Nov 12, 2019

Axios Vitals

Good morning. Happy belated Veterans Day to all those who have served our country — thank you!

Today's word count is 768, or <3 minutes.

1 big thing: Why hospitals are a weak spot in U.S. cybersecurity

Illustration: Rebecca Zisser/Axios

Over 32 million people have had their protected health information breached this year in 311 hacking incidents against health care providers that are under investigation by the Department of Health and Human Services.

The big picture: Complex, bloated hospital systems are a glaring weak spot in U.S. cybersecurity — and there are limits to the government's power to help, Axios' Orion Rummler reports.

Hospitals are vulnerable because they maintain so many systems at once — medical records, billing records and also internet-connected medical devices — that get further entangled after mergers, which have been spiking for at least a decade.

  • Attackers know hospitals are open 24/7, have a vastly complex network and can't afford interruptions to public health.

"Cybercriminals know they are a soft target where they can access patient records and social security numbers and other information," Suzanne Schwartz, a deputy director in the FDA's device center, told Axios.

Threat level: Some vulnerabilities aren't as hard to fix as they might seem, experts said.

  • John Riggi, a senior cybersecurity adviser for the American Hospital Association, said he has heard medical device manufacturers tell hospitals to buy total replacements for machines that may only need a security software update.

What's next: The AHA doesn't make its own cybersecurity guidelines, and the FDA's are limited. The agency is seeking more legal authority over device security, and the AHA wants FDA guidelines to be made mandatory.

  • The FDA's cybersecurity oversight in hospitals is limited only to medical devices — not the other internet-connected devices that hospitals are also full of.
  • The FDA's ability to work with medical device-makers to tackle cybersecurity has improved drastically since the 2017 WannaCry attack, Schwartz said — but hospitals still have weaknesses that are left unaddressed.

Go deeper: What your hospital knows about you

2. Google's controversial health care data project

The not-for-profit hospital system Ascension allowed Google to access a wide array of patient data, including names and diagnoses, but did not notify patients or doctors about their secret data project until the Wall Street Journal reported the story yesterday.

Why it matters: This exchange of sensitive medical information is technically legal under federal law that protects patient health information, as long as Google is contracted as a "business associate" with Ascension, Axios' Bob Herman writes.

The big picture: "The initiative, code-named 'Project Nightingale,' appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data," per WSJ's Rob Copeland.

  • Google is using the information in part to design new software that suggests changes to individual patients' care.

Both Google and Ascension are financially motivated: Google hopes to sell similar products to other health systems, while Ascension wants to improve patient care and identify ways to generate more revenue from patients.

My thought bubble: What could possibly go wrong here?

3. The Blues' new data sharing deal

Photo: Uli Deck/picture alliance via Getty Images

Blue Health Intelligence, the company that houses medical and pharmacy claims data for 190 million people who have Blue Cross Blue Shield insurance, has agreed to a multiyear deal to share its data with the Health Care Cost Institute, Bob reports.

Why it matters: HCCI, a nonprofit group used by many health policy researchers, was on the verge of shutting down earlier this year after UnitedHealthcare said it would stop sharing claims data.

Details: Financial terms were not disclosed, but HCCI will pay a fee to the Blues-owned company for the insurers' consolidated data feed, which strips out any identifying information of people.

  • Swati Abbott, CEO of Blue Health Intelligence, said "a majority" of the 36 Blue Cross Blue Shield companies will submit claims data, although five plans "restrict some of their contributions." She would not name those five companies.

Aetna and Kaiser Permanente will continue to provide their data to HCCI. Humana, which had signaled it would join UnitedHealthcare and end its relationship with HCCI, may now stay aboard as well.

The big picture: Health care prices and spending among people with employer-based coverage are in a black box.

  • Research groups like HCCI have attempted to bring some of that information to light, and HCCI now has a new major source of claims data to do so.
4. Self-harm rising among adolescents

Self-injury among teenagers is on the rise, especially among adolescent girls, the New York Times reports.

Why it matters: Habitual self harm is an indication of higher suicide risk for some people. And because it's considered a symptom rather than a standalone diagnosis, experts are struggling to respond.

By the numbers: About one in five adolescents say they've harmed themselves to reduce emotional pain at least once, according to a review of surveys taken in nearly a dozen countries.

  • For some people, self harm can become "a full-blown addiction, as powerful as an opiate habit," per NYT.

Go deeper: Why we're failing to stop teen suicide

5. While you were (long) weekending...
  • Kaiser Permanente announced that its CEO and chairman Bernard J. Tyson died unexpectedly at age 60.
  • Health officials have made a breakthrough in determining what's behind the mysterious vaping-related illness sweeping the country, the Washington Post reports.
  • President Trump said he'll be meeting with vaping industry representatives as the administration continues to formulate its response to the vaping epidemic, Reuters reports.
  • China's revamping of its health care system is creating business opportunities for global drugmakers, per WSJ.