David Ermer, Author at Ermer and Suter PLLC

Monday Roundup

David Ermer–CMS, FDA, HIPAA Privacy and Security Rules, Medical / Rx research, U.S. Healthcare–April 22, 2024April 22, 2024

From Washington, DC,

American Hospital News reports
- “The Centers for Medicare & Medicaid Services April 22 finalized minimum staffing requirements for nursing homes that participate in Medicare and Medicaid. As proposed in September, the final rule will require nursing homes to provide a minimum of 3.48 hours of nursing care per resident day, including 0.55 hours of care from a registered nurse per resident day and at least 2.45 hours of care from a nurse aide per resident day, as well as 24/7 onsite RN services. CMS slightly expanded the opportunity for facilities to seek exemptions from the requirements from its original proposal. AHA had urged CMS not to finalize the proposal but instead develop more patient- and workforce-centered approaches focused on ensuring a continual process of safe staffing in nursing facilities.”

KFF adds
- “KFF estimates that 19% of nursing facilities would meet the minimum HPRD staffing standards under full implementation of the final rule with their current staffing levels (Figure 1). Nearly 60% of facilities would meet the interim requirement of an overall requirement of 3.48 HPRD, but fewer facilities would meet the RN and nurse aide provisions that are required when the rule is fully implemented (49% and 30% respectively; data not shown).”

HHS’s Office for Civil Rights announced a final amendment to the HIPAA Privacy rule concerning reproductive health. The final rule
- “Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
- “Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
- “Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.
- “The Final Rule may be viewed here – PDF.
- “View The Final Rule Fact Sheet here.”

AHA News adds,
- “The rule will take effect 60 days after publication in the Federal Register and require covered entities to comply within 240 days. As requested by the AHA, OCR plans to issue a model attestation form before the compliance date.”

HHS’s Office of the National Coordinator of Health IT announced that
- “Common Agreement Version 2.0 (CA v2.0) has been released. The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road. The seven designated Qualified Health Information Networks™ (QHINs™) under the Trusted Exchange Framework and Common Agreement℠ (TEFCA℠) can now adopt and begin implementing the new version. Also published today is the Participant and Subparticipant Terms of Participation, which sets forth the requirements that each Participant and Subparticipant must agree to and comply with to participate in TEFCA.”Common Agreement Version 2.0 (CA v2.0) has been released.
- “The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road. The seven designated Qualified Health Information Networks™ (QHINs™) under the Trusted Exchange Framework and Common Agreement℠ (TEFCA℠) can now adopt and begin implementing the new version. Also published today is the Participant and Subparticipant Terms of Participation, which sets forth the requirements that each Participant and Subparticipant must agree to and comply with to participate in TEFCA.
- ?Notably, CA v2.0 includes enhancements and updates to require support for Fast Healthcare Interoperability Resources® (FHIR®) Application Programming Interface (API) exchange, which will allow TEFCA Participants and Subparticipants to more easily exchange information directly between themselves and will enable individuals to more easily access their own health care information using apps of their choice via TEFCA. These enhancements and updates mark a huge step forward for TEFCA as it meets the promise of seamless nationwide exchange at scale. Visit HealthIT.gov to view a list of key concepts that have evolved from Common Agreement v1.1 to v2.0.”

Federal News Network shared the results of survey of federal employee attitudes toward the push to return to office.
- “Of the 6,300 survey respondents, about 30% said they work entirely remotely, 6% work entirely in-person and 64% were working on a hybrid schedule — a mix of in-person work and telework.
- “Over half of employees said senior leadership at their agency had not clearly explained the purpose of returning to the office. More than a third were in strong disagreement.”

From MedTech Dive,
- “The Food and Drug Administration approved Lumicell’s breast cancer imaging tool, the company said Thursday.
- “Lumicell developed the Lumisystem imaging technology to enable surgeons to detect residual cancer in the breast cavity after performing a lumpectomy to remove the tumor.
- “An FDA advisory committee voted in March that the benefits of Lumisystem outweigh the risks, with one expert predicting the system will have the biggest impact on surgeons who have higher re-excision rates.”

From the public health and medical research front,

The New York Times asks and considers,
- Bird Flu Is Infecting More Mammals. What Does That Mean for Us?
- H5N1, an avian flu virus, has killed tens of thousands of marine mammals, and infiltrated American livestock for the first time. Scientists are working quickly to assess how it is evolving and how much of a risk it poses to humans. * * *
- “I never let my kids go to a state fair or animal farm, I’m one of those parents,” Dr. Lakdawala said. “And it’s mostly because I know that the number of interactions that we increase with animals, the more opportunities there are.”
- “Should H5N1 adapt to people, federal officials will need to work together and with their international counterparts. Nationalism, competition and bureaucracy can all slow down the exchange of information that is crucial in a developing outbreak.
- “In some ways, the current spread among dairy cows is an opportunity to practice the drill, said Rick Bright, the chief executive of Bright Global Health, a consulting company that focuses on improving responses to public health emergencies. But the U.S. Agriculture Department is requiring only voluntary testing of cows, and is not as timely and transparent with its findings as it should be, he said.
- “Dr. Rosemary Sifford, the department’s chief veterinarian, said the staff there were working hard to share information as quickly as they can. “This is considered an emerging disease,” she said.
- “Government leaders are typically cautious, wanting to see more data. But “given the rapid speed at which this can spread and the devastating illness that it can cause if our leaders are hesitant and don’t pull the right triggers at the right time, we will be caught flat-footed once again,” Dr. Bright said.
- “If we don’t give it the panic but we give it the respect and due diligence,” he added, alluding to the virus, “I believe we can manage it.”

MedPage Today discusses the ready availability of human vaccines for the H5H1 avian flu virus should the need arise.

Precision Vaccinations reminds us,
- “In April 2024, the United States observes the 15th Annual Oral Cancer Awareness Month, which emphasizes the significance of preventing human papillomavirus (HPV)- related oral cancers [with HPV vaccines].

HealthDay tells us,
- “The right diet may be the best medicine for easing the painful symptoms of irritable bowel syndrome (IBS), new research shows.
- “In the study, two different eating plans beat standard medications in treating the debilitating symptoms of the gastrointestinal disease. One diet was low in “FODMAPs,” a group of sugars and carbohydrates found in dairy, wheat and certain fruits and vegetables, while the second was a low-carb regimen high in fiber but low in all other carbohydrates.
- “Published April 19 in the journal Lancet Gastroenterology and Hepatology, the findings suggest that patients should first try dietary changes before moving to drugs for relief.”

MedScape informs us,
- “A new three-phase screening protocol that incorporates a PSA test, a four-kallikrein panel, and an MRI scan appears to improve the prostate cancer detection rate among men invited to participate in a single screening compared with those not invited, according to preliminary findings from the Finnish ProScreen randomized clinical trial.”

From the U.S. healthcare business front,

The Wall Street Journal reports,
- “UnitedHealth’s results beat Wall Street expectations on an adjusted basis, with the company noting that overall care patterns in the first quarter were“consistent with the company’s expectations.” Nothing to worry about here, executives repeatedly told investors, who promptly sent UnitedHealth’s stock soaring and hospital shares tanking. Then on Thursday, Elevance offered more relief, saying that costs were running as expected while raising its full-year earnings guidance.
- “Various monthly surveys are also showing a moderation in hospital volumes. TD Cowen’s survey, for instance, found that 305 hospitals reported only 1% year-over-year revenue growth in March, which was far weaker than 11% growth in February. Analysts led by TD Cowen’s Gary Taylor suggested that we could be at the start of a reversal of hospitals’ outperformance over managed care companies.
- “Investors will find out more this week as providers including Universal Health and HCA Healthcare, two large hospital chains, report earnings. HCA might still deliver solid results, as improvements in labor cost pressures and pricing should still positively influence earnings, notes UBS analyst A.J. Rice.
- And in any case, stabilization of healthcare utilization isn’t the same as a sharp drop-off. UnitedHealth and Elevance earnings may have signaled to investors that their views on providers were perhaps a bit too rosy, but they didn’t exactly demonstrate that cost pressures have eased. UnitedHealth noted that while it was no longer seeing the “aggressive acceleration” in medical utilization the industry saw in 2023, it hasn’t yet seen a major “step down.”

Per Fierce Healthcare,
- “UnitedHealth Group provided an update late Monday on its analysis of the data accessed in the cyberattack on Change Healthcare, and said it identified files that contain personal and health information.
- “The company said that the personal health information (PHI) and personally identifiable information (PII) found in the files “could cover a substantial proportion of people in America.” However, UHG said it has not yet uncovered evidence that full medical histories or doctors’ charts were among what was stolen.
- “UnitedHealth added that with the complexity of the review, it will likely take months of further analysis to identify and notify impacted customers. In the meantime, it’s offering two years of credit monitoring and identity theft protection to anyone who has been effected by the breach.
- “In addition, the company has also offered to make notifications and conduct required administrative steps on behalf of providers and customers.”

Per BioPharma Dive,
- “Bristol Myers Squibb is turning to a manufacturing startup to help produce cancer cell therapies faster, announcing Monday a partnership with the South San Francisco, California-based Cellares.
- “The deal, which reserves Cellares’ production capacity for Bristol Myers’ use, is worth up to $380 million in upfront and milestone payments. Cellares will handle technology transfer of certain Bristol Myers cell therapies to its automated manufacturing platform, dubbed the Cell Shuttle.
- :Bristol Myers currently sells two so-called CAR-T cell therapies, Breyanzi for lymphoma and Abecma for multiple myeloma, and has several others in development. In a statement, Lynelle Hoch, head of the pharmaceutical company’s cell therapy unit, said the Cellares deal would help it meet demand for CAR-T therapies “now and in the future.”

Weekend Update

David Ermer–Congress, OPM, U.S. Healthcare–April 21, 2024April 21, 2024

From Washington, DC,

In view of this week’s Passover holiday, the House of Representatives is not holding floor voting and has two outside of DC hearings scheduled. The Senate has no hearings scheduled but does plan floor voting on Tuesday.

The Government Accountability Office posted a report on public health preparedness.
- “Health and Human Services was initially charged with coordinating the federal response to a 2022 global outbreak of mpox—a smallpox-related virus.
- “State and local jurisdictions cited challenges in the federal response such as difficulty accessing and using vaccines and tests, which may have led to unnecessary suffering. We added HHS’s leadership and coordination of public health emergencies to our High Risk List earlier in 2022 due to similar issues in past responses.
- “We recommended that HHS adopt a coordinated, department-wide program that incorporates input from external stakeholders to identify and resolve challenges.”

FedSmith offers its take on OPM’s benefit administration letter about tightening FEHB eligibility oversight.
- “OPM will use its newly completed FEHB Master Enrollment Index (MEI) to run queries that can spot certain enrollment irregularities in existing enrollments. If any are found that raise questions, OPM will notify agencies to review those enrollments.”
- In the FEHBlog’s view, the Master Enrollment Index will not be reliable until OPM starts using the HIPAA 820 electronic enrollment roster transaction which will allow carriers to reconcile individual enrollments with premiums received.

From the public health and medical research front,

The Washington Post reports on ongoing efforts to create a global pandemic preparedness accord.
- “The United States has signaled its support for a legally binding agreement, including leveraging its purchasing power to expand access to medicines around the world. But the United States, like many European Union countries, is the object of mistrust because it is the seat of the powerful pharmaceutical industry, which is reluctant to relax control over manufacturing know-how.”

Fortune Well discusses how to keep your water bottle clean.
- “Like many people, Carl Behnke regularly totes a water bottle around throughout his day. From the office to the gym and back home again, Behnke is rarely without it. But Behnke is also an associate professor in the school of hospitality and tourism management at Purdue University, and when he discovered a “biofilm” on the inside of his water bottle while cleaning it, it got his wheels turning. “I realized I probably wasn’t as diligent about cleaning my water bottle as I should be,” he explains. “And that made me curious: if someone who knows about food safety isn’t diligent, what about everyone else?”
- “That question led to a study, conducted by Behnke and a cohort of academics and scientists into how reusable bottle contamination levels are affected by usage and cleaning behaviors. The group set about to measure contamination levels of water bottles, and to understand how those levels are affected by usage and cleaning behaviors. If you’re regularly drinking water from a reusable bottle, their findings might prompt you to reconsider your own water bottle handling practices. * * *
- “Dr. Yuriko Fukuta, assistant professor of medicine—infectious diseases at Baylor College of Medicine, agrees. “We’re constantly touching our water bottles with our mouths and hands, so it’s easy to transmit bacteria to them, and then it just grows,” she says “In some cases, this can make you sick, especially if you have a weaker immune system.” * * *
- According to Fukuta, your best bets are bottles with a wide mouth, which make them easy to clean and dry, those with a built-in straw that keeps your hands away if possible.
- If your goal is to keep your water bottle from turning into a germy breeding ground, the simplest approach is Behnke’s, which he changed after conducting the research. “I rinse my bottle once a day,” he says, “and wash it once a week, using good detergent, a bottle brush, and a spray of Clorox bleach.”

Fortune Well offers more food and nutrition tips:
- It’s not 8 glasses a day anymore. Here’s how much water you should drink each day
  - “The National Academy of Science, Engineering and Medicine recommends an average daily water intake of about 125 ounces for men and about 91 ounces for women. If you’re not filling up a bottle to exactly that amount every day, you’re probably still close or even over, because you also get water from food, says Scott.
  - “You can get a lot of hydration from foods like celery, oranges, strawberries, watermelon, and cucumbers,” she says. “All are hydrating foods that can actually help supplement your water intake.”
- Do turmeric supplements really treat pain, boost mood, and improve allergies? Experts say they work best for 2 conditions
- Does apple cider vinegar really help with weight loss and lower cholesterol? Experts explain the science-backed benefits and how much to take
- The dark side of daily vitamin D supplements: After a man died from an ‘overdose’ in the UK, experts explain how much is healthy

Cybersecurity Saturday

David Ermer–Cybersecurity, Generative AI, Uncategorized–April 20, 2024April 20, 2024

From the cybersecurity policy front,

Cyberscoop informs us,
- “FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
- “Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
- “More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
- “The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.”

The Hill reports,
- “Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.”Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.
- “We have tremendous concern about the future of AI and the direction it is allowing criminal actors to take, including more sophisticated deepfakes that ultimately form the first step in the chain of ransomware attacks,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology.”

Cybersecurity Dive adds,
- The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a report released Wednesday.
- The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including:
  - Concerns about a ban’s impact on ransom payment reporting by victims.
  - The potential to drive more payments underground.
  - And the unintended consequences and practicalities of critical infrastructure exemptions.
  - Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.”
- “While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”

HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, continues to update its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” website.

The U.S. Government Accountability Office released a report titled “Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions.”
- “In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.
- “These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.
- “We recommended that these agencies implement the order’s remaining requirements.”

The Cybersecurity and Infrastructure Security Administration Agency (CISA) announced,
- “CISA hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.
- “The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup; two Individuals tracks -– Track A which focuses on defensive work roles and tasks from the NICE Framework, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B which focuses on offensive work roles and tasks, and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.
- “This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.”

From the cybersecurity vulnerabilities and breaches front,

Cybersecurity Dive reports,
- “Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products.
- “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
- “Since releasing the initial advisory on Friday [April 12], the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.”

On April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an update on the Palo Alto Networks Firewalls (CVE-2024-3400).
- On April 12, 2024, Palo Alto Networks issued a warning about CVE-2024-3400, a zero-day command injection vulnerability found in its firewalls operating PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. There have been an increasing number of attacks observed against this vulnerability since its release. In the original advisory, it was believed that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks. Hotfixes were also released starting on April 14, 2024. HC3 strongly encourages all organizations to review the updated security advisory and apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
Per Cybersecurity Dive,
- “The rapid adoption of artificial intelligence tools is potentially making them “highly valuable” targets for malicious cyber actors, the National Security Agency warned in a recent report.
- “Bad actors looking to steal sensitive data or intellectual property may seek to “co-opt” an organization’s AI systems to achieve, according to the report. The NSA recommends organizations adopt defensive measures such as promoting a “security-aware” culture to minimize the risk of human error and ensuring the organization’s AI systems are hardened to avoid security gaps and vulnerabilities.
- “AI brings unprecedented opportunity, but also can present opportunities for malicious activity,” NSA Cybersecurity Director Dave Luber said in a press release.”

Dark Reading adds,
- “A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that’s about to change, according to a team of academics.
- “Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren’t as effective.
- “Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis a promising use-case example.”
and
- “An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
- “Password managers store all of a user’s passwords — for Instagram, their job, and everything in between — in one place, protected by one “master” password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they’ll have keys to every single one of the accounts within.
- “Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism.
- “CryptoChameleon attacks tend not to be so widespread, but they’re successful at a clip largely unseen across the cybercrime world, “which is why we typically see this targeting enterprises and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because you’re obviously going to be able to monetize that at the end of the day.”

Healthcare IT Security lets us know,
- “Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”
- “Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.
- “The realities of healthcare IT’s complexities, “not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations,” make it hard for the industry to protect itself, according to Devon Ackerman, Kroll’s global head of incident response and cyber risk.”

From the ransomware front,

SC Media reports,
- “The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States. [Here is a link to CISA’s Stop Akira Ransomware sire.]
- “The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.
- “CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.
- “Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.”
and
- “Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
- “In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
- “Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come. * * *
- “The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers’ impending sieges as they continue sharpening their capabilities.”

TechTarget identifies the top 13 ransomware targets in 2024 and beyond.

Bleeping Computer’s the Week in Ransomware is back.

From the cybersecurity defenses front,

Here’s a link to Dark Reading’s CISO Corner.

“Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.”
- “HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?
- “PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
- “It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
- “CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.”

Healthcare Dive also reports on how cybersecurity took center stage at the American Hospital Association conference held last week.
- “The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
- “Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That’s a euphemism, folks, for Russia, China, North Korea and Iran.”

On April 15, CISA issued joint guidance deploying AI systems securely.

Tech Target offers four tips on securing cybersecurity insurance this year.

An ISACA expert discusses “Evolving Threats to Cloud Computing Infrastructure and Suggested Countermeasures.”

Friday Factoids

David Ermer–CDC, COVID-19, FDA, Federal employment benefits, Generative AI, Medical / Rx research, Medicare, Mental health care, Obesity, U.S. Healthcare–April 19, 2024April 19, 2024

From Washington, DC,

Healthcare Dive informs us,
- “Providers and drugmakers are once again at odds over the 340B drug discount program: this time, over a rule finalized by the Biden administration on Thursday making changes to its dispute resolution process.
- “The final rule, which will become effective in mid-June, is meant to make dispute resolution more accessible and efficient, according to the Health Resources and Services Administration, or HRSA, the agency that oversees 340B. Along with lowering barriers to enter the process, the rule requires parties to make a good faith effort to resolve disputes before bringing them to arbiters and creates an appeals process if either party doesn’t like the result.
- “Provider groups the American Hospital Association and 340B Health said the rule should streamline the arbitration process and preserve the integrity of the controversial program. Meanwhile, pharmaceutical lobby PhRMA said the new process “panders to 340B hospitals” while ignoring drugmakers’ concerns.”

KFF lets us know,
- “Federal data from 2019 shows just 4% of potentially eligible enrollees participated in the program, a figure that appears to have held steady through 2023, according to a Mathematica analysis. About 12,000 physicians billed Medicare under the CCM mantle in 2021, according to the latest Medicare data analyzed by KFF Health News. (The Medicare data includes doctors who have annually billed CCM at least a dozen times.)
- “By comparison, federal data shows about 1 million providers participate in Medicare.
- Even as the strategy has largely failed to live up to its potential, thousands of physicians have boosted their annual pay by participating, and auxiliary for-profit businesses have sprung up to help doctors take advantage of the program. The federal data showed about 4,500 physicians received at least $100,000 each in CCM pay in 2021. * * *
- “This program had potential to have a big impact,” said Kenneth Thorpe, an Emory University health policy expert on chronic diseases. “But I knew it was never going to work from the start because it was put together wrong.”
- “He said most doctors’ offices are not set up for monitoring patients at home. “This is very time-intensive and not something physicians are used to doing or have time to do,” Thorpe said.”

Reg Jones offers “A Refresher Course on FEGLI Life Insurance” in FedWeek.

From the public health and medical research front,

The Centers for Disease Control reports today,
- “The amount of respiratory illness (fever plus cough or sore throat) causing people to seek healthcare continues to decrease across most areas of the country. This week, 2 jurisdictions experienced high activity compared to 1 jurisdiction experiencing high activity the previous week. No jurisdictions experienced very high activity.
- “Nationally, emergency department visits with diagnosed influenza are decreasing. Emergency department visits with COVID-19 and RSV remain stable at low levels.
- “Nationally, COVID-19, influenza, and RSV test positivity decreased compared to the previous week.
- “Nationally, the COVID-19 wastewater viral activity level, which reflects both symptomatic and asymptomatic infections, remains low.”

The National Institutes of Health announced,
- “Despite Food and Drug Administration (FDA)-approval of seven next-generation antibiotics to fight infections caused by resistant “gram-negative” bacteria, clinicians frequently continue to treat antibiotic-resistant infections with older generic antibiotics considered to be less effective and less safe, according to a study by researchers at the National Institutes of Health’s (NIH) Clinical Center. Researchers examined the factors influencing doctors’ preference for newer antibiotics over traditional generic agents to shed light on the decision-making processes among clinicians when treating patients with challenging bloodstream infections caused by gram-negative bacteria and significant comorbidities.
- “The study revealed that at a considerable proportion of hospitals, particularly smaller facilities located in rural areas, staff were reluctant to adopt newer antibiotics. Researchers identified a large cost disparity between older and newer classes of antibiotics; the newer drugs can cost approximately six times more than the older medications, which could disincentivize prescribing.
- “Researchers also highlight that next-gen agents are prescribed more often at hospitals where lab results that show the medications are effective against a patient’s bacterial infection are reported to prescribers. Scientists suggest that earlier and more widespread availability of such lab testing might improve use. Additionally, authors recommend that future public health policies and economic strategies on further development and use of similar antibiotics should be designed to identify and overcome additional barriers.
- “Gram-negative bacteria are a class of bacteria resistant to multiple drugs and increasingly resistant to most antibiotics. According to the Centers for Disease Control and Prevention, they are able to find new paths of resistant and pass along genetic material that enables other bacteria to become drug resistant.”

The American Hospital Association News adds,
- “In clinical trials involving 220,000 patients at 59 HCA Healthcare hospitals, algorithm-driven computerized alerts helped clinicians better identify the appropriate antibiotic for 28% of patients with pneumonia and 17% of patients with urinary tract infections, according to studies funded by the Centers for Disease Control and Prevention published April 19 in JAMA. To reduce antibiotic resistance, physicians treating patients with a low risk for antibiotic-resistant bacteria were prompted to give standard-spectrum antibiotics.”In clinical trials involving 220,000 patients at 59 HCA Healthcare hospitals, algorithm-driven computerized alerts helped clinicians better identify the appropriate antibiotic for 28% of patients with pneumonia and 17% of patients with urinary tract infections, according to studies funded by the Centers for Disease Control and Prevention published April 19 in JAMA. To reduce antibiotic resistance, physicians treating patients with a low risk for antibiotic-resistant bacteria were prompted to give standard-spectrum antibiotics.
- “Pneumonia and urinary tract infections are two of the most common infections requiring hospitalization and a major reason for overuse of broad-spectrum antibiotics,” said Sujan Reddy, M.D., medical officer in CDC’s Division of Healthcare Quality Promotion. “The INSPIRE trials have found a highly effective way to help physicians follow treatment recommendations to optimize antibiotic selection for each patient. These trials show the value of harnessing electronic health data to improve best practice.”

Health IT Analytics tells us,
- “Artificial intelligence (AI)-driven tools can improve the skin cancer diagnostic accuracy of clinicians, nurse practitioners and medical students, according to a study published last week in npj Digital Medicine.
- “The researchers underscored that AI-based skin cancer diagnostic tools are developing rapidly, and these tools are likely to be deployed in clinical settings upon appropriate testing and successful validation.”

From the U.S. healthcare business front,

Per BioPharma Dive,
- “Alvotech and U.S. commercial partner Teva have signed a “long-term agreement” with an unspecified company to boost access to their biosimilar version of AbbVie’s blockbuster drug Humira, Alvotech said Friday. An Alvotech spokesperson declined to provide specifics.
- “The deal comes seven weeks after the Food and Drug Administration approved Alvotech’s biosimilar, Simlandi, which the agency previously rejected multiple times. For patients to receive treatment, Alvotech and Teva must first cut deals with drug wholesalers, pharmacies and insurers that negotiate prices before agreeing to cover the therapy.
- “CVS Health, whose pharmacy benefit manager is the country’s largest by prescription claims, removed Humira from its national formularyon April 1. Wall Street analysts have already reported substantial declines in Humira prescriptions over the last few weeks, when compared to the same period in 2023.”

According to Beckers Hospital Review,
- “Change Healthcare has reinstated 80% of the functionality for its claims, payment and pharmacy services following a February ransomware attack, the company said.
- “Those three areas represent most of Change Healthcare’s customers and continue to be restored, according to an April 16 earnings call from parent company UnitedHealth Group.
- “Now we’ve still got work to do,” said Roger Connor, CEO of OptumInsight, the UnitedHealth unit that includes Change, during the call. “We’ve got another set of products coming online … in the coming weeks, but pleased with that progress.”

The AHA News reports,
- “Patients went out-of-network 3.5 times more often to see a behavioral health clinician than a medical/surgical clinician in 2021, and up to 20 times more often for certain behavioral health visits, according to a new study by RTI International. For example, patients went out-of-network 8.9 times more often to see a psychiatrist, 10.6 times more often to see a psychologist, 6.2 times more often for acute behavioral inpatient care, and 19.9 times more often for sub-acute behavioral inpatient care.”

The Wall Street Journal reports,
- “Social media is displacing physicians as the trusted authorities on whether patients should take one of the medicines. People are not only deciding to take a weight-loss drug—called GLP-1s— based on posts by friends and influencers but sometimes also skipping their doctor to go with one mentioned online.
- “The virtual word-of-mouth can come across as authentic and accessible. People say they appreciate the tips and support they get from other online users. But many influencers and friends on social media play up all the pounds a person lost while playing down side effects that can be nasty, such as painful headaches and bouts of vomiting. Some omit the risks altogether.
- “Unlike company drug advertisements, social-media posts don’t have to describe a drug’s side effects, suggest other resources or tell people to speak with their doctors.”
Ruh roh. This is why health plans are offering coaching services to these folks.

Thursday Miscellany

David Ermer–CDC, Congress, FDA, Medical / Rx research, Medicare, Mental health care, NIH, Rx coverage, SDOH, U.S. Healthcare–April 18, 2024April 18, 2024

From Washington, DC,

The U.S. National Guard Association informs us,
- “More than 100,000 drilling National Guardsmen and Reservists who are full-time federal employees would be eligible to purchase TRICARE Reserve Select health care under legislation introduced in both the House and Senate last week.
- “Most drilling Guardsmen and Reservists have been able to buy low-cost TRS for more than 15 years. But the 2008 law that created the current program excluded these service members from the more-expensive Federal Employees Health Benefits program. This exclusion includes the Guard and Reserve’s dual-status technicians. And while a provision in the fiscal 2020 National Defense Authorization Act lifts this prohibition, the change does not take effect until 2030.
- “The Servicemember Healthcare Freedom Act of 2024 would allow federal employees to enroll in TRS once the legislation is enacted. The bill was introduced by Sen. Richard Blumenthal, D-Conn., and co-sponsored by Sens. Kyrsten Sinema, I-Ariz., Tina Smith, D-Minn., and John Fetterman, D-Pa., in the Senate. Reps. Jen Kiggans, R-Va., and Andy Kim, D-N.J., introduced the measure in the House. Kim is the Democratic co-chair of the House National Guard and Reserve Caucus.
- “The legislation affects roughly 113,000 Guardsmen and Reservists, according to a fact sheet from Blumenthal’s office. This figure includes approximately 67,000 Guard and Reserve dual-status technicians, who must be drilling service members to maintain their full-time employment.
- “Cost is often the big difference between TRS and FEHBP. For example, the widely used FEHBP Blue Cross Basic Option costs $150 a month for a single adult, per Blumenthal’s office. The same TRS coverage is $51.95 a month. The average family of four spent $657.04 each month on health care though FEHBP last year, according to the same fact sheet. Family plans through TRS cost $246.87 a month. * * *
- “TRS also provides continuity of care during service members’ mobilizations and demobilizations.”

The Office of Personnel Management issued a press release about a “New Benefits Administration Letter to Promote the Integrity of the Federal Employees Health Benefits Program.” This was the action discussed in Federal Times and Federal News Network articles that the FEHBlog discussed yesterday. The press release adds,
- “OPM has proposed legislation in its FY2025 Congressional Budget Justification which would enable OPM consistent access to funds from the Employee Health Benefits Fund to build a Central Enrollment system for the FEHB Program. Current FEHB eligibility determination and enrollment is highly decentralized and requires cooperation between nearly 100 employing offices responsible for determining eligibility and enrolling more than 8 million members. These benefits are delivered by 68 health insurance carriers in 2024.    
- “Since 2022, and following passage of the Postal Service Reform Act, OPM began developing the Postal Service Health Benefits Program to include a centralized enrollment platform. The PSHB accounts for more than 20 percent of current FEHB enrollees. If funded, OPM could extend this same central enrollment system to all FEHB enrollments, which would allow OPM to manage and make consistent all FEHB enrollments and remove individuals who cease to be eligible for the program. ”   
OPM also should provide carriers with HIPAA 820 electronic enrollment rosters to systematically reconcile premiums to individual enrollees, thereby assuring that each enrollee is paying the appropriate premium.

WTW, a major consulting firm, posted an article about the final 2025 notice of benefits and payment parameters which calls attention to a point on which the FEHBlog has not yet focused.
- CMS adopted a rule to remove the regulatory prohibition on issuers from including routine non-pediatric dental services as an essential health benefit (EHB). This change would allow states to update their EHB-benchmark plans to add routine adult dental services as an EHB, removing regulatory and coverage barriers to expanding access to adult dental benefits.
- If a self-insured [or any FEHB] plan adopts a state benchmark plan that covers non-pediatric dental as an EHB and that plan covers non-pediatric dental, then the plan could not impose annual or lifetime dollar limits on that coverage (unless the coverage meets the requirements to be an excepted benefit or limited scope dental).

The American Hospital Association News reports,
- “The Federal Trade Commission, Justice Department and Department of Health and Human Services April 18 launched HealthyCompetition.gov, an online portal for the public to report potentially unfair and anticompetitive health care practices. The FTC and the Justice Department’s Antitrust Division plan to review complaints for the appropriate agency to investigate if it raises sufficient concern under antitrust laws or HHS authorities.”

HR Dive tells us,
- “The U.S. Supreme Court held Wednesday that employees challenging discriminatory transfers at work do not need to prove they suffered “significant” harm under Title VII of the Civil Rights Act of 1964; instead, they need only prove harm was done.
- “To demand ‘significance’ is to add words to the statute Congress enacted,” the high court ruled in Muldrow v. City of St. Louis. “It is to impose a new requirement on a Title VII claimant, so that the law as applied demands something more than the law as written. That difference can make a real difference for complaining transferees.”
- “In the case, a police sergeant alleged she was transferred out of the intelligence division because of her sex and given less “prestigious” duties, a worse schedule and fewer job perks.”

The U.S. Census Bureau reports,
- “The percentage of adults age 65 and older covered by both private health insurance and Medicare decreased from 47.9% in 2017 to 39.6% in 2022, reflecting older adults’ increased reliance on Medicare coverage alone.
- “Dual coverage rates decreased almost every year during that period, except from 2020 to 2021, while rates of Medicare coverage alone significantly increased during the same period, from 37.6% to 44.8%, according to a new analysis of data from the 2023 Current Population Survey Annual Social and Economic Supplement (CPS ASEC).
- “Much of the increase in the share of older adults relying solely on Medicare was driven by a drop in the share of those also receiving private coverage.”
Although OPM waited much too long to allow FEHB plans the opportunity to offer Part D EGWPs, OPM to its credit has not followed the lead of many private employers which leave their retirees to Medicare alone.

The Social Security Administration has made available an interview with its new Commissioner Martin O’Malley who discussed his top priorities: “1) Reduce call wait times, 2) Issue faster disability decisions, 3) Resolve inequities in overpayments and underpayments.”

From the public health and medical research front,

Per MedPage Today,
- “The CDC and FDA are warning about a multistate outbreak of Salmonella typhimuriumopens in a new tab or window infections linked to fresh basil sold at Trader Joe’s stores in over two dozen states.
- “Twelve cases have been reported across seven states as of April 17, including one hospitalization. Exposure to fresh organic basil from Trader Joe’s prior to illness was confirmed in seven of eight individuals with additional case information.
- “Miami-based Infinite Herbs, which makes the basil, has agreed to a voluntary recall, and the herbs have been pulled from store shelves.
- “If you already bought organic basil from Trader Joe’s and removed it from the packaging or froze it and cannot tell if it was Infinite Herbs-brand, do not eat or use it and throw it away,” the FDA said in its statementopens in a new tab or window.
- “The product was sold in a 2.5-oz clamshell-style container at Trader Joe’s stores in Washington, D.C., and 29 statesopens in a new tab or window, with most east of the Mississippi River. Cases have been reported in Florida, Georgia, Minnesota, Missouri, New Jersey, Rhode Island, and Wisconsin.
- “An investigation is ongoing to determine whether additional products are linked to the illnesses, the FDA noted.”

The NIH Director, in her blog, pointed out,
- “Pregnancy and childbirth are often thought of as joyful times. Yet, we know that mental health conditions including perinatal depression, anxiety, and post-traumatic stress disorder (PTSD) are common complications during and after pregnancy, and this is contributing to a maternal health crisis in this country.
- “Now, a trio of NIH-supported studies reported in the journal Health Affairs show that diagnosis and treatment of mental health conditions such as anxiety, depression, and PTSD during pregnancy and in the first year after giving birth rose significantly in Americans with private health insurance from 2008 to 2020. While these are encouraging signs of increasing mental health awareness and service use, these studies also showed that this increase hasn’t happened equally across all demographic groups and states, making it clear there’s more work to do to ensure that people from all walks of life have access to the care they need, regardless of their race, ethnicity, geographic location, financial status, or other factors. * * *
- “It will be important to learn in future studies more about those who may still not be receiving the mental health care they need. The researchers report plans to look deeper into changes that have taken place at the state level and the impact of the pandemic and the rise of telehealth since 2020. Other recent NIH-supported research suggests that relatively straightforward interventions to reduce postpartum anxiety and depression can be remarkably effective. The key step will be not only identifying interventions that work, but also figuring out how to deliver effective treatments to the people who need them.”

According to BioPharma Dive,
- “Cerevel Therapeutics, a biotechnology company in the midst of being acquired by AbbVie, on Thursday said a Parkinson’s disease treatment it’s developing succeeded in a late-stage clinical trial.
- “The treatment, called tavapadon, helped keep the disease’s disruptive motor fluctuations at bay, extending the total time of symptom control by just over one hour, compared to a placebo. This difference in “on” time was statistically significant, Cerevel said.
- “Tavapadon also significantly reduced the amount of “off” time that treated study participants experienced, meeting a secondary goal of the Phase 3 study. People with Parkinson’s often cycle between these “on” and “off” periods as the effects of mainstay drugs like levadopa and carbidopa wane. In Cerevel’s study, tavapadon was given as an adjunctive therapy, meaning it was added on top of levadopa.”

The Washington Post reports,
- “The nation’s largest coalition of obstetricians issued an urgent warning Thursday calling on doctors to expand testing for syphilis during pregnancy amid a surge of cases in recent years.
- “The American College of Obstetricians and Gynecologists updated its recommendations, advising a routine blood screening at the first prenatal visit and screenings in the third trimester of pregnancy and at birth. This contrasts with previous recommendations, which called for testing in the third trimester exclusively for individuals living in communities with high syphilis rates and for those at risk of syphilis exposure during pregnancy.
- “We’re always trying to create healthier families, and some of the diseases that we can easily diagnose and treat are things that we should prioritize, especially when they can be devastating to a baby,” said Laura E. Riley, chair of the obstetrician coalition’s immunization work group. Riley helped write the guidance. * * *
- “In April 2023, the Food and Drug Administration announced a shortage of penicillin in the United States attributed to increased demand.
- “To combat the ongoing shortages, the FDA granted temporary approval for a French drug, Extencilline, which is used for syphilis treatment but is not FDA-approved. While the Food, Drug, and Cosmetic Act prohibits importing unapproved drugs into the United States, the secretary of Health and Human Services can authorize temporary importation and distribution of such drugs to address shortages until domestic production returns to normal levels.
- “Riley said the updated guidance from the obstetricians group is essential because it makes physicians aware of the alternative treatment for syphilis amid the shortage.
- “In June 2023, the maker of penicillin, Pfizer, said it would prioritize making the drug available, with the shortage expected to be relieved within the next few months of this year.”

From the U.S. healthcare business front,

Beckers Payer Issues relates,
- “Elevance Health posted $2.2 billion in net income during the first quarter, a nearly 13% increase compared to the same period last year, according to the company’s earnings report published April 18.
- “First quarter results reflect disciplined execution of our strategic initiatives during a dynamic time for our industry,” President and CEO Gail Boudreaux said. “We are making significant progress expanding Carelon’s capabilities, scaling our flywheel for enterprise growth, and delivering results for all stakeholders. Given the solid start to the year, we have increased our outlook for full year earnings.”
- “Total revenues in the first quarter were $42.6 billion, a 1% increase year over year.
- “Total expenses in the first quarter were $39.6 billion, a 0.2% increase.
- “Net income was $2.2 billion in the first quarter, up 12.9% from the same period last year.
- “Elevance raised its full-year earnings outlook to $37.20 in earnings per share.”

Modern Healthcare lets us know,
- “CVS Health is opening Oak Street Health primary care clinics at its retail pharmacy stores — a move that hasn’t always worked out for competitors.
- “CVS acquired primary care provider Oak Street last May for $10.6 billion and announced plans to add 50 to 60 Oak Street clinics in 2024. Most of those clinics are expected to be standalone locations, including some located in closed CVS stores. But CVS also is piloting a setup that replaces much of the retail space in existing stores with clinics.
- “Walgreens executives say they remain confident in the VillageMD investment, although the focus has shifted away from expansion and more toward ramping up profitability in VillageMD’s strongest markets.
- “CVS may have a different experience. Its expansion plan for Oak Street has a slower pace than what Walgreens tried, said Jack Slevin, vice president of healthcare services equity research at Jefferies. CVS’ model is dedicating a lot of space to the Oak Street clinics and pharmacy operations, which would allow for more patient volume, he said.
- “[CVS is] giving them enough space that it feels like a true Oak Street location,” Slevin said. “If you look at the Walgreens strategy on the square footage side, it was very much more bolting on a smaller Village practice to a Walgreens store that was going to look very much the same.”

Beckers Hospital Review identifies many of the top 100 U.S. hospitals based on a Fortune analysis, “20 large health systems ranked by reputation score,” and the fifteen largest pharmacy chains in our country.

The FEHBlog also ran across the following consulting firm opinion pieces that are worth a gander:
- A Brown and Brown paper on the role of employers in advancing health equity.
- A RAND paper discussing why employers delay coverage for FDA newly approved drugs.
  - FEHBlog takeaway :”The FDA has steadily increased the speed at which it approves new drugs over the last two decades. In 2023, the agency approved 55 new drugs, up from 21 in 2003. The great majority of drugs are now approved through its accelerated program, leaving the FDA wide open to criticism that its standards are too low and that it is simply acting as a rubber stamp for pharmaceutical companies. Under the accelerated program, the FDA grants approval for the drug to be put on the market and later grants full approval after clinical trials confirm a drug’s effectiveness.”
- A McKinsey Health Institute paper on improving mental health services for children.
  - “As part of the McKinsey Health Institute’s (MHI’s) Conversations on Health series, Erica Coe and Kana Enomoto, coleaders at MHI, discussed this challenge and how to prioritize the mental health needs of children and adolescents with Zeinab Hijazi, PsyD, the global lead on mental health at UNICEF.”

Midweek Update

David Ermer–CDC, FDA, Federal employment benefits, Medical / Rx research, OPM, Rx coverage, U.S. Healthcare, Uncategorized–April 17, 2024April 17, 2024

From Washington, DC,

The Federal Times and Federal News Network discuss OPM’s plans to tighten internal controls over family member eligibility in the FEHBP. OPM’s actions will shift the burden of monitoring family member eligibility from the FEHB plans to employing agencies, which is where the responsibility belongs.
OPM also should be filling the greatest internal control gap in the FEHB – the fact that OPM does not allow carriers, which bear the insurance risk, to reconcile premium payments to individual enrollees. A cost effective solution is available by implementing the HIPAA 820 electronic enrollment roster transaction which systematically generates such reconciliations.

Per BioPharma Dive,
- “Alvotech and Teva on Tuesday won Food and Drug Administration approval for Selarsdi, the second biosimilar poised to challenge Johnson & Johnson’s blockbuster psoriasis drug, Stelara.
- “The FDA cleared Selarsdi for treatment of moderate to severe plaque psoriasis and active psoriatic arthritis in adults and children who are at least 6 years old. The companies said they expect to begin selling the medicine on or after Feb. 21, 2025, a delayed introduction due to a legal settlement with J&J.
- “The two companies are likely to enter the market after Amgen, which won approval for an interchangeable biosimilar called Wezlana in October. Amgen is also subject to a legal settlement, and the company has said its product will launch no later than Jan. 1, 2025.”

Healthcare Dive had the time to report on the CBO report on Medicare Accountable Care Organizations which the FEHBlog noted yesterday.
- “Accountable care organizations led by independent physicians save Medicare more money than other types of ACOs, according to a new Congressional Budget Office review of existing research.
- “Independent physician-led ACOs have clear financial incentives to reduce hospital care to lower spending, while hospital-led ACOs — which earn more revenue when patients are admitted — do not, the CBO found. Hospitals also have less direct control over what services patients receive.
- “ACOs with a larger proportion of primary care providers also saved Medicare more money, along with ACOs whose initial spending was higher than their peers in the same region, according to the report.”
The FEHBlog’s primary care provider practices in such an ACO.

From the public health and medical research front,

The New York Times reports,
- “A pill taken once a week. A shot administered at home once a month. Even a jab given at a clinic every six months.
- “In the next five to 10 years, these options may be available to prevent or treat H.I.V. Instead of drugs that must be taken daily, scientists are closing in on longer-acting alternatives — perhaps even a future in which H.I.V. may require attention just twice a year, inconceivable in the darkest decades of the epidemic.
- “This period is the next wave of innovation, newer products meeting the needs of people, particularly in prevention, in ways that we didn’t ever have before,” said Mitchell Warren, executive director of the H.I.V. prevention organization AVAC.
- “Long-acting therapies may obviate the need to remember to take a daily pill to prevent or treat H.I.V. And for some patients, the new drugs may ease the stigma of the disease, itself an obstacle to treatment.”

STAT News lets us know,
- “Eli Lilly reported positive results for its obesity drug Zepbound in obstructive sleep apnea, giving the medication a new edge in the highly competitive obesity market.
- “The results also pave the way for Zepbound to potentially become the first approved treatment for obstructive sleep apnea, or OSA, a common disorder characterized by breathing interruptions during sleep.
- “In one year-long Phase 3 study that looked at patients with obesity who were not on PAP therapy, a form of ventilation, those taking Zepbound experienced a reduction of 25.3 events per hour on the apnea-hypopnea index (AHI), a measure of the number of times breathing stops and becomes restricted while sleeping. That compares with a reduction of 5.3 events in patients on placebo, Lilly said in a press release Wednesday.
- “In another Phase 3 study in patients who were on PAP therapy, those on Zepbound had a reduction of 29.3 events per hour on the AHI, compared with a reduction of 5.5 events in patients on placebo.
- “Severe OSA is defined as having over 30 events per hour, and moderate OSA is defined as 15 to 30 events per hour.”

CNBC adds,
- “Most doses of Eli Lilly’s highly popular weight loss drug Zepbound and diabetes counterpart Mounjaro will be in short supply through the second quarter of this year due to increased demand, according to an update on the Food and Drug Administration’s drug shortage database.
- “A previous update said some doses of both treatments would have limited availability through April.
- “The new update suggests that the insatiable demand for a buzzy class of weight loss and diabetes drugs is still trouncing supply, even as Eli Lilly and Novo Nordisk work to increase production of those treatments.”

The Associated Press informs us,
- “For decades, patients seeking medication for pain have had two choices: over-the-counter drugs like aspirin or powerful prescription opioids like oxycodone.
- “Opioid prescriptions have plummeted over the last decade as doctors have become more attuned to the risks of addiction and misuse during the country’s ongoing drug epidemic.
- “Vertex Pharmaceuticals recently reported positive results for a non-opioid painkiller, one of several medications the Boston-based drugmaker has been developing for various forms of pain. Patients taking the drug after surgery experienced more pain relief than those getting a placebo, although the drug didn’t meet a secondary goal of outperforming treatment with an opioid.
- The AP interviews Vertex’s chief scientist Dr. David Altshuler about the company’s research and development plans.

Beckers Hospital Review tells us,
- “In recent months, parts of the U.S. have reported outbreaks of pertussis, or whooping cough. While some regional outbreaks are expected each year, health officials are underscoring the importance of boosters in adults to protect infants from severe illness, NBC News reported April 17. * * *
- “The TDap vaccine is recommended for children 11 and older who have not received the DTaP series. Adults should receive a Tdap booster dose every 10 years, according to the CDC.
- “Anyone who comes to see [a] new baby should have had a recent inoculation with Tdap vaccine to provide a cocoon of protection around that baby,” William Schaffner, MD, professor of infectious diseases at Nashville, Tenn.-based Vanderbilt University Medical Center, told NBC News.”

From the U.S. healthcare business front,

Healthcare Dive relates,
- “Steward Health Care is on the clock.
- “The Dallas-based healthcare network has until the end of the month to prove to lenders it has the cash on hand to begin repaying its significant debts — or it could face bankruptcy proceedings.
- “Demonstrating solvency could be a tall order because the health system owes a lot of parties a significant amount of money, according to analysts familiar with the system.
- “Should Steward fail, it would be one of the largest provider bankruptcies in decades, said Laura Coordes, professor of law at the Sandra Day O’Connor College of Law at Arizona State University.”

MedTech Dive notes, “Abbott looks to ‘highly productive’ device pipeline for future growth. CEO Robert Ford highlighted new and upcoming products throughout the earnings call, calling the recently approved Triclip valve a “billion-dollar opportunity.”

According to BioPharma Dive,
- “An experimental drug designed to improve brain function in people with nerve-degrading disorders has failed a mid-stage study that tested it against Parkinson’s disease.
- “The trial enrolled almost 90 participants, who once a day were given either a placebo or a drug from Sage Therapeutics called SAGE-718. Summary results released Wednesday showed no significant difference between the two groups in how their mental abilities changed over the course of six weeks, as measured by a scale clinicians use evaluate cognition. * * *
- “Sage is still testing SAGE-718 across three additional trials that should have data this year. One, codenamed “Lightwave,” is focused on people with mild cognitive impairment and mild dementia due to Alzheimer’s disease. The other two, “Surveyor” and “Dimension,” are investigating whether the drug can help Huntington’s disease patients with cognitive impairment.”

Beckers Hospital Review points out and names ten of twenty most popular drugs are in shortage.

OPM Director Resigns

David Ermer–AHRQ, Congress, COVID-19 vaccine, Medical / Rx research, Medicare, Mental health care, OPM, Rx coverage, U.S. Healthcare–April 16, 2024April 17, 2024

OPM Headquarters a/k/a the Theodore Roosevelt Building

From Washington, DC,

Federal News Network reports,
- Kiran Ahuja, director of the Office of Personnel Management, will be stepping down from her position in early May, OPM announced Tuesday. * * *
- Ahuja decided to leave the position due to ongoing health concerns and a recent death in the family, an agency spokesperson said. Once Ahuja vacates her position as the top-most OPM official in the coming weeks, OPM Deputy Director Rob Shriver will begin serving as acting director. * * *
- “Kiran leaves an incredible legacy as a strong and indefatigable champion of the 2.2 million public servants in the federal workforce,” OPM’s Shriver said in a statement. “Under Kiran’s leadership, OPM has bounced back stronger than ever and partnered with agencies across government to better serve the American people. Kiran represents the very best of the Biden-Harris administration, and I am honored to call her a dear colleague and friend.”

Here are links to today’s relevant House of Representatives Committee hearings — one “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack” and the other “ERISA’s 50th Anniversary: the Path to Higher Quality, Lower Cost Health Care.”

STAT News reports,
- “President Joe Biden’s administration will help 50 countries identify and respond to infectious diseases, with the goal of preventing pandemics like the Covid-19 outbreak that suddenly halted normal life around the globe in 2020.
- “U.S. government officials will offer support in the countries, most of them located in Africa and Asia, to develop better testing, surveillance, communication, and preparedness for such outbreaks in those countries.
- “The strategy will help “prevent, detect and effectively respond to biological threats wherever they emerge,” Biden said in a statement Tuesday.
- “The Global Health Security Strategy, the president said, aims to protect people worldwide and “will make the United States stronger, safer, and healthier than ever before at this critical moment.”

The Congressional Budget Office issued a report about past performance and future directions of Medicare Accountable Care Organizations.

One Digital tells us,
- “The 2023 EEO-1 Component 1 data collection window opens on April 30, 2024 and ends June 4, 2024. Private-sector employers with 100 or more employees or federal contractors with 50 or more employees must submit workforce demographic data. The EEO-1 Component 1 report is a mandatory annual data collection. Covered employers must submit data by job category and sex and race or ethnicity to the Equal Employment Opportunity Commission (EEOC). Updates to the data collection will be posted to the EEOC’s dedicated EEO-1 Component 1 website.
- “The 2023 EEO-1 Component 1 Instruction Booklet and 2023 EEO-1 Component 1 Data File Upload Specifications are available on the EEOC’s dedicated EEO-1 Component 1 website. Employers must file their information through the EEO-1 Component 1 Online Filing System (OFS) either through manual data entry or data file upload. The EEO-1 Component 1 online Filer Support Message Center (i.e., filer help desk) will also be available on Tuesday, April 30, 2024, to assist filers with any questions they may have regarding the 2023 collection.”

From the public health and medical research front,

Value Penguin lets us know,
- “Some much-needed good news for U.S. citizens: Between the first quarters of 2021 and 2023, the national age-adjusted death rate fell by 17.7%, according to the latest ValuePenguin study.
- “Our study also looked at death rates by cause and the leading causes by state. Perhaps unsurprisingly given increased vaccination access and herd immunity, COVID-19 deaths fell most precipitously over that time. Deaths from most other causes showed a decline, too.”

HHS’s Agency for Healthcare Quality and Research released a Medical Expenditure Panel Survey with the following highlights
- “In 2021, the top 1 percent of the population ranked by their healthcare expenditures accounted for 24 percent of total healthcare expenditures, while the bottom 50 percent accounted for less than 3 percent.
- “Persons in the top 1 percent expenditure tier had an average of $166,980 in healthcare expenditures in 2021, nearly $30,000 higher than in 2019 or 2018. In 2020, persons in the top 1 percent expenditure tier had average expenditures that were more than $20,000 higher than in 2019 or 2018.
- “Persons aged 65 and older and non-Hispanic Whites were disproportionately represented in the top expenditure tiers.
- “Inpatient stays accounted for about 26 percent of healthcare expenses for persons in the top 5 percent expenditure tier.
- “More than three-quarters of aggregate expenses for persons in the top 5 percent expenditure tier were paid for by private insurance or Medicare.
- “Among adults in the top 5 percent expenditure tier, 78.1 percent had two or more priority conditions.”

MedPage Today relates,
- “Independent reviewers confirmed a causal relationship between the first mRNA COVID-19 vaccines and myocarditis, and also determined that, more broadly, intramuscular shots can cause a series of shoulder injuries.
- “At the same time, the National Academies of Sciences, Engineering, and Medicine (NASEM) committee rejected a causal relationship between the Pfizer-BioNTech BNT162b2 and Moderna mRNA-1273 (Comirnaty and Spikevax, respectively) mRNA COVID vaccines and female infertility, Guillain-Barré syndrome, Bell’s palsy, thrombosis with thrombocytopenia syndrome (TTS), and myocardial infarction.”

According to the University of Minnesota’s CIDRAP,
- “A study yesterday in JAMA Internal Medicine demonstrates that 22% of hospitalized adults aged 50 years or older with respiratory syncytial virus (RSV) infection experienced an acute cardiac event—most frequently acute heart failure (16%). Moreover, 1 in 12 of infected patients (8.5%) had no documented underlying cardiovascular disease.
- “RSV is associated with annual totals of up to 160,000 US hospitalizations, 10,000 deaths, and $4 billion in direct healthcare costs among adults age 65 years or older.
- “Despite evidence of considerable RSV-associated morbidity, mortality, and health care expenditure, the potential severity of RSV infection in adults has historically been underappreciated by public health professionals and clinicians,” the authors write. RSV is rarely tested for in the clinical settings, and symptoms usually mirror other respiratory diseases, they add.”
and
- “New research conducted at US primary and urgent care sites shows that antibiotics didn’t provide any benefit for patients with a cough caused by an acute lower respiratory tract infection (LRTI).
- “In fact, the findings, published yesterday in the Journal of General Internal Medicine, show that receipt of an antibiotic was associated with a small but significant increase in the duration of cough overall compared with those who didn’t receive an antibiotic. Even for those patients with a confirmed bacterial infection, the time until illness resolution was the same whether or not the patients received an antibiotic.
- “Patients who received an antibiotic also had a higher overall disease severity over the entire course of their illness compared with those who didn’t.
- “The study authors say the results of the Enhancing Antibiotic Stewardship in Primary Care (EAST-PC) study, which is the largest observational study to date on LRTIs in US primary and urgent care settings, are yet another indication that clinicians should be more prudent about using antibiotics for LRTIs.”

BioPharma Dive informs us,
- “An antipsychotic drug from Intra-Cellular Therapies appears to also work as an add-on therapy for depression, according to clinical trial results the New York-based biotechnology company released Tuesday.
- “The large trial enrolled almost 500 patients with major depression and hit its main goal as well as “key secondary endpoints,” the company said in a statement. It found that, over a six-week period, depressive symptoms significantly declined in study volunteers given Intra-Cellular’s drug plus antidepressants compared to those given a placebo and antidepressants.”

From the U.S. healthcare business front,

Healthcare Dive reports,
- “UnitedHealth estimates costs from the Change Healthcare cyberattack could reach $1.6 billion this year, executives said on Tuesday. However, the managed care giant maintained its full-year earnings guidance, suggesting the financial fallout from the attack on the massive claims clearinghouse may be less serious than feared.
- “The hit comes from direct response efforts like recovering Change’s clearinghouse platform and paying higher medical costs after its insurance arm suspended some utilization management processes, in addition to the loss of Change’s revenue.
- “In the first quarter alone, the cyberattack cost UnitedHealth $872 million, according to financial results posted Tuesday.”

Beckers Payer Issues adds,
- “Rising medical cost trends aren’t going down, but they are stabilizing, UnitedHealth Group executives say.
- “CEO Andrew Witty told investors April 16 that pent-up demand and increased health system capacity following the COVID-19 pandemic drove rising costs through 2023, but the trend was a “one-off.”
- “We don’t see anything like that. We see much more stabilization. We haven’t seen a step-down from that trend, but we certainly see that kind of sustained activity without aggressive acceleration,” Mr. Witty said.
- “Every major insurer reported rising costs in the Medicare Advantage population in the last months of 2023. While a few insurers, including Humana and CVS Health, cut their 2024 earnings guidance based on the trend, UnitedHealth Group maintained it can weather the storm.
- “The company reported its first-quarter earnings April 16. UnitedHealthcare’s medical loss ratio was 84.3% in the first quarter, compared to 82.2% the year prior and down from 85% in the fourth quarter of 2023.”
and
- “UnitedHealth Group plans to bring Change Healthcare back stronger than it was before it suffered the largest cyberattack in the history of the U.S. healthcare system.
- “On an April 16 call with investors, UnitedHealth Group CEO Andrew Witty said it is “important for the country” that UnitedHealth Group owns Change.
- “Without UnitedHealth Group owning Change Healthcare, this attack likely would still have happened. It would have left Change Healthcare, I think, extremely challenged to come back,” Mr. Witty said. “Because it is a part of UnitedHealth Group, we’ve been able to bring it back. We’re going to bring it back much stronger than it was before.”

Medscape offers a slideshow on 2023 physician compensation.

Beckers Payer Issues notes,
- “Elevance Health will enter a partnership with private equity firm Clayton, Dubilier & Rice to develop advanced primary care models.
- “The joint effort will operate across multiple states and commercial, individual, Medicare and Medicaid markets, according to an April 15 news release. The payer-agnostic platform will serve more than 1 million members, the companies said.
- “The deal is financed primarily “through a combination of cash and our equity interest in certain care delivery and enablement assets of Carelon Health,” according to the news release. The two companies did not disclose the financial terms of the deal, and it is not expected to have a material impact on Elevance’s 2024 earnings.
- “The partnership will bring together two CD&R assets, digital platform Apree Health and Florida-based provider group Millennium Physician Group, and Carelon Health. Several Carelon Health clinics, part of Elevance Health, will provide care to members with chronic and complex conditions.”

Beckers Hospital Review lets us know,
- “About nine months after the FDA fully approved an Alzheimer’s drug for the first time, the medicine is trudging through insurance barriers and hesitations from potential patients, the Chicago Tribune reported April 12. * * *
- “One of its manufacturers, Eisai, predicted 10,000 patients would begin treatment by the end of March. Eisai executives have since backed away from that forecast, but they say sales are increasing, according to the Tribune.
- “CMS covers Leqembi, and so do about 75% of commercial plans in the U.S., a spokesperson for the drugmaker said. But, for the upwards of 6 million Americans who are diagnosed with Alzheimer’s disease, the medication has not made a splash as patients worry about side effects and contraindications.”
and
- “Multiple April bankruptcy court filings revealed that Camp Hill, Pa.-based Rite Aid has plans to shutter 53 additional locations across nine states after it filed for Chapter 11 bankruptcy and shared it will close 154 locations last October.
- “The “notice of additional closing stores” filings, obtained by Becker’s, revealed the stores are located in Pennsylvania, New Jersey, New York, Ohio, California, Massachusetts, Michigan, Virginia and Maryland.”

Monday Roundup

David Ermer–Congress, COVID-19 vaccine, FDA, Medical / Rx research, Mental health care, NIH, OPM, Rx coverage, U.S. Healthcare–April 15, 2024April 15, 2024

From Washington, DC,

Federal News Network tells us,
- “The Biden administration has now ended many of the policies that previously dictated agencies’ health and safety responses to the COVID-19 pandemic. But for federal employees, the administration is still offering some on-the-job flexibility for the foreseeable future.
- “One of the few remaining policies from a series of 2021 executive orders lets federal employees still take up to four hours of paid administrative leave to get COVID-19 vaccine booster shots, the Office of Personnel Management said in an April 12 memo.
- “The administration strongly encourages federal employees to get recommended doses of updated COVID-19 vaccines even when receiving those vaccines is not a job requirement,” OPM Director Kiran Ahuja said in the memo addressed to agency heads. “Vaccines remain the best tool we have in our toolbox to combat COVID-19. They are safe, effective and free.”
- “For federal employees, the offered administrative leave will cover the time it takes to get the COVID-19 booster shot, as well as feds’ travel time to and from the vaccination site. As is standard, employees should get approval from their supervisors before taking leave for this purpose, OPM said. Four hours is the maximum OPM is allotting, but federal employees should only take off as much time as they actually need to get the shot.”
OPM should take the same approach with cancer screening services, such as colonoscopies and mammographies.

The American Hospital Association News reports,
- “The Change Healthcare cyberattack was a significant event that caught many off guard, said the Centers for Medicare & Medicaid Services Administrator Chiquita Brooks-LaSure, reiterating the agency’s commitment to supporting impacted hospitals. Brooks-LaSure stated the Administration is listening to stakeholders and when possible, facilitating solutions, noting the importance of meeting the needs of providers.
- “In addition, Brooks-LaSure celebrated important improvements CMS made to promote greater transparency for prior authorization criteria. CMS took steps earlier this year finalizing new regulations to streamline and reduce burden associated with the prior authorization process in Medicare Advantage and fee-for-service and managed care programs for Medicaid and the Children’s Health Insurance Program.
- “CMS continues to hear from patients and providers over some commercial insurer prior authorization denials and delays, Brooks-LaSure said, noting that the volume of frustration has “just exploded.” The private sector, she said, has an opportunity to step up with solutions of their own to address concerns.
- “I’ve told the health plans this: it doesn’t have to all be regulated [by the federal government], there may be things that they can do,” Brooks-LaSure said.”

Beckers Payer Issues adds,
- “AHIP’s chief executive criticized the hospital lobby’s response to the Change Healthcare cyberattack as “opportunistic” and “maintaining the status quo.”
- “AHIP President and CEO Mike Tuffin pointed to comments that hospital lobbyists made to the media about the hack being “another talking point” to prevent health systems from implementing site-neutral payments, as well as an industry association’s opposition to cybersecurity mandates.
- “Insisting on maintaining the status quo simply makes the healthcare system a more inviting target for the ever-more sophisticated hacking operations targeting the sector,” Mr. Tuffin wrote in the April 12 article. “Instead of taking a constructive leadership role in what can be done to protect consumers and the system moving forward, the hospital lobby chooses to use the moment to point fingers and shirk responsibility.”
- “Rather than “playing politics,” all industry stakeholders should be focusing on preventing and preparing for future healthcare cyberattacks, he said.”

HR Dive reports,
- “The U.S. Equal Employment Opportunity Commission announced on Monday its final rule implementing the Pregnant Workers Fairness Act, clarifying that abortion is included under “pregnancy, childbirth or related medical conditions” that are protected under the PWFA.
- “EEOC said this interpretation of the law’s text is “consistent with the Commission’s and courts’ longstanding interpretation of the same phrase in Title VII.” It also noted that employees are entitled to the law’s provisions even if they have not worked for an employer for a specific length of time.
- “EEOC had originally slated the rule for publication at the end of 2023, but the commission’s deadline passed without a rule in place. The rule is scheduled to be published in the Federal Register Friday, and will take effect 60 days after publication, approximately mid-June.”

The Government Accountability Office released a report on selected States regulation of pharmacy benefit managers.

From the public health and medical research front,

The Washington Post considers why
- “Rural Americans ages 25 to 54 — considered the prime working-age population — are dying of natural causes such as chronic diseases and cancer at wildly higher rates than their age-group peers in urban areas, according to the report. * * *
- “The USDA researchers analyzed mortality data from the Centers for Disease Control and Prevention from two three-year periods — 1999 through 2001, and 2017 through 2019. In 1999, the natural-cause mortality rate for rural working-age adults was only 6 percent higher than that of their city-dwelling peers. By 2019, the gap had widened to 43 percent.” * * *
- “The USDA’s findings were shocking but not surprising, said Alan Morgan, CEO of the National Rural Health Association. He and other health experts have maintained for years that rural America needs more attention and investment in its health care systems by national leaders and lawmakers.”

“MedPage Today editor-in-chief Jeremy Faust, MD, talks with Monica Bertagnolli, MD, the 17th director of the National Institutes of Health (NIH), about the day-to-day work at the NIH on pandemic preparedness, the importance of looking for new approaches to testing, and the status of long COVID research.”

Healio points out,
- “Physical activity patterns that included vigorous exercise, housework or walking were associated with lower stroke risk.
- “Watching TV and commuting were linked to higher risk for stroke.”

Per Medscape,
- “Low- to moderate-intensity physical exercise in patients with severe mental illness is linked to improved medication adherence, regardless of medication type or duration of illness, new research shows.
- “The positive association between adherence and moderate physical activity emphasizes that physical activity improves overall health and functional status. Promoting physical activity can be a valuable and integrated strategy that can be easily implemented into our routine clinical practice,” said study investigator Rebecca Silvestro, MD, Department of Psychiatry, Università degli studi della Campania Luigi Vanvitelli in Naples, Italy.
- “The findings were presented at the European Psychiatric Association 2024 Congress.”

From the U.S. healthcare business front,

STAT News reports,
- “The number of new prescriptions written for biosimilar versions of the Humira rheumatoid arthritis treatment, one of the best-selling medicines in the U.S., surged to 36% from just 5% during the first week of April, thanks to the expanding reach that CVS Health has over the prescription drug market.
- “The big jump was attributed to one particular biosimilar called Hyrimoz, which is manufactured by Sandoz, a former unit of Novartis that is a leading supplier of generic and biosimilar medicines. However, Hyrimoz is jointly marketed with Cordavis, a new subsidiary that CVS created last August specifically to sell any number of biosimilar medicines in the U.S.
- “This connection is crucial to the sudden jump in Hyrimoz prescriptions. How so? On April 1, CVS Caremark, which is one of the largest pharmacy benefit managers in the U.S., removed Humira from its major national formularies for health plans that cover about 30 million lives. Formularies are the lists of medicines that are covered by health insurance.
- “The move quickly shifted market share to Hyrimoz. During the week ending March 29, the number of new prescriptions written for the biosimilar was about 640, but rose to nearly 8,300 in the week ending April 5, according to a report to investors by Evercore ISI analyst Elizabeth Anderson. That pushed the share for all Humira biosimilars to 36%, with Hyrimoz contributing 93% of the growth.”

Health Leaders Media discusses three ways that independent physician practices can maintain their independence.

According to BioPharma Dive,
- “Roche’s new dual-acting blood cancer drug Columvi combined with chemotherapy helped people with a type of lymphoma live longer than people given Rituxan and chemo, the company said Monday. The data could help Roche persuade the Food and Drug Administration to convert Columvi’s conditional OK into a full approval.
- “Roche didn’t disclose full data from the Phase 3 “Starglo” trial in people with diffuse large B-cell lymphoma whose disease advanced after initial treatment and who weren’t eligible for stem cell transplants. The results will be presented at an upcoming medical meeting, the company said.
- “Columvi is a new type of drug called a “bispecific” antibody that triggers an immune response to cancer cells. A competitor developed by Genmab and AbbVie has also gained accelerated approval and could have confirmatory data later this year, while the FDA rejected a bispecific from Regeneron because its confirmatory trial isn’t far enough advanced.”

MedTech Dive reports,
- “Abbott is recalling thousands of Heartmate II and Heartmate 3 left ventricular assist systems because biological material can build up and obstruct the devices, making them less effective at pumping blood, the Food and Drug Administration said Monday.
- “Reports of 273 injuries and 14 deaths have been linked to the problem, with the material typically taking two or more years to accumulate, according to the recall notice. The FDA identified the action as a Class I recall, the most serious type.
- “Heartmate devices are used to support patients with severe left ventricular heart failure who are awaiting a heart transplant, or the device can be permanently implanted when a transplant isn’t an option. In February, Abbott told customers in an urgent correction letter there is no need to return any products to the company.”

Weekend Update

David Ermer–Congress, Medical / Rx research, SCOTUS, U.S. Healthcare–April 14, 2024April 14, 2024

From Washington, DC,

The House of Representatives and the Senate are in session for Committee business and floor voting this week.

The Supreme Court holds its final two weeks of oral arguments for the current term this month.

From the public health and medical research front,

The Wall Street Journal discusses advances in Alzheimer’s Disease care.

NPR Shots explains new approaches to treating lung cancer.

Fortune Well lets us know –
- “Can’t focus on the task at hand or feeling sluggish beyond the afternoon slump? One possible cause: iron-deficiency anemia (IDA).
- “About 3 million Americans have anemia, according to the U.S. Centers for Disease and Prevention Disease and Prevention (CDC), and those are just the people who’ve been diagnosed. Many others live with the condition for years without realizing it. * * *
- “After figuring out the underlying cause, the next plan of action is treatment. For many, iron supplements are the answer. Your doctor may recommend over-the-counter iron pills to replenish the iron stores in your body. However, these tablets are not a one-size-fits-all solution.”

STAT News reports,
- “Amid the many demands of practicing medicine, doctors can have less time and energy for their patients, and those relationships can suffer. Yet research has shownthat when physicians show empathy, that can generally lead to better clinical outcomes, at least over the near-term. Now, a new study, published Thursday in JAMA Network Open, demonstrates that those benefits can extend longer and be even more effective than some clinical therapies in dealing with lower back pain, which affects half of the U.S. population in any given year.
- “Researchers at the University of North Texas Health Science Center at Fort Worth, observing patients with lower back pain over the course of 12 months, found that treatment by a “very empathic” physician was associated with better outcomes at the end of that year than treatment by a “slightly empathic” physician. And those positive outcomes were greater than those associated with nonpharmacological treatments (exercise therapy, yoga, massage therapy, spinal manipulation, acupuncture, cognitive behavioral therapy), opioid therapy, and lumbar spine surgery.”

From the U.S. healthcare business front,

Beckers Hospital Review lists “27 critical access hospitals to know for 2024.”
- “These hospitals are vital components of the overall healthcare delivery system, providing quality care to the residents and visitors of rural areas. The small but mighty organizations are working to expand access to specialty care, cut down on patient travel times, and improve community health.
- “Critical access hospitals are those that offer 24/7 emergency care and have no more than 25 inpatient beds. While compiling this list, the editorial team examined rankings and awards from several respected organizations, including Healthgrades, the National Rural Health Association and the Chartis Center for Rural Health.”

Fierce Healthcare reports,
- “A year ago, Blue Shield of California joined forces with Accolade and TeleMed2U to launch Virtual Blue, a new plan that centers on virtual care for members with the goal of boosting access.
- “And with that first year on the books, the insurer is seeing positive results in Virtual Blue, it revealed Friday. Members were more likely to visit their primary care doctors compared to those in a more traditional PPO plan. Blue Shield saw primary care claims increase by 31% in 2023 compared to 2022.
- “People who enroll in Virtual Blue are able to secure virtual visits with a $0 copayment and can schedule appointments online with their clinician, making it easier to fit critical visits into their daily lives. In-person care is available whenever appropriate or when the member prefers, Blue Shield said.”

Cybersecurity Saturday

David Ermer–Cybersecurity, Uncategorized–April 13, 2024April 13, 2024

From the cybersecurity policy front,

Cybersecurity Dive reports,
- “FBI Director Christopher Wray said state-linked threat groups are ramping up threat activity against the U.S., and pose a continued risk to key critical infrastructure sectors, in a speech Tuesday before the American Bar Association’s Standing Committee on Law and National Security.
- “Threat actors linked with the People’s Republic of China are continuing to build out offensive capabilities, setting up access to various sectors such as the water, energy and telecommunications industries, according to Wray.
- “We’re seeing hostile nation states become more aggressive in their efforts to steal our secrets and our innovation, target our critical infrastructure, export their aggression to our shores and front and center is China,” Wray said.”
and
- “The [NIST] National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.”The National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
- “NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
- The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent. * * *
and
- “More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted.
- “The Cybersecurity and Infrastructure Security Agency issued the notice for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and report ransom payments within 24 hours. The notice was published Thursday in the Federal Register and currently has a June 3 deadline for public comments.
- “The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.”

NextGov relates,
- “As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.
- “To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.”

“DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comments for this case are due by June 10, 2024. For information on how to comment, please visit the Federal eRulemaking portal.

Federal News Network lets us know,
- “Sean Connelly, who has led many of the major federal cybersecurity initiatives over the last decade, is leaving federal service.
- “Connelly, whose official title is senior cybersecurity architect and Trusted Internet Connections (TIC) program manager for the Cybersecurity and Infrastructure Security Agency, has been instrumental in everything from a major chunk of the lifecycle of the TIC program to the development and advancement of the concepts behind zero trust to the integration of these initiatives with others, including the Einstein and continuous diagnostics and mitigation (CDM) programs.
- “Federal News Network has learned Connelly’s last day will be April 19. * * *
- “Sources say Connelly will be joining Zscaler to work on zero trust from an international compliance perspective. He will help non-U.S. governments move toward a zero trust architecture based on the experience of the federal agencies.
- “Connelly is now the second federal cyber executive to leave to join Zscaler in the last two weeks. Brian Conrad, the former acting director of the Federal Risk Authorization and Management Program (FedRAMP) joined the cyber company in early April to lead Zscaler’s international cloud security compliance program.”

From the cybersecurity vulnerabilities and breaches front,

Cyberscoop informs us,
- “The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
- “CISA’s directive comes in the week after CyberScoop first reported its existence.
- “Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
- “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.”

Cybersecurity Dive tells us,
- “Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
- “Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families.
- “Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.”

Cyberscoop offers the reflections of Mandiant experts on this cybsercurity landscape.

Security Week lets us know,
- “Palo Alto Networks disclosed [a state-sponsored] vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.
- “Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.
- “According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.”

CISA added new known exploited vulnerabilities to its catalog this week.
- April 11, 2024
  - CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
  - CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability
- April 12, 2024
  - CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
- FEHBlog note the CVE references are to the NIST National Vulnerability Database discussed above..

The HHS Health Sector Cybersecurity Coordination Center (HC3) posted its “March Vulnerabilities of Interest to the Health Sector.”
- “In March 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for March are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”

From the ransomware front,

TechTarget notes,
- “Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.
- “The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.
- “For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim’s network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.
- “Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.”

WIRED reports,
- “Since Monday [April 8, 2024], RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment. * * *
- “RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
- “While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.
- “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”

From the cybersecurity defenses front,

MedCity News discusses four lessons learned from the Change Health cyberattack.

According to Dark Reading,
- The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.
- The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.
- The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.

“NIST has released three self-guided online introductory courses on the NIST Special Publication (SP) 800-53 security and privacy control catalog, the SP 800-53A control assessment procedures, and SP 800-53B control baselines. The courses provide a high-level overview of foundational security and privacy risk management concepts based directly on their respective NIST SPs.”

According to Cybersecurity Dive,
- “CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.
- “About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America.
- “The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
- “Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.”

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.