Short takes: states curbing healthcare cyberattack liability, North Korean hospital ransomwareiste indicted, Walmart leases out 23 clinics to Humana’s CenterWell, Nuro robot delivery revives, $100M Series E for Spring Health

News that class-action specialist law firms won’t like. States are considering limiting hospital cyberattack liability if they adopt cybersecurity measures. Currently, four states–Tennessee, Connecticut, Ohio, and Utah–have laws that curb liability for cyberattacks and data breaches. A fifth state, Florida, is considering it with the governor, Ron DeSantis, pushing for a tougher version to encourage strong cybersecurity adoption. The state lawmakers’ rationale centers on the admission that cyberattacks on hospitals are inevitable and that when hospitals have security in place, they are not negligent. On the opposite side, law firms that specialize in consumer class-action lawsuits argue that hospitals would rather profit than put into place expensive protection for consumer data. 

This Editor’s view tends to be even stronger than that of Governor DeSantis. How can state regulators actually know that a hospital has strong, effective cybersecurity? Hospitals not only have to spend money to constantly update their monitoring, but also have to hire the humans to implement it. In other words, what people or agency on the state level can assess that a hospital or health system has adequate cybersecurity in place and is acting in good faith to protect consumers against predatory data breaches or ransomware? The article in Politico is unfortunately very scant on how these laws work, the liability limitations, and the mechanisms for judging hospital cybersecurity. More to come on this. Also DataBreaches.net–this Editor’s go-to spot for research.

A North Korean ransomwareiste indicted, but he’ll be hard to serve if convicted. A grand jury in the Federal District Court for the District of Kansas has indicted Rim Jong Hyok for ransomware attacks on 17 hospitals and systems across 11 states plus attacks on government entities from May 2021 through April 2023. The US Department of Justice (DOJ) charge is that Mr. Rim was working for the North Korean intelligence agency, the Reconnaissance General Bureau (RGB), in a cyberhacking group known as Andariel. Andariel developed the Maui ransomware type and used it to attack healthcare and governmental entities. The ransoms collected from the hospitals were then used to fund cyber attacks and data exfiltration on government agencies, military bases, and multiple companies supporting the US military. The State Department is offering a reward of up to $10 million to locate Rim and others infiltrating US systems. It is highly unlikely that even with a conviction, Rim will serve any US time, but a conviction could initiate sanctions and other national measures. FierceHealthcare, US District Court indictment, US State Department ‘Rewards for Justice’ release

Walmart gives Humana a crack at reopening in-store clinics. After their well-publicized failure in retail health, Walmart is leasing nearly half of their former Supercenter clinics to Humana’s CenterWell healthcare services operation. By first half 2025, 23 of the 51 closed Walmart Health clinics in Florida, Georgia, Missouri, and Texas will convert to CenterWell Senior Primary Care and Conviva Care Centers. The focus will be on senior coordinated care with a staff of board-certified physicians, nurse practitioners, medical assistants, social workers, and other staff. Clinics are planned for Tampa/St Petersburg, Orlando, Jacksonville, Atlanta, Dallas/Fort Worth, and Kansas City. Medicare Advantage plans and Original Medicare will be accepted, though no mention is made of the ‘duals’ who are on both Medicare and Medicaid. Walmart will continue to operate pharmacy and optical locations. The CenterWell/Conviva network at present serves 318,000 seniors in about 300 centers across 15 states. Financial terms of the agreement were not disclosed. In retrospect, they should have done this several years ago. CenterWell release, MedCityNews

Another revival–the Nuro robot vehicle delivery service. Some years back, these driverless cars were envisioned to carry everything from pharmacy deliveries to groceries to prepared food, but the robot vehicles had problematic fully autonomous driving software that proved to be unsuitable for crowded urban areas as well as satisfactorily retrofitting or specially designed EVs. Now in another AI-assisted generation with the R3, about 100 retrofitted Toyota Priuses able to go up to 45 mph will be tested in the California Bay Area in Mountain View, Palo Alto, Los Altos, and Menlo Park. Other vehicles to be upgraded to the new software are from Chinese EV manufacturer BYD, which has become famous for exploding cars in its home market. Timing after the California Motor Vehicle approval now is set for Uber Eats deliveries in test in early fall. TechCrunch

Telemental health fundings continue on a roll with Spring Health. Their $100 million Series E has increased their valuation from $2.5 billion to $3.3 billion. This round was led by Generation Investment Management with participation from existing investors, including Kinnevik, William K Warren Foundation, RRE, and Northzone. Their $71 million Series D was in drought-ridden April 2023. Their total funding now is $466.5 million. Spring Health’s concentration is in mental health support and care management as part of employer benefits and for payers, covering 10 million lives through 450 directly contracted employers, strategic payer relationships, and 27,000 groups that access the solution through a channel partner. As noted in Rock Health’s H1 report [TTA 30 July], the competitive telemental health category still leads by far as the most funded clinical category, with about $700 million in raises, over double that of cardiovascular and oncology, and will likely surpass 2023. Release, Mobihealthnews, FierceHealthcare

Mid-week roundup: UK startup Anima gains $12M, Hippocratic AI $53M, Assort Health $3.5M; Abridge partners with NVIDIA; VillageMD sells 11 Rhode Island clinics; $60 for that medical record on the dark web

It may be a little chilly out, but it feels like Springtime For Early Round Funding and Big Partnerships.

Anima, a London-based startup fresh out of Y Combinator, now has a $12 million Series A raise. It was led by Molten Ventures, with participation from existing investors Hummingbird Ventures, Amino Collective and Y Combinator. Its platform combines online consultation with productivity tools for integrated care enablement in one dashboard for primary care. Their founders position it as a single source for patient truth across care settings, avoiding missed diagnoses. As of today, Anima is deployed in over 200 NHS clinics in England caring for a combined 2 million patients and a monthly request volume of over 400,000 requests. They also claim to halve the time practices spend on coding, processing, and filing documents and resolve 85% of patient inquiries within a day. Shun Pang, co-founder and CEO of Anima, who trained as a doctor at Cambridge University, told TechCrunch, “The entire clinic collaborates in a real-time multiplayer dashboard, like Figma, and can ping cases to each other, and chat with a Slack-like UX.” He also added that Anima’s processing system can “autonomously ingest any document, like handwritten, diagrams, imaging, and output a summary, with structured fields.” Anima has not entered the US market yet. Anima blog/release, Tech.EU

Hippocratic AI raised a jumbo $53 million Series A for what they term the first safety-focused Large Language Model (LLM) for healthcare. AI of course is the hottest funding area in healthcare. With two previous rounds raised in mid-2023, their total funding is $118 million (Crunchbase), creating a valuation estimated at $500 million. Investors were co-led by Premji Invest and General Catalyst with participation from SV Angel and Memorial Hermann Health System as well as existing investors Andreessen Horowitz (a16z) Bio + Health, Cincinnati Children’s, WellSpan Health, and Universal Health Services (UHS). Their product is a novel staffing marketplace where health systems, payors, and others can “hire” auto-pilot generative AI-powered agents to conduct low-risk, non-diagnostic, patient-facing services to help solve the massive healthcare staffing crisis. This is now being released for phase three safety testing with 5,000 licensed nurses, 500 licensed physicians, and the company’s health system partners. Release

San Francisco-based startup Assort Health now has a seed round of $3.5 million to advance its generative AI approach to healthcare call centers. Its goal is to eliminate front desk stress and call center/service holds. Their system in development uses AI and NLP (natural language processing) to understand a caller’s intent, then integrates with the medical providers’ EHR, including Epic, to resolve patient inquiries without human intervention. Funding was led by Quiet Capital (!) joined by Four Acres, Tau Ventures, and a number of angel investors from tech companies. Release

Another generative AI company with a substantial Series C under its belt, Abridge, is partnering with super-hot NVIDIA.  The partnership also comes with undisclosed funding from NVIDIA’s VC arm, NVentures, to add to last month’s $150 million raise. Abridge is developing conversational AI technology using LLM and speech recognition to ease the burden of taking notes during the doctor’s appointment, with fluency in 14 languages across 55 medical specialties. Abridge’s technology is designed to capture clinician-patient conversations and structure the scribing. NVIDIA’s partnership will give Abridge access to NVIDIA’s computing resources, foundation models, and expertise in efficiently deploying AI systems at scale. Release

Another episode in the continuing Walgreens Restructuring Saga has VillageMD selling 11 practices to Arches Medical Partners. The practices are located in the Providence metro area of Rhode Island and consist of three urgent cares and eight offices with a total of 50 physicians and 75,000 patients. It is unusual because it is the first time that VillageMD sold their practices instead of closing the offices, which they are doing with 85 to 90 offices. Transaction cost was not disclosed but closed on 2 March. Arches is based in Cambridge, Massachusetts. They acquired these practices but also deploy software from its wholly-owned technology subsidiary, New Era Medical Operations (NEMO), to enable IPAs to negotiate and manage global risk contracts. Arches release, Becker’s, Crain’s Chicago Business

Wondering why ransomwareistes, their affiliates, and hackers in general are attracted to healthcare? It’s the value of a medical record. Going rates on the ‘dark web’ are now topping $60, according to CNBC’s source, cybersecurity researcher Jeremiah Fowler. By comparison, Social Security numbers are a bargain $15 and a credit card number but $3. It’s also easier to hack than ever due to affiliate relationships termed ransomware-as-a-service or RaaS. The ransomware is supplied, the affiliate hackers do the work, and they share in the rewards–most of the time (see ‘notchy’ being scammed by BlackCat/ALPHV on the Change Healthcare cyberattack TTA 5 Mar). But this doubles or triples the potential for company extortion, with multiple ‘actors’ attacking a company, extorting a ransom, and then keeping healthcare data and selling it through their channels.

The article concludes that healthcare execs need to get very, very serious about protecting their data. Yet this year has marked healthcare downsizing IT departments in order to save money. This is as security software has proliferated–but has to be purchased and managed. Another distressing fact: this Editor only last week attended a major NYC conference on cybersecurity. Healthcare was mentioned only in passing as a market. Worse, not till this Editor questioned a speaker from the floor was the massive Change Healthcare attack even mentioned–and unfortunately she knew more about it than the speaker!

Weekend reading: AI cybersecurity tools no panacea, reality v. illusion in healthcare AI, RPM in transitioning to hospital-at-home, Korean study on older adult health tech usage

A potpourri of current articles. Hope you don’t feel like Pepper the Robot after you read them!

AI won’t boost cybersecurity, that’s cutting corners (Cybernews)

AI tools that make cybersecurity more effective and faster in response are increasingly available. They are estimated in a Techopedia article rounding up multiple studies to be a global market of over $133 billion by 2030. IBM claims that organizations with AI cybersecurity took 100 days less to identify and contain data breaches. Yet AI can also leave organizations more vulnerable to cyberattack. Hackers and ransomwareistes have been using AI for years in phishing and vishing (phone-based social engineering) attacks–now using OpenAI. What’s vulnerable? Large language models (LLMs) used in generative AI (AI with the ability to create content) can be corrupted and fed false information [TTA 7 Feb] or create deepfake images–Google Gemini is the latest example (not in article). FTA: “We need human critical thinking to use AI to solve and prevent problems. We’re adopting AI far faster than we have the ability to understand how to adopt it properly.” Another approach is to think like a cybercriminal and use AI to better understand how criminals can break into your systems.

What is real and what is illusion with healthcare AI? (03:16 video, Healthcare IT News)

This is a preview of a HIMSS24 talk on 11 March by Dr. Jonathan Chen, assistant professor at the Stanford Center for Biomedical Informatics Research. Patient care and outcomes are dependent on discerning what is real and what is not, especially in the use of chatbots in patient notes. Generative AI can be very convincing even if it’s not accurate, and that is not what is wanted in patient care. We are at the Gartner Peak of Inflated Expectations when it comes to AI–and we’ve been there before.

RPM strategies for moving from discharge to hospital-at-home care (Healthcare IT News) 

How can the home be better treated as a fundamental care setting? Understanding this is key to transitioning patients from in-hospital acute care to hospital-at-home, which is in reality not being discharged and requires managing a significant number of complex layers. Interview with Cindy Gaines, RN, chief clinical transformation officer at Lumeon, a clinical automation company.

Tailor fit digital health tech to the elderly’s needs: study (Mobihealthnews)

This summarizes a South Korean study that compared the usage of digital devices, such as smartphone apps, health apps, and wearables, among healthy and pre-frail/frail Koreans aged 65+. Smartphone use is nearly universal in South Korea, but wearables are only lightly used. Frailer respondents used social media more than healthy ones and used more healthcare apps on their phones. From the study: “There was a notable difference in the services used by pre-frail and frail respondents compared to healthy respondents. Therefore, when developing digital devices for pre-frail and frail older adults, it is crucial to incorporate customized services that meet their unique needs, particularly those services that they frequently use.”

505 participants completed the survey, with 153 (30.3%) identified as pre-frail or frail and 352 (69.7%) as healthy. Full study in the Journal of Korean Medical Science 27 November 2023

News roundup: Bright Health now NeueHealth; breached patient records double, RCM as vector for hacking; Amazon’s CCM marketplace; JPM reflects the new reality; fundings for Vita Health, Turquoise, CardioSignal

Bright Health Group switches off, takes on NeueHealth name. Now that Bright Health has sold its remaining operating health plans to Molina Healthcare [TTA 3 Jan] with others closed down or insolvent like Texas [TTA 12 Dec 23], they have smartly pivoted to the name of their remaining value-based primary care operation, NeueHealth. (Inexpensive, too) Accordingly, on 29 January, their NYSE listing will convert from BHG to NEUE. The stock value closed today at $13.25, well down from its 52-week high of $79.04. NeueHealth’s operations are divided into NeueCare, which is comprised of their owned clinics and partnerships with affiliated providers, and NeueSolutions, which is a management services entity that organizes independent providers and physician groups into performance-based ACA Marketplace, Medicare, and Medicaid-based ACOs models, including the advanced performance ACO REACH program which covered 60,000 beneficiaries in 2023. Unsurprisingly, the company HQ is moving from chilly Minneapolis to much warmer Doral, Florida, nearer to three of their major clinic networks and 150,000 of its claimed 275-295,000 ‘health consumers’ forecast for 2023. 2023 revenue forecasts for NeueCare are $250-275 million and NeueSolutions $890 million. They have also stated that the corporate move will not affect jobs remaining in Minneapolis, which may be few.

As to the bills coming due for CMS liabilities and debt owed to New Enterprise Associates now that JP Morgan has been paid…not a word. We continue to hand it to Bright, now NeueHealth, for the Best Gordian Knots in Healthcare. Release, Healthcare Dive

Patient records exposed in data breaches doubled in 2023 versus 2022. According to an analysis by cybersecurity firm Fortified Health Security of HHS’ Office of Civil Rights (OCR), which tracks data breaches, in 2023 there were 116 million patient records exposed, topping the over 100 million of 2015, with over 655 breaches, a decrease from 2022’s peak of 721. Of that 116 million, over 112 million were from three health plan breaches: Anthem, Premera Blue Cross, and Excellus. Ten-year total? A stunning 489 million. What also increased over those 10 years by 143% were breaches stemming from business associates–vendors providing services to the covered entity. The just-published Horizon Report (free, available for download here) also reveals that the average recovery cost for a breach is $9.48 million. And health plans and systems are cutting IT staff? Healthcare Dive

One way that hackers are finding their way into healthcare organizations is via ‘social engineering’, but not always of employees. They’re targeting business associates at revenue cycle management (RCM) companies serving health systems and hospitals. The American Hospital Association is warning members that hackers are cannily evolving their tactics to defeat security procedures such as multi-factor authentication and they have to anticipate hacker tactics. From Becker’s, hackers “steal the identities of revenue cycle employees or other finance staffers, calling IT help desks and correctly answering security questions. They then request to reset their passwords and enroll new devices, getting full access to the employees’ accounts and diverting payments to fraudulent bank accounts.” These are based in the US and then diverted overseas. The AHA recommends at minimum a call back to the employee on these new device enrollments, a call to the person’s supervisor, or as in the case of one health system, a physical appearance at the help desk. AHA article

Amazon enters the chronic care management field through a tried-and-true (for them) vector–e-commerce. Search for a health device like a glucose monitor, a blood pressure cuff, or pulse oximetry, and receive a ‘direction’ to a management service that they may be eligible for at no or low cost through their employer or private health insurance. The kickoff partner with Amazon is chronic care management company Omada Health in the diabetes prevention, diabetes, and hypertension categories. Omada claims 20 million eligible members across 1,900 enterprises. This mode may get better traction with Amazon shoppers than directly providing them with health services such as Amazon Pharmacy, One Medical (primary care), and Amazon Clinic (asynchronous telemedicine). Omada didn’t disclose the revenue model. Omada release, Healthcare Dive

Wrapping up the JP Morgan healthcare conference, the New Reality permeated it, even if some didn’t want to admit it. As this Editor projected back in December, the board is being cleared of the also-rans and never-should-have-beens. You see a general cleansing of the cant and hype infecting a sector, which is initially unnerving. We are cycling through this stage fairly rapidly to emerge…where, we don’t quite know yet. Unlike some other publications, MedCityNews can never be mistaken for an industry cheerleader (even if you have to read between the lines). Their extensive coverage confirmed this emerging view of 2024.

  • Katie Adams didn’t make it to SF for her article on nine JPM takeaways, but she sussed out that life sciences isn’t ready for AI, GLP-1 drugs won’t solve obesity, transactional telehealth for urgent and behavioral care is over, founders are trying to figure out fundraising timelines, and retail clinics are suddenly Not All That. And more.
  • Arundhati Parmar profiled a company–one of all too many–that cycled from high to low–Butterfly Health. They started in 2011 to develop the first point-of-care handheld ultrasonic probe using a semiconductor chip that connected to a smartphone, became a unicorn by 2018, went public via a SPAC in 2021 at over $19, cracked hard, and now trades around $1. Their new CEO used the JPM platform to explain that their 2023 revenue slide wasn’t so bad because they were working their way through the longer-than-they-ever-imagined adoption curve by cutting $200 million in costs out of the company and building up their cash reserve. They may survive, or not, given that competition has names like GE Healthcare, Philips, and Siemens. But their ideas around selling the technology of the semiconductor chip to healthcare companies outside of ultrasound and opening their POCUS to developers (like Apple) are clever. It sounds like a company that could fit into a PE portfolio, if only some wallets and checkbooks opened.

And another marker of the New Reality: Scripps Health in San Francisco, hit hard by a cyberattack in 2021, announced at JPM that they hired Todd Walbridge, recently retired from the FBI as their supervising agent in their San Diego cybersecurity hub, as senior director for corporate and system safety and security. He had worked with Scripps on their cyberattack during his diverse career with the FBI. Mr. Walbridge is not only in charge of cyber, but also of physical security as workplace violence and assaults on staff have soared. FierceHealthcare

And we’ll wind up with some fundings, modest ‘green shoots’ in winter:

  • Vita Health, based in Connecticut, secured $22.5 million from seven investors for their suicide prevention and therapeutic telehealth platform. A 2022 seed raise totaled $8.38 million. Release, Mobihealthnews
  • Turquoise Health, based in San Diego, gained a $30 million Series B investment from four investors for expansion of its healthcare pricing platform used by 160 healthcare organizations. 2021-22 seed and Series A raises totaled $25 million. Price transparency is a 2024 hot button issue from government to enterprises to payers. Release, FierceHealthcare  
  • CardioSignal raised another $10 million in a Series A from three investors, bringing total funding to $23 million. Based in Finland and Palo Alto, CardioSignal uses a smartphone’s accelerometer and gyroscope sensors to analyze precordial micro-vibrations caused by cardiac motion. The initial analysis is completed in one minute and after a transfer to their cloud site for additional analysis, is returned in about one minute. Release, Mobihealthnews

New York State drafting proposed cybersecurity regulations for hospitals, allocates $500M for upgrades

New York State is imposing new regulations that would establish cybersecurity policies and procedures for hospitals in the state. According to the NYS release, “hospitals will be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.” The draft regulations, announced last week, will be published by the Department of Health on 6 December, and will complement existing Federal standards under HIPAA. 

The proposed regulations will mandate:

  • Response plans to a cybersecurity incident
  • Notification to appropriate partners
  • Testing of response plans to ensure continuity of patient care while systems are restored to normal operations
  • Written procedures, guidelines, and standards to develop secure practices for in-house applications
  • Policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital
  • Multi-factor authentication (MFA) implemented to access internal networks from outside networks
  • Establishment of a Chief Information Security Officer (CISO) if one doesn’t exist presently in order to enforce the new policies, plus annual reviews and updates 

The draft regulations are scheduled to be published on 6 December with a 60-day public comment period ending on 5 February 2024. After the finalization and adoption of the new regulations, hospitals have exactly one year to comply.

Included in the state’s FY24 budget is $500 million in funding for modernization of clinical tech, cybersecurity tools, EMRs and other technological upgrades. They will be part of an upcoming statewide capital program call for applications to improve quality of care, patient experience, accessibility, and efficiency. Given the size of NY state and number of hospitals, plus the time frame, this fund may be spread thin indeed. NYS release, MedCityNews

This Editor attended the Official Cybersecurity Summit New York 2023 last Friday, with a security briefing by NY State’s deputy chief cyber officer for operations, Jesse Sloman. He described the overall strategy of the state agency, the first ever, as building a unified, resilient, and prepared cybersecurity strategy across all agencies in the state, with a single point for operations including law enforcement, military, transportation, and of course healthcare. Certainly, internally instigated breaches, ransomware attacks, DDOS, and nation-state/transnational cyberattacks by Russian ransomwareistes like CLOP are expensive. He quoted a five-year loss of $27.6 billion with 3.2 million complaints–with 2022 alone costing $10.3 billion.

What’s his biggest concern? A multi-state, multi-sector geopolitical event that threatens multiple operations.

Mid-week roundup: Colorado terms Friday Health Plans; Cano 3 continue to savage board; Amazon Pharmacy layoffs; hacking attacks: QuickBlox, Barts Health; Phreesia buys MediFind; financing pops for K Health, Amino

Colorado liquidates, terminates insolvent insurtech Friday Health Plans. The Colorado Division of Insurance (DOI) had placed it into receivership in June after the company declared it would close, unable to find funds to operate its plans. On Monday, the DOI moved to liquidate its operations and terminate the plan effective 31 August. Their 30,000 policyholders on individual Affordable Care Act (ACA) exchange plans will be scrambling to find new coverage. In the receivership move, DOI had hoped that Friday had enough funds to keep the state plan solvent through end of year, but they did not. According to the Colorado Sun, Friday still owed unpaid Federal taxes as well as roughly $2 million in fee payments to the state’s insurance exchange, Connect for Health Colorado, which left the DOI without much hope. Friday had previously just about shut down its headquarters in Alamosa. This leaves not only 30,000 individuals scrambling, but also out eight months and perhaps thousands of dollars in deductibles as these plans tended to be high deductible. Colorado DOI opened a special enrollment period (SEP) for Friday policyholders and insurance brokers starting immediately through 31 October.  Providers are protected somewhat through the state’s Colorado Insurance Guaranty Association but many stopped taking Friday-covered patients last month. Friday’s crash-and-burn is the worst example of an insurtech’s demise to date and not promising for policyholders in other states such as Texas, Georgia, Oklahoma, and Nevada. Healthcare Dive

The Cano 3 attack in the continuation war with the Cano Health board. In the latest episode of this telenovela, resigned directors Barry Sternlicht, Elliot Cooperstone, and Lewis Gold, who among them have about 35% of the company’s shares, are still supporting interim CEO Mark Kent but pressing hard to oust three of the directors reelected at the last shareholder meeting, including Marlow Hernandez, the founder and former CEO. What’s new is that they have declared war on Sol Trujillo as chairman and Angel Morales as chair of the audit committee as allies of Dr. Hernandez. In addition to divesting five directors and the interim chief legal officer plus ending their high monthly equity awards, they support divesting non-core assets. Mark Kent will have to be Clark Kent ducking into the phone booth to succeed in this. Press release  Mr. Sternlicht cannot be in a good mood, as Starwood Capital Group is in default on a $212.5 million mortgage on an Atlanta office property, Tower Place 100, in the continuing souring of the commercial real estate market. Fortune

Amazon Pharmacy has laid off 80 employees, mostly pharmacy technicians and team leaders, in continuing cutbacks there. This is the former PillPack. One would think that it would be expanding based on the growing medical needs of One Medical and Amazon Clinic. As for the latter, which was to roll out nationally today but was questioned on data privacy grounds, as of today there is no update announcement. To date, Amazon has released an amazing 27,000 workers. Semafor, Becker’s

Cybersecurity also racked up some hacks in the past week or so:

  • A popular software framework used in telehealth and financial applications, QuickBlox, was found to have several critical security flaws. The QuickBlox SDK (Software Development Kit) and API (Application Programming Interface) that are used for developing chat and video applications had a vulnerability that let researchers take over multiple accounts, compromise the user database, and extract PHI. The vulnerability also permitted a hacker to impersonate a physician or patient and alter health records. The flaws were reported by the Team82 and Check Point Research (CPR) teams but have since been fixed. Blow-by-blow with screenshots in Cybersecuritynews and overview in Becker’s.
  • Barts Health NHS Trust was hacked by BlackCat, a/k/a ALPHV. What was stolen was about 70 terabytes of data, which BlackCat claims as the largest breach in UK medical history. ALPHV listed the stolen data, including employee identification documents, including passports and driver licenses, and internal emails labeled “confidential”, around 30 June. Barts runs five London-based hospitals and serves more than 2.5 million patients. The Barts Health hack adds to NHS misery with an earlier attack on a University of Manchester NHS dataset with information on 1.1 million patients across 200 hospitals. The same CLOP Russian ransomware gang that got Johns Hopkins [TTA 19 July] also got Ofcom, the UK’s communications regulator.  TechCrunch

Yes, there is good news in M&A and funding:

Phreesia is buying MediFind. No purchase price or management transition was disclosed. Phreesia is a patient intake platform that grew from a tablet used in practices for scheduling and patient check-in to a fully featured platform for workflow, claims, outreach and patient education. MediFind uses machine learning and analytics to connect patients with leading experts, clinical trials, health systems, and healthcare technologies. Phreesia is one of the few 2019 vintage IPOs to not crater–it’s trading on the NYSE at above $32 though as recently as end of 2021 its share price was double. Phreesia release.

K Health gained an unlettered venture round of $59 million from Cedars-Sinai, its new partner, plus current investors, including Valor Equity Partners, Mangrove Capital Partners, and Pico Venture Partners. This brings funding for this Israeli company to $330 million through a Series E. K Health’s platform uses a chat function that pre-screens patients with symptoms, uses AI to suggest possible diagnoses based on that person’s medical history, age, and gender, and will connect with a doctor or nurse if needed–which sounds somewhat like Babylon Health and Zipnosis. The chat can be used for primary care, some pediatric areas, urgent and chronic care management. K Health claims that 10 million individuals have interacted with K Health’s AI, and 3.1 million patients in 48 states have chatted with a doctor or nurse. FierceHealthcare

Amino, a navigation platform, received $42 million in credit financing from Oxford Finance. This was the final part of its $80 million venture raise in May. Amino connects physical and mental healthcare providers and benefits programs with members at self-insured employers and health plans, managed by third-party administrators, brokers, and human resources. Members access recommendations for providers and relevant benefits. Amino’s total funding is $125 million, mostly in venture rounds. Its last letter round was a Series C in 2017. It’s a busy sector with similar companies like Accolade, Rightway, and Transcarent.  Mobihealthnews

Who’s buying, selling, funding wrapup: athenahealth IPO deux?, NextGen EHR buys reseller TSI for $68M, Cloudwave buys Sensato; fundings for Lumen, UpStream, Aide Health

athenahealth may go public a second time. This was teased by CEO Bob Segert in the Boston Globe (paywalled) earlier this week. He claimed in the article that since the company went private in 2019, they have added nearly 2,000 clients each year of the past three and that revenues are in the billions. Healthcare IT News recaps some of their moves from going from public to private and downsizing to today. Their other news is that they have instituted a clinical advisory board of 30 members (!) to provide feedback and guidance on clinical features and direction to athenahealth’s product team. One hopes that the sharper members advise a change in the first letter of their name from the oh-so-twee lowercase to an uppercase ‘A’. 

NextGen Healthcare, an EHR/EMR and revenue cycle management software provider for medical/dental practices, is acquiring reseller partner TSI Healthcare. The agreement is for $68 million in cash upfront, with a contingent consideration of up to $22 million in cash if TSI meets certain goals by March 2025. TSI has been a NextGen reseller for 16 years. The acquisition will enable NextGen to expand in key specialties including rheumatology, pulmonology, and cardiology. No mention is made of management or staff transition, nor of SEC review as NextGen is a publicly traded company on Nasdaq. Hat tip to HISTalk 2 Dec. Release, BusinessJournals Triangle

Massachusetts-based Cloudwave is acquiring Sensato Cybersecurity to increase cybersecurity capabilities. Cloudwave provides cloud services hosting with cybersecurity capabilities exclusively to healthcare organizations. Sensato adds cybersecurity-as-a-service (CaaS) to manage security needs, determine where security gaps are, and provide threat intelligence. Transaction price and details were not disclosed, but Sensato’s founder John Gomez will join CloudWave as chief security and engineering officer. Healthcare IT News

Cybersecurity continues to be top-of-mind for healthcare organizations. The latest Big Data Breach at CommonSpirit Health system hospitals got even worse, with the third-party breach of an undisclosed number of patient records at their Franciscan Health hospitals in September and October. This followed the ransomware attack on other CommonSpirit system hospitals’ EHRs in October. Healthcare IT News

As we near the end of the year, funding is wrapping up with a flurry in some surprising areas such as optimizing metabolism and care coordination for chronic conditions, reducing burden on primary care practices/GPs. One is for an early-stage company in the UK for the latter.

  • Lumen’s $62 million Series B was led by Pitango Venture Capital with Hanwha Group and Resolute Ventures.   Lumen measures metabolism via a handheld, breathalyzer-like device equipped with a CO2 sensor that analyzes whether the body is burning fats or carbs for fuel which can promote weight loss, energy for fitness, and sleep. With that data, the app delivers to users personalized meal plans and nutrition along with when to eat. The new funding will be used to expand these nutrition and lifestyle coaching services. The device is sold direct to consumers, with the app services sold on a SaaS basis: three yearly plans with a range of services from $249 to (on sale) $349.  Mobihealthnews, MedCityNews
  • Another Series B raise of $140 million went to UpStream, for total funding of $185 million. UpStream is in the decidedly unsexy area of care coordination, workflow, and financial platform technology for groups of advanced primary care practices enrolled in value-based full-risk care models, most of which are centered around Medicare and Medicare Advantage. They also deploy pharmacist-led care teams into primary care practices. Their platform and services are free to the practice, with a risk-sharing agreement that pays UpStream through savings (upside risk) but also holds them accountable if savings are below the benchmark (downside risk). Practices are paid on quality during the performance year versus having to wait for CMS to pay in Q3-4 of the following year. This is an MSO (management services organization) ‘in a box’ versus organizing ACOs that is mainly technology-based, a new wrinkle for this Editor who used to be in marketing this area. MedCityNews, Mobihealthnews
  • Aide Health is a clinician-to-patient platform for better management of chronic conditions now bolstered with £1 million in pre-seed funding. Founded by Ian Wharton, CEO, and Brian Snyder, COO, the platform measures physical, mental, and social wellbeing markers for more proactive care. Aide is piloting with the NHS for asthma or Type 2 diabetes with a cohort aged 18 to 75.  Funding was led by Hambro Perks through its EIS fund, with participation from Fuel Ventures, 1818 Ventures, and APX. BusinessCloud (UK)

News roundup: cybersecurity benchmarking study, Tyto Care’s Home Smart Clinic, Long Island’s $2.6B life sciences hub, Singapore’s Speedoc raises $28M, NantHealth’s sinking feeling, Hims & Hers revenue up 95%

Censinet, the American Hospital Association (AHA), and KLAS Research announced at industry confab CHIME22 Fall Forum a benchmarking study on health system cybersecurity. The study, currently enrolling hospital and health system participants, according to the release will enable a comparison of cybersecurity investments, resources, performance, and maturity to peer organizations across key operational cyber metrics. It will also cover NIST Cybersecurity Framework (NIST CSF) and Health Industry Cybersecurity Practices (HICP). Censinet provides healthcare risk management solutions, consolidating enterprise risk management and operations capabilities. Hat tip to HISTalk 9 Nov.

TytoCare’s latest is the rollout of the Home Smart Clinic, a platform that combines TytoCare’s FDA-cleared handheld for remote physical exams; Tyto Insights, their AI-powered diagnostic support that aids diagnosis in remote physical exams; Tyto Engagement Labs, a suite of user engagement services including behavioral science-backed blueprints, consulting services, and marketing tailored to each specific program and cohort; and support for multiple provider models and different patient populations. The new platform is targeted to health plans and providers. Release (Yahoo)

Long Island NY’s proposed Midway Crossing project, creating a life sciences hub in quaintly named Ronkonkoma, would cost about $2.55 billion, but create an estimated 4,300 science, technology, engineering, and healthcare positions. They’d also be lucrative, with salaries mostly well over $100,000 a year. The proposal was authored (sic) by Michael Dowling, president of Northwell Health, and James Hayward, PhD, president and CEO of Applied DNA Sciences, and appeared in Newsday (paywalled). Its 179 acres would include a STEM educational center, research labs, biotech manufacturing facilities, health care offices, a hotel and convention center plus connect to the LIRR and Long Island-MacArthur airport. While approved by local authorities, it now needs funding. Becker’s

Traveling to the far Pacific…Speedoc, a home health company based in Singapore, raised $28 million. Speedoc offers app-based video consults and home visits, non-emergency ambulance transport, and remote monitoring for several chronic conditions. It is available in nine cities in Singapore and Malaysia. According to Mobihealthnews, it is also one of the technology partners for the two-year pilot of the Mobile Inpatient Care@Home initiative by the Ministry of Health’s Office for Healthcare Transformation. The pre-Series B funding round was led by its new investors Bertelsmann Investments, Shinhan Venture investment, and Mars Growth. Vertex Ventures Southeast Asia & India, which led its $5 million Series A funding round in 2020, also participated. 

Our Readers with very long memories will remember that transformative health darling, NantHealth. This Patrick Soon-Shiong NantWorks company, originally in genetic sequencing for cancer research, was caught en flagrante in a ‘pay to play’ scheme with the University of Utah funding NantHealth and providing data that would prove useful to other Soon-Shiong companies [TTA 18 April 2017]. It’s long since pivoted to payer/provider data solutions (NaviNet). What’s not improved is their bottom line. It lost $13.7 million, or $0.12 cents per share, increasing loss by 26% from 3Q 2021. Shares on NasdaqGS are trading at $0.31. Yahoo!Finance/SimplyWallSt. Another tip of the cap to HISTalk 9 Nov.

And who said all of telehealth is suffering? Online direct-to-consumer marketer Hims & Hers posted a third consecutive $100 million+ quarter in revenue. Their Q3 revenue was up 95% versus Q3 last year, reaching $144.8 million. They also gained 70,000 new online subscribers for a total of 991,000, up 80% year over year. Q4 guidance is up to $159 million to $162 million, with a full-year revenue forecast of $519 million to $522 million. And yes–they’re profitable. Their embarrassing TV spots notwithstanding, they seem to have found The Magic Formula. FierceHealthcare

Weekend reading: HHS Office of Information Security presentation on security risks in AI, 5G, nanomedicine, more

Earlier this month, the US Department of Health and Human Services (HHS) Office of Information Security’s Health Sector Cybersecurity Coordination Center issued a presentation/paper that discussed the cybersecurity risks for healthcare organizations in implementing artificial intelligence, 5G cellular, nanotechnologies in medicine (nanomedicine), ‘smart hospitals’, and quantum computing.

Each area is defined, benefits listed, and then security concerns.

Highlights of the cybersecurity risks:

  • AI: requires very large collections of data in order to learn; privacy and security concerns regarding personal health information (PHI); de-identified data can be re-identified (as TTA posited several years ago!)
  • 5G overlaps with IoMT (internet of medical things) tech: both devices and data need to be secured end-to-end as they connect to the network and on devices themselves; design and implementation of the software in medical devices should include a specification of cybersecurity features and validation of those features; regular updating needed
  • Nanomedicine: remote connectivity leading to ransomware and the disruption of nanotechnology devices with theoretically fatal consequences; weaponized inhalable particles as a delivery system for bioterrorism
  • Smart hospitals: an expanded attack surface; considerations same as above; resilience and continuous monitoring critical
  • Quantum computing: affects all cryptographic algorithms, requiring review and updating of those that are part of information infrastructure

Emerging Technology and the Security Implications for the Health Sector (34 slides)  Also Becker’s Health IT

Week-end news roundup: Fold Health launches OS ‘stack’; admin task automator Olive cuts 450 workers; 38% of UK data breaches from cyber, internal attacks; hacking 80% of US healthcare breaches; does AI threaten cybersecurity?

Startup Fold Health launched this week. It’s developed a suite of modular tools that are interoperable with existing EHRs or platforms to enable them to work better, together. Fold’s main claim is to “move primary care beyond the constraints of a 15-minute visit and provide a revolutionary consumer first experience through micro, automated workflows and campaigns of care.” There is an athenahealth connection, in that the founders were from Praxify, a virtual assistant/patient engagement app bought by athenahealth for $65 million in 2017. It has a $6 million seed investment from athenahealth. FierceHealthcare

On the other side of the funding mountain,  Olive, an AI-enabled data cruncher that automates routine administrative healthcare processes such as revenue cycle management, has pink-slipped 450 employees, about one-third of its staff. In a letter to employees excerpted in Axios, Olive cites ‘missteps’ and ‘lack of focus’. It follows hiring freezes, major staff departures, and overpromising/underdelivering, including not using AI or machine learning for automating tasks, featured in an April Axios investigation. Olive has gone through over $850 million in nine rounds of funding (the last July 2021, Series H–Crunchbase). FierceHealthcare

Cyber attacks with internal breaches account for 38% of UK organizations’ (of all types) data losses in 2022. This is based on the Data Health Check survey of 400 IT decision makers compiled by Data Barracks, a cloud-based business continuity organization. The second and third reasons for data loss are human error and hardware failure. Of those surveyed, over half have experienced a cyber attack, most commonly caused by ransomware. 44% paid the ransom, 34% didn’t and used backups. Their recommendations include frequent backups and keeping track of how many data versions–both will minimize downtime and data loss. Release, full report

By contrast, returning to the US and healthcare, malicious hacking activity accounts for nearly 80% of all breaches. Fortified Health Security’s mid-year report on the state of healthcare cybersecurity, reviewing HHS Office for Civil Rights (OCR) data,  noted that in first half 2022:

  • Healthcare data breaches primarily originated at providers– 72%. The remainder were at business associates at 16% and health plans at 12%.
  • The number of records affected was 138% higher than the first half of 2020 at over 19 million records
  • Breaches were concentrated in relatively few organizations: Seven entities experienced breaches of more than 490,000 records each, in total 6.2 million records or 31% to date.  
  • OCR’s data breach portal recorded 337 healthcare data breaches that each impacted more than 500 individuals, a small decline from 2021’s 368
  • Hacking incidents rose to 80% from 72% in 2021. Unauthorized access/disclosure incidents totaled 15%; loss, theft, or improper disposal accounted for only 5 percent of breaches.
  • AI and ML-enabled security offerings can bolster cyber infrastructure. Organizations should also look at how IT staff shortages impact their planning and security.    HealthITSecurity

Can AI (and machine learning-ML) lessen breaches–or open the door to worse problems, such as algorithmic bias, plus data privacy and security concerns? Vast quantities of data pumped through AI or ML algorithms are harder to secure. If the algorithms are built incorrectly–such as eliminating or underrepresenting certain populations–what comes out will be skewed and possibly misleading. In the Healthcare Strategies podcast, Linda Malek of healthcare law firm Moses & Singer, who chairs their healthcare, privacy, and cybersecurity practice group, discusses the problems. She suggests some best practices around transparency, security, privacy, and accuracy when developing an AI algorithm, including collecting as much data as possible, and as diverse as possible, for accuracy. Additionally, the design should incorporate privacy and security from the start. HealthcareExecIntelligence

Predictions, predictions for telehealth, digital health, and all those cybersecurity risks

January is the month for predicting what’s ahead, and while this Editor has no pretensions to be Sibyl the Soothsayer despite the picture, let’s look at what others see in their cloudy crystal balls.

Frank McGillin, CEO of The Clinic by Cleveland Clinic, works intensively with telehealth in this joint venture between Cleveland Clinic and Amwell. His prediction: telehealth will evolve towards concierge care, as providers reduce “platform sprawl”, coordinate the virtual care experience, and provide multidisciplinary virtual care.

  • Telehealth is now “a permanent mode of access”, though the pandemic created “platform sprawl” as providers reached for any and all modes and providers which could be implemented quickly
  • Healthcare providers and plans now have to scale back and reconcile all this to “design a digital trajectory with intention”
  • This means developing a personalized approach to telehealth delivery and to provide a seamless, highly coordinated care experience
  • Their approach is to focus on multidisciplinary virtual visits and case analysis for patients with complex conditions, such as their Virtual Second Opinions program for conditions such as brain tumors and prostate cancer.
  • Virtual multidisciplinary support reduces the risk of suboptimal treatment plans and can eliminate long travel times and exposure to COVID-19 for vulnerable patients. For payers and employers, this can add up to better outcomes and reduced cost of care.
  • “Intelligent” remote monitoring also removes another layer of risk in providing the right care at the right time
  • Continuation of relaxed interstate licensure requirements is needed to provide fast access to medical experts, particularly for primary care providers.

Interview with Healthcare IT News 

Healthcare Dive has been running a series on industry trends, and this installment focuses on digital health.

  • Healthcare will become more predictive and proactive, with insights fed by connected devices and analytics (commonly lumped under AI) that enable organizations to collect, analyze, and act on massive amounts of data.
  • But algorithms don’t have judgment and data can have bias, leading to poor decisions, such as the distribution of vaccines. Expect more oversight from the Federal level down on AI research and policymaking.
  • Virtual care will continue to grow in virtual diagnostics, patient-reported outcomes applications, and digital homecare platforms
  • Telehealth and digital health are integrating into the traditional delivery and payment model–partnerships with health systems, payers, and employers.
  • Virtual care access is booming in niche areas such as women’s health, hospital at home, and mental health, with investment dollars flowing in. Telemental health is moving into consolidation.
  • Cybersecurity will become more of a focal point for healthcare companies in 2021, with hackers finding their way into all these contact tracing apps designed in a hurry, plus digital health systems, many of which are poorly protected. Targeted attacks have skyrocketed.

And speaking of cybersecurity, over at HealthITSecurity, they rounded up the experts to opine on All Those Security Risks that fast implementation of telehealth and moving devices out of the hospital walled garden have created. Remote patient management is now an asset, no longer a ‘nice to have’, for providers, setting up a situation where patients are increasingly both the beneficiaries of more convenient health delivery and victims of security breaches and ransomware.

  • ‘Out of hospital’ care means that data is being transmitted between multiple points. Network security isn’t guaranteed. So attacks can originate at the weak points–either the home or hospital environment.
  • The fast implementation of telehealth during the pandemic meant not only did systems not work together well, it also meant multiple points of vulnerability
  • Over 80% of surveyed healthcare providers globally harbor concerns about data security and privacy (Kaspersky/Arlington Research). And a shocking 70% admitted that their practice used outdated legacy operating systems, exposing them to security vulnerabilities.
  • “A culture of security” means maintaining endpoint security and BYOD policies across the organization’s network, identity management and zero trust tactics, and yes, security consciousness on patients’ parts.
  • Patients should not be responsible for security, providers partly, which leaves the responsibility with the vendor. But healthcare organizations are responsible for evaluating their vendors, and how they are interacting with and storing their data.  

Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reported that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices, continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

Do Huawei and ZTE present security threats to the US and global communications networks? The FCC says yes.

In two little-noted decisions formally announced yesterday (30 June), the Federal Communications Commission (FCC) banned the funding by the FCC Universal Service Fund (USF) of the purchase or use of equipment or services provided by China’s Huawei and ZTE. The USF funds rural internet, Lifeline for low-income consumers, Indian Tribal initiatives, schools and libraries, and the Rural Health Care program–a substantial part of the national network which will also discourage private companies from use of their equipment as Verizon, Sprint, et al participate in these programs.

Both Huawei and ZTE have been found by the US government–and many others–to be extensively tied to the Chinese government and military, obligating these two companies to permit their systems to be used for espionage, plus numerous known cybersecurity risks and vulnerabilities in their equipment. Other national governments have felt likewise including the UK, which is reevaluating its former permission for their participation in the 5G rollout. FCC release, Huawei order, ZTE order, ZDNet (UK)

DARPA’s $5.1M contract with Kryptowire to develop passive smartphone health monitoring, predictive analytics

Truly unobtrusive health monitoring on the horizon? The Defense Advanced Research Projects Agency (DARPA) has contracted with cybersecurity firm Kryptowire to develop a health monitoring and analytics app to assess the health and readiness of warfighters (to us civilians–soldiers, sailors, airmen, and Marines) especially in the field. The WASH program–Warfighter Analytics using Smartphones for Health–will use the data from smartphone sensors like microphones, cameras, pedometers, thermometers, and accelerometers (see DARPA illustration, left above). Through sensor-based information, physiological and cognitive symptoms can be captured and analyzed.

Based on their information, most of the assessment will be passive rather than actively diagnostic, and with an emphasis on predictive health and a real-time approach to disease detection and biomarker identification. Part of the challenge will be to filter out the ‘noise’–extraneous information also captured by these sensors on a daily and extraordinary basis. Security, of course, is a major concern. (Where better than to award the app development to a cybersecurity company?)

DARPA is fond of commercializing its technologies (remember something called DARPANET?) so this is planned for commercial release in due time. Usage in clinical trials is an area mentioned. One day we may all be wearing smartphones which unobtrusively monitor our health and positive behaviors. (I’ll leave it to our Readers to say Yay or Nay to this notion.)

The award is for $5.1 million. A development timeframe is not mentioned. Business Wire, DARPA WASH page, HealthcareITNews, Daily Mail (which amusingly tries to paint this as a spy program through an ACLU representative quote).

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care settings. Blue Cedar is securing the app through their patented code-injected technology which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts‘ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Ericsson report: will 5G close the healthcare gap from hospitals into the home?

Ericsson, one of Europe’s leading telecom companies, earlier this month published its latest ConsumerLab report, “From Healthcare to Homecare” on the next generation of healthcare enabled by the greater speed and security of 5G–the fifth generation of wireless mobile. Their key findings among consumers and industry decision makers contained surprises:

  • Growing frustration with hospital wait times. 39 percent prefer an online consult with a doctor versus waiting for the face-to-face.
  • Wearables are perceived as better ways to monitor and even administer medication for chronic conditions–nearly two in three consumers want them. But medical grade wearables will be required.
    • Yet the current state doesn’t lend itself to these wishes. “55 percent of healthcare decision makers from regulatory bodies say these devices are not sufficiently accurate or reliable for diagnosis. In addition, for liability reasons it will be very difficult to rely on patients’ smartphones for connectivity….medical-grade wearables will be required. Such devices could also automatically dispense medicine and offer convenience to those recovering from surgery.”
  • +/- 60 percent of surveyed consumers believe that wearables will improve lifestyles, provide personalized care, and put people in control of their own health.
  • There are real security concerns that 5G is expected to address: “61 percent of consumers say remote robotic surgery is risky as it relies on the internet….47 percent of telecom decision makers say that secure access to an online central repository [of medical records] is a key challenge and expect 5G to address this.” Surprisingly, only 46 percent of cross-industry decision makers consider data security to be an issue. Battery power is also a significant concern for over half in wearables, a problem that over 40 percent believe will be helped by 5G.
  • Even more surprising is the lack of desire for consumer access to their medical records–only 35 percent of consumers believe that it will help them easily manage the quality and efficiency of their care. In contrast, 45 percent of cross-industry experts consider the central repository as a breakthrough in healthcare provisioning.

Decentralizing care into the home is seen as worthwhile by a majority of industry decision makers 
