Health Advisory Council Newsletter | 2017 Q4 | Member Q&A’s

December 13, 2017/by

Joseph Hill
Director, Government Relations Division, American Society of Health-System Pharmacists

Q. How would you describe your role at the American Society of Health-System Pharmacists (ASHP)?
A. I serve as the Director of the Government Relations Division for ASHP. In this capacity, I oversee all of our government relations activity including Congressional, federal agencies, and state.

Q. What do you think Council members should know about ASHP?
A. ASHP’s nearly 45,000 members are committed to providing patient care that helps patients achieve optimal health outcomes. ASHP helps its members achieve this goal by advocating and supporting the professional practice of pharmacists in hospitals, health systems, ambulatory care clinics, and other settings spanning the full spectrum of patient care. ASHP serves its members as their collective voice on issues related to medication use and public health.

Q. What ASHP initiatives would you like to share with the Council?
A. ASHP is a lead member of the Patient Access to Pharmacists’ Care Coalition (PAPPC), a group of more than 30 organizations (including NCL) representing pharmacy, rural health care, and consumers. PAPCC is currently advocating for legislation (H.R. 592, S. 109) that would increase patient access to pharmacists’ direct patient care services in underserved areas. The bills have broad bipartisan support with more than half of the U.S. House of Representatives (240) signed on in support and nearly half of the Senate (49). The bills would allow Medicare beneficiaries to access care from pharmacists in underserved areas for services that are already allowed by state scope of practice laws.

Q. What is ASHP doing to change the way people think about and approach healthcare?
A. Medication use has become the first line of treatment for most conditions. As a result, more people are taking more medications than ever before. While this helps to improve patient health overall, improper medication use, adverse drug reactions, and lack of patient counseling are emerging challenges that can cause patient harm, and increase costs. Pharmacists are the medication use experts and are trained to help patients make the best use of their medicines. ASHP is at the forefront of advancing the profession of pharmacy away from medication dispensers to direct patient care providers as it relates to medication use.

Q. What does ASHP value about membership in NCL’s Health Advisory Council?
A. ASHP shares NCL’s goal of improving the health and well-being of our nation’s consumers. We believe NCL enables ASHP to amplify its voice on the role that pharmacists play in making medication use safe and effective.

Janet McUlsky
Senior Director, National Alliance Development, Pfizer, Inc.

Q. What is your role at Pfizer?
A. As Senior Director of National Alliance Development at Pfizer, I have dual roles in working with the advocacy community. Together with my team, I am responsible for developing and maintaining relationships with the broad non-profit healthcare policy community in DC. Our objective is to work together on policy issues that are important to all parties while always maintaining our respective independence and integrity. Of equal importance is the role we play in taking patient concerns to Pfizer colleagues and encouraging and assisting them in developing programmatic responses.

Q. What do you think Council Members should know about Pfizer?
A. Pfizer has a rich history as a transformative innovator that, through the generations, has demonstrated a willingness to develop initiatives that respond to the changing needs in healthcare. A great example is Pfizer’s response to an appeal from the U.S. Government in 1941 to expedite the manufacture of penicillin. The company’s management invested millions of dollars, putting at stake their own assets as stockholders, to buy the equipment and facilities needed for the novel process of deep-tank fermentation. Pfizer employees worked around the clock to perfect the complex production process and in just four months, the company was producing five times more penicillin than originally anticipated. To this day, our employees are innovators and trailblazers who are committed to finding the next cure.

Q. What Pfizer initiatives would you like to share with the Council?
A. Pfizer’s R&D is active in the areas of oncology, neuroscience, cardiovascular, inflammation and immunology and rare diseases. Two big concerns currently being explored are difficult to treat cancers and vaccines for diseases that are particularly impactful in high risk populations. As a healthcare company – and not just a drug manufacturer – we also invest a lot of our talent and time on prevention with programs such as Get Old and other healthy living initiatives designed to advance wellness, prevention, treatments, and cures.

Q. What is Pfizer doing to change the way people think about and approach healthcare?
A. Our nation is on the cusp of a gigantic change in medicine. Innovations such as gene therapy and personalized medicine take us closer to unlocking ways to treat many illnesses. At the same time, patients are increasingly faced with access barriers to treatment. Pfizer is working with advocacy organizations to make sure that patients’ needs are always in focus, from innovation to manufacturing to engagement in public policy. That is how we continue our commitment to innovative research and patient-centric healthcare.

Q. What partnerships has Pfizer had with NCL?
A. Pfizer has partnered with NCL over the years in many efforts to educate consumers on healthcare topics. We believe that informed consumers have a distinct advantage when it comes to their healthcare and are proud of our role in raising awareness about prevention initiatives that benefit consumers as well as initiatives that protect patients.

Q. What does Pfizer value about membership in NCL’s Health Advisory Council?
A. NCL’s Health Advisory Council provides a valuable forum to discuss critical healthcare policies with a variety of stakeholders. In bringing together the broad healthcare community, including leading government officials, the Health Advisory Council inspires a constructive dialogue that enhances our understanding of public needs. I find the diversity of viewpoints inspiring and educational, and I look forward to continuing our charge of protecting patients and promoting healthy lives.

The #DataInsecurity Digest | Issue 58

December 13, 2017/by

Issue 58 | December 14, 2017

#DataInsecurity Digest: Nielsen settling in at DHS during uncertain times for cybersecurity

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Newly confirmed DHS secretary Kirstjen Nielsen will certainly have her work cut out for her as she settles into her role amid growing concerns on the U.S.’s role in leading global cybersecurity efforts. Breaches continue making news as PayPal announced that the personal data of 1.6 million TIO users has been compromised. More than $75 million in bitcoin was stolen as the value of the popular cryptocurrency rises dramatically. Uber announced new departures from the security team in the wake its data breach cover-up. Unfortunately, it looks like the epidemic of data insecurity is here to stay as one recent study found that ransomware attacks jumped nearly 2000 percent since 2015, and another group of researchers found that phishing attacks are becoming even more elaborate in order to lull their victims into a false sense of security.

After this issue, The #DataInsecurity Digest will take a few weeks off for winter break and will resume publication in 2018. Thank you for being a loyal reader! From the staff at the National Consumers League, best wishes for a happy holiday season and a healthy New Year!

And now, on to the clips!

—————–

Kirstjen Nielsen confirmed as DHS secretary. Last week’s Senate vote confirming Nielsen as John Kelly’s replacement couldn’t have been timelier, @tayhatmaker reports, “given the ever-expanding nature of cyber threats, particularly those against U.S. critical infrastructure.” (Source: Techcrunch)

More than $70 million vanishes in bitcoin cyber heist. The dramatic rise in bitcoins’ value in recent months has raised concerns about the security of bitcoin wallets. NiceHash, the largest crypto-mining marketplace, revealed that approximately 4,700 bitcoin—or $70+ million—had been stolen from an online account. Although few details about the hack are available, NiceHash chief executive Marko Kobal promised that “we are doing really everything we can right now. However, this will take time… As soon as we have a solution in place, we’ll reach out, hopefully in the next few days.” (Source: Wall Street Journal)

Breach du jour: 1.6 million TIO users. PayPal, which recently acquired TIO, a digital payment company, announced that the personally identifiable information (names, addresses, bank-account details, Social Security numbers, and login details) of 1.6 million TIO users may have been breached. Fortunately, “PayPal hasn’t integrated TIO with its platform, so PayPal users aren’t affected by the security vulnerabilities at TIO.” (Source: Wall Street Journal)

Cyber analysts raise concerns over Trump’s cyber foreign policy. With the Trump Administration almost a year into its term, cyber officials on both sides of the aisle are beginning to worry about a failure to lead on cyber policy. “When it comes to shaping and enforcing international rules of the road in cyberspace… the Trump Administration may be taking a step back from the U.S.’s historic role, a move experts worry could cede ground to an anti-Democratic model for the internet championed by U.S. adversaries such as Russia and China.” (Source: NextGov)

Ransomware attacks up nearly 2,000 percent. A new study by @Malwarebytes found that since 2015, ransomware attacks have jumped 1,989 percent. The report called for businesses to “heighten their awareness of cyber crime, and take a realistic view towards the likelihood of attack.” @Malwarebytes argued that “cyber crime must be elevated from a tech issue to a business-critical consideration.” (Source: Computer Weekly)

Phishers adopting https to grant their victims a false sense of security. @PhishLabs published new analysis that found “phishers actively chose to implement web encryption. The green padlock lends legitimacy, a patina of security that helps trick web users into trusting a site and giving up their valuable information.” The study also found that “in two extremely prevalent types of phishers targeting PayPal and Apple, about 75 percent were using HTTPS sites.” (Source: Wired)

Quick hit: Canadian hacker-for-hire admits to hacking Yahoo. Karim Baratov admitted “to breaking into Yahoo’s systems to steal information on at least 500 million user accounts in 2014 as part of a job he did for Russian government agents.” Baratov now faces a fine of up to $2.3 million. (Source: Law 360)

More senior executive resignations from Uber’s security team. Three high-profile resignations add to the uncertainty Uber’s security team has been facing since Chief Security Officer Joe Sullivan was fired after covering up a massive data breach. @josephmenn and @dnvolz report resignations by: Pooja Ashok, Sullivan’s chief of staff; Prithvi Rai, a senior security engineer and the number two manager in the department; and Jeff Jones, who handled physical security. (Source: Reuters)

Events

February 28, 2018 – Privacy Con 2018, Washington, DC
In February, the FTC will host its third Privacy Con, convening a broad array of academics, researchers, consumer advocates, government officials, and industry representatives to address the privacy implications of emerging technologies.

National Consumers League
Published December 14, 2017

The #DataInsecurity Digest | Issue 57

November 29, 2017/by

Issue 57 | November 30, 2017

#DataInsecurity Digest: Uber under fire for breach cover-up

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Election insecurity was back in the news this week with reports that President Trump’s election integrity commission made voting data of nearly 100 million citizens vulnerable to hackers. Meanwhile, the potential financial fallout from past data breaches became apparent with Hilton Hotels paying out $700,000 to settle charges from two of its 2015 data breaches. There were also reports that Equifax’s data breach could cost the company $110 million. And, not surprisingly, a new Gallup poll found that Americans are more worried about cyber crime than any other type of crime.

On to the clips!

—————–

Uber attempted to cover up a 57 million-account breach. Last week, Uber disclosed that millions of customer and driver names, phone numbers, and email addresses were stolen from a third-party server. In its disclosure, Uber acknowledged that it payed a $100,000 ransom to the hackers. @MikeIsaac reports that not only did Uber pay the ransom, but also in order to keep the breach secret, “the company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty.” (Source: New York Times)

Uber facing Congressional scrutiny for breach cover-up. Members of Congress on both sides of the aisle, including Senate Commerce Committee Chairman John Thune (R-SD), are beginning to question Uber’s handling of its massive data breach. Thune, along with three other Senate Republicans, sent a letter to Uber demanding “a full timeline of the breach discovery and Uber’s following actions.” Thune and colleagues noted in the letter that it’s not just that the company “concealed the breach without notifying affected drivers and consumers,” it’s that “prior privacy concerns at Uber” make it “a serious incident that merits further scrutiny.” (Source: Recode)

At least five states are investigating Uber. Illinois, Massachusetts, Missouri, New York, and Connecticut have all pledged to investigate Uber’s mishandling of its breach. In addition, @TonyRomm reports: “Uber must contend with the possible threat of a new probe at the Federal Trade Commission.” While the top privacy enforcement agency has not said it will investigate Uber, it has stated that it is “closely evaluating the serious issues raised.” (Source: Recode)

Criminals are using Equifax data to open credit cards and take out mortgages in victims’ names. Numerous accounts of identity theft came to light after a national class action lawsuit, Allen et al v. Equifax, was filed. One plaintiff has claimed that “multiple ‘unauthorized mortgages’ have been applied for using his stolen information.” (Source: Washington Post)

Pentagon leaves 1.8 billion documents on unsecured server. While the documents were not classified, as they were “internet posts scraped from social media, news sites, forums and other publicly available websites,” @selenalarson reports that the Pentagon’s “failure to fully secure the data raises concerns about government cybersecurity practices.” (Source: CNN)

Iranian hacker charged for HBO breach. Iranian hacker Behzad Mesri is facing charges for the theft of 1.5 terabytes of data that was stolen from HBO last May. The data includes unaired episodes of “Ballers,” “Barry,” “Room 104,” “Curb Your Enthusiasm,” “The Deuce,” and the script of an unaired episode of “Game of Thrones.” The hacker released the data to the public after HBO refused to pay a $6 million ransom. (Source: New York Times)

UK warns that Putin could use your Tinder account to blackmail you. The UK’s National Cyber Security Centre (NCSC) is warning that “Russian hackers are capable of tracking users’ electronic footprints on Tinder and other social media that helps them build up a user profile,” even if users created an anonymous profile. The NCSC further warned consumers: “attackers could use the data for a variety of malicious purposes.” (Source: Daily Mail)

Events

National Consumers League
Published November 30, 2017

The #DataInsecurity Digest | Issue 56

November 15, 2017/by

Issue 56 | November 16, 2017

#DataInsecurity Digest: Voter data exposed; major Hilton payout from 2015 breaches

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

On to the clips!

—————–

Election integrity commission leaves the records of nearly 100 million citizens exposed to hackers. @dellcam reports that “multiple sets of login credentials, which could be used by virtually anyone to directly access the Crosscheck system—as well the encrypted voter data it contains—have been compromised.” @dellcam also reports, “It would be difficult to overstate the carelessness with which Crosscheck handles the personal data of US voters. At the heart of the program… there does exist the illusion of security. But it is a lie, a myth, a mirage. It is the creeping thought of a warm blanket entering the mind of stranded mountain climber, shortly before he freezes to death, buried in ten feet of snow.” (Source: Gizmodo)

Gallup: Americans more worried about cyber crime than any other type of crime. The study found that 67 percent of Americans worry about hackers stealing their information. “Additionally, major data breaches over the past several years have affected hundreds of millions of people in the U.S. and around the world, contributing to the overall anxiety concerning cybercrime.” (Source: Gallup)

Hilton pays $700,000 to settle 2015 data breaches. The settlement, a consequence of two data breaches that affected nearly 350,000 credit cards, was announced by New York Attorney General Eric Schneiderman last week. In addition to the hefty sum, Hilton must “provide immediate notice to consumers affected by a breach, maintain comprehensive information security programs, and conduct data security assessments.” (Source: Reuters)

Data breach projected to cost Equifax $110 million. While Equifax has already set aside $87.5 million to cover costs related to the breach, @joe_r_curtis reports that the firm admitted that “the total cost of the hack could hit $110 million.” (Source: ITPro)

DHS nominee Kirstjen Nielsen moves on to the next round. After several delays over concerns regarding Nielsen’s lack of leadership experience, close ties to the Trump Administration, and possible ethics questions, the Senate Homeland Security and Governmental Affairs Committee approved her nomination in an 11-4 vote. @MatthewDalyWDC reports, “Democrats complained that she lacked the experience needed to run a major agency with 240,000 employees. They also cited concerns about possible White House interference in a recent DHS decision to send home thousands of Nicaraguans long granted U.S. protection.” Chairman Ron Johnson (R-WI) hopes to have Nielsen confirmed by the full Senate chamber by the end of the month. (Source: Washington Post)

195 Trump-affiliated URLs compromised. The Associated Press reports that, over the past five years, more than 100 websites owned by the Trump organization were hacked. “Computer users who visited the Trump-related addresses were unwittingly redirected to servers in St. Petersburg, Russia, that cybersecurity experts said contained malicious software commonly used to steal passwords or hold files for ransom. Whether anyone fell victim to such tactics is unclear.” @latams reports that, “it was not until this past week, after the Trump camp was asked about it by the AP, that the last of the tampered-with addresses were repaired.” (Source: Associated Press)

Senate grills former Equifax and Yahoo CEOs. Last week, ousted CEOs Marissa Mayer (Yahoo) and Richard Smith (Equifax) faced the Senate Commerce Committee for questioning on mismanagement, which led to record-setting data breaches of both their companies. Sen. Richard Blumenthal (D-CT) said more needs to be done to prevent this behavior. “The Equifax breach in particular exposed the limits of the Federal Trade Commission’s ability to protect consumers and impose civil penalties on companies that treat our data with negligence and recklessness… Under current law, even some of the most egregious examples of lax security can be met only with apologies and promises to do better next time, not fines or other penalties or real deterrents,” said the Connecticut Senator. (Source: The Street)

Events

National Consumers League
Published November 16, 2017

The #DataInsecurity Digest | Issue 55

November 1, 2017/by

Issue 55 | November 2, 2017

#DataInsecurity Digest: Equifax knew about vulnerability; White House considers cyber strategy

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Equifax remained in the headlines this week when it came to light that the credit-reporting giant knew about its security vulnerability as early as December 2016 and chose to do nothing. Deservingly, the UK’s Financial Conduct Authority began investigating Equifax’s actions, and may even prevent Equifax from running credit checks on British citizens.

The Trump Administration announced that after 10 months in office, it’s in the beginning stages of creating a cybersecurity strategy. Meanwhile, researchers found a massive vulnerability in LG connected devices, which could have led to several safety hazards including hackers remotely turning on stovetops and operating in-home cameras.

On to the clips!

—————–

Equifax knew of its security vulnerability in December and turned a blind eye. @lorenzoFB reports that months prior to its massive breach, a security researcher warned Equifax that an employee portal “was completely exposed to anyone on the internet. [The portal] displayed several search fields, and anyone—with no authentication whatsoever—could force the site to display the personal data of Equifax’s customers…” The fact that this vulnerability was left unpatched for months “opens the possibility that more than one group of hackers broke into the company.” (Source: Motherboard)

Equifax’s regulatory fallout intensifies with new U.K. Financial Conduct Authority investigation. The U.K.’s Financial Conduct Authority has announced it will investigate Equifax in the wake of 694,000 UK citizens having their personal data compromised. @kayewiggins reports that, “The regulator has the power to fine the firm or even withdraw its authorization, which would prevent it from running credit checks in Britain.” (Source: Bloomberg Technology)

Speaking of Equifax’s lax security…10 percent of surveyed financial firms were hacked in 2017. New research from Security Scorecard found that financial firms were much more susceptible to hacks than telecommunications (3 percent hacked in 2017), transportation (2 percent) or manufacturing firms (1 percent). In addition, the report also found that “Only 25 percent of the Top 20 FDIC-insured banks (ranked by cybersecurity performance) received an ‘A’ grade in DNS Health,” and that the “financial services industry had more malware events than five other industries combined.” (Source: Security Scorecard)

Trump Administration’s cybersecurity strategy in process. Last week, White House Homeland Security Adviser @TomBossert45 announced that the White House plans to start drafting a new cybersecurity strategy. @Joseph_Marks_ reports that the strategy is likely to be based off of three main components: “improving the security of federal government computer networks; leveraging government resources to better secure critical infrastructure, such as hospitals, banks and financial firms; and establishing norms of good behavior in cyberspace and punishing bad behavior.” While @TomBossert45 would not provide a timeline for the strategy’s release, he did say that, “As soon as we’re prepared to put forward a strategy that will be beneficial to the government and the nation, we’ll do so.” (Source: Nextgov)

Citing executive privilege, White House blocks cyber czar from testifying in Senate. White House Cyber Coordinator Rob Joyce’s absence from the Senate Armed Services hearing led Chairman John McCain (R-AZ) to comment: “I would also like to note at the outset the empty chair at the witness table… Unfortunately, but not surprisingly, the White House declined to have its cyber coordinator testify.” Sen. McCain left open the possibility to pursue Sen. Bill Nelson’s (D-FL) suggestion of subpoenaing Rob Joyce. (Source: The Hill)

Breach du jour: LG home appliances. A vulnerability found in the LG SmartThinQ application could have allowed hackers to “take over a user’s account and control connected appliances such as their oven, refrigerator, dishwasher, washing machine, air conditioner and more.” Check Point Software Technologies, the security researchers who discovered the flaw, stated that the vulnerability also “gave attackers the potential to spy on users’ home activities via the Hom-Bot robot vacuum cleaner video camera.” (Source: Yahoo News)

Americans’ mobile device cyber hygiene has improved by more than 50 percent in the past 5 years. A CTIA study finds that “77 percent of Americans use PINs/passwords on their smartphones, a 54 percent increase in the last five years,” and that “(n)early 50 percent of Americans have an anti-virus program installed on their smartphone, a 58 percent increase in the last five years.” (Source: CTIA)

Events

National Consumers League
Published November 2, 2017

The #DataInsecurity Digest | Issue 54

October 17, 2017/by

Issue 54 | October 18, 2017

#DataInsecurity Digest: Equifax aftermath continues; cyber veteran to head DHS

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: President Trump’s new pick to head DHS, cyber veteran Kirstjen Nielsen, will certainly have her hands full as the aftermath of the Equifax breach continues. Equifax grabbed new headlines this week when a second breach came to light. This time, hackers prompted visitors to Equifax’s website to download a fraudulent Adobe Flash update, which could compromise their computers. This recent revelation caused the IRS to pause a $7.1 million contract with Equifax over security concerns. Meanwhile, Hyatt Hotels was once again the subject of a point-of-sale data breach when 41 of its properties’ systems were attacked, leading to compromised customer credit card information.

On to the clips!

—————–

Equifax breach 2.0. After compromising 145.5 million consumers’ sensitive data, Equifax is the subject of a second data breach. @dangoodin001 reports that “For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware…” (Source: Ars Technica)

Equifax blames its vendor for the mistake. Equifax told Politico’s Morning Cybersecurity that the new breach was not a hack, but rather the result of faulty code used by a vendor. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content.” (Source: Politico)

IRS suspends contract with Equifax. After news broke of a second Equifax data breach, the IRS temporarily suspended its $7.1 million data security contract with the troubled credit bureau. The contract was meant to provide fraud prevention and taxpayer identification services for the IRS. @KathyKristof reports that “The agency does not believe that any data the IRS has shared with Equifax to date has been compromised, but the suspension was taken as ‘a precautionary step.’” (Source: CBS News)

CEOs pivot their focus to cybersecurity. A KPMG LLP survey found that CEOs now rank cybersecurity as their top investment focus. “This is something a lot of us just didn’t have to worry about five years ago—someone else was handling that,” says Michael Riggs, chief executive of car-hauling company Jack Cooper Holdings Corp. But now, “any CEO who’s not putting this at the top of their priority list is crazy.” (Source: Wall Street Journal)

Trump nominates cyber veteran Kirstjen Nielsen to head DHS. Last week former chief of staff at the Department of Homeland Security Kirstjen Nielson was picked by President Trump to lead DHS. @steveholland1 reports that, in addition to serving on George W. Bush’s White House Homeland Security Council, “Nielsen previously worked at a cyber think tank at George Washington University … and is considered well-versed in some of the more technical missions at the department, such as sharing cyber-threat information with the private sector.” (Source: Reuters)

Breach du jour: Hyatt Hotels. Hyatt Hotels announced that 41 of its properties were the subject of a POS data breach. The breach compromised data including cardholder names, card numbers, expiration dates, and internal verification codes, from cards manually entered or swiped at the front desk. This is Hyatt’s second breach in as many years. “In late 2015 Hyatt said its payment processing system was infected with credit-card-stealing malware, that had affected 250 hotels in about 50 countries.” (Source: Reuters)

DPRK hackers target electric grid. The cybersecurity company FireEye released a report that linked North Korean hackers to a spear-phishing campaign targeting America’s electric grid. “There is no evidence that the hacking attempts were successful, but FireEye assessed that the targeting of electric utilities could be related to increasing tensions between the U.S. and North Korea, potentially foreshadowing a disruptive cyberattack.” (Source: NBC News)

Suggested reading: Who is to blame when a data breach occurs? The council of Foreign Relations’ @robknake weighed in on this question with a solid rebuttal of Equifax’s dismissal of blame: “when companies like Equifax try to drum up sympathy by portraying themselves as the victim, we should all be extremely suspect. No one in corporate America should be surprised any longer that connecting their systems to the internet puts the data they hold at risk. All companies should recognize that protecting the data they hold is their responsibility.” @robknake argued that “[u]ltimately, the question of liability should not be about assigning blame, but how liability can be used in the interest of positive outcomes…If criminals can’t be held liable, or if doing so will not stop future breaches, there needs to be other ways to hold Equifax and other companies liable. If not, it’s the individual victims (you, me, all of us) who will be left holding the bag even though none of us ever asked Equifax to hold our data.” (Source: Council on Foreign Relations)

Events

National Consumers League
Published October 18, 2017

The #DataInsecurity Digest | Issue 53

October 4, 2017/by

Issue 53 | October 5, 2017

#DataInsecurity Digest: Momentum for action on data security standard building

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Momentum for federal action on data security standards continued to grow this week. Equifax’s ousted chief executive is testifying this week at four separate hearings in both the House and Senate to mixed reviews, so far. Verizon announced that a security review of its newly-acquired Yahoo unit discovered that 3 billion accounts were actually compromised in hacks, which was previously estimated at only 1 billion. Director Richard Cordray of the Consumer Financial Protection Bureau (CFPB) may have provided consumers with some peace of mind when he announced that the CFPB will begin monitoring the security practices of the giant credit reporting agencies to ensure that nothing like the Equifax breach ever happens again. Meanwhile, millions of credit cards have been compromised due to a point-of-sale breach at both Sonic Drive-In and Whole Foods.

On to the clips!

—————–

Bipartisan demand for more data security protections at Equifax hearing. Both sides of the aisle at Tuesday’s Energy and Commerce Committee hearing expressed outrage over the never-ending stream of data breaches. Rep. Joe Barton (R-TX) called for new federal laws to “put some teeth behind penalties for data breaches …[w]e could have this hearing every year from now on if we don’t do something to change the current system.” Rep. Barton also called for additional penalties so “that even a company that’s worth $13 billion would rather protect the data, and probably not collect as much data, than have to come up here and appear and say ‘we’re sorry.’” (Source: New York Times)

Yahoo breach actually impacted 3 billion accounts. The previously-reported 1 billion record breach at Yahoo (now known as Oath after its acquisition by Verizon) was actually much bigger. Try 2 billion records bigger. This makes the biggest-ever breach in history even larger by orders of magnitude. “On the one hand, this new information doesn’t really change things in a practical sense, because the initial billion account estimate was already enormous—you could safely assume you were impacted—and Yahoo took protective steps for all users in December,” writes @lilyhnewman. “On the other hand, three billion accounts.” (Source: WIRED)

CFPB to be one of the cops on the beat charged with protecting consumers’ data security. Consumer Financial Protection Bureau director Richard Cordray recently commented that, “[i]f [companies] are going to restore public confidence in this marketplace, and if they’re going to create the kind of reforms necessary, they’re going to have to recognize the old days of just doing what they want, being subject to lawsuits now and then, are over … We’re going to have monitoring in place that’s preventive. It’s going to be a different regime than we’re used to.” Codray also took a swipe at the credit bureaus’ past indifference to data security, saying. “[i]n the past they (credit bureaus) dealt with these problems on their own. They did the best they could. … That’s not good enough.” (Source: CNBC)

While the SEC’s data breach is smaller in size, its impact may be just as damaging as Equifax’s. SEC chairman Walter J. Clayton acknowledges that a breach at his agency “may have provided the basis for illicit gain through trading.” However, Clayton’s public response to the breach made matters even worse when he said that “even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.” This led @peterjhenning to reflect, “Those words are certain to be cited back to the SEC by any company — especially Equifax — when questions are raised about the systems it uses to prevent digital attacks and make a timely disclosure to the public when they do occur.” (Source: New York Times)

Breach du jour: Sonic Drive-In breach compromises up to 5 million credit cards. Last week @briankrebs broke the story that the fastfood drive-in restaurant was the subject of a point-of-sale breach after 5 million credit cards were posted for sale on the dark web. Krebs cautions that Sonic may not be responsible for all of the 5 million cards as, “there are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.” (Source: Krebs on Security)

Breach du jour part deux: Whole Foods. Last week Whole Foods announced that its full-service restaurants and taprooms were the subject of a point-of-sale breach. @justinwmmoyer of @washingtonpost reports that 56 stores across the country were impacted by the breach. The grocery store chain stated that as its “restaurants and taprooms use a separate checkout system and information, its grocery shoppers weren’t affected.” (Source: Wall Street Journal)

Government contractor and cybersecurity firm Deloitte hacked. While Deloitte claims that the breach impacted “very few” clients, @briankrebs reports that it may be much more widespread than the company is acknowledging. Krebs’ sources stated that “investigators still are not certain that they have completely evicted the intruders from the network,” and that the hackers “accessed the entire email database and all admin accounts … [b]ut we never notified our advisory clients or our cyber intel clients.” (Source: Krebs on Security)

Quick hit: McAffee report finds ‘health, public and education sectors collectively comprised more than 50 percent of all cybersecurity incidents.’ McAffee’s report also found that “the majority of publicly-disclosed cybersecurity incidents (78 percent) took place in the Americas.” (Source: Becker’s Hospital Review)

Events

National Consumers League
Published October 5, 2017

Health Advisory Council Newsletter | 2017 Q3

September 22, 2017/by

Health Advisory Council Newsletter Fall 2017

Welcome to the Q3 issue of the Health Advisory Council Newsletter. This quarter, NCL and Council Members have been active on many fronts. Please see our policy updates, a new Q&A with the FDA’s Office of Women’s Health, Member updates, and more.

Save the date! NCL Trumpeter Awards

We hope you will join us on October 25 in Washington, DC at the Omni Shoreham Hotel for NCL’s Trumpeter Awards Dinner. Many of you know and work with Dr. Janet Woodcock, Director of the FDA’s Center for Drug Evaluation and Research (CDER). We are delighted to honor Dr. Woodcock with NCL’s Florence Kelley Consumer Leadership Award. Kelley was NCL’s leader for our first 33 years and a towering figure in the Progressive Era. NCL will also honor Consumer Financial Protection Bureau Director Richard Cordray and Congressman John Lewis (D-GA) with the 2017 Trumpeter Awards. The sponsorship deadline is October 6! For more information, please contact Lee Granados, NCL senior director of development, at leeg@nclnet.org or (202) 207-2829.

NCL health policy at work

Defending the ACA, Medicare, and Medicaid

As part of the Protect Our Care coalition, NCL continues to be actively engaged in the nationwide effort to protect the Affordable Care Act, Medicare, and Medicaid through statements, letters, and social media channels. Like many of you, we are working with our colleagues in the consumer, patient, and public health communities to support a bipartisan effort that will strengthen and improve the Affordable Care Act and shore up, not undermine, the healthcare marketplace.

Click here for more NCL health policy updates.

Member spotlight

Get to know the FDA Office of Women’s Health with a new Member Q&A.

Updates on Member programs

Get the latest updates on programs, policy, and initiatives from our Members, including AARP, America’s Health Insurance Plans, Association for Accessible Medicines, and many more.

Stay tuned for upcoming meeting

We are in the process of planning our end-of-year Health Advisory Council Membership meeting for November/December. We look forward to having you join us and will let you know the date as soon as it is confirmed.

We want to hear from you!

If you have time-sensitive information and updates you’d like to share with the Health Advisory Council in between NCL’s quarterly newsletters, please contact Karin Bolte (karinb@nclnet.org) or Janay Johnson (janayj@nclnet.org), and we will be happy to forward your materials to the Council membership. We also encourage you to contact us with your ideas and suggestions for Council activities.

_______________

National Consumers League
Published September 26, 2017

NCL health policy updates | Health Advisory Council Newsletter | 2017 Q3

September 21, 2017/by

NCL health policy at work

Defending the ACA, Medicare, and Medicaid

Generic drugs

On September 15, NCL submitted comments to FDA in follow-up to the FDA’s July 18, 2017 public meeting on “Administering the Hatch-Waxman Amendments: Ensuring a Balance Between Innovation and Access.” NCL’s comments focused on the following areas: pay-for-delay agreements; product hopping; Citizen Petitions; REMS requirements and generics; and reducing the generic drug backlog at the FDA.

Biosimilar biological products

On July 13, NCL Executive Director Sally Greenberg testified in support of biosimilars at the FDA Oncologic Drugs Advisory Committee meeting consideration of Mylan’s biosimilar to Genentech’s HERCEPTIN (trastuzumab) for the treatment of HER2-positive breast cancer and gastric cancer.

On September 6, NCL submitted comments to CMS on the CY 2018 Medicare Physician Fee Schedule biosimilar payment policy. We urged CMS to include language that assigns each biosimilar product its own unique reimbursement code in order to preserve the physician-patient decision-making relationship and ensure robust biosimilar research and development.

Alzheimer’s Disease

NCL is proud to be a partner in WomenAgainstAlzheimer’s We Won’t Wait Campaign, which seeks to unite women in a widespread effort to define Alzheimer’s as the 21st Century’s primary economic justice issue and health crisis for women. The Campaign promotes advocacy, education, and action on 5 key pillars: public funding; sex-based research; economic justice; diagnosis and treatment; and brain health.

In August, NCL facilitated a meeting for advocates including Jill Lesser, President of WomenAgainstAlzheimer’s, and Dr. Lindsay Chura, Chief Scientific Officer of AARP’s Global Council on Brain Health, with Dr. Janet Woodcock, Director of the FDA’s Center for Drug Evaluation and Research (CDER), and other CDER staff. The group discussed the state of the Alzheimer’s drug pipeline and ways to encourage the development of Alzheimer’s treatments. We were pleased to hear FDA Commissioner Gottlieb speak on the topic and indicate that FDA would be clarifying the Guidance for the development of safe and effective Alzheimer’s treatments.

MyHealthPlan.guide

In preparation for Open Enrollment, NCL worked with America’s Health Insurance Plans (AHIP) to update and add new content to our joint MyHealthPlan.guide website, a comprehensive online tool that informs, educates, and engages consumers to better understand how health insurance works. The site provides consumers with easy-to-access, straightforward information to determine the health insurance coverage that is right for them and how to best use it to meet their personal health needs.

FDA Appropriations

This month, NCL participated with more than 20 members of the Alliance for a Stronger FDA in the Alliance’s September Advocacy Day on the Hill. NCL met with the offices of Senate Appropriations Ranking Member Leahy (D-VT), Agriculture, Rural Development, FDA, and Related Agencies Subcommittee Chairman Hoeven (R-ND) and other Subcommittee members to thank the Senators for supporting the FDA in the FY 18 appropriations cycle and to lay the groundwork for the FY 19 cycle.

Health Advisory Council Member Updates | Fall 2017

September 21, 2017/by

Updates on Health Advisory Council Member programs | Fall 2017

AARP
The Global Council on Brain Health (GCBH) launched its most recent report, Engage Your Brain: GCBH Recommendations on Cognitively Stimulating Activities. The full report and associated infographics can be reached via the hyperlinks in this update or online at www.GlobalCouncilonBrainHealth.org.

The GCBH agreed that stimulating your brain benefits cognitive health and impacts how well your brain functions as you age. The GCBH outlined 9 recommendations and provided practical tips to help maintain brain health, and explained the state of science on brain training. AARP is trying to get this practical guidance out broadly, so please pass it along to colleagues and friends.

America’s Health Insurance Plans (AHIP)
Over the past six months, the AHIP-convened Modern Medicaid Alliance (MMA) organized a comprehensive multi-state campaign to educate key policymakers about the value of the modern Medicaid program. This includes the innovative solutions used to deliver care through Medicaid and the impact Medicaid is having on the lives of tens of millions of Americans. Through meetings with Members of Congress, in-state thought leader summits, digital advertising, media outreach, and extensive deployment of the voices of MMA’s 37 member organizations and other stakeholders, the MMA is getting its message out about the importance of maintaining funding for Medicaid. The end goal is to protect and promote the health of the program’s 70 million beneficiaries. Thankfully, Congress did not pass legislation that would strip Medicaid of critical funding. So far that is.

This month, the MMA launched a “Medicaid Dashboard” in collaboration with Morning Consult. This customizable webpage allows visitors to easily view, parse, and interact with integrated Medicaid datasets; gives users the ability to convert data into social sharing and email content, or build reports to be used for presentations or as one-pagers or leave-behinds for use on Capitol Hill; and features polling results focused on today’s modern Medicaid program. It can be found on the Modern Medicaid Alliance website and will be updated as appropriate.

American Society of Health-System Pharmacists (ASHP)
ASHP is currently focused on its upcoming lobby day, Wednesday, September 27, 2017. ASHP will once again be highlighting the Pharmacy and Medically Underserved Areas Enhancement Act (H.R. 592, S. 109). Both bills have bipartisan support. ASHP is a lead member of the Patient Access to Pharmacists’ Care Coalition (PAPCC), which is spearheading the effort to pass the bills. NCL is also a member of PAPCC. ASHP will also discuss drug prices, express support for the 340B program, and ASHP’s continued focus on addressing the opioid epidemic.

Further, ASHP recently commented to CMS on two proposed rules, the physician fee schedule proposal and the Hospital Outpatient Prospective Payment System (HOPPS) rule. On the physician fee proposal, ASHP is pleased to see a payment mechanism for the Diabetes Prevention Program. For the HOPPS proposed rule, ASHP expressed concern over a proposed cut to reimbursement rates for entities participating in the 340B drug discount program.

Association for Accessible Medicines (AAM)
On September 12-13, 2017, the Association for Accessible Medicines (AAM) and its Biosimilars Council brought together industry representatives, U.S. government officials, and academic experts to discuss the future of biosimilars at the 2017 AAM Biosimilars Council Conference – Leading on Biosimilars. The event featured presentations from key industry leaders, including Andy Slavitt, former Acting Administrator for the Centers for Medicare and Medicaid Services (CMS) and Adrian van den Hoven, Director General of Medicines for Europe.

A focus of the conference was biosimilar education and sessions dedicated to educating the public, patients, and healthcare professionals about the safety and effectiveness of biosimilars. The Council used the conference as a platform to announce an update to its handbook, The New Frontier for Improved Access to Medicines: Biosimilars & Interchangeable Biologic Products. The updated handbook is a reference tool for all stakeholders, and in particular patients and healthcare professionals interested in learning more about biosimilars and interchangeable biologics. The publication explains the benefits and science behind biosimilar medicines — safe, effective alternatives to costly biologic therapies. It also explains who will benefit from access to these medicines, outlines the legal and regulatory framework, and illuminates the quality manufacturing and development process in approachable language.

Additionally, AAM and the Council announced the results of a new patient access study, “Biosimilars in the United States: Providing More Patients Greater Access to Lifesaving Medicines” published by Avalere Health for the Council. The study found that 1.2 million U.S. patients could gain access to biologics by 2025 as the result of biosimilar availability. Women, lower income, and elderly patients would particularly benefit from access to biosimilar medicines. These and other resources are available on the Biosimilars Council website, here.

Consumer Healthcare Products Association (CHPA) Educational Foundation
Reminding Parents about Safe Storage during June’s National Safety Month

For the third year in a row, the Up and Away campaign championed the critical importance of safe medicine storage for National Safety Month, specifically highlighting the risks of unsafe storage during the summer travel season. Utilizing the most effective tactics of past rallies, the campaign reached more parents and caregivers than ever before. Through partner activation, highly targeted Facebook and Instagram advertising, radio news, and influencer marketing with eight diverse bloggers, the Up and Away campaign garnered more impressions than the 2015 and 2016 National Safety Month rallies combined, and is our single most successful rally yet, with more than 43 million impressions. A big thank you goes to FDA, CDC, and all of our PROTECT Initiative partners for sharing our messages around safe storage during the busy summer travel months – a habit that will keep kids safe all year long.

FDA Center for Drug Evaluation and Research (FDA/CDER)
On September 14, 2017, the U.S. Food and Drug Administration (FDA) launched an educational campaign aimed at raising awareness about the value of generic drugs, or generics. The campaign is designed to impart two central messages:

Generic drugs have the same safety, effectiveness and quality standards as their name-brand counterparts; and
Patients and their doctors should talk to each other about exploring generic alternatives to brand-name medications.

The campaign consists of a consumer-focused 30-second television public service announcement (PSA), a print and digital campaign for health care professionals, and updated FDA web content, including fact sheets and infographics, for the consumer audience. Look for campaign materials, including the PSA, at http://www.fda.gov/genericdrugs.

Momenta Pharmaceuticals, Inc.
Momenta Pharmaceuticals, along with a number of NCL Health Advisory Council members, participated in the July 18 meeting at the FDA examining regulatory actions to ensure that the intended balance between encouraging innovation in drug development and accelerating the availability to the public of lower cost alternatives to innovator drugs is maintained. The FDA Commissioner, along with a number of stakeholders, consumers, industry, and academics alike, called for action to accelerate generic and biosimilar approvals, eliminate barriers to access to reference products, and promote patient access in a variety of ways. The presentations and testimony can be viewed at: https://www.fda.gov/Drugs/NewsEvents/ucm563986.htm.

National Alliance for Caregiving
Join the National Alliance for Caregiving for the 12th Annual National Conference of Caregiver Advocates. Our one-day meeting will be hosted in partnership with the American Society on Aging at the Aging in America 2017 Conference, on Monday, March 26, 2018 in San Francisco. For more, go to http://www.caregiving.org/coalitions/annual-conference/.

National Association of Nurse Practitioners in Women’s Health (NPWH)
NPWH is in full swing preparing for its 20th Annual NPWH Premier Women’s Healthcare Conference on October 11-14, 2017 in Seattle. NPWH will host more than 600 attendees for learning, reflecting, and networking. Shortly after the conference, on November 2, NPWH will convene its second annual Healthy At Any Age: Women’s Health After 50 summit. NPWH is also excited to have just published the fourth edition of its NPWH Well-Woman Visit App, featuring a new section on menopause.

National Council on Patient Information and Education (NCPIE)
This October, NCPIE’s annual “Talk About Your Medicines” Month will focus on potential risks of combining alcohol and medications — a compelling health and safety issue. Our theme is Think Before You Drink — sometimes, alcohol and medicines don’t mix. This can be especially so for America’s aging Baby Boomers and older adults. BeMedWise.org will offer tips and resources for patients, caregivers, and health care providers to help prevent medication interactions and important facts about aging, alcohol, and prescription medications. Please contact Deborah Davidson at ddavidson@ncpie.info to get the 2017 TAYM Month communications toolkit.

National Partnership for Women and Families
The National Partnership for Women & Families analyzed new data released on September 12, 2017 by the U.S. Census Bureau, which points to significant gains for women in access to health insurance under the Affordable Care Act (ACA). The ACA corrected longstanding, discriminatory gaps in access to insurance coverage for women by expanding Medicaid coverage, establishing marketplaces to shop for insurance, and providing financial assistance to make coverage affordable. The ACA also guaranteed coverage for a robust scope of benefits, including maternity care, preventive care, mental health services, prescription drugs and more. Nonetheless, as the data show, progress is still needed to ensure all women have health coverage and persistent health disparities are eliminated. Check out the National Partnership’s analysis of the health insurance coverage data here.

Pharmaceutical Research and Manufacturers of America (PhRMA)

Healthcare Ready has been activated for Hurricane Maria, and remains engaged for Hurricanes Harvey and Irma. The organization has been working with private sector partners to restore healthcare operations and reconnect patients to healthcare following these natural disasters. The Rx Open map (rxopen.org), which covers more than 90% of all pharmacies in the US, has been activated for TX, LA, FL, GA, SC and Puerto Rico. The attached infographic highlighting some of our work and our emergency pages can be found at: healthcareready.org/Maria, healthcareready.org/Harvey, and healthcareready.org/Irma.

USP
On September 19, 2017 at the United Nations General Assembly in New York City, USP launched the Quality Institute — a unique program established to enable evidence-based discussions and provide the rationale for investments in quality of medicines.

The USP Quality Institute will provide much-needed research and data to enable evidence-based policy decisions that can help increase the availability of quality medicines everywhere, helping to build a foundation for a healthier world. The Quality Institute will help to provide governments and health policy makers with better data about the benefits of quality medicine to make strategic decisions about where to invest scarce resources. For more information, please contact Amy Sonderman at amy@usp.org.

Valeant Pharmaceuticals International, Inc.
Valeant is a global specialty pharmaceutical company focused on fulfilling our mission of improving people’s lives with our health care products. We develop, manufacture and market a range of pharmaceutical products, primarily in the specialty therapeutic areas of eye health, gastroenterology, and dermatology. Our leadership is delivering on our commitment to patients and society, as we build a sustainable company dedicated to advancing global health. In May 2016, Valeant established a Patient Access and Pricing Committee to help our company ensure patients have the best possible access to our products. Additionally, we have pledged that the average annual price increase for our prescription products will be set at no greater than single digits and will be below the 5-year weighted average of increases within the branded biopharmaceutical industry.