Healthcare hacking on the rise

https://mailchi.mp/ef14a7cfd8ed/the-weekly-gist-august-6-2021?e=d1e747d2d8

From the largest global meat producer to a major gas pipeline company, cyberattacks have been on the rise everywhere—and with copious amounts of valuable patient data, healthcare organizations have become a prime target.

The graphic above outlines the recent wave of data attacks plaguing the sector. Healthcare data breaches reached an all-time high in 2020, and hacking is now the most common type of breach, tripling from 2018 to 2020. This year is already on pace to break last year’s record, with nearly a third more data breaches during the first half of the year, compared to the same period last year.

Recovering from ransomware attacks is expensive for any business, but healthcare organizations have the highest average recovery costs, driven by the “life and death” nature of healthcare data, and need to quickly restore patient records. A single healthcare record can command up to $250 on the black market, 50 times as much as a credit card, the next highest-value record. Healthcare organizations are also slower to identify and contain data breaches, further driving up recovery costs.

A new report from Fitch Ratings finds cyberattacks may soon threaten hospitals’ bottom lines, especially if they affect a hospital’s ability to bill patients when systems become locked or financial records are compromised. The rise in healthcare hacking is shining a light on many health systems’ lax cybersecurity systems, and use of outdated technology.

And as virtual delivery solutions expand, health systems must double down on performing continuous risk assessments to keep valuable data assets safe and avoid disruptions to care delivery.

Colonial hack a wake-up call to CFOs with legacy systems

What is a cyber attack? Recent examples show disturbing trends | CSO Online

CFOs whose finance and accounting functions are built on legacy computer systems got a stark reminder last week from the Colonial pipeline hacking of what’s at stake if their system is breached.

The hack to Colonial’s system led to widespread gas shortages throughout the East and reportedly forced the company to pay $5 million in ransomware to get the instructions for reclaiming its data. 

“For finance departments, the cybersecurity risk is huge,” Samir Jaipati, a finance solutions leader with EY Americas, told CFO Dive in an email. “Something built on outdated technology won’t be able to keep hackers out.” 

Security specialists generally agree legacy, on-premises systems starting from about 10 years ago typically have solid cybersecurity features built in, but those that are older might require significant upgrades if they’re going to stand a chance against today’s sophisticated hackers.

The risk for CFOs who must manage their processes on an outdated system is they’ll try to get by with short-term fixes that won’t solve the systemic problems they face. 

“These temporary fixes aren’t as dependable and in the long-term may cost more,” said Kaipati.

Best effort

For CFOs who don’t have the time or budget to implement the system overhaul they need or to transfer their processes to a more secure on-premises system or to a cloud-based system, the best step is to do a comprehensive review of their end-to-end finance processes to audit for consistency and reliability, said Steve Adams, Gartner finance director. 

He suggested reviewing the organization’s record-to-report process from start to finish to understand where non-secure platforms are used, whether there are audit trails that don’t exist, and if exogenous data is incorporated. By eliminating these and other red flags, CFOs can go a significant way to clean up their processes and reduce risk without making system changes, Adams said. 

CFOs taking this approach should first engage their IT business partner and ask for a full audit of the cybersecurity capabilities of the suite of financial applications and to use that review as a starting point to making improvements, he said. 

Wider integration

Legacy systems pose a broader problem than just security risk; they can impede company growth because CFOs aren’t generating the data or producing the analytics that can help them identify ways to make more money or reduce costs in the same way they can get from sophisticated cloud-based solutions. 

Nor can legacy systems be expected to be as good at integrating data throughout the organization in the same way as cloud systems.

For CFOs who can do it, switching from an old on-premises system to the cloud can be a game-changer, said Manish Sharma, an Accenture operations group executive.

“CFOs that are agile and able to overcome these restrictions by scaling digital and cloud-powered technologies have been able to break down data silos and siloed ways of working to support the ever-evolving business strategy with speed and flexibility,” he said. 

The importance of using up-to-date IT was emphasized in a recent Accenture report that found “future-ready” leaders are emerging ahead of the pack with higher efficiency and profitability by scaling digital capabilities in ways to improve operational maturity.

“These leaders use better, more diverse data to inform decision-making as part of a cloud-powered continuous feedback loop,” said Sharma.

Flexible categorization

Another benefit of moving to the cloud or a hybrid cloud-on-premises arrangement is cost flexibility. 

On average, the cost of managing an outdated IT system can cost a business around $3.61 per line of code or over $1 million for an application with 300,000 lines of code, said Kevin Shuler, owner and CEO of the Quandary Consulting Group, a Denver-based IT firm. 

“It accounts for customizations, maintenance, reporting, server and hardware, etc.,” he said. 

While replacing the old with the new might appear to be prohibitively expensive at first glance, Shuler noted what can put a CFO more at ease is the costs are more transparent than maintaining a legacy system.

“Better, they can be categorized as either an operating expense or a capital expense since a lot of software is classified as a service rather than software,” he said. 

This gives flexibility to the CFO’s finances and forecasting. It also means more resources can be available for modernized systems. 

“That means you can get superior resources at a lower cost than trying to pull from a pool of highly specialized and competitive contractors who work mainly with legacy systems,” he said.

More than a year into the pandemic, we’re still figuring out what risks we’re willing to take

Charting the pandemic over the next 12 months — and beyond - STAT

When the Centers for Disease Control and Prevention last week issued guidelines for what vaccinated people can safely do, the agency employed the word “risk” 43 times.

The word often carried a modifier, like so: increased risk, residual risk, low risk, potential risk, minimal risk, higher risk. The CDC did not define “low,” “minimal” or “higher,” instead using broad brushstrokes to paint a picture of post-vaccination life.

For example: “Indoor visits or small gatherings likely represent minimal risk to fully vaccinated people.”

On Wednesday, CDC director Rochelle Walensky said she could not give a definitive answer to what a “small” gathering is, because there are too many variables.

“If we define a small- and medium-sized gathering, we actually also have to define the size of the space that it’s in, the ventilation that is occurring, the space between people. And so, I think we should get back to the the general concepts,” Walensky said.

The situation has left people where they’ve been since the start of the pandemic: forced to play the role of amateur epidemiologist.

In the early days of the pandemic, we wondered if we could catch the coronavirus from a passing jogger and if our groceries, fresh from the store and resting on the kitchen counter, threatened to kill us. Science has attenuated some of our earliest fears. But more than a year into this crisis, we’re still trying to perform complicated risk calculations while relying on contradictory research and shifting CDC guidance.

Risk analysis is not something humans are necessarily good at. We rely on anecdotes more than scientific data. The questions we ask rarely have a simple yes or no answer. Risk tends to be on a sliding scale. Outside of self-isolation, there is no obvious way to drive the risk of viral transmission to zero, nor is risky behavior guaranteed to result in a dire outcome. We have no choice but to live probabilistically.

The risk landscape keeps changing as well. The virus is mutating, and there are many different variants in circulation. Many people are now fully vaccinated, some only partially vaccinated (in between shots, for example), some unvaccinated and some armored with a level of immunity through natural infection. Add the extreme variation in disease severity because of age and underlying conditions, and the risk equations get so long we may run out of chalkboard.

The restrictions imposed by governments have sometimes made little sense. Casinos were open before schools in some states. Mask mandates outdoors remained in place even when indoor dining became permitted.

“It seems to me if we are going to have indoor dining, we should have mask-free jogging,” Harvard epidemiologist Marc Lipsitch said in an email.

One thing that is incontrovertibly true: The coronavirus vaccines are remarkably safe and effective, and people should get vaccinated if possible.

“These are off-the-scale good,” said Amesh Adalja, an infectious-disease doctor and senior scholar at the Johns Hopkins Center for Health Security. “These are much better than vaccines that we rely on every year, like the flu vaccine.”

Even for people sold on vaccines, there remain lingering questions about what is and isn’t safe, and what is and isn’t the proper way to go about daily life in an increasingly vaccinated society. Here, we present some answers, with the caveat that our knowledge of the coronavirus, SARS-CoV-2, is still evolving, as is the virus itself.

Q: Why do I still need to wear a mask after I’m fully vaccinated?

A: You don’t need to wear a mask outdoors when fully vaccinated, except in crowds (such as at a sports stadium or a concert), nor do you have to wear one indoors among other vaccinated people or members of your own household.

But there are situations where you still need to mask up. You could still get infected with the coronavirus, and although it would most likely be mild or asymptomatic, you could transmit the virus to another person. Again, the odds of that happening are low, and there is encouraging data from Israel that suggests vaccinations dramatically reduce community spread.

But remember: A vaccination campaign is not simply about protecting the vaccinated individual. The goal is to build immunity broadly. Moreover, many communities still require masks in public settings — so it’s the law. It’s also polite — you don’t want to make people guess if you’ve been vaccinated or not. That probably will change when infection rates plummet and vaccinations are far more widespread.

“It is also a show of solidarity that we are still in this together,” said Maria Van Kerkhove, technical lead for the World Health Organization’s covid-19 response. “It’s about you and your community, your family, your friends, your workplace, your loved ones. It’s not just about you.”

At some point, viral transmission will plummet. We’re a long way from that point. As long as the virus is circulating in our communities, we need to use what we can to limit the spread and drive down the infection rate.

“Because [the vaccines] are not perfect, that’s precisely why we are urging people to be cautious,” Surgeon General Vivek H. Murthy said in a recent White House covid-19 task force news briefing. “We have great confidence in vaccines. We understood they are not perfect.”

Q: If you’re vaccinated, are you definitely protected against the coronavirus?

A: You’re very likely protected from symptomatic illness. That’s why Adalja, echoing the consensus, said, “These vaccines are something that will change your life.”

In clinical trials, the Pfizer and Moderna vaccines were about 95 percent effective in blocking symptomatic illness after two shots. The one-shot Johnson & Johnson vaccine was not quite as effective but just as good at preventing severe illness and death — which is the highest public health priority in a pandemic like this.

Q: But aren’t there also breakthrough infections?

A: As of April 26, the CDC had documented 9,245 breakthrough infections among fully vaccinated people. But look at the denominator: Those cases were among more than 95 million people. That’s fewer than 1 in 10,000 people vaccinated. (The agency noted that this is probably an undercount because of lack of testing and surveillance.) Of those rare breakthrough cases known to the CDC, 27 percent were asymptomatic and only 9 percent required hospitalization.

Adalja said people need to focus on probabilities and not anecdotes.

“This is kind of a cognitive bias that people have with many kinds of risk. It’s just like when there’s a shark attack in Australia. How much coverage does that get?” he said.

Q: Should people who got the Johnson & Johnson vaccine worry about blood clots?

A: If you notice unusual and serious side effects, such as severe headaches, contact your doctor. But the risk is extremely low. Federal regulators reauthorized the use of the vaccine after a 10-day pause, having found 15 cases of a serious clotting disorder among the 7 million people who had received the vaccine at that time. By any calculation, the risk of a bad vaccine reaction is much less than the risk of getting a serious case of covid-19.

Paul A. Offit, a pediatrician at Children’s Hospital of Philadelphia who is an expert on vaccination, suggests that the Johnson & Johnson coronavirus vaccine suffers from bad timing. Had it been approved first, before the Pfizer and Moderna vaccines, its many virtues would have been celebrated and the rare side effects minimized.

He noted that the Johnson & Johnson vaccine is “refrigerator stable” for up to five weeks. The vaccine is appealing to public health officials because it’s one-and-done and can be more easily deployed in remote locations and in places where recipients are homebound.

Q: How long will natural or vaccine-induced immunity last?

A: No one knows, but the initial evidence is encouraging, said Alessandro Sette, a professor of immunology at the La Jolla Institute for Immunology. A research paper published by Sette and fellow researchers in January showed that 90 percent of people who recovered from a coronavirus infection had robust levels of immunity eight months after they became sick. Immunity did not suddenly drop after eight months — that was merely the limit of the research period.

“Ninety percent having a good immune response also means 10 percent don’t. That is a reason for vaccinating and being careful even if you had the disease,” Sette said.

Immunity post-vaccination also appears durable, and there is less variability in levels of antibodies and other immune system cells following a vaccination than following a natural infection, Sette said.

Because this is a novel disease, and vaccines have not been widely deployed for very long, it is too soon to know how long antibodies will last. But Sette pointed out that the immune system has other weapons against invasive viruses, including “killer T-cells,” which continue to be able to recognize infected cells and kill them, preventing viral replication.

Q: Do the vaccines work against these new virus variants? And shouldn’t we be worried about a new variant that has even scarier, vaccine-evading mutations?

A: The immune response generated by vaccines is sufficiently protective against coronavirus variants to prevent most people from getting seriously ill.

Infectious-disease experts do worry about future mutations that could allow the virus to exhibit vaccine evasion. That said, there are limits to how much the virus can mutate — how much it can change its structure — and still function, according to Sette.

“The virus has to walk a tightrope,” he said. The virus can mutate to escape the effect of a specific antibody, but “it can’t change too much.”

He added, “While the virus has surprised us this year in a number of ways, the data we’ve seen so far does not suggest there’s an infinite number of ways the virus can mutate and escape immune recognition and still be as infectious.”

Q: When will we reach herd immunity?

A: No one knows what level of immunity would throttle virus transmission, and it probably varies from one environment to another and from one season of the year to another. But in the United States, at least, vaccinations have already had an effect. The virus increasingly is slamming into immune-system walls. Eventually, with enough vaccinations, most of the people who get infected will be dead-end alleys for the virus.

The virus appears destined to pop up in smaller outbreaks that could be more easily contained. But the virus won’t disappear, especially because it continues to spread at catastrophic rates in many countries that have low levels of vaccination. The only infectious disease-causing virus ever eradicated is smallpox.

For now, successful navigation of the pandemic may simply mean taking steps to reduce the threat of a serious case of covid-19 (as best as anyone can determine it) to the level of other threats that we typically tolerate, and which don’t tend to keep us awake at night.

New Jersey health system sues insurer over $2.5B policy payout

RWJBarnabas Health

RWJBarnabas Health sued an insurance carrier for allegedly refusing to cover the West Orange, N.J.-based system’s pandemic-related losses, according to NJ.com

The health system is suing Zurich American Insurance Co. for breach of contract, alleging the company refused to honor its obligations under a $2.5 billion “Zurich Edge Healthcare Policy.” 

The health system, which treats 3 million patients annually, claims Zurich’s policy should cover losses caused by illnesses like COVID-19. The lawsuit, filed March 19, alleges Zurich failed to acknowledge COVID-19 caused property damage after employees and patients died from the virus in its facilities, according to Law360. 

“Zurich has known, or should have known, for decades that its policy could be called upon to pay up to its full limits — here $2.5 billion dollars — to RWJBarnabas for losses associated with viruses and pandemics,” the lawsuit states. 

Ridgewood, N.J.-based Valley Health System is also suing Zurich, alleging the insurance company wrongfully denied covering its losses tied to the pandemic under a $550 million policy, according to Law360

A Zurich spokesperson declined to comment on RWJBarnabas’ lawsuit, telling NJ.com that it is not the company’s practice to comment on pending litigation. 

In Virginia, Carilion Clinic filed a similar lawsuit against its insurance provider, American Guarantee and Liability Insurance Co., on March 18. The Roanoke, Va.-based system says it lost more than $150 million because of the pandemic, and the insurance company allegedly refused to provide coverage or properly investigate its losses. 

“To cushion the impact of the coronavirus and COVID-19, Carilion Clinic turned to its property insurer, AGLIC, to whom Carilion Clinic had paid nearly $1 million in premiums in exchange for $1.3 billion in property damage and time element (also known as business interruption) coverage effective June 1, 2019 to June 1, 2020,” the lawsuit states. “AGLIC, however, declined to fulfill its obligations to Carilion Clinic under the policy.” 

Carilion is seeking damages for breach of contract and a judgment declaring the scope of American Guarantee’s obligation to cover the losses under the policy.

Read the full NJ.com article here

Read the full Law360 article here

The danger of a fourth wave

Change in new COVID-19 cases in the past week

Percent change of the 7-day average of new cases

on Feb. 23 and March 2, 2021

The U.S. could be in danger of a fourth coronavirus wave - Axios

The U.S. may be on the verge of another surge in coronavirus cases, despite weeks of good news.

The big picture: Nationwide, progress against the virus has stalled. And some states are ditching their most important public safety measures even as their outbreaks are getting worse.

Where it stands: The U.S. averaged just under 65,000 new cases per day over the past week. That’s essentially unchanged from the week before, ending a six-week streak of double-digit improvements.

  • Although the U.S. has been moving in the right direction, 65,000 cases per day is not a number that indicates the virus is under control. It’s the same caseload the U.S. was seeing last July, at the height of the summer surge in cases and deaths.

What we’re watching: Texas Gov. Greg Abbott on Tuesday rescinded the state’s mask mandate and declared that businesses will be able to operate at full capacity, saying risk-mitigation measures are no longer necessary because of the progress on vaccines.

  • But the risk in Texas is far from over. In fact, its outbreak is growing: New cases in the state rose by 27% over the past week.
  • Mississippi Gov. Tate Reeves also scrapped all business restrictions, along with the state’s mask mandate, on Tuesday. New cases in Mississippi were up 62% over the past week, the biggest jump of any state.
  • The daily average of new daily cases also increased in eight more states, in addition to Mississippi and Texas.

How it works: If Americans let their guard down too soon, we could experience yet another surge — a fourth wave — before the vaccination campaign has had a chance to do its work.

  • The vaccine rollout is moving at breakneck speed. The U.S. should have enough doses for every adult who wants one by May, President Biden said this week.
  • At the same time, however, more contagious variants of the coronavirus are continuing to gain ground, meaning that people who haven’t gotten their vaccines yet may be spreading and contracting the virus even more easily than before.

What’s next: The bigger a foothold those variants can get, the harder it will be to escape COVID-19 — now or in the future.

  • The existing vaccines appear to be less effective against two variants, discovered in South Africa and Brazil, which means the virus could keep circulating even in a world where the vast majority of people are vaccinated.
  • And that means it’s increasingly likely that COVID-19 will never fully go away — that outbreaks may flare up here and there for years, requiring vaccine booster shots as well as renewed protective measures.

The bottom line: Variants emerge when viruses spread widely, which is also how people die.

  • Whatever “the end of the pandemic” looks like — however good it’s possible for things to get — the way to get there is through ramping up vaccinations and continuing to control the virus through masks and social distancing. Not doing those things will only make the future worse.
  • “Getting as many people vaccinated as possible is still the same answer and the same path forward as it was on December 1 or January 1 … but the expected outcome isn’t the same,” Shane Crotty, a virologist at the La Jolla Institute for Immunology in San Diego, told Reuters.