Washington Debrief: House Leaders Target August for SGR Fix

June 18, 2013
Jeff Smith, Director of Public Policy at CHIME

Leadership on the House Energy & Commerce Committee is concerned that the Internal Revenue Service (IRS) has improperly accessed millions of personal medical records. A letter to IRS Acting Commissioner Daniel Werfel said the committee was concerned about a lawsuit filed in California alleging IRS agents “stole more than 60 million medical records from more than 10 million American patients during a search conducted March 11, 2011.” Representatives Tim Murphy, Chairman of the Subcommittee on Oversight and Investigations, and Michael Burgess, Vice Chair of the Subcommittee, asked Mr. Werfel to answer three questions outlining how the IRS requests and examines protected health information from HIPAA covered entities. The plaintiffs in the California case argue that the IRS was given permission to access financial records of an employee of a covered entity, but that there was no attempt to separate financial information from health information, such as drug treatment, psychological counseling and sexual health treatment. Given recent controversies at the IRS over the targeting of Tea Party groups with additional scrutiny and the possible involvement of the Affordable Care Act lead for the IRS, there is growing suspicion on the Hill that IRS agents may have broad access to personal health records. The Obama administration maintains that the IRS, Homeland Security and HHS will not have access to personal health records as part of a federal data hub – but will instead be checking immigration status and program eligibility for possible health insurance exchange subsidies.

Cyberattacks Affect More than Just Computers and Databases, FDA Calls for Tighter Security

When many think of a device getting hacked, or viruses or malware, they think of computers, databases, websites, and cell phones, but today, the line does not stop there.  Imagine you have a pacemaker for a heart condition – if you have an arrhythmia, the heart can beat too fast, too slow, or with an irregular rhythm – and you rely on your device to help your heart function normally (it uses electrical signaling to correct the heart condition).  What if one day you had a heart event – perhaps your heart stops – and your pacemaker didn’t revive you?  You only have a limited amount of time to get treatment before it is too late.  Now imagine that your pacemaker is fully functional, but the reason it stopped working is that it was hacked and had a virus.  Presently, the number of reported cyberattacks is on the rise, but as far as the Food and Drug Administration (FDA) knows, none of these incidents have affected patients.

Recently, the FDA released draft guidelines to tighten medical device security standards based on an experiment by a few security analysts that proved people could easily hack important medical devices. According to a Washington Post article, “they managed to figure out hundreds of passwords for equipment that included surgical and anesthesia devices, patient monitors and lab analysis tools.” This poses a risk to patients with a multitude of conditions, as their medical devices are connected to hospital networks, which exposes them to cyberattacks. Viruses or other breaches can cause interruptions in medical devices or even shut them down.

This experiment proves that privacy and security guidelines should apply to more than just patient information – they should include devices as well. Comments for the FDA draft guidance are due 90 days after the rule is published in the Federal Register.

Edited by Gabriel Perna
