Government Health IT Conference Focuses on Interoperability; Developer Code of Conduct Released
Officials from the Obama administration, including the Department of Health and Human Services, Department of Defense, and National Institute for Standards and Technology, among others, were in attendance recently at the ninth annual Government Health IT conference in Washington. During the conference, officials gave updates on several fronts, including efforts to develop more standards that allow for innovation, emerging technologies to enable trusted identification of providers and patients, and the unveiling of an EHR Developer Code of Conduct from the EHR Association. During a discussion of the Standards & Interoperability Framework, ONC’s Doug Fridsma explained that his office gathers, enables, curates and supports. “Our job is not to determine what the solution is, but to define what success should look like.”
James Sheire, a senior advisor at the National Strategy for Trusted Identities in Cyberspace (NSTIC) – a public-private partnership being convened by NIST – updated the audience on how the group is creating a “trusted identity ecosystem.” Since 2009, NSTIC has created the ID ecosystem steering group and awarded $9.2 million to fund pilot programs, and it is currently evaluating applications for a second round of pilots in 2013. “The identity ecosystem will enable health information exchange,” Sheire said, adding that it will simultaneously streamline patient and provider access to multiple systems, secure patient access, and provide the ability for ID matching. “For patients this means no longer having to remember usernames and passwords, while at the same time making [transactions] more secure.”
Finally, the EHRA unveiled its Code of Conduct, outlining developers’ commitment to supporting safe health care delivery, facilitating innovation and maintaining high integrity. At a news conference announcing the Code, National Coordinator for Health IT Farzad Mostashari praised the code, saying, “The commitment here is very much in line with our national plan.” He added, “It's really very positive to see the association coming together and making a statement about what we stand for. This is what we believe is the right way to treat our customers.”
House Leaders Target August for SGR Fix
Two influential committees with jurisdiction over Medicare’s Sustainable Growth Rate (SGR) formula said they are targeting an August date for completing committee work on a replacement bill. The news comes amid some concern that the House Ways & Means and House Energy & Commerce Committees were no longer in sync on a path forward to replace the SGR. “We’re intending to complete the process through the committee before the August break,” Energy and Commerce Chairman Fred Upton (R-Mich.) told reporters after speaking at a conference. Rep. Upton added that Ways and Means may not do its own markup. “I’m not sure they’ll need to do a markup because of what we’re doing,” Upton said of the Ways and Means Committee. “We’re in absolute sync.” While Ways and Means Health Subcommittee Chair Kevin Brady (R-Texas) agreed the two committees had an “excellent” working relationship, he also said there has been no discussion of timetables, markups, dates – and more importantly – a way to pay for a permanent fix. Ways and Means Chair Dave Camp (R-Mich.) said, “We haven’t identified a pay for yet, and if I had, I wouldn’t be mentioning it to the press.”
On a related note, the Congressional Budget Office (CBO) said Thursday (June 13) it will not update its 10-year budget baseline in August. This leaves a May estimate of $139.1 billion over ten years as the working estimate for the remainder of the year.
Congress Concerned with IRS Access to Personal Health Information
Leaders of the House Energy & Commerce Committee are concerned that the Internal Revenue Service (IRS) has improperly accessed millions of personal medical records. A letter to IRS Acting Commissioner Daniel Werfel said the committee was concerned about a lawsuit filed in California alleging IRS agents “stole more than 60 million medical records from more than 10 million American patients during a search conducted March 11, 2011.” Representatives Tim Murphy, Chairman of the Subcommittee on Oversight and Investigations, and Michael Burgess, Vice Chair of the Subcommittee, asked Mr. Werfel to answer three questions on how the IRS requests and examines protected health information from HIPAA covered entities. The plaintiffs in the California case argue that the IRS was given permission to access financial records of an employee of a covered entity, but that there was no attempt to separate financial information from health information, such as drug treatment, psychological counseling and sexual health treatment. Given recent controversies at the IRS over its targeting of Tea Party groups for additional scrutiny, and the possible involvement of the IRS’s Affordable Care Act lead, there is growing suspicion on the Hill that IRS agents may have broad access to personal health records. The Obama administration maintains that the IRS, Homeland Security and HHS will not have access to personal health records as part of a federal data hub – but will instead be checking immigration status and program eligibility for possible health insurance exchange subsidies.
Cyberattacks Affect More than Just Computers and Databases, FDA Calls for Tighter Security
When many think of a device getting hacked, or viruses or malware, they think of computers, databases, websites, and cell phones, but today, the line does not stop there. Imagine you have a pacemaker for a heart condition – if you have an arrhythmia, the heart can beat too fast, too slow, or with an irregular rhythm – and you rely on your device to help your heart function normally (it uses electrical signaling to correct the heart condition). What if one day you had a heart event – perhaps your heart stops – and your pacemaker didn’t revive you? You only have a limited amount of time to get treatment before it is too late. Now imagine that your pacemaker is fully functional, but the reason it stopped working is that it was hacked and had a virus. Presently, the number of reported cyberattacks is on the rise, but as far as the Food and Drug Administration (FDA) knows, none of these incidents have affected patients.
Recently, the FDA released draft guidelines to tighten medical device security standards, based on an experiment by a few security analysts that proved people could easily hack important medical devices. According to a Washington Post article, “they managed to figure out hundreds of passwords for equipment that included surgical and anesthesia devices, patient monitors and lab analysis tools.” This poses a risk to patients with a multitude of conditions, because their medical devices are connected to hospital networks, which exposes the devices to cyberattacks. Viruses or other breaches can cause interruptions in medical devices or even shut them down.
This experiment proves that privacy and security guidelines should apply to more than just patient information – they should cover devices as well. Comments on the FDA draft guidance are due 90 days after the rule is published in the Federal Register.
Edited by Gabriel Perna