OPM has posted additional FAQs about the data breach and the Washington Post provided more background here. The Post reports this afternoon that the OPM Inspector General has raised  with Congress“’serious concerns’ about a proposed $91 million computer overhaul of OPM networks [to prevent future breaches], saying it had not followed management guidelines and relied on a no-bid contract to a single vendor.”

Yesterday, the House Appropriations Committee cleared by a 30-20 vote the Financial Services and General Government Appropriations bill that funds the FEHBP. Here’s a link to the Week in Congress which reports that the House approved several health care / benefits related bills this week.

In a spot of good news, Healthcare Informatics reports that American consumers are hungry for healthcare pricing information, and Fierce Healthpayer offers health plans a special report about the benefits and challenges of reference pricing, an approach the FEHBlog favors.

Buck Consultants offers employers and health plans a report on the latest Internal Revenue Service guidance about ACA reporting under IRC § 6055 and 6056 (IRS Forms 1095-B and 1095-C). Section 6055 reports, which health plans must submit, provides the IRS with information to support individual taxpayer claims about compliance with the ACA’s individual shared responsibility mandate. Section 6056 reports, which applicable large employers much submit,provides the IRS with information about the compliance with the ACA’s shared responsibility mandate.  These reports present a major, annual headache for health plans and employers.

The FEHBlog watched (thanks to the Internet) most of the nearly three hour long Congressional hearing on the OPM data breach.  The FEHBlog’s takeaway (as a small businessperson) was the importance of a reliable IT security expert because there are a lot of moving parts to this problem. Also be careful about what you store on the computer. If you simply need to store sensitive documents, use a filing cabinet, at least for the time being.

OPM at the hearing contended that the root of its problem is outdated computer networks. However, according to media reports, which the FEHBlog previously has noted, the hackers who “exfiltrated” data from OPM also exfiltrated data from Anthem and Premera which certainly have modern systems and like OPM heavy security.

The fallout from the hearing has not not been favorable for OPM as Federal News Radio reports.  The Washington Post reports about widespread and valid criticism of OPM’s remedial approach of sending breach notification emails to affected individuals.

Yesterday CVS announced that it had struct a virtually permanent deal with Target stores to replace Target owned pharmacies located in their stores with CVS pharmacies according to this Forbes report. “The deal will increase CVS’s presence in key cities across the west, including Denver, Seattle, Portland, and Salt Lake City.”  Filling in these geographic gaps in the CVS pharmacy chain is helpful for FEHBP carriers that use the CVS Caremark prescription benefit management service.

Finally, and it’s an earthquake alert, the Wall Street Journal is reporting this morning that United Healthcare is bidding to purchase Aetna and Anthem is bidding to purchase CIGNA.  Those are the four largest health insurers in the U.S.

UnitedHealth made a preliminary takeover approach to Aetna Inc. in the last few days, people familiar with the matter said. Given Aetna’s market value of about $42 billion, any deal for the company would likely be valued at least that high. UnitedHealth has a market value of more than $110 billion. Aetna has been eyeing Humana Inc., which is exploring a sale. 

Meanwhile, Anthem and Cigna Corp. have been in discussions about a deal for months, though Cigna has rebuffed Anthem’s advances, according to people familiar with the matter. Based on the per-share price Anthem offered, a deal would be valued at some $45 billion.

Holy moley, batman.

As the FEHBlog mentioned on Friday Congress is in session on Capitol Hill this week. The Supreme Court has three more decision Mondays and conference Thursdays scheduled for this month, the last of its current session. The New York Times is keeping track of the major decisions here.

Here’s the latest Federal News Radio report on the OPM breach. The FEHBlog did not realize until he read this article that the government has discovered two breaches at OPM. The second breach involved security clearance forms.  The greatest irony here in the FEHBlog’s view is that this astounding data loss never would have occurred if we were living without the internet. The paper records or microfiched rolls would be safely stored in a large cave in Pennsylvania.  In retrospect (and what after all is a risk assessment other than the careful application of the retrospectoscope) it appears that the security clearance forms never should have been scanned into the computer network. We simply have many more years of experience in successfully securing paper documents than we have successfully securing computer files.  The FEHBlog trusts that everyone will be cutting back on these mega-databases until we can get this hacking problem solved.

Roll Call reports that the Senators from Maryland and Virginia have sent a letter to the OPM Director about the security breach. —  “criticizing the agency for a lack of transparency surrounding the breach affecting executive branch workers and failing to properly encrypt Social Security numbers.” But as the FEHBlog has pointed out it’s not currently feasible to encrypt sensitive databases that are constantly in use as explained in this article.  The article concludes

Protecting large databases like Anthem’s is a challenge. We need better software security, and we need better structural tools to isolate the really sensitive data from average, poorly protected machines. There may even be a role for encryption, but simply encrypting the social security numbers isn’t going to do much.

Here’s a link to a Modern Healthcare blog article breaking down Medicare Part B payments to specialists. CMS recently released the 2013 Medicare Part B payment data to doctors.  Oncologists get the paid the most on average and internists and general practitioners the least. No surprise there.

Here’s a link to The Week in Congress’s account of this week’s activities on Capitol Hill. Congress is back at it next Monday.

This afternoon, the ACA regulators announced that the finalization of the revised summary of benefits and coverage rule. The SBC of course is the ACA’s approach to creating transparency in health insurance shopping and the FEHBlog actually has seen one person use the SBCs for that purpose.  It is unfortunate but not surprising that the ACA did not require doctors to provide information about, for example, the networks in which they participate,  New York State recently implemented a no healthcare surprises law which does impose this requirement on providers.

The next SBC shoe to drop is the release of revised versions of the templates which, according to the announcement, are expected next year. The new templates would be used for the 2017 plan year.

The OPM data breach is now being referred to as a cyber Pearl Harbor by FCW. Here are recent reports from the the Wall Street Journal, Washington Post, and Wired magazine which illustrate the aptness of the description,  The FEHBlog was stunned by this Wall Street Journal report referenced in the Wired article:

“[F]our people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.”

The OPM Director appeared before a closed session of the House Intelligence Committee last night to discuss the data breach.  A Democratic Congressman spoke with the Hill about the session here.

Arstechnica.com has a very detailed and interesting article about the scope and likely causes of the breach. The simple fact of the matter is that the Chinese government backed hackers linked to the Anthem, Premera, and OPM hacks currently have an advantage over our defenses.  The arstechnica.com article discusses this problem.  The FEHBlog does think that the best solution now under development is an encryption solution that preserves the searchability of the data. However, the country needs to improve its hacking defenses. Easier said than done.

The American Medical Association installed its new president this week. Dr. Steven A. Stack is an emergency room doctor from Tennessee. Dr. Stack, who is 43 years old, is the AMA’s youngest president.  The FEHBlog heard Dr. Stack speak at a WEDI conference last fall, and he was very impressed. Take 6.28 minutes to watch this Modern Healthcare interview of Dr. Stack. He explains that the AMA’s goals are to improve outcomes in diabetes and hypertension, bring medical education into the current century, and restore joy to the practice of medicine. Good luck, Dr. Stack.

A Food and Drug Administration Advisory Committee this week is reviewing the marketing applications for a new and of course expensive speciality drug designed to reduce cholesterol levels when statins don’t work.  The Wall Street Journal explains that

This new class of medicines is often called PCSK9-inhibitors, because they block a protein called PCSK9, which interferes with the liver’s ability to clear so-called bad cholesterol from the bloodstream. That cholesterol, called LDL, is linked to cardiac disease, albeit imperfectly.

The Journal reports that the advisory committee recommended that the FDA approve Sanofi’s marketing application for a limited class of patients.  The committee takes up an Amgen marketing application today.

Congress remains in session this week. The House Oversight and Government Reform Committee has a new website which reminds the FEHBlog of the recently refreshed HHS.gov website. Small world.

The Federal Times, which also has a recently refreshed website which the FEHBlog dislikes, reports on Congress reaction to the OPM data breach. Nextgov.com reports that the Government’s $3 billion Einstein 3.0 anti-hacking program did not prevent breach even though it was installed on the Interior Department’s shared services network.

The tool only looks at the traffic coming into the network as it traverses the Internet service provider, said Ron Gula, chief executive officer of Tenable Network Security, a major contractor for agencies that perform continuous monitoring. DHS is offering all agencies sensors, consulting services and other network surveillance tools under a $6 billion contract.

“The fact that EINSTEIN saw the attack or observed the network traffic from a long time ago is different from the fact that it was recognized as an attack only recently,” he said. Essentially, EINSTEIN cannot act as a real-time detection system unless it knows the specific malware exists in the world. 

“At the end of the day, I actually give the federal government high marks for detecting this and reporting it,” Gula said. “It was caught relatively quickly. The reality is, you are not going to keep out all intruders. It’s not a reasonable expectation in today’s day and age.” 

If the FEHBlog managed Einstein’s estate, he would be asking that Einstein’s name be taken off this software. NPR posted an interview of several information security executives about the OPM breach. Here is the concluding snippet:

SHAHANI: OPM is offering victims 18 months of free credit monitoring and cyber-insurance. Jason Lewis, with the security firm Lookingglass, criticizes this offer, calls it knee-jerk.

JASON LEWIS: They offer that creditor monitoring like that is somehow going to protect people. There’s no protection from anything.

SHAHANI: He says in this new era where our digital lives are being stolen, credit monitoring doesn’t hurt, but it also doesn’t help. Aarti Shahani, NPR News.

If Mr. Lewis is implying that there is a way to prevent these attacks (other than encrypting data in motion which the FEHBlog understands is not yet feasible), the FEHBlog asks how? The FEHBlog does consider these credit monitoring services to be helpful.

Sitting between the drug manufacturers and the pharmacies, including the PBMs’ mail order pharmacies are the drug wholesalers.  Drug Channels reports on recent consolidation in that important sector.

The FEHBlog expects a lot out of personalized medicine. Therefore he was happy to see the Wall Street Journal’s report that a major personalized medicine study was announced at last week’s convention of the American Society of Clinical Oncologists.

The National Cancer Institute is launching a major trial in which it will play matchmaker between 1,000 advanced cancer patients and the growing cadre of drugs that can target tumors by their genetic mutations, not just where they occur in the body. 

The study, called NCI-Match, seeks to advance the emerging field of precision medicine by helping to spur development of drugs that precisely target mutations linked to tumor growth. At least 10 pharmaceutical companies will provide a total of more than 20 treatments to be tested—all under the structure of a single study. 

A key driver of the strategy is the fact that the same cancer-causing molecular traits are often found in a variety of tumor types, raising hope that a drug effective against the target in, say breast cancer, would be effective in a tumor originating in another organ. Indeed, Roche Holding AG’s breast-cancer drug Herceptin, which targets a receptor called Her2, turned out to be effective—and was eventually approved—for gastric tumors that have high levels of Her2. 

But the drug Zelboraf, which is especially effective against the skin cancer melanoma with a certain mutation in a gene called BRAF, turns out to have essentially no effect against colon cancer harboring the same mutation.
“It’s a much more complicated issue than most people would like to hear,” said Richard Pazdur, chief of oncology at the U.S. Food and Drug Administration and a supporter of the studies. “I would have some element of caution” toward assuming broad success in the approach.

Of course, Rome was not built in a day.

Finally the U.S. Supreme Court has four more decision days calendared for this term.  The FEHBlog will be watching the old Scotusblog on Mondays this month. But it’s possible that the Court could add a decision day particularly to the last week. The 2012 decision on the constitutionality of the ACA was handed down on Wednesday as the FEHBlog recalls.

Groups of hackers working for the Chinese government have to date compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as health insurance giant Anthem, among other targets, the researchers said.

“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm. “We suspect they’re using it to understand more about who to target, whether electronically or via human recruitment [for espionage].”

In other words, the OPM, Anthem, and Premera hacks, among others, represent a significant national security issue which requires nationwide cooperation between government and industry to defeat the hackers, not finger pointing. That will not be easy, but it has to be done.

Here’s a link to a the latest report from the Week in Congress, dated today. Congress will be in session on Capitol Hill again next week.

Modern Healthcare had two interesting articles on surveys:

• One article reports that Accenture found by survey that consumers prefer quality over choice in health plan provider networks.  Furthermore, 

Consumers are more loyal to their preferred airline or hotel chain than their doctors, he added. Only 26% of the 1,980 adults surveyed said they would definitely leave a network if their doctor stopped participating in it. Ninety-four percent said access to their medical records was the single most important piece of information-sharing.

They also valued things such as the ability to talk to their physician during and after business hours and tools such as online scheduling. “The assumption is that consumers are going to stay in these networks if their doctors are in the network,” Stephan said. “(But) it’s not about the doctor, it’s about the network experience.”

That is surprising to the FEHBlog.  

• The other reports that bioethicists are concerned that the current Medicare driven focus on patient satisfaction with hospital care may be leading to bad medical practices. 

The current metrics used to rate, rank and evaluate hospital quality continue to undergo scrutiny as the field of quality measurement advances in healthcare. Improvements are more frequently gained on easily tracked process measures, like using checklists and giving discharge instructions. But many have questioned whether focusing on those priorities will lead to improvements in patient outcomes such as lower mortality and lower readmission rates or result in unintended consequences.

That could likely be the case for patient satisfaction, the Hastings researchers suggest. “Pressure to tell patients what they want to hear and accede to unreasonable requests may increase the provision of unnecessary care,” and ultimately “lead healthcare astray, undermining the provision of optimum care for all.”

That does not surprise the FEHBlog.  

There were three articles in the Wall Street Journal today that caught the FEHBlog’s eye.

1. CMS released data on 2013 Medicare Parts A and B payments to hospitals, doctors, and other providers today.  The Journal which brought a successful lawsuit to force the annual release of this data observes that 

The top 1% of billers of the federal insurance program for the elderly and disabled in 2013 reaped 17.5% of all payments that year. That same cluster of doctors and other individual providers received 16.6% of the program’s payments in 2012, figures show.

      2.   The Journal also reported on shortages of oncology and painkilling drugs in the U.S.

Interviews with company executives, hospital pharmacists and regulators point to several causes of the shortages. Companies have failed to build enough production capacity, haven’t maintained equipment, and failed to ward off contamination in aging plants. A U.S. Food and Drug Administration crackdown on shoddy quality unintentionally worsened the shortages because some companies responded by shutting down plants or scaling back production during renovations.

Many of the scarce drugs are older, injectable treatments that can be complex and costly to manufacture, but which command relatively low prices because they aren’t protected by patent. Hospitals and doctors’ offices are the main buyers of the drugs. Companies can’t easily increase prices because insurers reimburse many generic hospital-administered drugs under a payment system that is more frugal than for other medicines.

             Perhaps insurers can re-evaluate this payment system.

3.   At the annual  meeting of the American Society of Clinical Oncologists, Leonard Saltz,  MD,  chief of gastrointestinal oncology at Memorial Sloan Kettering Cancer Center spoke truth to power (big pharma finances this conference) by criticizing the high price of oncology drugs according to this Journal report.  “Cancer-drug prices are not related to the value of the drug,” Dr. Saltz said. “Prices are based on what has come before and what the seller believes the market will bear.”  This cock-eyed pricing philosophy which drug manufacturers apply across the board is bankrupting the country.  

Congress returns to Washington this week. (In fact the Senate is in session now.)  June will be the last month of the Supreme Court’s current term. There are five Mondays in June on which opinions can be delivered, including the important ACA related decision in King v. Burwell.

Last Thursday, the Bipartisan Policy Center issued a set of recommendations on preventive healthcare  decision making focused on incorporating cost efficacy and community health concerns therein.   Modern Healthcare reflects on those recommendations here (note — the article’s headline is out of synch with its substance).

Last Friday, the FEHBlog noted that HHS is seeking public comment on the HIPAA health plan identifier which is now in a state of limbo (not an unusual status for HIPAA standards). Here’s a Health Data Management overview of that situation.  Here is recent provider testimony to HHS’s National Committee of Vital and Health Statistics (“NCVHS”) on the utility of a health plan ID.  What’s puzzling to the FEHBlog given all of the Congressional buzz over adding interoperability to electronic medical records is why isn’t HHS urging Congress to fund the adoption of a HIPAA patient ID. That certainly would aid interoperability.

The FEHBlog also found this update on CAQH CORE operating rules on the NCVHS website.  Congress as part of the ACA doubled down on HIPAA by incorporating into that law these privately developed rules intended to facilitate electronic claim transactionx. NCVHS is holding a two day hearing on the HIPAA standards and operating rules on June 16 and 17,