TTA’s Midsummer Week 5: Hackermania runs wild on double summer time, LIVI expands to 1.8 M in UK, Allscripts deals with DOJ, and GSK IMPACT opens for UK charity applications


Summer is really flying by, but the daystopper of the week is the doubling of breached patient records this year. LIVI adds a lot of patients in the UK, Allscripts settles with DOJ on compliance, and GSK IMPACT opens for UK charitable organization applications.

The Breach Barometer hits a new high for healthcare–and the year isn’t over (The geometric increase in breaches and exposed records)
LIVI telemedicine app expands availability to 1.85 million patients with GPs in Birmingham, Shropshire, Northamptonshire, Southeast (The crowded UK telemedicine field)
Allscripts reaches deal with DOJ on Practice Fusion in compliance settlement for $145 million (Bargains are never bargains)
2020 GSK IMPACT/The King’s Fund Awards now open for applications (UK) (Apply soon!)

Summer is flying by, but rural health connectivity advances at the FCC. Smartphones now set up to detect viruses. Another smartphone enabled ultrasound player–but this time in 3D. A study connects health tech to retaining LTC workers. Connected Health Summit coming up, and Vivify Health acquires a new VP.

Comings and goings, short takes, and in other news…: Vivify’s new SVP Sales, Parks’ Connected Health Summit, $35M for 3D portable ultrasound, Oxford Medical Sim new pilot (Events, products, and more)
Technology will help ease, but not replace, rising workforce demand in long-term care: UCSF study (It’s almost all about the workers and retaining them in the face of technology)
Can a smartphone camera, app, and device detect viruses at low cost? (A University of Tokyo team says yes)
FCC reforming Rural Health Care Program to improve telehealth funding in addition to Connected Care Pilot (US) (About time, but still underfunded)

A news-filled week with events, executive moves at Verily, Teladoc, and ATA, a challenging take on oral health, a dim view on AI, mall ‘medtail’, CVS’ SDH initiative, and Call9’s fan dance.

Comings and goings, short takes and upcoming events: MedStartr Wed night, Mad*Pow acquired, Teladoc’s new COO, JAMA ponders telepharmacy, NHS London anxiety apps partner (updated)
Oral health: more than a public health challenge, an opportunity for telehealth? (Two Lancet articles make the case)
News roundup: docs dim on AI without purpose, ‘medtail’ a mall trend, CVS goes SDH, Kvedar to ATA, Biden ‘moonshot’ shorts out, and Short Takes
Call9: we’ll be back — with a different model! (Not forthcoming to Crain’s on what it looks like, though)

Rock Health assesses the first half 2019 funding picture and is reassured at the pressure that investors have to exit–but we see other and somewhat cautionary things. And the hearings on the CVS-Aetna merger slump towards an exhausting close in Judge Leon’s court.

Health tech bubble watch: Rock Health’s mid-2019 funding assessment amid Big IPOs (Why the funding picture is far more interesting than Rock Health thinks)
The CVS-Aetna merger hearing draws to a dreary, weary close (But when?)

A just-published UK survey of the care tech landscape has implications in the worldwide trend of community-based wellness and disease prevention. CVS-Aetna goes another round in Judge Leon’s court, this time with five states; he should Ask Alexa as NHS patients in the UK shortly will. And did you attend DHACA’s most recent meeting on the 17th?

Care Technology Landscape Review: Socitm Advisory for Essex County Council (UK) (A UK study which has international resonance)
‘Ask Alexa’ if you’re sick, says the NHS (But what if Alexa no comprende?)
Another round this Wednesday in the CVS-Aetna merger hearings (We’ll see what happens next in the longest post-merger hearing in healthcare history)
Come and listen to Julian Hitchcock talking regulation next Wednesday 17th July! (It’s past, but keep in touch with DHACA)

A sanguine look at CVS-Aetna’s possible merger denial indicates it may not be all bad. EHRs in the news as another cause of doctor burnout, and Malaysia’s $360M implementation plan. GreatCall’s lawsuit on its mobile PERS–and how not to approach an Editor on said subject. 

A measured look at the uncertainty around the CVS-Aetna merger (A numbers-backed perspective that says an un-merger may not be all bad)
Malaysia to spend over $360M for EHRs over the next five years (Only a few markets left for EHRs in Asia)
EHR system-generated emails/inbasket messages contributing to burnout in 36% of doctors: study (And EHRs were going to fix 21st Century Medicine)
The GreatCall Lively Mobile Plus Federal District Court lawsuit–and TTA (A few thoughts about Doing Right and The Right Approach–and we note that Scott Barnes has withdrawn himself from the class action lawsuit)


Have a job to fill? Seeking a position? Free listings available to match our Readers with the right opportunities. Email Editor Donna.


Read Telehealth and Telecare Aware: http://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. See our advert information here. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million breached healthcare records in six months can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first half of the year tallied more than double the patient records counted as breached in all of 2018 (15.1 million). The number of incidents was smaller, 285 breaches disclosed to the US Department of Health and Human Services or to the media, against 503 in 2018, which means that individual breaches affected far more records each.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency (AMCA), a third-party billing collections firm. This eight-month breach affected 20 to 22 million records belonging to patients of Quest Diagnostics, LabCorp, Opko Health (through its subsidiary BioReference Laboratories, Inc.), and Clinical Pathology Laboratories [TTA 5 June]. The hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. The PII exposed included Social Security numbers, dates of birth, and physical addresses.

Yet insider breaches remain a significant threat at 21 percent of incidents, whether through error without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related, affecting 3.5 million records: 35 were insider error and 22 insider wrongdoing.

When it comes to breaches, the trend is clearly not healthcare organizations’ friend: 2018 tripled 2017’s total of breached records, and this despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were flat year-over-year (290), but the number of records affected in 2018 nearly tripled, from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft are down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation, especially with the FBI, which itself has not hesitated to get around device encryption (e.g. Apple’s) when going after criminals’ phones.

TTA’s Week: NHS loses the pagers, digital health ethical talk-talk, back to chronic condition monitoring, consumers driving health design–whatta notion!


Chronic condition telehealth monitoring is suddenly hot–again. When will digital health ethics be more than talk-talk? No more faxes, no more pagers in the NHS. Surprise! Consumer behavior should drive health tech. Plus late spring events + Connected Health Summit speaking opportunities.

And scroll below for news of The King’s Fund’s Digital Health and Care Congress, including Matt Hancock as keynote speaker on day 2. Plus 10% off registration for our Readers!

Suddenly hot: chronic condition management in telehealth initiatives at University of Virginia and Doctor on Demand (We’ve been here before)
Events, dear friends: MedTech London, Aging 2.0 Philadelphia, speakers wanted for Connected Health Summit (More for your calendar from late winter into late summer)
First they came for the fax machines….now NHS is coming for the pagers (Pretty soon it will be the stethoscopes, the furniture…)
The King’s Fund Digital Health and Care Conference announces Matt Hancock as Day 2 keynoter (He’s everywhere!)
About time: digital health grows a set of ethical guidelines (But how to put it into action beyond the nice meetings and draft principles?)
A short but canny look at consumer behavior as a driver of health technology (Design that fits into life–what a notion!)

Rounding up HIMSS and the millennial/Gen Z healthcare mindset. It’s wall-to-wall Theranos for the next few weeks. And we bid farewell to a fine (if over-parodied) actor with our video advert.

News roundup: of logos and HIMSS roundups, Rock Health’s Digital Health Consumer Adoption survey, and the millennial/Gen Z walkaway from primary care (Increasingly not trad, dad)
The Theranos Story, ch. 58: with HBO and ABC, let the mythmaking and psychiatric profiling begin! (updated) (A deluge of Theranos Analysis)
From our archives: a long buried advert (RIP Bruno Ganz) (Editors Steve and Donna salute a fine actor and fine movie–remembered, humorously)

The Topol Review’s relationship to reality explored by Roy Lilley. Robotics effects in therapy for children with autism and CP. The wind’s even more at the back of telehealth–but there are caveats. Plus Editor Charles is back with a UK digital health roundup.

Roy Lilley’s tart-to-the-max view of The Topol Review on the digital future of the NHS (This week’s Must Read)
Robots’ largely positive, somewhat equivocal role in therapy for children with autism and cerebral palsy (HIMSS)
The wind may be even stronger at the back of telehealth this year–but not without a bit of chill (VA, Virginia as indicators–and the hurdles when you get there )
A selection of short digital health items of potential interest (Editor Charles is back with views on AI and events)

The telehealth entrepreneur and the $5 million fraud = 15 years in prison. Scotland’s Current Health wins FDA clearance, Latin America telemedicine’s uncertain state, women in eHealth, and studies on digital health in health systems.

News roundup: Current Health’s Class II, Healthware Italy’s €10 million boost, the low state of Latin America telemedicine, weekend reading on digital health in health systems
Digital health versus eHealth: ‘here we go again’ with the confusion and the differences. Plus Women in eHealth (JISfTeH) (Reviving the terminology discussion)
The telehealth ‘entrepreneur’ whose $5 million funding bought stays at the Ritz and portfolios at Bottega Veneta (And 15 years in the Federal pen. Tell your mum or uncle to be wary of good stories)

Our lead this week is the sale of Tunstall’s US operation. Unicorns need to hype less and publish studies more. The King’s Fund’s two events in March and May, Bayer’s accelerator winners, and news from Apple to teledermatology for São’s spotted!

Short takes: Livongo buys myStrength, Apple Watch cozies with insurers, Lively hears telehealth and $16 million
Tunstall Americas sold to Connect America (Tunstall conceding their business is outside the US)
Where’s the evidence? Healthcare unicorns lack the proof and credibility of peer-reviewed studies. (Unicorns need to add substance to the sparkle)
News roundup: Virginia includes RPM in telehealth, Chichester Careline changes, Sensyne AI allies with Oxford, Tunstall partners in Scotland, teledermatology in São Paulo
The King’s Fund ‘Digital Health and Care Explained’ 27 March (Readers also get a 10% discount at the 22-23 May Congress)
Bayer’s G4A accelerator awards agreements with KinAptic, Agamon, Cyclica (DE) (A truly international accelerator program)

Latest through the revolving door is NHS’ chief digital officer, digital health may be more ‘bubbly’ than you would like, telemedicine and telehealth gain important consumer and Medicare facing ground, and fill your calendar some more!

NHS England digital head Bauer exits for Swedish medical app Kry, but not without controversy (The revolving door reveals a self-made cloud over her head)
Events, Dear Friends, Events: UK Telehealthcare, Mad*Pow HXD, dHealth Summit (Get out the calendars–and the checkbooks/app)
Telemedicine virtual visits preferred by majority in Massachusetts General Hospital survey (Over 94% loved the convenience alone)
Medicare Advantage model covering telehealth for certain in-person visits starting in 2020 (The needle moves–slowly)
It’s not a bubble, really! Or developing? Analysis of Rock Health’s verdict on 2018’s digital health funding. (‘Bubbly’ factors that may influence this year–not for the better)

We round up the Official Healthcare Circus of CES, Verily rolls along with $1 bn in investment, and Walgreens Boots finally makes an alliance splash with Microsoft

It’s Official: CES is now a health tech event (updated) (And still a circus! We round up the top coverage so you don’t have to)
News roundup: Walgreens Boots-Microsoft, TytoCare, CVS-Aetna moves along, Care Innovations exits Louisville
Verily, Google’s life sciences arm, gathers in another billion to go…where? (Updated for Study Watch clearance) (Still a mystery)


The King’s Fund’s annual Digital Health and Care Congress is back on 22-23 May. Just announced–Secretary Matt Hancock keynoting Day 2. Meet leading NHS and social care professionals and learn how data and technology can improve the health and well-being of patients plus the quality and effectiveness of the services that they use. Our Readers are eligible for a 10% discount using the link in the advert or here, plus the code Telehealth_10.



– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principles into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional, from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable: parts of the US government, Congress and the FTC through a complaint filing, are coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal)

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging: the number of breached records fell by 72 percent between 2015 and 2017, and by 95 percent from 2016 to 2017. The calculation excludes the huge 2015 spike caused by two incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Breach incident counts decreased but remain relatively steady: 294 in 2017 against 328 in 2016. Data security company Protenus in its tracking found more incidents in 2017 than in 2016 (477 v. 450) but the same reduction in records affected, with five times fewer records in 2017 than 2016’s 27.3 million.

What’s been successful has been reducing mega-breaches and containing healthcare device loss and theft through education and enforcement of employee practices. What continues is that the leading cause of breaches remains insider-related, through both error and wrongdoing; the major annual Verizon report reaches the same conclusion. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

KRACK is wack for Wi-Fi attack–protocol flaw exposed

What’s being called Black Monday in the security world is the disclosure of a fundamental flaw in WPA2 (Wi-Fi Protected Access 2), which secures an estimated 60 percent of the world’s Wi-Fi networks. The weakness is in the protocol itself, specifically the four-way ‘handshake’ between a device and the access point: by blocking and then replaying the third handshake message, an attacker can trick the device into reinstalling a key it already has, which resets the packet number used as the encryption nonce (and the replay counter) to zero, so keystream is reused. ‘KRACK’, for Key Reinstallation Attack, therefore threatens any Wi-Fi enabled device and every WPA2 network, whatever the vendor. It was discovered by Mathy Vanhoef at KU Leuven, a university in Flanders, Belgium.

Threats include decrypting any sensitive information sent over the air that is not separately protected by TLS or a VPN: hackermania potentially running wild. Depending on the cipher suite in use (TKIP or GCMP rather than AES-CCMP), the vulnerability also lets an attacker forge and inject packets into a connection, a path for delivering ransomware and malware.

Security firm Varonis narrows the greatest threat down to Android users and devices that implement the WPA2 standard very strictly. The researchers’ own paper explains why: wpa_supplicant 2.4 and 2.5, the Wi-Fi client software in Android 6.0 and later and in many Linux distributions, clears the key from memory once it is installed, so a replayed handshake message reinstalls an all-zero key and the traffic becomes trivially decryptable without any known plaintext. Varonis considers Apple iOS devices and Windows PCs to be mostly (as of now) unaffected “since they don’t strictly implement the WPA2 protocol and key reinstallation.”

This matters for any WPA2-protected network in practices and hospitals, not just public or lightly protected ones: the Wi-Fi encryption clinicians trust on the ward is what is at stake, and only traffic carrying its own protection (HTTPS, a VPN) is safe from reading. Varonis notes the practical limits of the attack. The attacker must be within Wi-Fi range of the target device, must stand up a rogue access point to sit between it and the real network, and must send forged frames to the client; and at the time of writing no ready-made tooling was public, so the attack had to be coded by hand.
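To make the key-reinstallation mechanism concrete, here is an added Python model. It is not code from the original article, from the KU Leuven researchers, or from any real 802.11 stack; the `Client`, `krack` and `keystream` names are this example’s own. It replaces AES-CCMP with a SHA-256 counter-mode keystream, which has the same property that matters here (same key plus same nonce gives the same keystream), and models the client’s handling of handshake message 3 in three configurations: an unpatched client, the wpa_supplicant 2.4/2.5 all-zero-key variant behind the Android figures, and a patched client that refuses to reinstall a key it already holds. The key and the two frames are constructed sample data.

```python
"""Model of the KRACK key-reinstallation flaw: nonce reuse in a CTR-style cipher.

Added illustration, not code from the original article or the KRACK researchers.
The cipher is a SHA-256 counter-mode keystream standing in for AES-CCMP; the
client and handshake are simplified models of 802.11, not an implementation.
"""
import hashlib
from typing import Dict, Optional, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """CTR-style keystream: block i = SHA-256(key || nonce || i).
    Stands in for AES in counter mode; only the nonce-reuse property matters."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified Wi-Fi client: holds the pairwise key and the packet number (PN)
    that becomes the per-frame nonce. zero_key_after_install models wpa_supplicant
    2.4/2.5 (Android 6.0+, Linux) clearing the key from memory once installed."""

    def __init__(self, patched: bool, zero_key_after_install: bool = False) -> None:
        self.patched = patched
        self.zero_key_after_install = zero_key_after_install
        self.key: Optional[bytes] = None
        self.pn = 0

    def handle_msg3(self, ptk: bytes) -> None:
        """Handshake message 3: install the key and reset PN to 0.
        A patched client refuses to reinstall a key it already has."""
        if self.patched and self.key is not None:
            return
        if self.zero_key_after_install and self.key is not None:
            ptk = b"\x00" * len(ptk)  # key memory was zeroised after first install
        self.key = ptk
        self.pn = 0  # nonce and replay counter reset: the root of KRACK

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.key is not None, "no key installed"
        pn, self.pn = self.pn, self.pn + 1
        return pn, xor(plaintext, keystream(self.key, pn, len(plaintext)))


def krack(client: Client, ptk: bytes, known_pt: bytes, secret_pt: bytes) -> Dict[str, object]:
    """Attacker within radio range: block message 4, replay message 3 between two
    data frames, then check whether the two frames share a nonce."""
    client.handle_msg3(ptk)              # legitimate handshake completes
    pn1, c1 = client.encrypt(known_pt)   # frame whose content the attacker knows
    client.handle_msg3(ptk)              # attacker replays message 3
    pn2, c2 = client.encrypt(secret_pt)  # frame the attacker wants to read
    n = min(len(c1), len(c2))
    result: Dict[str, object] = {"nonce_reused": pn1 == pn2, "recovered": None, "all_zero_key": False}
    if pn1 == pn2:
        # same key and same nonce => same keystream, so c1 XOR c2 == p1 XOR p2
        result["recovered"] = xor(xor(c1[:n], c2[:n]), known_pt[:n])
    # all-zero-key variant: no known plaintext needed, just decrypt with zeros
    zero = b"\x00" * len(ptk)
    result["all_zero_key"] = xor(c2, keystream(zero, pn2, len(c2))) == secret_pt
    return result


# Constructed sample inputs (not captured traffic).
PTK = hashlib.sha256(b"example pairwise key").digest()
KNOWN = b"GET /login HTTP/1.1\r\nHost: portal.example\r\n"
SECRET = b"POST /login user=dr.smith&pw=Hunter2!\r\n"

if __name__ == "__main__":
    for label, client in [
        ("unpatched", Client(patched=False)),
        ("all-zero key (wpa_supplicant 2.4/2.5)", Client(patched=False, zero_key_after_install=True)),
        ("patched", Client(patched=True)),
    ]:
        r = krack(client, PTK, KNOWN, SECRET)
        print(f"{label}: nonce reused={r['nonce_reused']} recovered={r['recovered']!r} zero-key={r['all_zero_key']}")
```

Run it and the unpatched client shows the same packet number on both frames, which lets the attacker recover the second frame from the first by XOR; the all-zero-key client decrypts outright with no known plaintext at all; the patched client’s second frame gets a fresh nonce and neither trick works. The same reset of the packet number also resets the replay counter, which is why replaying frames (and, with TKIP or GCMP, forging them) is part of the advisory alongside decryption.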

Updates are reportedly on the way from Apple and Google, while Microsoft already included a fix in last week’s updates for Windows 7, 8, and 10 (Telegraph). The most exposed devices are Android smartphones and tablets: according to The Verge, 41 percent of Android devices are susceptible to the all-zero-key variant, and Android manufacturers are notoriously slow to ship updates.

Monday also brought a second, unrelated disclosure called ROCA (Return of Coppersmith’s Attack), a flaw in an Infineon RSA key-generation library used in TPM chips, smart cards, and identity tokens that lets an attacker compute the private key from the public one. Software and firmware updates fix the generator, but keys already produced by it remain weak and must be regenerated or replaced; patching alone is not enough.

Recommended protection for now, as listed in the Telegraph, is to keep Wi-Fi access password-protected and to apply updates to every device on the network. One caveat from the researchers themselves: KRACK does not recover the Wi-Fi password, and changing it does not help; what closes the hole is patching the clients (and access points where they act as clients or have fast roaming, 802.11r, enabled). Don’t use public unsecured networks. Shop only on https-protected sites. Vendors are issuing firmware and driver updates, and a constantly updated list is published over at the wonderfully-named Bleeping Computer, but your router may not update automatically, so you will have to do some searching and consulting with your internet provider. Also Wordfence (hat tip to Founder Steve) and a second article in The Verge.

Petya no pet as it spreads: is it ransomware or a vicious design for data destruction? (updated)

Breaking: the ‘more and worse’ experts predicted after WannaCry is here. In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to organizations in 64 countries, with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl’s radiation monitoring, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected, in a near-total shutdown of its computer systems and a fallback to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports at this hour of the NHS or major US, Asia-Pacific, or European health systems being affected. Update: trading in FedEx shares was halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business

Like WannaCry, the ransomware spreads with the leaked EternalBlue exploit against Microsoft’s SMBv1 file-sharing service; a report from ArsTechnica UK adds a second exploit from the same leak, touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses the credential-harvesting tool Mimikatz to pull passwords and hashes from memory, then uses legitimate Microsoft administration utilities (PsExec and WMIC) with those credentials to spread to machines the exploits cannot reach. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)

The Microsoft patch (and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install) defends against the WannaCry-style SMB exploits but still isn’t preventing the spread, because the credential-theft route works against fully patched machines once a single unpatched host, or a single logged-in administrator, gives the worm a foothold. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article reporting that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data: the ‘installation key’ shown to victims is random, so no decryption key can be derived from it, and the data on the drive is blocked for good.

Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:

Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.

**  The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.

What you can do right now is to ensure that every computer and every system you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups, and keep at least one copy offline where a worm with stolen admin credentials cannot reach it. Remind employees not to click on links in suspicious messages, or on odd links even from known senders, and to report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, as with WannaCry. (A suggestion from this Editor: limit web search to reputable sites, and don’t click on those advert links, which are buggy anyway!) Be judicious about software updates from sources other than Microsoft and your security provider, but don’t stop patching: there is growing, if still debated, evidence that the initial Ukrainian spread came through a compromised update of the popular tax accounting package MeDoc (later confirmed by ESET and the Ukrainian police). More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid. A caveat from this end: two real-time engines on the same machine usually fight each other, so the safer form of that advice is one real-time engine plus a second on-demand scanner.

And no matter what you do, don’t pay the ransom! The attackers’ email provider, Posteo, blocked their address within hours, so even a paid ransom cannot be matched to a victim or answered. Updates to come. More reading from Bleeping Computer, Healthcare IT News, CNBC, HIStalk, US-CERT, Fortune, and the Guardian.

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News: this morning’s (Tuesday 16 May) news is that reputable security organizations, Kaspersky Lab and Symantec, are connecting the dots that lead, for now, to the Lazarus Group, a hacking organization linked to North Korea. The attribution rests on code in an early WannaCry sample that also appears in earlier Lazarus tools; the group has been identified in previous attacks. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea’s missiles, army, EMP and nuclear arming while its terrorized people starve. As a fundraiser, however, this attack was a flop: according to US Homeland Security, about $70,000 had been paid in ransom. The Homeland Security spokesman also distanced the NSA from the attack, whose worm component exploits a weakness in Microsoft’s SMB file-sharing service.

According to Czech security firm Avast, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India. No US Federal government systems were affected. China reported on Monday that it had hit traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically plots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech researcher working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World: if the malware cannot connect to the (then unregistered) domain, it goes on to infect the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article.) Also FoxNews.
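The kill-switch mechanism above has a practical defensive consequence: any machine that looked up that domain ran the malware, whether or not the sinkhole answered. The following is an added example, not code from the article or from Kryptos Logic, that runs that check over resolver query logs. The domain name, the log format and the client addresses are constructed placeholders; the real indicator domain comes from your CERT’s advisory, and the log format from your own resolver.

```python
"""Flag hosts that looked up a WannaCry-style kill-switch domain in DNS logs.

Added example. The indicator domain, log lines and host addresses are all
constructed placeholders, not real indicators from the article.
"""
import re
from dataclasses import dataclass

# Constructed placeholder for the kill-switch / sinkhole domain (not the real one).
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Triage labels, from the mechanism described in the article: a resolved lookup
# means the malware halted; an unanswered (NXDOMAIN) lookup means it proceeded.
STATUS_HALTED = "halted-by-kill-switch"
STATUS_PROCEEDED = "no-kill-switch-response"

# Constructed query log in a simplified resolver format:
# <timestamp> <client-ip> <queried-name> <rcode>
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.20.1.15 intranet.trust.example NOERROR
2017-05-12T10:03:44Z 10.20.1.15 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:03:45Z 10.20.1.15 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:04:10Z 10.20.2.7 wsus.trust.example NOERROR
2017-05-12T14:22:09Z 10.20.3.99 killswitch-placeholder.example NOERROR
2017-05-12T14:22:10Z 10.20.3.99 killswitch-placeholder.example NOERROR
2017-05-12T14:22:11Z 10.20.3.99 killswitch-placeholder.example NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Sighting:
    host: str
    first_seen: str
    lookups: int
    resolved: bool  # True once any lookup got an answer (sinkhole registered)


def parse_line(line):
    """Split one log line into (timestamp, client, qname, rcode) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return ts, client, qname.lower().rstrip("."), rcode


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: Sighting} for every client that queried an indicator domain."""
    sightings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname, rcode = parsed
        if qname not in domains:
            continue
        s = sightings.get(client)
        if s is None:
            s = Sighting(host=client, first_seen=ts, lookups=0, resolved=False)
            sightings[client] = s
        s.lookups += 1
        if rcode == "NOERROR":
            s.resolved = True
    return sightings


def triage(sightings):
    """Label each host. Both outcomes mean the malware executed there, so both
    hosts go on the isolate-and-patch list; the label only orders the queue."""
    return {host: (STATUS_HALTED if s.resolved else STATUS_PROCEEDED)
            for host, s in sightings.items()}


if __name__ == "__main__":
    seen = find_kill_switch_lookups(SAMPLE_LOG)
    for host, status in sorted(triage(seen).items()):
        print(f"{host}: {status} (first seen {seen[host].first_seen}, "
              f"{seen[host].lookups} lookups)")
```

The point a responder should take from the output is that the host whose lookups resolved is not “clean”: the kill switch stopped the payload on that run, but the unpatched machine is still exposed to the next variant.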

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level, with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, summarized it neatly today in The Hill: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’, like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways and become deserved fodder for Dame Fiona [TTA 10 May]. The Hill. Earlier coverage here.

Hackermania meets The Dark Overlord with 2.3 million 2017 health data breaches

It’s a cage match! Reports are soaring, with a proliferation of data breaches year to date, after a relatively quiet period in 2016.

The Dark Overlord (TDO), in the mainstream news for dumping unreleased Netflix program episodes on illegal file-sharing sites and demanding ransom (Guardian), has also been hard at work dumping PHI hacked from various clinics. DataBreaches.net tallied it at 180,000 records from at least nine medical clinics.

Health data security developer/provider Protenus, whose Breach Barometer tracks the numbers, counted 2.1 million breached patient records in the first quarter. March spiked, with 700,000 coming from Commonwealth Health Corporation of Kentucky.

Our standby Privacy Rights Clearinghouse counted over 175,000 records to date, but 160,000 of those (MedCenter Health) are already in Protenus’ total, so their net addition was 15,000. PRC’s detail, though, illustrates that ransomware is alive, well, and invading smaller healthcare organizations. Other causes are unauthorized data server access, third-party vendors, email error, and theft.

16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were the usual route, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for the UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release. PDF of the US Digital Trust Report.

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead, with 34 percent of breaches and 44 percent of records respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse, which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported.

The malware siege of Northern Lincolnshire and Goole NHS: a preview of more? (UK)

By now our UK readers are well aware of the malware shutdown, starting Sunday 30 Oct and only resolved today, of the Northern Lincolnshire and Goole NHS Trust hospitals: Diana, Princess of Wales; Goole and District; Scunthorpe General.

[Image: NHS Digital alert screenshot (NHS website via Krebsonsecurity.com)]

[Image: second NHS alert screenshot (NHS website)]

It is estimated that the shutdown affected approximately 1,000 patients over the three days. Most patients were diverted to neighboring hospitals, according to The Guardian.

The Health Services Journal (paywalled) broke, as an exclusive, the NHS’s high-priority warning to providers around the country. Yet it seemed equivocal. According to The Sun, while NHS Digital marked the message as ‘severity: high’ and warned that “… we would like to remind all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise”, it was tempered with “We have no evidence that this is anything other than a local isolated incident but we will continue to keep health and care organisations informed.” Also according to The Sun, the Department of Health has noted that this is not the first such incident.

As our Readers know, US and Canadian hospitals and healthcare organizations have of late been subject to malware and its latest iteration, ransomware, with a large outbreak this summer.

The cybersecurity black hole–and bad flashback–that is the Internet of Things

One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?’).

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Shouldn’t designers have learned by now? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, ship with default login credentials, if they have any at all. IoT devices are also allegedly findable on a snoop site called Shodan. The reason: the financial and market pressure to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets.

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet-connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare, best heed Varonis and secure it!
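The two weaknesses the experts name above (factory credentials and devices reachable from the open internet) are things an owner can check for on their own network without any special tooling. The following is an added example, not the article’s or Varonis’ code, that audits a small device inventory for those weaknesses plus two related ones (stale firmware and a gadget sitting on the same network segment as everything else). The inventory, the default-credential list, the 365-day firmware policy and the segment names are all constructed assumptions; replace them with what you actually have.

```python
"""Audit a home or clinic IoT inventory for the gadget weaknesses described above.

Added example. The inventory, the default-credential list and the policy
thresholds are constructed assumptions, not data from the article.
"""
import json
from datetime import date

# Constructed list of factory credential pairs commonly shipped on gadgets.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", "")}

# Management services that should never be reachable from the WAN side.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http-admin",
                    443: "https-admin", 8080: "http-alt"}

MAX_FIRMWARE_AGE_DAYS = 365      # policy assumption
SHARED_SEGMENT = "main"          # assumed name of the segment your PCs live on

# Constructed inventory: what a careful owner would write down per device.
SAMPLE_INVENTORY = json.dumps([
    {"name": "coffee-maker", "admin_user": "admin", "admin_password": "admin",
     "wan_ports": [23, 80], "upnp_enabled": True,
     "firmware_date": "2014-03-01", "segment": "main"},
    {"name": "telehealth-hub", "admin_user": "clinic",
     "admin_password": "Long-Unique-Passphrase-42", "wan_ports": [],
     "upnp_enabled": False, "firmware_date": "2016-09-15", "segment": "iot"},
    {"name": "door-camera", "admin_user": "admin", "admin_password": "",
     "wan_ports": [8080], "upnp_enabled": False,
     "firmware_date": "2016-01-10", "segment": "iot"},
])


def audit_device(dev, today):
    """Return a list of finding tags for one device record."""
    findings = []
    creds = (dev.get("admin_user", ""), dev.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    # Any management port forwarded or exposed on the WAN is a Shodan-findable door.
    for port in dev.get("wan_ports", []):
        if port in MANAGEMENT_PORTS:
            findings.append(f"wan-exposed-{MANAGEMENT_PORTS[port]}")
    # UPnP lets the gadget open router ports by itself; turn it off on the router.
    if dev.get("upnp_enabled"):
        findings.append("upnp-enabled")
    firmware_age = (today - date.fromisoformat(dev["firmware_date"])).days
    if firmware_age > MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale-firmware")
    # A gadget on the same segment as your PCs can reach them if it is compromised.
    if dev.get("segment") == SHARED_SEGMENT:
        findings.append("not-segmented")
    return findings


def audit_inventory(inventory_json, today):
    """Map device name -> findings for every device in the JSON inventory."""
    return {dev["name"]: audit_device(dev, today)
            for dev in json.loads(inventory_json)}


def worst_first(report):
    """Device names ordered by number of findings, most findings first."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


if __name__ == "__main__":
    # Constructed audit date: one week after the Dyn attack the article refers to.
    report = audit_inventory(SAMPLE_INVENTORY, date(2016, 10, 28))
    for name in worst_first(report):
        print(f"{name}: {', '.join(report[name]) or 'no findings'}")
```

Fixing the findings is the same short list Varonis gives: change the factory password, remove the port forwards and disable UPnP on the router, update the firmware, and put gadgets on their own network segment away from the PCs that hold your data.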

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare

VA’s moves spell the end of the homegrown EHR

The Veterans Health Administration (VHA) is formally reaching out to the private sector to explore switching from its current, pioneering EHR system, VistA (also referred to as CPRS, Computerized Patient Record System), to a commercial system. Their ‘feeler’ is an August 5 and 8 notice in FedBizOpps.gov titled 99–TAC-16-37877 * RFI – VHA supporting COTS EHR REQUEST FOR INFORMATION (RFI), Solicitation Number: VA11816N1486. This requests information on business support for transitioning to a commercial-off-the-shelf system (COTS–don’t governments love acronyms?–Ed.) and closes 26 August, which is not a lot of time even for an RFI.

VHA has been under extreme pressure from Congress to modernize its EHR, lately in July hearings before the Senate Appropriations Committee. EHR replacement is also in line with the Congressionally-mandated, now concluded Commission on Care’s recently published recommendations on a total, top-down reorganization of VHA, including a sweeping reorg of their HIT management. The VHA strategy appears to be that while they are walking down the road to replace VistA and have already spent to assess where they are with KLAS and other EHR consultancies (spending $160,000+ on surveys), they are essentially ‘kicking the can down the road’ to the next administration (POLITICO’s Morning eHealth, 14 July).

The current plan is to continue upgrading VistA through late 2018, though the closely related Department of Defense Military Health System is in the long process of cutting its homegrown AHLTA over to Cerner-Leidos as MHS Genesis, awarded last August, with a first trial in the Pacific Northwest later this year (HealthcareITNews, Ed. emphasis). Of course, it will take the VHA years to roll it out; there are close to 9 million veterans enrolled in the closed system that is the VHA. FCW, Morning eHealth 10 August.

Love EHRs or hate them, the sheer size of the VHA and its growing concession that VistA won’t do in caring for American veterans makes it clear that the future of EHRs is in private systems from major developers–a field which is winnowing out to The Few (take that, GE).

Summertime, and the health data breaches are easy….

Cybersecurity is the word, not the bird, from South Korea (see here) to the US. The week opened with an unusual healthcare plan supplier breach: 3.3 million payer records held by a card issuer, Newkirk Products of Albany, NY. The company issues ID cards for several Blue Cross and Blue Shield plans and provides management services to other commercial payers. Ironically, it was discovered five days after their $410 million acquisition by Broadridge Financial Solutions of Lake Success, Long Island. On July 6, Newkirk discovered ‘unauthorized access’ to a server with records containing the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases date of birth, premium invoice information and Medicaid ID number. “No health plans’ systems were accessed or affected in any way,” according to the release. MedCityNews, Newkirk release on notice.

Another supplier breach affected an estimated 3.7 million patients at Arizona’s Banner Health. This one was a bit closer to home: hackers compromised the computer systems used to process debit and credit card payments at Banner’s food and beverage outlets in four states between June 23 and July 7. A week later, the hackers gained unauthorized access to systems containing patient information, health plan member and beneficiary information, as well as information about physicians and healthcare providers. MedCityNews, Banner Health release.

But what’s secret anymore about your health data anyway? It’s all those apps sending data via your Apple Watch and your Fitbit, which aren’t necessarily covered by HIPAA, or secure.

IoT and the inevitable, looming Big Data Breach

The Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 million Wi-Fi-connected tea kettles, smart fridges, remotely adjusted pacemakers (and other medical devices), plus home security two-way video systems that accost the dodgy door ringer, sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT, patched out on PCs 10 years ago, that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. Their prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that will shut down millions of Connected Cars’ CPUs or disable the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.

Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security?