2017 HIMSS Conference Insights

Members of Arnall Golden Gregory LLP’s Healthcare Information Technology team attended the 2017 HIMSS Conference February 19-23 in Orlando, FL. Hundreds of innovative companies and 40,000+ technology professionals took part in a week of networking and industry discussion and education. From our conversations at the conference, visits with clients and friends, and participation in some excellent briefings and presentations, we compiled our key takeaways. If you were not able to attend, here they are by topic, and we hope they are helpful.

Venture Capital and Funding

  • Personalized health and wellness are the top areas where HIT investors are placing their money.
  • “Patient and consumer experience” brought in $2.8 billion in investments in 2016, with an average deal size of $17 million.
  • Patient engagement decisions are being made at the C-suite level now.
  • “Losers” for investment dollars include electronic health record platforms (talking point at the conference was that “no new EHRs are being developed”).
  • Also on the decline are provider acquisitions of technology companies.
  • Insurers are investing more in technology acquisitions because it’s easier for payers to deploy and run pilot programs.
  • Investments in digital health companies have increased from $1 billion in 2010 to $8.1 billion in 2016.
  • Whether the ACA is repealed or not, the trend of delivering better outcomes at a lower cost is not going to change.
  • Population health management and patient engagement link together. Think of patient engagement as the “last mile” of population health.
  • Barriers to innovation are formidable in large healthcare systems. Sometimes the best technology implementation occurs on the departmental level.
  • The level of dissatisfaction among physicians regarding demands on their time is formidable – a reality successful HCIT companies are going to need to address in developing solutions.

Keynote by Ginni Rometty, CEO of IBM

  • Three topics on everyone’s mind at HIMSS 2017: (1) Focus on cybersecurity; (2) Focus on changes in healthcare from the new administration; (3) Cognitive Technology.
  • We are at a “profoundly hopeful moment” and the beginning of the “cognitive era” in healthcare.
  • 80% of data in the world is NOT searchable on the web. That means there is vast potential for new insights.
  • HCIT companies must have an open platform to succeed. Why? Conditions for success are both innovation and an ecosystem to support it. When available data and these platforms converge, we will be at the HCIT tipping point.
  • Three specific platforms all of our organizations will need: cloud, data, and artificial intelligence (AI).
  • IBM’s emphasis on cognitive technology and AI is intended to augment people, not replace them.
  • Math and data are woven through so many of our “new collar” jobs in the era of cognitive tech. STEM education is critical.
  • Blockchain technology will have a profound effect on healthcare. The key will be agreed standards, as in the case of the early Internet.

OCR Privacy Office, Regulatory Agenda

  • OCR’s Deven McGraw reviewed the office’s privacy regulatory agenda, including HITECH provision re: sharing penalty/settlement.
  • A list of 2016-2017 enforcement actions makes the point that OCR enforcement is vigorous and ongoing.
  • Per Ms. McGraw, look for FAQ coming soon from OCR, dealing with social media and health information.
  • Guidance, enforcement, outreach, audit are all tools available to OCR per Ms. McGraw.
  • OCR privacy desk audits “may” also be subject to onsite review, but not necessarily. Still, use the audit process, if you are going through it in any case, to evaluate whether you are employing best practices.
  • Elements of OCR desk audit include privacy rule controls, breach notification controls, and security management process (both risk assessment and risk management).
  • Persistent problem per Ms. McGraw is still a lack of business associate agreements. Your company needs one from anyone doing business with you who is receiving PHI at any point in the chain.
  • A second problem is incomplete risk analysis. That analysis must extend to the whole enterprise, not just one business unit.
  • It is not enough to identify a risk; you must also do something to manage it. Not to a 100% degree, but your efforts at addressing the risk must be timely and reasonable. Where action is not possible, document what you can’t address and why.
  • Other HIPAA problems OCR frequently sees are: lack of transmission security, lack of auditing, and no patching of software.
  • Insufficient backup and contingency planning are also persistent problems revealed in OCR audits.

Ransomware: Prevention, Detection, and Response

  • Time to amend associated agreements to include requirement about when and how business associate (BA) notifies provider of ransomware attacks?
  • Per OCR, to date approximately 36 organizations have paid $30MM in enforcement actions related to ransomware.
  • Many ransomware attacks occurring but NOT being reported; the real numbers are likely higher than statistics suggest.
  • Most ransomware exploits PERSONAL vulnerability as much as or more than technical gaps. Training of teams is critical.
  • Consider third-party messaging apps, like social media, used by staff. Also, no BA agreement typically in place to cover these apps. Companies need to understand these vulnerabilities and take control of them.
  • Variation on ransomware: “White hat” hackers pull out PHI and supply it to provider with choice: accept remedial “service” or we call media.
  • Per security panel at HIMSS17, do not assume every ransomware incident is reportable. Reportability of a ransomware attack to OCR depends on the form of ransomware, including whether data was exfiltrated.
  • Do note, however, that OCR will take the position that virtually all such incidents ARE reportable. Making those distinctions and judgment calls is why having counsel involved early is important.
  • The consequences of a breach, and number of breach enforcers, continue to increase: they include not only OCR but derivative plaintiffs, state AGs, the FTC, class plaintiffs, and, for public companies, SEC.
  • List of “Do Nots” in case of ransomware (or other potential data breach): Do NOT email blast “we have an incident/problem;” open any other files; seek to conceal incident; automatically pay the attacker; contact the media; have other discussion of the matter unless with security officer and/or security response team.
  • List of “do’s” includes: DO contact security officer; involve, via security officer, the technical team responsible for incident response; get legal counsel involved; initiate redundant systems if available; investigate scope and extent of attack and data affected; engage forensic resources as available; contact law enforcement.
  • Read your cyber insurance policy. What preconditions to coverage exist? What notice must be given to the carrier? Is your company required to report to law enforcement as any precondition to coverage?

Evolving State of Medical Device Cybersecurity

  • Medical devices are subject to FDA regulation.
  • Cybersecurity concerns should be addressed during the design and development of the medical device.
  • Executives and boards of directors should be engaged in cybersecurity discussion. They need to focus on what really matters and to do that, they need to understand the company’s risk tolerance. It is impossible to prevent all incidents of cybersecurity breaches, a recognition that helps align focus and resource allocation.