Our research team breaks down this week’s top healthcare news.
In an age of unprecedented change, staying current has never been more important. Our team at Chartis is curating news most relevant to the healthcare industry and tracking the topics that are trending on seven key issues: high reliability care, digital and advanced technology, financial sustainability, health disparities, the health ecosystem of the future, partnerships, and the provider enterprise. Each week, we break down what’s happening and why it matters.
Last week the Centers for Disease Control and Prevention (CDC) made two major announcements that could impact many Americans as the pandemic stretches into its fifteenth month. First, on May 12, a federal advisory committee voted in favor of recommending that Pfizer’s vaccine be approved for use in children ages 12 through 15. The approval came after a clinical trial of 2,000 adolescents reported no adverse events and 100 percent efficacy in preventing COVID-19 cases. The American Academy of Pediatrics strongly supported the approval.
The day after the expanded emergency use approval of the Pfizer vaccine, the CDC announced fully vaccinated Americans no longer needed to wear masks in most cases — indoors and outdoors. That news was met with a mix of excitement, concern, confusion, and questions, depending on the audience. Some state or city governments have mask mandates that remain in place even after the CDC’s announcement, leaving some vaccinated residents uncertain whether their mask was still necessary. Businesses have also taken varying approaches, with some still requiring masks as they review policies and others lifting mask requirements immediately.
The new population of vaccine-eligible youth is good news for many reasons — it may aid schools fully reopening in the fall, allow certain camps or activities to resume this summer in certain age groups, and if herd immunity remains in reach, make achieving it more likely. Rolling out the vaccine now to a subset of children can also help prepare schools, pediatricians’ offices, and other vaccination sites for the fall when the vaccine is likely to be approved in children two years old and up, if clinical trials go well.
While approval in children under 12 years old is likely coming this year, it is still at least four months away. One group that has been particularly concerned about the mask mandate lifting has been parents of children in this younger age group. Part of the apprehension is how it will be determined who has been vaccinated and how masking will be enforced for the unvaccinated to avoid putting those not yet eligible at risk, like children under age 12. It also remains to be seen if schools that are in person will lift mask mandates since so much of the school population still remains ineligible for a vaccine.
An additional concern is that opening up the vaccine to the younger age group does not mean everyone will get it. There is even more hesitancy among parents of this age group than there is among people getting the vaccine for themselves. According to Kaiser Family Foundation, only 30 percent of caregivers said they would vaccinate their adolescents immediately. The American Academy of Pediatrics has issued statements in support of vaccination and is running webinars to assuage fears. Thus far, data indicates that vaccination in the remainder of eligible adults, who can then safely go unmasked, and in pediatric groups as they are approved is the fastest, safe path forward.
On May 9, Colonial Pipeline, the operator of one of the United States’ largest gasoline pipelines, made headlines worldwide as the victim of a ransomware attack. The company was forced to shut down their pipeline, cutting off the supply to much of the East Coast. In a ransomware attack, data is “held hostage” until a fee is paid to hackers; if no fee is paid, the data will be permanently erased or released publicly, whichever is more damaging. Colonial Pipeline ended up paying the hackers $4.4 million and has begun to resume service, though at the date of this publication there are still gas stations on the East Coast with no gasoline. Paying hackers “ransoms” do not always result in retrieving data successfully, cyber insurance does not always cover these payments, and they do not deter from future attacks (some would argue they encourage them).
A week earlier, another cyberattack occurred at Scripps Health, a health system with five hospitals and a large ambulatory network in the San Diego area. This ransomware attack led to a network outage at Scripps, forcing them to disable their IT systems and move to paper records and telephone communication, taking them back more than a decade in their operations and levels of efficiency and coordination.
This paralyzed many parts of the health system. Four of their hospitals were put on diversion, meaning patients who would have been brought to Scripps via ambulance were diverted to other area hospitals. Their emergency rooms were only accepting trauma patients and those who walked through the door on foot. Appointment systems for clinic visits, procedures, and surgeries were disabled; patient portals were inaccessible; and Scripps’ internal emails systems were shut down.
The breach also exposed Scripps to errors and patient safety risks. In a recent article in Modern Healthcare, one patient noted that after the attack, his pre-operative staff triple-checked the type of surgery he was going to have via paper records, but then two different nurses tried to administer the same dose of a blood thinning medication, which would have given him a double dose and put him at risk. As he stated, "It's things like that that scare me from a patient safety point of view, with no physician access to patient records, incomplete paper trails, and unfamiliar processes." Finally, Scripps has not yet determined whether private patient data has been compromised, and the local community is upset about the lack of clear communication and how the entire situation has been handled.
For years we have been warned that a major cyberattack could cripple parts of the country’s infrastructure, and that the increasing sophistication of hackers makes the threat more likely. Healthcare has become an increasingly popular industry to target, likely because of its complex, interwoven IT systems that have been cobbled together over decades, as well as the abundance of staff who have access to those systems, presenting many points of vulnerability. In 2020, 92 individual ransomware attacks occurred at healthcare organizations; 600 clinics, hospitals, and organizations and more than 18 million patient records were affected — a 470 percent increase from 2019, per a Comparitech report cited in Fierce Healthcare. This cost the healthcare industry $20.8 billion in system “downtime” caused by the ransomware attacks.
One reason cyberattacks are becoming more common is that we are surrounded by what some refer to as “technical debt”: programs written hastily, decades ago, that were not meant to scale to the extent they have or interoperate with multiple different IT systems. It’s a challenge to fix this without completely starting over, which is expensive and logistically impossible. As Zeynep Tufekci, who covers technology for The Atlantic, recently wrote, “We don’t mess with these rickety layers, because it would be very expensive and difficult, and could cause everything else to crumble. That means there is a lot of duct tape in our code, holding various programs and their constituent parts together, and many parts of it are doing things they weren’t designed for.”
The Scripps example demonstrated that ransomware attacks on health systems can cause a disruption in normal operations of a health system, an inconvenience to patients, and a loss of revenue to the system — exacerbated and/or prolonged by a loss of confidence in the health system if communication is not clear and forthcoming, as many would say has been the case with Scripps in this ransomware attack. In addition, these attacks can put pressure on other healthcare systems to care for the patients of the targeted health system, lead to delayed necessary or elective care, put patient safety at risk, and potentially lead to the exposure of private patient medical records.
Scripps includes five hospitals. Their attack occurred on May 1, and they are still not fully operational. If a similar type of attack happens to a national system, like it did with United Health Services (UHS) in 2020, the impact to the system and to patients could be nationwide. In the UHS example, the attack resulted in a loss of $67 million. If there was an attack on any number of large regional health systems with a concentrated presence in a particular geography, it is possible that other healthcare providers in the area would not have capacity to cover the number of diverted emergency cases and other patients, presenting a serious public health risk.
There is no easy way to prevent cyberattacks within health systems, and investments in this area are often limited by the high costs, competing IT, or other organizational priorities — this will only be exacerbated as healthcare providers continue to repair their finances after the devastation of COVID-19. However, there are measures that can be taken to reduce the risk of an attack or mitigate the damage. As colleagues at The Chartis Group outlined in a recent piece, Under Attack: Five Practical Steps to Thwart Increased Cyber Threats, there are some lower cost, more immediate steps that can be taken, including:
Harvard Business Review recently recommended appointing a respected, well-known security champion who can lead efforts. This is in addition to the HIPAA requirement to appoint a HIPAA Security Officer who oversees the creation and execution of policies and procedures that ensure the security of electronic Protected Health Information (PHI). Healthcare organizations should employ a variety of efforts, as opposed to relying on cyber insurance alone; put into place agile management processes, such as constant upgrades and patches to combat new threats; and develop a solid response plan should a cyberattack occur.
Unfortunately, the threat of cyberattacks on technology infrastructures across every industry is increasing. For healthcare providers, the potential impact could be direct harm to people and patients, and possibly a large public health crisis. Serious and relentless measures should be taken by health systems and our government to prevent such attacks, and plans should be put into place to mitigate negative outcomes when an attack inevitably occurs.
Harvard Business Review
How to Make Cybersecurity a Top Priority for Boards and CFOs
Applying behavioral health insights, this paper presents a strategy for healthcare leaders to communicate and operate in ways that address patients’ and employees’ pandemic-inspired anxieties and fears, alleviate tension, and foster stability.
While health systems have focused on the immediate health needs caused by COVID-19, cyberattacks have increased as hackers have exploited the outbreak's disruption. Learn five immediate key areas for health system focus that can have a positive impact on security and business continuity without incremental cost.
What is the new normal rate for telehealth adoption? And how is telehealth best utilized by specific service lines and for specific patients and use cases? This new report analyzes 6 key areas to identify trends and practical insights.