Good morning. Happy belated Veterans Day to all those who have served our country — thank you!
Today's word count is 768, or <3 minutes.
Over 32 million people have had their protected health information breached this year in 311 hacking incidents against health care providers that are under investigation by the Department of Health and Human Services.
The big picture: Complex, bloated hospital systems are a glaring weak spot in U.S. cybersecurity — and there are limits to the government's power to help, Axios' Orion Rummler reports.
Hospitals are vulnerable because they maintain so many systems at once — medical records, billing records and also internet-connected medical devices — that get further entangled after mergers, which have been spiking for at least a decade.
"Cybercriminals know they are a soft target where they can access patient records and social security numbers and other information," Suzanne Schwartz, a deputy director in the FDA's device center, told Axios.
Threat level: Some vulnerabilities aren't as hard to fix as they might seem, experts said.
What's next: The AHA doesn't make its own cybersecurity guidelines, and the FDA's are limited. The agency is seeking more legal authority over device security, and the AHA wants FDA guidelines to be made mandatory.
The not-for-profit hospital system Ascension allowed Google to access a wide array of patient data, including names and diagnoses, but did not notify patients or doctors about their secret data project until the Wall Street Journal reported the story yesterday.
Why it matters: This exchange of sensitive medical information is technically legal under federal law that protects patient health information, as long as Google is contracted as a "business associate" with Ascension, Axios' Bob Herman writes.
The big picture: "The initiative, code-named 'Project Nightingale,' appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data," per WSJ's Rob Copeland.
Both Google and Ascension are financially motivated: Google hopes to sell similar products to other health systems, while Ascension wants to improve patient care and identify ways to generate more revenue from patients.
My thought bubble: What could possibly go wrong here?
Blue Health Intelligence, the company that houses medical and pharmacy claims data for 190 million people who have Blue Cross Blue Shield insurance, has agreed to a multiyear deal to share its data with the Health Care Cost Institute, Bob reports.
Why it matters: HCCI, a nonprofit group used by many health policy researchers, was on the verge of shutting down earlier this year after UnitedHealthcare said it would stop sharing claims data.
Details: Financial terms were not disclosed, but HCCI will pay a fee to the Blues-owned company for the insurers' consolidated data feed, which strips out any information that identifies individuals.
Aetna and Kaiser Permanente will continue to provide their data to HCCI. Humana, which had signaled it would join UnitedHealthcare and end its relationship with HCCI, may now stay aboard as well.
The big picture: Health care prices and spending among people with employer-based coverage are in a black box.
Self-injury among teenagers is on the rise, especially among adolescent girls, the New York Times reports.
Why it matters: Habitual self-harm is an indication of higher suicide risk for some people. And because it's considered a symptom rather than a standalone diagnosis, experts are struggling to respond.
By the numbers: About one in five adolescents say they've harmed themselves to reduce emotional pain at least once, according to a review of surveys taken in nearly a dozen countries.