Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the sectors most vulnerable to hacking, breaches, and ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reporting that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices, continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has she stayed at a Holiday Inn Express lately.

Why ‘masking up’ isn’t such a great idea–more than a false sense of security, a possible gateway to harm

The signs and reminders to wear a mask outside the home, lest those COVID-19 germs get in (or out), are everywhere. You could be strolling on the beach, with hardly anyone in sight, or in a park with everyone more than 6′ away, and you’re made to feel guilty for wanting to breathe fresh, unimpeded air. This Editor has seen people driving cars solo–with masks on, steaming up their glasses, and restricting their vision (and apparently hearing as one hears mainly one’s breathing) for a dangerous combination in driving safety. And even in a short visit to a supermarket, a fabric mask of the type most common to us civilians can make you feel a little light-headed, as you breathe in less O2 and more of your own CO2, like breathing in and out of a paper bag–as you touch the cheese and the detergent. It all begins to appear a little less than logical, a belief shared with medical professionals with whom I’ve spoken.

Along comes the BMJ to confirm exactly these concerns–and add a few more. A team from University College London and UCL Institute of Epidemiology and Health Care responded to a BMJ editorial that advised that “surgical masks should be worn in public to prevent some transmission of covid-19 [sic], adding that we should sometimes act without definitive evidence, just in case, according to the precautionary principle”. The authors of the ‘Rapid Response’ article note that the ‘precautionary principle’ also should prevent the neglect of potentially harmful side effects of any intervention, including the wearing of masks in public.

The two acknowledged (by most) side effects are a false sense of security that may lead some to neglect proven infection control measures like hand (and face–Ed.) washing, and inappropriate use of a face mask, including facial touching and infrequent washing. The writers added five others:

  • Speech is compromised, leading people to come closer simply to hear each other, and increasing contact risk
  • The face mask propels exhaled air into the eyes, leading a person to touch their eyes and possibly contaminate them
  • “Face masks make breathing more difficult. For people with COPD, face masks are in fact intolerable to wear as they worsen their breathlessness.” The rebreathed CO2 also may increase breathing frequency and deepness, thus more contaminated air exhaled in the infected, and conversely increasing their viral load.
  • If face masks are already infected, these points are amplified
  • Reduction in innate immunity that limits the spread of pathogens through the body. “If face masks determine a humid habitat where the SARS-CoV-2 can remain active due to the water vapour continuously provided by breathing and captured by the mask fabric, they determine an increase in viral load and therefore they can cause a defeat of the innate immunity and an increase in infections.”

In short, despite all the ‘stay safe’ and ‘mask up’ admonishments, there are both positive and negative effects of mask-wearing–and risks–and they certainly are not the cure-all for COVID spread. (We will, of course, see if COVID outbreaks in the next few weeks appear in the cities where demonstrations have been rampant and mask-wearing/physical distancing have been noticeably absent.–Ed. Donna)

Humana-Omada Health diabetes prevention program could cut $3 bn in Medicare expense: study

A study performed by insurer Humana found that the Omada Health program for diabetes prevention effectively lowered weight and improved cholesterol, blood glucose and mood. 500 volunteer subjects from Humana’s Medicare Advantage program, enrolled during 2015, lost an average of 13 to 14 pounds over a year (7.5 to 8 percent). They also saw improvements in cholesterol levels, blood glucose levels and subjective measures of moods and self-care. Individuals were chosen from administrative medical claims based on metabolic syndrome diagnosis or a combination of three of four of the following diagnoses: prediabetes, hypertension, dyslipidemia, and obesity. Based on the researchers’ calculations, this type of prevention program, if widely implemented among overweight adults in this group, could reduce Medicare costs by $3 bn over 10 years, not only for diabetes but also heart disease and high blood pressure.

Omada Health’s program included online small group support, personalized health coaching, digital tracking tools, and a weekly behavior change curriculum. These one-hour lessons, each focused on a single topic, were delivered via laptop, tablet, or smartphone, and included interactive games or exercises, written reflections, and goal-setting activities. The content was approved by the CDC Diabetes Prevention Recognition Program. Data was gathered via wireless scale, pedometer for physical activity, online food intake logging and standard lab results. “In conclusion, this study demonstrated that older adults who agreed to participate in this program were able to engage meaningfully and gain important health and wellness benefits during a relatively short time frame.”

While the cost reduction estimate is exactly that, other studies directionally confirm health improvement and savings: the National Diabetes Prevention Program (NDPP) which is the model for the Omada program, the BMJ/Noom Health study, and the Fruit Street/VSee telehealth program being used by St. Jude Children’s Research Hospital, University of South Florida and University of Michigan. mHealth Intelligence, study (full text in Journal of Aging and Health/Sage Journals)

Widespread remote GP consultations getting closer; no shortage of implementation advice

Following our previous item on the topic, on January 16th, Tim Kelsey made it very clear to this editor at a PICTFOR event that the £1b promised to GPs for premises improvement included a strong requirement that GPs also invest in electronic support, including remote consultation technology.

It is therefore particularly pleasing to see in yesterday’s Pulse Today, an item on a Skype trial in Central London that both patients and GPs seem to love. Some key quotes:

Almost all patients surveyed about their experience of the remote consultation service said they ‘would use it again’ (95%).

Although patients were warned that ‘the security of Skype isn’t 100%’, 83% also said (more…)

Healthcare Apps 2014 – a few impressions

This event was held on April 28th-30th in Victoria in London. It was organised by Pharma IQ and clearly had a strong pharma focus (including the charge which at £1995 for industry attendees clearly discriminated in favour of those with big-pharma sized budgets). It was also held just a few days after the significantly lower-priced Royal Society of Medicine event, and in the middle of a London Tube strike, all of which doubtless contributed to the relatively modest attendance (26 paid). I am most grateful to the organisers for kindly inviting me as one of speaker Alex Wyke’s guests.

As mentioned in an earlier post, there was a similarity with the RSM agenda, so I won’t repeat comments made by the same speaker before. The first up was the 3G Doctor, David Doherty, who gave another of his excellent presentations, although the sound engineer sadly made some of it inaudible. After a review of how we had got to where we are, he suggested that the Internet is about to become a device-dominated network. He drew a parallel between (more…)

WSD QALY paper published – cost worse than expected (UK)

Since one of the Whole Systems Demonstrator (WSD) let drop at the King’s Fund conference last March that the telehealth Quality Adjusted Life Years (QALY) cost calculation was coming out at £80,000, the actual paper has been ‘eagerly’ awaited, with speculation and concern that the calculation included management and other study-related costs that would not apply in a normal service setting. The paper is published by the BMJ today and a) such costs were excluded and b) the QALY figure is actually £92,000. Well, that’s the headline figure that is already being headlined by Pulse but, of course, the calculations are more nuanced. For example:

Whether telehealth is considered to be cost effective will depend on the willingness to pay for the outcomes generated. Figure 1 presents the probability that telehealth would be seen as cost effective as an addition to usual care, using an acceptability curve for different values of willingness to pay. At the £30,000 threshold (associated with NICE recommendations), the probability of cost effectiveness was 11%. Figure 1 also shows the probability of cost effectiveness if costs related to project management were excluded: at the £30,000 threshold, the probability of cost effectiveness was 17%. Indeed, this probability including management costs only exceeded 50% at threshold values of willingness to pay above £90,000. Excluding project management costs, the probability exceeded 50% only at values above about £79,000.

The discussion is also worth reading carefully, as is the final conclusion:

A community based, telehealth intervention is unlikely to be cost effective, based on health and social care costs and outcomes after 12 months and the willingness to pay threshold of £30,000 per QALY recommended by NICE. A reduced cost of telehealth per QALY may be possible by combining the effects of equipment price reductions and increased working capacity of services; On the assumption of reduced equipment costs and increased working capacity, the probability that telehealth is cost effective would be about 61%, assuming a willingness to pay threshold of £30,000 per QALY.

BMJ paper: Cost effectiveness of telehealth for patients with long term conditions (Whole Systems Demonstrator telehealth questionnaire study): nested economic evaluation in a pragmatic, cluster randomised controlled trial BMJ 2013;346:f1035

Related items
Mike Clark’s Updated list of WSD results papers.
Interview with Professor Martin Knapp As “telehealth” grows, experts question cost benefits Reuters.
David Brindle, in The Guardian anticipated these results last month and, in a follow up article commented “Fourteen months on from its launch, 3millionlives seems to be going nowhere. Intuitively, telecare/telehealth feels like a key pillar of the future care system. To be that, however, it does need a credible evidence base.”
3millionlives press release: 3millionlives – enabling change to benefit patients and carers. (PDF)
GP Online Telehealth ‘not good use of NHS money’, finds DH-backed study.
NHS Choices Are benefits of telehealth care worth the cost?