Cybersecurity Saturday

Cybersecurity Saturday

Following up on the President’s signature of the Consolidated Appropriations Act on March 15, Cybersecurity Dive discusses the new critical infrastructure cyberattack reporting requirements. Those requirements will take effect after the Cybersecurity and Infrastructure Security Agency issues implementing regulations. Those regulations, in turn, will let us know whether and to what extent healthcare entities are part of the critical infrastructure subject to the new reporting requirements.

From the vulnerability front, the HHS Cybersecurity Program released its February 2022 vulnerability bulletin on March 18.

Tech Republic reviews the latest vulnerabilities that CISA has added to its catalog.

More specifically, Bleeping Computer informs us

The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors.

This was disclosed in a joint cybersecurity advisory published this week in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN).

“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” the FBI said [PDF].

Cybersecurity Dive adds

The FBI and Cybersecurity and Infrastructure Security Agency on Tuesday warned U.S. organizations about Russian state-sponsored threat actors exploiting the PrintNightmare vulnerability, as well as misconfigured account settings used in multifactor authentication (MFA) to launch attacks. 

The threat actors were able to launch an attack against a non-government organization (NGO) dating back to May 2021 using a misconfigured MFA setting set to default. They used the flaw to enroll a new device and gained network access, according to the bulletin. The attackers later exploited the PrintNightmare vulnerability to steal documents after gaining access to the cloud and email accounts. 

Separately, ESET researchers are warning about a third data wiping malware called CaddyWiper, which destroys user data and partition information. The wiper was found Monday on several dozen systems in a limited set of organizations in Ukraine, but does not share code similarities with either HermeticWiper or IsaacWiper.

From the ransomware front

  • Here’s a link to the latest The Week in Ransomware” from the Bleeping Computer.

In early September, researchers with Google’s Threat Analysis Group started tracking a financially motivated hacking group exploiting a since-patched Microsoft vulnerability to gain access to targeted computers. 

Later it became clear that the group is what’s known as an initial access broker — a crew specializing in gaining entry to high-value networks and selling that access to other cybercriminals — and that it is closely affiliated with the notorious Conti ransomware organization.

In findings published Thursday, the Google researchers detail how the group they’re calling “Exotic Lily” employed relatively novel tactics to gain access to targets, and how, at its peak, the hackers sent an estimated 5,000 emails per day to as many as 650 targeted organizations globally.

From the cyberdefense front

  • The HIPAA Journal assesses the March 2022 cybersecurity newsletter from HHS’s Office for Civil Rights, the agency that enforces the HIPAA Privacy and Security Rules.

As the government looks to tighten procurement regulations for critical software, the National Institute of Standards and Technology issued a special publication detailing appropriate ways to assess an organization’s adherence to the agency’s go-to list of enhanced security requirements for protecting controlled but unclassified information.  

“Assessors obtain evidence during the assessment process to allow designated officials to make objective determinations about compliance to the CUI enhanced security requirements,” reads NIST guidance—SP 800-172A—published Tuesday. “The evidence needed to make such determinations can be obtained from various sources, including self-assessments, independent third-party assessments, government-sponsored assessments, or other types of assessments, depending on the needs of the organization establishing the requirements and the organization conducting the assessments.”

  • The Wall Street Journal offers an article by Stuart Madnick, who is the John Norris Maguire Professor of Information Technologies, Emeritus, at the MIT Sloan School of Management and the founding director of the Cybersecurity at MIT Sloan (CAMS) research consortium. Mr. Madnick explains why “[u]nless organizations fix the internal decision-making that allowed a cyberattack to occur, they could be vulnerable to further breaches, researchers say.”

Following up on last week’s post on Google’s acquistion of Mandiant, Cybersecurity Dive puts that transaction in perspective.

“Let’s face it, Google’s in a sort of a death race with AWS and Azure in terms of cloud supremacy, right,” said Garrett Bekker, a principal research analyst with S&P Global’s 451 Research. “To some extent, security is a tool that helps them get there more than an end in and of itself.”

Google’s gobbling up of Mandiant is the latest in a sector feeding frenzy. There were more than 200 M&A deals last year, with aggregate disclosed deal valuations exceeding $55 billion. In the past five years, there were more than 1,000 cybersecurity M&A deals, data from CB Insights show. 

This week recorded a $616.5 million acquisition, with SentinelOne’s plans to add Attivo Networks’ identity security to its XDR suite. 

Friday Stats and More

Based on the Centers for Disease Control’s Covid Data Tracker and using Thursday as the first day of the week, here is the FEHBlog’s latest weekly charts of new Covid cases and deaths (a lagging indicator):

The CDC observes in its weekly review of its Covid statistics

COVID-19 caseshospitalizations, and deaths all continue to decrease in the United States. According to CDC’s COVID Data Tracker, as of March 16, 2022, 76.7% of the total U.S. population has received at least one dose of a COVID-19 vaccine, and 65.3% has completed their primary series. However, only about half of the booster-eligible population has received a booster dose and is considered up to date on their COVID-19 vaccines.

Two new studies show the effectiveness of COVID-19 vaccines and boosters across periods of three variants of concern (Alpha, Delta, and Omicron). CDC released a study today showing that, among adults hospitalized with COVID-19 during the Delta and Omicron waves, those who received two or three doses of the Pfizer-BioNTech or Moderna vaccine had 90–95% less risk of dying or needing a ventilator compared with adults who were not vaccinated. Protection was highest in adults who received a third COVID-19 vaccine dose. A study published in the British Medical Journalexternal icon found that vaccines gave a high level of protection against hospitalization for all variants, but not as much for Omicron among adults who received only a primary series. However, boosters increased protection against Omicron. The study also showed that hospital patients who were vaccinated had much lower disease severity than patients who were not vaccinated.

These studies emphasize the importance of staying up to date with vaccinations—they are our best protection against severe COVID-19 illness. Vaccination is also the safest way to reduce the chance that new variants will emerge. Find a vaccine provider and get your booster dose as soon as you can.

In that regard, here is the FEHBlog weekly chart of Covid vaccinations distributed and administered from the beginning of the vaccination era in late 2020:

Here’s a link to the Food and Drug Administration’s March 18 round of its Covid related activities.

While the bulk of Covid care spending goes to hospitals, Becker’s Hospital Review reports that a “sizable minority” have a significant amount out-of-pocket spending for this care, according to a study published in the American Journal of Managed Care March 16.”

It’s worth adding that the Wall Street Journal reports that

The biggest credit-reporting firms will strip tens of billions of dollars in medical debt from consumers’ credit reports, erasing a black mark that makes it harder for millions of Americans to borrow.

Equifax Inc.,  Experian  PLC and TransUnion are making broad changes to how they report medical debt beginning this summer. The changes, which have been in the works for several months, will remove nearly 70% of medical debt in collections accounts from credit reports.

Beginning in July, the companies will remove medical debt that was paid after it was sent to collections. These debts can stick around on a consumer’s credit report for up to seven years, even if they are paid off. New unpaid medical debts won’t get added to credit reports for a full year after being sent to collections.

The firms are also planning to remove unpaid medical debts of less than $500 in the first half of next year. That threshold could rise, according to people familiar with the matter.

From the compliance front —

  • The Internal Revenue Services issued a notice on how to calculate the No Surprises Act’s Qualified Payment Amount when the health plan does not have enough data to calculate a January 2019 median.
  • The Department of Labor is offering a webinar on March 30 at 11 am that “will help employers, service providers, and benefit professionals understand how the provisions of [the federal mental health partity act] apply to employer-sponsored group health plans and provide information on how to avoid common problems. The webinar runs about 45 minutes to an hour and is limited to 200 participants.

From this week’s healthcare conferences front

  • Fierce Healthcare discusses the electronic medical records interoperability theme of the HIMSS conference.
  • Fierce Healthcare also offers a wrap report on “the most interesting innovations at SXSW 2022: From holograms to the future of psychedelics.”

From the telehealth front

  • Becker’s Payer Issues reports that most consumer driven plans have taken advantage of the IRS offered flexibility to cover telehealth before the “high” annnual deductible.
  • Forbes informs us “Telehealth Accounts For One In Three Mental Health Visits Two Years Into Pandemic.” Whoopee.

From the good works department, the American Medical Association tells us about a North Carolina physician who is talking the diabetes problem.

Dr. [Brian] Klausner is the medical director of WakeMed’s Community Population Health program in Raleigh. He also is a physician champion for DiabetesFreeNC. That is the statewide initiative where AMA partnered with the North Carolina Medical Society and others to support collaborative efforts to end type 2 diabetes in the Tar Heel State.  

Rather than think of the pandemic as having “derailed” diabetes prevention or other population health efforts, Dr. Klausner said that “COVID-19 expedited new perspective in how we can do a better job addressing historic roadblocks to community health initiatives, including those related to diabetes and prevention.”

Thursday Miscellany

Photo by Josh Mills on Unsplash

From the Omicron and siblings front, STAT News reports why “It’s not clear what will happen [with Covid] in the near future in the United States.”

Politico tells us

President Joe Biden announced Thursday that Ashish Jha will be the next White House Covid-19 response coordinator, installing a well-known public health commentator on the administration’s pandemic team.

Jha, the dean of Brown University’s School of Public Health, has been a regular guest across cable and network news throughout the Covid-19 pandemic. He will replace Jeffrey Zients, who has headed the Biden administration’s coronavirus response since January 2021 and will return to private life in April.

The Boston Globe reports “Moderna said late Thursday that it asked the Food and Drug Administration for emergency authorization of a second booster of its coronavirus vaccine for all adults, a significantly broader request than Pfizer and BioNTech filed for their shot this week.”

The White House also announced “launching the Clean Air in Buildings Challenge, a key component of the President’s Plan, that calls on all building owners and operators, schools, colleges and universities, and organizations of all kinds to adopt key strategies to improve indoor air quality in their buildings and reduce the spread of COVID-19. “

From the substance use disorder front, the American Medical Association informs us

CNN (3/16, McPhillips) reports, “Annual drug overdose deaths have reached another record high in the United States as deaths from fentanyl and other synthetic opioids surge to unprecedented levels,” investigators concluded. In fact, “an estimated 105,752 people died of drug overdoses in the 12-month period ending October 2021, according to provisional data published” March 16 by the CDC’s National Center for Health Statistics.

From the public health front, the National Institutes of Health announced

Nearly 100,000 highly diverse whole genome sequences are now available through the National Institutes of Health’s All of Us Research Program. About 50% of the data is from individuals who identify with racial or ethnic groups that have historically been underrepresented in research. This data will enable researchers to address yet unanswerable questions about health and disease, leading to new breakthroughs and advancing discoveries to reduce persistent health disparities.

“Until now, over 90% of participants from large genomics studies have been of European descent. The lack of diversity in research has hindered scientific discovery,” said Josh Denny, M.D., chief executive officer of the All of Us Research Program. “All of Us participants are leading the way toward more equitable representation in medical research through their involvement. And this is just the beginning. Over time, as we expand our data and add new tools, this dataset will become an indispensable resource for health research.”

The genomic data is available via a cloud-based platform, the All of Us Researcher Workbench, and also includes genotyping arrays from 165,000 participants. Whole genome sequencing provides information about almost all of an individual’s genetic makeup, while genotyping arrays, the more commonly used genetic testing approach, capture a specific subset of the genome.

The FEHBlog does participate in All of Us surveys but took a pass on genome sequencing study.

From the healthcare business front, Beckers Payer Issues lets us know

UnitedHealth Group is mounting its defense against the Justice Department’s challenge to its proposed $13 billion acquisition of Change Healthcare, arguing the government’s case is “flawed.”  * * *

“The government’s case rests entirely on speculation and theories unsupported by any past conduct, i.e., that Optum will somehow exploit Change Healthcare’s products and services to secure an unfair advantage for UnitedHealthcare’s health insurance business,” UnitedHealth said in its statement

“Optum’s business model and financial success is dependent on providing products and services to external customers, not just UnitedHealthcare,” the company added. “Put simply, any misuse of customer [competitively sensitive information] would be economic suicide for Optum because its sophisticated external customer base would simply cease using Optum’s services and turn to any number of Optum competitors.”

The Justice Department also argued the acquisition would give UnitedHealthcare a monopoly in claims-editing technology, but UnitedHealth said it has agreed to divest the business and plans to ink a purchase agreement in “a matter of weeks.”

Midweek update

From the FEHB front, the Office of Personnel Management released the 2023 call letter for benefit and rate proposals and the related technical guidance letter.

OPM is to be congratulated for releasing the two letters simultaneously. Historically, OPM has released the call letter weeks or months before the technical guidance letter. As a result, carriers cannot start preparing their benefit and rate proposals, due May 31, until they receive both letters.

From the Omicron (and sibling) front, the American Medical Association informs us

The New York Times (3/15, Mandavilli) reports about “17 million Americans received the Johnson & Johnson Covid vaccine, only to be told later that it was the least protective of the options available in the United States.” However, “new data suggest that the vaccine is now preventing infections, hospitalizations and deaths at least as well as the Pfizer-BioNTech and Moderna vaccines.” The reasons are unclear, “and not all experts are convinced that the vaccine has vindicated itself.” Still, “the accumulating data nonetheless offer considerable reassurance to recipients of the vaccine and, if confirmed, have broad implications for its deployment in parts of the world.”

From the mental health care front, the American Hospital Association tells us

The Substance Abuse and Mental Health Services Administration yesterday released a toolkit to help health care providers and others prepare for the July 16 launch of 988, the new phone number for anyone experiencing suicidal thoughts or a mental health or substance use crisis to speak, text or chat with a trained crisis counselor. Authorized by the National Suicide Hotline Designation Act of 2020, the three-digit number will operate through the National Suicide Prevention Lifeline’s network of over 200 crisis centers.

“In the longer term, our vision is to build a robust crisis care response system across the country that links callers to community-based providers who can deliver a full range of crisis care services, if needed (like mobile crisis teams or stabilization centers),” SAMHSA notes.

To access the toolkit and other suicide prevention resources, visit SAMHSA’s new 988 website

From the U.S. healthcare front, Healthcare Dive reports

The long-term shift from hospital-based care toward more treatment delivered in the home and ambulatory centers picked up pace during the COVID-19 pandemic and is expected to continue to gain momentum, pressuring revenue growth and margins in the hospital sector, according to new research from Moody’s Investors Service.

Reimbursement changes, risk-sharing, investment in outpatient services including ambulatory surgery centers, advances in drugs and medical devices and greater use of at-home acute care services are among the forces driving the movement away from more expensive hospital inpatient care.

Medicare telehealth visits increased 63-fold during 2020, Moody’s said, citing HHS data. Although hospitals are reporting that telehealth use is receding as more patients return to in-person physician visits, it will likely remain above pre-COVID levels, the ratings agency said.

Kaiser Health News looks at the No Surprises Act from the patient’s perspective. It’s an important article because health plans should help their members keep the new law’s billing protections in perspective.

From the provider of the future front, mHealth Intelligence reports

Though a majority (63 percent) of clinicians worldwide expect most of their consultations to be remote within the next decade, 51 percent believe that telehealth will negatively impact their ability to demonstrate empathy with their patients, a new report revealed.

Developed by Elsevier Health and Ipsos, the Clinician of the Future report includes a quantitative survey, qualitative interviews, and roundtable discussions with nearly 3,000 practicing physicians and nurses worldwide. Of the total number of respondents, 434 were from the US. * * *

Empathy from physicians is becoming increasingly important for patients. A vast majority of clinicians (82 percent) surveyed said that soft skills like listening and displaying empathy have become more critical in the last decade. In the US, 76 percent of clinicians agreed with this statement.

Though the importance of soft skills has grown, the report notes that technical skills will be key in the future.

From the HIMSS Conference in Orlando, Florida, Healthcare Dive holds an interview concerning the FEHBlog leading interoperability innovation of 2022, TEFCA:

Healthcare Dive caught up with Mariann Yeager to talk TEFCA at the HIMSS annual healthcare conference in Orlando on Monday. Yeager is CEO of the Sequoia Project, a nonprofit that was selected in 2019 to serve as the recognized coordinating entity (RCE) charged with developing, updating and maintaining the common agreement and overseeing QHINs.

Yeager shared more details on the timeline of TEFCA implementation, why organizations should join the voluntary framework and how the Sequoia Project and the Office of the National Coordinator for Health IT are at the beginning of a long process of monitoring and modernizing a living document that, given uptake, could shape the future of health data exchange for decades into the future.

“We’re really proud of the work that we’ve done,” Yeager said.

Check out the full interview.

Tuesday Tidbits

Photo by Patrick Fore on Unsplash

Happy Ides of March. The President signed the Consolidated Appropriations Act 2022 into law today. The Postal Reform Act of 2022 continues to await the President’s signature.

From the Omicron front, David Leonhardt reports on COVID surges in China and Europe. He concludes

Even if [Covid] cases rise [in the U.S. again], as seems likely, there are good reasons not to panic. Vaccination tends to turn Covid into a mild illness, especially for people who have received a booster. For the unvaccinated and unboosted, BA.2 is another reason to get a shot.

It’s also a reason for the federal government and states to expand access to both Evusheld — a drug that can help protect the immunocompromised — and Paxlovid — a post-infection treatment. Finding either is often difficult today. (If you’re looking for one of them, click on this link for Evusheld and this one for Paxlovid.)

The bottom line: Covid isn’t going away, but vaccination and other treatments can keep future increases manageable. The biggest problem remains the millions of people who remain unvaccinated, many of them by choice. That’s the case in the U.S., in Hong Kong and across much of EuropeAfrica and the rest of the world.

Inducing more people to get shots — through persuasion or mandates — would probably save more lives than any other Covid policy.

What is the FDA’s hold up in reviewing the standard Covid vaccines for which emergency use authorizations have been filed? As previously noted, the traditional vaccines may be appealing to those resistant to the state-of-the-art mRNA vaccines.

The Wall Street Journal reports

Pfizer Inc. and partner BioNTech SE have asked U.S. health regulators to authorize a second booster dose of its Covid-19 vaccine for people 65 years and older.

The companies said Tuesday that they had filed the application. The Food and Drug Administration is expected to make a decision in time for the Biden administration to begin a potential fall vaccine campaign.

The FDA has been reviewing data and looking at potentially authorizing a fourth dose of the shot for use in the fall, The Wall Street Journal reported last month.

From the Rx coverage front —

STAT News informs us

The prices pharmacy benefit managers and insurers pay for Sanofi medicines have decreased for a sixth consecutive year, yet patient out-of-pocket costs are rising. Once again, there is further evidence that focusing solely on lowering the list price of medicines doesn’t guarantee lower costs for patients. Sanofi pulls back the curtain on the impact of list and net prices and more in its annual pricing report.

and

Back in 2019, when the Senate Finance Committee called seven drug industry CEOs to testify, it seemed like proof that Washington was within striking distance of actually reining in the industry’s high prices. “It’s past time to get beyond the excuses and make prescription drugs affordable,” Sen. Ron Wyden, the top Democrat on the committee, told drugmakers that day. Tomorrow, almost exactly three years later, Wyden will chair another hearing on prescription drug pricing. He’s billing the hearing as “an opportunity for members to discuss how high drug prices have impacted seniors and families in their states and identify solutions” — even though lawmakers have had more than a dozen such hearings to “discuss” high drug prices over the past three years. STAT’s Nicholas Florko tallies what’s at stake in STAT+.

In FDA News, the agency reports approving today “the first generic of Symbicort (budesonide and formoterol fumarate dihydrate) Inhalation Aerosol for the treatment of two common pulmonary health conditions: asthma in patients six years of age and older; and the maintenance treatment of airflow obstruction and reducing exacerbations for patients with chronic obstructive pulmonary disease (COPD), including chronic bronchitis and/or emphysema. This complex generic drug-device combination product, which is a metered-dose inhaler, should not be used to treat acute asthma attacks.”

From the opioid epidemic front, “the Department of Health and Human Services (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA), announced two grant programs totaling $25.6 million that will expand access to medication-assisted treatment for opioid use disorder and prevent the misuse of prescription drugs. By reducing barriers to accessing the most effective, evidence-based treatments, this funding reflects the priorities of HHS’ Overdose Prevention Strategy, as well as its new initiative to strengthen the nation’s mental health and crisis care systems.”

From the patient front, HHS’s Agency for Healthcare Research and Quality announced the agency’s

Support for Patient Safety Awareness Week. Ongoing investments in safety research, the development of safety toolkits and training resources, and a growing emphasis on improving diagnostic safety are all part of a mission to make healthcare safe for all Americans. Access more information about AHRQ’s support of Patient Safety Awareness Week, including a special introductory video from Jeff Brady, M.D., director of the Center for Quality Improvement and Patient Safety; information about how to get involved in Patient Safety Awareness Week activities; and recent patient and diagnostic safety resources, including:

Diagnostic Safety Supplemental Items for the Surveys on Patient Safety Culture (SOPS) Medical Office Survey

Safer Together: A National Action Plan to Advance Patient Safety

Making Healthcare Safer III: A Critical Analysis of Existing and Emerging Patient Safety Practices

— AHRQ QuestionBuilder App (also available in Spanish

From the HIMSS conference in Orlando, Healthcare Dive tells us

The Biden administration has been working on additional rulemaking to address issues with the payer-to-payer data exchange requirements set out in sweeping interoperability rules finalized in early 2020, and “we look forward to sharing this rule with you soon,” CMS administrator Chiquita Brooks-LaSure told attendees at the HIMSS annual conference in Orlando on Tuesday.

CMS decided not to enforce those provisions when they kicked in this year, after health insurers raised concerns about operational challenges and risks to data quality given a lack of specificity in the rule.

The new rule will incorporate extensive public comment to try to address stakeholder concerns, and will standardize how payers exchange data through application programming interfaces, Brooks-LaSure said.

and

An online tool that allows patients in markets across the country to compare prices for hundreds of hospital services before getting treatment has launched in its beta development stage.

Turquoise Health’s platform uses cost data from machine-readable files made public by hospitals as part of compliance with a federal price transparency rule that went into effect in January 2021.

The San Diego-based startup’s platform includes a scorecard that lets users assess price transparency compliance with the CMS requirements for nearly 6,000 hospitals, Turquoise Health said Monday. Hospitals receive a score based on an algorithm-driven five-star rating system.

Fierce Healthcare reports from the SXSW Conference in Austin, TX.

Samsung and Best Buy executives shared why they place big bets on tech to help elderly Americans age at home.

Experts are laying out the business case to invest in care for underserved communities.

Leaders in women’s health say empowering female patients is key to addressing gender biases in healthcare.

Monday Roundup

Photo by Sven Read on Unsplash

From the Omicron front

Medpage Today offers an interesting discussion of the test to treat program.

The Wall Street Journal informs us

A new Covid-19 pill from Merck & Co. and Ridgeback Biotherapeutics LP has been more widely used than expected since rolling out late last year, though regulators and many doctors consider it a last resort. 

Many doctors and health officials anticipated a rival pill, Pfizer Inc.’s Paxlovid, would be the Covid-19 drug of choice. Paxlovid was found to be far more effective than Merck-Ridgeback’s molnupiravir in clinical trials, and regulators and guidelines recommended using Paxlovid if possible.

Prescriptions for the two antivirals have been running about equal since their authorization in December, however. The larger-than-expected use is a sign of the high demand for easy-to-use coronavirus treatments that can be taken at home, especially during surges like the recent Omicron wave.

Govexec tells us

Federal agencies are not restricted on the size of events they host, unless under certain conditions, according to new guidelines. 

The Biden administration’s Safer Federal Workforce Task Force issued updated and new guidance on March 11, most of which reflects the Centers for Disease Control and Prevention’s new framework released in late February. That framework “moves beyond just looking at cases and test positivity to evaluate factors that reflect the severity of disease, including hospitalizations and hospital capacity, and helps to determine whether the level of COVID-19 and severe disease are low, medium, or high in a community,” as CDC Director Dr. Rochelle Walensky said on a briefing call. 

There are no “restrictions on the size of agency-hosted in-person meetings, events, or conferences,” said one of the new “frequently asked question” prompts. “Should an agency intend to host a meeting, conference, or event that will be attended in-person by more than 50 participants at a facility in a county where the COVID-19 Community Level is HIGH, the agency should first seek the approval of its agency head or official to which this responsibility has been delegated, in consultation with the agency’s COVID-19 coordination team.” 

From the Rx coverage front –

BioPharma Dive reports good news

The Food and Drug Administration has approved AstraZeneca and Merck & Co.’s drug Lynparza for people with a genetic form of early breast cancer, a decision that could spur greater use of DNA testing in diagnosing and treating the disease.

Lynparza is already used to treat metastatic breast cancer in patients with so-called BRCA gene mutations. The new approval makes Lynparza available earlier in their disease, after surgery to remove a tumor and standard drugs like chemotherapy and radiation. People with cancers that are “HER2-negative” and at a high risk of relapsing are eligible for treatment.

The decision is based on the results of a large study published last year in The New England Journal of Medicine last year. In it, Lynparza reduced the risk of disease progression or death by 42% versus placebo after a median of 2.5 years of follow-up. Updated results show the drug cut the risk of death by about a third, a finding the companies will detail at a medical meeting on Wednesday.

The National Institutes of Health announced launching “a Phase 1 clinical trial evaluating three experimental HIV vaccines based on a messenger RNA (mRNA) platform—a technology used in several approved COVID-19 vaccines.” mRNA developers were working on HIV vaccines before the pandemic struck. Fingers crossed.

Healthcare Dive reports from Capitol Hill

Sen. Chuck Grassley (R Iowa) is urging the Federal Trade Commission to “find consensus” and vote again to launch a study into the business practices of pharmacy benefit managers, according to a letter he sent to FTC Chairwoman Lina Khan dated March 9.

“PBMs operate with little to no transparency, making it very difficult if not impossible to understand the flow of money in the prescription drug marketplace,” the Republican senator from Iowa said in his letter, nodding to the bipartisan consensus for such an examination.

Grassley urged the commissioners to come up with a more targeted focus for the study and suggested narrowing a review to the impact on consumers and their out of pocket costs.

From the patient safety front, Beckers Hospital Review explains

Staffing shortages are the top threat to patient safety in 2022, according an annual report on patient safety concerns from ECRI, an organization that conducts independent medical device evaluations, published March 14. 

Researchers identified the top threats to patient safety by analyzing a wide range of data, including scientific literature, patient safety events or concerns reported to or investigated by ECRI. 

Ten top patient safety concerns this year: 

1. Staffing shortages

2. COVID-19 effects on healthcare workers’ mental health

3. Bias and racism in addressing patient safety 

4. Vaccine coverage gaps and errors

5. Cognitive biases and diagnostic error

6. Nonventilator healthcare-associated pneumonia 

7. Human factors in operationalizing telehealth

8. International supply chain disruptions

9. Products subject to emergency use authorization

10. Telemetry monitoring 

From the mental healthcare front, the Department of Health and Human Services announced

A new U.S. Department of Health and Human Services (HHS) study published in the American Medical Association’s journal JAMA Pediatrics  reports significant increases in the number of children diagnosed with mental health conditions. The study, conducted by the Health Resources and Services Administration (HRSA), finds that between 2016 and 2020, the number of children ages 3-17 years diagnosed with anxiety grew by 29 percent and those with depression by 27 percent. The findings also suggest concerning changes in child and family well-being after the onset of the COVID-19 pandemic.

No bueno.

Weekend Update

From Capitol Hill, the House of Representatives and the Senate will be in session this week for floor voting and Committee business.

Healthcare Dive reminds us that the Healthcare Information and Management Systems Society will hold its annual conference in Orlando, Florida, this week. In addition, Healthcare Dive notes several headliner presentations planned for that conference.

From the health equity front, the Wall Street Journal reports

The fatal overdose rate among Black people surpassed that for white people in the first year of the pandemic, as an increasingly lethal drug supply and Covid-19’s destabilizing effects exacted a heavy toll on vulnerable communities in the U.S.

The proliferation of the potent opioid fentanyl, and a pandemic that has added hazards for people who use drugs, are driving new records in U.S. overdose deaths, and Black communities have been hit especially hard. Black people often have uneven access to healthcare including effective drug treatment, putting them at high risk, researchers and public-health experts say. 

The most recent full-year of federal data, through 2020, shows the rate of drug deaths among Black people eclipsed the rate in the white population for the first time since 1999, researchers at the University of California, Los Angeles recently demonstrated.

What is an effective treatment for substance use disorder? The Journal adds

Researchers at the University of Michigan examining outpatient visits for substance use in recent years found white patients were three to four times as likely as Black patients to receive buprenorphine, a prescription medication to treat opioid dependence that is more readily available to people with health insurance or the means to pay out of pocket.

Health providers are more likely to direct Black patients to methadone, which is delivered by highly regulated opioid-treatment programs that often require daily visits to obtain the medication, researchers have found.

According to Sam Quinones’s books on the opioid and fentanyl problems plaguing our country, drug dealers hang out at methadone clinics.

On a related note, The Psychiatric Times informs us

The positive implications for screening for and treating individuals with SUDs are vast, from preventing HIV and hepatitis in injection-drug users to improving patients’ physical health, mental health, employment, and housing.

Elisa Gumm, DO, who is presenting on “Screening for Addiction in a 20-Minute Appointment” at the “Psychiatry for Non-Psychiatrists: The University of Arizona Update in Behavioral Medicine for Primary Care” conference, stated that “offering addiction interventions at every level reduces the overall costs to the person and society

Also, the New York Times reports on today’s front page about the serious logistical problems facing the federal and state governments as they seek to launch the new 988 suicide hotline on July 1, 2022.

Fierce Healthcare discusses the advantages of using teledentistry with rural patients.

Teledentistry enables rural access to care, lowers costs and helps provide preventive services, a new study has found. 

The CareQuest Institute looked at data for patients in Oregon and Washington. The study included data from more than 60,100 individuals who had a dental visit either in person or through teledentistry in the second half of 2020.

Most (79%) patients with a teledentistry visit had a follow-up visit sometime in 2021, the vast majority of which were in person. Most (60%) had this visit within three weeks of their teledentistry visit, which primarily consisted of diagnostic and restorative services. 

Cybersecurity Saturday

Cyberscoop reports

The Senate cleared legislation Thursday evening that would make the Cybersecurity and Infrastructure Security Agency (CISA) a hub to receive mandatory industry reports about major cyber incidents and ransomware payments, as well as boost its budget 22% over last year.

Security Week adds

[The new law] requires any entity that’s considered part of the nation’s critical infrastructure, which includes the finance, transportation and energy sectors, to report any “substantial cyber incident” to the government within three days and any ransomware payment made within 24 hours.

[It] also empowers CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.

The FEHBlog examined the new’s law definition of a covered entity and it appears to be sufficiently broad to encompass healthcare.

The FEHBlog learned that the cyber reporting provisions are found in Division Y of the Consolidated Appropriations Act, 2022 (the new law’s official name) and the cyber reporting requirements will take effect following CISA promulgation of implementing rules.

In related news, Bleeping Computer reports

The US Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they’re determined as being a material incident (one that shareholders would likely consider important).

“In some cases, the date of the registrant’s materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date,” the Wall Street watchdog explained.

According to newly proposed amendments to current rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks on Form 8-K.

The amended rules would also instruct companies to provide updates regarding previously reported security breaches.

In cybersecurity business news, the Wall Street Journal informed us on March 8

Google said it reached a deal to buy cybersecurity company Mandiant Inc.for nearly $5.4 billion, aiming to bolster its cloud unit with more cybersecurity offerings at a time when businesses have seen a wave of attacks on their systems.

The deal is the second-largest in history for the Alphabet Inc.GOOG -1.66% unit and comes as the company is facing antitrust lawsuits from the Justice Department and multiple states for allegedly anticompetitive practices. 

In buying Mandiant, Google provides a boost to its cloud business, which is rapidly growing but remains smaller than its key rivals. In the most recent quarter, the business saw revenue rise by about 45% to $5.54 billion, or about 7% of the company’s total quarterly revenue.

Thomas Kurian, chief executive of Google Cloud, said that Google wanted to draw from the insights of Mandiant’s threat research in how it applies security solutions to its products, and that the computing giant intended to retain the Mandiant brand. * * *

The companies said the deal is expected to close later this year. Google has faced intense regulatory scrutiny for smaller acquisitions. It took more than a year for Google to close its $2.1 billion acquisition of Fitbit LLC as regulators took a close look at the deal.

From the cyberthreat front, the HHS Cybersecurity Program this past week issued alerts on “PTC Axeda agent and Axeda Desktop Server Vulnerabilities” and a Conti ransomware update. Health IT Security reported on the Conti ransomware update here.

Conti actors typically gain initial access via spearphishing campaigns, stolen Remote Desktop Protocol (RDP) credentials, fake software promoted via search engine optimization, or common asset vulnerabilities.

CISA updated the advisory to include new indicators of compromise, including new domains that had registration and naming characteristics that were similar to those used by Conti in the past.

US organizations, especially in the healthcare sector, should remain on high alert and implement technical safeguards to prevent cyberattacks. Organizations should adopt multi-factor authentication, network segmentation, and frequent vulnerability scanning.

In addition, the advisory recommended that organizations remove unnecessary applications, implement endpoint and detection response tools, restrict access to RDP, and secure user accounts.

In other cybersecurity news, Health IT Security tells us

Although cyberattacks and data breaches have bombarded the healthcare sector in recent years, recent research from Immersive Labs found that healthcare conducts cyber incident response exercises far less than other industries.

Immersive Labs analyzed 35,000 members of the cybersecurity workforce from a variety of industries and found that the healthcare sector conducted only two cyber crisis exercises per year on average. The technology and financial services sectors conducted nine and seven crisis exercises per year on average, respectively.

It makes sense that highly targeted industries like technology and finance would prepare accordingly. But healthcare is an equally high-profile and highly regulated cyberattack target, making the lack of crisis response exercises troubling.

Friday Stats and More

Based on the Centers for Disease Control’s Covid Data Tracker and using Thursday as the first day of the week, here is the FEHBlog’s updated weekly chart of new Covid cases:

Not quite as low as we were in early July but very much moving in the right direction. So is the FEHBlog’s updated weekly chart of new Covid deaths, which is considered a lagging indicator.

The epidemiologists have a keen eye out for new worrisome variants. For example, for other troubling variants, Becker’s Hospital News tells us about a relatively new combination of Delta and Omicron known as Deltacron.

The recombinant variant appears unlikely to spread as easily as delta or omicron, William Lee, PhD, vice president of science at Helix, told USA Today. “We have not seen any change in the epidemiology with this recombinant,” WHO COVID-19 technical lead Maria Van Kerkhove, PhD, said of deltacron during a March 9 media briefing. “We haven’t seen any change in severity. But there are many studies that are underway.” 

Here’s the FEHBlog’s weekly chart of Covid vaccinations distributed and administered from the start of the Covid vaccination era in late 2020 until the week ended this past Wednesday.

It is noteworthy that this week, the percentage of Americans aged 18 and older who are fully vaccinated (two doses of mRNA vaccine) cracked 75%. The same cadre is closing in on being 50% boostered. The most at risk, over age 65 cadre is 89% fully vaccinated and 66.7% boostered.

The American Hospital Association adds

In a study of 1,364 children aged 5-15, two doses of the Pfizer COVID-19 vaccine reduced the risk of omicron infection by 31% in those under 12 and 59% in older children, the Centers for Disease Control and Prevention reported today. CDC said the study reinforces the importance of vaccination to keep children and teens protected from severe disease, noting that another recent study found the vaccine 92%-94% effective against COVID-19 hospitalization in adolescents during the delta surge and 74% effective against hospitalization in younger children during omicron.

Here’s a link to the CDC’s weekly review of its Covid statistics. This week’s issue focuses on protecting folks at high risk for Covid, such as the immunocompromised.

Who is most likely to become very sick or die from COVID-19?  Your chances increase with age and underlying medical conditions like cancer, diabetes, heart conditions, dementia, and obesity, particularly if you’re not up to date on vaccinations. People with weakened immune systems,* some disabilities, some mental health conditions, and some chronic diseases are also at higher risk. A lot of people might not know they’re at risk for severe illness—review the list to find out if you could be.

Here’s a link to the CDC’s weekly Fluview report, which states that flu activity is increasing in “most of the country.” In this regard, the American Medical Association inform us

Healio (3/10, Downey, Gallagher) reports “interim estimates published Thursday in” the CDC’s Morbidity and Mortality Weekly Report “indicate that this season’s influenza vaccine has not been effective.” Based on the data “from more than 3,600 children and adults,” researchers “estimated that the vaccine has been 16% effective against mild or moderate influenza caused by the predominant circulating virus, influenza A(H3N2), with a 95% confidence interval…that suggests vaccination ‘did not significantly reduce the risk of outpatient medically attended illness’ caused by H3N2.”

From Capitol Hill and closing the loop on Thursday’s post, the Senate did pass the fiscal year 2022 omnibus appropriations act Thursday night. Roll Call reports

On a 68-31 vote, the Senate passed the 2,700-page, $1.5 trillion omnibus containing all 12 fiscal 2022 spending bills, $13.6 billion in supplemental appropriations to address the crisis in Ukraine and a lengthy list of unrelated measures fortunate enough to ride on the must-pass vehicle. 

From the No Surprises Act front, the FEHBlog had been concerned that the federal regulators were giving up on using the Qualified Payment Amount as a rebuttable presumption in NSA arbitrations which would help tremendously to control out of network benefit and plan legal costs. The FEHBlog therefore was encouraged to find that the federal government has filed a brief with the federal district court for the District of Columbia defending that position in a case raising the same issue. An oral argument on this issue will be heard by District Judge Richard Leon on March 21, 2022, at 3 pm. The FEHBlog will keep an eye on this and the other federal cases raising this issue.

From the electronic health record front, MedCity News interviews the CEO of Epic Systems at the Vive conference. The interview covers interoperability, artificial intelligence and other timely topics.

From the opioid epidemic front, STAT News reports

It was in the mid-2010s, the researchers heard, when “tranq dope” — opioids that contained the veterinary tranquilizer xylazine — took off in Philadelphia. But now, in some places across the U.S., it was appearing in 1 in 5 overdose deaths. A recent study also found the powerful synthetic opioid fentanyl in nearly every xylazine-involved death as well, indicating it wasn’t just the tranquilizer causing these overdoses. Experts are still trying to understand the risks of xylazine, but they’re worried because the drug is not an opioid but acts as a sedative, which can increase the risk of a fatal overdose. It might also make it harder to reverse those overdoses with naloxone, which is designed to work on opioids. STAT’s Andrew Joseph has more on how adulterated — and in turn, increasingly dangerous — the U.S. drug supply has become.

Rur roh.

Thursday Miscellany

From Capitol Hill, the Hill reports

The Senate has locked in a deal to quickly pass a massive government funding bill that includes $13.6 billion in Ukraine aid.

The agreement, announced by Senate Majority Leader Charles Schumer (D-N.Y.), puts the funding bill on a glide path to pass on Thursday night, capping off hours of would-they-won’t-they drama. 

Mazaal tov to Congress.

Also on Capitol Hill today, the Senate Homeland Security and Governmental Affairs Committee held a confirmation hearing for Krista Boyd, the President’s nominee to serve as OPM Inspector General. Fedweek notes that “Ms. Boyd is a senior staff member of the House Oversight and Reform Committee with long experience on Capitol Hill in federal workplace matters.”

From the Omicron front, Becker’s Hospital Review informs us “The rate of new COVID-19 cases involving the omicron subvariant BA.2 appears to be slowing in the U.S., according to variant proportion estimates from the CDC.”

Also, the Justice Department announced “Effective immediately, Associate Deputy Attorney General Kevin Chambers will serve as the Director for COVID-19 Fraud Enforcement.”

From the litigation front, Reuters reports “The judge overseeing Purdue Pharma’s bankruptcy on Wednesday approved a $6 billion opioid settlement funded by its Sackler family owners, overruling objections from the Department of Justice and 20 states that opposed the deal.”

From the healthcare business front

Healthcare Dive tells us

Anthem plans to change its name to Elevance Health, if the move is approved by shareholders, the company said Thursday.

The new name is meant to reflect the company’s offerings beyond traditional health insurance. “Elevance Health’s companies will serve people across the entire care journey, connecting them to the care, support, and resources they need to lead healthy lives,” Anthem CEO Gail Boudreaux said in a statement.

Elevance was chosen as a combination of the words “elevate” and “advance.” There will not be any changes to leadership or organizational structure accompanying the new name.

If approved, the Elevance name will start being used at the end of the second quarter of this year. Anthem Blue Cross and Blue Shield plans will still use the Anthem name.

From the telehealth front, Healthcare Dive reports

[Virtual care vendor] Amwell and LG Electronics are teaming up to jointly develop new digital health devices and tools, starting with hospital care in the U.S., the companies announced Wednesday.

South Korea-based LG, which manufactures a wide range of devices from refrigerators to computer monitors, already provides smart TVs for inpatient rooms.

Now, through the partnership, LG will also create devices that can host services from Amwell’s virtual care platform, Converge.

PYMTS.com reports this electronic health records news from the Vive conference being held in Miami

Electronic health records containing some of the most guarded personal data about people are making headlines again as a consortium of players join forces to create a universal single sign-in, allowing patients secure access to unified health data via digital identity.

Coming out of the ViVE health technology conference happening this week in Miami Beach, the effort is led by consumer-directed healthcare advocacy group the CARIN Alliance, working together with the Department of Health and Human Services (HHS) and other stakeholders.

On Tuesday (Mar. 8), Politico reported that HHS “is working with several health systems, insurers and health tech groups to roll out a single way for patients to log in and access their medical records across multiple systems. The launch later this month will set up a test environment for integrating the technology, said Ryan Howells, principal at Leavitt Partners and program manager at the CARIN Alliance, which is spearheading the efforts.”

CARIN is working with the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services (CMS), which will act as “government observers.”

From the FEHB front, benefits consultant Tammy Flanagan writes in Govexec about the Postal Service Health Benefits Program which will launch in 2025 as part of the Postal Reform Act of 2022. She observes

The version of the postal bill that eventually passed balances the risk pools, and the Office of Personnel Management now estimates premiums should go down for postal and non-postal employees and retirees alike.

The new law keeps all postal workers in FEHB, in their own group. All workers will be able to keep their current plans and avail themselves of the annual open season to choose other options within FEHB. 

Future postal retirees will be required to enroll in Medicare A and B at 65. Retiree health coverage will then become a combination of Medicare and FEHB. 

The question now is whether that requirement will eventually be extended to all federal employees, and what effect that would have on the premiums retirees pay. If that happens, at least federal employees will face one less tough decision at the time of retirement.

The FEHBlog expects that PSHBP premiums will be materially lower than FEHB premiums because PSHBP will accept Medicare funding for prescription drug benefits in the form of Part D EGWPs. Federal law has permitted the FEHB to offer premium-reducing Part D EGWPs for nearly twenty years. Nevertheless, OPM and a string of Administrations from George W. Bush to Joe Biden have refused to implement that law. Implementing that law in 2005 when it first took effect likely would have avoided the balkanization of the FEHB that we will soon experience with the PSHBP.

The FEHBlog does not expect the FEHB to adopt the mandatory Part B approach being taken by the PSHBP. Fewer retiring federal employees are picking up Part B because of the income-adjusted Part B premiums. As basic and income-adjusted Part B premiums continue to climb and climb, the FEHBlog expects that the PSHBP will liberalize, and then do away with, mandatory Part B. Meanwhile, the PSHBP’s undoubtedly favorable experience with Medicare funding of prescription drugs will lead OPM to allow FEHB the same opportunity.

With both branches of the Program using Part D EGWPs and integrated Medicare Advantage plans, everyone will enjoy reasonable premiums for high-quality healthcare. That in turn could lead to a reunion of the two branches. Hopefully, the PSHBP will be a relatively brief experiment that leaves the FEHB Program stronger.

The saving grace of the FEHB Program is that everyone in a plan option pays the same premium and the premiums are pooled to cover all plan option enrollees. That’s the bedrock principle of group health insurance that the FEHB Program has shown to work.