Sunday, February 08, 2015

Weekend update

The House and Senate will be in session here in Washington, D.C. this coming week. Here is a link to The Week in Congress's report on last week's doings. 

The FEHBlog has been discussing the Anthem security breach in recent posts. The Better Business Bureau offers these tips to consumers in the immediate wake of the breach.

Health Data Management reports that Anthem and other health industry stakeholders participate in a security alliance called the HITRUST Alliance, which, according to Health Data Management, allowed the stakeholders to share indicators from the attack and conclude that this particular hacking attack was limited to Anthem.

The FEHBlog noted on Friday that the Wall Street Journal, among other press sources, is reporting that the confidential data was not encrypted on Anthem's servers. This rang a bell with the FEHBlog because, as a lawyer, he knows that the 2009 HITECH Act's breach notice provisions apply only to "unsecured" protected health information, and that PHI encrypted in a manner consistent with HHS guidance is not considered unsecured. That safe harbor encourages insurers and health care providers to encrypt confidential data, and they do encrypt mobile devices like laptops and thumb drives. If an encrypted mobile device is lost or stolen, which can happen, the data on it stays protected as long as the key did not travel with the device.

The FEHBlog has puzzled over whether this new incident will push health care companies to encrypt servers holding confidential databases. Servers, of course, are not mobile devices. The FEHBlog ran across this interesting blog post from a Columbia University computer science professor who explains why encrypting confidential data held on servers may not be particularly useful:
In a case like the Anthem breach, the really sensitive databases [on the servers] are always in use. This means that they're effectively decrypted: the database management systems (DBMS) are operating on cleartext, which means that the decryption key is present in RAM somewhere. It may be in the OS, it may be in the DBMS, or it may even be in the application itself (though that's less likely if a large relational database is in use, which it probably is). What's to stop an attacker from obtaining that key, or perhaps from just making database queries?
The answer, in theory, is other forms of access control. Perhaps the DBMS requires authentication, or operating system permissions will prevent the attacker from getting at the keys. Unfortunately—and as these many data breaches show—these defenses are not configured properly or aren't doing the job. If that's the case, though, adding encryption isn't going to help; the attacker will just go around the crypto. There's a very simple rule of thumb here: Encryption is most useful when OS protections cannot work.
What do I mean by that? The most obvious situation is where the attacker has physical access to the device. Laptop disks should always be encrypted; ditto flash drives, backup media, etc. Using full disk encryption on your servers' drives isn't a bad idea, since it protects your data when you discard the media, but you then have to worry about where the key comes from if the server crashes and reboots.  
In sum, there is no simple answer to this significant problem.
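To make the professor's point concrete, here is a small added illustration (written for this post; it is not code from the quoted blog post, from Anthem, or from any real DBMS). It models a database server whose disk image is encrypted but whose key must stay in RAM so queries can be answered, and then tries the three attacker positions the quote describes: stealing the media, making queries with a stolen application credential, and reading the key out of the server process. The cipher is a SHA-256 keystream with an HMAC tag, a standard-library stand-in for AES-GCM so the script runs anywhere; the account name, password, and member records are constructed and fictitious.

```python
# Added illustration (not from the quoted post): why "encryption at rest" on a live
# database server does not stop an attacker who can query the DBMS or read its memory.
# The cipher below is a SHA-256 keystream + HMAC tag, a stand-in for AES-GCM so the
# script runs with the standard library only; it is a demo, not production crypto.
import hashlib
import hmac
import json
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (toy stand-in for a block cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag (so a wrong key is detected) and strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample records; the names and identifiers are fictitious.
MEMBERS = {
    "M-1001": {"name": "A. Example", "dob": "1970-01-01", "ssn": "000-00-0001"},
    "M-1002": {"name": "B. Example", "dob": "1982-06-15", "ssn": "000-00-0002"},
}


class DatabaseServer:
    """A running DBMS with encryption at rest.

    The on-disk image is ciphertext, but the key must sit in this process's
    memory the whole time the server is up, or it could not answer queries.
    """

    def __init__(self, records: dict):
        self.key = secrets.token_bytes(KEY_LEN)          # lives in RAM
        self.disk = {mid: encrypt(self.key, json.dumps(rec).encode())
                     for mid, rec in records.items()}    # what the media holds
        # Hypothetical application account, as a DBMS would require.
        self._credentials = {"claims_app": "hunter2"}

    def query(self, user: str, password: str, member_id: str) -> dict:
        """Normal path: authenticate, then decrypt one record for the caller."""
        if self._credentials.get(user) != password:
            raise PermissionError("bad DBMS credentials")
        return json.loads(decrypt(self.key, self.disk[member_id]))


# Three attacker positions from the quoted argument.

def steal_media(server: DatabaseServer) -> int:
    """The case the crypto is built for: the disk or backup tape walks out the
    door, the key does not. Returns how many records the thief could decrypt."""
    recovered = 0
    for blob in server.disk.values():
        try:
            decrypt(secrets.token_bytes(KEY_LEN), blob)  # a guess at the key
            recovered += 1
        except ValueError:
            pass
    return recovered


def use_stolen_app_credentials(server: DatabaseServer, user: str, password: str) -> list:
    """The attacker 'just makes database queries' with a credential lifted from
    an application host; the DBMS decrypts for them exactly as for the real app."""
    return [server.query(user, password, mid)["ssn"] for mid in server.disk]


def read_process_memory(server: DatabaseServer) -> list:
    """The attacker has the OS-level access the quote describes (root on the DB
    host, a memory dump, a debugger). Reading server.key stands in for scraping
    the key out of RAM; every record then decrypts offline."""
    key_from_ram = server.key
    return [json.loads(decrypt(key_from_ram, blob))["ssn"]
            for blob in server.disk.values()]


if __name__ == "__main__":
    db = DatabaseServer(MEMBERS)
    print("media theft, records decrypted:", steal_media(db))
    print("stolen app credential:", use_stolen_app_credentials(db, "claims_app", "hunter2"))
    print("key scraped from RAM:", read_process_memory(db))
```

Only the first attacker is stopped, and that is the "physical access" case the professor says encryption is for. The other two never touch the cipher: one borrows the application's standing permission to decrypt, the other takes the key from the same memory the DBMS reads it from. That is what "the attacker will just go around the crypto" means in practice, and why the controls that matter for a live server are the ones the quote lists: DBMS authentication, OS permissions on the process and its key material, and keeping application credentials from being the weakest link.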

The Drug Channels blog reports on what the surprisingly deep discounts on Gilead's Hepatitis C drugs, offered to PBMs after AbbVie's competing drug hit the market, portend for biosimilar drug pricing:
Biosimilars are unlikely to be fully interchangeable with their innovator products. Competition between a biologic drug and a biosimilar is much more likely to resemble brand-to-brand competition than it is to resemble the dynamics of brand-to-generic competition.
As a result, the conventional wisdom—summarized in this still relevant 2009 Federal Trade Commission (FTC) report—believes that a biosimilar’s discount will be only 10% to 30% off the innovator’s price.
However, the large hepatitis C discounts suggest that biosimilars may drive deeper discounts for formulary placement. Although the hepatitis C products are not therapeutically equivalent, we are seeing big discounts to both government and commercial payers.
That's good news. The Wall Street Journal's Pharmalot blog reports that prescription drug manufacturer Pfizer is paying about $16 billion to acquire Hospira, one of the largest sellers of biosimilar drugs in Europe. The European Union has been approving biosimilars for over a decade now.
