the health sector, as did supply chain compromise.”
  • The Cybersecurity and Infrastructure Security Agency launched National Supply Chain Integrity Month.

From the cyber vulnerabilities front —

  • Health IT Security tells us
    • “Threat actors are increasingly abusing cloud apps to deliver malware in healthcare settings, Netskope revealed in its latest Threat Labs Report. Cloud-delivered malware increased from 38 percent to 42 percent in the past 12 months, researchers found.”
    • “Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps,” the report stated. “Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic.”
  • HC3 released a sector alert about “DNS NXDOMAIN Attacks.”
    • “Through a trusted third party, information was shared with HC3 regarding a distributed denial-of-service (DDoS) attack, which has been tracked since November 2022. These attacks are flooding targeted networks and servers with a fake Domain Name Server (DNS) request for non-existent domains (NXDOMAINs).”
    • Health IT Security provides more background on these attacks.
      • “Their signature DDoS attacks on critical infrastructure sectors typically only cause service outages lasting several hours or even days,” HC3 noted. “However, the range of consequences from these attacks on the United States health and public health (HPH) sector can be significant, threatening routine to critical day-to-day operations.”
  • HC3 also released a presentation explaining “why electronic health records are still a top target for cyber threat actors.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities. Bleeping Computer explains the action.

From the ransomware front —

  • Cybersecurity Dive reports
    • “Researchers at Check Point detected a highly sophisticated – and previously unnamed – ransomware strain which the company says may be the fastest ever, with an encryption speed almost twice as fast as LockBit. The ransomware, which Check Point dubbed “Rorschach,” was used in an attack against a U.S. company.
    • “The ransomware was deployed using a DLL-sideloading technique using Palo Alto Network’s Cortex XDR, which is a signed commercial security product. This technique has not commonly been used for ransomware. 
    • “Check Point has disclosed the information to Palo Alto, which will release new versions of Cortex XDR Agent next week to prevent misuse of the software.” 
  • Cybersecurity Dive adds
    • “Corporate leaders would be mistaken to interpret reports of fewer ransomware-related cyber insurance claims and decelerating premiums in 2022 as evidence of a diminished threat level, according to cybersecurity experts.”
    • “While the private sector and government have made some progress in the fight against ransomware, the threat is still serious and evolving, the experts warned.”
    • “I think hackers are always going to evolve, so we can’t rest on the laurels of 2022,” John Farley, managing director of the cyber practice at Gallagher, an insurance brokerage firm based in Rolling Meadows, Ill., told CFO Dive. “We have to be able to adapt quickly to this ever-evolving threat.”

From the cyberdefenses front —

  • Cybersecurity Dive informs us
    • Organizations that implement automated hardening techniques will have the best opportunity to prevent cyberattacks, according to a report released Thursday by Marsh McLennan. Those that apply baseline security techniques to servers, operating systems and other components are six times less likely to suffer a security breach.
    • Insurers have historically recommended three major controls to reduce cyber risk: endpoint detection and response, multifactor authentication and privileged access management. 
    • However, the report shows multifactor authentication only works when it is implemented across all access points for critical and sensitive data, including remote access and administrator account access points. 
    • Organizations using these methods are 1.4 times less likely to suffer damage from an attack. 
    • Another key control is patching high-severity vulnerabilities within seven days of the initial patch release. More than half of organizations are patching critical vulnerabilities within the first seven days, but only 24% of organizations are patching high-severity vulnerabilities — rated with a CVSS score of 7.0 to 8.9 — in that same time period.
  • Beckers Hospital Review reports 
    • “Software giant Microsoft received a court order from the U.S. District Court for the Eastern District of New York that will allow the company to disrupt infrastructure used by ransomware gangs during hospital attacks.
    • “The court order allows Microsoft to cut off communication between hackers and a fake version of the cybersecurity software Cobalt Strike, used by hackers to breach hospital systems.
    • “The abuse of the cybersecurity software is a tactic used by Russian-speaking ransomware gangs Conti and LockBit, according to an April 6 Microsoft news release.”

Friday Factoids


Happy 75th World Health Day!

OPM announced

Voice of America’s Asian American Changemakers series premiered its final episode recently, featuring the work of the U.S. Office of Personnel Management and the leadership of Director Kiran Ahuja. Asian American Changemakers is a character-driven docuseries highlighting the lives and experiences of Asian Americans in the political and public arena.  * * *

Watch the full Asian American Changemakers episode here and learn more about opportunities to serve at opm.gov.   

OPM also informed FEHB carriers that “The recent opinion in Braidwood Management, Inc. v. Becerra, — F. Supp. 3d —, 2023 WL 2703229 (N.D. Tex.), in the U.S. District Court for the Northern District of Texas, pertains to the preventive services requirement under the Affordable Care Act; it does not impact the preventive services requirements for FEHB Carriers.” Regardless, and as the FEHBlog anticipated, writers in Health Affairs suggest sensible administrative law approaches to repairing the Braidwood Management problem. For example, “the HHS Secretary could authorize the director of the Agency for Health Care Research and Quality or the CDC director to review and adopt the Task Force’s recommendations, which the CDC director now does before ACIP’s immunization recommendations become effective.” No wonder HHS appealed Braidwood Management to the Fifth Circuit without requesting a stay of the district court’s decision.

In other judicial news, the Washington Post reports

  • “A federal judge in Texas blocked U.S. government approval of a key abortion medication Friday, siding with abortion foes in an unprecedented lawsuit and potentially upending nationwide access to the pill widely used to terminate pregnancies.
  • “The highly anticipated ruling puts on hold the Food and Drug Administration’s approval of mifepristone, a medication first cleared for use in the United States in 2000. The ruling will not go into effect for seven days to give the government time to appeal.”

Later today, per the AP, “A federal judge in Washington state on Friday ordered U.S. authorities not to make any changes that would restrict access to the abortion medication mifepristone in 17 Democratic-led states that sued over the issue, countering a ruling by a judge in Texas on the same day that ordered a hold on federal approval of the drug.”

From the healthcare of the near future front —

  • Medscape relates
    • “US regulators may soon clear blood-based biomarker tests for colorectal cancer (CRC), expanding potential options for patients seeking more convenient forms of screening.
    • “Most recently, Guardant Health, Inc., announced the completion of its US premarket approval application for its Shield blood test to screen for CRC. Approval by the US Food and Drug Administration (FDA) would position Guardant to later secure Medicare coverage for its test.
    • “Rival companies, including CellMax Life, Freenome, and Exact Sciences, which already offers the stool-based Cologuard product, are pursuing similar paths in their development of blood tests for CRC.
    • “If these companies succeed, clinicians and patients could have a choice of several FDA-approved tests in a few years.”
  • A Wall Street Journal essay digs into why “doctors are turning to artificial intelligence to help them make the best decisions for patients.”

From the public health front –

  • Fierce Healthcare informs us “Black mothers living in the least vulnerable areas of the U.S. are more likely to die or have worse birth outcomes compared to white mothers living in the most vulnerable areas, a sweeping new study has found.”
  • Fierce Healthcare tells us “Reports of serious patient safety events among healthcare facilities in 2022 rose 19% from 2021 with falls, the most common such event, rising nearly 27%, according to data reported to The Joint Commission and released Tuesday.”

Thursday Miscellany


Today is National Employee Benefits Day, a celebration created by the International Foundation of Employee Benefit Plans.

From inside the Capital Beltway —

  • OPM issued a press release on its interim final rule concerning Postal Service Health Benefits Program implementation. That IFR was published in the Federal Register today.
  • Federal News Network reports that members of Congress are pressuring OPM to fix the consistent delays in processing federal employee retirement applications. The straightest path to solving the delay problem is reconfiguring or replacing the current Federal Employee Retirement System that replaced an even more complex Civil Service Retirement System prospectively in the mid-1980s. That is Congress’s responsibility.
  • Govexec tells us that “The Internal Revenue Service will bring on about 30,000 employees over the next two years as it begins spending the $80 billion in new funds Congress provided last year, the Biden administration said in an operational plan it unveiled on Thursday.”
  • Govexec further informs us that
    • On Thursday, President Biden signed an executive order to improve the effectiveness of the regulatory review process and regulatory analysis, which implements his Day One memo.
    • “Parts of the federal regulatory review process haven’t been updated since the 1990s, and since then, we’ve seen substantial advances in scientific and economic knowledge,” wrote Richard Revesz, administrator of the Office of Information and Regulatory Affairs, in a blog post. “These new steps will produce a more efficient, effective regulatory review process that will help improve people’s lives—from protecting children from harmful toxins and lowering everyday costs for families to improving rail safety and growing our economy from the middle out and bottom up.”

From the Rx and medical devices coverage front

  • Fierce Healthcare reports
    • Health and Human Services’ highly publicized list of the first Medicare Part B prescription drugs hit with rebates under the Inflation Reduction Act discreetly dropped from 27 to 20, prompting critiques from the pharma lobby over the Biden administration’s swift implementation of the legislation’s drug controls.
    • As spotted by Endpoints, the press release and accompanying guidelines released by HHS were updated on March 30 with the removal of several previously listed drugs: Gilead’s Yescarta and Tecartus, Bausch + Lomb’s Xipere, Acrotech Biopharma’s Folotyn, Shionogi’s Fetroja, Kamada’s WinRho and Stemline Therapeutics’ Elzonris.
  • MedTech Dive reports
    • Abbott has initiated a recall for [4.2 million] reader [devices] for its FreeStyle Libre glucose monitoring systems, which are at risk of catching fire if improperly stored or charged, according to the Food and Drug Administration. 
    • The agency categorized the recall as Class I, the most serious category of problems with medical devices, which can cause serious injury or death. Abbott noted that users do not need to send the devices back to the company but can continue to use them as long as they use chargers and cables supplied by Abbott with the device. * * *
    • The company has set up a special website with more information for people who use the FreeStyle glucose readers.
    • Abbott said that users can replace the reader with a smartphone app. 
  • Beckers Hospital Review relates
    • The FDA withdrew its approval of Makena, the only preterm birth drug greenlit by the agency, on April 6 after research showed the treatment did not work better than a placebo. 
    • The repealed approval follows an FDA advisory panel voting in favor of removing Makena and the drugmaker announcing it would halt sales. 
  • Beckers Pharmacy News tells us
    • Mark Cuban Cost Plus Drug Co. now sells more brand-name drugs. 
    • After breaking into the brand-name market in March — over a year since launching its online wholesaler company — Cost Plus Drugs offers three brand-name products made by Janssen, a Johnson & Johnson business. Cost Plus Drugs sells about 1,000 generics and four brand-name drugs. 
    • The three products are Invokana (canagliflozin), Invokamet (canagliflozin-metformin HCl) and Invokamet XR (canagliflozin-metformin HCl), according to a Cost Plus Drugs tweet.
    • One of them, Invokana, is a Type 2 diabetes drug that typically costs more than $675, according to Cost Plus Drugs’ website. Mr. Cuban’s company’s price is $243.90. 

From the public health front —

  • JAMA announced the following study results
    • In the first year of the COVID-19 pandemic, 2 US studies suggested that people hospitalized for COVID-19 had nearly 5 times the risk of 30-day mortality compared with those hospitalized for seasonal influenza.1,2 Since then, much has changed, including SARS-CoV-2 itself, clinical care, and population-level immunity; mortality from influenza may have also changed. This study assessed whether COVID-19 remains associated with higher risk of death compared with seasonal influenza in fall-winter 2022-2023.
    • [Based on an examination of Veterans Administration electronic health records] there were 8996 hospitalizations (538 deaths [5.98%] within 30 days) for COVID-19 and 2403 hospitalizations (76 deaths [3.16%]) for seasonal influenza (Table). After propensity score weighting, the 2 groups were well balanced (mean age, 73 years; 95% male).
    • The death rate at 30 days was 5.97% for COVID-19 and 3.75% for influenza, with an excess death rate of 2.23% (95% CI, 1.32%-3.13%) (Figure). Compared with hospitalization for influenza, hospitalization for COVID-19 was associated with a higher risk of death (hazard ratio, 1.61 [95% CI, 1.29-2.02]).
    • The risk of death decreased with the number of COVID-19 vaccinations (P = .009 for interaction between unvaccinated and vaccinated; P < .001 for interaction between unvaccinated and boosted). No statistically significant interactions were observed across other subgroups 
  • The U.S. Preventive Services Task Force released its final research plan for “Vitamin D, Calcium, or Combined Supplementation for the Primary Prevention of Falls and Fractures in Community-Dwelling Adults: Preventive Medication.”
    • Community-Dwelling means “Community and primary care–relevant settings, including assisted and independent living facilities,” but not inpatient, SNF, or rehabilitation settings.

From the healthcare spending front —

  • Health Payer Intelligence reports
    • The average out-of-pocket spending per non-birth-related pediatric hospitalization was $1,313 for privately insured children, but spending varied depending on the time of the year, chronic condition prevalence, and plan generosity, a study published in JAMA Pediatrics found.
    • Non-birth-related pediatric hospitalizations occur 2.5 million times per year and can lead to high medical costs for privately insured families.
    • Researchers used claims data from 2017 to 2019 from the IBM MarketScan Commercial Database to assess out-of-pocket spending for these hospitalizations and which factors influence this spending.
  • Aon released on April 5
    • findings showing more U.S. employers are looking to steer employees to affordable, quality care options as a way to combat rising medical costs and improve health outcomes.
    • Aon’s 2022 Health Care Survey outlines employer priorities in health and benefits strategies and shows how they are responding to looming health care inflation, which Aon forecasts to rise 6.5% this year to more than $13,800 per employee on average.
    • Data show employers are eager to steer participants toward high-quality, cost-effective hospitals and physicians using a combination of narrow network strategies, plan design, provider guidance services and financial incentives. Thirty-seven percent of employers said they were interested in using plan design to steer members to optimal providers, while 35% already have these plan design features in place.
  • Fierce Healthcare interviews a WTW expert about ways employers can control rising healthcare costs.
    • Last June, the major tracker of inflation—the Consumer Price Index—hit 9.1% but has been receding ever since. Employers should be aware that the healthcare industry will not see a similar reduction in prices and, in fact, should expect costs to rise substantially, according to an expert at Willis Towers Watson.
    • Tim Stawicki, a WTW senior health and benefits consultant, said in a recent blog post that a different dynamic will function in the healthcare industry because contracts lock in negotiated prices, usually for one to three years.
    • When those contracts end, providers will want to make up for profits they may feel that they missed out on, and that’s especially the case in the wake of the COVID-19 pandemic. * * *
    • Stawicki advised employers that they can avoid the worst of this fallout through better management of utilization and reviewing physician networks to make sure that they coincide with an employer’s coverage area that may have changed because of COVID-19. In addition, employers should try to improve the employee experience and implement more cost-effective points of care by steering individuals to urgent care centers or making it easier to use virtual care and choose provider networks based on their geographic footprint.

Midweek Update


Govexec and the Federal Times report about yesterday’s release of OPM’s Postal Service Health Benefits Program interim final rule.

Fedweek offers interesting observations on the federal workforce demographics:

“For years, [federal agencies] focused on the “retirement wave”—or still more sweeping, the “retirement tsunami”—when the Baby Boom population hit retirement eligibility. That view continues today, with the constant repetition of statistics such as that 15 percent of the federal workforce is already eligible to retire, and that in five years 30 percent of current employees will be eligible.

“That wave never happened and there is no reason to believe it will.

“What has actually happened is that federal retirements have been a fairly steady flow at around 60,000 to 70,000 each year from agencies apart from the Postal Service (which accounts for about 40,000 more on average). That’s around 3 percent per year, so when it’s five years later, 15 percent or so already have retired and there’s still only 15 percent who are eligible.

“Since those first soundings about a retirement wave, the workforce actually has been increasing in age. The average is now 47—five years older than the overall U.S. workforce—with about 28.7 percent age 55 or above, up by a half-point just in the last six years. The percentage aged 60 and older—which more or less equates to retirement eligibility—rose from 9.4 to 14.5 percent over the last 15 years.”

This is the demographic challenge facing the FEHB Program which is ameliorated by the coordination of benefits with Medicare beginning at age 65. OPM improved the opportunities for coordination of benefits with Medicare by allowing carriers to integrate Medicare Part D prescription drug plans for 2024.

From the public health front —

  • Dana Farber Cancer Institute offers insights into which States have the highest cancer rates.
  • The Department of Human Services announced making progress in the “whole of government” response to long Covid.

“[E]xperts say there is little public awareness about CMV compared to other viral infections that can infect a fetus in utero, such as HIV, Zika, and toxoplasmosis, all of which are far rarer than CMV infections. Professional societies recommend pre-pregnancy counseling and monitoring for HIV, but not for CMV. And testing for the infection in newborns isn’t widespread.

“Through my entire career, it’s been so clear that this field is really lacking in progress,” said Laura Gibson, an infectious diseases physician at UMass Memorial Health. “It’s just been frustrating to all of us in the field over decades.”

“That is starting to change, as state public health committees and legislatures begin to debate whether to mandate doing more robust screening for CMV. In 2019, Ontario became the first region in the world to test every baby for CMV. This year, Minnesota followed suit.”

“Obesity and diabetes in mothers have traditionally been considered risk factors for the child to also develop obesity. But a new study suggests that more narrow measures of health during pregnancy could help better assess that risk.

“Researchers grouped pregnant women based on specific metabolic traits and found that insulin resistance was associated with the highest risk, compared with other traits such as high cholesterol and triglycerides, according to a study published in JAMA Network Open on Tuesday.

“The risk linked to insulin resistance was even higher than that associated with prepregnancy obesity, defined as a body mass index over 30, and with diabetes diagnosed in gestation, the study said.”

From the Rx coverage front —

  • AHIP offers a new resource that “highlights how biosimilars offer an effective, lower-cost alternative to a brand name biologic product. In the last 10 years, for example, $36 billion of biosimilar medication spending was associated with $56 billion in savings. And savings from biosimilars are expected to exceed $180 billion over the next 5 years — a more than 4-fold increase from the last 5 years.”
  • STAT News reports on cancer drug shortages that have plagued our country for years.

From the telehealth front, mhealth intelligence informs us that “According to the FAIR Health Monthly Telehealth Regional tracker, telehealth use increased [7.3%] across the country in January, with rates rising at the national level and in all US Census regions.” My word, telehealth use increased in the winter?!?

Finally, in Medicare Advantage and Part D News, CMS lowered the boom on Medicare Advantage and Part D plans with a new final rule to “strengthen Medicare Advantage and hold health insurance companies to higher standards for America’s seniors and people with disabilities by cracking down on misleading marketing schemes by Medicare Advantage plans, Part D plans and their downstream entities; removing barriers to care created by complex coverage criteria and utilization management; and expanding access to behavioral health care.” This action follows a payment policy and risk adjustment rule compromise last week.