What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?
Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release PDF of the US Digital Trust Report
So what’s 16 million breaches between friends? Or 4 million? Or 27 million?
- That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
- For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
- HIMSS and Healthcare IT News insist that ransomware is under-reported, but their count is large anyway. The HITN 20 March article reports from Protenus’ 2016 research that over 27 million healthcare records were stolen in 450 reported data breaches. 26.8 percent were attributed to ransomware, hacking or malware. This article also contains a lot of speculation by attorneys and other experts in the field that ransomware-related breaches are under-reported: “The reality is often after a ransomware incident, executives find out that criminals have been exploiting their network for years and going public with the information would force their board, executives and staff to answer some serious questions that they are not willing or prepared to answer,” according to ICIT Senior Fellow James Scott quoted in the article.
And don’t be late in your reporting! Presence Health had to pony up a $475,000 settlement with Health and Human Services’ (HHS) Office of Civil Rights earlier this year for a 22 Oct 2013 breach exposing the PHI of over 800 patients that went unreported until 31 Jan 2014. It violated the HHS 60-day rule by a little over a month. It is the first HIPAA monetary enforcement on a healthcare organization for untimely breach reporting, according to HHS. (See HITN above)
Oops! In the UK, the Information Commissioner’s Office (ICO) fined HCA International Ltd a hefty £200,000 for failure to keep its IVF patients’ information from the Lister Hospital secured. In April 2015, a patient found through online search unencrypted transcripts of patient records. The Indian company performing transcription work from 2009 stored audio files and transcripts on an unsecured server. And don’t look now–by May 2018 the ICO will be able to fine four percent of a company’s global turnover where a serious breach of data protection law has occurred.
The danger of the Internet of Things may not come from your microwave, but your talking teddy. For over a year, the makers of CloudPets left customer records in an un-firewalled, un-passworded MongoDB database. 800,000 emails and passwords were exposed, along with 2 million recorded messages for this internet-connected messaging toy. Hackers were targeting exposed MongoDB databases in January. The same article claims that the stuffed animals have such poor device security that they could be easily hacked and turned into spy devices. Is there nothing sacred? Motherboard Hat tip on ICO and this to former NI Editor Toni Bunting
Healthcare IT News published the results of their October survey of 95 healthcare executives as to their forward plans (resolutions?) for 2017. It’s unsurprisingly centered on upgrades to the following areas:
The surprises come here–the technologies they expect to introduce or investigate.
- Data security (52 percent)–definitely making up for lost time and spending due to the obvious threats from hacking and data breaches. In November alone, nearly two incidents a day (57) and over 458,000 records were reported by healthcare entities to HHS. (Protenus Breach Barometer)
- Data analytics (51 percent)–figuring out what to do with all that patient data generated by….
- Patient engagement and population health (44 percent each)–demanded by quality standards in CMS’ MACRA Quality Payment Program (QPP), including the Merit-Based Incentive Payment System (MIPS) and the Advanced Alternative Payment Models (APMs)
Analytics and workflow correspond to the last two points above, but what is compelling is an apparent tipping point for technology which links the patient to care monitoring and access: telehealth
(44 percent), smart medical devices
(41 percent) and remote patient monitoring
(34 percent). These overlap (as in telehealth and RPM require smart medical devices), yet these are strong numbers if
they accurately reflect these execs’ actual (or eventual) spending. (Does it point to more clinically validated use of trackers like Fitbit
? The Magic 8 Ball does not tell here….)
The presence of 2016-17’s ‘It Girl’, precision medicine (21 percent), which applies both data analytics and genomics to improve patient outcomes, isn’t surprising with the emphasis on quality care.
One can quibble that the sample size is small N, and the report doesn’t confirm the selection details like title, location, and type of organization, but the direction has to be cheering on many fronts. HITN’s overview, survey results (16 slides)
Mashing up our summer ‘tune’ list are the latest reports on ransomware attacks and data breaches:
- Banner Health’s odd breach of 3.7 million records, first testing their café credit cards then entering their patient information systems, is leading to at least one class-action lawsuit. HealthITOutcomes, Becker’s Hospital Review
- Bon Secours Health System of Maryland had a exposure of 655,000 records when a business associate of Bon Secours left patient information exposed online for four days while it adjusted its network settings. Healthcare Dive
- The Locky ransomware has been battering hospitals since the beginning of August, with phishing emails spiking on August 11. Most of this global strike is attacking healthcare, with transportation and telecom running second; countries with the highest frequency of attacks are US, Japan, and South Korea, FireEye reports. ZDNet
- Solutionary, now NTT Security, which specializes in cybersecurity services, reported last month that 88 percent of all ransomware detections in second quarter 2016 targeted healthcare. However, Cryptowall, not Locky, was the killer ransomware they spotted, accounting for nearly 94 percent of detections. Release
- Can you anticipate cyber crimes like these? ID Experts has an intriguing blog post on how you can think like a cyber thief. Part One of a promised three-part series. Updated: ID Experts disclosed earlier this week that it spun off RADAR, its two-year-old IT security and compliance company, effective 2 Aug, with a $6.2 million Series A funding. It appears that the CEO wrote the check (CrunchBase). There’s gold in dem dere cyber varmints! MedCityNews Release
- Scared enough? The Federal Trade Commission comes to the rescue with a half-day seminar on ransomware detection and prevention in Washington DC on September 7. The session is free and will be webcast (details to come). FTC release, event page
Cybersecurity is the word, not the bird, from South Korea (see here) to the US. The week opened with an unusual healthcare plan supplier breach: 3.3 million payer records held by a card issuer, Newkirk Products of Albany, NY. The company issues ID cards for several Blue Cross and Blue Shield plans and provides management services to other commercial payers. Ironically, it was discovered five days after their $410 million acquisition by Broadridge Financial Solutions of Lake Success, Long Island. On July 6, Newkirk discovered ‘unauthorized access’ to a server with records containing the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number. “No health plans’ systems were accessed or affected in any way” according to the release. MedCityNews, Newkirk release on notice
Another supplier breach affected another estimated 3.7 million patients at Arizona’s Banner Health. This one was a bit closer to home, hacking computer systems used in payment processing on debit and credit cards used at their food and beverage outlets in four states between June 23 and July 7. A week later, the hackers gained unauthorized access to systems containing patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers. MedCityNews, Banner Health release
But what’s secret anymore about your health data anyway? It’s all those apps that are sending data via your Apple Watch and your Fitbit which aren’t necessarily covered by HIPAA or secure. (more…)
Hackers love bitcoin for their ransomware payment because it’s virtual money, impossible to trace and encrypted to the n-th degree. Technically, bitcoin is not a transfer of payment–it IS money of the unregulated sort. The ransomee has to pay into a bitcoin exchange and then deliver the payment to the hacker. However, what sounds straightforward is actually fraught with risks, such as the bitcoin exchanges themselves as targets of hacking and the fluctuations of bitcoin value meaning that a ransom may not actually be paid in full. ID Experts‘ article gives the basics of bitcoin, what to expect and when paying a ransom is the prudent thing to do.
Turn what is behind bitcoin around though, and it becomes intriguing to HIT and IoT. Blockchain
is “a distributed, secure transaction ledger that uses open-source technology to maintain data. Records are shared and distributed over many computers of entities that do not know each other; records can be time-stamped and signed using a private key to prevent tampering.” Each record block has an identifying hash that links each block into a virtual chain. (Wikipedia
has a more complete description.) For bitcoin, it ensures security, anonymity and transferability without a central bank. For healthcare, distributed data and security is the exact opposite of the highly centralized, locked down approach of standard HIT to enable interoperability and security (left above). The Federal ONC-HIT
(Office of the National Coordinator for Health Information Technology) under HHS
is soliciting up to 15 proposals for “Blockchain and Its Emerging Role in Healthcare and Health-related Research.” through July 29. Cash prizes range from $1,500 to $5,000. The final eight will present at the awards presentation September 26-27. Potential uses are:
- Medical banking between dis-intermediated parties
- Distributed EHRs
- Inventory management
- Forming a research “commons” and a remunerative model for data sharing
- Identity verification for insurance purposes
- An open “bazaar” for services that accommodates transparency in pricing
Health Data Management, Information Management, Federal Register announcement
The average fully allocated cost of a data breach, according to the 2016 Ponemon Institute
study (sponsored by IBM
) is now over $4 million. The average global cost of every lost or stolen record is $158, but for healthcare organizations, that average cost is $355 per record, which reflects the higher street value of healthcare information. Healthcare was the second most ‘churned’ type of organization, surpassed only by financial services. Across the industries surveyed, hacking and ‘inside jobs’ caused the most data breaches overall–48 percent. (Hackermania does really run wild!) Healthcare organizations can mitigate costs by being proactive in detecting breaches early, having a CISO (chief information security officer), instituting employee training and awareness programs, deploying encryption and endpoint security plus a business continuity management plan. Ponemon/IBM website
. Healthcare IT News
Threat hunting is also emphasized in a second Ponemon study sponsored by Raytheon, which recommended offensively hunting down threats to data security, and defensively setting up a security barrier to protect patient data and care systems. With nation-state attacks (think China and Russia), ransomware, compromises due to IoT (add outdated software), and physical data theft, the game is now complete control rather than plain ol’ disruption. After the attack, when most healthcare organizations finally get into gear on cyberthreats, is far too late. Ponemon/Raytheon ‘Don’t Wait’. Healthcare IT News
A much-needed book in the age of Hacker/RansomwareMania. A new book published, ‘Protecting Patient Information’ by Paul Cerrato, is subtitled ‘A Decision-Maker’s Guide to Risk, Prevention, and Damage Control.” It’s not a tome at 162 pages, since it’s written not for academics or IT Gearheads, but for physicians (including doctors running small practices), nurses, healthcare executives and business associates. It takes a practical, three-part approach to IT security in healthcare organizations which can be applied internationally:
- How to do an in-depth analysis of the organization’s risk level
- How to lower the risk of a data breach within the myriad of Federal and state rules regarding protected PHI
- How to deal with a data breach, even if you’ve followed 1) and 2) (This may be the ‘worst case scenario’ part of the book)
The preface to the book is written by John Halamka, MD, himself a CIO of Beth Israel Deaconess Medical Center in Boston and a professor at Harvard Medical School. It will set you back about $42, but worth it. Hat tip to our friends at HITECH Answers via Twitter. If you’ve read the book or will read it soon, this Editor and your fellow Readers would be interested in your thoughts or even a review.
‘Hollywood’ Hulk Hogan is getting a workout! (UPDATED)
Hollywood Presbyterian Medical Center paid $17,000 (40 bitcoins) last night to hackers to regain control of its IT systems after last week’s ‘ransomware’ attack forced them offline. According to CEO Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” HealthcareITNews has the details and the full CEO letter/press release, including that no patient or employee information appears to have been compromised.
Obviously there will be more to follow including the usual opining, but in this resolution and spin, a bad precedent has been set in this Editor’s view. Labeling it a ‘low-tech’ attack shines a Klieg light (this is Hollywood after all) on the vulnerability of this hospital’s system. They now have the decryption key to the malware, but what other bad code and general mischief is buried in their systems to crop up later? Another question: was the inflated bitcoin number floated to make the paid ransom seem ‘affordable’? Is this a Hollywood ending where all is happy, or is this an episode in the continuing soap opera of ‘Hospital as Cash Machine’?
Our original article follows: (more…)
Reporting from the HIMSS Connected Health Conference (CHC)
Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR).
It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”
Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.
When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)
Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, compromising an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and that the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)
Mansur Habib, PhD and cybersecurity strategist, formerly CIO for the Baltimore City Health Department, proposes that any data breach analysis should start first with a hard look at the organizational chart. If the CIO or the chief information security officer (CISO) doesn’t report directly to the CEO, the executive clearly does not place priority on IT and data security, treating it as a cost center to be restricted; in his words, they do not ’embrace cybersecurity risk as business risk’. In his 2013 doctoral research in 2013 and subsequently, Dr Habib observed that about half of US HIT and cybersecurity heads report to the chief financial officer (CFO) or some other executive like a CAO (administrative). His withering take on most CEOs are that they are more concerned with stock price (more…)
Don’t feel bad, HIT execs–the Feds are even worse. Complementary to our coverage of the increased danger of hacked health IT systems and data breaches (the trail of tears is here and here) is the oddly muted press clamor around the 4 June hacking report of the Federal Office of Personnel Management (OPM). Chinese hackers roamed around two OPM databases–personnel and security clearances–for nearly a year, according to CNN’s Senate briefing coverage. The breach likely exceeded 18 million records, though the real number may never be known. Privacy Rights Clearinghouse summarizes it and provides an interesting link to a timeline by Brian Krebs, whose independent reporting beat is IT security. Megan McArdle, a reformed IT consultant writing for Bloomberg News and independently, points at the Federal lack of urgency around having adequate IT that doesn’t fail. Example–the much chronicled failure around Healthcare.gov and the so-called health exchanges, which appear to be functioning better, but reports say they are nearly porous and hackable as they were in 2013. She notes that it’s all about ‘scorched-earth determination’ and that the direction has to come from the top, meaning the President. And ‘voters have never held Obama responsible for his administration’s appalling IT record’. A thought that should give those in telehealth and telemedicine who are working with CMS value-based program ACOs a great deal of pause. NY Post editorial via Press Reader.
Criminal activity is the cause of nearly 6 out of 10 data breaches, according to a study published in JAMA
last week (subscription required). Cyberbreaches–the infamous hacking attacks–produce breaches in the millions, but the far more typical and frequent breach, if smaller, is caused by simple theft of records–electronic and paper. HealthLeaders We’ve reported previously
that stolen records (over 500) have ranged from laptops to paper records as landfill and even old-style X-rays in dead storage sought after for mercury content. So if Hackermania is not always running wild, except when it is, how to keep those records secure?
According to West Virginia United Health System’s assistant CIO interviewed by FierceHealthIT at HIMSS
, it requires a policy change of staff education, expectations, understanding that protecting patient information is part of holistic care–and frequent audits. Trust, but verify. Encrypt–and keep passwords secure, multiple and frequently changed.
“The medical industry is years and years behind other industries when it comes to security.”–Dave Kennedy, TrustedSEC CEO.
We admire the Washington Post for arriving at the conclusion we did in 2010–that healthcare organizations are uniquely vulnerable to cyberattack because of the high value of patient data, and an often lighter level of HIT security. But now we get the finger wag that ‘it’s only going to get worse.’ (Beyond 120 million breached records?) Data security, of which HIPAA patient information protection is a part, wasn’t primary for years, especially in organizations overwhelmed with transitioning EHRs, getting EMRs to speak with EHRs, Meaningful Use, new care and payment models, 30-day readmissions and ‘oh, by the way, how will we get paid?’ The Premera Blue Cross (Washington state) breach of 11 million records was the second largest in healthcare history (after Anthem Health‘s February bunker buster of a breach). Most breaches are from stolen laptops or shared/easy to guess passwords (or none at all)–but these have not been in the millions. Premera’s theft took place on 5 May 2014 and was only discovered in January; it included SSIs, bank information, claims data, patient name/address and date of birth. Those affected were in California and Alaska primarily, but also included Federal employees.
But Premera can’t say they were not warned. The US Office of Personnel Management’s Office of the Inspector General (OPM OIG) independently audited Premera in April 2014 detailing several vulnerabilities, including a lack of timely patch implementations, a lack of methodology to “ensure that unsupported or out-of-date software is not utilized” and insecure server configurations, and the need to upgrade physical access controls in their data center. FierceHealthIT
Premera’s medical files data may expose other payers, which in turn may legally come after Premera, according to FierceHealthIT.
Only now are health systems and practices focusing on securing all information (more…)
Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the AnthemHealth breach, while their counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.
Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer. (more…)
US health insurance giant AnthemHealth, which had a data breach of reportedly up to 80 million beneficiaries [TTA 6 Feb], was an inadvertent ‘inside job’. The Associated Press reported that the credentials of at least five employees were used to access information, at least one of whom was an administrator who viewed his credentials being used to query the data warehouse. It’s easier than you think to get them. In an analysis published by security firm Tripwire and also in MIT Technology Review, the writer Ken Westin outlines how easy it is to find that the Anthem warehouse is TeraData, and to match up employees engaged with it, through using public employee profiles on places like LinkedIn and job postings. Then it’s deductive to find exact email addresses (find the pattern–lead generation companies building business contact lists do this all the time) and send these key employees phishing emails (more…)