Monthly Healthcare News Roundup: Class Action Lawsuit Against Opioid Manufacturers, the FDA’s New Draft Recommendations for CDS, and More

Every month, we compile the most compelling healthcare privacy and security related news stories. Below, you’ll learn about a historic class action lawsuit against opioid manufacturers, the FDA’s new draft recommendations involving clinical decision support software, and more.

$260 million opioid settlement reached at last minute with big drug companies

A landmark moment in the nation’s opioid epidemic occurred last month when four major pharmaceutical companies and distributors reached a $260 million settlement with two Ohio counties, averting what would have been the first federal opioid trial.

The settlement involves pharmaceutical companies and manufacturers, mainly McKesson, Cardinal Health, and AmerisourceBergen, which alone are responsible for distributing 90% of all prescriptions in the United States. The companies agreed to provide cash payouts and addiction treatments for the areas most deeply affected by the opioid crisis. This has the potential to become the model for thousands of similar cases in the pursuit of holding the pharmaceutical industry accountable for the nationwide crisis.

“We have powerful evidence that pharmacies were also implicated in this epidemic,” said Paul J. Hanly, Jr., lead lawyer for the cities and counties involved in the lawsuit. “Those folks now have targets on their backs. Even so, we’re very interested in a global settlement, and we believe those companies are too — or they ought to be.”

ECRI’s top health tech hazards for 2020 include EHR errors, alert fatigue, missing MRI data

ECRI has released its Top 10 Health Technology Hazards for 2020 report, aimed at helping healthcare leaders prioritize and address risks to patient safety. Highlighted in the report are hazards found by incident investigations conducted by ECRI, incident reporting databases, and medical device testing.

The top risks include:

  • Alert overload – When a high volume of notifications overwhelms clinicians, it creates the potential for significant events to fall through the cracks
  • Home care security risks – Interruption in the transfer of patient data from cybersecurity issues can lead to delayed care or misdiagnosis
  • Medication timing errors in EHRs – When a medication order from an EHR doesn’t match the dose administration time intended by the prescriber, it could lead to delays for critical medications

Read the full article to learn more about ECRI’s top healthcare tech hazards for 2020.

Changing the cybersecurity culture

Among cybersecurity attacks on healthcare, ransomware and denial-of-service attacks make the headlines. But cultural and technological vulnerabilities are responsible for a major portion of the industry’s cybersecurity incidents.

According to privacy and cyber risk specialist IT Governance’s monthly reports throughout 2019, top risks to healthcare cybersecurity range from unauthorized patient record access to coding errors that inadvertently expose patient records.

There is a silver lining – cybersecurity providers have seen an improvement in healthcare organizations when implementing proactive steps to prevent and detect breaches early. But it isn’t a simple task to explain the importance of cultural changes to stakeholders.

“Being more proactive means having the ability to fix issues as they are identified over time. The biggest challenge for a hospital CIO is being able to communicate the likelihood and impact of a breach and introduce whatever is necessary to prevent it. And describing possible impact to a board is difficult.” – Dave Kennedy, Founder and Senior Principal Security Consultant at TrustedSec

Sila and Ponemon Institute study finds rampant lapses in securing access to sensitive information

Sila Solutions Group has partnered with the Ponemon Institute to release The 2019 Study on Privileged Access Security, which surveyed over 650 IT and IT security professionals throughout North America to find trends and lapses in privileged access management (PAM). PAM is the restricted and protected access to the accounts at the helm of organizations’ most critical data.

A major takeaway from the study is that gaps in PAM practices continue to be a major roadblock for organizations even with the ever-present risk of a data breach. 70% of those surveyed believe that insiders with privileged access are accessing sensitive data without valid business reasons – and over half of participants expect privileged user abuse to increase within the next year or two. This result is likely to be connected to the 62% of participants who felt that their organization assigned privileges beyond a given user’s business responsibilities – which may have farther-reaching consequences for healthcare data security than organizations realize.

“The status quo is not secure. Business and IT leaders need to look beyond simple tool integration and a ‘check the box’ mentality solely driven by compliance demands. Organizations take a big risk by not properly investing in effective PAM strategies that not only promote security, but propel business success.” – Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute

How should AI be designed and regulated, and who should it serve?

The FDA has released a new set of draft recommendations on clinical decision support (CDS), which is “software that is intended to provide decision support for the diagnosis, treatment, prevention, cure, or mitigation of diseases or other conditions.” The agency is taking a risk-based approach to categorizing CDS tools, many of which are powered by artificial intelligence (AI).

AI and machine learning software is growing rapidly in healthcare – 50% of healthcare organizations plan to adopt AI within the next five years. And at the HIMSS Connected Health Conference last month, a panel of speakers including Robert Havasy, managing director of the Personal Connected Health Alliance, saw in the FDA draft a “truly global framework emerging, with common principles among the U.S., Europe and other places.”

Imposter emails plague healthcare industry

Cybersecurity company Proofpoint has released its 2019 Healthcare Threat Report: Protecting Patients, Providers and Payers. The study evaluated a year’s worth of cyber attacks against healthcare systems, pharmaceutical and life sciences providers, and health insurers. Across the millions of malicious emails it covered, it was clear that cyber attackers target more than just infrastructure – they use social engineering tactics through email to directly target people.

Of the imposter emails researchers evaluated, common keywords in the subject line included “payment,” “request,” and “urgent.” And in the first quarter of 2019 alone, health systems received 43 spoof emails like these, a 300% increase from a year prior.

What should your organization look out for when checking its emails? Read the full article to learn more.