Amazon, Berkshire Hathaway, and JPMorgan Chase to hire CEO based in Boston, MA

Dr. Gawande will start as CEO effective July 9. The new company will be headquartered in Boston and will operate as an independent entity that is free from profit-making incentives and constraints, the three organizations announced today.

As Healthcare Informatics noted in a news report published on January 30, “With an ambitious-sounding, if vaguely worded, announcement, three corporate giants—Amazon, Berkshire Hathaway, and JPMorgan Chase & Co. announced Jan. 30 that they were launching an initiative to improve satisfaction and reduce costs for their companies’ employees… The three companies, which bring their scale and complementary expertise to this long-term effort, will pursue this objective through an independent company that is free from profit-making incentives and constraints. The initial focus of the new company will be on technology solutions that will provide U.S. employees and their families with simplified, high-quality and transparent healthcare at a reasonable cost.”

Details behind the initiative are still rather vague, but experts have pointed to reducing healthcare fraud and administrative costs as key areas that the companies will focus on. The lack of clarity has also led to skepticism among healthcare stakeholders. A recent survey from venture capital firm Venrock revealed that the majority of respondents are dubious about the impact of the Amazon/Berkshire Hathaway/JPMorgan healthcare partnership and believe the effort will face substantial challenges and take a lot of time to be successful.

CEO of athenahealth is stepping down

Athenahealth CEO Jonathan Bush has stepped down from the helm of the electronic health record system vendor effective immediately, the company said Wednesday.

The move comes after several allegations came to light in recent weeks, including “numerous physical altercations” with his now ex-wife, a sexual harassment settlement and inappropriate behavior at an industry event.

Athenahealth said in a statement that it is searching for CEO candidates. For now, Chief Financial Officer Marc Levine will take on additional leadership responsibilities. The company also named Jeff Immelt, former chairman and CEO of General Electric, as executive chairman.

The EHR vendor’s path forward is unclear. The board of directors will consider selling or merging the company as well as continuing operations independently. Elliott Management, which has a roughly 9% stake in Athenahealth, offered nearly $7 billion in May to purchase the company and has increased pressure on the board to accept the deal.

“We approach this process with an open mind and a commitment to continuing to strengthen the company—including its rich data asset, platform strategy and culture of innovation,” Immelt said in a statement. “We are fully focused on serving the best interests of our shareholders, employees and clients.”

Other investors—including Janus Henderson Group, which has a roughly 12% stake in Athenahealth—met with the Athenahealth board this month to urge a sale and to raise concerns about Athenahealth management’s “execution of strategic initiatives.”

Athenahealth had a relatively rough first quarter in 2018, booking less business than the same period a year earlier. Bush attributed the drop-off to weak demand, but said the company was in a strong position to grow. It laid off about 9% of its workforce at the end of 2017.

Cybersecurity: Nightmare scenarios and guiding principles

From legacy infrastructure to potential medical device hacks, some of the industry’s leading voices opened up about how the industry can begin to combat the inevitable breach.

By now, the healthcare sector is fully aware of the looming target placed on its back by hackers. The issue is that legacy infrastructure, staffing shortages and insider threats can make it tough to tackle these issues.

The biggest threats lie within the legacy infrastructure of healthcare itself. This includes medical devices operating on outdated platforms, along with IoT devices. We have not seen it happen frequently, but if those devices are hacked, cybercriminals can actually put patient lives at risk.

But security risks go beyond a breach. In healthcare, when a hacker gets in, it often interrupts patient care and throws clinicians back to pencil and paper, and downtime can last for weeks.

Consider the WannaCry attack that crippled the U.K. National Health Service last year.

Hackers are hitting EHR vendors as well, which affects providers operating on the affected platforms. Allscripts was hit earlier this year, and some of its providers were unable to access patient records for up to a week.

“Breaches are always a concern, but lack of access to data and extended downtime with no access to records has huge impacts for revenue, patient care and community trust,” said Max Stroud, lead consultant with Galen Healthcare Solutions.

For some, the crux of security issues lies with the users. Often seen as the biggest threat, “user threats have the potential to cause significant losses and evade detection.”

Indeed, insider threats have been the biggest vulnerability to healthcare security for more than a year. Verizon’s April breach report found insider threats and human error were the biggest risks to security. In fact, healthcare is the only industry where insider threats outnumber outside threat actors.

Incremental steps and human-centric design

What can be done given the attack surface and seeming inevitability of a breach?

“A viewpoint has emerged in the last few years that organizations should just assume they are going to be compromised, so they should focus their efforts on detection and response for when an attack inevitably happens,” said a spokesperson from health IT firm Cognosante.

Detection and response, however, only comprise half the equation: “It’s a huge mistake to back off on preventive controls like strong access control, web application security, adaptive firewalls and user awareness training.”

Several experts said security needs to be designed with the user in mind. Stroud said she has seen doctors share their passwords with nurses in order to complete charts, as it’s seen as “a care efficiency and not a risk.”

Even worse, Stroud said, “I’ve also seen EHRs delivered with standard admin logins. It’s not pretty out there.”

“Human-centered design should account for human-centered tendencies,” said Geeta Nayyar, MD, Femwell Group Health’s chief healthcare and innovation officer. “Understanding how we can help our folks develop an internal motivation to actively embrace the role of our first line of defense.”

With that in mind, organizations need to make it nearly impossible to do the wrong thing, Harlow added. “Very important to reduce exposure, reduce public face, limit internal access on role-based need-to-know basis.”

Organizations should also conduct pen testing and run bug bounty programs regularly to make sure they’re not susceptible to attacks.

“You can try to predict the future, or you can just continually review and improve your systems, processes, personnel, training, etc. including doing new risk assessments as changes are made,” said Harlow.

“We plan for what we can plan for – but there are many unknowns in this business,” said Nayyar. “Keep solid post-event contingency and crisis plans current.”