The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health, under one of its subsidiaries, BioReference Laboratories, Inc., and Clinical Pathology Laboratories [TTA 5 June] This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

 Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

TTA’s Week: NHS loses the pagers, digital health ethical talk-talk, back to chronic condition monitoring, consumers driving health design–whatta notion!

 

 

Chronic condition telehealth monitoring is suddenly hot–again. When will digital health ethics be more than talk-talk? No more faxes, no more pagers in the NHS. Surprise! Consumer behavior should drive health tech. Plus late spring events + Connected Health Summit speaking opportunities.

And scroll below for news of The King’s Fund’s Digital Health and Care Congress, including Matt Hancock as keynote speaker on day 2. Plus 10% off registration for our Readers!

Suddenly hot: chronic condition management in telehealth initiatives at University of Virginia and Doctor on Demand (We’ve been here before)
Events, dear friends: MedTech London, Aging 2.0 Philadelphia, speakers wanted for Connected Health Summit (More for your calendar from late winter into late summer)
First they came for the fax machines….now NHS is coming for the pagers (Pretty soon it will be the stethoscopes, the furniture…)
The King’s Fund Digital Health and Care Conference announces Matt Hancock as Day 2 keynoter (He’s everywhere!)
About time: digital health grows a set of ethical guidelines (But how to put it into action beyond the nice meetings and draft principles?)
A short but canny look at consumer behavior as a driver of health technology (Design that fits into life–what a notion!)

Rounding up HIMSS and the millennial/Gen Z healthcare mindset. It’s wall-to-wall Theranos for the next few weeks. And we bid farewell to a fine (if over-parodied) actor with our video advert.

News roundup: of logos and HIMSS roundups, Rock Health’s Digital Health Consumer Adoption survey, and the millennial/Gen Z walkaway from primary care (Increasingly not trad, dad)
The Theranos Story, ch. 58: with HBO and ABC, let the mythmaking and psychiatric profiling begin! (updated) (A deluge of Theranos Analysis)
From our archives: a long buried advert (RIP Bruno Ganz) (Editors Steve and Donna salute a fine actor and fine movie–remembered, humorously)

The Topol Review’s relationship to reality explored by Roy Lilley. Robotics effects in therapy for children with autism and CP. The wind’s even more at the back of telehealth–but there are caveats. Plus Editor Charles is back with a UK digital health roundup.

Roy Lilley’s tart-to-the-max view of The Topol Review on the digital future of the NHS (This week’s Must Read)
Robots’ largely positive, somewhat equivocal role in therapy for children with autism and cerebral palsy (HIMSS)
The wind may be even stronger at the back of telehealth this year–but not without a bit of chill (VA, Virginia as indicators–and the hurdles when you get there )
A selection of short digital health items of potential interest (Editor Charles is back with views on AI and events)

The telehealth entrepreneur and the $5 million fraud = 15 years in prison. Scotland’s Current Health wins FDA clearance, Latin America telemedicine’s uncertain state, women in eHealth, and studies on digital health in health systems.

News roundup: Current Health’s Class II, Healthware Italy’s €10 million boost, the low state of Latin America telemedicine, weekend reading on digital health in health systems
Digital health versus eHealth: ‘here we go again’ with the confusion and the differences. Plus Women in eHealth (JISfTeH) (Reviving the terminology discussion)
The telehealth ‘entrepreneur’ whose $5 million funding bought stays at the Ritz and portfolios at Bottega Veneta (And 15 years in the Federal pen. Tell your mum or uncle to be wary of good stories)

Our lead this week is the sale of Tunstall’s US operation. Unicorns need to hype less and publish studies more. The King’s Fund’s two events in March and May, Bayer’s accelerator winners, and news from Apple to teledermatology for São’s spotted!

Short takes: Livongo buys myStrength, Apple Watch cozies with insurers, Lively hears telehealth and $16 million
Tunstall Americas sold to Connect America
(Tunstall conceding their business is outside the US)
Where’s the evidence? Healthcare unicorns lack the proof and credibility of peer-reviewed studies. (Unicorns need to add substance to the sparkle)
News roundup: Virginia includes RPM in telehealth, Chichester Careline changes, Sensyne AI allies with Oxford, Tunstall partners in Scotland, teledermatology in São Paolo
The King’s Fund ‘Digital Health and Care Explained’ 27 March
(Readers also get a 10% discount at the 22-23 May Congress)
Bayer’s G4A accelerator awards agreements with KinAptic, Agamon, Cyclica (DE) (A truly international accelerator program)

Latest through the revolving door is NHS’ chief digital officer, digital health may be more ‘bubbly’ than you would like, telemedicine and telehealth gain important consumer and Medicare facing ground, and fill your calendar some more!

NHS England digital head Bauer exits for Swedish medical app Kry, but not without controversy (The revolving door reveals a self-made cloud over her head)
Events, Dear Friends, Events: UK Telehealthcare, Mad*Pow HXD, dHealth Summit (Get out the calendars–and the checkbooks/app)
Telemedicine virtual visits preferred by majority in Massachusetts General Hospital survey (Over 94% loved the convenience alone)
Medicare Advantage model covering telehealth for certain in-person visits starting in 2020 (The needle moves–slowly)
It’s not a bubble, really! Or developing? Analysis of Rock Health’s verdict on 2018’s digital health funding. (‘Bubbly’ factors that may influence this year–not for the better)

We round up the Official Healthcare Circus of CES, Verily rolls along with $1 bn in investment, and Walgreens Boots finally makes an alliance splash with Microsoft

It’s Official: CES is now a health tech event (updated) (And still a circus! We round up the top coverage so you don’t have to)
News roundup: Walgreens Boots-Microsoft, TytoCare, CVS-Aetna moves along, Care Innovations exits Louisville
Verily, Google’s life sciences arm, gathers in another billion to go…where? (Updated for Study Watch clearance) (Still a mystery)


The King’s Fund’s annual Digital Health and Care Congress is back on 22-23 May. Just announced–Secretary Matt Hancock keynoting Day 2. Meet leading NHS and social care professionals and learn how data and technology can improve the health and well-being of patients plus the quality and effectiveness of the services that they use. Our Readers are eligible for a 10% discount using the link in the advert or here, plus the code Telehealth_10.


Have a job to fill? Seeking a position? Free listings available to match our Readers with the right opportunities. Email Editor Donna.


Read Telehealth and Telecare Aware: http://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. See our advert information here. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principals into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable. Parts of the US government–Congress and the FTC through a complaint filing–are also coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal).

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Telemedicine virtual visits preferred by majority in Massachusetts General Hospital survey

The results are far better than parity with in-person visits for follow up. A group of 254 patients and 61 health care providers were the subject of a survey conducted by researchers at Massachusetts General Hospital, part of Partners HealthCare, and Johns Hopkins. It found that virtual video visits (VVVs) are perceived by the majority of patients as the same as or better than office visits in convenience and cost, at the same level of quality and personal connection. It measured responses from both patients and providers in the MGH TeleHealth (sic) program, in place since 2012, in follow up care from providers in psychiatry, neurology, cardiology, oncology and primary care (the last two added late in the survey).

The results were: 

  • The vast majority (94.5%) of patients preferred the travel time (minimal) and time convenience (79.5%) of the VVV
  • Most patients (62.6%) and clinicians (59.0%) reported “no difference” between VVV and office visits on “the overall quality of the visit.”
  • When rating “the personal connection felt during the visit”, over half–but more patients than clinicians–said that there was “no difference” with the VVV (patients, 59.1%; clinicians, 50.8%), although 32.7% of patients and 45.9% of clinicians reported that the “office visit is better”.
  • They were also willing to pay for it–and that increased with distance from the doctor. Among those who traveled more than 90 minutes to an office visit, 51.5% indicated they would pay a co-payment of more than $50 for a VVV compared with 30.4% of those who traveled less than 30 minutes.
  • Results graphs are here

The survey results were published in the American Journal of Managed Care. This month’s issue also examines gamification in healthcare, asynchronous communication between primary and specialty care practitioners at Geisinger, EHRs–and the relationship between data breaches and not surprisingly increased advertising expenditures after the fact to rebuild lost trust. According to this last article, breached hospitals were more likely to be large, teaching, and urban hospitals relative to the control group.

Also UPI and HealthDay.

More and more into the (data) breach: 3X more patient records in Q2, UnityPoint’s breach balloons to 1.3M

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]And we thought Healthcare Hackermania was following the Hulkster into retirement. After a quiet Q1, data breaches and hack attacks blew up both in Q2 and now in this quarter.

Data compliance analytics firm Protenus’ Breach Barometer (with DataBreaches.net) has been tracking healthcare data breaches for years. It was quiet last quarter with 1.13 million patient records affected in 110 separate health data breaches. But last quarter was a true triple threat with patient records up three times to 3.14 million, 142 separate breaches–which means more per breach on average. What is also distressing is that 29.71 percent are repeat offenses among employees, up from 21 percent in the previous quarter.

  • 36.6 percent of breaches were due to external hacking, nearly double that of Q1.
  • 30.99 percent were due to insiders, either through deliberate wrongdoing (theft) or insider error. Insider wrongdoing was led by family members snooping on other family members’ records. Not Russians, Chinese, NoKos, or Bulgarians bashing about. 
  • In contrast to Q1, where the biggest data breach was a network hack of an Oklahoma-based health network (reportedly the Oklahoma State University Center for Health Sciences), compromising nearly 280,000 records, Q2’s Big Breach was a physical burglary of the California Department of Developmental Services in Sacramento affecting over 581,000 records. After the usual ransacking and theft, the burglars started a fire before they left and the sprinklers did the rest.

It routinely takes nearly forever from when a breach occurs to when it is discovered: in Q1 244 days, in Q2 204 days. In Q2 the longest discovery time was over five years –2013 to 2018. This indicates that insiders may be good at covering their tracks, and/or IT staff don’t get around to detecting and policing breaches.

Protenus and DataBreaches.net compile incidents disclosed to HHS and reported in the media, and are now adding their own proprietary, non-public data on the status of health data breaches nationwide, including a review of tens of trillions of individual
accesses to EHRs which Protenus audits as part of their healthcare systems services. More detail in Protenus Q2 and Q1 full reports, HealthITSecurity (Q1)

Certain to lead their Q3 report is the 1.4 million patient record breach at UnityPoint Health, an Iowa-based health system. In May, a small phishing breach compromised 16,000 records. This cyberattack also started with email phishing and spread through employee networks. “The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.” Were the hackers after patient data? According to UnityPoint, “The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization.” Healthcare Analytics News

You may not want a cyberattack, but cyberattacks and hacking want you….

Healthcare cybersecurity breaches multiply like measles as far away as Singapore. Is it a matter of time before hacking kills someone?

Even if you are the Prime Minister of Singapore, you can be hacked. Prime Minister Lee Hsien Loong joined 1.5 million of his fellow Singaporeans in what they have termed an unprecedented data breach of SingHealth, considered to be a world model. There are the usual state actor suspects: Russians, Chinese–and North Koreans–starting less than two weeks (27 June) after hosting the meeting between President Donald Trump and Maximum Leader Kim Jong Un. (That is hardly a gracious thank you if it’s them (s/o).  POLITICO Morning eHealth reported on Monday 23 July. 

What’s happened since: Singapore banks have been instructed to tighten data procedures and use additional verification methods. The government believes 1) they are next and 2) that the healthcare breach data could be used to impersonate customer identities. SingHealth records include full name, national identification number, address, gender, race, and date of birth. (ZDNet)

The National (UAE) reported that the hack specifically targeted the PM. Their angle was that Singapore has ambitions to host a ‘smart city’ as does the UAE and testing Singapore means that the UAE may be next. Singapore is covering a different angle–the ‘inside job’ one. They moved to disconnect computers from the internet at public centers which may inconvenience patients and healthcare staff but which weakens data collection for this very busy centralized system. (Reuters) Watch the government press conference here.

Will the next WannaCry or NotPetya kill someone? That is the premise in this article in ZDNet and one we’ve discussed previously. It’s not a targeted attack on a particular life, but could be an infrastructure failure–for instance, an industrial control for electricity that destroys systems including those to dependent homes or hospitals. What this article doesn’t include are all those aging hackable connected devices in operating rooms, hospital rooms, and in-hospital Wi-Fi powering tablets and other connected devices. KRACK can be very wack indeed! [TTA 18 Oct 17]

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased over the 2015-2017 period by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containment of healthcare device loss and theft through education and enforcement of employee practices. What continues is the major cause of breaches continue to be insider-related via error and wrongdoing; this includes the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2018/01/VitalPatch_Header_Photo_Tablet.jpg” thumb_width=”150″ /]Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care setting. Blue Cedar is securing the app through their patented code-injected technology which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts‘ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Rounding up the roundups in health tech and digital health for 2017; looking forward to 2018’s Nitty-Gritty

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/12/Lasso.jpg” thumb_width=”100″ /]Our Editors will be lassoing our thoughts for what happened in 2017 and looking forward to 2018 in several articles. So let’s get started! Happy Trails!

2017’s digital health M&A is well-covered by Jonah Comstock’s Mobihealthnews overview. In this aggregation, the M&A trends to be seen are 1) merging of services that are rather alike (e.g. two diabetes app/education or telehealth/telemedicine providers) to buy market share, 2) services that complement each other by being similar but with strengths in different markets or broaden capabilities (Teladoc and Best Doctors, GlobalMed and TreatMD), 3) fill a gap in a portfolio (Philips‘ various acquisitions), or 4) payers trying yet again to cement themselves into digital health, which has had a checkered record indeed. This consolidation is to be expected in a fluid and relatively early stage environment.

In this roundup, we miss the telecom moves of prior years, most of which have misfired. WebMD, once an acquirer, once on the ropes, is being acquired into a fully corporate info provider structure with its pending acquisition by KKR’s Internet Brands, an information SaaS/web hoster in multiple verticals. This points to the commodification of healthcare information. 

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/12/canary-in-the-coal-mine.jpgw595.jpeg” thumb_width=”150″ /]Love that canary! We have a paradigm breaker in the pending CVS-Aetna merger into the very structure of how healthcare can be made more convenient, delivered, billed, and paid for–if it is approved and not challenged, which is a very real possibility. Over the next two years, if this works, look for supermarkets to get into the healthcare business. Payers, drug stores, and retailers have few places to go. The worldwide wild card: Walgreens Boots. Start with our article here and move to our previous articles linked at the end.

US telehealth and telemedicine’s march towards reimbursement and parity payment continues. See our article on the CCHP roundup and policy paper (for the most stalwart of wonks only). Another major change in the US is payment for more services under Medicare, issued in early November by the Centers for Medicare and Medicaid Services (CMS) in its Final Rule for the 2018 Medicare Physician Fee Schedule. This also increases payment to nearly $60 per month for remote patient monitoring, which will help struggling RPM providers. Not quite a stride, but less of a stumble for the Grizzled Survivors. MedCityNews

In the UK, our friends at The King’s Fund have rounded up their most popular content of 2017 here. Newer models of telehealth and telemedicine such as Babylon Health and PushDoctor continue to struggle to find a place in the national structure. (Babylon’s challenge to the CQC was dropped before Christmas at their cost of £11,000 in High Court costs.) Judging from our Tender Alerts, compared to the US, telecare integration into housing is far ahead for those most in need especially in support at home. Yet there are glaring disparities due to funding–witness the national scandal of NHS Kernow withdrawing telehealth from local residents earlier this year [TTA coverage here]. This Editor is pleased to report that as of 5 December, NHS Kernow’s Governing Body has approved plans to retain and reconfigure Telehealth services, working in partnership with the provider Cornwall Partnership NHS Foundation Trust (CFT). Their notice is here.

More UK roundups are available on Digital Health News: 2017 review, most read stories, and cybersecurity predictions for 2018. David Doherty’s compiled a group of the major international health tech events for 2018 over at 3G Doctor. Which reminds this Editor to tell him to list #MedMo18 November 29-30 in NYC and that he might want to consider updating the name to 5G Doctor to mark the transition over to 5G wireless service advancing in 2018.

Data breaches continue to be a worry. The Protenus/DataBreaches.net roundup for November continues the breach a day trend. The largest breach they detected was of over 16,000 patient records at the Hackensack Sleep and Pulmonary Center in New Jersey. The monthly total was almost 84,000 records, a low compared to the prior few months, but there may be some reporting shifting into December. Protenus blog, MedCityNews

And perhaps there’s a future for wearables, in the watch form. The Apple Watch’s disconnecting from the phone (and the slowness of older models) has led to companies like AliveCor’s KardiaBand EKG (ECG) providing add-ons to the watch. Apple is trying to develop its own non-invasive blood glucose monitor, with Alphabet’s (Google) Verily Study Watch in test having sensors that can collect data on heart rate, gait and skin temperature. More here from CNBC on Big Tech and healthcare, Apple’s wearables.

Telehealth saves lives, as an Australian nurse at an isolated Coral Bay clinic found out. He hooked himself up to the ECG machine and dialed into the Emergency Telehealth Service (ETS). With assistance from volunteers, he was able to medicate himself with clotbusters until the Royal Flying Doctor Service transferred him to a Perth hospital. Now if he had a KardiaBand….WAToday.com.au  Hat tip to Mike Clark

This Editor’s parting words for 2017 will be right down to the Real Nitty-Gritty, so read on!: (more…)

Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), with over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting to HHS is improving with reporting to HHS, the media or state attorneys general on average of 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August   Hat tip to Guy Dewsbury via LinkedIn

Hackermania meets The Dark Overlord with 2.3 million 2017 health data breaches

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]It’s a cage match! Reports are soaring, with a proliferation of data breaches year to date, after a relatively quiet period in 2016.

The Dark Overlord (TDO), in the mainstream news with dumping unseen Netflix program episodes on illegal file-sharing sites and demanding ransom (Guardian), also has been hard at work dumping PHI hacked from various clinics. DataBreaches.net tallied it at 180,000 records from at least nine medical clinics.

Health data security developer/provider Protenus, whose Breach Barometer tracks the numbers, counted 2.1 million breaches in 1st Quarter. March spiked with 700,000 coming from Commonwealth Health Corporation of Kentucky.

Our standby Privacy Rights Clearinghouse counted over 175,000 to date, but 160,000 came from MedCenter Health in Protenus’ total, so their net addition was 15,000. But PRC’s detail illustrates that ransomware is alive, well, and invading smaller healthcare organizations. Other reasons are unauthorized data server access, third-party vendors, email error, and theft.

16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/03/Accenture-Health-2017-Consumer-Survey.jpg” thumb_width=”150″ /]Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release  PDF of the US Digital Trust Report

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported, (more…)

Health execs’ wish list for 2017: security, analytics, pop health…and telehealth (US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/01/2017-upgrade-HITN-survey.jpg” thumb_width=”200″ /]Healthcare IT News published the results of their October survey of 95 healthcare executives as to their forward plans (resolutions?) for 2017. It’s unsurprisingly centered on upgrades to the following areas:

  • Data security (52 percent)–definitely making up for lost time and spending due to the obvious threats from hacking and data breaches. In November alone, nearly two incidents a day (57) and over 458,000 records were reported by healthcare entities to HHS. (Protenus Breach Barometer)
  • Data analytics (51 percent)–figuring out what to do with all that patient data generated by….
  • Patient engagement and population health (44 percent each)–demanded by quality standards in CMS’ MACRA Quality Payment Program (QPP), including the Merit-Based Incentive Payment System (MIPS) and the Advanced Alternative Payment Models (APMs)
[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/01/2017-introduce-investigate-HITN-survey.jpg” thumb_width=”200″ /]The surprises come here–the technologies they expect to introduce or investigate. Analytics and workflow correspond to the last two points above, but what is compelling is an apparent tipping point for technology which links the patient to care monitoring and access: telehealth (44 percent), smart medical devices (41 percent) and remote patient monitoring (34 percent). These overlap (as in telehealth and RPM require smart medical devices), yet these are strong numbers if they accurately reflect these execs’ actual (or eventual) spending. (Does it point to more clinically validated use of trackers like Fitbit? The Magic 8 Ball does not tell here….)

The presence of 2016-17’s ‘It Girl’, precision medicine (21 percent), which applies both data analytics and genomics to improve patient outcomes, isn’t surprising with the emphasis on quality care.

One can quibble that the sample size is small N, and the report doesn’t confirm the selection details like title, location, and type of organization, but the direction has to be cheering on many fronts. HITN’s overview, survey results (16 slides)

Summertime, and the ransomware is running wild (updated)

Mashing up our summer ‘tune’ list are the latest reports on ransomware attacks and data breaches:

  • Banner Health’s odd breach of 3.7 million records, first testing their café credit cards then entering their patient information systems, is leading to at least one class-action lawsuit. HealthITOutcomes, Becker’s Hospital Review
  • Bon Secours Health System of Maryland had a exposure of 655,000 records when a business associate of Bon Secours left patient information exposed online for four days while it adjusted its network settings. Healthcare Dive
  • The Locky ransomware has been battering hospitals since the beginning of August, with phishing emails spiking on August 11. Most of this global strike is attacking healthcare, with transportation and telecom running second; countries with the highest frequency of attacks are US, Japan, and South Korea, FireEye reports. ZDNet
  • Solutionary, now NTT Security, which specializes in cybersecurity services, reported last month that 88 percent of all ransomware detections in second quarter 2016 targeted healthcare. However, Cryptowall, not Locky, was the killer ransomware they spotted, accounting for nearly 94 percent of detections. Release
  • Can you anticipate cyber crimes like these? ID Experts has an intriguing blog post on how you can think like a cyber thief. Part One of a promised three-part series. Updated: ID Experts disclosed earlier this week that it spun off RADAR, its two-year-old IT security and compliance company, effective 2 Aug, with a $6.2 million Series A funding. It appears that the CEO wrote the check (CrunchBase).  There’s gold in dem dere cyber varmints! MedCityNews  Release
  • Scared enough? The Federal Trade Commission comes to the rescue with a half-day seminar on ransomware detection and prevention in Washington DC on September 7. The session is free and will be webcast (details to come). FTC release, event page

Summertime, and the health data breaches are easy….

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Cybersecurity is the word, not the bird, from South Korea (see here) to the US.  The week opened with an unusual healthcare plan supplier breach: 3.3 million payer records held by a card issuer, Newkirk Products of Albany, NY. The company issues ID cards for several Blue Cross and Blue Shield plans and provides management services to other commercial payers. Ironically, it was discovered five days after their $410 million acquisition by Broadridge Financial Solutions of Lake Success, Long Island. On July 6, Newkirk discovered ‘unauthorized access’ to a server with records containing the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number. “No health plans’ systems were accessed or affected in any way” according to the release. MedCityNews, Newkirk release on notice

Another supplier breach affected another estimated 3.7 million patients at Arizona’s Banner Health. This one was a bit closer to home, hacking computer systems used in payment processing on debit and credit cards used at their food and beverage outlets in four states between June 23 and July 7.  A week later, the hackers gained unauthorized access to systems containing patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers. MedCityNews, Banner Health release

But what’s secret anymore about your health data anyway? It’s all those apps that are sending data via your Apple Watch and your Fitbit which aren’t necessarily covered by HIPAA or secure. (more…)

Why do hackers love bitcoin? Blockchain. And why are healthcare, IoT liking blockchain?

Hackers love bitcoin for their ransomware payment because it’s virtual money, impossible to trace and encrypted to the n-th degree. Technically, bitcoin is not a transfer of payment–it IS money of the unregulated sort. The ransomee has to pay into a bitcoin exchange and then deliver the payment to the hacker. However, what sounds straightforward is actually fraught with risks, such as the bitcoin exchanges themselves as targets of hacking and the fluctuations of bitcoin value meaning that a ransom may not actually be paid in full. ID Experts‘ article gives the basics of bitcoin, what to expect and when paying a ransom is the prudent thing to do.

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2016/07/blockchain-in-HC.jpg” thumb_width=”200″ /]Turn what is behind bitcoin around though, and it becomes intriguing to HIT and IoT. Blockchain is “a distributed, secure transaction ledger that uses open-source technology to maintain data. Records are shared and distributed over many computers of entities that do not know each other; records can be time-stamped and signed using a private key to prevent tampering.” Each record block has an identifying hash that links each block into a virtual chain. (Wikipedia has a more complete description.) For bitcoin, it ensures security, anonymity and transferability without a central bank. For healthcare, distributed data and security is the exact opposite of the highly centralized, locked down approach of standard HIT to enable interoperability and security (left above). The Federal ONC-HIT (Office of the National Coordinator for Health Information Technology) under HHS is soliciting up to 15 proposals for “Blockchain and Its Emerging Role in Healthcare and Health-related Research.” through July 29. Cash prizes range from $1,500 to $5,000. The final eight will present at the awards presentation September 26-27. Potential uses are:

  • Medical banking between dis-intermediated parties
  • Distributed EHRs
  • Inventory management
  • Forming a research “commons” and a remunerative model for data sharing
  • Identity verification for insurance purposes
  • An open “bazaar” for services that accommodates transparency in pricing

Health Data Management, Information Management, Federal Register announcement