Cybersecurity Saturday


From the cybersecurity policy front,

  • Cyberscoop informs us,
    • “FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
    • “Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
    • “More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
    • “The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.”
  • The Hill reports,
    • “Artificial intelligence (AI) is making ransomware faster and easier to use as the online crime hits record levels, experts said at a House Financial Services subcommittee hearing Tuesday.
    • “We have tremendous concern about the future of AI and the direction it is allowing criminal actors to take, including more sophisticated deepfakes that ultimately form the first step in the chain of ransomware attacks,” said Megan Stifel, chief strategy officer at the Institute for Security and Technology.”
  • Cybersecurity Dive adds,
    • The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a report released Wednesday.
    • The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including: 
      • Concerns about a ban’s impact on ransom payment reporting by victims. 
      • The potential to drive more payments underground. 
      • And the unintended consequences and practicalities of critical infrastructure exemptions.
      • Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.” 
    • “While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”
  • HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, continues to update its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” website.
  • The U.S. Government Accountability Office released a report titled “Cybersecurity: Implementation of Executive Order Requirements is Essential to Address Key Actions.”
    • “In 2021, the President issued an executive order to help protect federal IT systems from cyberattacks. The order contains 55 leadership and oversight requirements. DHS’s Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget are responsible for implementing them.
    • “These agencies have fully completed 49 of 55 requirements. Remaining requirements include improving software that is critical to the supply chain and ensuring that other agencies have sufficient resources to carry out the order.
    • “We recommended that these agencies implement the order’s remaining requirements.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) announced,
    • “CISA hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.
    • “The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup; two Individuals tracks – Track A which focuses on defensive work roles and tasks from the NICE Framework, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B which focuses on offensive work roles and tasks, and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.
    • “This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products. 
    • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
    • “Since releasing the initial advisory on Friday [April 12], the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.”
  • On April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an update on the Palo Alto Networks Firewalls (CVE-2024-3400).
    • On April 12, 2024, Palo Alto Networks issued a warning about CVE-2024-3400, a zero-day command injection vulnerability found in its firewalls operating PAN-OS v10.2, 11.0, and 11.1 with configurations for both GlobalProtect gateway and device telemetry enabled. There have been an increasing number of attacks observed against this vulnerability since its release. In the original advisory, it was believed that disabling device telemetry would work as an effective secondary mitigation, but the most recent update states that device telemetry does not need to be enabled for PAN-OS to be vulnerable to attacks. Hotfixes were also released starting on April 14, 2024. HC3 strongly encourages all organizations to review the updated security advisory and apply any mitigations to prevent serious damage from occurring to the Healthcare and Public Health (HPH) sector.
  • Per Cybersecurity Dive,
    • “The rapid adoption of artificial intelligence tools is potentially making them “highly valuable” targets for malicious cyber actors, the National Security Agency warned in a recent report.
    • “Bad actors looking to steal sensitive data or intellectual property may seek to “co-opt” an organization’s AI systems to achieve, according to the report. The NSA recommends organizations adopt defensive measures such as promoting a “security-aware” culture to minimize the risk of human error and ensuring the organization’s AI systems are hardened to avoid security gaps and vulnerabilities.
    • “AI brings unprecedented opportunity, but also can present opportunities for malicious activity,” NSA Cybersecurity Director Dave Luber said in a press release.”
  • Dark Reading adds,
    • “A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that’s about to change, according to a team of academics.
    • “Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren’t as effective.
    • “Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis as a promising use-case example.”
  • and
    • “An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.
    • “Password managers store all of a user’s passwords — for Instagram, their job, and everything in between — in one place, protected by one “master” password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they’ll have keys to every single one of the accounts within.
    • “Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 
    • “CryptoChameleon attacks tend not to be so widespread, but they’re successful at a clip largely unseen across the cybercrime world, “which is why we typically see this targeting enterprises and other very high-value targets,” explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. “A password vault is a natural extension, because you’re obviously going to be able to monetize that at the end of the day.”
  • Healthcare IT Security lets us know,
    • “Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”
    • “Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.
    • “The realities of healthcare IT’s complexities, “not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations,” make it hard for the industry to protect itself, according to Devon Ackerman, Kroll’s global head of incident response and cyber risk.”

From the ransomware front,

  • SC Media reports,
    • “The Akira ransomware group netted itself $42 million in payments in the last year from over 250 organizations, according to a joint advisory released April 18 by four leading cybersecurity agencies across Europe and the United States. [Here is a link to CISA’s Stop Akira Ransomware site.]
    • “The advisory, which said Akira was now attacking Linux machines as well as Windows, was posted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Europol’s European Cybercrime Center, and the National Cyber Security Centre in the Netherlands.
    • “CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024.
    • “Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, CISA said in August 2023 the double-extortion group started deploying the Rust-based code Megazord and Akira, written in C++, as well as Akira_v2, also Rust-based.”
  • and
    • “Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
    • “In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
    • “Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come. * * *
    • “The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers’ impending sieges as they continue sharpening their capabilities.”
  • TechTarget identifies the top 13 ransomware targets in 2024 and beyond.
  • Bleeping Computer’s the Week in Ransomware is back.

From the cybersecurity defenses front,

  • “Healthcare Dive spoke with two cyber experts — Phil Morris and Chad Peterson, both managing directors at cybersecurity firm NetSPI — about how healthcare organizations can recover from the attack and what they need to do to protect themselves going forward.”
    • “HEALTHCARE DIVE: A survey by the American Hospital Association found that 94% of respondents were financially impacted by the Change attack. Why were so many providers impacted by this breach?
    • PHIL MORRIS: The cyberattack at Change Healthcare is really like the Francis Scott Key Bridge incident in Baltimore. It’s at the nexus of a very complex ecosystem we call healthcare delivery and payment systems here in the U.S. They handle so many claims, [pharmacy benefit managers], imaging, analytics and revenue management.
    • “It’s really a weak spot in the resiliency of healthcare because we have such a profit-driven healthcare system, that bringing that organization down had a rippling effect across not just hospitals but also network providers, pharmacies and patients. The ripple effects of this will go out across the healthcare system for some time.
    • CHAD PETERSON: Unfortunately, it’s a case of too many eggs in one basket, and it was the major choke point for a lot of healthcare systems that do their processing through [Change Healthcare]. So what they did is they basically hit the most vulnerable area to have the greatest impact.”
  • Healthcare Dive also reports on how cybersecurity took center stage at the American Hospital Association conference held last week.
    • “The majority of healthcare attacks aren’t coming from domestic hackers, experts stressed.
    • “Almost all cyberattacks against hospitals, including life-threatening ransomware attacks, originate from criminal gangs based in non-cooperative foreign jurisdictions,” AHA’s Riggi said. “That’s a euphemism, folks, for Russia, China, North Korea and Iran.” 
  • On April 15, CISA issued joint guidance on deploying AI systems securely.
  • Tech Target offers four tips on securing cybersecurity insurance this year.
  • An ISACA expert discusses “Evolving Threats to Cloud Computing Infrastructure and Suggested Countermeasures.”

Midweek Update


From Washington, DC,

  • The Federal Times and Federal News Network discuss OPM’s plans to tighten internal controls over family member eligibility in the FEHBP. OPM’s actions will shift the burden of monitoring family member eligibility from the FEHB plans to employing agencies, which is where the responsibility belongs.
  • OPM also should be filling the greatest internal control gap in the FEHB – the fact that OPM does not allow carriers, which bear the insurance risk, to reconcile premium payments to individual enrollees. A cost effective solution is available by implementing the HIPAA 820 electronic enrollment roster transaction which systematically generates such reconciliations.
  • Per BioPharma Dive,
    • “Alvotech and Teva on Tuesday won Food and Drug Administration approval for Selarsdi, the second biosimilar poised to challenge Johnson & Johnson’s blockbuster psoriasis drug, Stelara.
    • “The FDA cleared Selarsdi for treatment of moderate to severe plaque psoriasis and active psoriatic arthritis in adults and children who are at least 6 years old. The companies said they expect to begin selling the medicine on or after Feb. 21, 2025, a delayed introduction due to a legal settlement with J&J.
    • “The two companies are likely to enter the market after Amgen, which won approval for an interchangeable biosimilar called Wezlana in October. Amgen is also subject to a legal settlement, and the company has said its product will launch no later than Jan. 1, 2025.”
  • Healthcare Dive had the time to report on the CBO report on Medicare Accountable Care Organizations which the FEHBlog noted yesterday.
    • “Accountable care organizations led by independent physicians save Medicare more money than other types of ACOs, according to a new Congressional Budget Office review of existing research.
    • Independent physician-led ACOs have clear financial incentives to reduce hospital care to lower spending, while hospital-led ACOs — which earn more revenue when patients are admitted — do not, the CBO found. Hospitals also have less direct control over what services patients receive.
    • “ACOs with a larger proportion of primary care providers also saved Medicare more money, along with ACOs whose initial spending was higher than their peers in the same region, according to the report.”
  • The FEHBlog’s primary care provider practices in such an ACO.

From the public health and medical research front,

  • The New York Times reports,
    • “A pill taken once a week. A shot administered at home once a month. Even a jab given at a clinic every six months.
    • “In the next five to 10 years, these options may be available to prevent or treat H.I.V. Instead of drugs that must be taken daily, scientists are closing in on longer-acting alternatives — perhaps even a future in which H.I.V. may require attention just twice a year, inconceivable in the darkest decades of the epidemic.
    • “This period is the next wave of innovation, newer products meeting the needs of people, particularly in prevention, in ways that we didn’t ever have before,” said Mitchell Warren, executive director of the H.I.V. prevention organization AVAC.
    • “Long-acting therapies may obviate the need to remember to take a daily pill to prevent or treat H.I.V. And for some patients, the new drugs may ease the stigma of the disease, itself an obstacle to treatment.”
  • STAT News lets us know,
    • “Eli Lilly reported positive results for its obesity drug Zepbound in obstructive sleep apnea, giving the medication a new edge in the highly competitive obesity market.
    • “The results also pave the way for Zepbound to potentially become the first approved treatment for obstructive sleep apnea, or OSA, a common disorder characterized by breathing interruptions during sleep.
    • “In one year-long Phase 3 study that looked at patients with obesity who were not on PAP therapy, a form of ventilation, those taking Zepbound experienced a reduction of 25.3 events per hour on the apnea-hypopnea index (AHI), a measure of the number of times breathing stops and becomes restricted while sleeping. That compares with a reduction of 5.3 events in patients on placebo, Lilly said in a press release Wednesday.
    • “In another Phase 3 study in patients who were on PAP therapy, those on Zepbound had a reduction of 29.3 events per hour on the AHI, compared with a reduction of 5.5 events in patients on placebo.
    • “Severe OSA is defined as having over 30 events per hour, and moderate OSA is defined as 15 to 30 events per hour.”
  • CNBC adds,
    • “Most doses of Eli Lilly’s highly popular weight loss drug Zepbound and diabetes counterpart Mounjaro will be in short supply through the second quarter of this year due to increased demand, according to an update on the Food and Drug Administration’s drug shortage database.
    • “A previous update said some doses of both treatments would have limited availability through April.
    • “The new update suggests that the insatiable demand for a buzzy class of weight loss and diabetes drugs is still trouncing supply, even as Eli Lilly and Novo Nordisk work to increase production of those treatments.” 
  • The Associated Press informs us,
    • “For decades, patients seeking medication for pain have had two choices: over-the-counter drugs like aspirin or powerful prescription opioids like oxycodone.
    • “Opioid prescriptions have plummeted over the last decade as doctors have become more attuned to the risks of addiction and misuse during the country’s ongoing drug epidemic.
    • “Vertex Pharmaceuticals recently reported positive results for a non-opioid painkiller, one of several medications the Boston-based drugmaker has been developing for various forms of pain. Patients taking the drug after surgery experienced more pain relief than those getting a placebo, although the drug didn’t meet a secondary goal of outperforming treatment with an opioid.
    • The AP interviews Vertex’s chief scientist Dr. David Altshuler about the company’s research and development plans.
  • Beckers Hospital Review tells us,
    • “In recent months, parts of the U.S. have reported outbreaks of pertussis, or whooping cough. While some regional outbreaks are expected each year, health officials are underscoring the importance of boosters in adults to protect infants from severe illness, NBC News reported April 17.  * * *
    • “The TDap vaccine is recommended for children 11 and older who have not received the DTaP series. Adults should receive a Tdap booster dose every 10 years, according to the CDC. 
    • “Anyone who comes to see [a] new baby should have had a recent inoculation with Tdap vaccine to provide a cocoon of protection around that baby,” William Schaffner, MD, professor of infectious diseases at Nashville, Tenn.-based Vanderbilt University Medical Center, told NBC News.” 

From the U.S. healthcare business front,

  • Healthcare Dive relates,
    • “Steward Health Care is on the clock. 
    • “The Dallas-based healthcare network has until the end of the month to prove to lenders it has the cash on hand to begin repaying its significant debts — or it could face bankruptcy proceedings. 
    • “Demonstrating solvency could be a tall order because the health system owes a lot of parties a significant amount of money, according to analysts familiar with the system. 
    • “Should Steward fail, it would be one of the largest provider bankruptcies in decades, said Laura Coordes, professor of law at the Sandra Day O’Connor College of Law at Arizona State University.” 
  • MedTech Dive notes, “Abbott looks to ‘highly productive’ device pipeline for future growth. CEO Robert Ford highlighted new and upcoming products throughout the earnings call, calling the recently approved Triclip valve a “billion-dollar opportunity.”
  • According to BioPharma Dive,
    • “An experimental drug designed to improve brain function in people with nerve-degrading disorders has failed a mid-stage study that tested it against Parkinson’s disease.
    • “The trial enrolled almost 90 participants, who once a day were given either a placebo or a drug from Sage Therapeutics called SAGE-718. Summary results released Wednesday showed no significant difference between the two groups in how their mental abilities changed over the course of six weeks, as measured by a scale clinicians use to evaluate cognition. * * *
    • “Sage is still testing SAGE-718 across three additional trials that should have data this year. One, codenamed “Lightwave,” is focused on people with mild cognitive impairment and mild dementia due to Alzheimer’s disease. The other two, “Surveyor” and “Dimension,” are investigating whether the drug can help Huntington’s disease patients with cognitive impairment.”
  • Beckers Hospital Review points out that ten of the twenty most popular drugs are in shortage and names them.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “FBI Director Christopher Wray said state-linked threat groups are ramping up threat activity against the U.S., and pose a continued risk to key critical infrastructure sectors, in a speech Tuesday before the American Bar Association’s Standing Committee on Law and National Security.
    • “Threat actors linked with the People’s Republic of China are continuing to build out offensive capabilities, setting up access to various sectors such as the water, energy and telecommunications industries, according to Wray. 
    • “We’re seeing hostile nation states become more aggressive in their efforts to steal our secrets and our innovation, target our critical infrastructure, export their aggression to our shores and front and center is China,” Wray said.”
  • and
    • “The [NIST] National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.
    • “NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.
    • The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent. * * *
  • and
    • “More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted. 
    • “The Cybersecurity and Infrastructure Security Agency issued the notice for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and report ransom payments within 24 hours. The notice was published Thursday in the Federal Register and currently has a June 3 deadline for public comments.
    • “The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.”
  • NextGov relates,
    • “As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.
    • “To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.”
  • “DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comments for this case are due by June 10, 2024. For information on how to comment, please visit the Federal eRulemaking portal.
  • Federal News Network lets us know,
    • “Sean Connelly, who has led many of the major federal cybersecurity initiatives over the last decade, is leaving federal service.
    • “Connelly, whose official title is senior cybersecurity architect and Trusted Internet Connections (TIC) program manager for the Cybersecurity and Infrastructure Security Agency, has been instrumental in everything from a major chunk of the lifecycle of the TIC program to the development and advancement of the concepts behind zero trust to the integration of these initiatives with others, including the Einstein and continuous diagnostics and mitigation (CDM) programs.
    • “Federal News Network has learned Connelly’s last day will be April 19. * * *
    • “Sources say Connelly will be joining Zscaler to work on zero trust from an international compliance perspective. He will help non-U.S. governments move toward a zero trust architecture based on the experience of the federal agencies.
    • “Connelly is now the second federal cyber executive to leave to join Zscaler in the last two weeks. Brian Conrad, the former acting director of the Federal Risk Authorization and Management Program (FedRAMP) joined the cyber company in early April to lead Zscaler’s international cloud security compliance program.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop informs us,
    • “The Cybersecurity and Infrastructure Security Agency published an emergency directive Thursday in response to a Russian intelligence-linked hacking campaign that breached Microsoft, telling affected federal civilian agencies whose emails were stolen or passwords accessed to reset authentication credentials.
    • CISA’s directive comes in the week after CyberScoop first reported its existence.
    • “Microsoft and CISA have notified all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard,” the directive reads, referring to Microsoft’s name for the hacking group. “In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies.
    • “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” it continues.”
  • Cybersecurity Dive tells us,
    • “Ivanti Connect Secure devices were exploited and compromised by more threat groups than previously thought, Mandiant said in research released Thursday.
    • “Post-exploitation activity observed by Mandiant includes lateral movement with the aid of open-source tools and multiple custom malware families. 
    • “Mandiant said it observed “eight distinct clusters involved in the exploitation of one or more of” Ivanti’s vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, which the vendor first disclosed Jan. 10. This includes five China-linked espionage groups and three financially motivated attackers.”
  • Cyberscoop offers the reflections of Mandiant experts on this cybersecurity landscape.
  • Security Week lets us know,
    • Palo Alto Networks disclosed [a state-sponsored] vulnerability on Friday, warning that it was aware of limited in-the-wild exploitation and promising patches within the next two days.
    • “Tracked as CVE-2024-3400 (CVSS score of 10/10), the security defect is described as a command injection issue allowing unauthenticated attackers to execute arbitrary code on impacted firewalls, with root privileges.
    • “According to the vendor, all appliances running PAN-OS versions 10.2, 11.0, and 11.1 that have GlobalProtect gateway and device telemetry enabled are vulnerable. Other PAN-OS versions, cloud firewalls, Panorama appliances, and Prisma Access are not affected.”
  • CISA added new known exploited vulnerabilities to its catalog this week.
    • April 11, 2024
      • CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
      • CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability
    • April 12, 2024
      • CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
    • FEHBlog note: The CVE references are to the NIST National Vulnerability Database discussed above.
  • The HHS Health Sector Cybersecurity Coordination Center (HC3) posted its “March Vulnerabilities of Interest to the Health Sector.”
    • “In March 2024, vulnerabilities to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for March are from Ivanti, Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, VMWare, Adobe, Fortinet, and Atlassian. A vulnerability is given the classification of a zero-day when it is actively exploited with no fix available, or if it is publicly disclosed. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.”

From the ransomware front,

  • TechTarget notes,
    • “Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.
    • “The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.
    • “For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim’s network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.
    • “Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.”
  • WIRED reports,
    • “Since Monday [April 8, 2024], RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment. * * *
    • “RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
    • “While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.
    • “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”

From the cybersecurity defenses front,

  • MedCity News discusses four lessons learned from the Change Health cyberattack.
  • According to Dark Reading,
    • The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.
    • The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.
    • The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.
  • According to Cybersecurity Dive,
    • “CISOs and other management level cybersecurity executives are gaining more influence and importance as companies have begun to recognize the need for strong cyber governance and oversight, according to a report from Moody’s Ratings.
    • “About 90% of cybersecurity managers now report to a top level company executive, compared with 62% in 2021. A higher percentage of these cybersecurity executives now report directly to company CEOs, according to the report, which is based on a survey of more than 2,000 organizations around the world that issue debt, including 1,100 in North America. 
    • “The role of the CISO has risen in seniority and visibility within organizations,” Steven Libretti, assistant VP and analyst at Moody’s Ratings, said via email. “This means more direct reporting lines from the cyber manager to the C-suite executives and more frequent cyber briefings to the CEO.”
    • “Moody’s identified a more regular cadence within organizations of CISOs and other cybersecurity managers providing updates to the C-suite and board of directors. About 40% of cyber managers conduct monthly meetings with their CEO, according to the report.” 

Weekend Update

Today is World Health Day.

  • McKinsey & Co. tells us,
    • “The good news: People are living longer. The bad news: People are spending more time in poor health. Global longevity has risen substantially in the past 60 years, increasing life spans by 20 years on average, but every additional year of life is paid for with an average of six months in ill health. According to a recent report from the McKinsey Health Institute (MHI), a focus on immediately influenceable interventions at the city level can add approximately 20 billion to 25 billion years of higher-quality life at a global level—that’s an average of five additional years per person living in urban areas. All organizations across sectors have a role to play to capture this opportunity, write McKinsey’s Hemant Ahlawat, Erica Hutchins Coe, Pooja Kumar, and Drew Ungerman.”
  • On April 5, 2024, “House Committee on Oversight and Accountability Chairman James Comer (R-Ky.) announced a markup will take place on Wednesday, April 10 at 10:00 am ET to consider a series of legislation,” including
    • H.R. 7868, the FEHB Protection Act: The bill requires federal agencies to verify that an employee is eligible to add a family member to their Federal Employees Health Benefits Program (FEHBP) health coverage plan. This bill also requires the Office of Personnel Management (OPM) to consider coverage of ineligible individuals when conducting FEHBP fraud risk assessments and requires a comprehensive audit be conducted of employee family members currently enrolled in the FEHBP. Finally, the bill requires OPM to disenroll any ineligible individual found to be receiving FEHBP coverage.
  • Congress should be including in H.R. 7868 a provision requiring federal agencies to use the HIPAA 820 electronic enrollment roster transaction which would allow carriers to systematically reconcile individual enrollees with their premium payments. None of the provisions in HR 7868 would provide a greater improvement in internal controls than implementing the HIPAA 820 because half of the FEHB enrollment is self only. Moreover, what is the sense of confirming family member enrollment if the enrollee in question is not paying for family coverage?
  • The current premium reconciliation process known as CLER was implemented in 2001, eleven years before the HIPAA 820 was introduced. The time has long passed for CLER to be replaced by the much more efficient HIPAA 820.

From the FEHB front,

  • FedWeek highlights how FEHB plans coordinate their benefits with other coverage.
  • Tammy Flanagan writing in Govexec discusses the importance of knowing Medicare and FEHB coordination of benefit rules before requesting agency help.
  • In the Federal Times, Reg Jones answers the following question: “Will my spouse be covered once I qualify for Medicare Part B?”

From the public health and medical research front,

  • The National Institutes of Health announced today,
    • “Adults with heart disease risks who received daily reminders or incentives to become more active increased their daily steps by more than 1,500 after a year, and many were still sticking with their new habit six months later, according to a study supported by the National Institutes of Health that published in Circulation.
    • “The improvements, which also resulted in an extra 40 minutes of moderate exercise each week, correlated with a 6% reduced risk of premature death and a 10% reduced risk of cardiovascular-related deaths, compared to data from prior studies. The Department of Health and Human Services recommends that most adults should get at least 150 minutes of moderate aerobic exercise per week, such as brisk walking, or 75 minutes of vigorous exercise, like fast cycling, or a combination of the two, paired with twice-weekly strength sessions.
    • “Researchers found that while a simple daily reminder was effective in helping people move more, offering financial incentives or point-based rewards, such as in a game, was even more effective. However, combining the two incentives proved most effective. Participants who got both were still logging improvements in activity levels six months after the rewards stopped.
    • “Even moderate exercise can drastically reduce cardiovascular risk, so finding low-cost ways to get people moving and stay in a fitness program that they can do at home is a huge win for public health,” said Alison Brown, Ph.D., R.D., a program officer at the National Heart, Lung, and Blood Institute (NHLBI), part of NIH.”
  • The New York Times offers an interview with Dr. Nora Volkow, the director of the National Institute on Drug Abuse.
    • What’s the big picture on teens and drug use?
      • People don’t really realize that among young people, particularly teenagers, the rate of drug use is at the lowest risk that we have seen in decades. And that’s worth saying, too, for legal alcohol and tobacco.
    • What do you credit for the change?
      • One major factor is education and prevention campaigns. Certainly, the prevention campaign for cigarette smoking has been one of the most effective we’ve ever seen.
      • Some of the policies that were implemented also significantly helped, not just making the legal age for alcohol and tobacco 21 years, but enforcing those laws. Then you stop the progression from drugs that are more accessible, like tobacco and alcohol, to the illicit ones. And teenagers don’t get exposed to advertisements of legal drugs like they did in the past. All of these policies and interventions have had a downstream impact on the use of illicit drugs. * * *
      • “But we don’t want to become complacent. The supply of drugs is more dangerous, leading to an increase in overdose deaths. We’re not exaggerating. I mean, taking one of these drugs can kill you.”
  • Fortune Well explores the non-invasive colorectal cancer screening alternatives to a full blown colonoscopy.
  • The Washington Post reports,
    • “Black and White patients face significant disparities in access to kidney transplants depending on whether their residential neighborhoods and transplant centers were racially segregated, a recent study has found.
    • “The study, published in JAMA Internal Medicine, looked at 162,587 first-time live-donor kidney transplantation candidates in the national transplant registry from January 1995 through December 2021. Participants were tracked for an average of 1.9 years. * * *
    • “Overall, 7.1 percent of Black candidates in segregated neighborhoods received a live kidney transplant over a three-year period, while 9 percent of their Black counterparts in less segregated areas received a transplant. The percentage of White candidates who received similar transplants was similar in highly segregated neighborhoods and more diverse areas during the period — 19.7 percent and 20.1 percent, respectively. * * *
    • “The analysis adds to a growing body of literature about social disparities that affect Black patients’ access to kidney transplantation in the United States. Overall, Black patients are likelier to develop kidney failure than their White counterparts, yet they experience treatment delays and are less likely to get kidneys from live donors.”

From the U.S. healthcare business front,

  • Fierce Healthcare lets us know,
    • “Four in 10 therapists are planning to raise their fees in 2024, a new survey has found.
    • “Heard, a bookkeeping and accounting firm for therapy practices, surveyed more than 2,260 therapists across all 50 states and D.C. The findings were published in a report on the financial state of private practices. It found that half of therapists are somewhat or very concerned about the economy impacting their practice in the coming year.
    • “At the same time, in last year’s report, 64% of therapists said they were planning to raise their fees in 2023. Yet only a third did.
    • “Despite cash pay popularity, three-quarters of therapists still accept some form of insurance. Aetna was the most common payer with which therapists paneled, followed by Cigna, Blue Cross Blue Shield, Anthem and Oxford. Aetna also had the highest average reimbursement rate at $141 per session, while Humana had the lowest at $96.”

Thursday Miscellany

From Washington, DC,

  • Per an HHS press release,
    • Today, the U.S. Department of Health and Human Services (HHS), through the Centers for Medicare & Medicaid Services (CMS), is finalizing policies that continue to strengthen enrollee protections and guardrails to ensure Medicare Advantage and Medicare Part D (Part D) prescription drug plans best meet the needs of people with Medicare. The Contract Year (CY) 2025 Medicare Advantage and Part D final rule builds on existing CMS policies to promote competition, increase access to care, including important behavioral health services, and protect individuals from inappropriate marketing and prior authorization. * * *
    • [For example,] CMS is finalizing greater flexibility for Part D plans to substitute, more quickly, lower cost biosimilar biological products (biosimilars) for their reference products so that enrollees may have faster access to equally effective, but potentially more affordable, drug treatment options. * * *
    • View a fact sheet on the final rule at cms.gov/newsroom.
  • From the AHA News,
    • “Primary care providers who commit to practicing two years in a health professional shortage area can initially receive up to $75,000 in loan repayment under the National Health Service Corps Loan Repayment Program, $25,000 more than previously and the first significant increase in 30 years, the Health Resources and Services Administration announced April 4. Participants who extend their service beyond two years can receive additional funding under the program. HRSA also will offer up to $5,000 in additional loan repayment to participants who can demonstrate fluency in Spanish and commit to practice in a high-need area serving patients with limited English proficiency.”
  • The International Foundation of Employee Benefit Plans lets us know,
    • “The Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act (MHPAEA) requires group health plans that provide mental health or substance use disorder (MH/SUD) benefits to offer parity between coverage of physical health conditions and mental health conditions. The Department of Labor (DOL) Employee Benefits Security Administration (EBSA) enforces MHPAEA and reports annually to Congress on how agency investigators are working with plan sponsors and administrators to bring them into compliance.
    • “Recent DOL reports on MHPAEA enforcement indicate several pitfalls that self-funded plan sponsors and their administrative service providers should avoid in order to be compliant with mental health parity rules. A new priority in the 2023 report was impermissible exclusions of key treatments for MH/SUD.
    • One-Minute Summary
      • Recognize that autism spectrum disorder, opioid use disorder and eating disorders are mental health conditions and therefore treatment of these disorders are mental health benefits covered by mental health parity laws.
      • Blanket exclusions of ABA therapy for autism spectrum disorder, nutritional counseling for eating disorders, and medication-assisted treatment (MAT) and medications for opioid use disorder (MOUD) are impermissible.
      • Methods that participants use to access care should be in parity. Prior authorization, gatekeepers such as EAP referrals and telehealth are impermissible barriers to access mental health benefits.
  • Per an OPM press release,
    • In the first week of the Biden-Harris Administration, President Biden revoked an Executive Order issued by the previous Administration that risked altering our country’s long-standing merit-based civil service system, by creating new excepted service schedule, known as “Schedule F,” and directing agencies to move potentially large swathes of career employees into this new excepted service status. This attempt would have stripped career civil servants of their civil service protections that ensure that decisions to hire and fire are based on merit, not political considerations.  
    • The [OPM] final rule [released today] advances these important policy goals by:  
      • Clarifying that the status and civil service protections an employee has accrued cannot be taken away by an involuntary move from the competitive service to the excepted service, or from one excepted service schedule to another. Once a career civil servant earns protections, that employee retains them unless waived voluntarily.  
      • Clarifying that the phrase “confidential, policy determining, policymaking, or policy-advocating” positions—a term of art to describe positions that lack civil service protections—means noncareer, political appointments. This rule prevents that exception from being misapplied to career civil servants.  
      • Establishing procedural requirements for moving positions from the competitive service to the excepted service and within the excepted service. This change both creates transparency and establishes an appeals process for federal employees when any such movement is involuntary and characterized as stripping employees of their civil service protections.   

From the public health and medical research front,

  • The Society for Human Resources Management tells us,
    • “Anxiety has skyrocketed in recent years, now becoming the top mental health issue plaguing workers, new data shows.
    • An analysis of more than 300,000 U.S. cases from mental health provider ComPsych found that nearly a quarter of people (24 percent) who reached out to ComPsych for mental health assistance in 2023 did so to get help with anxiety.
    • “That makes anxiety the No. 1 presenting issue reported by U.S. workers, topping depression, stress, relationship issues, family issues, addiction and grief, ComPsych said.”
  • MedPage Today notes,
    • New U.S. hepatitis C infections dropped slightly in 2022, a surprising improvement after more than a decade of steady increases, federal health officials said Wednesday.
    • Experts are not sure whether the 6% decline is a statistical blip or the start of a downward trend. Seeing 2023 and 2024 data, when it’s available, will help public health officials understand what’s going on, said Daniel Raymond, director of policy at the National Viral Hepatitis Roundtable, an advocacy organization.
    • “We’ve had a decade of bad news … I am cautiously encouraged,” he said. “You always want to hope something like this is real, and a potential sign that the tide has turned.”
  • STAT News reports,
    • “The booming class of GLP-1 drugs that includes Ozempic and Wegovy is not only effective for diabetes and obesity, but is also showing early potential to help with conditions involving the brain, like mental health disorders, Alzheimer’s, and even, as new study results suggest — Parkinson’s disease.
    • “In a Phase 2 trial, patients with early Parkinson’s disease taking an older GLP-1 diabetes drug called lixisenatide experienced no worsening of motor symptoms over a year, in contrast to patients on placebo who did, according to the study, published Wednesday in the New England Journal of Medicine.
    • “The difference between the groups — as measured by a test looking at someone’s tremors and rigidity — was small, almost but not quite reaching what is deemed to be a clinically significant difference. Still, the authors said they were encouraged that patients on the drug did not get worse, and the findings add to a growing body of research that suggests this class of medications holds potential as a new way of addressing Parkinson’s, a slow-moving, debilitating disorder that currently lacks any treatments that can halt disease progression.”
  • and
    • “Moderna may be best known for its Covid-19 vaccine, but since its start, it’s always been set on developing therapies.
    • It’s run into some hurdles as it’s pioneered turning mRNA — the strand of genetic material that’s at the heart of Moderna’s approach — into medicines. But the company’s vision of making cells into their own drug factories is showing signs of progress.
    • “On Wednesday, scientists reported interim results from an early study of Moderna’s most advanced rare-disease therapy, a treatment for propionic acidemia, a metabolic condition in which the body makes defective versions of enzymes that are required to break down fats and proteins. While the study primarily focused on safety and testing different doses, some patients — most of the participants were children — saw a reduction in the life-threatening metabolic emergencies that can crop up with the disease.
    • “And while most patients reported such side effects as fever and vomiting, they broadly wanted to stay on the drug even after the trial period wrapped up, according to the study, published in the journal Nature.”

From the U.S. healthcare business front,

  • American Hospital Association News informs us,
    • “Almost half of rural hospitals had negative total margins in 2022 and negative patient care margins both before and after the COVID-19 pandemic, according to a report prepared for the AHA by faculty at the Virginia Commonwealth University College of Health Professions. When provider relief funds are excluded from margins, the average total margin for rural hospitals was lower in 2022, the most recent year with data available, than in any year since 2017.” 
  • Mercer Consulting looks at the performance of exclusive provider organizations.
    • “We’re seeing growing adoption of network configurations that differ from the traditional broad PPO network. This might mean eliminating out-of-network benefits, offering a plan with a narrow network of high-performing providers, or both. According to our Survey on Health and Benefit Strategies for 2024, 24% of large employers (those with 500 or more employees) now offer a medical plan option with a High-Performance Network curated by a carrier. Most often, these are plans offered by a national carrier in which the providers are a subset of the carrier’s larger Preferred Provider Organization network and are selected based on quality and cost metrics. A few independent provider networks (for example, Centivo and Imagine Health) have gained some traction as well. The largest employers are moving the fastest – 38% of companies with 20,000 or more employees offer some type of high-performance network.” 
  • Healthcare Dive reports,
    • “Walmart is pushing back expansion plans for its health center superstores, as retail giants struggle to right-size their primary care networks.
    • “The company plans to open 22 health centers this year, according to a Walmart spokesperson. Previously, the retail giant said it would open more than 30 locations in 2024.
    • “Walmart plans to open 18 centers in Texas and another four in the Kansas City metro area, the spokesperson said. The clinic openings will start this month in Houston, and run throughout the fall.”
  • According to BioPharma Dive,
    • “Amylyx Pharmaceuticals is pulling from market one of the few approved treatments for ALS.
    • “Rarely do drugmakers voluntarily withdraw products. In Amylyx’s case, the decision comes just weeks after a large clinical trial meant to confirm the benefits of its medicine instead found it no better than a placebo at slowing the fatal, nerve-destroying disease.
    • “Starting Thursday, the medicine, which is sold as Relyvrio in the U.S. and Albrioza in Canada, will no longer be available for new patients. Those who are taking it and wish to continue may enter a free drug program. Additionally, a phase of that large trial that allows participants to continue on Relyvrio remains ongoing.”
  • MedTech Dive points out,
    • “The Food and Drug Administration granted de novo clearance to an AI tool to help clinicians predict and diagnose sepsis, the first time the agency has authorized such a tool.
    • “The Sepsis Immunoscore software, developed by Chicago-based Prenosis, provides a risk score for clinicians on a patient having or developing sepsis within 24 hours. The score is based on 22 parameters, including respiratory rate, blood pressure and white blood cell count. 
    • “Hospitals already use early sepsis detection tools, despite lacking FDA review. The agency clarified in a final guidance in 2022 that clinical decision support software that provides a risk score or probability of a condition should be regulated as a medical device.”

Weekend update

Wildflowers currently blooming in Central Texas

Happy St. Patrick’s Day.

From Washington, DC,

  • No later than this Friday March 22, Congress must enact the second package of six FY 2024 appropriations measures to avoid a partial government shutdown. Roll Call tells us
    • “The Biden administration is objecting to congressional leaders’ earlier plans to fund Homeland Security appropriations with a stopgap measure through Sept. 30, throwing a wrench into efforts to release the final fiscal 2024 appropriations package Sunday, sources familiar with the delay said. 
    • “The White House’s late ask for an extra $1.56 billion in border-related resources and reluctance to otherwise back the full-year continuing resolution under discussion for DHS was behind the latest hangup, these people said.
    • “However, White House and congressional staff were meeting Sunday to discuss options, and sources said offers are being exchanged as lawmakers continued to work toward a solution.”  
  • MedPage Today reports,
    • “Hospital inpatient and outpatient services should get 1.5% more in 2025 Medicare payments, skilled nursing homes should receive 3% less, base payment rates for home health agencies should drop by 7%, and physicians should receive what current law allows plus 50% of the projected increase in the Medicare Economic Index, the Medicare Payment Advisory Commission (MedPAC) said in its annual March report to Congress.
    • “In two of the report’s 15 chapters, which took up 20% of the 561-page report, the commission addressed major problems with private Medicare Advantage (MA) plan quality and payments, which have been frequent topics of regular meetings. Commissioners reiterated that “a major overhaul of MA policies is urgently needed” to address lack of quality and overpayments compared with fee-for-service (FFS) plans.
    • “Other issues include the need for Medicare to change policies that disadvantage FFS beneficiaries who don’t want to use MA provider networks or undergo prior authorization. The commission advised Congress to push harder for information that is lacking about the value of MA plans’ “extra benefits.”
    • “The lack of information about the use and value of many MA supplemental benefits prevents meaningful oversight of the program such that we cannot ensure that enrollees are getting value from those benefits,” the report noted.”

From the public health and medical research front,

  • The Washington Post reports,
    • “Healthy lifestyles are associated with better cognitive function in older adults — even those whose brains show signs of dementia, according to research published in JAMA Neurology last month. The study suggests a healthy lifestyle could buffer older adults against cognitive decline and boost their “cognitive reserve.”
    • “Researchers used data from the Rush Memory and Aging Project, a long-term study that looked at patients’ lifestyles and health and analyzed autopsy data from 1997 to 2022. * * *
    • “Among all the patients, higher healthy lifestyle scores in five domains — diet, late-life cognitive activity, physical activity, smoking cessation and low alcohol intake — were associated with better cognitive function before their deaths. The association held even when the autopsies showed signs of brain changes consistent with dementia.”
  • Medscape offers five keys to helping long term COVID patients recover and points on Opill, the new OTC female contraceptive pill, for doctors to share with their patients.

From the U.S. healthcare business front,

  • The Washington Post reports,
    • “People over 65 use more health care than other age groups and make up nearly half of hospital admissions. But there are just 7,300 board-certified geriatricians in the United States, which is fewer than 1 percent of all physicians, according to the American Geriatrics Society. By contrast, more than 60,000 pediatricians were practicing in 2021, according to the Association of American Medical Colleges (AAMC).
    • “Yet research suggests that geriatricians more effectively and efficiently manage older patients than doctors without such training — leading to lower inpatient death rates, shorter hospital stays and reduced patient costs. Right now, the United States has roughly 1 geriatrician for every 10,000 older patients. Only 41.5 percent of geriatric medicine fellowship positions were filled in late 2023, down from 43 percent in 2022. Meanwhile, the number of people over 65 is expected to grow by nearly 40 percent within the decade.
    • “The vast majority of older people are getting care from people who have little to no training in the care of older adults,” said Louise Aronson, a professor of geriatric medicine at the University of California at San Francisco and the author of “Elderhood: Redefining Aging, Transforming Medicine, Reimagining Life.” * * *
    • “Experts highlight creative ways to boost financial incentives and exposure. [Rosanne M.] Leipzig[, a professor and vice chair emerita in the Brookdale Department of Geriatrics and Palliative Medicine at the Icahn School of Medicine at Mount Sinai in New York] pointed out that since Medicare funds part of residencies and fellowships, regardless of the specialty, “why doesn’t Medicare require that these trainees demonstrate basic competency in the geriatric field?” Making program funding contingent on this would ensure some knowledge of geriatric issues for residents across specialties. Aronson suggested student loan forgiveness programs for doctors who specialize in geriatrics, similar to medical school loan forgiveness offered to doctors at qualifying nonprofit or government hospitals.
    • “Leipzig pointed to a new pilot program in the works to encourage more geriatric expertise by creating a midcareer pathway for general internists, similar to executive MBA programs. Some experienced internists will be able to pursue intensive short-term geriatric training without sacrificing their salaries or established practices.”
  • MedPage Today informs us,
    • “A much-awaited treatment for postpartum depression, zuranolone (Zurzuvae), hit the market in December, promising an accessible and fast-acting medication for a debilitating illness. But most private health insurers have yet to publish criteria for when they will cover it, according to a new analysis of insurance policies.
    • “The lack of guidance could limit use of the drug, which is both novel — it targets hormone function to relieve symptoms instead of the brain’s serotonin system, as typical antidepressants do — and expensive, at $15,900 for the 14-day pill regimen.
    • “So far [and the article was published today], only one of the country’s six largest private insurers, Centene, has set a policy for zuranolone.”
  • Last Tuesday, the Wall Street Journal reported,
    • After the [Change Healthcare] hack, Availity set up a pared-down claims-processing service on Feb. 23 that medical providers can use for six months at no cost. The company has set up around 300,000 medical providers so far and has a backlog of at least 50 health systems waiting to start using the platform, Thomas said.
    • Availity’s CEO said he didn’t want to charge desperate healthcare companies in the middle of a crisis, and negotiating contracts would have meant a lot of work for the company’s employees. After the six-month contract-for-free service ends, Thomas said customers can decide if they want to keep using Availity’s platform or want to return to Change. “This event is going to sort of forever change the dynamics in this space,” he said. 

Thursday Miscellany

Photo by Josh Mills on Unsplash

From Washington, DC

  • Think Advisor lets us know,
    • “The U.S. House of Representatives voted 211-208 on Wednesday to pass H.R. 485, the Protecting Health Care for All Patients Act of 2023.
    • “The bill would prohibit federal health programs — including Medicare, Medicaid and the Federal Employees Health Benefits Program — from using a “quality-adjusted life year” measure or similar measures when allocating resources.
    • “All Republicans who voted supported the bill, and all Democrats who voted opposed it.
    • “The bill was introduced by Rep. Cathy McMorris Rodgers, R-Ore.”
  • Roll Call reports,
    • “House Energy and Commerce Chair Cathy McMorris Rodgers, a 10-term Republican from Washington state who has been a strong advocate for people with disabilities, announced Thursday she would not seek reelection this year.
    • “It’s been the honor and privilege of my life to represent the people of Eastern Washington in Congress. They inspire me every day,’’ Rodgers said in a statement. “After much prayer and reflection, I’ve decided the time has come to serve them in new ways. I will not be running for re-election to the People’s House.”
    • “The announcement comes as Rodgers is leading negotiations with the Senate on a wide-ranging health care package that touches all parts of the industry. The legislation would implement more transparency in data and pricing for prescription drugs and other medical services.”
  • BioPharma Dive informs us,
    • “The CEOs of three major drugmakers defended the prices they charge U.S. patients in a Senate [Health Education Labor and Pensions] committee hearing Thursday, claiming Americans gain access to cutting-edge medicines months or years earlier than people in countries that pay a fraction of the U.S. costs. * * *
    • “Sen. Ben Ray Luján, D-N.M., asked the CEOs to pledge to not block entry of generics or biosimilars to the respective drugs in the spotlight when their primary patents expire, which Merck and Bristol Myers agreed to. That question in the case of Bristol Myers Squibb was focused on Opdivo, its cancer immunotherapy rival to Keytruda.
    • “For Merck, Davis committed to open competition with any forthcoming biosimilars of intravenous Keytruda. But he didn’t mention the company is trying to develop and launch a subcutaneous, or under-the-skin, version that would likely extend its market advantage beyond the anticipated 2028 expiration of its main patent. Bristol Myers is also working on subcutaneous Opdivo.
    • “Questioned by Luján on settlements that have pushed the launch of biosimilar Stelara to 2025, J&J’s Duato said the price of the drug will be lower when that happens and added that prices net of rebates have dropped ahead of biosimilar competition.”
  • Bloomberg reports,
    • “The pharmaceutical industry, Trump and Obama administration officials, and others are urging the Biden administration to reconsider a controversial plan for seizing patents on a drug when its cost gets too high, claiming the approach misinterprets decades-old law and threatens the delicate pipeline that produces innovative, life-saving drugs.
    • “Over 500 comments were filed by the Feb. 6 deadline for groups and individuals to weigh in on the Biden administration’s framework for the federal government to use its march-in rights. The proposal lays out the Biden administration’s stance in a longstanding debate over whether price is a justifiable reason for the government to “march in” and take over a patent on technology developed with the help of taxpayer dollars and then license it to an outside manufacturer.
    • “The Biden plan is already drawing blowback from a broad swath of players in the innovation space. A collection of former US Patent and Trademark Office directors and other government officials under the George W. Bush, Obama, and Trump administrations wrote to warn that the proposed framework, if adopted, would prove destabilizing.”
  • Per an HHS press release,
    • “The Department of Health and Human Services’ Office of Intergovernmental and External Affairs (IEA) will be hosting a stakeholder webinar TOMORROW, February 9, 2024, from 2 – 3 PM ET to provide an update on patient privacy.  
    • “Today, the U.S. Department of Health and Human Services, through its Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), finalized modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”), which protect the privacy of patients’ SUD treatment records. Specifically, today’s final rule increases coordination among providers treating patients for SUDs, strengthens confidentiality protections through civil enforcement, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.
    • “Today’s rule was informed by the bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that, among other things, required HHS to bring the Part 2 program into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.
    • “The final rule includes the following modifications to Part 2:
      • “Permits use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations.
      • “Permits redisclosure of Part 2 records by HIPAA covered entities and business associates in accordance with the HIPAA Privacy Rule, with certain exceptions.
      • “Provides new rights for patients under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
      • “Expands prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.
      • “Provides HHS enforcement authority, including the potential imposition of civil money penalties for violations of Part 2.
      • “Outlines new breach notification requirements applying to Part 2 records.”
    • “A fact sheet on the final rule may be found at: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html
  • Govexec tells us,
    • “The U.S. Postal Service was $2 billion in the red in the first three months of fiscal 2024—typically its busiest and most profitable period of the year—doubling its loss from the same period in the previous year. 
    • “The accelerated losses during the holiday season continue a longstanding trend of poor financial performance for the mailing agency, but mark a troubling sign as its leadership team undertakes significant operational transformations with a promise to right the ship.
    • “In a positive development, however, USPS turned a net profit of $472 million when accounting only for the part of the ledger postal management deems within its control. That figure, which does not include fluctuations in workers’ compensation and amortized payments toward employee retirement accounts, grew from $187 million in the first quarter of the prior year.” 
  • The U.S. Office of Personnel Management announced,
    • “[t]he Finalists for this year’s Presidential Management Fellows (PMF) Program, the federal government’s premier leadership development program. In total, 825 Finalists were selected from more than 7,000 applicants from around the world. 
    • “Presidential Management Fellows are the next generation of federal government leaders,” said Kiran Ahuja, Director of OPM. “The PMF Program gives Fellows the leadership skills and exposure they need to make a difference in government and an impact within their community. Congratulations to all the 2024 PMF finalists. We cannot wait to see what you will accomplish in public service.” 

From the public health and medical research front,

  • Medscape points out,
    • “Brain fog is one of the most common, persistent complaints in patients with long COVID. It affects as many as 46% of patients who also deal with other cognitive concerns like memory loss and difficulty concentrating. 
    • “Now, researchers believe they know why. A new study has found that these symptoms may be the result of a viral-borne brain injury that may cause cognitive and mental health issues that persist for years.
    • “Researchers found that 351 patients hospitalized with severe COVID-19 had evidence of a long-term brain injury a year after contracting the SARS-CoV-2 virus. The findings were based on a series of cognitive tests, self-reported symptoms, brain scans, and biomarkers.” 
  • STAT News reports,
    • “People receiving a double dose of naloxone are no more likely to survive an opioid overdose than people receiving a standard, 4-milligram nasal spray, according to a new study.
    • “The new paper, published Thursday in the Centers for Disease Control and Prevention’s Morbidity and Mortality Weekly Report, showed no significant difference in survival rates between people who were revived using 4- and 8-milligram sprays of naloxone, commonly known by the brand name Narcan. People receiving the smaller dose also did not require a higher total number of sprays, despite having received just half the initial amount. The researchers found only one major contrast between those receiving different dose sizes: Those who received a double dose were over 2.5 times more likely to experience severe withdrawal symptoms, like vomiting.
    • “The study comes as pharmaceutical companies continue to market expensive high-dose formulations of naloxone, arguing that amid record drug death levels resulting from potent synthetic opioids like fentanyl, it’s essential to deliver as much of the overdose-reversal medication as possible. Public health experts and harm-reduction groups have pushed back, however, charging that the companies have used Americans’ fear of fentanyl as an excuse to sell needlessly expensive naloxone products to cash-strapped public health agencies.”
  • Beckers Hospital Review reports,
    • “Patients who take Ozempic, Mounjaro and Wegovy are less likely to be diagnosed with anxiety or depression compared to those who don’t receive the popular diabetes and weight loss drugs, according to a new study
    • “A review of more than 4 million patient records conducted by Epic Research found that diabetic patients are less likely to have anxiety if they are taking any glucagon-like peptide-1 receptor agonist. 
    • “The researchers analyzed five different GLP-1s: tirzepatide (Mounjaro, Zepbound), semaglutide (Ozempic, Wegovy, Rybelsus), dulaglutide (Trulicity), liraglutide (Saxenda, Victoza) and exenatide (Byetta, Bydureon). 
    • “The patients taking GLP-1s for weight loss were compared with those receiving another kind of weight loss drug, and diabetic patients were compared with people not taking a GLP-1.”
  • The American Hospital Association News notes how you can “[l]earn how hospitals and health systems are improving maternal and child health outcomes in this synopsis of the latest resources from AHA’s Better Health for Mothers and Babies initiative.”
  • The NIH Director discusses in her blog “What’s Behind that Morning Migraine? Community-Based Study Points to Differences in Perceived Sleep Quality, Energy on the Previous Day.”

From the U.S. healthcare business front,

  • The Wall Street Journal reports,
    • AstraZeneca sees its revenue and core earnings per share growing by double-digit percentages in 2024, the pharmaceuticals major said as it reported fourth-quarter core earnings per share below expectations on higher costs, sending the stock lower.
  • CNBC discusses how “Novo Nordisk, Eli Lilly are tackling weight loss drug supply woes.”
    • “Last week, the Danish drugmaker [Novo Nordisk] said it had more than doubled its supply of lower-dose versions of its weight loss injection Wegovy in January compared to previous months. Supply shortages forced Novo Nordisk to restrict the availability of those lower doses in the U.S. since May. 
    • “But why are those lower doses important? It’s because people are supposed to start Wegovy at a low dose and gradually increase the size over time to mitigate side effects such as nausea. So, more of those low “starter” doses means more new patients can begin treatment with Wegovy. 
    • “The company plans to “gradually” increase the overall supply of Wegovy throughout the rest of the year, executives added on the company’s fourth-quarter earnings call Wednesday.”
  • Per Healthcare Dive,
    • “UnitedHealth’s chief operating officer Dirk McMahon is retiring after more than two decades at the company.
    • “McMahon plans to retire on April 1, the payer said in a Wednesday filing with the Securities and Exchange Commission.
    • “UnitedHealth has yet to name a replacement for McMahon.”
  • and
    • “Walgreens has named a new head of its healthcare unit as the pharmacy chain works to improve its halting finances and shift to delivering more healthcare services.
    • “John Driscoll, the current executive vice president and president of the U.S. Healthcare segment, will be replaced by Mary Langowski, who previously held the chief executive role at chronic condition management company Solera Health. Driscoll will serve in a senior advisory role, Walgreens announced Thursday.”
  • and
    • “Molina Healthcare lost half a million Medicaid members due to redeterminations by the end of 2023, executives said Thursday.
    • “States resumed checking beneficiaries’ eligibility for the safety-net program in April following a pause during the COVID-19 public health emergency. Some 16 million Americans have been disenrolled from Medicaid to date because of the redeterminations. The process is disproportionately impacting insurers with a heavy Medicaid presence like Molina, which brings in 80% of its revenue from the program.
    • “Molina still expects to retain 40% of its Medicaid membership once redeterminations are complete. However, on Thursday the insurer raised its estimate of members gained during COVID from 800,000 to 1 million because of new business adds. That implies a net member loss of 600,000 once redeterminations are complete.” 
  • and
    • “Tenet Healthcare beat Wall Street expectations for revenue in the fourth quarter of 2023 on continued cost control measures and sustained demand for services, particularly in its ambulatory care unit, executives said during an earnings call on Thursday.
    • “CEO Saum Sutaria told investors that Tenet was entering a “new era” in which a higher proportion of its performance was generated by its ambulatory surgical business. Same-facility revenue for ambulatory services grew 9.2% during 2023, above Tenet’s long-term goal of 4% to 6% top line growth.
    • “The Dallas-based for-profit will continue a careful watch on its debt levels, executives said. The company has recently taken steps to reduce its leverage, last week finalizing the sale of three hospitals to Novant Health and announcing the sale of four additional hospitals to UCI Health.”
  • Beckers Payer Issues discusses why insurers appear to be split into two camps over rising Medicare Advantage costs.

Tuesday Tidbits

Photo by Patrick Fore on Unsplash

From Washington, DC,

  • The Hill reports,
    • “Congress is struggling to lock down a deal on government funding with just days until lawmakers are set to leave town for the rest of the year, as both chambers appear to have given up on passing their own spending bills.
    • “Lawmakers had been hopeful leadership would strike a deal last week on an overall top-line level for government funding in fiscal 2024 as part of the annual appropriations process. But as negotiations continue, lawmakers say leadership is cutting it close. Congress is staring down a shutdown deadline next month, with little legislative time on the calendar.” 
  • Healthcare Dive explains the features of the Lower Costs, More Transparency bill passed last night by the House of Representatives. The wide bipartisan margin supporting the bill improves its chances of success in the Senate.
  • American Hospital Association News tells us,
    • “The House Dec. 12 voted 386-37 to pass AHA-supported legislation (H.R. 4531) that would reauthorize key SUPPORT Act programs for patients with substance use disorder and permanently extend required Medicaid coverage for medication-assisted treatments. The Senate Health, Education, Labor & Pensions Committee today advanced its own SUPPORT Act reauthorization bill (S. 3393).”
  • Healthcare Dive informs us,
    • “Nationwide health data exchange under TEFCA, the Trusted Exchange Framework and Common Agreement, is now operational, the HHS’ Office of the National Coordinator for Health Information Technology announced on Tuesday.
    • “Five Qualified Health Information Networks, or QHINs, completed the onboarding process and are ready for data exchange: eHealth Exchange, Epic Nexus, Health Gorilla, KONZA and MedAllies.
    • “The go-live marks a significant milestone that’s been years in the making, HHS leaders said at a signing event. “I feel like we’re watching the Big Bang occur in 2023,” said Secretary Xavier Becerra.”
  • Yippee! Now, true interoperability begins. Bye, bye fax machines.
  • HHS also announced,
    • “release[ing] HHS’s National Plan to Address Alzheimer’s Disease: 2023 Update. The National Plan is a roadmap of strategies and actions of how HHS and its partners can accelerate research, expand treatments, improve care, support people living with dementia and their caregivers, and encourage action to reduce risk factors. It highlights the progress made in 2023, which was an historic year for the treatment of Alzheimer’s disease and related dementias (ADRD) and care for people with this condition.”
  • The U.S. Preventive Services Task Force is proposing to retain its Grade B recommendation that
    • “Clinicians provide or refer children and adolescents age six years or older with a high body mass index (BMI) (≥95th percentile for age and sex) to comprehensive, intensive behavioral interventions.”
    • The public comment period is open until January 16, 2024.
  • MedPage adds that
    • “To reap the “moderate net benefit,” kids should have 26 or more contact hours with the behavioral interventions for up to a year, [the USPSTF] advised.
    • “USPSTF fell short of recommending pharmacologic therapy, citing a lack of evidence. This did not mean the group recommended against this type of treatment; however, behavioral interventions should be the primary effective intervention for kids’ weight loss, the task force said.”
  • The CDC offers five healthy eating tips for the holidays.
  • The GAO issued a report on the rocky implementation of the No Surprises Act’s independent dispute resolution process.

From the public health and medical research front,

  • Beckers Hospital Review points out the fifteen states (and New York City), up from ten the previous week, with the highest rates of respiratory disease.
    • “Two states — Louisiana and South Carolina — reported “very high” respiratory virus activity levels. Thirteen states — Alabama, California, Colorado, Florida, Georgia, Mississippi, Nevada, New Jersey, New Mexico, North Carolina, Tennessee, Texas and Wyoming — and New York City reported “high” activity levels, which are a measure of the weekly percentage of visits to an outpatient healthcare provider or emergency department for fever and cough or sore throat.” 
  • Per STAT News,
    • “The sickle cell community has for the past few days been buzzing with news of the first-ever approved gene therapies for the devastating disease. Meanwhile, researchers at the American Society of Hematology meeting on Tuesday are reporting advances in a less expensive and more established strategy proven to cure patients: bone marrow transplant.
    • “This approach has been around for decades but required patients to have a well-matched donor and endure a hefty dose of chemotherapy, ruling out transplant as an option for the vast majority of patients. In a mid-stage trial, however, researchers said sickle cell patients who were given a gentler course of chemo and an infusion of half-matched cells fared well: They had less pain, and 95% of participants were alive two years after transplant and only 7% of recipients experienced a severe reaction caused by transplanted immune cells attacking their new home.”
  • and
    • “One of the toughest subtypes of acute leukemia involves a genetic alteration in the KMT2A gene. Many cancers with this genetic alteration end up relapsing or don’t respond to treatment, but new data presented at the annual American Society of Hematology meeting offer hope of a new targeted therapy for these patients.
    • “The study, called the Phase 2 Augment-101 trial, tested Syndax’s revumenib in patients with relapsed or refractory leukemia with these KMT2A genetic rearrangements. Overall, about 63% of the patients responded to the treatment, with many able to receive a potentially curative stem cell transplant later on, which is often the ultimate goal for patients with relapsed or refractory patients, said Ibrahim Aldoss, a hematologist-oncologist at City of Hope and the study’s presenter, in an interview.”
  • The New York Times asks why pedestrian deaths at night have continued to climb since 2009.
    • “[P]ut together, it’s clear that there’s been a particularly American mix of technological and social changes over the past decade and a half. And they have all come on top of a road system and an ingrained culture that prioritizes speed over safety. Whatever has happened over this time has reversed years of progress on daytime pedestrian fatalities, too, leading to a modest increase in deaths. Nighttime, however, has the potential to amplify so many of these new risks.
    • “A transportation system that’s safer by design — as in many European countries — might better absorb any one of these dangers. Distracted drivers are safer at lower speeds. People out at night are safer with well-lit crosswalks.”
  • The New York Times furthermore reports,
    • “Zepbound, the newly approved weight loss drug, hit the market this month. People seeking out the medication may have to stay on it for the foreseeable future — potentially, for the rest of their lives — if they want to keep the weight off, new research confirms.
    • “A study published Monday followed 670 people who had taken tirzepatide, the compound in Zepbound and the diabetes drug Mounjaro, for 36 weeks. Eli Lilly, the company that makes both drugs, funded the study. Tirzepatide regulates insulin levels and slows down the emptying of the stomach. It also acts on areas of the brain that control hunger and appetite. As a result, people can lose significant weight: On average, the study participants lost around 20 percent of their body weight during that time.
    • “After that, half of the participants continued to take a high dose of tirzepatide for a year while the other half received a placebo shot. Those in the study also underwent lifestyle counseling, ensuring that they were eating fewer calories and exercising regularly.
    • “People who continued taking tirzepatide for an additional year lost, on average, another 5.5 percent of their body weight. Those who were switched to the placebo, however, gained 14 percent of their body weight on average. Those on the placebo also tended to have higher cholesterol, blood sugar and blood pressure than they did while taking tirzepatide, said Dr. Louis Aronne, the lead author on the study and the director for the Comprehensive Weight Control Center at Weill Cornell Medicine.”

From the U.S. healthcare business front,

  • Per Fierce Healthcare,
    • “Optum Rx is launching a new weight management program aimed at improving outcomes and addressing affordability.
    • “The cost of GLP-1 drugs amid continued high demand is a key focus for pharmacy benefit managers and plan sponsors, especially as individual therapies can top $10,000 per year. Through the Optum Rx Weight Engage program, the PBM is aiming to support employers and other clients in designing benefits for their membership.
    • “The team will review the client’s goals to build a tailored program that will deploy clinical solutions as well as patient monitoring and motivation and support tools, the company said. Members can connect to an obesity management specialist who will direct them to the appropriate clinical services.”
  • Healthcare Dive reports,
    • “Healthcare prices typically rise faster than inflation, but 2023 may have bucked that trend.
    • “The cost of shoppable medical services at hospitals increased 2% in the first three quarters of the year, according to new data from Turquoise Health released Tuesday. That’s in line with the 1.9% overall growth of the economy.
    • “The findings — some of the first from new price transparency data disclosing the once-secret negotiated rates between health insurers and providers — illustrate how overall economic inflation could be catching up to faster health cost growth.”
  • STAT News notes,
    • “In its latest bid to police the pharmaceutical industry, the U.S. Federal Trade Commission sought to block Sanofi from licensing a Pompe disease treatment made by another drug company. And in response, Sanofi is ending the deal.
    • “Sanofi sought the rights to the medication from Maze Therapeutics, but the regulator argued the deal — valued at $775 million — would eliminate a “nascent competitor” that could, otherwise, challenge the monopoly Sanofi has in the market for Pompe disease treatments, according to an FTC statement. The agency had filed a complaint in a federal court in Boston and also planned to seek a preliminary injunction.”
  • BioPharma Dive adds,
    • “The scuttled deal came on the same day that the regulator gave final clearance to Pfizer’s $43 billion acquisition of Seagen, which had faced close scrutiny from the antitrust regulator. To ease the FTC’s concerns, Pfizer has agreed to donate royalties from sales of the cancer drug Bavencio to the American Association for Cancer Research.”
  • Beckers Hospital Review points out six innovative hospitals.
  • According to BioPharma Dive,
    • “AstraZeneca on Tuesday reached a deal to acquire vaccine developer Icosavax in a deal worth up to $1.1 billion. 
    • “Per deal terms, AstraZeneca will acquire Icosavax’s shares at $15 apiece, and could add another $5 per share to the buyout if certain milestones and sales targets are met. The upfront payment from AstraZeneca represents an equity value of about $838 million and a premium of about 43% to Icosavax’s closing price on Monday. The acquisition would reach $1.1 billion if AstraZeneca eventually makes the future payouts, which are known as “contingent value rights.”  
    • “Icosavax has been developing an experimental shot that simultaneously targets respiratory syncytial virus and human metapneumovirus, another lung infection. The biotech released Phase 2 study results on Tuesday showing the vaccine spurred an immune response against both viruses without causing any serious adverse events. AstraZeneca will now take over late-stage development, and, if successful, commercialization.”  

Thursday Miscellany

From Washington, DC,

  • The U.S. Office of Personnel Management released its Fiscal Year 2023 Agency Financial Report today. Worth reading is the OPM Director’s response to the OPM Inspector General’s Top Management Issues letter.
  • The Department of Health and Human Services (HHS) issued its proposed 2025 benefit and payment parameters notice. Here is the government’s fact sheet on the proposed rule. Published alongside the proposed rule is HHS’s final guidance on Maximum Annual Limitation on Cost Sharing for the 2025 Benefit Year, which does apply to FEHB plans.
    • “Under 45 CFR 156.130(a)(2), for the 2025 calendar year, cost sharing for self-only coverage may not exceed the dollar limit for calendar year 2014 increased by an amount equal to the product of that amount and the premium adjustment percentage for 2025. For other than self-only coverage, the limit is twice the dollar limit for self-only coverage. Under § 156.130(d), these amounts must be rounded down to the next lowest multiple of $50. Using the premium adjustment percentage for 2025 of 1.4519093322, and the 2014 maximum annual limitation on cost sharing of $6,350 for self-only coverage, which was published by the Internal Revenue Service on May 2, 2013, the 2025 maximum annual limitation on cost sharing is $9,200 for self-only coverage and $18,400 for other than self-only coverage. This represents an approximately 2.6 percent decrease from the 2024 parameters of $9,450 for self-only coverage and $18,900 for other than self-only coverage.”
  • Per MedTech Dive,
    • “Congress included a one-year delay to Medicare reimbursement cuts for clinical laboratory services in the short-term funding bill passed this week, granting a reprieve in targeted payment reductions of up to 15%.
    • “The stopgap bill to keep the government open, passed by the House on Tuesday and the Senate on Wednesday, provides a one-year reprieve from Medicare cuts that would have gone into effect in January for about 800 laboratory services.
    • “The American Clinical Laboratory Association (ACLA), a trade group whose members include Labcorp and Quest Diagnostics, called the delay “critically needed” to preserve patient access to many of the most commonly ordered lab tests.”
  • HHS also reminds us that
    • “Today [the agency] celebrates National Rural Health Day and recognizes the creativity and innovation of leaders across the country working to ensure access to high quality care for over 60 million Americans living in rural communities. National Rural Health Day is the third Thursday of every November and recognizes the efforts of rural providers, communities, organizations, state offices of rural health, and others dedicated to addressing the unique health care needs of rural America.” 

In FEHB Open Season news, Tammy Flanigan discusses Open Season and tax savings in Govexec.

From the public health and research front,

  • The New York Times points out the differences between Influenza A and Influenza B.
  • NCQA released its Quality Talks newsletter.
  • STAT News informs us,
    • “History just happened.
    • “For the first time, a regulator has cleared a treatment using CRISPR, the gene-editing technology, for patients. The regulator is the United Kingdom’s Medicines and Healthcare products Regulatory Agency. The product is Casgevy, a treatment for sickle cell disease and beta thalassemia, two blood disorders. It was developed by CRISPR Therapeutics, the Swiss company co-founded by Nobel laureate Emmanuelle Charpentier, and Vertex Pharmaceuticals, a large Boston-based biotech firm.”
    • The article covers questions and answers about this significant development.
  • “Smileyscope has made history by becoming the first virtual reality (VR) device to receive FDA Class II clearance for acute pain. This approval recognizes Smileyscope’s innovative Procedural Choreography™ technique, which uses positive virtual stimuli to reduce pain and anxiety during medical procedures. With this milestone, Smileyscope aims to revolutionize pain and anxiety management, partnering with hospitals and clinicians globally to enhance patient experiences and improve clinical workflows.”

Monday Roundup

From Washington, DC,

  • The American Medical Association News tells us,
    • “President Biden, Oct. 30, directed federal agencies to take certain actions to protect Americans from the potential risks of artificial intelligence systems while promoting innovation and competition. The executive order calls for the Department of Health and Human Services to establish a safety program to regulate healthcare AI practices and for developers of high-risk AI systems to share their safety testing results and other relevant information with the federal government. Among other actions, the order urges Congress to enact data privacy safeguards for Americans, and requires federal agencies to develop best practices to investigate and prosecute AI-related discrimination and guidelines to prevent fraudulent and deceptive AI-generated content.”
  • Federal News Network adds,
    • “The Biden administration is calling for a “governmentwide AI talent surge” across the federal workforce to build up its capacity to lead on this emerging technology.
    • “President Joe Biden, in an executive order Monday, is requiring agencies to set comprehensive policies for how they will use AI tools internally to further the business of government.
    • “The White House, in a fact sheet, said the executive order also “directs the rapid hiring of AI professionals, as part of a governmentwide AI talent search.”
    • “Biden, speaking at the White House, said that “without the right safeguards in place, AI can lead to discrimination, bias and other abuses.”
  • MeriTalk points out,
    • “The Office of Personnel Management (OPM) is getting close to releasing a proposal that would offer “equity around pay and flexibilities in the workplace” for Federal government tech and cybersecurity personnel, OPM Director Kiran Ahuja said today.
    • “Speaking at ACT-IAC’s Imagine Nation conference in Hershey, Pa., the OPM director talked about the soon-to-be-issued proposal as part of a reply to a question about what she’s most proud of accomplishing at the agency since taking the helm at OPM in 2021.
    • “One of those points of pride, she said, was “that we’ve spent a lot of time thinking about cyber and tech talent,” including OPM’s efforts to recruit private sector tech and cyber personnel into service with the government.”
  • On a related note, the AHA News reports,
    • “The Department of Health and Human Services, Oct. 30, released a proposed rule intended to create disincentives for health care providers to interfere with the access, exchange or use of electronic health information. Under the rule, which implements a provision of the 21st Century Cures Act, healthcare providers that HHS’ Office of Inspector General determines have committed information blocking and refer that determination to the Centers for Medicare & Medicaid Services would be ineligible for certain incentives under the Medicare Promoting Interoperability Program and Shared Savings Program, HHS said. The agency will publish the proposed rule in the Nov. 1 Federal Register with comments accepted through Jan. 2.”  
  • The Food and Drug Administration announced the recall of certain eye drop products due to the risk of serious infection.
  • AHA News calls attention to the fact that
    • “The Food and Drug Administration, the week of Oct. 23, cleared for marketing the first over-the-counter test to detect fentanyl in urine. The five-minute test provides only preliminary results and includes a pre-addressed mailing box for shipping samples to the manufacturer’s laboratory for confirmation testing using an alternative chemical method. The agency expedited its review of the Alltest Fentanyl Urine Test Cassette, clearing it only 16 days after the submission was received.
    • “Opioid abuse, misuse and addiction is one of the most profound public health crises facing the U.S. today,” said Jeff Shuren, M.D., director of FDA’s Center for Devices and Radiological Health. “…This test is an example of the FDA’s continued commitment to authorize tools that can reduce deaths associated with overdoses.”
  • On a related note, the Wall Street Journal calls our attention to effective over-the-counter treatments for congestion.

In FEHB news,

  • Govexec discusses the availability of Medicare Part D PDPs in nine “first out of the gate” FEHB plans (seventeen options) for 2024.

From the public health front,

  • The Institute for Clinical and Economic Review released a “Final Evidence Report on Gene Therapy for Metachromatic Leukodystrophy.”
    • The independent appraisal committee voted that, across all patient subpopulations, arsa-cel demonstrated a net health benefit when compared to usual care; arsa-cel would achieve common thresholds for cost-effectiveness if priced between $2.3M and $3.9M.
  • The New York Times reports on a new surgical technique called component separation to resolve hernia conditions. A surgeon must undergo specialized training before operating on a living patient. Apparently, some surgeons jumped the gun, no doubt leading to malpractice lawsuits.
  • The American Health Association announced,
    • “Cardiovascular deaths from extreme heat in the United States are projected to increase by 162% by the middle of the century, based on a hypothetical scenario where currently proposed U.S. policies to reduce greenhouse gas emissions have been successfully implemented.
    • “A more dire scenario forecasts cardiovascular deaths from extreme heat could increase by 233% in the next 13-47 years if there are only minimal efforts to reduce emissions.
    • “The percentage increase in deaths will be greater among elderly people and non-Hispanic Black adults in either scenario.”

From the U.S. healthcare business front,

  • Per Healthcare Dive,
    • “Prices negotiated by health insurers vary widely between geographies — even for the same insurer, according to a new study that authors said is the first of its kind relying on federally mandated price transparency data.
    • “Humana members paid more for medical care in the Upper Midwest and Southeast than in the Central U.S. and Florida, according to the research published in JAMA Health Forum last week.
    • “More than half of Americans are covered by private insurers, which negotiate rates in local markets. The variability in cost between markets could be due to a number of factors, including imbalances in market power and negotiation leverage, anti-competitive practices and actual variation in clinical quality, study authors said.”
  • BioPharma Dive tells us,
    • “An experimental kidney disease drug Novartis acquired via a $3 billion deal earlier this year succeeded in a late-stage trial, the Swiss pharmaceutical company said Monday.
    • “The drug, called atrasentan, reduced protein in the urine of people with IgA nephropathy by significantly more than placebo, meeting the Phase 3 trial’s goal. IgA nephropathy is a leading cause of chronic kidney disease and often causes persistently high urine protein, or proteinuria.
    • “With the positive data in hand, Novartis plans to submit an application to U.S. regulators for accelerated approval of the drug. The company’s trial will continue to run for another two years to assess changes in kidney function over time.”
  • Fierce Healthcare explains how “Amazon Pharmacy’s focus on making it faster and more convenient for patients to get prescription medications comes as brick-and-mortar drugstores are limiting pharmacy hours and even closing locations across the country.”