The Verge - Healths

US COVID-19 data has never been good enough

Posted: 20 Aug 2021 05:00 AM PDT

A Pop Up Covid-19 Vaccination Site As Cases Rise in Florida

When American experts first started to worry that COVID-19 vaccines weren't working quite as well against delta as they did against earlier coronavirus strains, they didn't have much domestic data to go on. The Centers for Disease Control and Prevention was only collecting data on post-vaccination COVID-19 cases if they led to hospitalization or death — the agency wasn't doing big-picture tracking of COVID-19 in vaccinated people. Only a few states and counties were collecting and publicizing that information.

The CDC was doing some analysis, but it wasn't sharing the information quickly, frustrating experts who hoped for a more dynamic picture of how the delta variant was affecting vaccinated people. The agency finally released some data this week as part of the justification for pushing booster doses of the COVID-19 vaccine, but the scope was still limited and came too late.

"It's not acceptable how long it takes for this data to be made available," a senior CDC official told The Washington Post. For the most part, US experts had to rely on vaccine data from other countries: Israel, Canada, the United Kingdom.

Data, or lack thereof, has been one of the biggest challenges in the US COVID-19 response. From the early days of the outbreak, health departments have struggled to collect information on cases, and often only had delayed and incomplete data. Most clinical trials investigating COVID-19 treatments were small and couldn't deliver conclusive answers.

Part of the problem was that the US has a fragmented public health system, and data is siloed off in individual hospitals. Places with national health systems, like the UK, were in a better position to understand big-picture trends through the pandemic — its National Health Service was able to run a multisite clinical trial to look at COVID-19 treatments, which eventually identified treatments that saved lives.

CDC is a retrospective agency, it's not in business of gathering real-time info that requires analytical work and providing partial answers. We relied on it to do these things mistakenly judging it's capabilities, resources, culture. We need to make reforms going forward.
— Scott Gottlieb, MD (@ScottGottliebMD) August 15, 2021

Over 18 months later, the problems in the US persist. Officials don't have a good grasp on where and how COVID-19 is spreading in certain groups, former Food and Drug Administration Commissioner Scott Gottlieb outlined on Twitter. The CDC isn't equipped to collect real-time data, he notes. That constrains the country's response.

Now, those problems are making it harder to understand the dynamics of coronavirus infections from the delta variant in vaccinated people in the US. Delta has only been the dominant coronavirus variant in the US for around two months, so it could take some time for the patterns to emerge. But officials are moving forward with booster plans based only on the limited information they have now. Hopefully, the data will eventually catch up with their actions.

Here's what else happened this week.

Research

U.S. officials' decision on Covid-19 booster shots baffles — and upsets — some scientists
Many experts say that the available data on vaccine efficacy doesn't support the decision to offer boosters to everyone. The shots still hold strong against severe disease. (Helen Branswell / Stat News)

Babies and Toddlers Spread Virus in Homes More Easily Than Teens, Study Finds
Young children, who can't be isolated when they're sick, are more likely to pass COVID-19 onto other people living in their household. (Emily Anthes / The New York Times)

Delta's rise is fuelled by rampant spread from people who feel fine
The virus starts building up around two days before people start showing symptoms of COVID-19. Most infections happen in the pre-symptomatic phase, making it harder to stop the spread. (Smriti Mallapaty / Nature)

Development

COVID-19 booster shots will be offered to Americans in September, Biden administration says
Pending FDA and CDC sign-off, federal officials plan to start offering boosters to healthcare workers, nursing home residents, and others who were the earliest to get initial shots. (Nicole Wetsman / The Verge)

What's safe to do during summer's Covid surge? STAT asked public health experts about their own plans
Most experts surveyed say they won't go to a movie or eat indoors at a restaurant, but they would get their hair cut — while wearing a mask. (Helen Branswell / Stat News)

A grim warning from Israel: Vaccination blunts, but does not defeat Delta
Vaccines are still working in Israel, but the number of vaccinated people who have severe cases of COVID-19 is raising concerns about waning protection in vulnerable populations. (Meredith Wadman / Science)

Perspectives

"When they started talking about covid coming out I was like, 'All right, we're gonna create a vaccine, there's gonna be a big demand for it, and Montana doesn't have a lot of access...I hate to say it, but I literally took advantage of covid-19 to open up and push forward."

— Kyle Austin, a traveling pharmacist, is the only person offering the Pfizer / BioNTech COVID-19 vaccine in some parts of Montana.

More than numbers

To the people who have received the 4.5 billion vaccine doses distributed so far — thank you.

To the more than 209,804,195 people worldwide who have tested positive, may your road to recovery be smooth.

To the families and friends of the more than 4,400,048 people who have died worldwide — 624,832 of those in the US — your loved ones are not forgotten.

Stay safe, everyone.

The pandemic revealed the health risks of hospital ransomware attacks

Posted: 19 Aug 2021 09:07 AM PDT

A natural experiment in Vermont helped show the impacts

In late October 2020, the University of Vermont Health Network was hit by a ransomware attack. The system couldn't access electronic health records for nearly a month. Every computer at UVM Medical Center was infected with malware. Hospitals in the network delayed chemotherapy and mammogram appointments, just as COVID-19 cases in the United States started to tick upward in what would become an enormous winter wave.

Intuitively, cyberattacks on hospitals seem like they'd be dangerous for patients. Shutting down computer systems shuts off access to patient scans, can lock physicians out of tools they need to provide care, and creates backlogs in the operating systems. But despite years of attacks, there's very little data on whether those disruptions actually caused harm.

The specific circumstances of the COVID-19 pandemic, though, gave experts an opening to see what the UVM attack meant for patient care. Because hospital systems were already strained caring for COVID-19 patients, any additional stressors — like a ransomware attack — could be seen more clearly. So, when a team at the United States' Cybersecurity and Infrastructure Security Agency (CISA) scrutinized the data, they were able to show that patients did worse in hospitals navigating a cyberware attack than in hospitals that didn't.

The findings, which are still unpublished, should help push back on any groups hesitant to say that cyberattacks are dangerous for patients, says Josh Corman, a senior adviser to CISA, the federal agency that advises on government and private sector cybersecurity issues. "We should stop pretending that there is no harm to human life from cyber attacks," he says.

Data gaps

Data in the field is so thin that experts turn to marathons to make the argument that cyberattacks will harm patients. They often point to one particular bit of research: a 2017 paper in the New England Journal of Medicine that looked at emergency care during marathons in the United States. The study found people who had heart attacks during a marathon were at higher risk of death within a month than people who had heart attacks on other days, likely because it took longer for them to get the care they needed.

It's not a perfect analogy, but like marathons (which close roads and cause delays for ambulances), ransomware attacks can force hospitals to divert ambulances or delay treatments. It's one of the clearer pieces of evidence available. It has been hard to get a good picture of the same phenomenon during ransomware attacks because the numbers tend to be so small, says Mark Jarrett, chief quality officer at Northwell Health in New York. "You really need an approach that looks at data across the country, so you can get a large enough denominator that you'll be able to get a numerator that really means something," he says.

Hospitals also tend to be tight-lipped about ransomware attacks. They sometimes go days before announcing that systems are down because of a cyberattack, and often don't share many details about the impact an attack is actually having on day-to-day operations. It would likely be a challenge to convince an organization to agree to any investigation into the impact of an attack on its patient care, says Sung Choi, assistant professor at the University of Central Florida department of health management and informatics who studies healthcare cybersecurity.

"They're very careful about releasing data on mortality, because that links directly to the reputation of the hospital," he says.

There hasn't even been a close analysis of the potential health harms from the 2017 WannaCry cyberattack, which downed computers across the United Kingdom's National Health Service and threw the system into chaos, Corman says. Just looking at stroke patients should give a sense of what the harm might have been, he says — if people having a stroke don't make it to a health facility that can handle the emergency quickly, they're more likely to have a bad outcome. During a few days of the WannaCry attack, there were no stroke centers open in London. "The official line is that no one died. It strains credulity," he says. "There's such a palpable, visceral reluctance to admit that we've lost lives because of cybersecurity."

Connecting the dots

The pandemic gave Corman and his team at CISA an opening to get a clearer picture of the harm caused by ransomware attacks. The work started with its analysis of excess death during the pandemic. Excess deaths, which count the number of deaths above normal during a given time of the year, help outline the true toll of an event like a COVID-19 outbreak — it helps show COVID-19 deaths that may have not been counted in the official toll, and how many people may have died because of disruptions in their care during the chaos of the pandemic.

The team was interested in trying to figure out ways to predict when there might be excess deaths regionally or nationally. Normally, when hospitals get overburdened because of a local emergency, they're able to divert ambulances, reschedule surgeries, and lean on the other healthcare resources in the community. There's slack in the system to make that possible. Eventually, they might reach a point where they weren't able to provide adequate care to the people they were treating, but it would take a long time to reach that point.

But during COVID-19 outbreaks, every hospital was under stress. "No one could absorb anything," Corman says. "Regions could shift through this more quickly." They'd reach a point where there were too many patients to handle faster than normal.

In their analysis, the CISA team figured out that once an area had a certain percentage of intensive care unit beds filled, they were more likely to start to see excess deaths two, four, and six weeks later. It was an inflection point — a strong indicator that the area was approaching a capacity issue that would tip over into higher death rates, Corman says.

With that metric in mind, the CISA team looked at the excess death data in the state of Vermont during the UVM ransomware attack. "It was a natural experiment in the state," Corman says. They found that during the same time period, with the pandemic going on in the background, hospitals affected by the ransomware attack reached that inflection point earlier than unaffected hospitals and remained there longer. "You're reaching that danger zone where you're going to see excess deaths two, four, and six weeks later more quickly," he says. "Water is wet, fire is hot, and we can now tell that cyber disruption introduces degraded or delayed patient care."

Data scientists working on the project also think Vermont was the best-case scenario, Corman says — in other states with poorer overall health, the effect might be more dramatic.

The UVM Medical Center did not respond to a request for comment.

The pandemic created an environment where the CISA team was able to see the impact of ransomware more easily — excess deaths were already so high that the trends and patterns were easy to pick out. The same patterns, though, likely hold true outside of the pandemic, Corman says. A ransomware attack puts stress on a hospital system, delaying care, which could lead to bad outcomes. The impact may be less dramatic when there isn't another emergency, but experts could use the same framework to scrutinize ransomware attacks at any time.

The CISA analysis is still ongoing and circulating through the federal government, and Corman isn't sure when the final conclusions will be published. But having a quantitative picture of how ransomware affects patient health could help spur organizations dragging their heels on cybersecurity into action, Northwell Health's Jarrett says. "Patient safety should always be driven by data, so having the data will make a big difference."

Data from CISA could be a good first step. Jarrett hopes there could also be analysis of harm to patients who don't necessarily die, but who have worse health outcomes because of delays in their care. "Not everyone dies, thankfully," he says. But a heart attack patient who isn't seen quickly enough could have permanent damage. "Your health going forward is not going to be the same level."

Any hospital facing down a ransomware attack should do their own analysis of what went wrong and what the implications were for patients, Jarrett says. "Clinicians in general tend to think of this as an information technology issue, and it really isn't. It's a patient safety issue."

Magnificent News

Friday, August 20, 2021