Athenahealth is asking federal regulators to create an exemption to federal fraud laws that would allow doctors to pay “fair market value” for patient data, creating a business case for interoperability.
Such an approach would establish “a true functioning market for the exchange of health information,” Greg Carey, director of government and regulatory affairs at Athenahealth, wrote in a letter to Inspector General Daniel Levinson. Carey said the payments would be “nominal.”
Responding to a request for information issued by the HHS Office of Inspector General in August seeking suggestions on how to reform the Anti-Kickback Statute and Stark Law, Carey argued that outdated fraud laws didn’t account for the value of data exchange. While other industries like finance pay for data, healthcare companies like Athenahealth are forced to shoulder the costs of secure, efficient data transfer that supports value-based care.
“It is our experience that information exchange occurs best when there is a business case and problem to solve,” Carey wrote. “We believe that new safe harbors to Stark and Anti-Kickback statute to allow for the fair market value payment for the exchange of health data will spur interoperability forward and allow the market to further realize the benefits of health IT on lowering costs and improving patient outcomes.”
Meanwhile, Cerner called on OIG to broaden carve-outs for providers to donate EHRs and related healthcare technology that addresses population health management and care coordination. The company recommended that the OIG add explicit provisions to the EHR Safe Harbor to allow any risk-bearing entity in an advanced alternative payment model to donate EHRs to post-acute care providers, nursing facilities, long-term care hospitals and rehabilitation facilities.
Cybersecurity carve-out needed
Similarly, two IT groups advocated for an Anti-Kickback carve-out that would allow health systems to share cybersecurity tools with smaller providers.
Rather than modifying the existing EHR safe harbor, the College of Healthcare Information Management Executives requested a separate exemption that would cover program development, software and hardware, expertise in the wake of a cyberattack, and staff time.
Cybersecurity experts have frequently pointed to this exemption as a way to get resources to smaller providers prone to attacks.
The Healthcare Sector Coordinating Council (HSCC) also threw its support behind a cybersecurity safe harbor, noting that a stronger cybersecurity posture across the industry would help facilitate the shift from volume to value by facilitating protected data exchange.
“The security of the healthcare system is only as strong as its weakest link, so it would benefit the entire healthcare industry to support the provision of cybersecurity resources outside of large health systems,” wrote Greg Garcia, executive director for cybersecurity at HSCC. “Doing so would help to protect a community’s larger systems, as well as the affiliated small and medium-sized practices.”
Anthem has agreed to pay the Department of Health and Human Services (HHS) $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.
It’s a record-setting settlement from the Office for Civil Rights (OCR), the HHS agency tasked with enforcing HIPAA. It’s nearly three times the agency’s previous highest settlement of $5.55 million paid by Advocate Health Care in 2016.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in a statement. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
“We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR,” he added.
An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, regularly review system activity or identify and respond to a known threat.
OCR also determined that Anthem failed to implement the minimum security controls to prevent hackers from accessing sensitive patient information. The attack, which began as early as Feb. 18, 2014, wasn’t discovered by Anthem until Jan. 29, 2015, but most of the information was stolen between Dec. 2, 2014 and Jan. 27, 2015.
Anthem has also agreed to take “substantial corrective action,” according to OCR. As outlined in its corrective action plan with the agency, Anthem must conduct a risk analysis, review its policies and procedures, provide annual reports to HHS for a two-year period and notify HHS of any reportable events involving employee noncompliance.
Last year, the insurer agreed to pay $115 million to settle a class-action lawsuit from members affected by the breach.
DAS Health’s Vice President of Technology Solutions Appointed to the USF Cybersecurity for Executives Advisory Committee
Kyle Mynatt brings extensive healthcare information technology knowledge to the innovative committee
TAMPA, Fla. (August 6, 2018) – Kyle Mynatt, Vice President of Technology Solutions for DAS Health, an industry leader in health IT and management, has been appointed to the USF Cybersecurity for Executives Advisory Committee. The committee contributes to the School in many ways, including sharing invaluable knowledge with the faculty and students, as well as overseeing the Cybersecurity for Executives Certificate Program.
Kyle brings more than 17 years of experience in technology to this esteemed committee. The last 7 of those years have been spent with DAS Health, where he currently oversees departments responsible for the cybersecurity of 8 million patients’ records and a real-time Disaster Recovery (DR) system that spans the continent, as well as other customer-facing disciplines. Kyle also has 10 years of prior technical experience in the field, including his active duty in the Marines, where he worked with the National Security Agency (NSA) in counterintelligence. During this time, he trained in multidiscipline intelligence collection and operations and became skilled in troubleshooting computer hardware and network issues. Kyle was honored with a 2017 Tampa Bay Business Journal Heroes at Work award, which recognizes veterans who have contributed to their community through their personal and professional endeavors.
“We are delighted for Kyle to be appointed to such a crucial advisory committee,” said David Schlaifer, President and CEO of DAS Health. “Kyle brings a unique background and approach to the committee through his experience in Health IT and the remarkable mentorship he provides to his team.”
Kyle will be part of a group of industry leaders whose professional records range from start-ups to government intelligence. This group will guide the course content and mentor the attending executives through an intense, two-day Executive Education Program that is designed to provide a ‘survival guide’ for rising executives. Kyle will draw on his experience to offer input on USF’s program, create potential internship programs, and visit classrooms and conferences.
- Americans are far less concerned about the security of their personal health data than breaches of financial information, a new SCOUT Rare Insights survey shows.
- Just under half (49%) of adults said they are extremely or very concerned about security of lab results, diagnoses and other health information, compared with 69% who said they are extremely or very concerned about the safety of their financial data.
- The news comes as healthcare organizations continue to face regular cyber threats and data security concerns.
As healthcare organizations amass more and more patient data and patients are pushed to engage with EHRs and patient portals, providers and payers will need to do more to make people aware of best practices and risks.
A study by Accenture and the American Medical Association found that four out of five physicians have experienced a cybersecurity attack. More than half worried such attacks could undermine patient safety, and roughly three-fourths thought future attacks could disrupt their clinical practices and compromise patient records.
In a recent Ponemon Institute survey, 62% of healthcare leaders said their organization experienced a cyberattack in the past year, and more than half said the event resulted in loss of patient data. Patient medical records and patient billing information were the top two targets of hackers.
In February, Partners HealthCare notified 2,600 patients that their personal information may have been compromised when an unauthorized third party introduced malware into its computer system. Banner Health contacted 3.7 million people in August 2016 to reveal that a cyberattack may have exposed their personal data.
“We need to be much more aware and concerned about the safety of our health data,” Raffi Siyahian, principal at SCOUT, said in a statement. “First, the risk of having our medical data exposed is pretty significant. And second, the consequences of someone gaining unauthorized access to your personal health information can be far more damaging than having someone illegally access your personal financial information.”
He noted that banks are typically quick to alert customers when their financial information is stolen, whereas breaches of healthcare data often aren’t spotted for months or years.
“We need to guard and monitor our health insurance cards and medical service statements as rigorously as we guard and monitor our credit cards and bank statements,” Siyahian said.
North Carolina-based LabCorp Diagnostics, one of the largest clinical laboratories in the U.S., was forced to shut down its network on Sunday after officials detected suspicious activity, according to a recent U.S. Securities and Exchange Commission filing.
Over the weekend of July 14, hackers got into LabCorp’s network. Officials immediately took certain systems offline as part of the company’s breach response policy to contain the intrusion. As a result, test processing and customer access to test results were temporarily affected.
According to its site, LabCorp services more than 115 million patient encounters annually, which potentially put all of those patient records at risk if they were located on the impacted network. LabCorp did not respond to a request for comment.
Officials have continued to restore full system functionality, with test result services “substantially resuming” on Monday. Additional systems and functions will be restored over the next few days.
“Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process,” officials said.
The suspicious activity was detected only on LabCorp Diagnostics systems, not on those of Covance Drug Development, which the company bought for $6.1 billion in 2014. The company has also notified the relevant authorities of the cyberattack.
In June, LabCorp won its court battle over an alleged HIPAA violation. The company was accused of not providing enough privacy protection at its Providence Hospital computer intake system. LabCorp argued that an individual can’t bring a private lawsuit under HIPAA and filed a motion to dismiss. The judge agreed.
Healthcare providers and industry groups are warning Congress of an urgent need to improve standards and practices to protect medical devices and EHRs from cyberattacks.
Suggestions ranging from better coordination between organizations to federal help in covering the costs of protecting patient data are spelled out in nearly 300 pages of comments submitted to the House Energy and Commerce Committee. The panel in April issued a request for information on how to improve cybersecurity in the medical device sector. Congress is concerned that older “legacy” technologies may be more vulnerable to security threats than their modern counterparts.
The effort is part of a response to the 2017 global ransomware attack dubbed WannaCry that underscored the cybersecurity risks facing device makers, hospitals and healthcare facilities. The massive cyberattack froze computers at hospitals across the United Kingdom and disrupted businesses in more than 100 countries. Hundreds of thousands of devices were infected, according to the House committee.
Cybersecurity issues continue to hound healthcare organizations. The American Medical Association said 83% of physician practices report they have experienced some form of a cybersecurity attack, and the majority of doctors are concerned about future cyber attacks on their practices.
“The healthcare sector exchanges health information electronically more than ever before, putting the entire healthcare ecosystem at risk,” the AMA said in comments to the committee.
The AMA urged adoption of public policy that emphasizes greater transparency, physician educational resources, more equal distribution of liability risk and government enforcement between physicians, technology vendors and manufacturers, and positive incentives to encourage adoption of best practices.
A compromised EHR could prevent a physician from seeing a patient’s medical history, including drug allergies, historical blood pressure readings and previous medical treatments — which could lead to adverse outcomes, the American Alliance of Orthopaedic Executives said in its comments.
Devices including X-ray, MRI and ultrasound machines also need to interface with the EHR to store patient information for later reference or transfer to another provider.
“Healthcare is one of the few sectors of the economy in which a failure of our networks may mean the difference between life and death,” the group said.
The AAOE said median technology costs for its members were $60,789 per practice in 2016. The executives suggested federal assistance such as tax breaks or an expense component in Medicare reimbursements to encourage adoption of new security protocols.
A cybersecurity risk could affect not only the security of sensitive patient information, but also the performance of medical devices that are life-sustaining, such as anesthesia machines, ventilators and therapy-delivery devices like infusion pumps, according to the American Hospital Association.
Many legacy devices were not built with cybersecurity in mind but are still clinically useful, the AHA said. For most hospitals and health systems, replacing these technologies is not financially feasible, and many can replace only about 10% of devices each year, the hospital group said.
Manufacturers must support end-users by wrapping security precautions around legacy devices, adding security tools and auditing capabilities, conducting regular updates, patching all software and communicating security vulnerabilities quickly through consistent channels, the AHA said.
Medical device lobby AdvaMed said any policies that would require its members to support legacy technologies indefinitely would slow development of new innovations and could affect the financial viability of smaller manufacturers.
The American College of Radiology, representing more than 35,000 radiologists, nuclear medicine physicians, radiation oncologists and medical physicists, urged Congress to “exercise restraint” in enacting any legislation that would put an undue burden on end-users such as radiologists.
“The ACR does not support government policies that would inappropriately shift more responsibility/liability associated with medical device cybersecurity away from manufacturers and onto physicians,” the group stated.
ECRI Institute, a research organization focused on cybersecurity for medical technologies, said manufacturers should be encouraged to proactively share device-specific security information such as patches and known vulnerabilities because healthcare organizations lack the knowledge to assess and manage the risk of legacy devices in their inventory.
Kaiser Permanente said policies to improve legacy system cybersecurity should strengthen the ability of healthcare delivery systems to counter current market dynamics, which it said strongly favors manufacturers.
“There are few incentives to encourage manufacturers to invest in supporting older versions of software when they can profit from the continuous need of the healthcare industry to upgrade hardware, software and (operating systems) due to obsolescence. A more level playing field will enhance cybersecurity across healthcare, help ensure greater patient safety, and improve the business value of clinical technology in healthcare delivery,” the healthcare organization said.
Device maker Becton Dickinson recommended manufacturers and healthcare organizations take a coordinated approach to improving transparency and making decisions on security patches and upgrades in response to new risks introduced during a product’s lifetime.