DOJ indicts Iranian health care hackers

With help from Arthur Allen (@arthurallen202) and Mohana Ravindranath (@ravindranize)

Editor’s Note: This edition of Free Morning eHealth is published weekdays at 10 a.m. POLITICO Pro eHealth subscribers hold exclusive early access to the newsletter each morning at 6 a.m. To learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services, click here.

DOJ INDICTS IRANIAN HEALTH CARE HACKERS: The Department of Justice on Wednesday indicted a pair of Iranian hackers who allegedly infected a swath of health care institutions — including MedStar Health and Allscripts — during a nearly three-year series of attacks. The hackers used the SamSam ransomware virus to obtain millions of dollars in ill-gotten gains, prosecutors say.

The hackers are outside the long arm of the law at the moment, but they’re in legal jeopardy nevertheless.

We contacted the institutions that were victimized by the attacks; those that responded took the opportunity to praise law enforcement’s efforts. “With our cooperation, law enforcement caught and prosecuted the culprit,” said a spokeswoman for orthopaedic hospital OrthoNebraska, one of the health care organizations that had been attacked. “No patient data was accessed due to the internal controls we had in place.”

For Bennet Waters, a principal with security advisory firm The Chertoff Group, the attacks illustrate the need for health care organizations to master the basics — such as timely patching of their software and education to avoid phishing attacks.

“Hackers are fundamentally lazy people,” Waters said, and often use the same types of attacks over and over again. (Indeed, the indictment says that the most recent intrusion described in the indictment occurred in September.) “They’re preying on the fact that, as a general rule, IT users — the general public,” he added, “still lack a sophisticated awareness of hygiene.”

More coverage here, for Pros.

Meanwhile … : Atrium Health, a health care system in North Carolina, announced that an unrelated hack compromised more than 2 million people’s data. The hack was through one of the system’s third-party billing systems, Waters said, which illustrates that it’s not just the fancy connected devices that are at risk.

eHealth tweets of the day: Harlan Krumholz @hmkyale “[re: the Amazon announcement] It will take a lot to determine how best to extract meaningful information from unstructured data in the #EHR. Will take a village. And we also need easier ways for docs to input data, making their document work easier, faster, better. We need to work both sides of this problem.

And the #ethics of extracting knowledge from the #EHR; all depends who is doing it for what reason and with what permissions. Is it for the patient; by the patient or to the patient?...”

THURSDAY: Your correspondent and his colleagues will be covering the ONC Annual Meeting for the next couple of days. Anything we should be watching out for? Give us a tip at [email protected]. Or submit suggestions socially at @ravindranize, @arthurallen202, @dariustahir, @POLITICOPro, @Morning_eHealth.

Election Day has come and gone, but the real work is just beginning. Head to Pro’s Midterms HQ to find out how election outcomes affect you and how to plan your next move. Read More.

AMAZON GARNERS SOME SKEPTICISM: Amazon’s new software — touted as a way to mine free text in EHRs — is getting mostly awe but some skepticism, our colleague Arthur Allen reports.

Lots of competitors, like OptumLabs and the Veterans Health Administration, are trying their hands at similar modes of analysis.

“Breakthroughs in the application of AI in medicine should be viewed with healthy skepticism until results are published,” said Matthew Samore, an informaticist at the University of Utah. While Amazon’s entry in the area is noteworthy, he said, “translating these algorithms and technologies into practical benefits for health care may be the more substantial challenge.”

But Amazon has a scale that others don’t, and may be able to provide its service in a convenient, usable format. That might be an important advance.

HHS SOLUTIONS FOR EASIER HEALTH IT SIMPLE SIGN IN, COMMON STANDARDS: Among HHS’s laundry list of recommendations for simplifying health IT are biometric log-ons, common standards aligning PDMPs with EHRs, automating some orders for medical services and equipment, and supporting APIs so health IT products can integrate with each other.

Those suggestions and more are detailed in the draft strategy crafted by CMS and ONC and published Wednesday. The agencies distilled input from four working groups on clinical documentation, usability and user experience, quality reporting and public health reporting.

HHS also could do more to promote electronic prescribing for controlled substances, the draft says. And it calls on EHR vendors to make more sensible screen layouts for clinicians to work on and to standardize how they present clinical information. HHS invited responses to the draft before Jan. 28.

And the winner is!: HHS also announced the winners of a contest — the Easy EHR Issue Reporting Challenge — that looked for software that makes it easy for clinicians to report safety and usability issues. The James Madison Advisory Group snagged first place — and $45,000 — for a hotkey that launches a safety event reporting system and takes screenshots.

CAN CURES ACT FIX PRICE TRANSPARENCY? ONC’s upcoming rulemaking could do more than just clarify which behaviors violate the 21st Century Cures Act’s ban on information blocking, our colleague Mohana Ravindranath writes. If the rule is broad enough, says one lawyer, it could be a mechanism for enforcing price transparency.

That law makes it illegal for developers, health information exchanges, and providers to “interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” It’s generally understood to promote the freer transfer of patient data; but former ONC official Jodi Daniel, currently of Crowell & Moring, says it potentially could be used to penalize any groups that make it harder to see the prices of health products and services.

A couple of her clients hope to build a business strategy employing the law to pressure insurers to make pricing information more transparent. Certain insurers intentionally make it difficult for patients to find out-of-network pricing, they say.

“It’s common practice for providers to check benefits information,” Daniel said. Insurers that limit access to such data are “altering the practice of enabling a doctor and a patient to have the information they need at the point of care.”

UPDATES FROM CLINICAL TRIAL INNOVATION: At a National Academy of Medicine session on “virtual clinical trials” Wednesday, neurologist Ray Dorsey of the University of Rochester Medical Center said bringing health IT to trials was opening new worlds of information to scientists and doctors.

Wearables, he said, can give insight about the health of his Parkinson’s patients: “We discovered that our patients were lying down more than 50 percent of the time. No one knew that. None of my colleagues with decades of experience caring for Parkinson’s patients. There’s tons of information we’ve been unable to capture about individuals,” Dorsey said.

The Academy’s event on virtual clinical trials continues today.

ALLIANCE ROLLS OUT STANDARDS ON APIs: The CARIN Alliance — a group of dozens of health care organizations founded by health IT luminaries like David Blumenthal, Aneesh Chopra, and Leavitt Partners — has rolled out a new code of conduct describing how institutions should share data with apps. The code describes a set of principles for privacy, consent, security, and convenient access to data. The full document can be found here.

PDMP UPDATES: Some notes on the state of prescription drug monitoring programs:

North Carolina: The Tar Heel State and PDMP vendor Appriss announced that they’re integrating program data and the vendor’s NarxCare risk-scoring software directly into providers’ electronic health records. Doctors have long complained that PDMP data is inconvenient to access outside of the EHR.

Kentucky: Similarly, Owensboro Health seeking to integrate Kentucky’s PDMP data more closely into its records, local radio station WKMS reported.

Alphabet’s plan to kill mosquitos, Bloomberg reports.

Consultant Paul Keckley describes a tortuous lack of transparency on prices in one hospital visit

FDA officials describe their experience with their SENTINEL data-monitoring program in The New England Journal of Medicine.