Cybersecurity Saturday

Cybersecurity

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front,

  • On April 4, the Cybersecurity and Infrastructure Security Agency (CISA) published its proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements rule in the Federal Register. The public comment deadline is June 3, 2024.
  • Cybersecurity Dive summarizes what CISA wants to see in these CIRCIA reports.
  • Cybersecurity Dive reported on April 3,
    • “The state-linked intrusion on Microsoft Exchange Online that led to the theft of about 60,000 U.S. State Department emails last summer “was preventable and should never have occurred”, the Cyber Safety Review Board said Tuesday [April 2] in a report. 
    • “A series of operational and strategic decisions by Microsoft pointed to a corporate culture that deprioritized investments in enterprise security and rigorous risk management, despite the central role the company plays in the larger technology ecosystem, the report said. 
    • “The CSRB urged Microsoft to publicly share its plans to make fundamental, security focused reforms across the company and its suite of products. The board also recommended that all cloud services providers and government partners enact security-focused changes.
  • Cybersecurity Dive added on April 5,
    • “The Cybersecurity and Infrastructure Security Agency is working with Microsoft to investigate and mitigate Midnight Blizzard’s potential impacts on federal agencies. The Russia-linked threat group hacked into senior Microsoft executives’ accounts starting in late November and could pose a larger threat to federal agencies.
    • “As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” a Microsoft spokesperson said Thursday via email. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”
    • “CISA issued an emergency directive to federal agencies earlier this week on how to mitigate the potential threat from Midnight Blizzard, CyberScoop reported. But the agency has not yet made the directive public. 
    • “CISA officials did not comment on any directive, but confirmed to Cybersecurity Dive it’s working with Microsoft on how to respond to the threat.” 
  • Federal News Network lets us know,
    • “Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services is aiming to better organize its healthcare cybersecurity resources and programs.
    • “HHS is creating a  “one-stop shop” for cyber at the department’s Administration for Strategic Preparedness and Response, according to Brian Mazanec, the deputy director for ASPR’s Office of Preparedness. ASPR leads U.S. health and medical preparedness for disasters and other public health emergencies.
    • “We’re really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, with the interagency,” Mazanec said during a March 29 webinar hosted by the HHS-sponsored Regional Disaster Health Response System.”
  • The National Institutes of Standards and Technology announced,
    • “NIST is releasing the initial public draft of Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, for public comment. This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities, as described by CSF 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • The public comment period is open through May 20, 2024. See the publication detailsfor a copy of the draft and instructions for submitting comments.”
  • NIST also issued “a [draft] mapping between the security controls within NIST Special Publication 800-53 Revision 5 and the Cybersecurity Framework version 2.0.”
  • NextGov tells us,
    • “Camille Stewart Gloster, a cyber and technology attorney who has led the White House’s cybersecurity workforce and tech ecosystem strategies since taking up her role in August 2022, will step down Tuesday [April 4].
    • “She told Nextgov/FCW on the sidelines of an International Association of Privacy Professionals event in Washington, D.C. she had no plans as of yet for where she will be heading next.”

From the cyber vulnerabilities and breaches front,

  • HHS’s Health Sector Cybersecurity Coordination Center (HC3) informs us about “Social Engineering Attacks Targeting IT Help Desks in the Health Sector.”
    • “HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations. In general, threat actors continue to evolve their tactics, techniques, and procedures (TTPs) to achieve their goals. HC3 recommends various mitigations outlined in this alert, which involve user awareness training, as well as policies and procedures for increased security for identity verification with help desk requests.”
    • More on this threat can be found on the American Hospital Association news site.
  • On April 4, 2024, CISA added two known exploited vulnerabilities to its catalog.

From the ransomware front,

  • Bleeping Computer’s The Week in Ransomware is back at long last.
  • Cyberscoop reports,
    • “Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  
    • “The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.
    • “Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.
    • “Now, ALPHV appears to be moving to further obscure the destination of those funds. 
    • “According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 
    • “Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”
    • “The FBI declined to comment on the status of its investigation of the incident.” 

From the cyberdefenses front,

  • Cybersecurity Dive relates,
    • “[E[ven as Change [Healthcare] begins to restore its systems, cyberattacks are going to remain a challenge for the industry as healthcare digitizes, creating more potential vulnerabilities for cybercriminals to exploit, experts say. 
    • “The healthcare sector needs to learn from the wide-ranging impacts from the Change attack — and prepare for the next one.
    • “As an industry, there’s been a lot of advancement in cybersecurity, but we’re still pretty far behind where we need to be,” said Steve Cagle, CEO of healthcare cybersecurity firm Clearwater. “We need to face the reality that this is an issue that is here to stay for a long time.”
  • Health IT Security discusses “[h]ow can payers be prepared to manage third-party security incidents. Payers should implement vendor management programs, incident response plans, and training processes to prepare for third-party security incidents.”
  • Security Week points out,
    • “The US National Institute of Standards and Technology (NIST) this week announced  $3.6 million in grants to help address the cybersecurity skills shortage.
    • “As part of the project, 18 education and community organizations across 15 states will be granted roughly $200,000 each to educate future cybersecurity employees.
    • “The agreements will be overseen by NICE, a partnership between organizations in the government, education, and private sectors, which focuses on building cybersecurity workforce through education and training.
    • “The 18 selected organizations will build Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects aligned with the needs of local business and nonprofit organizations.”
  • Per Tech Target,
    • “Microsoft officially launched Copilot for Security on Monday [April 1], and while the generative AI tool might bolster security operations, enterprises could face implementation and integration challenges.
    • “The tech giant unveiled Copilot for Security, originally called Security Copilot, in March 2023 to assist security and IT teams with threat detection and response. Following a series of rollout stages for the generative AI (GenAI) tool, Microsoft added a pay-as-you-go pricing model and new capabilities, such as knowledge base integrations and multilanguage support.
    • “Vasu Jakkal, corporate vice president of security, compliance, identity and management at Microsoft, announced the launch in a blog post last month and emphasized that enterprises can use Copilot for Security as a standalone portal or embed the AI tool into existing security products.”
  • HHS’s 405(d) Program now offers a
    • “New Resource: Healthcare Threat Identification Poster!
    • “Cyber hygiene poster highlights threats exist at every level of your organization. Be aware of the threats that face your organization in order to protect PHI.”

Cybersecurity Saturday

David ErmerCybersecurity

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “The U.S. Cybersecurity and Infrastructure Security Agency [CISA] on Wednesday [March 27, 2024] published long-awaited draft rules on how critical-infrastructure companies must report cyberattacks to the government.
    • “CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on March 15, 2022. Officials hope reports from companies in a range of industries will allow them to better spot attack patterns and determine tactics used by cybercriminals and nation-states to help improve defenses.
    • “Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours.  * * *
    • “The rules apply to any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services. The rules will also apply to companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.
    • “Reporting from a broad range of entities is necessary to provide adequate visibility of the cyber landscape across critical infrastructure sectors, which CIRCIA is meant to facilitate,” CISA said in its 447-page draft.
    • “There are exemptions for small organizations, with revenue and employee counts that qualify under the Small Business Administration’s criteria.” 
  • Here are a link to the CISA announcement and a link to the proposed rule.
  • Cyberscoop adds,
    • “While the rule is not expected to be finalized until 18 months from now or potentially later next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 different critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and cyber incidents.
    • “For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported.” * * *
    • “CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
    • “Ranking member of the House Committee on Homeland Security Bennie Thompson, D-Mass., and Rep. Yvette Clark, D-N.Y., said in a joint statement that they’d like to see a reduction in compliance costs so that additional resources can be invested in security.” 
  • On March 28, 2024, the Defense Department released its “Defense Industrial Base Cybersecurity Strategy {which] plots a course for increased focus and collaboration between the Defense Department and the U.S. defense industrial base on cybersecurity initiatives amid what officials say are persistent cyberthreats.”

From the cyber-vulnerabilities and breaches front,

  • Per Security Week,
    • “While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse. In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.
    • “By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023. * * *
    • “Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE 2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1.049 victims, around 20% of all known ransomware attacks in 2023.”
  • Cybersecurity Dive tells us,
    • “Threat actors used phishing links or attacks in 71% of all security incidents in 2023, according to ReliaQuest’s Annual Cyber-Threat Report released Tuesday.
    • “Most of the tactics, techniques and procedures threat actors used last year to achieve initial access to a compromised environment were linked to user interaction or error, the report said. “This indicates attackers overwhelmingly gained initial access by exploiting the trust and vulnerability of unsuspecting individuals.”
    • “Phishing remains the most common route threat actors use to achieve initial access, accounting for 70% of all initial access related incidents last year, ReliaQuest said.”
  • Earlier this month, HHS’s Health sector Cybersecurity Coordination Center (HC3) posted the following two PowerPoints:
    • Credential Harvesting and Mitigations
      • “Cyberattacks against healthcare facilities can involve credential harvesting, which may lead to a disruption of operations. Credential harvesting, also known as credential stealing or credential phishing, is a technique that cybercriminals can use to obtain sensitive login credentials like usernames, passwords, and personal information. These credentials operate as the gateway to an individual’s digital identity, and can grant access to various types of information, such as online accounts and health data. The methods employed for credential harvesting are diverse, ranging from sophisticated phishing emails to fake websites and social engineering tactics.”
    • Defense and Mitigations from E-mail Bombing
      • E-mail bombing, also known as mail bomb or letter bomb attacks, occur when a botnet (a single actor or group of actors) flood an e-mail address or server with hundreds to thousands of e-mail messages. They are a type of Denial of Service (DoS) attack that allows attackers to bury legitimate transaction and security messages in an unsuspecting inbox by rendering the victim’s mailbox useless. By overloading a victim’s inbox, attackers hope that a victim will miss important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations.
      • This type of attack is of particular importance to the Healthcare and Public Health (HPH) sector. In 2016, unknown assailants launched a massive cyber attack aimed at flooding thousands of targeted “dot-gov” (.gov) e-mail inboxes with subscription requests, rendering many unusable for days.
      • E-mail bombs are not only an inconvenience to the victim, but to everyone using that particular server. When an e-mail server is impacted by a DDoS, it can downgrade network performance and potentially lead to direct business downtime. This Sector Alert provides an overview of types of e-mail bomb techniques, as well as defenses and mitigations for targets of this type of attack.
  • Bleeping Computer adds that “Google’s Threat Analysis Group (TAG) and Google subsidiary Mandiant said they’ve observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients.”

From the Change Healthcare situation front,.

  • HealthIT Security let us know on March 29.
    • “In a March 27th update, UnitedHealth Group said it had begun the process of determining whether any patient data was stolen during the cyberattack. UHG engaged a vendor to conduct a review of data that is “likely” to contain personally identifiable information and claims data. At this time, it is too soon to say with certainty the content of the data that the threat actor accessed.
    • “This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems,” UHG stated. “We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data.”
    • “To date, UHG had not seen evidence of any data being published on the web.
    • “In other news, the US Department of State is offering a reward of up to $10 million for information or identification of ALPHV/BlackCat threat actors, who previously claimed responsibility for the Change Healthcare cyberattack.” 

From the ransomware front,

  • Beckers Hospital Review notes,
    • “A ransomware group that specializes in “double extortion” has claimed responsibility for a cyberattack on an Oklahoma hospital, HIPAA Journal reported.
    • “The Bian Lian hacking gang posted Lindsay (Okla.) Municipal Hospital to its data leak site and said the stolen data would be uploaded soon, according to the March 25 story.
    • “The hackers’ “double extortion” forte means they steal data then require ransom payments to both release the information and decrypt any encrypted files, the news outlet reported. HHS has warned that Bian Lian is targeting healthcare providers because of the group’s financial motivations.”

From the cybersecurity defenses front,

  • Cybersecurity Dive informed us on March 26, 2024,
    • “The Cybersecurity and Infrastructure Security Agency and FBI urged software manufacturers to take steps to eliminate SQL injection vulnerabilities in an alert issued Monday
    • “CISA and the FBI are asking leadership at software manufacturers to launch formal reviews of their code to find out whether they are susceptible to SQL injection compromises. If found, the agencies are asking the companies to take immediate steps to eliminate these defects from existing and future software.  
    • “The agencies cited the role SQL injection defects played in the widespread attacks linked to MOVEit file transfer software, which impacted thousands of organizations in 2023.”
  • The Wall Street Journal reports,
    • “Companies from the U.S. telecommunications, financial services and power sectors held a joint cybersecurity exercise with government agencies this week to test how their defenses held up against real attacks. [The report is dated March 29, 2024.)
    • “Security staff from AT&TLumen Technologies, Southern Co., Mastercard and Southern California Edison pitted defensive and offensive teams, known as blue and red teams, against each other on Wednesday and Thursday in Washington, D.C. * * *
    • “This week’s Tri-Sector Cyber Defense Exercise was an expanded version of a similar event held two years ago. While in the previous event individual teams from each participating company competed against each other, this year’s program drew staff from each participant into combined teams to learn from each other’s techniques. Those teams then assaulted and blocked attacks from fictitious entities in the various represented sectors, using the same tools and technology as they would in reality.”
  • and
    • “Cybersecurity leaders struggle to communicate with executives and boards of directors and often paint an overly positive image of their companies’ security, according to a new survey of C-suite executives. 
    • “With new regulations that require companies to disclose more details about cybersecurity, around half of those polled see an immediate need to improve security leaders’ communication skills. 
    • “Thirty-one percent of top executives said they believe their companies’ chief information security officers paint a more optimistic picture than reality, according to a new survey from communications advisory firm FTI Consulting * * *
    • “Executives want CISOs to improve how they communicate about cyber risks. The FTI survey found that 98% of executives support more funding for such training, and 45% said it is an immediate need.” 

Monday Roundup

David ErmerCybersecurity, Federal employment benefits, Medicare, Mental health care, Rx coverage, U.S. Healthcare
Photo by Sven Read on Unsplash

From Washington, DC,

  • STAT News reminds us,
    • “The public will soon find out whether the federal government is willing to meet the health insurance industry’s demands and deposit more money into the bank accounts of next year’s Medicare Advantage plans.
    • “Budget officials within the Biden administration started reviewing final payment regulations for 2025 Medicare Advantage plans last week after more than 42,000 public comments rolled into the federal government’s inbox. Those rules will come out no later than April 1.
  • Becker’s Hospital CFO Report adds,
    • “Onerous” authorization requirements and high denial rates have health systems considering whether to drop Medicare Advantage plans, according to a report from the Healthcare Financial Management Association and Eliciting Insights. 
    • “HFMA Health System CFO Pain Points Study 2024” is based on a survey of 135 health system CFOs conducted in January. 
    • According to the report, 16% of health systems are planning to stop accepting one or more Medicare Advantage plans in the next two years. Another 45% said they are considering the same but have not made a final decision.
    • Health systems have been increasingly pushing back on Medicare Advantage. Chris Van Gorder, president and CEO of San Diego-based Scripps Health, told Becker’s last year that “it’s becoming a game of delay, deny and not pay.” Scripps terminated Medicare Advantage contracts effective Jan. 1 for its integrated medical groups. The medical groups, Scripps Clinic and Scripps Coastal, employ more than 1,000 physicians, including advanced practitioners. Mr. Van Gorder said the health system was facing an annual loss of $75 million on MA contracts.  
    • “Providers are going to have to get out of full-risk capitation because it just doesn’t work — we’re the bottom of the food chain, and the food chain is not being fed,” he said.
    • Despite tensions with some health systems, the Medicare Advantage program had a 95% quality satisfaction rating among enrolled members in 2023.
  • The FEHBlog notes that MA plans are subject to the Affordable Care Act’s medical loss ratio. The medical loss ration encourages health plans to make payments to providers.
  • FedSmith lets us know,
    • The Federal Salary Council (FSC) recently proposed adding about 15,000 federal employees to existing locality pay areas for 2025 from the “Rest of the U.S.” Being added to a locality pay area usually results in higher pay for impacted employees.
    • FSC is recommending the Pay Agent add Wyandot County, OH, to the Columbus, OH, locality pay area and Yuma County, AZ, to the Phoenix, AZ, locality pay area. These recommendations do not create new locality pay areas. In this case, they are adding employees to existing pay areas using various techniques to reduce employees in the “Rest of the U.S.” and add more to higher-paying locality pay areas.
    • A proposal from the Federal Salary Council does not mean a decision to make these additions is finalized. The recommendations have to be approved by the President’s Pay Agent. That approval usually follows, although not necessarily in the recommended time frame. Once the Pay Agent decides to move ahead, the Office of Personnel Management has to issue a proposed change in the Federal Register and a final decision in the Federal Register a few months later.
  • Reg Jones, writing in Fedweek, discusses “Survivor Annuity Benefits for Children of Deceased Federal Employees and Retirees.”
  • KFF discusses Medicare spending on GLP-1 drugs, like Ozempic, to treat diabetes.
    • “Gross spending on Ozempic alone increased from $2.6 billion in 2021 to $4.6 billion in 2022, pushing it to 6th place among the top-selling drugs in Medicare Part D that year, up from 10th place the year before.  
    • “The fact that covering GLP-1s under Medicare Part D for authorized uses is already making a mark on total Part D program spending could be a sign of even higher spending to come as Part D plans are now able to cover Wegovy for its heart health benefits, and if new uses for GLP-1s are approved.”
  • CNBC adds,
    • “Americans can’t seem to get enough of weight loss drugs despite their limited insurance coverage and roughly $1,000 monthly price tags before discounts. 
    • “But some patients are willing to pay more out of pocket for those treatments than others — and it’s strongly correlated to their annual income.
    • “That’s according to a recent survey from Evercore ISI that focused on GLP-1s, which include Novo Nordisk’s weight loss injection Wegovy and diabetes counterpart Ozempic.

From the public health and medical research front,

  • The American Medical Association advises its members about measles, now at 64 cases, and tells patient what doctors wish they knew about vasectomies.
  • Medscape shares five things to know about Adult Respiratory Syncytial Virus (RSV) Infection.
  • The Washington Post features a Consumer Reports article on maintaining kidney health. “Hydration and exercise are just two of the keys to reducing the risk of kidney disease.”
  • The Society for Human Resource Management offers nine mental health questions for employee engagement surveys.
  • CNN reports,
    • “Drugmaker Eli Lilly warned this week that two of its formulations of insulin would be temporarily out of stock through the beginning of April, citing a “brief delay in manufacturing.”
    • “The 10-milliliter vials of Humalog and insulin lispro injection will be in short supply at wholesalers and some pharmacies, Lilly said in a statement posted online Wednesday [March 20]. The company said that prefilled pen versions of those medicines are still available in the US and that it continues to manufacture the 10-milliliter vials “and will ship them as soon as we can.”

From the U.S. healthcare business front,

  • The Wall Street Journal relates,
    • “Hospitals are adding billions of dollars in facility fees to medical bills for routine care in outpatient centers they own. Once an annoyance, the fees are now pervasive, and in some places they are becoming nearly impossible to avoid, data compiled for The Wall Street Journal show. The fees are spreading as hospitals press on with acquisitions, snapping up medical groups and tacking on the additional charges. 
    • “The fees raise prices by hundreds of dollars for widely used and standard medical care, including colonoscopies, mammograms and heart screening. 
    •  “Hospitals say facility fees help offset the extra costs that they incur to meet federal regulations. “It’s not as simple as same services, across-the-board,” said Jason Kleinman, director of federal relations for the American Hospital Association.” * * *
    • “Lawmakers and Congress have proposed limiting fees covered by Medicare, which advisers to the federal insurer have unanimously recommended. Under a bill passed by the House in December, Medicare would no longer pay hospital facility fees for chemotherapy and other drugs infused by doctors in clinics off a hospital campus, saving about $3.7 billion over 10 years. 
    • “The American Hospital Association opposes limiting the fees, saying restrictions would cut revenue to hospitals already squeezed financially by high labor costs and inflation.”   
  • Beckers Hospital CFO Report adds,
    • “Kaufman Hall’s latest “National Hospital Flash Report,” which is based on data from more than 1,300 hospitals, outlined three key areas that separate high-performing hospitals’ and low-performing hospitals when it comes to their operating performances: 
      • Outpatient revenue. In general, hospitals with higher and accelerating outpatient revenue are more profitable.
      • Contract labor. Hospitals that quickly reduced their percentage of contract labor demonstrate improved operating profitability. In addition, hospitals that aggressively marched down contract labor costs were correlated to rising wage rates for full-time staff. Rising wage rates appeared to attract and retain full-time staff, which has allowed those hospitals to decrease contract labor more quickly, all of which has led to increased profitability, according to the report. 
      • Average length of stay. A lower average length of stay corresponded with improved profitability. Hospitals that hyper-focused on patient throughput — which has led to appropriate and prompt patient discharge — have also proven this to be a solid financial strategy, according to the report.”
    • “Hospitals on the other end of the scale continue to struggle, with the poorest financially performing hospitals reporting negative margins from -4% to -19%, according to Kaufman Hall. Continuation of this level of performance is unsustainable and makes it impossible to reinvestment in community care.” 
  • Per BioPharma Dive,
    • “Novo Nordisk will pay as much as $1 billion to acquire RNA drug developer Cardior and its experimental treatment for heart failure, the companies announced Monday
    • “Cardior’s treatment, dubbed CDR132L, is currently being tested in a mid-stage study involving 280 people with heart failure who previously experienced a heart attack. Results are expected by September, according to a U.S. clinical trial database.
    • “In addition to that study, Novo said it plans to start another Phase 2 trial in heart failure patients whose heart muscle has become thick and stiff, also known as cardiac hypertrophy. Novo, which will pay an undisclosed upfront payment to Cardior per deal terms, expects the acquisition to close in the second quarter.”
  • and
    • “Abbvie is expanding its pipeline of inflammatory disease drugs, announcing Monday a small deal to acquire biotechnology company Landos Biopharma.
    • “Per the deal, Abbvie will buy Landos for $20.42 per share, or about $138 million. Abbvie has also agreed to pay a so-called contingent value right worth $11.14 per share, or another $75 million, if certain milestones are met. The upfront price represents a premium of about 155% to the closing price Friday of Landos stock.
    • “Landos is currently running a mid-stage trial of its lead drug, dubbed NX-13, in ulcerative colitis. Abbvie is also interested in NX-13’s potential in Crohn’s disease.”
  • Per Healthcare Dive,
    • “Change Healthcare said its largest claims clearinghouses would come back online over the weekend, more than a month after a cyberattack at the technology firm disrupted the healthcare sector. 
    • “More than $14 billion in charges have been prepared for processing, according to an update from parent company UnitedHealth Group on Friday. Change’s electronic payments platform has also been restored, and the company is working on payer implementations.”

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front,

  • Cyberscoop tells us,
    • “A bill proposed Friday in the Senate would allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.
    • “The legislation from Sen. Mark Warner, D-Va., comes a month after the ransomware attack that targeted Change Healthcare — a payment processor whose technology touches 1 in 3 American patient records — crippled the health industry and the ability for many health care facilities to bill insurance companies and receive payments.”
  • Healthcare Dive informs us,
    • “In a Thursday letter to the HHS’ Office for Civil Rights, hospital lobbying organizations sought to clarify who may need to provide data breach notifications to patients following the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization directly attacked. 
    • “The letter, penned by counsels for the American Hospital Association and the Federation of American Hospitals, said the onus should be on UnitedHealth and Change alone to report a breach, should one be found. 
    • “Requiring hospitals to also issue breach notifications could result in patients receiving duplicate notifications, leading to unnecessary “public confusion, misunderstandings and added stress,” the letter warned.”
  • The HIPAA privacy and security rules permit a covered entity health provider or health plan to treat healthcare claims clearinghouse as a fellow covered entity or a business associate. The article suggests that healthcare providers at least are treating Change Healthcare as a business associate. Of course, when Change Healthcare is provided services other than clearinghouse services to a healthcare provider or a health plan Change Healthcare would be acting as a business associate.
  • Speaking of which, a colleague shared with the FEHBlog with this PowerPoint presentation of the HHS Office for Civil Rights Updates & 2024 Priorities presented at HIPAA Summit 41 on Feb. 27, 2024.
  • Nextgov reports,
    • The federal government’s HR shop is pitching a legislative proposal to give federal agencies new authorities and flexibilities in how they hire and pay cybersecurity workers to members of Congress, but so far no member has stepped up to sponsor the bill.
    • The package is meant to allow agencies across the government to increase pay for in-demand cyber talent, as they look to recruit in a tight market. The Office of Personnel Management developed the proposal with the Office of Management and Budget and the Office of the National Cyber Director. 
    • The proposal is geared at solving the cyber workforce problem across the government so that hiring officials don’t have to seek agency-specific authorities to bring on such talent, OPM says. 
  • The Cybersecurity and Infrastructure Security (CISA) announced on March 18, 2024,
    • “the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Last week, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to implementation of specific security practices.  
    • “Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt our nation’s critical functions. This new repository will help federal agencies employ software from producers that attest to using sound secure development practices.”  

From the Change Healthcare situation front,

  • United Healthcare Group offered a timeline for “key” product restoration on its Change Healthcare cyberattack website on March 22, 2024.

From the cyber vulnerabilites and breaches front,

  • HHS’s Healthcare Sector Cybersecurity Coordination Center (HC3) released its report about February 2024 vulnerabilities of interest to the health sector on March 19, 2024.
    • “In February 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for February are from Ivanti, ConnectWise, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian.
    • “A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available or if it is publicly disclosed.
    • “HC3 recommends patching all vulnerabilities, with special consideration given to the risk management posture of the organization.”
  • Cybersecurity Dive notes,
    • “Threat actors are going after broadly deployed enterprise software and network infrastructure, exploiting vulnerabilities in file-transfer services and VPNs at a significantly higher rate, according to Recorded Future’s annual threat analysis report.
    • “The number of high-risk vulnerabilities exploited in attacks against enterprise software and network infrastructure approximately tripled from 2022 to 2023, analysts in the cybersecurity company’s threat research division Insikt Group said in the Thursday report. 
    • “Analysts warned that businesses’ ongoing efforts to increase virtualization and migrate workloads to the cloud are narrowing the supply chain of vendors they rely on, introducing new security risks to the enterprise environment.”
  • and
    • Security researchers are warning about a novel variant of the AcidRain wiper, which was used to disrupt satellite communications during Russia’s invasion of Ukraine, according to a blog post released Thursday by SentinelLabs
    • The discovery of the new variant, dubbed AcidPour, coincides with the disruption of multiple telecom networks in Ukraine, which have been offline since March 13.
    • The AcidPour variant has capabilities beyond that of AcidRain, raising fears that embedded devices are at risk, including IoT, networking, large storage and even industrial control systems devices running Linux x86 distributions, according to SentinelLabs.
  • On March 21, 2024, “CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques: 
    • “Volumetric, attacks aiming to consume available bandwidth. 
    • “Protocol, attacks which exploit vulnerabilities in network protocols. 
    • Application, attacks targeting vulnerabilities in specific applications or running services.” 
  • Dark Reading lets us know, “Apple has released iOS 17.4.1, its latest security update, just weeks after releasing iOS 17.4, but is being intentionally vague about details surrounding the new release.” Keep your Apple devices updated.

From the cybersecurity defenses front,

  • Tech Target discusses continuity / disaster planning best practices.
  • Forbes interviews Tomer Weingarten, the founder and CEO of SentinelOne.
    • “Traditional cyber defense tools and tactics have increasingly fallen short in the face of sophisticated digital threats. This pivotal realization has spearheaded a dramatic shift towards AI-driven defense strategies, marking a significant departure from the conventional paradigms of cybersecurity.
    • “Central to this transformation is [Tomer Weingarten’s] pioneering work * * *. Artificial intelligence and generative AI are pervasive now, but SentinelOne is a company that has been at the forefront of integrating AI into cybersecurity from its inception.”

Thursday Miscellany

David ErmerAHRQ, CDC, CMS, Congress, Cybersecurity, Electronic health records, FDA, HSA, Medical / Rx research, Medicare, Mental health care, NCQA, U.S. Healthcare
Photo by Josh Mills on Unsplash

From Washington, DC,

  • Roll Call reports,
    • “Lawmakers released a more than $1.2 trillion, six-bill appropriations package early Thursday morning, less than 48 hours ahead of a Friday night deadline for this second and final wrapup measure for the fiscal year that began Oct. 1. 
    • “Both parties were touting “wins” in the package well before unveiling the massive 1,012-page bill, which had already won President Joe Biden’s blessing and pledge to sign it “immediately.” That, plus the lure of a two-week recess, should help get the package over the finish line, though it seems likely to slip past the 11:59 p.m. Friday cutoff for the current stopgap spending law.
    • “But lawmakers weren’t really sweating the prospect of a weekend funding lapse, given its limited impact on government operations — especially with Friday’s expected House passage likely to be a strong signal of congressional intent to keep the lights on.”
  • The bill includes appropriations for OPM (pages 247 – 250) and its Inspector General (page 250) plus the three now standard appropriations measures:
    • A prohibition against imposing full Cost Accounting Standards coverage on FEHB carriers. Division B, Section 611, page 268.
    • The Hyde amendment limiting FEHB coverage of abortions to cases “where the life of the mother would be endangered if the fetus were carried to term, or the pregnancy is the result of an act of rape or incest.” Division B, Section 613 and 614, pages 268 – 269.
    • A contraceptive prescription drug coverage mandate with conscience protections for FEHB plans and healthcare providers. Division B, Section 726, page 298.
  • The American Hospital Association News discusses HHS appropriations, which also are included in this bill.
    • “The House may vote on the measure Friday, with Senate action expected over the weekend. A short government shutdown may occur over the weekend, depending how long it takes both chambers to pass the measure and for President Biden to sign it into law.” 
  • Govexec points out “the nine biggest agency and program reforms in the final FY24 spending package.”
  • The Wall Street Journal scoops,
    • “Some Medicare members could get help paying for the popular new weight-loss drug Wegovy—as long as they have a history of heart disease and are using it to prevent recurring heart attacks and strokes.
    • “Medicare Part D drug-benefit plans—which are administered by private insurers—may cover anti-obesity medications if the drugs receive approval for an additional use that is considered medically accepted under federal law, the Centers for Medicare and Medicaid Services told The Wall Street Journal on Thursday. * * *
    • “Some Medicare members could get help paying for the popular new weight-loss drug Wegovy—as long as they have a history of heart disease and are using it to prevent recurring heart attacks and strokes.
    • “Medicare Part D drug-benefit plans—which are administered by private insurers—may cover anti-obesity medications if the drugs receive approval for an additional use that is considered medically accepted under federal law, the Centers for Medicare and Medicaid Services told The Wall Street Journal on Thursday.”
  • STAT News adds,
    • “Early data regarding the use of GLP-1 medications like Ozempic and Wegovy to treat addiction is “very, very, exciting,” Nora Volkow, the director of the National Institute on Drug Abuse, said Thursday.
    • “But even as she expressed enthusiasm for the new drugs’ potential, Volkow criticized pharmaceutical companies for neglecting a moral imperative to develop new addiction treatments — but acknowledged that the health system more broadly doesn’t incentivize drug companies to treat the U.S. drug crisis with urgency.”
  • The U.S. Preventive Services Task Force finalized its research plan for re-evaluating its September 2019 recommendations on the topic of medications to reduce the risk of breast cancer.
  • Beckers Health IT interviews Alexandra Mugge, chief health informatics officer at CMS, about the agency’s efforts “to expedite prior authorizations, through digitization and better data exchange, saving the healthcare industry $15 billion over a decade — in the hopes of one day having the decisions made instantaneously, right in the EHR.”

From the Food and Drug Administration front,

  • Per a press release,
    • “Today, the U.S. Food and Drug Administration approved Duvyzat (givinostat) oral medication for the treatment of Duchenne Muscular Dystrophy (DMD) in patients six years of age and older. Duvyzat is the first nonsteroidal drug approved to treat patients with all genetic variants of DMD. It is a histone deacetylase (HDAC) inhibitor that works by targeting pathogenic processes to reduce inflammation and loss of muscle.
    • “DMD denies the opportunity for a healthy life to the children it affects. The FDA is committed to advancing the development of new therapies for DMD,” said Emily Freilich, M.D., director of the Division of Neurology 1, Office of Neuroscience in the FDA’s Center for Drug Evaluation and Research. “This approval provides another treatment option to help reduce the burden of this progressive, devastating disease for individuals impacted by DMD regardless of genetic mutation.”
  • MedTech Dive informs us,
    • Johnson & Johnson subsidiary Abiomed recalled its Impella left sided blood pumps for risk that the devices could perforate the heart during a procedure. The recall began on Dec. 27 with Abiomed updating its instructions for use.
    • The Food and Drug Administration identified the recall as a Class I event, the most serious type of recall, in a Thursday notice. The agency has received 129 reports of serious injuries, including 49 deaths, related to the problem. 
    • Abiomed’s Impella heart pumps, which are used to support the heart during procedures or during cardiogenic shock, were the subject of four Class I recalls last year, including the latest recall. The company also received an FDA warning letter for quality problems with Impella and software used in the device that had not been authorized by the agency.

From the public health and medical research front,

  • The CDC shares with us,
    • Data from the National Vital Statistics System
      • Life expectancy for the U.S. population in 2022 was 77.5 years, an increase of 1.1 years from 2021.
      • The age-adjusted death rate decreased by 9.2% from 879.7 deaths per 100,000 standard population in 2021 to 798.8 in 2022.
      • Age-specific death rates increased from 2021 to 2022 for age groups 1–4 and 5–14 years and decreased for all age groups 15 years and older.
      • The 10 leading causes of death in 2022 remained the same as in 2021, although some causes changed ranks. Heart disease and cancer remained the top 2 leading causes in 2022.
      • The infant mortality rate was 560.4 infant deaths per 100,000 live births in 2022, an increase of 3.1% from the rate in 2021 (543.6).
  • STAT News adds,
    • “The U.S. recorded 107,941 drug overdose deaths in 2022, according to a new federal report — a total that marks an all-time record but also shows signs that the country’s overdose rate may finally be leveling off after years of steady increase.
    • “The 2022 total marks only a slight increase from the drug death toll of 106,699 the year before, according to the Centers for Disease Control and Prevention. The flattening of drug death rates could provide a rare glimmer of hope amid the bleak U.S. drug crisis, which has seen overdose rates rise inexorably for the past two decades and especially during the Covid-19 pandemic.
    • “A large majority of those deaths were driven by the potent synthetic opioid fentanyl. Since emerging in the drug supply in the mid-2010s, fentanyl has increasingly come to dominate the U.S. illicit drug market. Even as fentanyl deaths have skyrocketed, the share of deaths involving other opioids — like heroin, methadone, and prescription painkillers — has decreased.”
  • The Washington Post reports,
    • “After once losing hope because of end-stage kidney disease, a 62-year-old man is now the first living person to receive a genetically edited kidney from a pig, according to doctors at Massachusetts General Hospital who performed the landmark surgery Saturday.
    • “Richard Slayman, whom doctors praised for his courage, is doing well after the four-hour surgery and is expected to be discharged from the Boston hospital soon, officials said.
    • “The advance, which builds on decades of work, gives hope to the hundreds of thousands of Americans who depend on dialysis machines to do the work of their failing kidneys. Each day, 17 Americans die awaiting a kidney transplant, a problem further complicated by unequal access given to Black and other patients. Doctors expressed hope that using pigs to vastly increase the supply of kidneys might correct the inequity.”
  • The Wall Street Journal lets us know,
    • “A new class of anticoagulant drugs on the horizon is taking fresh aim at one of cardiology’s toughest challenges: how to prevent blood clots that cause heart attacks and strokes, without leaving patients at risk of bleeding.
    • “At least a half-dozen experimental blood thinners are in development that inhibit a protein called factor XI, one of several blood factors that regulate how the body forms clots. * * *
    • “Any factor XI agent that reaches the market would likely represent an important advance over drugs called factor Xa inhibitors, a blockbuster class of medicines dominated by Eliquis and Xarelto. Since they were approved just over a decade ago, these drugs have supplanted warfarin as the standard-of-care anticoagulant to prevent stroke in patients with the heart-rhythm disorder atrial fibrillation as well as other indications.”
  • HealthDay informs us,
    • “About 1 in every 10 U.S. children ages 5 to 17 has been diagnosed with attention deficit hyperactivity disorder (ADHD), according to the latest government statistics.
    • “The data from the National Health Interview Survey covers the years 2020 through 2022 and came from in-person or phone interviews involving a representative sample of American homes.
    • “It found that 11.3% of school-age children have been diagnosed with ADHD, with boys more likely to have this diagnosis (14.5%) than girls (8%), according to report authors Cynthia Reuben and Nazik Elgaddal, of the National Center for Health Statistics (NCHS).
    • “ADHD is diagnosed more often among white children (13.4%) than Black youngsters (10.8%) or Hispanic (8.9%) kids, the survey also showed. 
    • “Family income seemed to matter, too:  As income levels rose, the rate of child ADHD diagnoses declined.”
  • WTW, an actuarial consulting firm, offers insights on hepatitis C, HPV vaccine and value based insurance design.

From the U.S. healthcare business front,

  • STAT News reports,
    • “The last decade has seen billions of dollars flow into digital health companies that promise to improve outcomes for the 38 million Americans living with type 2 diabetes. Their products aren’t cheap, but in the long term, they pitch to health plans and employers that these digital tools will help cut health care costs by preventing serious complications like amputation and kidney failure.
    • A systematic review by the Peterson Health Technology Institute found, though, that digital tools used to manage diabetes with the help of finger-stick blood glucose readings don’t result in clinically meaningful improvements over standard care. As a result, they don’t reduce health care spending — they drive it up.
    • “Most of the solutions in this category do not deliver clinical benefits that justify their cost,” Caroline Pearson, executive director of the institute, told STAT. Despite finding that some populations may benefit, the report concludes that current evidence doesn’t support broader adoption for most products.”
  • Plan Sponsor notes,
    • “In the face of rising health care expenditures and out-of-pocket spending, average health savings account balances have also steadily increased since the COVID-19 pandemic, according to new data from the Employee Benefit Research Institute.
    • “The average HSA balance rose to $4,418 at the end of 2022 from $2,711 at the start of the year, the most recent data available in EBRI’s database, given that participants can still contribute to 2023 HSAs until taxes are due in April.
    • “Jake Spiegel, a research associate at EBRI, says he sees this trend continuing in 2023 and into the start of 2024 as well.
    • “EBRI’s analysis revealed two predominant factors associated with higher average account balances. The first was that age is strongly associated with higher HSA balances: the older the accountholder, the higher the average balance.”
  • Beckers Hospital Review lets us know,
    • “Change Healthcare said it has reinstated Amazon cloud services for two of its platforms a month into a cyberattack against the company.
    • “The UnitedHealth Group and Optum subsidiary said March 20 it restored Amazon Web Services from backups for Assurance, a claims and remittance management program, and claims clearinghouse Relay Exchange. Change said it rebuilt authentication services for the solutions on a new network with the help of cybersecurity firms Palo Alto Networks and Mandiant, a Google subsidiary. The company said it is also testing the security of the external-facing parts of those applications.”
  • Per the Society for Human Resource Management,
    • “Employees are experiencing more mental health struggles and overall negative feelings about their work, underscoring an “urgent need” for employers to take more aggressive measures to help with their benefits offerings.
    • “Employees are now more likely to experience negative feelings at work, including stress (12 percent more likely) and burnout (17 percent more likely) than they were pre-pandemic (2019), according to new data from MetLife. Employees are also 51 percent more likely to feel depressed at work than they were pre-pandemic as they face what the insurer calls a “complex macro environment and permacrisis state”—a state which has included the pandemic, persistent high inflation, international turmoil and war, and more.
    • “Those are among the findings in MetLife’s 22nd annual U.S. Employee Benefit Trends Study, released March 18—data indicating that employers may have to revisit benefits offerings to not only support employees, but retain them.”
  • HR Dive explains “How menopausal and other reproductive health benefits can help retain women” and “Data shows that fertility treatments are extremely valuable to workers who need them. Here’s why one people officer is working on integrating them.”
  • STAT News relates,
    • “Just as Pfizer spooked Wall Street after its record pandemic revenue came parabolically back to earth, BioNTech, the company’s Covid-19 vaccine partner, is now dealing with investor malaise of its own.
    • “Shares in the German firm fell about 5% yesterday, hitting a 52-week low, after the company reported disappointing financials. BioNTech’s cut of Covid vaccine revenue fell by about more than three-quarters last year, missing analyst estimates and leading the company to lower its projections for 2024.
    • “Now BioNTech, much like Pfizer, is making the case that its future in oncology will compensate for the rapid erosion in demand for Covid vaccines. The company has more than 20 cancer medicines in its pipeline, including late-stage treatments for tumors of the breast and lung that could hit the market in the next two years.”
  • Per Healthcare Dive,
    • “Walgreens-backed VillageMD sold 11 locations in Rhode Island to Boston-based medical group management firm Arches Medical Partners for an undisclosed sumArches said Wednesday.
    • “The practices, which include about 75,000 patients, joined Arches on March 2, according to VillageMD’s website. 
    • “The deal follows VillageMD clinic closures. The primary care chain recently exited Florida — once one of chain’s largest markets — and plans to withdraw from its home state in Illinois next month.”

Midweek Update

David ErmerCMS, Congress, COVID-19, Cybersecurity, Employee Wellness Programs, FDA, Generative AI, Medical / Rx research, Mental health care, Obesity, OPM, Rx coverage, U.S. Healthcare
Photo by Manasvita S on Unsplash

From Washington, DC,

  • Roll Call reports,
    • “Speaker Mike Johnson, R-La., and his top lieutenants on Wednesday morning moved to quell reservations among their conference about the emerging $1.2 trillion-plus final spending package headed for a vote likely on Friday, while their Democratic counterparts did likewise in a separate meeting.
    • “Appropriators were scrambling under a tight timeline to finish drafting the measure, which is taking longer than expected due to a last-minute decision to write a full-year Homeland Security bill. But Johnson told reporters after a GOP conference meeting that text is expected as soon as Wednesday afternoon.
    • “Other sources expected the bill drop to slip to Thursday, with the standard “reading out” of the DHS title, to catch any errors before posting, not even expected to begin until later Wednesday. But no matter: Lawmakers said they expect the chamber to vote as soon as Friday, regardless of a 72-hour review rule. * * *
    • “Final passage wouldn’t come until this weekend at the earliest, and senators are working to accommodate Sen. Susan Collins, R-Maine, who has never missed a vote but will be attending her mother’s funeral on Saturday. That could push votes off until Sunday or Monday, though few are worried at this point about the effects of such a brief funding lapse. 
    • “I don’t think we’ll do a [continuing resolution],” Johnson said.”
  • The American Hospital Association (AHA) News informs us,
    • “The House Energy and Commerce Committee March 20 unanimously passed AHA-supported legislation to reauthorize through 2029 the Dr. Lorna Breen Health Care Provider Protection Act (H.R. 7153), which provides grants to help health care organizations offer behavioral health services for front-line health care workers. The bill also would reauthorize a national campaign that provides hospital leaders with evidence-based solutions to support worker well-being. Without congressional action, the law will expire at the end of this year.”
  • and
    • “Congress should address any statutory constraints that prevent the Centers for Medicare & Medicaid Services and Department of Health and Human Services from adequately helping hospitals and other health care providers impacted by the Change Healthcare cyberattack, AHA said a letter submitted to the House Ways and Means Committee for a hearing March 20 with HHS Secretary Xavier Becerra on fiscal year 2025 funding for HHS.”
  • Govexec tells us,
    • “The top senator with direct oversight of the U.S. Postal Service is calling on its leadership to pause its overhaul of the agency’s mailing network due to potential impacts they are having on delivery, rejecting USPS assertions that is has provided transparency. 
    • “USPS should not continue its nationwide operational reforms until it can prove the changes will not negatively impact mail service, Sen. Gary Peters, D-Mich., who chairs the Senate Homeland Security and Governmental Affairs Committee, said in a letter to Postmaster General Louis DeJoy. Agency leadership said in response to the letter it has offered volumes of documents and many staff-level briefings to Congress, though Peters said USPS ignored many of his requests for additional information on its efforts and left Congress uncertain about the fallout that could befall postal customers.”
  • On March 18, 2024, the Office of Management and Budget’s Office of Information and Regulatory Affairs received for final regulatory review an OPM proposed rule with additional requirements and clarifications for the Postal Service Health Benefits Program (RIN 3206-AO59).
  • The AHA News tells us,
    • “U.S. health care organizations should immediately transition away from using certain unauthorized plastic syringes made in China by Jiangsu Caina Medical Co. and Jiangsu Shenli Medical Production Co., and should only use other plastic syringes made in China until they can transition to alternatives, the Food and Drug Administration announced March 19, citing potential quality and performance issues. The recommendations do not apply to glass syringes, pre-filled syringes, or syringes used for oral or topical purposes, FDA said. The agency advises health care providers to confirm the manufacturing location by reviewing the labeling, outer packaging, or contacting the supplier or group purchasing organization.”
  • The Assistant Secretary of Labor for Employee Benefit Security, Lisa M. Gomez, posted on her blog about “Health and Money Smarts for Women.”
  • Fierce Healthcare lets us know,
    • “The Employee Retirement Income Security Act, or ERISA, is turning 50 this year and lawmakers are curious to hear about how the law could be updated to increase coverage affordability and care access.
    • “Payers and providers, it turns out, have very different ideas on where Congress should focus its efforts.
    • “In response to the House Committee on Education and the Workforce’s January request for information, lobbying groups representing both sides of the industry weighed in on the act that outlines federal guidelines for employee benefit plans, including employer-sponsored group health plans.”
    • The article delves into these comments.
  • Newfront offers insights about 2024 RxDC reporting considerations. The reports are due June 1, 2025.
  • The Congressional Budget Office released a presentation about “The Federal Perspective on Coverage of medications to treat obesity. Assuming Congress allows Medicare to cover anti-obesity medications (AOM),
  • “The future price trajectory of AOMs is highly uncertain.
    • “CBO expects semaglutide to be selected for price negotiation by the Secretary of Health and Human Services within the next few years, which would lower its price (and potentially the prices of other drugs in the AOM class).
    • “CBO expects generic competition for semaglutide and tirzepatide to start in earnest in the second decade of a policy allowing Medicare Part D to cover AOMs.
    • “New AOMs are expected to become available. The new drugs might be more effective, have fewer side effects, or be taken less frequently or more easily than current medications. Those improvements could translate to higher prices, on average, even if prices decline for drugs that exist today.”
  • See also the Beckers Hospital Review article below on the next generation of AMOs.
  • Healthcare Dive tells us,
    • “The Medicare Advisory Payment Commission, which advises Congress on Medicare policy, is recommending boosting hospital payment rates by 1.5% in 2025 and base physician payment rates by 1.3% above current law, according to its annual report released Friday. 
    • “MedPAC suggested tying the rate of physician payment increasesmoving forward to the Medicare Economic Index, an annual measure of practice cost inflation. MedPAC suggested payments increase “by the amount specified in current law plus 50% of the projected increase in the MEI.”
    • “Provider groups, including the Medical Group Management Association and American Medical Association, have said the proposed payment increases are inadequate.”

From the public health and medical research front,

  • The Washington Post reports,
    • “More than two-thirds of young children in Chicago could be exposed to lead-contaminated water, according to an estimate by the Johns Hopkins Bloomberg School of Public Health and the Stanford University School of Medicine.
    • “The research, published Monday in the journal JAMA Pediatrics, estimated that 68 percent of children under the age of 6 in Chicago are exposed to lead-contaminated drinking water. Of that group, 19 percent primarily use unfiltered tap water, which was associated with a greater increase in blood lead levels.
    • “The extent of lead contamination of tap water in Chicago is disheartening — it’s not something we should be seeing in 2024,” lead author Benjamin Huynh, assistant professor of environmental health and engineering at the Johns Hopkins Bloomberg School of Public Health, said in a news release.”
  • The Wall Street Journal relates,
    • “Debi Lucas had a tremor in her arm. Her feet froze when she tried to walk and she fell into her coffee table, busting her lip. 
    • “She went to a neurologist who thought she had Parkinson’s disease. Doctors normally diagnose the neurodegenerative condition by symptoms. Lucas, 59, had them. 
    • “But the neurologist, Dr. Jason Crowell, couldn’t be sure. The symptoms might be related to a traumatic brain injury Lucas suffered in a car accident decades earlier, he thought. Or they might be from her medications. 
    • “To find an answer, Crowell turned to a new test: a skin biopsy that can detect an abnormal protein people with Parkinson’s have inside their nerves. He took samples of skin near her ankle, knee and shoulder and sent them to a lab. 
    • “The results confirmed that Lucas has Parkinson’s. The diagnosis was scary, but Lucas finally knew what was causing her symptoms. “I was glad to have a name on it,” she said. 
    • “The test sped her diagnosis, said Crowell, a movement-disorders neurologist at the Norton Neuroscience Institute in Louisville, Ky. “It just gives me more confidence,” he said. 
    • “The skin test is an important part of progress researchers are making against Parkinson’s, the second-most common age-related neurodegenerative condition, which is on the rise and a major driver of disability, dementia and death. The test Lucas received, made by CND Life Sciences, a medical technology company in Scottsdale, Ariz., is one of a few in use or development to allow doctors to diagnose Parkinson’s based on biology rather than symptoms that can take years to appear“.
  • Medscape explains “why a new lung cancer treatment is so promising.”
  • MedPage Today notes,
    • “The FDA has approved aprocitentan (Tryvio), making it the first endothelin receptor antagonist for the treatment of high blood pressure (BP), Idorsia Pharmaceuticals announced on Wednesday.
    • “The once-daily oral medication is indicated in combination with other antihypertensive drugs to lower BP in adult patients who do not have their BP controlled with other therapies.
    • “It is believed that some people may respond better to the drug’s novel mechanism, as aprocitentan is a dual endothelin receptor antagonist that works differently than conventional diuretics, renin-angiotensin-aldosterone system antagonists, calcium channel blockers, and beta-blockers used to lower BP.”
  • Beckers Hospital Review considers the three generations of weight loss drugs.
    • “Anita Courcoulas, MD, defines GLP-1s as “generation one;” dual GLP-1 and GIPs as the second; and a triple threat of GLP-1, GIP and GCGRs as the third generation of weight loss drugs. 
    • “Dr. Courcoulas is chief of Pittsburgh-based UPMC’s minimally invasive bariatric and general surgery program. She told Becker’s the next class of anti-obesity medications are finally reaching weight loss outcomes seen from gastric sleeve and bypass procedures, the two most common surgeries for trimming pounds. * * *
    • “Dr. Courcoulas said the biggest unknown is long-term durability of these medications, a concern other bariatric experts have raised. 
    • “She expects GLP-GIP-GCGR medications to gain approval and enter the U.S. market next year. 
    • “I think it’s very exciting to realize there are medications that are under investigation now that could come to market that could have even better weight loss results than the two drug [classes] we’re seeing now,” Dr. Courcoulas said.”
  • The National Institutes of Health announced,
    • “SARS-CoV-2, the virus that causes COVID-19, can damage the heart even without directly infecting the heart tissue, a National Institutes of Health-supported study has found. The research, published in the journal Circulation, specifically looked at damage to the hearts of people with SARS-CoV2-associated acute respiratory distress syndrome (ARDS), a serious lung condition that can be fatal. But researchers said the findings could have relevance to organs beyond the heart and also to viruses other than SARS-CoV-2.
    • “Scientists have long known that COVID-19 increases the risk of heart attack, stroke, and Long COVID, and prior imaging research has shown that over 50% of people who get COVID-19 experience some inflammation or damage to the heart. What scientists did not know is whether the damage occurs because the virus infects the heart tissue itself, or because of systemic inflammation triggered by the body’s well-known immune response to the virus.
    • “This was a critical question and finding the answer opens up a whole new understanding of the link between this serious lung injury and the kind of inflammation that can lead to cardiovascular complications,” said Michelle Olive, Ph.D., associate director of the Basic and Early Translational Research Program at the National Heart, Lung, and Blood Institute (NHLBI), part of NIH. “The research also suggests that suppressing the inflammation through treatments might help minimize these complications.”
  • and
    • “An investigational gene therapy for a rare neurodegenerative disease that begins in early childhood, known as giant axonal neuropathy (GAN), was well tolerated and showed signs of therapeutic benefit in a clinical trial led by the National Institutes of Health (NIH). Currently, there is no treatment for GAN and the disease is usually fatal by 30 years of age. Fourteen children with GAN, ages 6 to 14 years, were treated with gene transfer therapy at the NIH Clinical Center and then followed for about six years to assess safety. Results of the early-stage clinical trial appear in the New England Journal of Medicine
    • “The gene therapy uses a modified virus to deliver functional copies of the defective GAN gene to nerve cells in the body. It is the first time a gene therapy has been administered directly into the spinal fluid, allowing it to target the motor and sensory neurons affected in GAN. At some dose levels, the treatment appeared to slow the rate of motor function decline. The findings also suggest regeneration of sensory nerves may be possible in some patients. The trial results are an early indication that the therapy may have favorable safety and tolerability and could help people with the rapidly progressive disease.
    • “One striking finding in the study was that the sensory nerves, which are affected earliest in GAN, started ‘waking up’ again in some of the patients,” said Carsten G. Bonnemann, M.D., senior author and chief of the Neuromuscular and Neurogenetic Disorders of Childhood Section at the National Institute of Neurological Disorders and Stroke (NINDS), part of NIH. “I think it marks the first time it has been shown that a sensory nerve affected in a genetic degenerative disease can actually be rescued with a gene therapy such as this.”
  • Lifesciences Intelligence reports,
    • “Recently, JAMA Network Open published a study analyzing the association between a healthy diet, sleep duration, and type 2 diabetes (T2D) risk. The study data revealed that habitual short sleep duration was linked to an increased probability of T2D by as much as 41%.
    • “Using data on 247,867 individuals from the UK biobank, researchers divided patients into groups based on their sleeping habits. The stratified groups included normal (7–8 hours per night), mildly short (6 hours per night), moderately short (5 hours per night), and extremely short (3–4 hours per night).
    • “Across all study participants, only 3.2% were diagnosed with T2D; however, the adjusted hazard ratios revealed that the prevalence of T2D was higher among shorter sleep groups. More specifically, the increased probability of T2D was identified in those who slept 5 hours or less per night. Those in the moderate short sleep group were 16% more likely to have a T2D diagnosis. Additionally, those in the extremely short sleep group had a 41% greater likelihood of being diagnosed with T2D.”

From the U.S. healthcare business front,

  • BioPharma Dive relates,
    • “Orchard Therapeutics said Wednesday it will offer a new gene therapy to children with a rare, devastating disease at a record-setting wholesale price of $4.25 million. 
    • “The therapy, Lenmeldy, won Food and Drug Administration approval on Monday to treat patients with early-onset metachromatic leukodystrophy, or MLD. The disease, which most often attacks infants between six months and two years of age, robs patients of the ability to walk, talk and function in the world, killing most of its earliest victims within five years of onset.
    • “Lenmeldy’s price tag will leapfrog those of the two most expensive gene therapies available in the U.S. Sarepta Therapeutics sells its Elevidys treatment for Duchenne muscular dystrophy for $3.2 million, while CSL and UniQure’s hemophilia treatment Hemgenix costs $3.5 million.”
  • MedPage Today lets us know,
    • “Despite being a growing percentage of the physician workforce, women physicians continued to be paid less than their male colleagues, a strong body of evidence shows.
    • “While the gender pay gap decreased by 2% from 2021 to 2022 — from 28% to 26% — the gap was still significant, according to online networking service Doximity’s 2023 physician compensation reportopens in a new tab or window.
    • “Women doctors in 2022 earned nearly $110,000 less per year than men physicians, on average, after adjusting for specialty, location, and years of experience. Data from individual states have backed up this figure, too. For instance, in 2022, the Maryland State Medical Society conducted a survey and found that women doctors in Maryland are paid about $100,000 less annually than men.”
  • Beckers Hospital Review lists ten common issues in pharmacies.
  • United Healthcare updated its Change Healthcare cyberattack response website today.
  • HR Daily Advisor explains how companies are exploring the limitations of employee assistance plans amid the country’s mental health crisis.
  • Forbes reports,
    • “Medical diagnosis and procedure codes are so numerous and varied that Debbie Beall, manager of coding at Houston Methodist in Texas, needs a 49-person team to translate the medical notes written by the system’s 1,600 clinicians into the codes needed to bill insurers.
    • “There is a medical code for every imaginable scenario – from “burn due to water-skis on fire” to “spacecraft collision injuring occupant” — and their specificity determines how much the insurance companies pay. Each team member processes anywhere from 70 to 250 claims per day, depending on the complexity, she said. That’s why Beall is so excited about the possibility of using artificial intelligence to speed up the job.
    • “There’s no way I’m ever going to replace coders completely with an AI system,” Beall told Forbes. But for run-of-the-mill procedures performed multiple times a day in a hospital, like X-rays and EKGs? “Yes, an AI engine can do that.”
    • “Beall was one of the first dozen or so people to test a prototype of an AI-powered medical coding tool from electronic health records giant Epic Systems, which had $4.6 billion in revenue in 2022. Based on GPT-4, the large language model that powers the viral chatbot ChatGPT, Epic’s coding assistant prototype ingests and summarizes clinician notes and then tees up the “most likely” diagnosis codes and procedures codes, along with suggestions of “other potential codes,” according to mock ups viewed by Forbes that did not include real patient information. * * *
    • “While Epic has so far focused on using generative AI in back office functions, it has also been working on a patient-facing application that wouldn’t require human review. Krause told Forbes a tool that would help explain the patient’s bill, including their deductible and outstanding balance, could be rolled out by November. “We feel like that’s a fairly benign place to start. It’s not about healthcare at that point, but it’s really about their billing,” he said. “That’s not going to harm a patient in any way.”

   

Cybersecurity Saturday

David ErmerCybersecurity

From the cybersecurity policy,

  • Cyberscoop reports,
    • “A cyberattack on a payment processor that has crippled large parts of the U.S. health care system is inspiring calls in Washington to urgently implement cybersecurity regulations for the sector, setting up a showdown with hospital and health care groups that are stridently arguing against such a move. 
    • “As these companies have become so large, it is creating a systemic cybersecurity risk,” Sen. Ron Wyden, an Oregon Democrat, said Thursday during a Senate Finance Committee hearing featuring Health and Human Services Secretary Xavier Becerra, whose agency is responsible for overseeing the health care industry’s digital security standards. * * *
    • “The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture. HHS has proposed a voluntary set of cybersecurity standards and is working to develop mandatory rules, but these are unlikely to come into effect soon. 
    • “Until mandatory rules are in place, industry critics like Wyden want sharper action. “The next step has got to be fines and accountability for negligent CEOs, which will enable HHS to protect patients and our national security,” he said Thursday.”
  • Cybersecurity Dive adds,
    • ‘Ransomware remains a persistent threat, despite law enforcement actions aimed at disrupting the infrastructure threat actors rely on to conduct their attacks, according to the Office of the Director of National Intelligence’s latest annual threat assessment.
    • “Transnational organized criminals involved in ransomware operations are improving their attacks, extorting funds, disrupting critical services and exposing sensitive data,” said the report, which was publicly released Monday. “Important U.S. services and critical infrastructure such as healthcare, schools and manufacturing continue to experience ransomware attacks.”
    • “National intelligence leaders warned that the ransomware problem is worsening and is growing more difficult to combat.”
  • In this regard, the Wall Street Journal considers “Why Are Data Breaches Still Rising If Companies Are So Focused on Cybersecurity.”
    • Evolving Ransomware Attacks * *. * First, after a slight drop [in 2022], [ransomware] attacks are on the rise again due to the emergence of ransomware gangs that franchise their malware and make it available to budding cybercriminals. This trend is allowing more criminals, even those with minimal computer knowledge, to get into the ransomware game.”
    • “Second, these attacks are becoming more damaging in that many attackers are now stealing their victims’ data, in addition to just locking it up. I refer to this new approach as Ransomware 2.0. The hackers threaten to disclose the private information if they don’t receive a ransom payment. This results in large leaks of corporate and consumer data that didn’t occur before.
    • Cloud misconfiguration: More companies now store and maintain their corporate data in the cloud via services such as Amazon Web Services, Google Cloud and Microsoft Azure to avoid the expense of having to own and operate their own data centers. This is making the cloud an attractive target for hackers. In fact, 82% of breaches in 2023 involved data stored in the cloud, according to a recent IBM report.
    • “Cybercriminals are taking advantage of the fact that many organizations migrated rapidly to the cloud without fully understanding all of the configuration settings and establishing procedures to keep their data safe. As a result, errors and glitches in these settings are common, and many companies have no idea that their sensitive information is exposed to the public internet until it is too late. Such misconfigurations have become one of the most common security issues when deploying new cloud-based applications.
    • Exploitation of vendor systems: Almost every company, especially large companies, rely on a network of vendors to provide services ranging from maintaining the air conditioning to updating software packages. These vendors often have special access to the company’s computers, which I refer to as “side doors,” similar to a passkey given to the cleaning crew. 
    • “As large companies have become better prepared to repel cyberattacks, hackers have shifted their attention to vendors, often much smaller companies with limited cyber defense resources and expertise. Attackers exploit those weaknesses to first get into the vendor’s system, then use the vendor’s privileged access to get into the computer systems of every company that uses the vendor.” 

From the cyber vulnerabilities and breaches front,

  • Cybersecurity Dive tells us,
    • “The Cybersecurity and Infrastructure Security Agency was hit by a cyberattack earlier this year after a yet-to-be identified threat actor intruded the agency’s systems by exploiting critical vulnerabilities in Ivanti products.
    • “About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson told Cybersecurity Dive Friday. Threat actors started widely exploiting a pair of zero-day vulnerabilities in Ivanti Connect Secure and other remote access VPNs in early December.
    • “The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.”
  • It happens to the best of us.
  • SC Media informs us,
    • “StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics.
    • “StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro’s 2023 Annual Cybersecurity Report published last week. STOP typically targets smaller targets with an average ransom payment size of $619 in the first half of 2023, according to a mid-year report by Chainalysis.
    • “SonicWall reported Tuesday that a new StopCrypt variant employes several evasion tactics in a multi-stage shellcode deployment process, including a long delay loop, dynamic API resolution and process hollowing, or the replacement of code in a legitimate executable to malicious code. * * *
    • “The STOP variant described by SonicWall bears similarities to a variant discovered by PCrisk researchers last year, which was originally submitted through VirusTotal. Similarities include the “.msjd” file extension and the ransom note, including the threat actor’s contact information.”
  • UHC continues to update it Change Healthcare cyberattack response site. The new feature is a “how-to video on the temporary funding process for UnitedHealthcare providers.”

From the cybersecurity defenses front,

  • Healthcare IT News offers an interview with Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance about early lessons learned from the Change Healthcare situation.
  • SC Media offers an expert article on the same topic.
  • Tech Target makes available ten best practices for deploying patches.

Midweek Update

David ErmerCMS, Cybersecurity, Federal employment benefits, Generative AI, Medical / Rx research, Mental health care, NIH, Obesity, OPM, U.S. Healthcare
Photo by Manasvita S on Unsplash

From Washington, DC,

  • Federal News Network builds on OPM’s March 12 press release about the Postal Service Health Benefits Program launch in January 2025.
  • STAT News calls attention to healthcare points that you might have missed in the President’s FY 2025 budget. For example,
    • “The budget proposes for the first time a change to the law that would let pharmacists fill prescriptions for brand-name biologics with biosimilars without doctor permission. The measure is part of the administration’s plan to lower drug costs. * * *
    • “Besides budget boosts for behavioral health services, research, and the 988 crisis hotline, the administration is asking Congress for legislative changes to make mental health care more accessible. Those include eliminating Medicare’s 190-day lifetime limit on psychiatric services in hospitals, which it estimates would cost the program $2.9 billion over 10 years. * * *
    • “Medicare would also have to cover three behavioral health visits without cost-sharing, a move that could cost $1.5 billion over a decade. Biden wants to extend this requirement to private insurers as well, at an estimated cost of $428 million over that time.”
  • HealthDay informs us,
    • The White House on Wednesday launched a nationwide call for more training and better access to the lifesaving opioid overdose drug naloxone.
    • Called the Challenge to Save Lives from Overdose, the initiative urges organizations and businesses to commit to train employees on how to use opioid overdose medications, to keep naloxone in emergency kits and to distribute the drug to employees and customers so they might save a life at home, work or in their communities.
    • “Today, we’re calling on organizations and businesses — big and small, public and private — across the country to help ensure all communities are ready to use this lifesaving tool to reduce opioid deaths,” the White House said in a fact sheet announcing the new initiative. “As the drug supply has gotten more dangerous and lethal, we’re asking allies to join us because we all must do our part to keep communities safe.”
  • The CDC is offering free webinars on the RxDC process on March 27 and April 3.

From the Change Healthcare situation front,

  • United Healthcare updated its Change Healthcare situation response website this afternoon.
  • The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rule, issued a Dear Colleague letter about the Change Healthcare situation and announced opening an investigation of UHC about cyberattack and its fallout.
  • The Congressional Research Service posted an insight report titled “The Change Healthcare Cyberattack and Response Considerations for Policymakers.’
  • The American Medical Association explained how providers can navigate the Change Healthcare situation.

From the public health and medical research front,

  • The New York Times reports,
    • “Early detection of colon cancer can prevent a majority of deaths from this disease, possibly as much as 73 percent of them. But just 50 to 75 percent of middle-aged and older adults who should be screened regularly are being tested.
    • “One reason, doctors say, is that the screening methods put many people off.
    • “There are two options for people of average risk: a colonoscopy every 10 years or a fecal test every one to three years, depending on the type of test.
    • “Or, as Dr. Folasade P. May, a gastroenterologist at UCLA Health puts it, “either you take this horrible laxative and then a doctor puts an instrument up your behind, or you have to manipulate your own poop.”
    • “But something much simpler is on the horizon: a blood test. Gastroenterologists say such tests could become part of the routine blood work that doctors order when, for example, a person comes in for an annual physical exam. * * *
    • “A study published on Wednesday in The New England Journal of Medicine found that a blood test searching for such [colon cancer] DNA called Shield and made by the company Guardant Health detected 87 percent of cancers that were at an early and curable stage. The false positive rate was 10 percent.
    • “But there is a caveat to the blood test: While it detects cancers, it misses most large polyps, finding just 13 percent of them. In contrast, the fecal test detects 43 percent and a colonoscopy finds 94 percent, Dr. Carethers said.
    • “While polyps are usually harmless, a few can turn into cancers, so doctors want to find all of them and remove them to prevent cancers from forming.”
  • The Department of Health and Human Services posted a fact sheet on in vitro fertilization across our country.
  • BioPharma Dive tells us,
    • “Merck on Wednesday announced plans to start clinical trials testing a newer version of its vaccine for human papillomavirus, or HPV, as well as a different regimen of the shot it currently sells.
    • “The trials are bids to improve upon vaccines Merck currently markets as Gardasil and Gardasil 9. One will test a shot meant to provide protection against more strains of HPV. The other will evaluate a single-dose regimen of Gardasil 9. Both studies should begin in the fourth quarter of this year. 
    • “Gardasil is approved for use against genital warts and to prevent several cancers caused by stains of HPV. The vaccine is one of Merck’s top-selling products and still growing. It generated $8.9 billion in sales in 2023, up 29% from the previous year.” 
  • STAT News informs us,
    • “For four decades, researchers and companies searched for ways to replace the broken blood-clotting genes that cause hemophilia, a multibillion dollar effort designed to turn a chronic, sometimes debilitating disease into a curable one. 
    • “But the first two gene therapies have so far been met with crickets. Only a handful of patients with hemophilia B, the rarer form of the disease, appear to have been treated worldwide since Hemgenix was approved in November 2022. After Roctavian was approved for hemophilia A last June, only three patients were treated through the rest of the year.
    • “The issue doesn’t appear to be access. Hemgenix and Roctavian, marketed by the Australian biotech CSL Behring and the San Francisco biotech BioMarin, are Malibu-mini-mansion expensive: $3.5 million and $2.9 million, respectively. But current hemophilia treatments can run over $1 million per year. So most insurers have been happy to pay the lump sum.
    • “​​You can’t blame the payers this time,” said Michael Sherman, former chief medical officer of the nonprofit insurer Harvard Pilgrim.” 
  • The National Cancer Institute posted research highlights.
  • The National Institutes of Health announced,
    • “Researchers at the National Institutes of Health (NIH) have discovered that symptoms of attention-deficit/hyperactivity disorder (ADHD) are tied to atypical interactions between the brain’s frontal cortex and information processing centers deep in the brain. The researchers examined more than 10,000 functional brain images of youth with ADHD and published their results in the American Journal of Psychiatry. The study was led by researchers at NIH’s National Institute of Mental Health and National Human Genome Research Institute. * * *
    • “The findings from this study help further our understanding of the brain processes contributing to ADHD symptoms—information that can help inform clinically relevant research and advancements.”
  • The Institute for Clinical and Economic Review published a “Final Evidence Report on Treatments for Paroxysmal Nocturnal Hemoglobinuria. — Independent appraisal committee voted that current evidence is not adequate to demonstrate a net health benefit for iptacopan over C5 inhibitor; committee voted that the evidence is adequate to demonstrate a net health benefit for add-on danicopan compared to C5 inhibitor alone.”
  • Medscape relates,
    • “Chronic smoking remains a major cause of premature mortality on a global scale. Despite intensified efforts to combat this scourge, a quarter of deaths among middle-aged adults in Europe and North America are attributed to it. However, over the past decades, antismoking campaigns have borne fruit, and many smokers have quit before the age of 40 years, enabling some case-control studies.
    • “Among those abstainers who made the right choice, the excess mortality attributable to smoking over a lifetime would be reduced by 90% compared with controls who continued smoking. The estimated benefit is clear, but the analysis lacks nuance. Is smoking cessation beneficial even at older ages? If so, is the effect measurable in terms of magnitude and speed of the effect? An article published online on February 8, 2024, in The New England Journal of Medicine Evidenceprovided some answers to these questions.”

From the HIMSS conference front,

  • Healthcare IT News reports “Samsung focuses on intuitive mobile tech and wearables at HIMSS24. These technologies can help cure healthcare worker burnout, patient confusion and inefficient communications between care teams, says a top exec and nurse.”
  • Forbes explains why AI is taking center stage at the conference.
    • “At the HIMSS conference in Orlando, healthcare leaders, including CIOs, CMIOs, CNIOs, and other C-suite members, were focused on AI as the central theme. They explored how healthcare organizations can better utilize their clinical data. They identified security, AI platforms, and workforce optimization as the three main areas for healthcare AI development.”
  • In related news, Health IT Analytics lets us know,
    • “Researchers from Mount Sinai have been awarded a four-year, $3 million grant from the National Heart, Lung, and Blood Institute of the National Institutes of Health (NIH) to develop artificial intelligence (AI)-driven prediction models to flag risk of cardiovascular disease events in patients with obstructive sleep apnea.
    • “The American Heart Association (AHA) indicates that obstructive sleep apnea increases patients’ risk of cardiovascular disease, including coronary artery disease, hypertension and stroke. The use of continuous positive airway pressure (CPAP) machines is often prescribed to treat sleep apnea, but evidence to suggest the benefits of CPAP use in relation to cardiovascular event rates is limited.
    • “To bridge this gap, the research team will build machine learning (ML) tools to identify obstructive sleep apnea patients at high risk for atherosclerosis progression and cardiovascular events like stroke and heart attack.”

In other U.S. healthcare business news,

  • The Wall Stree Journal reports,
    • “People seeking a popular new weight-loss drug will have a new home-delivery option from a familiar name: Amazon.com.
    • Amazon Pharmacy, which has sold prescription medicines online since 2020, will now handle some of the home delivery of anti-obesity therapy Zepbound and other Eli Lilly drugs that are ordered through the drugmaker’s new direct-to-consumer service, the companies said Wednesday.
    • “The service, called LillyDirect, connects patients with telehealth services specializing in obesity that can write prescriptions for Zepbound or another weight-loss drug. The service also arranges for a prescription to be processed and mailed directly to customers.” 
  • The Society for Human Resource Management notes,
    • “According to the latest Employer Costs for Employee Compensation report, released March 13 by the U.S. Bureau of Labor Statistics (BLS), employers spent 3.8 percent more on wages and benefits in December 2023 compared to September 2023.
    • “Total employer compensation costs for private-industry workers averaged $43.11 per hour worked in December 2023. Wages and salaries averaged $30.33 per hour worked and accounted for 70.4 percent of employer costs, while benefit costs averaged $12.77 per hour worked and accounted for the remaining 29.6 percent, according to the BLS report.
    • :That’s a significant jump from the total employer compensation costs for those same workers last fall, and one indicating that despite slowing compensation growth over the past year, bigger hikes are not yet over.”

Tuesday Tidbits

David ErmerCOVID-19, Cybersecurity, Electronic health records, FDA, Generative AI, Medical / Rx research, Medicare, NIH, Obesity, OPM, Patient safety, U.S. Healthcare
Photo by Patrick Fore on Unsplash

From Washington, DC,

  • Because this is the FEHBlog, the lede tonight necessarily is OPM’s announcement naming the carriers who are currently prepared Postal Service Health Benefit Program benefit and rate proposals. Good luck to them all.
  • FedWeek notes,
    • “President Biden has issued an open letter to federal employees thanking them for their “tireless service on behalf of our country.”
  • and
    • “While seeking a January 2025 raise of 2 percent (see related story), the White House’s fiscal 2025 budget proposal cites several initiatives related to federal pay.
    • “In addition to year-to-year pay increases, the Administration is pursuing structural reforms to enhance the competitiveness of the Federal pay system,” it says.
  • Reg Jones, writing in Fedweek, fills us in on benefits available upon the death of a federal employee or annuitant.
  • The Department of Health and Human Services provided a readout from “Biden-Harris Administration Convening with Health Care Community Concerning Cyberattack on Change Healthcare. Leaders from HHS, White House, DOL, and the health care community convened to discuss ways to mitigate harms to patient and providers caused by the cyberattack.”
  • The Food and Drug Administration “advised consumers in Some Medicines and Driving Don’t Mix to make sure they know if their prescription or over-the-counter medication can cause side effects that may make it unsafe to drive. Most medications won’t affect consumers’ ability to drive safely or operate other heavy machinery, but some do.”
  • The Buck consulting firm points out why “maintaining creditable coverage may prove difficult for some employer sponsored plans in 2025.”
  • STAT News discusses the treatment impact of new federal methadone rules.
    • “The federal government is reforming methadone care for the first time in over two decades. But how far do the changes actually go?
    • “To many methadone clinics, the Biden administration’s recent refresh of the rules governing opioid treatment programs represents an unprecedented opportunity to offer care that is more compassionate and responsive to patients’ needs. To many patient advocates, however, it simply nibbles around the edges. 
    • “The reality is likely somewhere in between: It will depend, in large part, on whether state-level regulators embrace the changes, and whether individual clinics actually implement them. In reform-oriented states, and at patient-centered clinics, the new rules could make a world of difference for people seeking addiction treatment.” 
  • The Office of National Coordinator for Healthcare Information Technology, Micky Tripathi, in his blog, looks forward to “HTI-2 & ONC’s Commitment to Furthering the Vision of Better Health Enabled by Data.”

From the public health and medical research front,

  • BioPharma Dive reports,
    • “Roche’s experimental Alzheimer’s disease drug trontinemab showed “best-in-class” potential based on its ability to quickly clear clumps of amyloid protein from the brains of patients enrolled in a small clinical trial, the company said Monday.
    • “A majority of patients receiving the highest dose of the drug, which is specially designed to penetrate brain tissue, saw their amyloid levels drop below detectable levels after 12 weeks, Roche executives said in an investor presentation on the pharmaceutical giant’s neurology pipeline.”
  • Reuters tells us, “Pfizer  said on Tuesday its drug, Adcetris, extended survival in patients with the most common type of lymphoma in a late-stage study, bolstering efforts to expand the use of the treatment gained through its $43 billion purchase of Seagen [in 2023].
  • MedPage Today lets us know,
    • “Pragmatic implementation of an automated online behavioral obesity treatment program that included 9 months of active maintenance helped people with overweight or obesity lose a clinically significant amount of weight by 12 and 24 months, a randomized trial showed. * * *
    • “This pattern persisted at 24 months, reported J. Graham Thomas, PhD, of the Weight Control and Diabetes Research Center in Providence, Rhode Island, and colleagues in JAMA Internal Medicine.
    • “This study shows that a fully automated online obesity treatment program can produce beneficial results for many patients in real-world primary care settings,” Thomas told MedPage Today. “We were encouraged to find that the online weight-loss program performed just as well in real-world primary care practices as it does in our previous highly controlled clinical trials.”
    • “These patients lost weight “at rates comparable” to those seen in studiesopens in a new tab or window in which the researchers were completely hands-on in every aspect of the program, he added.
    • “Because the treatment program is online and fully automated, Thomas said it is quite practical for widespread implementation across primary care practices. “The data show that the primary care clinicians were able to implement the program independently, and patients were able to use it successfully.”
  • Beckers Hospital Review adds,
    • “Hospital transplant departments have strict cutoffs for patients with higher body mass indexes because of the increased risk of complications, but GLP-1s such as Ozempic and Wegovy are helping more patients be eligible for surgery. 
    • “Potential transplant donors and diabetic patients who otherwise would not be able to undergo surgery because of their BMI are now quickly dropping weight. Popular GLP-1s, including Ozempic, and GLP-1s and glucose-dependent insulinotropic polypeptides, such as Mounjaro and Zepbound, are dramatically helping these weight loss efforts.” 
  • Medscape cautions,
    • “Novo Nordisk’s CEO on Friday said the company was working with authorities in several countries to tackle counterfeit versions of its popular diabetes drug Ozempic, as new reports emerge of patient harm across the world.
    • “This is something we take very seriously,” Lars Fruergaard Jorgensen, CEO of the Danish drugmaker, told Reuters. * * *
    • “Jorgensen, echoing comments from the FDA’s Califf, also said compounded semaglutide in the United States was a serious health issue, and that the raw materials, or active pharmaceutical ingredients (API), for these products were coming from unregulated facilities in Asia and elsewhere. 
    • “We don’t know them, and we have really no insights or ability to understand what the API is in a certain compounded product,” he said.
    • “While fake drugs often do not contain any of the medication advertised, compounded drugs are custom-made medicines that are based on the same ingredients as branded drugs. Because Wegovy and Ozempic are in short supply, they can be legally produced by licensed pharmacies in the U.S.
    • “Further reports obtained by Reuters through FOIA requests show that one person died last year from abnormal blood clotting after taking a drug that was advertised as compounded semaglutide. Three others suffered severe vomiting and nausea, sensory loss in their legs, and a drop in blood platelet levels.”
  • The U.S. Census Bureau announced,
    • “An additional 573,000 people died in the United States during the first year of the COVID-19 pandemic but “excess mortality” at the national level masks substantial variations by state, age, sex, and race and ethnicity, according to new U.S. Census Bureau research recently published in Demography.
    • “Excess mortality” refers to deaths from any cause above what is expected from recent mortality trends.
    • “This research shows the pandemic widened the mortality gap between the nation’s Black and White populations and completely erased the mortality advantage of the Hispanic population in relation to the non-Hispanic White population.”
  • The National Institutes of Health announced‘,
    • “Two phase 2 clinical trials to test the safety and effectiveness of three treatments for adults with autonomic nervous system dysfunction from long COVID have begun. The autonomic nervous system acts largely unconsciously and regulates bodily functions, such as heart rate, digestion and respiratory rate. Symptoms associated with autonomic nervous system dysfunction have been among those that patients with long COVID say are most burdensome. The trials are part of the National Institutes of Health’s Researching COVID to Enhance Recovery (RECOVER) Initiative, a nationwide research program to fully understand, diagnose and treat long COVID. Other RECOVER phase 2 clinical trials testing treatments to address viral persistence and neurological symptoms, including cognitive dysfunction (like brain fog), launched in July 2023. * * *
    • “People 18 years of age and older who are interested in learning more about these trials can visit https://trials.RECOVERCovid.org/autonomic or ClinicalTrials.gov and search identifier NCT06305793, NCT06305806 and NCT06305780. Please do not contact the NIH media phone number or email to enroll in these trials.”
  • The Wall Street Journal warns,
    • “Ultra-processed foods may not only affect our bodies, but our brains too.
    • “New research suggests links between ultra-processed foods—such as chips, many cereals and most packaged snacks at the grocery store—and changes in the way we learn, remember and feel. These foods can act like addictive substances, researchers say, and some scientists are proposing a new mental-health condition called “ultra-processed food use disorder.” Diets filled with such foods may raise the risk of mental health and sleep problems
    • “The science is still early and researchers say there is a lot they don’t know. Not all ultra-processed foods are equal, some scientists say, adding that some might be good for you. A diet high in ultra-processed foods has been linked with obesity, Type 2 diabetes, cancer and cardiovascular disease, but researchers are still figuring out exactly why, beyond calorie counts and nutrient composition. 
    • “Makers of foods such as processed meats and muffins defend their products, and note that there isn’t a consistent, universally accepted definition of ultra-processed food.”

From the HIMSS Conference in Orlando,

  • HIMSS offers an article about “Google Cloud’s debut of new genAI advancements for healthcare at HIMSS24. In total, the company is offering its cloud clients updates to Vertex AI Search, Healthcare Data Engine and MedLM, designed to improve patient care.”

From the U.S. healthcare business front,

  • HR Dive reports,
    • “Nearly half of U.S. workers don’t have the benefits they need at work, according to the results of a survey by Perceptyx, an employee experience company. Of the 1,500 full-time employees surveyed, 59% said they had “benefits envy” of friends’ and family members’ healthcare coverage.
    • “When it comes to benefits equity, the survey found that medical, maternity and mental health are the “magic trifecta,” Emily Killham, senior director of people analytics, research and insights at Perceptyx, said. “When employees have access to all three, women and men feel equally that their needs are met.”
    • “Yet 53% of those surveyed said they don’t have mental health coverage, 51% don’t have maternity leave, and 25% don’t have any medical benefits, per the results.”
  • Beckers Hospital Review informs us,
    • “Healthgrades recognized 832 hospitals with its 2024 Patient Safety Excellence Awards and Outstanding Patient Experience Award. Only 79 of those hospitals received both awards. 
    • “The dual recipients spanned 27 states. Texas had the most dual recipients with 13 honorees — including four Baylor Scott and White Health and four Houston Methodist hospitals.”
    • The article lists the dual recipients.
  • Beckers Payer Issues relates,
    • “Selective contracting with primary care physicians may be one factor behind lower per-patient expenses in Medicare Advantage, a study published in the March edition of Health Affairs found. 
    • “The study examined 4,456,037 traditional Medicare patients who visited 151,679 primary care physicians. The physicians who participated in Medicare Advantage networks had $433 lower costs per patient than the regional average of physicians. 
    • “The quality measures for physicians participating in Medicare Advantage were similar to the regional average, the study found. 
    • “Physicians who did not participate in any MA networks cost $1,617 more per patient per year than those participating in MA networks, and they had lower quality measures. 
    • “The findings suggest that “managed care tools, particularly selective contracting with primary care physicians” contribute to lower costs in Medicare Advantage, the authors concluded. Though the differences in cost are most likely attributable to differences in practice style, that could also serve as a mechanism for plans to select healthier patients, the authors wrote.” 
  • Health Payer Intelligence adds,
    • “The average Medicare Advantage premium has remained low and stable, with many beneficiaries choosing plans with a zero-dollar monthly premium, according to data from eHealth, Inc.
    • “eHealth’s seventh annual Medicare Index Report includes data from over 190,000 applications for Medicare insurance products submitted to eHealth during the annual enrollment period for 2024 coverage.
    • “The average monthly premium for Medicare Advantage plans chosen by eHealth customers for 2024 is $9, the same as last year and up slightly from $6 in 2022. The popularity of plans with zero-dollar premiums contributed to the low average.”
  • HealthDay informs us,
    • “The cost to American families of caring for a child with a mental health condition jumped by almost a third between 2017 and 2021.
    • “It now costs an average $4,361 more per year for a U.S. family to care for a child with a mental health condition, compared to families without such children, a new study has found.” 

Weekend Update

David ErmerCDC, CMS, Congress, Cybersecurity, Medical / Rx research, Medicare, Rx coverage, U.S. Healthcare
Photo by Tomasz Filipek on Unsplash

From Washington, DC,

  • Reuters adds, “U.S. President Joe Biden will put forth his proposed U.S. spending plan [tomorrow] March 11, according to the White House Office of Management and Budget.”
  • Today, the Department of Health and Human Services posted a letter to healthcare leaders about the Change Healthcare cyberattack.
    • We urge insurance companies and other payers to:
      • Make interim payments to impacted providers. Larger payers in particular have the balance sheet stability to advance payments. Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments [FEHBlog note — assuming that the payer doesn’t rely on Change Healthcare for backend claims processing.}
      • In particular, for Medicaid plans, consider making interim payments to impacted providers.
      • Ease the administrative burden on providers by simplifying electronic data interchange requirements and timelines and by accepting paper claims. 
      • Pause prior authorizations and other utilization management requirements; use all available leeway on deadlines.
  • The Washington Post further reports,
    • “Federal health officials on Saturday said they would offer emergency funding to physicians, physical therapists and other professionals that provide outpatient health care, following a cyberattack that crippled the nation’s largest processor of medical claims and left many organizations in financial distress.
    • “The Centers for Medicare and Medicaid Services also announced that it would make advance payments available to suppliers that bill through Medicare Part B, which serves a wide array of health-care organizations. Officials had previously announced a similar program to make emergency payments available for hospitals that had been ensnared by the Feb. 21 hack of Change Healthcare, a unit of UnitedHealth Group, and have struggled to get paid for more than two weeks. The emergency funds represent upfront payments made to health-care providers and suppliers based on their expected future claims. * * *
    • “It’s going to help significantly,” added Farzad Mostashari, the CEO of Aledade, the nation’s largest network of independent physician practices. Mostashari had previously warned that as many as 25 percent of physician practices were in financial distress.”

From the public health and medical research front,

  • According to the Centers for Disease Control,
    • “Activity Levels Update:
      • “The amount of respiratory illness (fever plus cough or sore throat) causing people to seek healthcare is elevated across many areas of the country. This week, 20 jurisdictions experienced high or very high activity compared to 26 jurisdictions previous week.
      • “Nationally, emergency department visits with diagnosed COVID-19, influenza, and RSV are decreasing.
      • “Influenza test positivity remained stable nationally. COVID-19 and RSV test positivity decreased compared to the previous week.
      • “Nationally, COVID-19 wastewater viral activity levels, which reflects both symptomatic and asymptomatic infections, has decreased to moderate.
    • Reported on Friday, March 8th, 2024.
  • Fortune Well offers advices on pregnancy in advance maternal age (at age 35 or older).
  • The Washington Post tells us,
    • “Tai chi, a gentle Chinese martial art involving slow movements, outperformed moderate aerobic exercise in lowering blood pressure in a recent clinical trial.
    • “An analysis, published in JAMA Network Open, tracked 342 18- to 65-year-olds with prehypertension, or blood pressure that is slightly higher than normal, between late July 2019 and mid-January 2022. * * *
    • “These findings support the important public health value of Tai Chi to promote the prevention of cardiovascular disease in populations with prehypertension,” the researchers conclude. Other research continues to explore the potential benefits of tai chi. The exercises are associated with better balance, fall reduction, and benefits for patients with conditions such as arthritis and fibromyalgia.”
  • Bloomberg discusses measles prevention practices for adults born after 1957.
    • “[Katrine Wallace, an epidemiologist at University of Illinois Chicago] says, adults are sufficiently protected from the measles if one of these four things applies to you:
      • “You had measles at some point in your life.
      • “You were born before 1957.
      • “You’ve had two doses of a measles-containing vaccine if you spend time in a high-risk setting for transmission, like schools or hospitals. 
      • Y”ou’ve had one dose of a vaccine if you don’t spend time in high-risk settings. 
      • “Kids and teens need one or two doses for protection depending on their age.” 
    • If you aren’t sure whether you’ve been vaccinated or had the measles, you can get what’s called an MMR titer test, which is available commercially at various labs for about $129, Wallace advises.
  • The Wall Street Journal delves into the development of individual body organ tests.
    • “Measuring organ age is the latest frontier in the world of biological age, the idea that your body’s physical age can be different from its chronological one. For example, a 50-year-old man hypothetically might have physical health that more closely resembles that of a 53-year-old, with, say, a 51-year-old heart and a 54-year-old brain.
    • “Knowing the age of your organs might one day help you prevent and treat disease. In theory, if you knew that your heart was aging too fast, you could take steps to ward off heart disease.
    • “Heart aging predicts future heart disease, and brain aging predicts future dementia,” says Hamilton Oh, one of the paper’s lead authors and a graduate student at Stanford.
    • “Walking into your doctor’s office and getting a simple test to determine your organ age is likely still a ways off, but the concept is gaining interest among researchers, doctors and people focused on their own longevity and health. Scientists caution that more research is needed before such a technology might be ready for mainstream use. Some also say that parts of the recent study made too many assumptions.”

From the U.S. healthcare business front,

  • The Dispatch informs us,
    • “A 2021 study published by the RAND Corporation found that, even after rebates and other discounts, U.S. prescription drug prices were, on average, nearly twice as high as those in countries including Canada, France, Germany, Japan, and the United Kingdom. A 2024 study, also conducted by the RAND Corporation for the Office of the Assistant Secretary for Planning and Evaluation, similarly found that 2022 drug prices in the U.S. were nearly three times higher than those in the 33 Organisation for Economic Co-operation and Development (OECD) countries used in the comparison.
    • “However, the study also found that, on average, unbranded generic drugs were about a third cheaper in the U.S. than in other comparison countries, meaning Americans are actually paying less for these drugs than they would elsewhere. “This finding suggests that robust price competition in U.S. unbranded generic markets continues to drive savings for consumers and health care payers relative to spending on these drugs in other countries,” the study said. Even though generic drugs make up 90 percent of U.S. prescription volume, the substantially higher cost for brand-name drugs still results in a higher average cost for all drugs in the U.S. than elsewhere, according to the report.”
  • HR Dive lets us know,
    • “Judge J. Campbell Barker of the U.S. District Court for the Eastern District of Texas vacated the National Labor Relations Board’s joint employer rule late Friday. The rule was set to go into effect Monday.
    • “The new rule would be “contrary to law” and “arbitrary and capricious,” Barker ruled. The court had been considering a legal challenge brought in November by the U.S. Chamber of Commerce, along with other business groups. 
    • “Federal agencies and employers now await a possible court decision on the U.S. Department of Labor’s independent contractor rule, also set to go in effect Monday.”