DARPA’s $5.1M contract with Kryptowire to develop passive smartphone health monitoring, predictive analytics

Truly unobtrusive health monitoring on the horizon? The Defense Advanced Research Projects Agency (DARPA) has contracted with cybersecurity firm Kryptowire to develop a health monitoring and analytics app to assess the health and readiness of warfighters (to us civilians–soldiers, sailors, airmen, and Marines) especially in the field. The WASH program–Warfighter Analytics using Smartphones for Health–will use the data from smartphone sensors like microphones, cameras, pedometers, thermometers, and accelerometers (see DARPA illustration, left above). Through sensor-based information, physiological and cognitive symptoms can be captured and analyzed.

Based on their information, most of the assessment will be passive rather than actively diagnostic, and with an emphasis on predictive health and a real-time approach to disease detection and biomarker identification. Part of the challenge will be to filter out the ‘noise’–extraneous information also captured by these sensors on a daily and extraordinary basis. Security, of course, is a major concern. (Where better than to award the app development to a cybersecurity company?)

DARPA is fond of commercializing its technologies (remember something called DARPANET?) so this is planned for commercial release in due time. Usage in clinical trials is an area mentioned. One day we may all be wearing smartphones which unobtrusively monitor our health and positive behaviors. (I’ll leave it to our Readers to say Yay or Nay to this notion.)

The award is for $5.1 million. A development timeframe is not mentioned. Business Wire, DARPA WASH page, HealthcareITNews, Daily Mail (which amusingly tries to paint this as a spy program through an ACLU representative quote).

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care settings. Blue Cedar is securing the app through their patented code-injection technology, which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts’ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Ericsson report: will 5G close the healthcare gap from hospitals into the home?

Ericsson, one of Europe’s leading telecom companies, earlier this month published its latest ConsumerLab report, “From Healthcare to Homecare” on the next generation of healthcare enabled by the greater speed and security of 5G–the fifth generation of wireless mobile. Their key findings among consumers and industry decision makers contained surprises:

  • Growing frustration with hospital wait times. 39 percent prefer an online consult with a doctor versus waiting for the face-to-face.
  • Wearables are perceived as better ways to monitor and even administer medication for chronic conditions–nearly two in three consumers want them. But medical grade wearables will be required.
    • Yet the current state doesn’t lend itself to these wishes. “55 percent of healthcare decision makers from regulatory bodies say these devices are not sufficiently accurate or reliable for diagnosis. In addition, for liability reasons it will be very difficult to rely on patients’ smartphones for connectivity….medical-grade wearables will be required. Such devices could also automatically dispense medicine and offer convenience to those recovering from surgery.”
  • +/- 60 percent of surveyed consumers believe that wearables will improve lifestyles, provide personalized care, and put people in control of their own health.
  • There are real security concerns that 5G is expected to address: “61 percent of consumers say remote robotic surgery is risky as it relies on the internet….47 percent of telecom decision makers say that secure access to an online central repository [of medical records] is a key challenge and expect 5G to address this.” Surprisingly, only 46 percent of cross-industry decision makers consider data security to be an issue. Battery power is also a significant concern for over half in wearables, a problem that over 40 percent believe will be helped by 5G.
  • Even more surprising is the lack of desire for consumer access to their medical records–only 35 percent of consumers believe that it will help them easily manage the quality and efficiency of their care. In contrast, 45 percent of cross-industry experts consider the central repository as a breakthrough in healthcare provisioning.

Decentralizing care into the home is seen as worthwhile by a majority of industry decision makers 


HealthIMPACT East Monday 5 June (NYC)

HealthIMPACT East
Monday, 5 June, Union League Club, New York, NY

The HealthIMPACT series of mainly single-day events on health tech/HIT’s effect on healthcare now covers several major cities in the US. What this Editor likes about them is that they compress a great deal of information in a single day, with well-presented, relaxed panel discussions with top executives and figures in the industry. They are also held in interesting venues like the Union League Club in NYC. HealthIMPACT East is co-produced with NODE Health. This fifth annual meeting will focus on evidence-based digital health, healthcare innovations, cybersecurity, and how to achieve value-based care. Speakers are from academic and provider organizations like Yale University, Jefferson Health, Mount Sinai, Northwell Health, PCHAlliance, New York-Presbyterian, NJIT, and Partnership Fund for NYC. Panels are being hosted this year by former colleagues from Health 2.0 NYC, Megan Antonelli of Purpose Events and “The Healthcare IT Guy” Shahid Shah. It’s not too late to register for this full day, including breakfast, lunch, and cocktail reception, here. TTA is a media partner for HealthIMPACT East.

Updated 15 May: 20% of NHS organizations hit by WannaCry, spread halted, hackers hunted

Updated 15 May: According to the Independent, 1 of 5 or 20 percent of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not referring to numbers, but here is their updated bulletin and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by his/her handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware as designed into the program, with the help of Proofpoint’s Darien Huss.

It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program. The Guardian tagged as MalwareTech a “22-year-old from southwest England who works for Kryptos logic, an LA-based threat intelligence company.”

Political fallout: The Home Secretary Amber Rudd is being scored for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: ‘Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!’” Pass the Panadol!

Previously: NHS Digital on its website reported (12 May) that 16 NHS organizations have been hacked and attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News

According to cybersecurity site Krebs on Security, (more…)

Thinking about a location for your health tech startup? Consider…‘virtual’ Estonia!

‘Extreme digital living’ is the norm in the Baltic country of Estonia, which rebuilt itself from the ground up after the formal dissolution of the Soviet Union (and each citizen receiving a distribution of €10) to one of the most advanced online-only countries in the world, far ahead of the US, the UK, and the rest of the EU. Internet access is by law a basic human right in Estonia. Digital signatures are equal in every way to paper signatures, except for marriage and divorce (a nostalgic touch). Everyday living is paperless and programming is taught in early grades. Live in picturesque Tallinn and need a delivery? It may come to your door via Starship robot, founded by one of the former Skype team. (Did you know that former Skypers have funded much of the Estonian tech and investment boom?) They take data security seriously with the Russian Bear growling (and hacking) on the border, so they created a NATO-accredited cyberdefense center in Tallinn and a whole country backup in a Luxembourg ‘data embassy’. Blockchain is a large part of this–and the government is working on using it for mapping the genome data of its 1.3 million citizens and selling it (deidentified) to precision medicine researchers.

So if you are a US, UK, EU, or even Australian-based developer, or already have a small tech company, why is this of interest? Estonia has opened a door for foreigners that is a most attractive one–virtual residency, no matter where you live. Once you’re an e-resident, simply register your company (online of course) and pay a fee of €145. You now can do business in euros–and fully access the EU. Most companies pay monthly administrative and accounting fees in Estonia, providing the country with income. About 1,400 companies have taken advantage of e-residency. It isn’t a tax haven, but if you do have income in Estonia, their corporate taxes are low–20 percent, compared to 19 percent for the UK, 30 percent for Australia, and a shattering 39 percent for the US (at present) (Trading Economics). And there is that tech and digital-savvy workforce as an additional incentive. Is This Tiny European Nation a Preview of Our Tech Future? (Fortune) Hat tip to TTA Founder Steve Hards.

Blue Cedar releases new security for health apps, built into the app

For healthcare organizations, device and app developers, one stumbling block for apps has been securing data. The endpoint for security has been to secure and manage the device, which constrains widespread BYOD use and convenient downloading. What if, instead, the apps and the data on them were secured without needing to further secure the device? This is what Blue Cedar, a mobile security developer, has done with what they call a mobile device management (MDM) alternative, with security ‘baked into the app’.

One of their first for the new platform is MedStar Health, the largest healthcare provider in the Maryland and Washington, DC region. Blue Cedar’s MDM enabled them to secure their mobile app for clinicians that contained protected patient information (PHI) yet run securely on personal mobile devices.

Blue Cedar’s Chief Product Officer, Chris Ford, spoke with this Editor and explained that their new platform (V3.14) works through injecting a security code in the mobile app, which enforces policy on encryption and use. Their Enterprise Mobility Management (EMM) can now incorporate support for secure apps on unmanaged devices, security and connectivity for VoIP-based apps, and enforcement of granular controls for HTTP-based apps. This and other features of the new platform will permit healthcare app developers to distribute apps through sites like the Apple Store or Google Play and “trust functionality” that allows control of data sharing between apps on the same device.

Blue Cedar spun off last year from IoT security company Mocana, founded in 2002, and now has over 150 customers in multiple verticals. They believe their MDM alternative is ideal for healthcare organizations and health app/wearable developers, recently adding representation in the UK and Europe. Release (PDF)

Why hackers feel the $$ love for healthcare: Brookings study

It’s the information, silly! A recent study by the Center for Technology Innovation at the Brookings Institution tells us what we already know: healthcare organizations hold high-value information electronically, and because they haven’t invested equally in cybersecurity, it’s all vulnerable. When those nifty EHRs hold names, dates of birth, addresses, Social Security numbers and health histories, they are eminently salable. What’s new here is that the vulnerability increases due to factors not based on security, but on legal and data exchange requirements:

  • Data sharing and accessing
  • Length of storage to comply with regulations
  • The size of the records–the more information they hold, the more vulnerable

Lay on top of this ransomware.

The worst threat is not the hacker in a Bulgarian basement, but what is termed ‘state actors’ who want health information for a variety of reasons. They may be compiling a big database: “…a dossier of individuals that they could use for social engineering for future attacks”–such as sending phishing emails to government employees with specific, accurate information that when opened, infect their computers with malware for another purpose. Some solutions presented are using an outside cloud storage provider; using blockchain, which requires both public and private encryption keys; intrusion-detection systems (IDS) and security information and event management (SIEM) software. CSO, Brookings report (28 pages)

Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, which he likens to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary unintentionally corrupting systems and devices down the line.

FDA Workshop: Collaborative Approaches to Medical Device Cybersecurity

20-21 January 2016, FDA White Oak Campus, Silver Spring Maryland

Attend this free and public two-day workshop hosted by FDA on cybersecurity and medical devices highlighting “past collaborative efforts, increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development, and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.” Registration required (information and form here), but there is also a webcast (link available after 13 Jan) if you cannot make it to FDA.

HIMSS Connected Health Conference/mHealth Summit starts Sunday–save $100

Time is short! This Editor will be attending the HIMSS Connected Health Conference this November 8-11 in Washington, DC (actually outside The Puzzle Palace in National Harbor, Maryland). Telehealth & Telecare Aware has been a media partner (disclosure) since the 2009 mHealth Summit. Changes this year include that it is three conferences in one: the original mHealth Summit with the Global mHealth Forum, the new PopHealth Summit (concentrating on health improvement on the community, regional and national level) and the much needed new CyberSecurity Summit.

Attend all three for one registration, including a large Exposition floor and three pavilions for Population Health, Cybersecurity and Games for Health. Also, there are extra co-located and add on events, mainly on Sunday the 8th. The Global mHealth Forum focuses on mobile and connected health in low and middle income countries (LMICs) and is on Wednesday.

The Summit organizers have been kind enough to offer an excellent discount to our readers of $100. When registering, click on the advert (above, right hand side) and use the promotional code TELEHEALTH100 to receive it.

China’s Anthem hack: they just wanna understand US healthcare

Knock yersself out! The Gimlet Eye files via Bottle from A Dot On The Map off the New York coast. One of the stranger follow ups of the past week–one that is difficult to read with a straight face–is the report in the Financial Times that the Chinese hacked into insurer Anthem’s 80-million strong beneficiary database in order to study up on the American healthcare system and benefit their aging population. Neil Versel with raised eyebrow in MedCityNews quoting the FT story: “The Chinese hackers had trained their sights on the U.S. health sector to help the country understand how other nations deal with medical care, people familiar with the Anthem investigation said.” You’d think it would be easier for the Chinese to go to a few conferences, meet a few executives and learn a few things first. Then maybe they could do a ‘deal deal’ with an insurer on their IP, or bring them into China on a JV. With so many services for sale from the thundering horde of data analytics companies and multiple middleware providers, write a check already. But that would destroy the Fun of Hacking!

How the FT could actually print without a hint of skepticism this ‘nothing to see here, move on’ story rolls the Eye.

mHealth Summit now HIMSS Connected Health Conference

Another sign that mHealth is now in our rear view mirrors [TTA 24 July] is that one of the main conferences on the US and international conference calendar is changing its name. Since 2009, the mHealth Summit has closed the year. Its organizing groups have changed and it’s gone international to Europe (the recent summit in Riga). Now it has been renamed (though not on the website yet) the HIMSS Connected Health Conference–an umbrella event comprising the mHealth Summit (including the Global mHealth Forum), and two new conferences: the Cyber Security Summit and Population Health Summit.

The shift in the industry and new concerns are clearly reflected in this reorganization. Transitions were visible last year to this Editor in covering the sessions, speaking with exhibitors and attendees. It’s not about the tech anymore, but how it fits into care models, saves money/avoids costs, improves care, improves the experience–all population health metrics–and fits with other technology and analytics. (It’s also how it fits into government payment models, an endlessly changing equation.) What is surprising is the lifting of cybersecurity to equal status, given the Hackers’ Holiday that healthcare is now (see TTA here). (Also this Editor notes that last year’s Big Buzzwords, Big Data and Analytics, have faded into where they should be–into facilitating population health and, we should expect, informing data security.) We also note that HIMSS has stepped forward as the organizer. HIMSS release. Telehealth & Telecare Aware has been a media partner of the mHealth Summit for most years since 2009.

“The data security fault, dear Brutus, is not China, but in the company org chart”

Mansur Habib, PhD and cybersecurity strategist, formerly CIO for the Baltimore City Health Department, proposes that any data breach analysis should start first with a hard look at the organizational chart. If the CIO or the chief information security officer (CISO) doesn’t report directly to the CEO, the executive clearly does not place priority on IT and data security, treating it as a cost center to be restricted; in his words, they do not ‘embrace cybersecurity risk as business risk’. In his doctoral research in 2013 and subsequently, Dr Habib observed that about half of US HIT and cybersecurity heads report to the chief financial officer (CFO) or some other executive like a CAO (administrative). His withering take on most CEOs is that they are more concerned with stock price (more…)

Seven safeguards for your mHealth app

With cyberattacks from all sources on the rise, and mHealth apps being used by providers in care coordination, telehealth, patient engagement and PHRs, Practice Unite, which has some experience in this area through designing customized app platforms for healthcare organizations’ patient and clinician communications, in its blog notes seven points for developers to keep in mind:

1. Access control–unique IDs assigned to each user, remote wiping of the mHealth app from any user’s device.
2. Audit controls
3. Authentication
4. Integrity controls, such as compartmentalization, to ensure that electronically transmitted PHI is not prematurely altered or corrupted
5. Transmission security: data encryption at rest, in transit, and on independently secured servers protects PHI at each stage of transmission
6. Third party app integration–must fully comply with HIPAA safeguards
7. Proprietary data encryption

But all seven points need backing from the top on down in a healthcare organization. (More in the article above)

Data breach fail at AnthemHealth: an inadvertent ‘inside job’ (updated)

US health insurance giant AnthemHealth, which had a data breach of reportedly up to 80 million beneficiaries [TTA 6 Feb], was an inadvertent ‘inside job’. The Associated Press reported that the credentials of at least five employees were used to access information, at least one of whom was an administrator who viewed his credentials being used to query the data warehouse. It’s easier than you think to get them. In an analysis published by security firm Tripwire and also in MIT Technology Review, the writer Ken Westin outlines how easy it is to find that the Anthem warehouse is TeraData, and to match up employees engaged with it, through using public employee profiles on places like LinkedIn and job postings. Then it’s deductive to find exact email addresses (find the pattern–lead generation companies building business contact lists do this all the time) and send these key employees phishing emails.