Software Vulnerability Endangers EHR, Devices; HHS Websites Unaffected

The “Heartbleed” bug, discovered last week by two information technology (IT) security teams, is a vulnerability in popular encryption software used by many medical professionals to protect patient data. Electronic health record (EHR) systems often use OpenSSL’s encryption software to secure protected health information (PHI). Heartbleed can reveal the contents of a server’s memory to hackers, including private data such as usernames, passwords, and credit card numbers. Attackers are also able to obtain copies of a server’s digital keys and use those keys to impersonate servers or to decrypt communications. Security experts estimate that 66 percent of all devices connected to the internet, including internet-capable medical devices, could be attacked using Heartbleed.

Heartbleed Danger

According to members of the security team that discovered Heartbleed, the bug allows anyone on the internet to access and read the memory of systems protected by the vulnerable versions of the OpenSSL software. Affected information includes secret keys used to identify service providers and to encrypt data, as well as user names, passwords, and actual saved content, allowing attackers to steal data directly from the services and users and to impersonate services and users. A fixed version of OpenSSL has been released, but the vendors of operating systems, appliances, and independent software all must adopt the fix for each program that uses OpenSSL. Further, users and administrators should change their passwords to prevent use of their accounts by anyone who has accessed their private account information. Passwords changed before the fixed version is installed are not secure.
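The order of operations in the paragraph above (install the fixed build first, then reissue keys and reset passwords) is easy to get wrong across a large fleet. As an added example, not part of this article and not a tool from OpenSSL or any vendor, the following Python script triages a constructed host inventory: it flags builds in the affected range (upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2, a range the article does not state) and reports key and password rotations that predate the patch and therefore have to be repeated. Host names, versions and dates are made up.

```python
"""Heartbleed remediation triage over a constructed host inventory.

Two checks drawn from the advisory text: (1) does the OpenSSL build fall in the
affected range, and (2) were keys and passwords rotated only *after* the fixed
build went live, since secrets rotated while the bug was still present are
themselves exposed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Affected range (a fact not stated on the page): upstream OpenSSL 1.0.1 through
# 1.0.1f and 1.0.2-beta1 contain the bug; 1.0.1g and 1.0.2-beta2 fixed it.
# The 0.9.8 and 1.0.0 branches never shipped the heartbeat extension code.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")


def is_vulnerable_version(version: str) -> bool:
    """True if an upstream OpenSSL version string falls in the Heartbleed range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) through "f" affected, "g" and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"        # only 1.0.2-beta1 was affected
    return False


@dataclass
class Host:
    name: str
    openssl_version: str                         # upstream version running at disclosure
    patched_on: Optional[date] = None            # fixed build installed (upstream or distro backport)
    keys_reissued_on: Optional[date] = None      # new private key and certificate deployed
    passwords_rotated_on: Optional[date] = None  # user credentials reset


def outstanding_steps(host: Host) -> list[str]:
    """Remediation steps a host still owes, in the order they must happen."""
    if not is_vulnerable_version(host.openssl_version):
        return []
    if host.patched_on is None:
        # Rotating anything before the patch is wasted effort: the new secrets
        # can be read back out of process memory just like the old ones.
        return ["install fixed OpenSSL build before rotating any secrets"]
    todo = []
    # A rotation on the same day as the patch is accepted as post-patch here.
    if host.keys_reissued_on is None or host.keys_reissued_on < host.patched_on:
        todo.append("reissue private key and certificate, revoke the old one")
    if host.passwords_rotated_on is None or host.passwords_rotated_on < host.patched_on:
        todo.append("reset user passwords (pre-patch resets do not count)")
    return todo


# Constructed inventory: names, versions and dates are illustrative only.
INVENTORY = [
    Host("ehr-portal", "1.0.1e", patched_on=date(2014, 4, 9),
         keys_reissued_on=date(2014, 4, 10), passwords_rotated_on=date(2014, 4, 10)),
    Host("claims-api", "1.0.1f", patched_on=date(2014, 4, 10),
         keys_reissued_on=date(2014, 4, 8), passwords_rotated_on=date(2014, 4, 11)),
    Host("legacy-lab", "0.9.8y"),
    Host("device-gw", "1.0.2-beta1"),
    Host("vpn-head", "1.0.1g"),
]


def triage(hosts=INVENTORY) -> dict[str, list[str]]:
    """Map each host name to its outstanding steps; an empty list means nothing is owed."""
    return {h.name: outstanding_steps(h) for h in hosts}


if __name__ == "__main__":
    for name, steps in triage().items():
        print(f"{name:12} {'OK' if not steps else '; '.join(steps)}")
```

One caveat the version check cannot cover on its own: several Linux distributions backported the fix while keeping the old upstream version number in the package name, so `patched_on` has to be filled from the package changelog or the build date rather than inferred from the version string.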

The security team that discovered Heartbleed said, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

Impact on Health Industry

OpenSSL is an open source protocol. Open source means users are universally granted free license to the product, which is not copyrighted. As a result, many health IT-related programs and devices use the protocol, including those that use Apache servers. A “cursory review” conducted by health IT developer Lauren Still found many web-based EHR platforms were vulnerable to the bug. Additionally, some Health Insurance Exchanges operated by states under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) were exposed. Medical Device and Diagnostic Industry says that the bug could be used to attack systems used to communicate with insulin pumps, home health care networks, and medical devices such as MRI machines.

Safety of,

When the discovery of Heartbleed was announced, the Department of Homeland Security’s (DHS) U.S.-Computer Emergency Readiness Team (US-CERT) issued an immediate alert. Other DHS teams have reached out to vendors and asset owners to notify and assist them in determining vulnerabilities and protecting their data. DHS announced that “the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.” Building on DHS’s announcement, a CMS spokesperson stated “Due to CMS’s security protections, consumer accounts are not affected by this vulnerability. Additionally, other CMS consumer accounts, including, were not affected by this vulnerability. Per standard practice, CMS continues to work with the states to monitor this issue and ensure that appropriate security measures continue to be in place.”

Developer and cryptography consultant Filippo Valsorda published a tool that allows users to check websites for Heartbleed vulnerability. For websites that require passwords, LastPass created a similar checker tool. Wolters Kluwer tested a number of HHS websites, and confirmed that in addition to, and the FDA’s online Drug Registration and Listing system were not vulnerable to Heartbleed; tests revealed that and CMS’s EHR Incentive Program Registration & Attestation system may be affected.

Study Questions Government’s $1.3 Billion Stockpiling of Tamiflu® and Relenza®

Researchers at the Cochrane Collaboration and BMJ (formerly British Medical Journal) are questioning the U.S. government’s spending of $1.3 billion on stockpiling antivirals such as Tamiflu® and Relenza®, noting that there is no credible evidence demonstrating that the two neuraminidase inhibitors lower hospital admissions and complications of influenza. While clinical trials showed that influenza-like symptoms in Tamiflu and Relenza takers were alleviated a half-day sooner than in patients who took a placebo, the antivirals actually increased occurrences of nausea, vomiting, headaches, psychiatric disturbances, and renal events. Researchers also found that there was insufficient evidence to demonstrate that Tamiflu and Relenza prevent person-to-person spreading of influenza.

“We now have the most robust, comprehensive review on neuraminidase inhibitors that exists,” said BMJ Editor-in-Chief David Tovey. “Initially thought to reduce [hospitalizations] and serious complications from influenza, the review highlights that Tamiflu is not proven to do this, and it also seems to lead to harmful effects that were not fully reported in the original publications. This shows the importance of ensuring that trial data are transparent and accessible.”

According to Cochrane and BMJ, the evidence previously presented to government agencies regarding Tamiflu and Relenza, which subsequently led to the expensive stockpiling of the antivirals, was incomplete. The review, “Neuraminidase inhibitors for preventing and treating influenza in healthy adults and children,” by contrast drew on 20 Tamiflu and 26 Relenza trials involving over 24,000 people. “Drug approval and use cannot be based on biased or missing information any longer,” stated review authors Dr. Tom Jefferson, Dr. Carl Heneghan, and Dr. Peter Doshi. “We risk too much in our population’s health and economy. This updated Cochrane review is the first time a Cochrane systematic review has been based only on clinical study reports and regulator’s comments. It is the first example of open science in medicine using full clinical study reports available without conditions. And therefore the conclusions are that much richer. We urge people not to trust in published trials alone or on comment from conflicted health decision makers, but to view the information for themselves.”

According to Cochrane, “the review clearly recommends that guidance on the use of both neuraminidase inhibitors (oseltamivir and zanamivir) in the prevention or treatment of influenza should be revised to take account of the evidence of small benefit and increased risk of harms.” In addition, given the lack of evidence that supports original claims of the antivirals’ benefits, the review raised questions on whether stockpiling of the drugs is still justifiable.

Kusserow’s Corner: Dental Fraud and Abuse

We don’t often hear news of dental fraud and abuse cases. This is a result of the more limited dental benefits provided by government programs. Occasionally, we are reminded that enforcement problems extend to this area as well. Recently, the HHS Office of Inspector General (OIG) has focused on it. The OIG noted that Medicaid is the primary source of dental coverage for approximately 35 million children and that in recent years a number of dentists and dental chains have been prosecuted for providing unnecessary dental procedures to Medicaid children, as well as for causing harm to children while performing those procedures.

The OIG conducted a review of the Medicaid coverage that provides children in low-income families with access to dental care in New York and issued a report entitled “Questionable Billing for Medicaid Pediatric Dental Services in New York” (OEI-02-12-00330). It analyzed the New York Medicaid program, specifically looking at fee-for-service paid claims for general dentists and orthodontists who provided services to 50 or more children in 2012.

Using several measures, the OIG identified dental providers with questionable billing who were extreme outliers when compared to their peers: 23 general dentists and six orthodontists in New York. Medicaid paid these providers $13.2 million for pediatric dental services in 2012. Each of them received extremely high payments per child; provided an extremely large number of services per child; or provided certain selected services, such as pulpotomies or extractions, to an extremely high proportion of children. Additionally, almost a third of the general dentists were associated with a single dental chain that had settled lawsuits for providing children with services that were medically unnecessary or that failed to meet professionally recognized standards of care.

The OIG noted that its findings raise concerns that certain providers may be billing for services that are not medically necessary or were never provided. The findings also raise concerns about the quality of care provided to Medicaid children. Although some of the billing may be legitimate, providers who bill for extremely large amounts of services warrant further scrutiny. Based upon its findings, the OIG recommended that the New York State Department of Health:

  1. Continue to monitor general dentists and orthodontists to identify patterns of questionable billing,
  2. Ensure that the State employs adequate safeguards to monitor general dentists and orthodontists under managed care, and
  3. Ensure appropriate follow-up on the general dentists and orthodontists identified as having questionable billing.

The New York State Department of Health neither agreed nor disagreed with the recommendations, but identified actions it has taken or plans to take that support the first recommendation. It also outlined current requirements and processes that are in place that support the second recommendation. It did not indicate whether any steps were planned to address the third recommendation.

Recent examples of dental fraud and abuse enforcement actions include the unlicensed owner of Indiana-based Anderson Dental Center, who was charged with Medicaid fraud, theft, money laundering, and forgery. Eight employees, including three dentists, are also facing various charges that include Medicaid fraud, money laundering, and forgery in connection with submitting fraudulent claims to the state Medicaid program for dental services that were never provided and with falsifying documents.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2014 Strategic Management Services, LLC. Published with permission.

Sebelius Resigns as HHS Secretary, Obama Nominates OMB Director

President Barack Obama announced the resignation of HHS Secretary Kathleen Sebelius in a press conference on April 11, 2014, ending her nearly two-term tenure with the Obama administration. President Obama then nominated Sylvia Mathews Burwell, the Director of the Office of Management and Budget (OMB), as her replacement. Sebelius’ resignation comes one day after it was reported that the Health Insurance Exchanges under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) had garnered more than 7.5 million signups, exceeding HHS’s original goals. The HHS Secretary oversees the 11 operating divisions and eight agencies in the U.S. Public Health Services and three human service agencies.

President Gives Thanks

According to Obama, Sebelius told him in early March that she planned to step down from her post following the March 31, 2014 end of what she predicted to be a successful open enrollment period. After “five years of extraordinary service” and 7.5 million new insured Americans, Obama said Sebelius had “earned that right.” Sebelius, Obama said, would “go down in history” for serving as the Secretary of HHS when it was “finally declared that quality, affordable health care is not a privilege but a right for every single citizen of the United States of America.” In her tenure, Sebelius led achievements—“often without fanfare, often without acknowledgement”—that Obama said were critical to the health of Americans.

Critical Responses to Website Failures

Despite the recent good news, the rocky start of—as well as the resulting backlash from those across the aisle, who called for the Secretary’s resignation—tainted the reputation of Sebelius and of the Obama administration as a whole. The initial failure of the website spurred mockery from Saturday Night Live and headlines like The Daily Beast’s “Kathleen Sebelius’s Daily Show Disaster.” In her Daily Show interview, host Jon Stewart challenged Sebelius, saying, “I’m going to try and download every movie ever made, and you’re going to try and sign up for Obamacare—and we’ll see which happens first.”

Flaws in Management

In October 2013, Sebelius, the former governor of Kansas and former insurance commissioner of the state, told the House Energy and Commerce Committee that she was responsible for the “debacle” of the flawed roll-out of the federal health insurance website. She also told the Committee that the two weeks allotted for end-to-end testing of the website was inadequate for the task, but that none of the contractors hired by the government to create the website suggested delaying the launch past October 1. Health Law Daily reported on the Committee meeting in “Sebelius accepts responsibility, rejects suggestion to extend enrollment period,” October 30, 2013.

Health Reform WK-EDGE reported that, in December 2013, Sebelius wrote on her blog, “The launch of was flawed and simply unacceptable.” She announced that she would be undertaking “a series of initial steps in the process of better understanding the structural and managerial policies that led to the flawed launch of” These steps would focus on the government’s work with contractors in building the website, which according to Sebelius was critical in that “CMS alone spent $5.3 billion in 2013 on contracting engagements.” Sebelius wrote, “We must take steps to ensure that our contractors are well managed, and that they fulfill their commitments and provide good services and products for our tax dollars.”

Sylvia Mathews Burwell

Obama nominated Sylvia Mathews Burwell as Sebelius’ replacement, saying, “I could choose no manager as experienced, as competent as my current Director of the Office of Management and Budget.” Obama stated of Sebelius, “I will miss her advice. I will miss her friendship. I will miss her wit.” However, he said, Burwell “holds the same traits in abundance.”

According to her White House biography, Burwell has served as the President of the Walmart Foundation and as the President of the Global Development Program at the Bill & Melinda Gates Foundation, for which she also served as the Chief Operating Officer. During the Clinton Administration, she held the positions of Deputy Director of the OMB, Deputy Chief of Staff to the President, Chief of Staff of the Secretary of the Treasury, and Staff Director of the National Economic Council.

At the press conference, Sebelius welcomed Burwell as her replacement, expressing the strong beliefs of HHS in its “important mission” and referencing a quote that is engraved in the walls of the Hubert H. Humphrey Building, which will soon house Burwell’s office: “It was once said that the moral test of government is how that government treats those who are in the dawn of life, the children; those who are in the twilight of life, the elderly; and those who are in the shadows of life, the sick, the needy, and the handicapped.”

Burwell’s Senate Confirmation

Before Burwell officially takes over the position of HHS Secretary, she must be confirmed by the Senate. Under Article II, Section 2 of the U.S. Constitution, the president shall appoint officers of the United States “by and with the Advice and Consent of the Senate.” When a nomination is made, the question before the Senate is “Will the Senate advise and consent to this nomination?” According to a report by the Congressional Research Service (CRS), “Only a majority of Senators present and voting, a quorum being present, is required to approve a nomination.”

Tens of thousands of nominations are made during each Congress, so the Senate is not able to consider all of them in detail. “A regularized process facilitates quick action on thousands of government positions,” according to the CRS. Hundreds of nominations may be approved en bloc by the Senate at one time. However, the confirmation process also allows for the Senate to closely scrutinize candidates when necessary, especially nominees for high-level positions such as Supreme Court appointees. According to the CRS, “Among the executive branch positions, nominees for policymaking positions are more likely to be examined closely, and are slightly less likely to be confirmed, than nominees for non-policy positions.”

At the press conference, Obama stated he did not think Burwell’s confirmation would be a problem, as she was confirmed unanimously one year ago for her post as the director of the OMB.