
Drew R. Barnholtz, Counsel

Phone: 202-524-4140


Drew Barnholtz brings to Ifrah Law over 15 years of corporate, entrepreneurial and law firm experience, focused on regulatory and transactional matters in the life sciences, health care and manufacturing industries. His clients value his advice, knowing that it is informed by a career rich in the kinds of experience that yield keen insight, good judgement, and a bottom-line business orientation.

Before joining Ifrah Law, Drew served as a corporate lawyer with particularly diverse transactional experience. He also knows first-hand the challenges faced by in-house counsel: he served as Assistant General Counsel at Invacare Corporation, a $1+ billion manufacturer of durable medical equipment, and as Assistant General Counsel for University Hospitals, one of the nation's leading health care systems. In these positions Drew tackled a number of complex issues, including:

  • Advising clients on commercial transactions, acquisitions/divestitures, compliance, licensure, bond financing, and a variety of agreements
  • Drafting and implementing a range of compliance programs (including for HIPAA), policies and procedures, accreditation applications, and Plans of Correction for deficiencies cited in a survey
  • Providing analysis and opinions on Stark and the Anti-Kickback Statute for pharmacy, post-acute, physician and lab clients
  • Drafting a private placement memorandum, business plan and subscription agreement for a start-up company
  • Providing regulatory interpretation and advice for medical equipment manufacturers regarding FDA registration and listing requirements
  • Negotiating, as a key team member, a Consent Decree with the FDA, and the remediation and planning efforts required to comply with the Consent Decree

Drew has spoken to health care industry gatherings on numerous topics, including the Affordable Care Act, responding to FDA investigations and negotiating consent decrees, and trends in hospice care investigations and enforcement, and has written several articles.

"To Refer, Or Not To Refer? OIG's Outdated Health Care Referral Restrictions," Healthcare Business Today, March 24, 2016
Drew Barnholtz, Presenter, "Compliance Trends For SNFs, ALCs & Hospices," AHLA's Long Term Care and The Law, Loews Portofino Bay Hotel, Orlando, FL, February 24, 2016

Can Your Pacemaker Be Hacked?


Tom Kellermann, CEO of Strategic Cyber Ventures guest co-authored this post.

A well-known episode of Homeland involved a terrorist gaining access to the Vice President's pacemaker. In the real world, the legal status of probing medical devices for that kind of weakness has been shaped by the Digital Millennium Copyright Act (the DMCA). The DMCA makes it "illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works," and because device firmware is copyrighted software, security research on a device can run afoul of that prohibition. Section 1201 of the DMCA allows exemptions to be adopted every three years through a rulemaking by the Librarian of Congress. In the most recent rulemaking, a number of exemptions to the anti-circumvention provision were adopted for numerous technologies, including personal medical devices. Although the exemptions were issued on October 28, 2015, the security research exemption carried a twelve-month delay and only took effect on October 28, 2016. A number of legal safeguards remain in place, and the need for safeguards against cybercrime in the healthcare context remains compelling.

What does this mean for patients who are using portable medical devices?

The exemption removes a legal barrier for researchers who want to set up controlled experiments aimed at finding and fixing vulnerabilities in these devices. Two of the new exemptions bear on medical devices. The first lets a patient get at the data in his or her own device and reads as follows: "Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system." The second covers good-faith security research on computer programs, including those running on implanted medical devices and their corresponding personal monitoring systems. To qualify, the research environment must meet certain criteria: (1) the computer program, and any device on which it runs, must be "lawfully acquired"; (2) during the research the device or computer program must operate "solely for the purpose of good-faith security research"; and (3) because of the one-year delay, circumvention carried out before October 28, 2016 is not covered.

How does this open up the field for more research opportunities?

The exemption rule allows for "good-faith security research," which is defined as "accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement." In practical terms, security researchers can, in a controlled environment, access medical devices to search for vulnerabilities so that vulnerable software can be patched before it is exploited. The exemption removes DMCA anti-circumvention liability for that work and therefore lowers the legal risk of publishing and discussing the results. It is not a blanket license, however: the exemption requires that the research not violate any other applicable law, expressly including the Computer Fraud and Abuse Act, and a Section 1201 rulemaking cannot exempt the distribution of circumvention tools. Researchers should therefore still coordinate with the manufacturer and document that the devices were lawfully acquired and tested in isolation from any patient or hospital network.

Why do we need this type of research?

A wave of cybercrime hit the healthcare sector in 2016. According to TrapX, attacks against the sector grew 63% year over year. Many of these intrusions used medical devices such as X-ray machines and blood gas analyzers as back doors into hospital networks. Such devices are easy to compromise: they typically run on embedded or legacy platforms that cannot host endpoint security software, and they are rarely patched. The ransomware attack that crippled MedStar Health's hospital networks in March 2016 underscored how defenseless the sector is. The culture of the healthcare sector has been to adopt technology with minimal regard to the cybersecurity of the networks it runs on. The cybercrime community took note in 2016, and the ransomware attacks against the healthcare sector served as a canary in the coal mine. The vulnerability of medical devices poses a systemic risk to the sector's digital health.

Historically, medical device manufacturers have been reluctant to let outside security experts look at their code, for fear that flaws in their software will be revealed and expose them to regulatory scrutiny or lawsuits. More recently, some of the larger medical device manufacturers (e.g. Philips and Dräger) have published coordinated vulnerability disclosure policies, which in essence invite researchers to look for software flaws in their devices and state publicly how the company will handle reported vulnerabilities. For device manufacturers it is important to note that the FDA is encouraging this type of research to increase patient safety and reduce cybersecurity threats.

Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the Center for Devices and Radiological Health, a division of the FDA, stated that "The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices." On December 29, 2016 the FDA issued the final guidance "Postmarket Management of Cybersecurity in Medical Devices." Under that guidance, device manufacturers may need to report cybersecurity-related modifications to devices already in the field to the FDA under 21 CFR Part 806, the corrections and removals reporting regulation; the guidance ties this to the manufacturer's obligations under the Quality System Regulation (21 CFR Part 820). Device manufacturers need to take security into account through a product's entire lifecycle, starting with its development, so that a device keeps performing safely even if the hospital network it sits on is compromised. The FDA indicated that most routine cybersecurity updates and patches will not trigger a reporting obligation, but the guidance leaves open the possibility that changes made to fix a vulnerability that poses an uncontrolled risk to patient safety will have to be reported. As a result of this guidance, it is important for manufacturers to coordinate their cybersecurity efforts. The relatively new DMCA exemption can help foster that dialogue and bring vulnerability research to bear on reducing the threat of future cyber-attacks on critical medical devices used by patients. In 2017, an individual's physical well-being is going to depend on the digital health of medical devices.

What Proactive Risk Management Steps Can Be Taken in 2017 to Increase Security?

Listed below are some proactive steps that medical device manufacturers can take to decrease the risk of cybersecurity vulnerabilities and attacks.  With the advent of new research into cybersecurity, the hope is that additional technology improvements will take place to allow for even further safety and evolution of security for medical devices.

Proactive Risk Management for 2017

  1. Require regular penetration tests of medical devices and of the networks on which they are developed and deployed.
  2. Deploy a DeceptionGrid.
  3. Deploy User and Entity Behavior Analytics.
  4. Deploy two-factor authentication (e.g. biometrics) with contextual verification.
  5. Integrate intrusion prevention systems with breach detection systems.

Source: Strategic Cyber Ventures 2017


To Refer, Or Not To Refer? OIG’s Outdated Health Care Referral Restrictions


The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services, which enforces the federal Anti-Kickback Statute, has long been averse to referral services that don't meet certain criteria. To get safe harbor protection against a possible enforcement action, the referral service can't exclude any qualified provider from participating in the service, and payments for referrals have to be reasonable and cannot be tied to the volume or value of the referrals that are made. All this complexity doesn't simply keep referral services from earning a legitimate living; it denies patients access to superior healthcare options.

In a time when patients gravitate toward online resources, the OIG's restrictions on medical referrals appear horribly out of date. Generally, when people want to find a pharmacy, lab, or doctor, they ask a friend or family member. In many circumstances, though, such as moving to a new city and not knowing anyone, people are likely to go online. There they will find numerous referral services that can steer them to many reputable providers, who are often happy to pay for the introduction. This type of commercialized referral happens all the time in private industries, but because the government pays for healthcare (in the case of Medicare and Medicaid), it gets to set the rules for that space. Many of these rules are legitimately designed to protect against fraud and misuse of public funds, but that shouldn't make them impervious to revision.

Thankfully, this has not escaped the notice of referral services or even of the OIG, which has issued some enlightened opinions on the matter; case in point, OIG Advisory Opinion No. 11-18. In 2011, a web-based provider of billing, electronic record, and patient messaging services asked whether it could offer a coordination service whereby physicians would pay a transmission fee for connecting to other providers in order to share patient information, provider numbers, and clinical data. In response, the OIG determined that this service would not be afforded protection under the safe harbor, but that it would not warrant enforcement action either. In this instance, and in many others in today's marketplace, the referral service isn't a health care provider that bills the government, but a third-party provider of software and services. What would be the harm in facilitating the transmission of information between referring providers so that a patient can receive care? Here the OIG acknowledged that the fee was set at fair market value, that it would be assessed whether or not a patient followed through, and that it was unlikely to influence a provider's decision to refer to any particular person or entity.

When the referral services safe harbor was drafted it made some sense for the OIG to suspect that an online referral service could charge a fee to steer patients to a particular provider, thereby exploiting federally reimbursed services and products.  However, in most cases, online referral services are there simply to expand access to care, allow patients to have more choices, and help them find options that best suit their needs.  In any other industry it makes perfect business sense for a referral service to charge its users a fee in order to recoup the cost of implementation (if any) and achieve a profit. It’s high time the OIG gives medical referral services the air they need to do the same. Modifying the safe harbor could take a lot of time and effort, but the OIG can take it upon itself to revise its interpretation of the safe harbor’s requirements without having to turn a blind eye to the law.
