HEALTH DATA BREACHES SURGE: Nearly 50 million Americans had their sensitive health information breached in 2021, more than triple as many as in 2018, a POLITICO analysis of the latest HHS Office for Civil Rights data found.
It’s a nationwide problem: About half of states and Washington, D.C., saw more than 1 in 10 of their residents directly affected by unauthorized access to their health information, according to the analysis, raising significant privacy and security concerns. And hacking accounted for more than 80 percent of all such breaches last year — up from 35 percent in 2016.
Health care cybersecurity experts say a rise in the hacking of financially lucrative health information and ransomware, more awareness of threats and thus increased reporting, the turn to remote work and health care’s digital pivot are all behind the swell. Health care information is highly coveted by hackers, who can sell the data on the dark web or use it fraudulently, including false Medicare claims and identity theft.
“Unfortunately, the industry is pretty much easy pickings, and they’re hitting it because they’re getting paid,” said Mac McMillan, CEO of cybersecurity company CynergisTek. “It’s [not] gonna slow down until we either get more serious about stopping it, or blocking it, or being more effective at it. From the cybercriminals’ perspective, they’re being successful, they’re getting paid; why would they stop?”
That left us wondering: Is it a given that our health records are more likely to be breached in the digital era?
The health care sector has long pushed for data to move more freely, with new government regulations and private-sector efforts aimed at making it easier for patients’ records to travel with them.
“Because data starts to move around more freely, this is sort of the cost of doing business,” said Aaron Maguregui, senior counsel at Foley & Lardner.
But health care’s data fragmentation has an upside: Breaches won’t always often affect a person’s comprehensive health record since information doesn’t move easily across systems, said Harry Greenspun, partner and chief medical officer at Guidehouse, an advisory firm.
The impact: Although tens of millions of individuals had their health information breached in 2021, not all of them will suffer significant consequences. Many won’t realize their health data has been compromised or understand what it means, said Carter Groome, CEO of First Health Advisory, a health care risk management consulting firm. Kirk Nahra, a privacy attorney at WilmerHale, argues few people are meaningfully affected.
Some people will be more concerned about breaches than others, said Cindi Bassford, a partner at Guidehouse who focuses on cybersecurity.
“If you believe that there’s confidential medical information about you floating out there, that eats at you because you really don’t know the impact,” Greenspun said.
Welcome back to Future Pulse, where we explore the convergence of health care and technology. Share your news and feedback: @_BenLeonard_.
CDC PUSH TO BOLSTER DATA: The Centers for Disease Control and Prevention is calling on staff to better collect and analyze public health data, POLITICO’s Erin Banco and Krista Mahr report.
In an email obtained by POLITICO last week, Dan Jernigan, the CDC’s deputy director for Public Health Science and Surveillance, pointed to a letter from Director Rochelle Walensky.
“Among the things Dr. Walensky shared in her letter, are five big commitments that will push us to work more collaboratively by moving from a mindset of ‘my data’ to ‘our data,’” the email reads.
The email is the first official indication the agency is taking new actions to fix data issues that have hindered the agency’s Covid-19 response. It comes as lawmakers call for the agency to bolster data collection ahead of future pandemics, allowing it to be shared more easily among health departments, hospitals and the federal government. Jernigan told POLITICO the push will include unifying federal and state public health data systems, ensuring information is real-time and aiding states in hiring data collection and analysis workers.
The CDC has struggled to keep up with Covid-19 largely because of the nation’s antiquated public health infrastructure, which depends on underfunded state health departments to gather data and submit it to CDC.
RUSSIAN CYBER THREAT RISING: In light of what he called new intelligence, President Joe Biden said Monday that Russia is “exploring” possible cyberattacks against the United States, POLITICO’s Maggie Miller and Sam Sabin report.
“The more Putin’s back is against the wall, the greater the severity of the tactics he may employ … one of the tools he’s most likely to use in my view, in our view, is cyberattacks,” Biden said Monday, calling on companies to “harden your cyber defenses immediately.”
Escalation: Some health care cybersecurity experts tell POLITICO’s Ben Leonard they’ve seen an increase in cyber threats potentially tied to Russia in recent days.
“People are just seeing more traffic, more email bombs, so to speak,” said Mac McMillan, CEO of the cybersecurity firm CynergisTek. “They’re more of a nuisance at the moment, not full-fledged attacks that are doing anything, but clearly, there’s stuff going on now.”
The threat also has escalated at Ukrainian-based vendors of health care organizations. Carter Groome, CEO of First Health Advisory, a health care risk management consulting firm, said malware attacks on Ukrainian targets have risen about 10 times over the two weeks.
The sector is also an attractive target for hackers given the trove of sensitive information in health records and health care organizations’ perceived willingness to pay ransoms to unlock systems, since disrupting care delivery can be catastrophic.
AUDIO-ONLY TELEHEALTH SURGES: Audio-only telehealth was used more often than video visits for primary care and behavioral health at federally qualified health centers between August 2020 and August 2021, a new study from the RAND Corporation found.
The study adds to the volume of literature showing the widespread use of audio-only virtual care during the pandemic. By the end of the study period, when vaccinations were widespread, in-person visits became more popular than audio-only visits for primary care but not for behavioral health.
Advocates have touted audio-only telehealth as a way to expand care to people connectivity barriers .Last month, an HHS report found lower-income people used audio-only virtual care significantly more than higher-income people.
The HHS report pointed to research suggesting video telehealth is better than audio-only in “many clinical contexts.” The RAND report called for empirical testing on how audio-only care affects quality of care.
“Although audio-only visits have clearly played a critical role in maintaining access to care during the public health emergency, their ongoing role in the care delivery of low-income populations requires careful consideration,” the RAND report said.
CIAO, VAX PASSPORTS: Italy is pulling requirements for proof of Covid-19 vaccination to enter indoor public spaces May 1, POLITICO Europe’s Carlo Martuscelli reports.
The country is also ending its state of emergency and outdoor proof-of-vaccination requirements at the end of March, while lifting indoor mask mandates April 30. Health Minister Roberto Speranza touted the country’s Green Pass vaccine passport system, saying it helped avert lockdowns.
Several European countries including France and Belgium have pulled virus restrictions recently. Italy’s moves come despite a rise in Covid-19 cases.
As large parts of the world with wide access to vaccines try to move on from Covid-19, the next step for digital Covid-19 vaccine credentials — commonly referred to as “passports” — is unclear.
In the U.S., many major cities like New York that had once required proof of vaccination to enter many public spaces are no longer doing so, though businesses can still require it. It’s not certain if proof of vaccination requirements would return in the event of a surge, with governors and lawmakers on both sides of the aisle reluctant to reimpose restrictions.
Some U.S. states have touted the digital credentials for school proof-of-vaccination requirements, and they could be used for a wider range of health information.
The largest pharmacy benefit managers are dominating more and more of drug pricing negotiations, STAT reports.
Abortion via virtual care is “revolutionizing” service in some states, Boston’s GBH reports.
“A Ketamine Clinic Treads the Line Between Health Care and a ‘Spa Day for Your Brain,’” reports The New York Times.