Ransom! (ware) strikes more hospitals and Apple (update)–Healthcare.gov’s plus trouble

Get out the Ransom! California hospitals appear to be Top of the Pops for ransomware attacks, which lock down and encrypt information after someone opens a malicious link in email, making it inaccessible. After the well-publicized attack on Hollywood Presbyterian in February, this week two hospitals in the Inland Empire, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both owned by Prime Healthcare Management, received demands. While hacked, neither hospital paid the ransom and no patient data was compromised according to hospital spokesmen. Additional hospitals earlier this month: Methodist Hospital in Henderson, Kentucky and Ottawa Hospital in Ontario, Canada. In Ottawa, four computers were hacked but isolated and wiped. It is not known if ‘Locky’, the moniker for a new ransomware, was the Canadian culprit. FBI on the case in the US. HealthcareITNews, National Post

Update: Locky is the suspected culprit in the Prime, Hollywood Presbyterian and Kentucky ransomware attacks. On Monday, Maryland-based MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore. Separately, Cisco Talos Research is claiming that a number of the attacks are exploiting a vulnerability in a network server called JBoss using a ransomware dubbed SamSam. Perhaps both are creating mischief? Ars Technica, Cisco Talos blog, BBC News, ThreatPost

More and worse attacks north of the 49th Parallel. Norfolk General Hospital in Simcoe, Ontario had a ransomware attack this week that spread to computers of staff, patients and families via the external website through the outdated content management system. According to MalwareBytes, “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.” So if you are running old Joomla! or even old WordPress, update now! Neil Versel in MedCityNews

If you’re thinking Mac Prevents Attacks, the first ransomware targeting Apple OS X hit earlier this month. Mac users who downloaded version 2.90 of Transmission, a data transfer program using BitTorrent, were infected. KeRanger appears after three days, demanding that one bitcoin (about $400) be sent to a specific address before users can retrieve their files. HealthcareITNews

Finally, there is the Hackermania gift that keeps on giving: Healthcare.gov.

Defense, VA EHR interoperability off the tracks again: GAO

According to the US Congress’ Government Accountability Office (GAO), the birddog of All Things Budget, the Department of Defense (DOD) and Veterans Affairs (VA) missed the 1 Oct 2014 deadline established in the Fiscal Year 2014 National Defense Authorization Act (NDAA) to certify that all health data in their systems met national standards and were interoperable. Modernization of software–a new Cerner EHR for DOD, modernization of VistA–is also behind the curve with a due date now beyond the 31 Dec 2016 deadline until after 2018. Finally the DOD-VA Interagency Program Office (IPO), which shares health data between the departments, has not yet produced or created a time frame nor “specified outcome-oriented metrics and established related goals that are important to gauging the impact that interoperability capabilities have on improving health care services for shared patients.” iHealthBeat, GAO report

Another go at a joint DOD-VA EHR? (US)

As this Editor was Pondering the Squandering last week of $28 billion HITECH Act funds meant to achieve EHR interoperability but falling well short, we recalled another Big EHR Squander: the integration of the Department of Defense’s (DOD) AHLTA with the Veteran Affairs’ VistA, an iEHR effort which collapsed in February 2013 at a mere $1 billion, in addition to dysfunctional or failed upgrades in both systems at just under $4 billion [TTA 27 July 13]. For civilians, this may not sound like much for concern, but for active duty, Reserve and National Guard service members transitioning from active to civilian status (and back as they are activated), often with complicated medical histories, it means a great deal.

At least one Congressman who also happens to be a physician, Representative Phil Roe, MD (R-TN) wants to try, try again. According to Politico’s Morning eHealth of last Wednesday, his bill will offer “a $50 million prize to the creator of an integrated military-veteran medical records system” plus another $25 million over five years to operate it. DOD is moving forward with an $11 billion bid for a new EHR, but Rep. Roe’s staff issued a statement that differs with the DOD’s–that the new EHR still has no provision for secure and relatively seamless interoperability with the VA system to streamline the transfer of claims. We wish the best to Rep. Roe, and hope he can overcome Congressional inertia and two huge bureaucracies amidst doubts on the DOD’s EHR award process. FierceEMR on Roe bill, award process and adoption concerns by GAO and others. Also Anne Zieger in Healthcare Dive, iHealthBeat.

VA, DoD aren’t collaborating on EHR: GAO

Your ‘Dog Bites Man’ item for the weekend (no, it’s not in reverse!) is that the Government Accountability Office (GAO) has determined that Veterans Affairs (VA) and the Department of Defense (DoD) have not yet proved that their current two-system path, having rejected a single EHR, actually will be workable. In February 2013, both agencies abandoned a joint system after $1 billion in spend, and $4 billion in fixes/upgrades to their separate VistA and AHLTA systems. [TTA 15 Dec] By the two agencies going their separate ways, the GAO is mystified on what is going on with interoperability. The answer: not much. And as mentioned in our 15 December article, there was a 31 January deadline for an interoperability plan (or single system) to be implemented by 2016, mandated by the 2014 National Defense Authorization Act (NDAA). Obviously, this deadline has come and gone. FierceEMR article, GAO recommendation (full text PDF)

One way to overcome the interoperability problem and too much in the EHR? Get rid of those pesky backlogged patient records! The Daily Caller uncovered a VA whistleblower’s complaint to the VA’s Inspector General and their office of special counsel, plus Congress, that VA officials in Los Angeles intentionally canceled backlogged patient exam requests going back more than one year–and that the delay on exams went back 6-9 months. The deletions started in 2009. There is a wrongful dismissal (of said whistleblower) suit and other joy. Article, audio (02:21) Updates 3-4 March: according to Under Secretary for Health Robert Petzel, the Daily Caller report was ‘scurrilous’. He stated that about 300 records were closed but not deleted after administrative review, generally for old imaging requests, and there was no effort to delete records to boost performance. According to FierceHealthIT, the backlog is about 400,000. Also Military Times. According to EHR Intelligence, both DoD and the VA agree with the GAO recommendations; GAO will update its findings once the agencies have taken action. Also iHealthBeat.