Hospitals and large healthcare organizations have increasingly become prime targets for cybercriminals. In response, the Department of Health and Human Services (HHS) has established a new initiative within the National Institutes of Health (NIH) aimed at enhancing cybersecurity measures for hospitals.

This initiative, called “Universal Patching and Remediation for Autonomous Defense” (UPGRADE), was launched on May 20. UPGRADE’s mission is to develop a tailored and scalable suite of software tools that will enable hospital IT teams to effectively combat ransomware attacks and reduce the time needed to patch vulnerable healthcare products from months to just days or weeks.

The Department of Justice (DOJ) reported that its False Claims Act (FCA) recoveries for civil cases raked in approximately $2.7 billion for fiscal year 2023, representing a $450 million jump from 2022 recoveries.  Of the $2.7 billion recovered by the DOJ for 2023, approximately $1.8 billion (67%) came from the health care sector.

The real headline, however, may be the record-setting number of new FCA cases initiated in 2023: 500 initiated by the government and 712 initiated by private relators, for a total of 1,212 new cases, over 250 more than the next-highest year (2022). Previous trends aside, this signals busy times ahead for the FCA.

On February 23, 2022, the Federal Bar Association (FBA) kicked off its fifth annual Qui Tam Conference to highlight key areas for False Claims Act (FCA) enforcement in the coming year. The conference opened with a keynote address by Gregory E. Demske, Chief Counsel to the Inspector General, Department of Health and Human Services (HHS), Office of Inspector General (OIG). Then, a series of panels analyzed the FCA-related developments from the prior year, recent efforts by the U.S. Department of Justice (DOJ) to combat cybersecurity fraud, and some of the schemes promoting alleged telehealth fraud during the ongoing COVID-19 public health emergency. Based on the comments of government speakers, all speaking in their individual capacities, below are key takeaways of what we expect the government to prioritize in 2022:

Pandemic-related fraud and telehealth fraud are key targets

Reinforcing the DOJ’s current enforcement priorities, we expect the DOJ to continue to focus its resources and enforcement activity on where it stands to recover the most dollars swiftly: pandemic-related fraud (e.g., misuse of CARES Act relief funds) and telehealth fraud.

During his keynote address, Demske similarly acknowledged these two areas of focus and added Medicare Advantage, the opioid epidemic, and nursing homes as ongoing priorities for OIG enforcement. Notably, Demske cited OIG’s Data Analytics Group as a robust resource for the agency to identify anomalies in large data sets (e.g., outlier distributions of CARES Act provider relief funds) that may lead to targeted enforcement.

For more information about the fraud and abuse implications of CARES Act provider relief funds, as well as practical tips for navigating the evolving CARES Act regulatory environment, please check this Reed Smith client alert.

A number of Congressional committees have recently held hearings on health policy issues, including the following:

  • House Energy and Commerce Committee hearings on “Cybersecurity in the Health Care Sector: Strengthening Public-Private Partnerships” and Food and Drug Administration (FDA) medical device user fees.
  • A House Oversight and Government Reform Committee hearing on “Federally Funded Cancer Research:

Recent Congressional hearings focusing on health policy topics include the following:

  • House Energy and Commerce Committee hearings on HHS cybersecurity responsibilities, Medicare and Medicaid program integrity, the Administration’s proposed Medicare Part B drug payment model, and patient-focused health insurance reforms.
  • House Ways and Means Committee hearings on implementation of the Medicare Access & CHIP Reauthorization

HHS is forming a new “Health Care Industry Cybersecurity Task Force” as part of the Administration’s effort to improve preparedness for cybersecurity threats affecting the health care industry.  HHS is accepting nominations for the Task Force until March 9, 2016.  Key qualifications for panelists include:

On January 22, 2016, the federal Food and Drug Administration (“FDA”) issued a draft guidance outlining postmarket recommendations for medical device manufacturers to address cybersecurity risks.  The draft guidance details the agency’s specific recommendations, which address monitoring, identifying and managing cybersecurity vulnerabilities in medical devices that are software, or contain software (including firmware) or programmable logic once they have entered the market. The draft guidance represents a part of the agency’s ongoing efforts to ensure the safety and effectiveness of medical devices in the face of potential cyber threats at all stages in their lifecycles.  Specifically, the draft guidance follows multiple public workshops on the issue and previous FDA guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which contains premarket recommendations for managing cybersecurity risks during the design stage of device development.  We previously blogged about this here.

As discussed on our sister Life Sciences Legal Update blog, the FDA is holding a public two-day workshop entitled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity” on January 20-21, 2016. The FDA seeks to bring together diverse stakeholders to highlight past collaborative efforts, identify tools to aid stakeholders in implementing disclosure

Yesterday the FDA issued final guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which includes recommendations for medical device manufacturers on cybersecurity management and information that should be included in a pre-market submission. The recommendations are intended to supplement previous FDA guidances, “Guidance for the Content of Premarket

The OIG has concluded that the HHS Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. In short, the OIG found that OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to

The Food and Drug Administration (FDA) has announced the availability of a new draft guidance document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The draft guidance identifies cybersecurity issues that medical device manufacturers should consider in preparing premarket submissions for medical devices – including Premarket Notifications (510(k)), Premarket Approval Applications