News roundup: Proteus may be no-teous, DOJ leads on Google-Fitbit, HHS’ mud fight, Leeds leading in health tech, malware miseries, comings and goings

Proteus stumbles hard, cuts back. The original ‘tattle-tale pill’ company, Proteus Digital Health, plans to lay off 292 people in the San Francisco Bay Area and to permanently close its three Redwood City and Hayward locations, starting 18 January, according to notices sent to California state and local offices, including the state employment development department. It is unclear where Proteus will be located after the closures.

This followed Proteus’ failure to launch a twelfth funding round of $100 million. According to reports, the company furloughed most of its employees for two weeks in November and is reorganizing. This comes after a substantial number of investors put in about $487M in funding through a Series H (Crunchbase), including a game-changing investment by Novartis dating back to 2010. Proteus achieved unicorn status about three years ago, but its high-priced pill tracking technology, with a pill sensor tracked by a skin-worn monitor reporting into a smartphone, has a built-in market limited to expensive medication. Otsuka Pharmaceutical in 2017 partnered with Proteus for an FDA-cleared digital medicine system called Abilify MyCite that basically put an off-patent behavioral drug back into a more expensive tracking methodology. But Proteus remains a great idea on tracking compliance in search of a real market, and may not have much of a future. San Jose Mercury News, CNBC

But ingestible detectable pills are still being tested. On Monday, as Proteus’ bad news broke, eTectRx announced its FDA clearance of the ID-Cap System and its testing at Brigham and Women’s Hospital and Fenway Health, focusing on HIV medication when used for treatment and prevention. Release, HISTalk

Department of Justice taking the lead on scrutinizing Google’s Fitbit acquisition. The Federal Trade Commission also sought jurisdiction over the transaction. According to the New York Post, “both agencies are concerned that a Google-owned Fitbit would give the search giant an even bigger window into people’s private data, including sensitive health information, sources said. Under the Hart-Scott-Rodino Act, all large mergers must file proposals with both the DOJ and the FTC, but only one antitrust agency reviews the merger.”

Coal from stockings being thrown about at HHS. According to POLITICO and the New York Times, the disagreements between Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), and the Cabinet-level Secretary of Health and Human Services (HHS), Alex Azar, have boiled over, enough to have to be settled by the President’s acting chief of staff, Mick Mulvaney. According to the Times, both President Trump and VP Mike Pence have told them to find a way to work together. Both are administration appointees, but President Trump has not been reluctant to cut a mis-performing or overly contrary appointee loose. The latest salvo from those obviously not on Ms. Verma’s side was the revelation that she requested compensation for jewelry stolen on a business trip, contrary to government policy of course. She was compensated for other items which is standard. (Isn’t that what homeowners’ insurance is for? And what sensible person actually travels with valuable jewelry?) Under Ms. Verma, CMS has been quite progressive in developing new business models in Medicare fee-for-service, moving providers to two-sided risk, and innovating in both Medicare and Medicaid. It will either be settled, or one or both will be gone. Pass the popcorn.

Leeds picks up another health tech company. Mindwave Ventures is opening an office there, as well as appointing Dr Victoria Betton and Dr Janak Gunatilleke to the roles of chief innovation officer and chief operating officer. Mindwave develops technologies around digital products and services in healthcare and health research. Leeds reportedly is home to over 250 health tech companies and holds an annual Leeds Digital Festival in the spring [TTA 11 April].

Ransomware attack hits Hackensack Meridian. Systems were down for about a week. While this large New Jersey health system hasn’t admitted it, sources told the Asbury Park Press that it was ransomware. And if it’s not ransomware, it’s Emotet and Trickbot. Read ZDNet and be very apprehensive for 2020, indeed, as apparently healthcare is just one big target.

Comings and Goings: There may be some end of year bombshells, but after last week’s big news about John Halamka, it’s been fairly quiet. Paul Walker, whom this Editor knew at New York eHealth Collaborative, has joined CommonWell Health Alliance as executive director. Mr. Walker was most recently Philips Interoperability Solutions’ vice president of strategy and business development. CommonWell’s goal is improving healthcare interoperability and its services are used by more than 15,000 care provider sites nationwide. Blog release, Healthcare Innovation ….Dr. Jacqueline Shreibati, the chief medical officer for AliveCor, is joining Google Health in the health research area. Mum’s the word when it comes to Fitbit (see above). CNBC ….Peter Knight has pleaded guilty to falsifying educational credentials to gain his position as chief information and digital officer at Oxford University Hospitals NHS Foundation Trust. He held that position from August 2016 until September 2018. BBC News

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to do is look at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they barely are able to talk to their like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California, cites the lack of interoperability and of patients’ ability to access their personal health data as a major barrier both to patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic was up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both sides of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months–between 1 August 2018 and 30 March 2019–and the breach involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spearphishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive — and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Yet another NHS cyber-vulnerability: fax machines

Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but their protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one.

The ‘how to’ is in the article. New ‘all in one’ printers which are connected to phone lines and wirelessly to networks can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax as illustrated above left. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer but others would be vulnerable as well. Online electronic fax numbers may also have problems.

NHS’ census, released via a FOIA request, indicates it uses 9,000 fax machines. NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health. 

The cybersecurity black hole–and bad flashback–that is the Internet of Things

One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?’)

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default login credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets.

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet-connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare….best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare 

UCLA Health data breach may affect 4.5 million patients

Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, compromising an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and that the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)

“Who do I call?” when the cyberalarm goes off

A top read for the weekend is this short article by Gillian Tett in the FT on the lack of coordination in the US in not only protecting systems from cyberattack, but also the lack of coordination between public and private sectors in protection–and when something does go wrong. As Henry Kissinger famously said about Europe when various crises loomed, ‘who do I call?’

Indicators of a gathering storm are everywhere:

* Wednesday’s hours-long, still unexplained outages at the NYSE and United Airlines. (The Wall Street Journal website going down for a bit was the topping on the jitters)

* A joint report from Cambridge University and Lloyds insurance group, also released Wednesday, estimated that a hack shutting down the US electrical grid would create $1 trillion in damage.

Roundup: data breaches ’round the world

Following on our review of recent articles on why medical identity theft is so attractive, here’s our review of data breaches in the news, including a new (to this Editor) report from Europe.

  • It’s not Europe, blame the UK! That is one of the surprising findings of a meta-review of all types of data breaches released earlier this month by the Central European University’s Center for Media, Data and Society (CMDS). While not specific to healthcare, it is the first study this Editor has seen on EU data breaches and is useful for general trends. 229 verified incidents were analyzed by the CMDS across 28 EU member countries plus Switzerland and Norway, 2005-3rd Quarter 2014, and includes unusual healthcare breaches such as Danish HIV patients’ personal information included in a PowerPoint presentation later published online. Key findings:
    1. 57 percent of breaches were due to insider theft, mismanagement or error; 41 percent were hacker-instigated
    2. It’s common: “for every 100 people in the study countries, 43 personal records have been compromised”
    3. In terms of impact, the UK by far, then Greece, Norway, Germany and Netherlands were the top five countries for incidents and numbers of records breached (report page 9)