Politico: massive hacking of health records imminent

July 2, 2014 | by

Politico is a website (and if you’re in Foggy Bottom-ville, a magazine) much beloved by the ‘inside government’ crowd and the media ‘chattering classes’. With some aspirations to be like Private Eye but without the leavening sharp satire, the fact that they’ve turned their attention to–gasp!–the potential hackathon that is health records is amazing. They mention all the right sources: Ponemon, HIMSS, the American Medical Association, BitSight, AHIMA. In fact, the article itself may be a leading indicator that the governmental classes might actually do something about it. This Editor applauds Politico for jumping on our battered Conestoga wagon with the other Grizzled Pioneers. We’ve only been whinging on about data breaches and security since 2010 and their researchers could benefit from our back file.

And speaking of 2010, the Department of Health & Human Services (HHS) is doing its part to close the budget deficit by collecting data breach fines–$10 million in the past year. A goodly chunk will be coming from New York-Presbyterian Hospital/Columbia University Medical Center: $4.8 million for a 6,800 person breach (iHealthBeat) where sensitive records showed up online, readily available to search engines. And yes, we covered this back on 29 Sept 2010 when breaches were new and hushed up. Politico: Big cyber hack of health records is ‘only a matter of time’

Oddly, there is nary a mention of Healthcare.gov.

HHS draft report on health IT framework published

April 5, 2014 | by

Another part of the 2012 FDA Safety and Innovation Act (FDASIA) clicked into place with the US Department of Health and Human Services (HHS) publishing a draft report proposing strategy and recommendations for what is rather grandly termed a “health IT framework”. Basically it defines more unified criteria, based on risk to the patient and function of what the device does, not the platform (mobile, software, etc.). It then separates products into three broad categories. Excerpted from the FDA release and the FDASIA Health IT Report:

  1.  Products with administrative health IT functions, which pose little or no risk to patient safety and as such require no additional oversight by FDA. Examples: billing software, inventory management.
  2. Products with health management health IT functions. Examples: software for health information and data management, knowledge management, EHRs, electronic access to clinical results and most clinical decision support software. This will be coordinated largely by HHS’s Office of the National Coordinator for Health IT (ONC) as part of their activities (including their current voluntary EHR certification program), but the private sector is also cited in establishing best practices.
  3. Products with medical device health IT functions, which potentially pose greater risks to patients if they do not perform as intended. Examples: computer-aided detection software, software for bedside monitor alarms and radiation treatment software. The draft report proposes that FDA continue regulating products in this last category. (Illustration on page 13 of report.)

The report also recommends the creation of a public-private entity under ONC, the Health IT Safety Center, which “would serve as a trusted convener of stakeholders and as a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.” The private sector is duly noted as a ‘stakeholder’.

The report was developed by FDA “in consultation” with ONC and, not unexpectedly, the Federal Communications Commission (FCC). Another recommendation (page 28) is the establishment of a ‘tri-Agency memorandum of understanding (MOU)’ to further determine their working relationship in this area. There’s a 90 day comment period on the 34 page report, which is perfect for weekend reading (!) How this onion will eventually be peeled, rather than quartered, remains to be seen, as does anything emanating from Foggy Bottom.  FDA release. Report. FierceMobileHealthcare.

Update 8 April: A good summary of criticism and approval of the framework to date appears in iHealthBeat from the California Health Care Foundation. The two US Senators sponsoring the PROTECT Act [TTA 28 Feb, 6 Mar] stated there is still too much regulation of low-risk technologies, and Bradley Thompson of Epstein Becker/mHealth Regulatory Coalition believes the report is weak on the issues around clinical decision support software. With praise: HIMSS, Health IT Now Coalition and ACT, which claims to represent about 5,000 mobile application developers and IT firms, but has no locatable website.

Previously in TTA: FDA finally issues proposed rule simplifying medical device classification

FCC sharply elbows up to the mHealth regulatory table

March 6, 2014 | by

That other three-letter agency, the Federal Communications Commission (FCC), which has shown a distinctly competitive face versus the FDA on Federal healthcare tech policy over the past three years and more, has formed–drum roll–a task force to examine adoption of wireless technologies by health care organizations. Connect2HealthFCC will “identify regulatory barriers and incentives to expand the use of wireless health technologies; and strengthen partnerships with stakeholders in the telehealth and mobile health industries.” If this an accurate statement of the task force’s purpose, the parade not only has gone by, but it’s also three counties away. Yet going back in our files, this Editor notes that the FCC has vigorously fenced not only with the FDA, but also with HHSNIH, NIST and Congress for its place in the Federal HIT regulatory firmament. With issues such as ‘net neutrality’, wireless bandwidth and rural broadband, the FCC has a heaping healthcare helping on its plate just in assuring national access and removing conflicts in frequency demands by devices. However, the task force is headed by Michele Ellison, lately the FCC’s top regulatory enforcer with, as The Hill notes, 6,000 actions under her belt. In Foggy Bottom, things are never what they seem. iHealthBeat

US, UK agreement on HIT

January 25, 2014 | by

Edited from the HHS releaseUS Health & Human Services (HHS) Secretary Kathleen Sebelius and UK Secretary of State for Health Jeremy Hunt on Thursday 23 January signed a bi-lateral agreement for the use and sharing of health IT information and tools. The agreement strengthens efforts to cultivate and increase the use of health IT tools and information designed to help improve the quality and efficiency of the delivery of health care in both countries.  The two Secretaries signed the agreement at the Annual Meeting of the HHS Office of the National Coordinator (ONC) for Health Information Technology. It concentrates on four key areas identified at the joint June 2013 summit:

  • Sharing Quality Indicators
  • Liberating Data and Putting It to Work
  • Adopting Digital Health Record Systems
  • Priming the Health IT Market

Collaboration efforts will be showcased at the Health Innovation Expo conference at Manchester Central 3-4 March (two weeks before HC2014) and the Health Datapalooza on 1-3 June in Washington, DC. A possible good sign for telehealth as there’s a great deal of mention of ‘preventive interventions’, ‘accessing and sharing data’ and the ‘health IT marketplace’.

Full memorandum of understanding text here. Also iHealthBeat.

Data insecurity in Obamacare insurance exchanges (US)

October 8, 2013 | by | 2 Comments
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”175″ /]The warning that should appear as the main page of 50 state health exchanges.

Subsumed under the ‘government shutdown’ (affecting in reality a distinct minority of Federal government employees) is the significant concern that the state-based online exchanges now selling individual insurance, effective 1 Jan 2014, much trumpeted under the Affordable Care Act and baked into it two years ago, already present significant vulnerabilities in securing the vital data of millions: Social Security number, date of birth, addresses, tax and earnings information. These state-based exchanges are also dependent on information from a Federal data ‘Hub’ which “acts as a conduit for exchanges to access the data from where they are originally stored.” (HHS Office of Inspector General report August 2013, page 2) If improperly secured, this opens up other Federal agencies to further upstream identity theft mayhem.

Already information is in the hands of thousands of call center staff and so-called ‘navigators’ who may or may not have gone through security verifications. Insurance customer information has already leaked outside of exchanges (see below). (more…)

Telehealth Soapbox: Medical device tax finally under fire; implications many (US)

September 26, 2013 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/09/gizmodo-the-top-10-rube-goldberg-machines-featured-on-film-rube-goldberg.jpg” thumb_width=”180″ /]A key part of the Rube Goldberg (or Heath Robinson)-esque funding of the Accountable Care Act (ACA, a/k/a Obamacare) is a punitive medical device tax of 2.3 percent levied on gross sales (not profits) of hip, knee, cardiac implants, many dental materials, diagnostics such as scanners, radiotherapy machines, catheters and more. Since it went into effect on 1 January, it has raised $1 billion according to the Medical Imaging & Technology Alliance, the Advanced Medical Technology Association and the Medical Device Manufacturers Association in July–for a program that does not start till 2014. According to The Hill, senior Senators Orrin Hatch, Barrasso and Hoeven are pushing for a repeal amendment to be attached to the stopgap spending bill. The reasons why the tax deserves to be tossed out on its ear are: (more…)

Is nothing private in your EHR? Another disturbing trend out of Swampland.

September 18, 2013 | by

According to a solicitation posted by the Department of Health and Human Services (HHS-Ed.) on Sept. 4, the CMS (Centers for Medicare and Medicaid Services) is commissioning the National Academy of Sciences (NAS) to study how best to add social and behavioral factors to electronic health record reporting.  Washington Free Beacon

So a non-profit online publication, which one would site on the conservative or libertarian side (part of the Center for American Freedom), breaks a huge story, way ahead of the mainstream media, which has major implications for privacy, data security, public health, how goes your doctor or hospital visit and the level of care you receive. Is this EHR TMI (too much information)? The Federal inclusion is being linked to Stage 3 of the Meaningful Use program and reimbursement under Medicare, Medicaid and the Children’s Hospital Insurance Program (CHIP). The NAS already is working on this with the Institute of Medicine to draft suggestions for collecting this behavioral data and identifying “core social and behavioral domains to be included in all EHRs.”

With linking the data to outside Nosey Parkers agencies such as public health entities, the possibilities for identified data becoming insecure or compromised increase dramatically. Will it be accessed (abused) by other entities involved in ACA such as the IRS, state Medicaid databases and Social Security? How much of this data will accidentially leak out in non-deidentified files? Will breaches of millions of non-encrypted records become the norm? Another important and oft-overlooked factor is the additional workload on already overworked hospital and clinical staff, who presently struggle to get comprehensive vital data correctly into multiple fields and screens on present EHRs–a major pain point among many speakers and participants at this past week’s iHT2 Health IT Summit. Finally, there’s the patient. He or she will be pressed to answer, due to penalties baked into the ARRA/HITECH MU3 incentives, the most personal questions about their life and behavior particularly if the diagnosis is one of what euphemistically was called a ‘social disease’. Having spoken this week to those in public health both at iHT2 and at Health 2.0 NYC, this Editor can see it as a deterrent to getting the care they need–or choosing evasion rather than truth with their doctor because there are no more confidences. Even the California Healthcare Foundation, hardly on the right wing, sounds an alarm in iHealthBeat.

An ‘Office of mHealth’ a solution for FDA gridlock? (US)

May 13, 2013 | by

The ‘FDA Office of mHealth‘ bill (H.R. 6626) as sponsored by Mike Honda, Silicon Valley’s House Representative (California 17th District), which expired with last year’s Congress [TTA 18 Dec] will be revived with revisions, according to MedCityNews. (Rep. Honda will be keynoting on the second day of MedCityNews’ ENGAGE conference in Washington D.C. in June.) Formerly dubbed HIMTA (Healthcare Innovation and Marketplace Technologies Act) will now include how that office will work with the alphabet soup of other agencies: FCC, HHS, ONC, FTC. It struck this Editor in December–and later [TTA 28 Mar]–that this bill does not go far enough. In its good intentions to speed mHealth approvals by creating a framework plus monetary incentives, it is not powerful or independent enough to slice through or bypass various turfs.  What would be revolutionary is simplification. Why not an independent unit that draws from FDA, FCC and HHS, but has priority and license to cut through red tape? But that would require major giving up of ground–and with this Federal Government, that ain’t gonna happen. Add to it that the most innovative work–and usage– is being done at DOD (DARPA, T2) and the VA, and the alphabet soup becomes goulash.  Wall Street Journal’s Venture Capital Dispatch