Dan Munro

Writer


Millions Of Patient Health Records Now At Risk Through Unregulated APIs

November 15, 2021 By Dan Munro

Over the course of about a year, a single ethical hacker was able to access millions of patient health records and expose systemic risks in software that is effectively outside the legal jurisdiction of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Application Programming Interfaces (APIs) are usually treated as infrastructure rather than application software because they sit below the application's presentation layer and broker data requests between different (often competing) software applications. The end user (or consumer) sees the result of an API request in a front-facing application but never the API itself. The API is nonetheless a network-facing service that anyone able to send it a request can probe, so its own access controls matter regardless of what the application on top of it shows.

Of the five FHIR API implementations I tested in phase two of my research, three contained pervasive vulnerabilities that allowed me to access over four million patient and clinician records – often using a single login. The other two were built by Electronic Health Record (EHR) vendors and I found no vulnerabilities in either of them. 

Alissa Knight
Ethical Hacker
Author of “Playing With FHIR”

The white paper, titled “Playing With FHIR,” is a play on the name of the underlying specification, Fast Healthcare Interoperability Resources (FHIR), which is a kind of blueprint for building APIs used specifically in healthcare.

In fact, many of the vulnerabilities Alissa identified were easily avoidable, and some of the techniques she used were very basic and in common use by entry-level security testers globally. At least some of the vulnerabilities may have been caused by software developers who were overly eager to cash in on a freshly minted regulation called the “information blocking rule.” The new rule went into effect earlier this year, and it is now clear that some developers (either intentionally or out of ignorance) didn’t adhere to critical security specifications that are clearly outlined in the FHIR blueprint.
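As an added illustration (this is not code from the article or from “Playing With FHIR,” which the page does not reproduce), the Python below shows the kind of check the FHIR security guidance expects from a server and one plausible way a single login ends up reaching other patients’ records, namely a missing per-resource authorization check. A Patient read endpoint is written twice: once checking only that the caller is logged in, and once layering the SMART on FHIR scope check and patient launch context on top. The bearer tokens, their claims and the Patient resources are constructed for the demo, and the function names are this example’s own; in a real server the claims would come from the OAuth 2.0 authorization server.

```python
"""Added example: per-resource authorization on a FHIR Patient read.

Not code from the article or from "Playing With FHIR". Tokens, claims and
Patient resources are constructed for the demo; in production the claims
would come from the OAuth 2.0 / SMART on FHIR authorization server.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for token introspection results (bearer token -> claims).
# "scope" uses SMART on FHIR syntax; "patient" is the SMART launch context,
# i.e. the single Patient this token was issued for.
TOKENS = {
    "tok-alice": {"sub": "user-alice",
                  "scope": "patient/Patient.read patient/Observation.read",
                  "patient": "p-1001"},
    "tok-bob": {"sub": "user-bob", "scope": "patient/Patient.rs", "patient": "p-1002"},
    "tok-eve": {"sub": "user-eve", "scope": "openid", "patient": "p-1003"},
}

# Constructed Patient resources keyed by logical id.
PATIENTS = {
    "p-1001": {"resourceType": "Patient", "id": "p-1001", "name": [{"family": "Alpha"}]},
    "p-1002": {"resourceType": "Patient", "id": "p-1002", "name": [{"family": "Bravo"}]},
    "p-1003": {"resourceType": "Patient", "id": "p-1003", "name": [{"family": "Charlie"}]},
}


@dataclass
class Response:
    status: int
    body: dict


def outcome(status: int, code: str, text: str) -> Response:
    """FHIR servers report errors as an OperationOutcome resource."""
    issue = {"severity": "error", "code": code, "diagnostics": text}
    return Response(status, {"resourceType": "OperationOutcome", "issue": [issue]})


def read_patient_insecure(bearer: Optional[str], patient_id: str) -> Response:
    """Weak form: a valid login is all it takes to read ANY Patient.

    The token is checked, the requested object is not, so one account can
    walk the whole patient table simply by iterating ids.
    """
    if bearer not in TOKENS:
        return outcome(401, "login", "missing or invalid bearer token")
    if patient_id not in PATIENTS:
        return outcome(404, "not-found", "no such Patient")
    return Response(200, PATIENTS[patient_id])


def scope_grants_read(scope: str, resource: str) -> bool:
    """True if a SMART scope string grants read access to `resource` in the
    patient context. Accepts v1 (patient/Patient.read, patient/*.read) and
    v2 (patient/Patient.rs, patient/*.cruds) forms."""
    for token in scope.split():
        if "/" not in token or "." not in token:
            continue  # openid, fhirUser, launch/patient etc. grant no resource access
        context, rest = token.split("/", 1)
        res, perm = rest.rsplit(".", 1)
        if context != "patient" or res not in ("*", resource):
            continue
        if perm in ("read", "*"):
            return True
        # v2 permission letters are drawn from "cruds"; "write" does not qualify
        if perm and set(perm) <= set("cruds") and "r" in perm:
            return True
    return False


def read_patient_secure(bearer: Optional[str], patient_id: str) -> Response:
    """Hardened form: authenticate, check scope, then enforce object-level
    authorization by tying the requested id to the token's patient context."""
    claims = TOKENS.get(bearer) if bearer else None
    if claims is None:
        return outcome(401, "login", "missing or invalid bearer token")
    if not scope_grants_read(claims["scope"], "Patient"):
        return outcome(403, "forbidden", "token does not grant Patient read access")
    # The object-level check the weak version lacks. Answering 404 rather than
    # 403 for someone else's id avoids confirming which ids exist.
    if patient_id != claims.get("patient") or patient_id not in PATIENTS:
        return outcome(404, "not-found", "no such Patient")
    return Response(200, PATIENTS[patient_id])


def compare(bearer: str, patient_id: str) -> tuple:
    """Status codes the two handlers return for the same request."""
    return (read_patient_insecure(bearer, patient_id).status,
            read_patient_secure(bearer, patient_id).status)


if __name__ == "__main__":
    # Bob's token reading Alice's record: only the weak handler serves it.
    print(compare("tok-bob", "p-1001"))  # (200, 404)
```

The weak handler answers 404 for unknown ids and 200 for any known one, which is exactly what makes enumeration with a single login cheap. The hardened handler only honors `patient/` scopes; a clinician-facing `user/` scope would need a different authorization rule (for example, membership of the clinician's patient compartment), which this example deliberately does not implement.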

The basic intent of the new rule (which is exclusive to healthcare) is to threaten incumbent EHR software vendors and providers with penalties if they intentionally “block” access to their datastores from third-party requests. In reality, however, the rule is more of a theory, because there is no hard evidence of intentional blocking to date and there are reasons to believe that attempts at enforcing the new rule would be legally challenging at best.

Why? Because there is no precedent for this kind of rule (either in healthcare or in other industries), so it is legally novel and untested. Beyond that sizable hurdle, the rule has no fewer than eight exceptions, which can be relatively easy to claim as a viable defense against allegations of data “blocking.”

In fact, Alissa’s research may well have undermined the entire rule, because one of the eight exceptions is specific to security. With the kind of vulnerabilities she identified, EHR vendors could easily deny (or “block”) any third-party request for data simply by citing the security exception as their justification, and their defense would likely succeed on this one exception alone. I’m not an attorney, and I don’t think EHR vendors would hide behind that defense, but given these new risks (and new liabilities), they very likely could.

For one thing, no one really knows how many FHIR APIs are in production today, let alone how many have basic security flaws. Regulations other than “information blocking” (most notably HIPAA, with its detailed protections around the use of personal health information) would not apply, because many of the companies developing (or using) these new APIs would not be considered a “covered entity” or a “business associate,” and those two legal classifications are the binding requirement for HIPAA’s jurisdiction.

’Playing with FHIR’ highlights how a rapidly expanding ecosystem of consumer-oriented mobile apps and data aggregators may open new security vulnerabilities for patients and healthcare providers. EHR developers and the healthcare organizations they serve follow specific HIPAA requirements to protect health data. But when non-HIPAA regulated entities hold that same data, those requirements fall away. Strong privacy and security protections should extend to anyone who holds patients’ health information. 

Judy Faulkner
CEO & Founder, Epic

Given the unusual and unique wording of the “information blocking rule,” a cynic could argue that the entire rule was an intentional end-run around HIPAA, promoted by commercial interests eager to capitalize on lucrative health data (in a host of new directions), but who’s to say? One big takeaway is that Alissa found no vulnerabilities in the two APIs she tested from the EHR vendor community.

Cerner believes patients have the right to access their healthcare data in any manner they choose, and Cerner undergoes strict standards to protect data in our systems. However, we share concerns over the lack of consistent regulation of third-party developers. Cerner has been involved in industry and government conversations for years. We believe security and privacy protections should be extended for any entity working with identifiable health information and welcome industry conversation. 

David Feinberg
CEO & President, Cerner

There’s no immediate fix because again, the number of FHIR APIs in production today is unknown and opinions vary widely on next steps.

By CHIME’s estimation, what is needed is a national privacy law that gives consumers protection around how their health data is used when released to third parties not governed by HIPAA. Further, the Federal Trade Commission (FTC) must be adequately resourced to address the burgeoning industry of third-party apps. To date this agency has only received 5 reports of breaches, which we know does not represent the true state of things. We applaud the FTC for the recent guidance they issued indicating they will be paying much closer attention to these issues, as they explicitly state that third-party apps are included in the definition of personal health records. 

Mari Savickis
VP, Public Policy
College of Healthcare Information Management Executives (CHIME)

Alissa’s research is the kind of sunlight that not only exposes technical vulnerabilities but also the regulatory failings of government (Congress, HHS, ONC, etc…) to get this first attempt at legislating new access to patient data correct. As it stands today, it is simply too easy for developers to avoid the time and considerable cost of securing their APIs. Not all of the APIs are vulnerable, of course, but it is relatively easy to find the ones that are, so the proverbial barn door is now wide open to bad actors, and the risks to protected health information (PHI) are significant, with very limited legal recourse.

The final takeaway is this. FHIR is a great standard for APIs in healthcare, but until there is industrial-strength certification and binding regulation that carries real penalties, software developers are effectively rewarded for taking the path of least resistance to revenue, and the exposure can be measured in the millions of health records. We can’t expect, nor should we, voluntary compliance with security for something as critical as personal health information.

In the meantime, whatever happens — or doesn’t — the advice from Theresa Payton demands everybody’s undivided attention.

Criminals always go where the action is. As APIs continue to be the solution of choice for transformation efforts, the attackers will perfect their tradecraft to attack them, and Gartner estimates that by 2022, API attacks will stand out as the most frequent attack method to compromise web applications. If peer reviews and red teaming are not on the top of your priority list now, read Alissa’s research and then reprioritize. 

Theresa Payton
CEO Fortalice Solutions
Former White House CIO
Author of Manipulated

[This article first appeared in Forbes in October of 2021]

Filed Under: Cybersecurity Tagged With: API, cybersecurity, EHR, FHIR, health records, infosec

11 Reasons Why We Need To End Employer Sponsored Health Insurance (ESI)

February 29, 2020 By Dan Munro

This post was originally published as 10 Reasons in Forbes last year, but there’s another big one I’ve added that’s critical as it relates to employers who provide health benefits to their employees – so I’m updating the post to reflect an important addition to the original list of 10. Here’s the list – with some minor readability edits.

  1. Employer Sponsored Insurance (ESI) was never the product of intelligent system design. In fact, there’s no clinical, fiscal or moral argument to support this unique financing model at all. It is quite literally an accident of WWII history and America is the only industrialized country that uses employment as the governing entity for health benefits. Employees are literally tethered to an employer for healthcare. We could have changed this accidental system design decades ago, but we never did.
  2. Whatever the business of private industry (either privately held or publicly traded), most enterprises aren’t actually in the business of healthcare so the vast majority have no specific healthcare domain expertise – nor should they seek to acquire it because it will never be a true focus or core competency. Large group purchasing models (like the one announced between Amazon, Berkshire and Chase) may purchase (or build) component elements of that domain expertise for their employees, but any of those fiscal or clinical benefits won’t auto-magically accrue to other companies – and let’s not forget – at least some of those “other” companies are direct competitors so the idea of sharing insights or lower pricing doesn’t make sense – and further assumes that hospitals or providers would agree to extend discounted pricing. Why on earth would they do that?
  3. Unlike Medicare or Medicaid, ESI (and commercial insurance more broadly) supports inelastic healthcare pricing because it is literally whatever the market will bear based on group purchasing dynamics. This is also why Obamacare health plans are entirely dependent on a laundry list of subsidies. As individuals, few Americans can afford unsubsidized Obamacare plans outright. This also makes it entirely pointless to go through a lengthy legislative repeal process because it’s relatively easy to cripple Obamacare outright. Just remove the fiscal subsidies – which is exactly what’s happened (or planned). As a footnote to this, there are about 30 million Americans who are currently uninsured and another 40 million Americans who are underinsured.
  4. The larger the employer (or group), the larger the fiscal benefit to the individual employer (or group) because of the group dynamic. That’s a compelling argument in favor of merger mania (leading to mega groups of millions of employees), but those effects don’t just ‘trickle down’ to small employers. In fact, new business models (some with enviable ‘unicorn’ status in the ‘sharing economy’) are designed to ignore health insurance or health benefits outright. They may funnel employees to group-purchasing options – but that’s a marketing sleight of hand to avoid the messy complexities and fiscal burden of managing ESI outright. Over 90% of net new job growth between 2005 and 2015 was from employers who offered no health benefits.
  5. Like most other employment functions, ESI — and the employment process known as open-enrollment — is arbitrarily tied to our annual tax calendar, but that has no correlation or applicability to human physiology or biology. We should all contribute (through taxation) to our healthcare system, of course, but a period of ‘open enrollment’ (with a very specific number of days) serves no clinical or moral purpose (other than to continually update pricing or monitor for pre-existing conditions and possible coverage denial).
  6. While big commercial titans capture all the headlines for many industry innovations (including high-profile healthcare initiatives like the ABC one referenced above), about 96% of privately-held companies have fewer than 100 employees. Each of these employers is effectively its own ‘tier’ of coverage and benefits. That works to support tiered (and highly variable) pricing, but the only purpose of that is to maximize revenue and profits for businesses actually in the healthcare industry.
  7. Big employers are notorious for binge (and purge) cycles of headcount that results in a constant churning of employees. Today, the average employment tenure at any one company is just over 4 years. Among the top tech titans — companies like Facebook, Google, Microsoft and yes, Amazon – average employment tenure is less than 2 years. This constant churning of benefit plans and provider networks is totally counter-productive because it supports fragmented, episodic healthcare for billing purposes – not coordinated, long-term or preventative healthcare. Insurance companies faced this same dilemma years ago – only to be penalized when those efforts (which led to healthier members) were delivered straight to their competitors at the next employer. So they abandoned many of those initial efforts around long term preventative health.
  8. ESI represents a 4th party — the employer – in the management of a complex benefit over a long period of time. That function is administratively difficult for even 3-party systems (payer, provider and patient) in other parts of the world. So why do we need a 4th party to add to the layered complexity? We don’t.
  9. ESI is heavily subsidized through local, state and federal tax exclusions and this is not a trivial amount because it’s revenue that local, state and federal governments never see. By some estimates, the local, state and federal tax exclusions combined amount to about $600 billion per year. This makes the tax exclusions tied to ESI the 2nd largest entitlement behind Medicare. It’s effectively corporate welfare specifically designed to support expensive healthcare pricing.
  10. The employer contribution to ESI is significant – typically over 55% of the cost for PPO coverage (family of 4) – but this also helps employers keep wages artificially depressed. In fact, in recent years, the galloping cost of healthcare has tilted unequally to employees – and shifted away from employers. The days of ‘sharing’ those annual cost increases equally are clearly over.
  11. In another sleight of hand – the big brand insurers like Aetna, Cigna or Blue Cross will distribute a wallet card to employees for health benefits, but it hides the fact that all too often, those big insurance companies aren’t carrying the fiscal risk. They’re simply being paid to design and manage the benefits of networks and providers/hospitals (based on tiered pricing). The big brand health insurers also handle claims processing, and this outsourcing service (literally called Administrative Services Only or ASO) typically applies only to very large employers, but today, thanks to technology, even relatively small companies can be “self-insured.” Through the years, this migration (to employers as unregulated insurance companies) has resulted in about 61% of covered workers being under the umbrella of unregulated, self-insured employers. Why would employers want to do this? Because as self-insured companies they aren’t under any insurance regulation. Self-insured employers are entirely free to design benefit plans (with the assistance of big insurers and brokers) that suit their fiscal objectives.

The combined effect of ESI – again, uniquely American – is the most expensive healthcare system on planet earth and one of the biggest systemic flaws behind this ever-growing expense is ESI. As a distinctly separate flaw (I call it Healthcare’s Pricing Cabal), actual pricing originates elsewhere, of course, but employers really have no ceiling on what they will pay – especially for smaller (under 500) employer groups. This year – 2019 – America will spend more than $11,000 per capita – just on healthcare, and the average cost of PPO coverage through an employer for an American family of four is now over $28,000 per year.

Employers love to complain openly and often about the high-cost of healthcare, but they also benefit from both the corporate welfare of tax exclusions and depressed wages. The evidence of their real reluctance to systemic change is their strong opposition to the Cadillac Tax because it was the one tax proposal (through the Affordable Care Act) that was specifically targeted to cap the tax exclusion on very rich (so-called “Cadillac”) health plans offered by employers. The Kaiser Family Foundation has a compelling graphic on the long term and corrosive effect of ESI.

Don’t get me wrong, employers could band together and lobby to change the tax code to end all the fiscal perversions of ESI – but they won’t. They love to complain about high costs, but collectively, they are as culpable as large providers who work to propel prices ever higher – with no end in sight.

There is no miraculous solution to this – no magic wand against the trifecta of accidental system design that keeps pricing spiraling ever upward. That trifecta is actuarial math, ESI, and the transient (annual) nature of health benefits delivered at scale through literally tens of thousands of employers. Commercial (or private) ventures of every stripe and size can certainly lobby for legislation to change the moral morass of tiered pricing through employers, but they haven’t so far, likely won’t – and they certainly can’t end it. We are living with this moral mess as an accident of history. We need to end it.

The bad things [in] the U.S. health care system are that our financing of health care is really a moral morass in the sense that it signals to the doctors that human beings have different values depending on their income status. For example, in New Jersey, the Medicaid program pays a pediatrician $30 to see a poor child on Medicaid. But the same legislators, through their commercial insurance, pay the same pediatrician $100 to $120 to see their child. How do physicians react to it? If you phone around practices in Princeton, Plainsboro, Hamilton – none of them would see Medicaid kids. Uwe Reinhardt (1937 – 2017) – Economics Professor at the Woodrow Wilson School of Public and International Affairs at Princeton

Filed Under: ESI

Trump’s Executive Order Could Bankrupt The Medicare Trust Funds In Less Than 5 Months

February 29, 2020 By Dan Munro

THE VILLAGES, FLORIDA, UNITED STATES – 2019/10/03: U.S. President Donald Trump signs Executive Order #13890 at the Sharon L. Morse Performing Arts Center. (Photo by Paul Hennessy/SOPA Images/LightRocket via Getty Images)

On October 3rd of last year, President Trump signed an Executive Order (EO) #13890 with sweeping implications for how Medicare is priced and, by extension, how much the government winds up spending annually on Medicare. In fact, the whole EO signing ceremony is really designed to satisfy the optics of legislative action where none is legally permissible. Congress still holds the purse strings, so any increase to Medicare spending would obviously require congressional approval. Executive Orders have all the pomp and appearance of real legislation – including the requisite chorus of fist pumps and smiling faces – but they aren’t.

Congress keeps a pretty firm hand on the reins when it comes to Medicare spending. I don’t know what legal authority the administration hopes to draw on, especially if what it wants to do is increase the prices it pays for services through traditional Medicare.

Nicholas Bagley, Law Professor – University of Michigan

Independent of Trump’s legal authority through executive decree (I’m not an attorney), the actual wording of the EO appears to be hastily written and fraught with ambiguity around intent, but then that also makes perfect sense when speed to the signing ceremony is the top priority. Here’s the wording in the EO that I’m referencing.

Section 3(b): The Secretary, in consultation with the Chairman of the Council of Economic Advisers, shall submit to the President, through the Assistants to the President for Domestic and Economic Policy, a report within 180 days from the date of this order that identifies approaches to modify Medicare FFS payments to more closely reflect the prices paid for services in MA and the commercial insurance market, to encourage more robust price competition, and otherwise to inject market pricing into Medicare FFS reimbursement.

Long sentence aside, HHS Secretary Alex Azar is to submit a report within 180 days “that identifies approaches to modify Medicare Fee-For-Service (FFS) payments to more closely reflect the prices paid for services in MA and the commercial insurance market.” Taken literally, that’s a huge price increase – and could easily bankrupt the Medicare Trust Funds (yes, there’s more than one) in a matter of months. In fact, many argue that our current healthcare cost crisis stems from inelastic pricing in the commercial insurance market.

The U.S. spends twice as much per person on health care as other high-income countries. The reason we spend more is because of higher prices, and those higher prices are mainly in the commercial insurance market. When it comes to keeping health care prices down, it’s hard to see how making Medicare look more like the private insurance market would be progress.

Larry Levitt, Executive Vice President for Health Policy, Kaiser Family Foundation

Granted, it’s relatively easy to be sweeping with reform ideas when healthcare pricing is so large and opaque, right? I mean who even knows what pricing looks like in “the commercial insurance market?” We all know it’s highly variable, but that’s not very mathematical, so how can anyone really score the total cost if commercial pricing is so mysterious? In the phrase made famous by Matt Damon in the movie The Martian, “let’s do the math.”

Using claims data from about 1,600 hospitals across 25 states, RAND Health Care published a study earlier this year suggesting that the national average for commercial inpatient pricing was +241% of Medicare pricing (2017). Here’s the actual quote:

Relative prices, including all hospitals and states in the analysis, rose from 236 percent of Medicare prices in 2015 to 241 percent of Medicare prices in 2017.

RAND Health Care Study: Price Paid to Hospitals by Private Health Plans Are High Relative to Medicare and Vary Widely

While RAND didn’t extend their analysis to include traditional (non-surgical) outpatient pricing – it’s reasonable to assume that commercial rates for outpatient prices are on par with inpatient prices – but let’s err on the side of caution and use +159% of Medicare for outpatient commercial pricing. Combining these two percentages equals a blended rate of +200%. At the simplest level, the RAND study suggests that healthcare pricing through commercial insurance is roughly double what Medicare is priced at. That’s the first variable.  

The second variable is annual Medicare spending. The Centers for Medicare and Medicaid Services (CMS) projects that Medicare will spend about $857 billion in 2020 – but let’s round down for simplicity to $850 billion. Using the blended rate from above (2X), a rough calculation suggests that by using commercial pricing, Medicare will spend about $1.7 trillion in 2020 – or about $33 billion per week.

Our final variable is the balance in the Medicare Trust Fund. In April of this year, the Board of Trustees of the Medicare Trust Funds released their annual report indicating that the balance in the Medicare Trust Funds at the end of 2018 was about $305 billion.

[Table II.B1 from the Annual Report of the Board of Trustees of the Federal Hospital Insurance and Federal Supplementary Medical Insurance Trust Funds]

Keeping in mind that Medicare is reasonably funded for the 2020 forecast ($857 billion), let’s also say that doubling Medicare pricing only draws down from the Trust Funds by 50% per year (or roughly $16 billion per week instead of the full $33 billion per week). At an increased spending rate of $16 billion per week, the Medicare Trust Funds (about $305 billion) would be depleted in a little over nineteen weeks – or less than 5 months. If, in fact, we use the full $33 billion per week price increase, the Trust Funds would reach $0 in just over 9 weeks.

Granted, none of this is detailed financial forecasting (and I’m not an accountant) so I do have to emphasize that this is all back-of-the-envelope math, but it does expose at least some of the financial risk of moving Medicare to commercial pricing. Frankly, I don’t think this was the original intent, but by adding the phrase “… and the commercial insurance market” it’s really impossible to decipher just what the real intent was. At least until we see the detailed report Trump called for (April 2020), we’ll just have to hope the intent isn’t to bankrupt the Medicare Trust Funds.

______________________
NB: This post first appeared on Forbes in October of 2019 and has been lightly edited.

Filed Under: Trump Tagged With: Medicare, Trump, Trumpcare



Copyright © 2023 · Dan Munro · All Rights Reserved