chevron-down Created with Sketch Beta.
March 22, 2024

Washington Roundup

Roll Call reports,

  • Lawmakers released a more than $1.2 trillion, six-bill appropriations package early Thursday morning, less than 48 hours ahead of a Friday night deadline for this second and final wrapup measure for the fiscal year that began Oct. 1. 
  • Both parties were touting “wins” in the package well before unveiling the massive 1,012-page bill, which had already won President Joe Biden’s blessing and pledge to sign it “immediately.” That, plus the lure of a two-week recess, should help get the package over the finish line, though it seems likely to slip past the 11:59 p.m. Friday cutoff for the current stopgap spending law.
  • But lawmakers weren’t really sweating the prospect of a weekend funding lapse, given its limited impact on government operations — especially with Friday’s expected House passage likely to be a strong signal of congressional intent to keep the lights on.

The American Hospital Association (AHA) News informs us,

  • "The House Energy and Commerce Committee March 20 unanimously passed AHA-supported legislation to reauthorize through 2029 the Dr. Lorna Breen Health Care Provider Protection Act (H.R. 7153), which provides grants to help health care organizations offer behavioral health services for front-line health care workers. The bill also would reauthorize a national campaign that provides hospital leaders with evidence-based solutions to support worker well-being. Without congressional action, the law will expire at the end of this year."
  • and
  • "Congress should address any statutory constraints that prevent the Centers for Medicare & Medicaid Services and Department of Health and Human Services from adequately helping hospitals and other health care providers impacted by the Change Healthcare cyberattack, AHA said a letter submitted to the House Ways and Means Committee for a hearing March 20 with HHS Secretary Xavier Becerra on fiscal year 2025 funding for HHS." 

Fierce Healthcare lets us know,

  • "The Employee Retirement Income Security Act, or ERISA, is turning 50 this year and lawmakers are curious to hear about how the law could be updated to increase coverage affordability and care access.
  • "Payers and providers, it turns out, have very different ideas on where Congress should focus its efforts.
  • "In response to the House Committee on Education and the Workforce’s January request for information, lobbying groups representing both sides of the industry weighed in on the act that outlines federal guidelines for employee benefit plans, including employer-sponsored group health plans."
  • The article delves into these comments.

The Congressional Budget Office released a presentation about "The Federal Perspective on Coverage of medications to treat obesity. Assuming Congress allows Medicare to cover anti-obesity medications (AOM),

  • "The future price trajectory of AOMs is highly uncertain.
    • "CBO expects semaglutide to be selected for price negotiation by the Secretary of Health and Human Services within the next few years, which would lower its price (and potentially the prices of other drugs in the AOM class).
    • "CBO expects generic competition for semaglutide and tirzepatide to start in earnest in the second decade of a policy allowing Medicare Part D to cover AOMs.
    • "New AOMs are expected to become available. The new drugs might be more effective, have fewer side effects, or be taken less frequently or more easily than current medications. Those improvements could translate to higher prices, on average, even if prices decline for drugs that exist today."
  • See also the Beckers Hospital Review article below on the next generation of AMOs. 

Healthcare Dive tells us,

  • "The Medicare Advisory Payment Commission, which advises Congress on Medicare policy, is recommending boosting hospital payment rates by 1.5% in 2025 and base physician payment rates by 1.3% above current law, according to its annual report released Friday. 
  • "MedPAC suggested tying the rate of physician payment increases moving forward to the Medicare Economic Index, an annual measure of practice cost inflation. MedPAC suggested payments increase “by the amount specified in current law plus 50% of the projected increase in the MEI.”
  • "Provider groups, including the Medical Group Management Association and American Medical Association, have said the proposed payment increases are inadequate."

Cybersecurity Update

Cyberscoop reports,

  • “A cyberattack on a payment processor that has crippled large parts of the U.S. health care system is inspiring calls in Washington to urgently implement cybersecurity regulations for the sector, setting up a showdown with hospital and health care groups that are stridently arguing against such a move. 
  • “As these companies have become so large, it is creating a systemic cybersecurity risk,” Sen. Ron Wyden, an Oregon Democrat, said Thursday during a Senate Finance Committee hearing featuring Health and Human Services Secretary Xavier Becerra, whose agency is responsible for overseeing the health care industry’s digital security standards. * * *
  • “The incident has reinvigorated conversations among policymakers in Washington about how to improve the health care sector’s security posture. HHS has proposed a voluntary set of cybersecurity standards and is working to develop mandatory rules, but these are unlikely to come into effect soon. 
  • “Until mandatory rules are in place, industry critics like Wyden want sharper action. “The next step has got to be fines and accountability for negligent CEOs, which will enable HHS to protect patients and our national security,” he said Thursday.”

Cybersecurity Dive adds,

  • ‘Ransomware remains a persistent threat, despite law enforcement actions aimed at disrupting the infrastructure threat actors rely on to conduct their attacks, according to the Office of the Director of National Intelligence’s latest annual threat assessment.
  • “Transnational organized criminals involved in ransomware operations are improving their attacks, extorting funds, disrupting critical services and exposing sensitive data,” said the report, which was publicly released Monday. “Important U.S. services and critical infrastructure such as healthcare, schools and manufacturing continue to experience ransomware attacks.”
  • “National intelligence leaders warned that the ransomware problem is worsening and is growing more difficult to combat.”

In this regard, the Wall Street Journal considers “Why Are Data Breaches Still Rising If Companies Are So Focused on Cybersecurity.”

  • Evolving Ransomware Attacks * *. * First, after a slight drop [in 2022], [ransomware] attacks are on the rise again due to the emergence of ransomware gangs that franchise their malware and make it available to budding cybercriminals. This trend is allowing more criminals, even those with minimal computer knowledge, to get into the ransomware game.”
  • “Second, these attacks are becoming more damaging in that many attackers are now stealing their victims’ data, in addition to just locking it up. I refer to this new approach as Ransomware 2.0. The hackers threaten to disclose the private information if they don’t receive a ransom payment. This results in large leaks of corporate and consumer data that didn’t occur before.
  • Cloud misconfiguration: More companies now store and maintain their corporate data in the cloud via services such as Amazon Web Services, Google Cloud and Microsoft Azure to avoid the expense of having to own and operate their own data centers. This is making the cloud an attractive target for hackers. In fact, 82% of breaches in 2023 involved data stored in the cloud, according to a recent IBM report. 
  • “Cybercriminals are taking advantage of the fact that many organizations migrated rapidly to the cloud without fully understanding all of the configuration settings and establishing procedures to keep their data safe. As a result, errors and glitches in these settings are common, and many companies have no idea that their sensitive information is exposed to the public internet until it is too late. Such misconfigurations have become one of the most common security issues when deploying new cloud-based applications.
  • Exploitation of vendor systems: Almost every company, especially large companies, rely on a network of vendors to provide services ranging from maintaining the air conditioning to updating software packages. These vendors often have special access to the company’s computers, which I refer to as “side doors,” similar to a passkey given to the cleaning crew. 
  • “As large companies have become better prepared to repel cyberattacks, hackers have shifted their attention to vendors, often much smaller companies with limited cyber defense resources and expertise. Attackers exploit those weaknesses to first get into the vendor’s system, then use the vendor’s privileged access to get into the computer systems of every company that uses the vendor.” 

Becker's Payer Issues discusses what fifteen insurers and trade associations explored with Biden Administration officials on March 18, 2024 about the Change Healthcare situation. 

  • During the meeting, stakeholders discussed how progress has been made in reestablishing claims processing systems, though small, rural and safety-net providers specifically are still reporting issues with cash flow.
  •  Many healthcare organizations will require third-party certification of Change’s cybersecurity before reconnecting to its systems, in which UnitedHealth was urged to provide a timeframe around. Payers were also asked to analyze their internal data to determine which providers need more support and to engage with them directly.
  • According to Reuters, payers said they would accelerate payments to Medicare and Medicaid providers, along with providing loans to Medicaid providers.”
  • Here is a link to the HHS readout from this meeting.

United Healthcare Group has been updating its Change Healthcare Cyberattack Response website practically daily.