Kusserow on Compliance: FBI on cybersecurity—advice and tips

The FBI recently made presentations on cyber security at the Boston Conference on Cyber Security and at the American Hospital Association annual meeting. Key points from these presentations included, underscoring that the FBI is the lead federal agency for investigating cyber-attacks by criminals, overseas adversaries, and terrorists. The FBI views cyber threats seriously, as a growing problem as cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Both private and public sector networks are targeted by adversaries for trade secrets, sensitive business data, and privacy information. Universities are targeted for their research and development. Individuals are targeted by fraudsters and identity thieves. Children are targeted by online predators. The FBI has been gearing up to the challenges from these threats by enhancing its Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and private computer networks. However, they are struggling against a number of challenges, including finding talented workers in competition with the private sector, and the fact that a majority of cyber-attacks are never reported because parties want to address the problem without getting entangled in an FBI investigation. This hampers their work. The FBI desires to encourage better reporting, emphasizing that the agency has an interest in protecting private information and data; any internal information received will not be used against a provider, as they will be treated as a victim. The FBI recognizes that health care organizations are major targets for cyber-criminals, because the sensitive data they collect in droves can be sold at a high price for use in fraud and identity theft. Medical devices are also increasingly becoming a target.

The FBI is encouraging health care companies to share some basic network information with their local FBI offices, before an attack occurs, and to join an information-sharing group with other companies in their industry. The following observations and advice came from the two FBI presentations:

FBI Advice and Tips

  1. People are “weak links” in cyber-attacks, so train them to recognize and prevent cybercrimes.
  2. Review if everyone with high-level access to a hospital’s database needs to have that access.
  3. It is important to update and patch systems regularly to prevent intrusion.
  4. More people with security access, the easier it is to breach.
  5. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access.
  6. Develop a business continuity plan to prevent down time.
  7. Establish real-time data backups to permit work to continue.
  8. Organizations should establish closer ties with the local FBI before there is any incident.
  9. Those harmed in a cyber-attack will be treated like victims of a crime.
  10. Called for building a relationship with the local FBI.
  11. Organizations should join information-sharing groups with others in their industry.
  12. Regular systems tests can also help flag vulnerabilities before a hacker can get in.
  13. Don’t assign responsibility for cyber security to someone at a low level in the organization.
  14. Cyber security is an enterprise risk and executive and board level interest is needed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Owner of compounding company at the center of the 2012 meningitis outbreak acquitted of murder

A Boston jury convicted Barry Cadden, the owner and head pharmacist of the New England Compounding Center (NECC), of racketeering and mail fraud in connection with the 2012 nationwide fungal meningitis outbreak but acquitted him of 25 second-degree murder charges. His sentencing is scheduled for June 21, 2017; he faces a statutory maximum sentence of up to 20 years’ imprisonment on each of the mail fraud and racketeering counts.

Outbreak. In September 2012, the Centers for Disease Control and Prevention (CDC) began investigating a multistate outbreak of fungal meningitis and other infections among patients who received contaminated preservative-free methylprednisolone acetate (MPA) steroid injections from NECC. The CDC reported that 753 patients in 20 states were diagnosed with a fungal infection after receiving injections of NECC’s MPA. Of those 753 patients, the CDC reported that 64 patients in nine states died.

Indictment. In December 2014, the U.S. Attorney’s Office in Massachusetts announced a 131-count federal criminal indictment in connection with the outbreak. Cadden and NECC’s supervisory pharmacist, Glenn A. Chin, were charged with 25 acts of second-degree murder in Florida, Indiana, Maryland, Michigan, North Carolina, Tennessee and Virginia. Twelve other individuals associated with NECC, including six other pharmacists, the director of operations, the national sales director, an unlicensed pharmacy technician, two of NECC’s owners, and one other individual were charged with additional crimes.

Prosecutors alleged that Cadden directed and authorized the shipping of contaminated MPA nationwide. In addition, he authorized the shipping of drugs before test results confirmed their sterility, failed to notify customers of nonsterile results, and compounded drugs with expired ingredients. NECC also used fictional and celebrity names on fake prescriptions to dispense drugs.

 

FDA considers establishing a new ‘Office of Patient Affairs’

The FDA announced that it is establishing a public docket to solicit public input on ongoing efforts to enhance mechanisms for patient engagement at the agency. In addition, to achieve a more transparent, accessible, and robust experience for patient communities, the FDA is considering establishing a new Office of Patient Affairs.

On November 4, 2014, the FDA established a docket (FDA-2014-N-1698) for the public to submit information related to the FDA’s implementation of the Food and Drug Administration Safety and Innovation Act (FDASIA) (P.L. 112-144), Patient Participation in Medical Product Discussions under FDASIA section 1137.

Based on the comments received, the FDA identified objectives for its patient engagement activities. First, to develop a nuanced understanding of the patient experience of disease by: (1) gathering patient perspective on what is clinically meaningful; (2) assessing attitudes towards benefit-risk and tolerance of uncertainty; and (3) enhancing the science of eliciting and integrating patient input.

Second, to support patients and their advocates in understanding regulatory processes and navigating the FDA by: (1) communicating relevant FDA positions, procedures, and activities; (2) connecting patients and their advocates with the appropriate resources; and (3) resolving discrete challenges and needs.

To achieve these objectives, the FDA is considering establishing a central “Office of Patient Affairs.” The responsibilities of this central office would include:

  • offering a single, central entry point to the FDA for the patient community;
  • providing triage and navigation services for inbound inquiries from patient stakeholders;
  • hosting and maintaining robust data management systems that would incorporate and formalize knowledge shared with the FDA by patient stakeholders and the FDA’s relationships with patient communities; and
  • developing a scalable and forward-looking platform for communicating with patient stakeholders, particularly online channels.

The Office of Patient Affairs would be directly accountable to the medical product Centers. A regular evaluation of this central office and of FDA’s overall patient engagement efforts are also proposed.

 

 

Biosimilar dispute headed to the Supreme Court

Biosimilar manufacturers will soon have a definitive answer on the timing of giving notice of commercial marketing, thanks to the Supreme Court. On January 13, 2017, the Court granted and consolidated Sandoz, Inc.’s petition for writ of certiorari and Amgen, Inc.’s conditional cross-petition for writ of certiorari. The dispute appeals the Federal Circuit’s July 21, 2015 decision holding that Amgen was entitled to an additional 180-day marketing exclusivity period because of Sandoz’s late notification of its intention to market a biologic product that is biosimilar to Amgen’s Neupogen® (see Court interprets biosimilar ‘enigma’ in favor of abbreviated biologic license applicant, Health Law Daily, July 22, 2015).

The Court also granted Apotex, Inc.’s motion for leave to file a brief as amici curiae; Apotex was involved in a similar dispute with Amgen (see Biosimilar applicant must give 180-day post-licensure notice to reference sponsor, Health Law Daily, July 6, 2016), though the Court denied Apotex’s petition for writ of certiorari earlier this term (see SCOTUS denies cert in biosimilar licensing dispute, Health Law Daily, December 12, 2016).

The Biologics Price Competition and Innovation Act (BPCIA), which was passed in 2010 as sections 7001-7003 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), created an abbreviated pathway for FDA approval of a “biosimilar” biologic product. Amgen originally brought suit against Sandoz in federal court asserting various violations of Amgen’s approved license for its cancer-fighting biologic Neupogen (filgrastim) and infringement of Amgen’s patent for a particular method of using filgrastim. The Court will be hearing arguments relating to Sandoz’s question regarding the 180-day notice of commercial marketing and Amgen’s cross-petition on the optionality of a process to settle patent disputes known as the “patent dance” (see Shall we dance? Biosimilars step toward new legal and regulatory future, Health Law Daily, March 31, 2016).

Makeup of the Court

Since the February 13, 2016, death of Justice Antonin Scalia, there have been eight Justices sitting on the Court. President Barack Obama’s nominee to replace Scalia, D.C. Court of Appeals Chief Judge Merrick Garland, was not considered by the Senate; President-elect Donald Trump plans to nominate a successor early into his term. In order to receive a vote in cases pending before the Court, a Justice must be seated on both the day of the oral argument and the day the written decision is released. Trump’s nominee will only be part of the decision if he or she is confirmed and duly sworn in before the oral arguments, which are not yet scheduled.