WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk.  “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and it was found as quickly as it was by a British security specialist with the handle Malware Tech. 

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even head of IT audit and security services at West Midlands Ambulance Service NHS Trust and a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, initial passwords not changed in EHRs. Add to firewalls, prevention measures, emphasizing compliance and best practices, security cyber-resilience–more than a recovery plan, planning to keep operations running with warm backups ready to go, contingency plans, a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Orangeworm malware running wild in hospitals for three years: multiple reports

Orangeworm hacker group finds easy pickings in hospitals and healthcare. Reports have multiplied in recent weeks of the Orangeworm hacker (or hackers) threatening healthcare organizations, frequently hospitals. Major info security groups have issued warnings: Symantec, Cynerio, BlackBerry, and Rubicon Labs. Symantec’s report states that 39 percent of the victims come from healthcare, with the remainder coming from manufacturing (15 percent), IT (15 percent), and logistics (8 percent), most with ties to the healthcare sector, and suspected vectors for a supply-chain attack.

‘Easy pickings’ include invading the old computer systems and controls prevalent worldwide in healthcare organizations: devices designed to control X-ray machines, MRIs, and even systems that help patients fill out consent forms. Orangeworm accesses IT systems using the Kwampirs trojan, taking advantage of the fact that most hospital IT systems are old, and as we know from the Petya and WannaCry attacks a year ago, their old, unprotected, and unpatched systems are uniquely vulnerable.

The semi-shocking fact is that this has been spreading quietly in healthcare organizations for over three years. The attackers used, according to both Symantec and Bleeping Computer,  malware that infected systems by copying itself across network shares, methods that are considered antiquated and “noisy”. Orangeworm also didn’t change its command and control (C&C) communication protocol over the three years, seemingly unconcerned about discovery.

The attacks appear targeted and coordinated. Speculation is that Orangeworm is a hacker or a small group of hackers targeting the rich information in healthcare records to sell on black markets. 17 percent of the attacks have been in the US, with UK, Germany, the Philippines, and Hungary at 5 percent each.

Symantec’s advice is extensive and detailed here, but can be summed up as: quit using Windows XP based systems, patch and update software and systems, use anti-virus, protect file sharing. Also Digital Health, Information Security Buzz News, Security Intelligence.

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

click to enlargeDoncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care setting. Blue Cedar is securing the app through their patented code-injected technology which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts‘ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), with over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting to HHS is improving with reporting to HHS, the media or state attorneys general on average of 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August   Hat tip to Guy Dewsbury via LinkedIn

Higi and Interpreta’s data mix partnership–questions on consent, data security

click to enlargeHigi (also higi), which has placed health monitoring kiosks in over 11,000 US retail locations and a 5.5 million signup base, and data cruncher Interpreta announced that they are partnering to blend Higi’s vital signs data with Interpreta’s claims, clinical and genomics data analytics. Based on Mobihealthnews’ article and the joint release, an individual’s health information taken at higi retail stations will be “prioritized within Interpreta in real time”. They also claim that for the first time, insurance payers and providers will be able to leverage biometrics data, clinical, claims and additional genomic information a person may obtain from genetic testing services into a ‘personalized care roadmap’ that closes gaps in care. This is positioned as a big advance in population health and it all sounds great.

Perhaps not so great are the details. What about consent and data security? Aside from absolutely no mention of patient consent and HIPAA compliance in the above news, this Editor suspects that past, current and future Higi users may not be made aware that their vital signs data recorded with Higi will be 1) sent into a non-Higi database and 2) integrated with other information that appears in Interpreta’s database. How is this being done? Is consent obtained? What then happens? Is it used on an identified or de-identified basis? Where is it going? Who is doing what with it? Can it be sold, as 23andme’s genomic information is (with consent, but still…)? “Interpreta works in the realm of precision medicine, continuously interpreting and synchronizing clinical and genomics data in real time to create a personalized roadmap to enable the orchestration of timely care.” but they do this for providers and health plans who are then responsible for privacy and data integrity. Consent for Higi to keep a record of your blood pressure when you drop into your local RiteAid or ShopRite is not consent for Interpreta to use or manipulate it. These questions should have been addressed in the release or an accompanying fact sheet. We welcome a response from either Higi or Interpreta.

And one last and exceedingly ‘gimlety’ observation by this Editor: kiosks get hacked, and here we have not a price to a McDonald’s meal but a portal to deep PHI. Here’s a two-part article in an industry publication, Kiosk Marketplace, if you are skeptical. Part 1, Part 2 

Petya no pet as it spreads: is it ransomware or a vicious design for data destruction? (updated)

Breaking–The ‘more and worse’ experts predicted after WannaCry is here.  In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to affect organizations in 64 countries with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected in a near-total shutdown of their computer systems, and resorting to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports to this hour that the NHS, major US, Asia-Pacific, or European health systems being affected. Update: Trading in FedEx shares were halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: The Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business

Like WannaCry, the ransomware exploited the EternalBlue backdoor; a report from ArsTechnica UK adds an exploit touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses a hacking tool called MimiKatz to extract passwords and then uses legitimate Microsoft utilities and components to spread it. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)

The Microsoft patch–and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install–while defending against WannaCry, still isn’t preventing the spread. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article confirming that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data by forever blocking it on your hard drive.

Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:

Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.

**  The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.

What you can do right now is to ensure every computer, every system, you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups. Remind employees to not click on links in suspicious messages or odd links even from known senders–and report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, like WannaCry. (A suggestion from this Editor–limit web search to reputable sites, and don’t click on those advert links which are buggy anyway!) Be judicious on updates for your software except by Microsoft and your security provider; there is growing but still being debated evidence that the initial Ukrainian spread was through a hacked update on a popular tax accounting software, MeDoc. More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid.

And no matter what you do–don’t pay the ransom! The email provider within hours blocked the email so that the payment cannot go through. Updates to come. More reading from Bleeping ComputerHealthcare IT News, CNBC, HIStalk, US-CERT, Fortune, Guardian,

Updated 15 May: 20% of NHS organizations hit by WannaCry, spread halted, hackers hunted

Updated 15 May: According to the Independent, 1 of 5 or 20 percent of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not referring to numbers, but here is their updated bulletin and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by his/her handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware as designed into the program, with the help of Proofpoint’s Darien Huss.

It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program. The Guardian tagged as MalwareTech a “22-year-old from southwest England who works for Kryptos logic, an LA-based threat intelligence company.”

Political fallout: The Home Secretary Amber Rudd is being scored for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: “Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!” Pass the Panadol!

Previously: NHS Digital on its website reported (12 May) that 16 NHS organizations have been hacked and attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News

According to cybersecurity site Krebs on Security, (more…)

The malware siege of Northern Lincolnshire and Goole NHS: a preview of more? (UK)

By now our UK readers are well aware of the shutdown due to malware starting Sunday 30 Oct, only resolved today, of the Northern Lincolnshire and Goole NHS Trust hospitals: Diana, Princess of Wales; Goole and District; Scunthorpe General.

click to enlarge (NHS website via Krebsonsecurity.com, click to enlarge)

click to enlarge (NHS website, click to enlarge)

It is estimated that it affected approximately 1,000 patients over the three shutdown days. Most patients were diverted to neighboring hospitals, according to The Guardian.

The Health Services Journal (paywalled) broke as an exclusive the NHS‘ high priority warning to providers around the country. Yet it seemed equivocal. According to The Sun, while NHS Digital marked the message as ‘severity: high’ and warned that “… we would like to remind all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”, it was tempered with “We have no evidence that this is anything other than a local isolated incident but we will continue to keep health and care organisations informed.” Also according to The Sun, the Department of Health has noted that this has not been the first incident.

As our Readers know, US and Canadian hospitals and healthcare organizations have been subject of late to malware and its latest iteration, ransomware, with a large outbreak this summer. (more…)

The cybersecurity black hole–and bad flashback–that is the Internet of Things

click to enlargeOne week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?)

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default log in credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet- connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare….best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare 

Friday’s cyberattack is a shot-over-bow for healthcare (updated)

click to enlargeFriday’s multiple distributed denial-of-service (DDoS) attacks on Dyn, the domain name system provider for hundreds of major websites, also hit close to home. Both Athenahealth and Allscripts went down briefly during the attack period. Athenahealth reported that only their patient-facing website was affected, not their EHRs, according to Modern Healthcare. However, a security expert from CynergisTek, CEO Mac McMillan, said that Athenahealth EHRs were affected, albeit only a few–all small hospitals.

A researcher/spokesman from Dyn had hours before the attack presented a talk on DDoS attacks at a meeting of the North American Network Operators Group (NANOG)

The culprit is a bit of malware called Mirai that targets IoT–Internet of Things–devices. It also took down the (Brian)KrebsOnSecurity.com blog which had been working with Dyn on information around DDoS attacks and some of those promoting ‘cures’. According to Krebs, the malware first looks through millions of poorly secured internet-connected devices (those innocent looking DVRs, smart home devices and even security devices that look out on your front door) and servers, then pounces via using botnets to convert a huge number of them to send tsunamis of traffic to the target to crash it. According to the Krebs website, it’s also entwined with extortion–read, ransomware demands. (Click ‘read more’ for additional analysis on the attack)

Here we have another warning for healthcare, if ransomware wasn’t enough. According to MH, “even for those hospitals with so-called “legacy” EHRs that run on the hospital’s own computers, an average of about 30 percent of their information technology infrastructure is hosted (more…)

Why do hackers love bitcoin? Blockchain. And why are healthcare, IoT liking blockchain?

Hackers love bitcoin for their ransomware payment because it’s virtual money, impossible to trace and encrypted to the n-th degree. Technically, bitcoin is not a transfer of payment–it IS money of the unregulated sort. The ransomee has to pay into a bitcoin exchange and then deliver the payment to the hacker. However, what sounds straightforward is actually fraught with risks, such as the bitcoin exchanges themselves as targets of hacking and the fluctuations of bitcoin value meaning that a ransom may not actually be paid in full. ID Experts‘ article gives the basics of bitcoin, what to expect and when paying a ransom is the prudent thing to do.

click to enlargeTurn what is behind bitcoin around though, and it becomes intriguing to HIT and IoT. Blockchain is “a distributed, secure transaction ledger that uses open-source technology to maintain data. Records are shared and distributed over many computers of entities that do not know each other; records can be time-stamped and signed using a private key to prevent tampering.” Each record block has an identifying hash that links each block into a virtual chain. (Wikipedia has a more complete description.) For bitcoin, it ensures security, anonymity and transferability without a central bank. For healthcare, distributed data and security is the exact opposite of the highly centralized, locked down approach of standard HIT to enable interoperability and security (left above). The Federal ONC-HIT (Office of the National Coordinator for Health Information Technology) under HHS is soliciting up to 15 proposals for “Blockchain and Its Emerging Role in Healthcare and Health-related Research.” through July 29. Cash prizes range from $1,500 to $5,000. The final eight will present at the awards presentation September 26-27. Potential uses are:

  • Medical banking between dis-intermediated parties
  • Distributed EHRs
  • Inventory management
  • Forming a research “commons” and a remunerative model for data sharing
  • Identity verification for insurance purposes
  • An open “bazaar” for services that accommodates transparency in pricing

Health Data Management, Information Management, Federal Register announcement

IoT and the inevitable, looming Big Data Breach

click to enlargeThe Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 million Wi-Fi-connected tea kettles, smart fridge, remotely adjusted pacemakers (and other medical devices) plus home security two way video systems that accost the dodgy door ringer sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT which were patched out 10 years ago on PCs that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. Their prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that will shut down millions of Connected Cars’ CPUs or disable the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.

Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security? (more…)

A weekend potpourri of health tech news: mergers, cyber-ransom, Obama as VC?

As we approach what we in these less-than-United States think of as the quarter-mile of the summer (our Independence Day holiday), and while vacations and picnics are top of mind, there’s a lot of news from all over which this Editor will touch on, gently (well, maybe not so gently). Grab that hot dog and soda, and read on….

Split decision probable for US insurer mergers. The Aetna-Humana and Anthem-Cigna mergers will reduce the Big 5 to the Big 3, leading to much controversy on both the Federal and state levels. While state department of insurance opposition cannot scupper the deals, smaller states such as Missouri and the recent split decision from California on Aetna-Humana (the insurance commissioner said no, the managed care department said OK) plus the no on the smaller Anthem-Cigna merger are influential. There’s an already reluctant Department of Justice anti-trust division and a US Senate antitrust subcommittee heavily influenced by a liberal think tank’s (Center for American Progress) report back in March. Divestment may not solve all their problems. Doctors don’t like it. Anthem-Cigna have also had public disagreements concerning their merged future management and governance, but the betting line indicates they will be the sacrificial lamb anyway. Healthcare Dive today,  Healthcare Dive, CT Mirror, WSJ (may be paywalled) Editor’s prediction: an even tougher reimbursement road for most of RPM and other health tech as four companies will be in Musical Chairs-ville for years.

‘thedarkoverlord’ allegedly holding 9.3 million insurance records for cyber-ransom. 750 bitcoins, or about $485,000 is the reputed price in the DeepDotWeb report. Allegedly the names, DOBs and SSNs were lifted from a major insurance company in plain text. This appears to be in addition to 655,000 patient records from healthcare organizations in Georgia and the Midwest for sale for 151 – 607 bitcoins or $100,000 – $395,000. The hacker promises ‘we’re just getting started’ and recommends that these organizations ‘take the offer’. Leave the gun, take the cannoli.  HealthcareITNews  It makes the 4,300 record breach at Massachusetts General via the typical unauthorized access at a third party, once something noteworthy, look like small potatoes in comparison. HealthcareITNews  Further reading on hardening systems by focusing on removing admin rights, whitelisting and endpoint security. HealthcareDataManagement

Should VistA stay or go? It looks like this granddaddy of all EHRs used by the US Veterans Health Administration will be sunsetted around 2018, but even their undersecretary for health and their CIO seem to be ambivalent in last week’s Congressional hearings. According to POLITICO’s Morning eHealth newsletter, “The agency will be sticking with its homegrown software through 2018, at which point the VA will start creating a cloud-based platform that may include VistA elements at its core, an agency spokesman explained.” Supposedly even VA insiders are puzzled as to what that means, and some key Senators are losing patience. VistA covers 365 data centers, 130 separate VistA systems, and 834 custom installations, and is also the core of many foreign government systems and the private Medsphere OpenVista. 6/23 and 6/24

click to enlargeDr Eric Topol grooves on ‘The Fourth Industrial Revolution’ of robotics and AI. (more…)

A Hollywood ending? Medical center’s $17,000 ransom to recover systems from hack attack

click to enlarge‘Hollywood’ Hulk Hogan is getting a workout! (UPDATED)

Hollywood Presbyterian Medical Center paid $17,000 (40 bitcoins) last night to hackers to regain control of its IT systems after last week’s ‘ransomware’ attack forced them offline. According to CEO Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” HealthcareITNews has the details and the full CEO letter/press release, including that no patient or employee information appears to have been compromised.

Obviously there will be more to follow including the usual opining, but in this resolution and spin, a bad precedent has been set in this Editor’s view. Labeling it a ‘low-tech’ attack shines a Klieg light (this is Hollywood after all) on the vulnerability of this hospital’s system. They now have the decryption key to the malware, but what other bad code and general mischief is buried in their systems to crop up later?  Another question: was the inflated bitcoin number floated to make the paid ransom seem ‘affordable’? Is this a Hollywood ending where all is happy, or is this an episode in the continuing soap opera of ‘Hospital as Cash Machine’?

Our original article follows: (more…)

The security risks, and the promise of, the Internet of Things

Jason Hope, who back in September wrote on how one of the greatest impediments to the much-touted Internet of Things (IoT) was not security, but the lack of a standardized protocol that would enable devices to communicate, has continued to write on both this topic and IoT security. While The Gimlet Eye had great fun lampooning the very notion of Thingys Talking and Doing Things Against Their Will [TTA 22 Sept 15], and this Editor has warned of security risks in over-connectivity of home devices (see below), relentlessly we are moving towards it. The benefit in both healthcare monitoring/TECS and safely living at home for older adults is obvious, but these devices must work together easily, safely and securely. To bend the English language a bit, the goal is ‘commonplaceness’–no one thinks much about the ubiquitous ATM, yet two decades ago ‘cash machines’ were not in many banks and (in the US) divided into regional networks.

As Mr Hope put it as the fifth and final prediction in his recent article:

The IoT Will Stop Being a “Thing”
How many times in the past week have you said, “I am getting on to the World Wide Web?” Chances are, not very many. How many times have you thought about the wonder of switching on a switch and having light instantly? Probably never. Soon, the Internet of Things, and connectivity in general, is going to be so common place, we also won’t think about it. It will just be part of life and the benefits and technology that wow us right now will cease to be memorable.

This Editor continues to be concerned about how hackers can get into devices, (more…)

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR). 

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)