TTA’s 4th of July Fireworks: sparklers and starbursts from Teladoc, King’s College London, ransomware, FCC, Samsung, Walgreens, more!

 

No fireworks near your Editor except illegal ones, but we have a few legal ones on hand. Ransomware is sending up mortars. COVID’s effect on telehealth is a flitter-glitter comet, but patient counts to date misfire. Samsung starbursts tele-genomics. We’re waving sparklers for the SURE Recovery app from King’s College London. And telehealth celebrated with some nifty Roman candles from the FCC, but Huawei and ZTE were sent the smoke bombs. 

Happy US Independence Day (a/k/a The Colonial Rebellion)–a day early!

News roundup: Teladoc closes InTouch, Samsung bets on tele-genomics, SURE Recovery app, Optimize.health’s seed round, Walgreens’ Microsoft boost
Hackermania runs wild, Required Reading Department: The Anatomy of a Ransomware Attack (Weekend reading for you and your IT department)
Do Huawei and ZTE present security threats to the US and global communications networks? The FCC says yes. (Recognizing geopolitical reality)
FCC approves 70 more COVID-19 telehealth funding applications for an additional $32 million (A major support for growth for small to large organizations)
Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others (Hackers in their basements didn’t break for COVID)
COVID effect on US practices: in-person visits down 37%, telehealth peaks at 14%; ATA asks Congress to make expansion permanent (Patients still not visiting their doctors, virtual or not)
The TeleDentists now in 14 states with Anthem (Recognition of an oft-forgotten but key part of medicine)

On the First Day of Summer, there’s hot news with NHS finally giving up on its NHSX COVID tracing app and a few changes over at NHSX. Otherwise, we observe some semblance of a return to Business As Usual. A former unicorn goes bankrupt, a telecare company brings out a new product, the VA has more drama around its EHR. But still plenty of COVID related news, including its hopefully permanent telehealth stimulus, without any drugs!

Breaking: NHSX COVID contact tracing app exits stage left. Enter the Apple and Google dance team. (Not a surprise to anyone, and some changes made)

News Roundup (updated): Proteus files Ch. 11, VA’s EHR tests now fall–maybe, making US telehealth expansion permanent, Rennova’s rural telehealth bet, Oysta’s Lite, Fitbit’s Ready to Work jumps on the screening bandwagon
Where in the world is the NHS COVID contact tracing app? Apps rolling out globally, but will they roll out before it’s treatable? (Apps have problems, but the protocols are getting better every day)

Despite other events, COVID still makes the news. Malcolm Fisk and his team studied how telehealth responded at the start of the pandemic in three countries. The ‘Thank And Praise’ virtual wall continues to accept thanks for healthcare workers. ATA’s now virtual conference may have been boosted by other cancellations. And finally, COVID struck the courts and held up the Cigna-Anthem breakup settlement–only three years in the making!

Another COVID casualty: a final decision on the Cigna-Anthem damages settlement (It’s only 3 years and billions at stake!)
ATA’s annual conference now 22-26 June–and fully virtual; announces three awards and Fellows (Plenty of names from US, UK, EU)
‘Thank and Praise’ to healthcare workers continues (UK) (A service that deserves notice for its graciousness)
Telehealth and the response to COVID-19 in Australia, UK, and US: the paper (Malcolm Fisk and team’s comparative study)

Gasping under our fabric masks, we are wheezing the Almost Summertime Blues. Is NHS a little blue with its unready contact tracing app and having to do things the Old Fashioned Way? Higi is not at all blue with a $30 million Series B infusion led by–Babylon Health–nor Propeller Health, 34 EU health tech startups, and Amazon. Google’s attorneys will roast in an Arizona summer. And finally, BMJ discovers that masks might make your breathing a lot more difficult–and concentrate whatever virus you’re exhaling.

Babylon Health leads a $30 million Series B for Higi health kiosks (An interesting series–of mutual interests in the US of A)
News roundup: LabCorp CRO boosts Medable, Propeller Health gains 510(k), EU’s 34 medtech startups, Amazon’s healthcare moves, Google’s Arizona privacy lawsuit
NHS’ COVID contact tracing service started today–but where’s the app? Australia? (Looks like the old fashioned un-digital way)
Why ‘masking up’ isn’t such a great idea–more than a false sense of security (And 6 other reasons why)

Sloooowly emerging from our homes into the sunshine, and maybe back into our offices soon, we have a first-person participant view of TechForce19. Back in the office, there will be a whole lot of app tracking and separation going on, if we return. In other news, Optum continues its buying spree, Amwell raises a few dollars, and DHACA has a #WebinarWednesday coming up in June. 

Reflections of a TechForce19 Participant (What it’s like to be in the center of a tornado!)
Optum buys naviHealth for reported $1 billion; Amwell raises $194 million in Series C (More $ in analytics, telehealth)
DHACA home testing webinar 20th May 10am–next one 3 June (DHACA’s #WebinarWednesday)
Post-COVID back to work: for workplace screening, testing, contact tracing, there’s an app for that (You’ll be in a very different looking office with plenty of new rules–if you return there)



Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine and health tech, worldwide–thoughtfully and from the view of fellow professionals


Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and obtain the return of the data the attackers had taken, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages the attackers. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?”

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF has gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, which he likens to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary unintentionally corrupting systems and devices down the line.

The pileup of Federal ‘titanic serial IT disasters’ (US)

Don’t feel bad, HIT execs–the Feds are even worse. Complementary to our coverage of the increased danger of hacked health IT systems and data breaches (the trail of tears is here and here) is the oddly muted press clamor around the 4 June hacking report of the Federal Office of Personnel Management (OPM). Chinese hackers roamed around two OPM databases–personnel and security clearances–for nearly a year, according to CNN’s Senate briefing coverage. The breach likely exceeded 18 million records, though the real number may never be known. Privacy Rights Clearinghouse summarizes it and provides an interesting link to a timeline by Brian Krebs, whose independent reporting beat is IT security. Megan McArdle, a reformed IT consultant writing for Bloomberg News and independently, points at the Federal lack of urgency around having adequate IT that doesn’t fail. Example–the much chronicled failure around Healthcare.gov and the so-called health exchanges, which appear to be functioning better, but reports say they are nearly as porous and hackable as they were in 2013. She notes that it’s all about ‘scorched-earth determination’ and that the direction has to come from the top, meaning the President. And ‘voters have never held Obama responsible for his administration’s appalling IT record’. A thought that should give those in telehealth and telemedicine who are working with CMS value-based program ACOs a great deal of pause. NY Post editorial via Press Reader.

Hackermania running wild, 2015 edition


Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the AnthemHealth breach, while their counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.

Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer.

Dr Topol’s prescription for The Future of Medicine, analyzed

The Future of Medicine Is in Your Smartphone sounds like a preface to his latest book, ‘The Patient Will See You Now’, but it is quite consistent with Dr Topol’s talks of late [TTA 5 Dec]. The article is at once optimistic–yes, we love the picture–yet somewhat unreal. When we walk around and kick the tires…

First, it flies in the face of the increasing control of healthcare providers by government as to outcomes and the shift for good or ill to ‘outcomes-based medicine’. Second, ‘doctorless patients’ may need fewer services, not more, and why should these individuals, who represent the high-info elite at least initially, be penalized by having to pay the extremely high premiums dictated by government-approved health insurance (in the US, ACA-compliant insurance a/k/a Obamacare)–or face the US tax penalties for not enrolling in same? Third, those liberating mass market smartwatches and fitness trackers aren’t clinical quality yet–fine directionally, but real clinical diagnosis (more…)

41 percent of healthcare employees don’t encrypt mobile devices: Forrester

Just after this Editor rhapsodized that one of the unrecognized (except here) wins for Apple’s new iPhone 6 in healthcare will be to give the docs what they want–larger screens–is this sobering stat from Forrester. Only 59 percent of healthcare employees use full-disk encryption or file-level encryption on mHealth computing devices used at work. Yes, here is another hole in the data security dike that needs plugging, because Forrester also cites that 80 percent of data breaches relate to lost or stolen devices. (What, not mulch?)  Author Chris Sherman also quoted street prices for health records to The Wall Street Journal’s CIO Journal blog  (more…)

CHS data breach estimated price tag: $150 million

Huge price tag, is the solution more ‘white hat hacker/crackers’, get a clue, C-Suite and why China leads in hacking (important updates!)

Dan Munro in Forbes got out his calculator and estimated that the cost to Community Health Services, based on prior incidents, may be as high as $150 million. He bases it on recent poster children Columbia-NY Presbyterian and BlueCross BlueShield of Tennessee. The message to healthcare business executives: pay now–by beefing up HIT and data security–or pay later in rush remediation of data breaches like identity theft protection, Office of Civil Rights-HHS fines, potential insurance fraud,  legal charges and damages awarded. On the latter, it took only hours after the announcement for the first class action to be filed in Alabama.

Of course cybersecurity experts, particularly the ‘white hat’ or ‘cracker’ variety, are in increasingly high demand across all business areas and internationally–and there aren’t many at that exalted level or even a rung or two below. Their commensurate compensation is one factor, but calls to hire less expensively overseas as explored in this article are, in this Editor’s estimation, a two-edged sword: much hacking, many sleeper bugs and ‘backdooring’ are engineered overseas (China, Russia, the Balkans, India); what is to say that these ‘former hackers’ aren’t playing both games? Cybersecurity’s hiring crisis: A troubling trajectory (ZDNet)

The C-Suite Must Care…The Workforce Must Be Aware

Since data security and data breaches threaten to swamp many sectors (universities and colleges, even more than healthcare, rank as the most vulnerable), the solution may not be wholly in the code.

Risky hospital business: happy device hacking, insider data breaches

A heap of ‘insanely easy’ hospital hacking–but no harm done: Essentia Health’s head of information security, Scott Erven, set his team to work–with management approval–on hacking practically every internal device and system over two years, and found that most were ‘insanely easy’ to hack. They successfully hacked drug infusion pumps, EHRs, Bluetooth-enabled defibrillators, surgery robots, CT scanners, networked refrigerator temperature settings and X-ray machines with potentially disastrous results. Where the common security holes are in networked equipment: lack of authentication, weak passwords, embedded web services and the list goes on. Mr Erven presented this at an industry meeting in April, without naming brands or devices as he’s still trying to fix them. Essentia Health operates about 100 facilities, including clinics, hospitals and pharmacies, in Minnesota, North Dakota, Wisconsin and Idaho–and should receive much credit for facilitating this study. This is the environment into which we will be plonking tons of patient information in PHRs and telehealth monitoring. Pass the painkillers. Summary in HealthIT Outcomes, much more essential detail in Wired worth the read.

The ‘Maybe No One Will Notice’ Data Breach:  The recent incident at the University of Massachusetts Memorial Medical Center in Worcester illustrates the difficulty that even academic medical centers have with detecting data security breaches, particularly when they are small, sneaky, over time and by an insider. UMass uncovered a series of low-profile breaches by a former employee who helped himself to patient information such as name, address, date of birth and Social Security number–and may have used it to open up credit card and mobile phone accounts. Only four records appear to have been misused in this way, but at least 2,400 records were estimated to be improperly accessed–over 12 years, which made it even more difficult to find. Perhaps the employee was funding retirement? HealthcareInfoSecurity

The ‘Ambulance Chaser’ Data Breach: What better way for lawyers and shady outpatient clinics to get accident patients fresh from the ER (ED), than to have someone on the inside feeding them patient information?