Kat Jercich

Kat Jercich is the Senior Editor at Healthcare IT News. Her writing has appeared in the New York Times, the Washington Post, The Advocate, and others. Previously, she was Vice President and Managing Editor at Rewire.News.

Hands on a keyboard
By Kat Jercich | 01:16 pm | November 04, 2021
The registration page in its original form was not usable for those who used screen-reader software or who didn't have a computer mouse.
Victoria, the company's childbirth simulator
By Kat Jercich | 10:51 am | November 04, 2021
Gaumard Scientific vice president Jim Archetto said the goal is to place providers into the kind of "low-frequency, high-risk" environment they might not often encounter in a clinical setting.
CISA Director Jen Easterly
By Kat Jercich | 04:09 pm | November 03, 2021
The Cybersecurity and Infrastructure Security Agency this week released a binding operational directive requiring federal agencies to patch known exploited vulnerabilities carrying "significant risk" to the federal enterprise.

The directive also established a catalog of nearly 300 vulnerabilities, each with an accompanying due date for taking action. Roughly a third of those due dates fall within two weeks.

"This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf," explained the directive.

"These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information," it continued.

WHY IT MATTERS

As reported by the Wall Street Journal, the directive is one of the widest-ranging mandates of its kind.

It applies to all departments and agencies, save for the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence. The Journal noted, too, that the directive is the first to require patches for both internet-connected and offline systems.

Agencies have until November 17 to address the vulnerabilities discovered by cyber professionals in 2021, and up to six months to fix the remaining 200 or so flagged in previous years.

"These default timelines may be adjusted in the case of grave risk to the Federal Enterprise," the directive read.

Agencies are also required to review and update agency internal vulnerability management procedures, including providing a copy of those procedures to CISA upon request.

The policies must, at a minimum:

- Establish a process for ongoing remediation of CISA-identified vulnerabilities.
- Assign roles and responsibilities for executing directive-required agency actions.
- Define necessary actions required to enable prompt response to directive-required actions.
- Establish internal validation and enforcement procedures to ensure adherence with the directive.
- Set internal tracking and reporting requirements to evaluate adherence with this directive, as well as provide necessary reporting to CISA.

In addition, agencies must report on the status of listed vulnerabilities.

The listed flaws originate with a range of companies, including Google, Apple and Android, although Microsoft is the vendor that appears most frequently. CISA said it will regularly update the catalog.

CISA said the directive does not replace BOD 19-02, a 2019 directive that requires remediation of critical and high vulnerabilities on internet-facing federal information systems.

"Instead of only focusing on vulnerabilities that carry a specific [common vulnerability scoring system] score, CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors," said the agency in a fact sheet accompanying the directive.

CISA Director Jen Easterly noted on Twitter that the vulnerability catalog could help members of the private sector as well.

"The [binding operational directive] applies to federal civilian agencies; however, ALL organizations should adopt this directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations," she wrote in a post on Wednesday.

"Knowing which vulnerabilities are currently being exploited by cybercriminals allows the private sector to leverage CISA’s expertise to operate on a more level playing field, and should be an important tool in the never-ending fight against cybercriminals," said Robert Cattanach, a partner at the international law firm Dorsey and Whitney, in a statement sent to Healthcare IT News.

THE LARGER TREND

Federal agencies have not been exempt from bad actors' attempts to take advantage of vulnerabilities – and the consequences are often wide-ranging.

One of the most prominent incidents in recent months, of course, was the SolarWinds breach, which led to the victimization of numerous agencies, including the National Institutes of Health and the Centers for Disease Control and Prevention.

The SolarWinds Orion Platform appeared on CISA's catalog of vulnerabilities.

ON THE RECORD

"The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise," read the directive.

"Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents," it continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
VA building plaque
By Kat Jercich | 11:51 am | November 03, 2021
In a pair of op-eds published in the Federal News Network, former Veterans Affairs Deputy Chief Information Officer Ed Meagher offered his take on the agency's beleaguered attempts to update its electronic health record system.

In short, said Meagher, the VA's legacy EHR, VistA "needs to be modernized, not replaced."

As he explained, "VistA meets all of VA’s current needs. It does need to be 'replatformed' and key elements need to be modernized, but those efforts were underway, at several orders of magnitude lower cost and risk, when the Cerner system was imposed on the VA.

"No amount of good intentions, hard work, heroic management, relentless oversight or endless funding will be able to overcome the fatal flaws of this massive, misbegotten program," Meagher added.

WHY IT MATTERS

Meagher, who served as deputy CIO at the VA from 2000 through 2006, and briefly as the agency's chief technology officer in 2006, has been a longtime critic of the VA's plans for an EHR overhaul.

"VistA represents 30 years' worth of knowledge, experience, data standardization, education, integration, reliability, research, institutional memory and best practices. Much of this will be lost or degraded under the Cerner system," he wrote in his first op-ed, published October 15.

He also called the VA's report following its three-month strategic review "very disappointing," given what he saw as a lack of consideration about the EHR modernization contract.

"Instead, a laundry list of high-level issues were identified, and high-level remedies recommended. At the heart of each of these remedies was the belief that better management, better oversight and just plain trying harder would ultimately succeed," he said.

In short, Meagher said, the replacement plan is a "self-inflicted wound that if allowed to proceed will fester, degrade and ultimately critically damage the VA’s ability to meet its mission."

At the same time, he acknowledged in his second op-ed, published this week, that stopping the EHRM program will likely mean lawsuits, criticism and degradation of trust.

With that in mind, he offered VA leadership "specific recommendations," including:

- Filtering next steps through a stringent view of what is best for veterans
- Transparently addressing practical, contractual, political, personal, personnel and organizational issues
- Examining the source of advice and counsel
- Protecting alternatives by fully funding and staffing the VistA program office
- Taking the time to "appreciate what you have" in VistA
- Turning to a third party for an end-to-end modeling simulation of the proposed solution
- Identifying the level of risks posed by the interdependencies of systems
- Engaging with rank-and-file members of the VA team
- Asking about enduring questions regarding the Cerner system and contract
- Appreciating the potential consequence if the EHR program fails

"The very best advice I can offer you is that in this moment it may appear that staying the course is your best option and that halting this multibillion-dollar juggernaut would seem like failure and a waste of money and the efforts of many dedicated and committed people. That is not the case," said Meagher.

THE LARGER TREND

VistA has been criticized for being outdated and for lacking ease of interoperability with the Department of Defense.

But, as Healthcare IT News has reported, the homegrown EHR system is relatively well-liked, particularly by its users.

"When people really look at the history of VA, it has over 20 to 25 years of creating health informatics. It's elevated the functionality requirements over time," Deanne Clark, senior health informatics consultant at DSS, said in 2017. "VA has been working with end users to really understand the software and users."

ON THE RECORD

"In the long run, when your servant leadership will be judged, when your pluses and minuses will be summed, it only matters that you do the right thing, for the right reasons, at the right time," wrote Meagher in his second op-ed.
A person getting prepped to receive a vaccine
By Kat Jercich | 02:56 pm | November 02, 2021
Among hospitalized patients, the agency found that those who had gotten two shots of the Moderna or Pfizer vaccine were less likely to test positive for COVID-19.
A medical professional on the computer
By Kat Jercich | 12:55 pm | November 02, 2021
Advocacy organizations and business groups, including the U.S. Chamber of Congress, argue that current law effectively prevents employers from offering virtual care to part-time or seasonal workers.
By Kat Jercich | 03:38 pm | November 01, 2021
The electronic health record vendor had asked the nation's highest court to review its case against Tata Consultancy Services earlier this year.
Clinician at a computer
By Kat Jercich | 12:48 pm | November 01, 2021
The groups say that the premature expiration of pandemic-era policies could leave patients, especially immunocompromised people, in the lurch.
A doctor on a laptop
By Kat Jercich | 09:47 am | November 01, 2021
The company logged 3.9 million visits in Q3, notching 37% growth from the previous year. But it reported $84.3 million in net loss, compared with $35.9 million for the same period in 2020.
Secretary Xavier Becerra
By Kat Jercich | 01:36 pm | October 29, 2021
The so-called SUNSET rule would have required the Department of Health and Human Services to review its regulations once a decade.