Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to do is look at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they are barely able to talk to their like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California, cites the lack of interoperability and the inability to access personal health data as a major barrier both to patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic was up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both sides of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months–between 1 August 2018 and 30 March 2019–and the breach involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spear phishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive — and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Hackers hit another Blue Cross, put 10.5 million members at risk (Breaking)

BREAKING NEWS This time the data breach is at Excellus Blue Cross Blue Shield, which covers upstate New York (Rochester-Syracuse area). It was discovered by Excellus on 5 August but dated back to 23 Dec 13, and reportedly has compromised members’ names, addresses, telephone numbers, Social Security numbers, financial account information and in some cases sensitive medical information. According to the AP/NBC, it also breached other divisions of Excellus and the corporate parent, Lifetime Healthcare: Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies and Univera Healthcare. The source of the hack has not yet been determined.

Excellus joins fellow BCBS members Anthem [TTA 11 Feb], soon to be merging with Cigna, with 80 million; Premera Blue Cross [TTA 24 Mar] with 11 million; and CareFirst with a ‘bag o’ shells’ 1.1 million [TTA 2 June]. The pattern has been such that the national Blue Cross Blue Shield Association (BCBSA) announced in July that it will offer all 106 million of its members identity protection starting next January. (Note for our mathematicians: Anthem has millions of non-BCBS members.) Chinese hackers are suspected in the Anthem breach.

FierceHealthPayer broke the story, in this Editor’s estimation, to the healthcare trade area. Rochester Democrat & Chronicle. Excellus message to policyholders. The NBC/AP report also has a video interview with Eugene Kaspersky of the eponymous anti-virus software (and whose Kaspersky Lab was also a hacking victim earlier this year).

Updated via the Rochester Democrat & Chronicle:  FireEye is becoming the ‘go-to’ security company for health organization breaches–Excellus hired them in the wake of the Anthem breach and they discovered the vulnerability facilitating the breach.

Australian military health data went straight to China: report

The Australian Defence Department confirmed to the Sydney Morning Herald that protected health data of hundreds of Defence Forces personnel went to (guess where!) China. However, as breaches go, this was an easy hack–it was sent by a health contractor, Luxottica Retail Australia, which contracts with manufacturer Tristar Optical in Dongguan, Guangdong province. Those affected included soldiers posted overseas to Afghanistan and special forces commandos who went on to be deployed to Iraq. Luxottica has since lost its contract with principal contractor Medibank Health Solutions. Both Medibank and Defence have had a lot of ‘splainin’ to do with the Government. According to the SMH, “the revelations raised particular concern within the Defence establishment because of China’s extensive involvement in state-sponsored hacking and cyber-espionage, with Beijing showing a particular interest in accessing personal records of government workers in the US.” A ‘twin-spin’ of Data Insecurity: healthcare and military! Hat tip to Malcolm Fisk of Coventry University via LinkedIn updates.

Healthcare vulnerability in a concatenation of data breaches

Concatenation is one of those lovely English words that express far more than its simpler synonyms: sequence, series or chain of events. Perhaps we have experienced that concatenation of data breaches which connects and demonstrates a critical mass that motivates healthcare organizations, including insurers, to ensure that data security and privacy get primacy in HIT. Our Readers know we’ve been on the case since 2010; we’ve been noting Ponemon Institute and ID Experts studies since then.

While simple, straightforward theft can be the cause of smaller breaches and not part of a Big Hack, it’s not as Three Stooges or Benny Hill-esque as perhaps the JAMA study earlier this year made it out to be, especially if it’s your personal record, or your patient’s, which is breached, identity and financials damaged. (See this Security Intelligence article on a minor health breach and how it affected an individual who happens to be in IBM’s security arm.)

Just in the past few weeks, in the US we have experienced the following major and minor breaches:

  • CareFirst BlueCross BlueShield in Maryland–an insurer, not a hospital or practice–had a Big Hack of 1.1 million health records, with names, birth dates, email addresses and insurance identification numbers (but not SSI or credit card numbers) revealed.
  • Beacon Health Systems (Indiana) had a phishing attack into employee email boxes dating back to 2013. This was a Medium Hack that affected about 220,000 patients. Data taken included SSI and driver’s license. Health Data Management today.
  • Advantage Dental in Redmond, Washington had a 152,000 patient hack during three days in February.
  • Also in February, a New York City Health and Hospitals Corporation employee transferred patient files to her personal and new work email. 90,000 patients may have compromised data as a result. Becker’s

More breaches are listed today in iHealthBeat and the ever-growing list on Privacy Rights Clearinghouse.

Ponemon Institute’s 2015 Cost of a Data Breach Study: Global Analysis, with IBM, was published last week.

News highlights for Friday

AnthemHealth didn’t encrypt, Blueprint Health collects, HealthSpot funds again, Sense4Baby goes to Europe, Apple Health pilots in hospitals and buddi gets bigger still.

Another hack attack claimed major US health insurer AnthemHealth, the former WellPoint. It’s estimated that 80 million of its customers, former customers and employees had data breached: names, addresses, dates of birth, emails, employment information, income, medical IDs and SSIs. The Wall Street Journal reports that Anthem didn’t encrypt data for analytics reasons. It’s unconfirmed where the hackers originated but Bloomberg’s latest report tags the usual Chinese state-sponsored suspects. Unusually, it was reported within days of discovery; Anthem has called in Mandiant (FireEye) to beef up its cybersecurity. Other reports: WSJ, Modern Healthcare….The Blueprint Health accelerator has a new initiative, the Collective. It is designed to pair up major healthcare providers and payers with startups and early stage companies. So far signed up are Aetna, AstraZeneca, HP, Montefiore, North Shore LIJ, New York-Presbyterian, Samsung, EmblemHealth, Philips and Razorfish Healthware. More information here….The HealthSpot Station telehealth/telemedicine kiosk is readying a $11.6 million funding round from four investors soon, based on (more…)

Staying up at night with telemedicine (and telehealth)

Our readers have many things which keep them up at night, including that extra taco, but René Quashie of leading healthcare/life sciences law firm Epstein Becker Green adds a few more to the list. While muddling telemedicine (remote consults) with telehealth (vital signs tracking and monitoring), he outlines the legal pitfalls (and consequences) that both are facing: non-compliance with state prescribing and licensure laws (physical examination requirements); lack of highly developed protocols and guidelines (liability exposure); lack of greater coverage and reimbursement by payers (low credibility=low/no pay); HIPAA compliance in privacy and security (lack of protection against unauthorized data access). However, how many of these have already experienced accommodation by state regulators, or have started to modify to follow regulations? Awake yet? This is only Part 1. Things That Should Keep the Telehealth Community Awake at Night (Part 1) (TechHealth Perspectives/EBG blog) Hat tip to reader Ellen Fink-Samnick of Ellen’s Ethical Lens.

VA networks breached from overseas; 20 million records affected (US)

Department of Veterans Affairs IT systems have been breached since 2010 by eight ‘nation-state-sponsored organizations’, affecting records of 20 million veterans, according to recent testimony in hearings held earlier this month by the House Veterans Affairs Oversight and Investigations Subcommittee. While the normal ‘hack’ is due to theft or an inside job for financial gain, these likely have a far more sinister nature. According to former VA Chief Information Security Officer Jerry Davis (now at NASA), the attacks continue from these countries, and according to Subcommittee Chairman Rep. Coffman, may include China and Russia. Testimony and evidence also revealed that those responsible for informing Secretary Shinseki may have understated the problem. The VA has certainly been taking its lumps with a Magic 8 Ball of late, with a derailed joint EHR project with the Department of Defense and wrangling on who’s leading integration [TTA 3 April; iHealthBeat]. VA Systems Hacked From Abroad; Was VA Secretary Misled About Breaches? (HealthcareInfoSecurity)

Healthcare data breaches show 25% fraud risk: study

For healthcare institutions, that data breach can really cost. Javelin Strategy & Research has been tracking the cost of data breaches, including healthcare, for the past ten years. Using its data across all the industries it tracks (data here), the threat of identity fraud as of 2012 is up to 1 in 4, from 1 in 9 in 2010. In commenting on the big breach last year at the Utah Department of Health (780,000 records, TTA 22 Dec), a Javelin spokesperson has made some news by estimating the additional fraud cost at $406 million–and that is in addition to the estimated $9 million that the state has spent on security audits, upgrades and credit monitoring for victims. Hackers seem to be more targeted than ever, but often even simple precautions are not taken–in Utah, the factory password to the server was never changed. A cautionary note–no, symphony–to developers and to HIT departments. Healthcare IT News, Salt Lake Tribune, Javelin release

Could iris scans be a solution? Biometrics makers, such as Safran, Fujitsu, AOptix Technologies and M2Sys Technology, are finding new customers in hospitals and large providers. HCA Holdings, the largest US for-profit hospital chain, is testing Eye Controls’ system at their private clinics in London. Medical ID theft is also a problem in the UK, with ‘shame-based theft’ (to conceal an illness) and private billing the given reasons. Iris scanning units cost about $200-300–a moderate cost. According to the World Privacy Forum, iris scanning will rule out hacking, but not ‘inside jobs’–progress of a sort. But an open question is how this integrates into current EHRs. Iris Scans Seen Shrinking $7 Billion Medical Data Breach (Bloomberg)  Editor’s note: The Gimlet Eye is…envious.