Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), with over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting to HHS is improving with reporting to HHS, the media or state attorneys general on average of 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August Hat tip to Guy Dewsbury via LinkedIn
Higi (also higi), which has placed health monitoring kiosks in over 11,000 US retail locations and a 5.5 million signup base, and data cruncher Interpreta announced that they are partnering to blend Higi’s vital signs data with Interpreta’s claims, clinical and genomics data analytics. Based on Mobihealthnews’ article and the joint release, an individual’s health information taken at higi retail stations will be “prioritized within Interpreta in real time”. They also claim that for the first time, insurance payers and providers will be able to leverage biometrics data, clinical, claims and additional genomic information a person may obtain from genetic testing services into a ‘personalized care roadmap’ that closes gaps in care. This is positioned as a big advance in population health and it all sounds great.
Perhaps not so great are the details. What about consent and data security? Aside from absolutely no mention of patient consent and HIPAA compliance in the above news, this Editor suspects that past, current and future Higi users may not be made aware that their vital signs data recorded with Higi will be 1) sent into a non-Higi database and 2) integrated with other information that appears in Interpreta’s database. How is this being done? Is consent obtained? What then happens? Is it used on an identified or de-identified basis? Where is it going? Who is doing what with it? Can it be sold, as 23andme’s genomic information is (with consent, but still…)? “Interpreta works in the realm of precision medicine, continuously interpreting and synchronizing clinical and genomics data in real time to create a personalized roadmap to enable the orchestration of timely care.” but they do this for providers and health plans who are then responsible for privacy and data integrity. Consent for Higi to keep a record of your blood pressure when you drop into your local RiteAid or ShopRite is not consent for Interpreta to use or manipulate it. These questions should have been addressed in the release or an accompanying fact sheet. We welcome a response from either Higi or Interpreta.
And one last and exceedingly ‘gimlety’ observation by this Editor: kiosks get hacked, and here we have not a price to a McDonald’s meal but a portal to deep PHI. Here’s a two-part article in an industry publication, Kiosk Marketplace, if you are skeptical. Part 1, Part 2
Breaking–The ‘more and worse’ experts predicted after WannaCry is here. In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to affect organizations in 64 countries with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected in a near-total shutdown of their computer systems, and resorting to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports to this hour that the NHS, major US, Asia-Pacific, or European health systems being affected. Update: Trading in FedEx shares were halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: The Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business
Like WannaCry, the ransomware exploited the EternalBlue backdoor; a report from ArsTechnica UK adds an exploit touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses a hacking tool called MimiKatz to extract passwords and then uses legitimate Microsoft utilities and components to spread it. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)
The Microsoft patch–and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install–while defending against WannaCry, still isn’t preventing the spread. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article confirming that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data by forever blocking it on your hard drive.
Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:
Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?
One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.
Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.
** The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.
What you can do right now is to ensure every computer, every system, you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups. Remind employees to not click on links in suspicious messages or odd links even from known senders–and report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, like WannaCry. (A suggestion from this Editor–limit web search to reputable sites, and don’t click on those advert links which are buggy anyway!) Be judicious on updates for your software except by Microsoft and your security provider; there is growing but still being debated evidence that the initial Ukrainian spread was through a hacked update on a popular tax accounting software, MeDoc. More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid.
And no matter what you do–don’t pay the ransom! The email provider within hours blocked the email so that the payment cannot go through. Updates to come. More reading from Bleeping Computer, Healthcare IT News, CNBC, HIStalk, US-CERT, Fortune, Guardian,
Updated 15 May: According to the Independent, 1 of 5 or 20 percent of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not referring to numbers, but here is their updated bulletin and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by his/her handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware as designed into the program, with the help of Proofpoint’s Darien Huss.
It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program. The Guardian tagged as MalwareTech a “22-year-old from southwest England who works for Kryptos logic, an LA-based threat intelligence company.”
Political fallout: The Home Secretary Amber Rudd is being scored for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: “Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!” Pass the Panadol!
Previously: NHS Digital on its website reported (12 May) that 16 NHS organizations have been hacked and attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News
By now our UK readers are well aware of the shutdown due to malware starting Sunday 30 Oct, only resolved today, of the Northern Lincolnshire and Goole NHS Trust hospitals: Diana, Princess of Wales; Goole and District; Scunthorpe General.(NHS website via Krebsonsecurity.com, click to enlarge) (NHS website, click to enlarge)
It is estimated that it affected approximately 1,000 patients over the three shutdown days. Most patients were diverted to neighboring hospitals, according to The Guardian.
The Health Services Journal (paywalled) broke as an exclusive the NHS‘ high priority warning to providers around the country. Yet it seemed equivocal. According to The Sun, while NHS Digital marked the message as ‘severity: high’ and warned that “… we would like to remind all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”, it was tempered with “We have no evidence that this is anything other than a local isolated incident but we will continue to keep health and care organisations informed.” Also according to The Sun, the Department of Health has noted that this has not been the first incident.
As our Readers know, US and Canadian hospitals and healthcare organizations have been subject of late to malware and its latest iteration, ransomware, with a large outbreak this summer. (more…)
IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:
“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.
“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.
Many of these devices, according to these experts, have default log in credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.
Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:
Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”
Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets
Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.
Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet- connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare….best heed Varonis and secure it!
Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare
A researcher/spokesman from Dyn had hours before the attack presented a talk on DDoS attacks at a meeting of the North American Network Operators Group (NANOG)
The culprit is a bit of malware called Mirai that targets IoT–Internet of Things–devices. It also took down the (Brian)KrebsOnSecurity.com blog which had been working with Dyn on information around DDoS attacks and some of those promoting ‘cures’. According to Krebs, the malware first looks through millions of poorly secured internet-connected devices (those innocent looking DVRs, smart home devices and even security devices that look out on your front door) and servers, then pounces via using botnets to convert a huge number of them to send tsunamis of traffic to the target to crash it. According to the Krebs website, it’s also entwined with extortion–read, ransomware demands. (Click ‘read more’ for additional analysis on the attack)
Here we have another warning for healthcare, if ransomware wasn’t enough. According to MH, “even for those hospitals with so-called “legacy” EHRs that run on the hospital’s own computers, an average of about 30 percent of their information technology infrastructure is hosted (more…)
Hackers love bitcoin for their ransomware payment because it’s virtual money, impossible to trace and encrypted to the n-th degree. Technically, bitcoin is not a transfer of payment–it IS money of the unregulated sort. The ransomee has to pay into a bitcoin exchange and then deliver the payment to the hacker. However, what sounds straightforward is actually fraught with risks, such as the bitcoin exchanges themselves as targets of hacking and the fluctuations of bitcoin value meaning that a ransom may not actually be paid in full. ID Experts‘ article gives the basics of bitcoin, what to expect and when paying a ransom is the prudent thing to do.Turn what is behind bitcoin around though, and it becomes intriguing to HIT and IoT. Blockchain is “a distributed, secure transaction ledger that uses open-source technology to maintain data. Records are shared and distributed over many computers of entities that do not know each other; records can be time-stamped and signed using a private key to prevent tampering.” Each record block has an identifying hash that links each block into a virtual chain. (Wikipedia has a more complete description.) For bitcoin, it ensures security, anonymity and transferability without a central bank. For healthcare, distributed data and security is the exact opposite of the highly centralized, locked down approach of standard HIT to enable interoperability and security (left above). The Federal ONC-HIT (Office of the National Coordinator for Health Information Technology) under HHS is soliciting up to 15 proposals for “Blockchain and Its Emerging Role in Healthcare and Health-related Research.” through July 29. Cash prizes range from $1,500 to $5,000. The final eight will present at the awards presentation September 26-27. Potential uses are:
- Medical banking between dis-intermediated parties
- Distributed EHRs
- Inventory management
- Forming a research “commons” and a remunerative model for data sharing
- Identity verification for insurance purposes
- An open “bazaar” for services that accommodates transparency in pricing
The Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 million Wi-Fi-connected tea kettles, smart fridge, remotely adjusted pacemakers (and other medical devices) plus home security two way video systems that accost the dodgy door ringer sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT which were patched out 10 years ago on PCs that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. Their prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that will shut down millions of Connected Cars’ CPUs or disable the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.
Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security? (more…)
As we approach what we in these less-than-United States think of as the quarter-mile of the summer (our Independence Day holiday), and while vacations and picnics are top of mind, there’s a lot of news from all over which this Editor will touch on, gently (well, maybe not so gently). Grab that hot dog and soda, and read on….
Split decision probable for US insurer mergers. The Aetna-Humana and Anthem-Cigna mergers will reduce the Big 5 to the Big 3, leading to much controversy on both the Federal and state levels. While state department of insurance opposition cannot scupper the deals, smaller states such as Missouri and the recent split decision from California on Aetna-Humana (the insurance commissioner said no, the managed care department said OK) plus the no on the smaller Anthem-Cigna merger are influential. There’s an already reluctant Department of Justice anti-trust division and a US Senate antitrust subcommittee heavily influenced by a liberal think tank’s (Center for American Progress) report back in March. Divestment may not solve all their problems. Doctors don’t like it. Anthem-Cigna have also had public disagreements concerning their merged future management and governance, but the betting line indicates they will be the sacrificial lamb anyway. Healthcare Dive today, Healthcare Dive, CT Mirror, WSJ (may be paywalled) Editor’s prediction: an even tougher reimbursement road for most of RPM and other health tech as four companies will be in Musical Chairs-ville for years.
‘thedarkoverlord’ allegedly holding 9.3 million insurance records for cyber-ransom. 750 bitcoins, or about $485,000 is the reputed price in the DeepDotWeb report. Allegedly the names, DOBs and SSNs were lifted from a major insurance company in plain text. This appears to be in addition to 655,000 patient records from healthcare organizations in Georgia and the Midwest for sale for 151 – 607 bitcoins or $100,000 – $395,000. The hacker promises ‘we’re just getting started’ and recommends that these organizations ‘take the offer’. Leave the gun, take the cannoli. HealthcareITNews It makes the 4,300 record breach at Massachusetts General via the typical unauthorized access at a third party, once something noteworthy, look like small potatoes in comparison. HealthcareITNews Further reading on hardening systems by focusing on removing admin rights, whitelisting and endpoint security. HealthcareDataManagement
Should VistA stay or go? It looks like this granddaddy of all EHRs used by the US Veterans Health Administration will be sunsetted around 2018, but even their undersecretary for health and their CIO seem to be ambivalent in last week’s Congressional hearings. According to POLITICO’s Morning eHealth newsletter, “The agency will be sticking with its homegrown software through 2018, at which point the VA will start creating a cloud-based platform that may include VistA elements at its core, an agency spokesman explained.” Supposedly even VA insiders are puzzled as to what that means, and some key Senators are losing patience. VistA covers 365 data centers, 130 separate VistA systems, and 834 custom installations, and is also the core of many foreign government systems and the private Medsphere OpenVista. 6/23 and 6/24
Dr Eric Topol grooves on ‘The Fourth Industrial Revolution’ of robotics and AI. (more…)
Hollywood Presbyterian Medical Center paid $17,000 (40 bitcoins) last night to hackers to regain control of its IT systems after last week’s ‘ransomware’ attack forced them offline. According to CEO Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” HealthcareITNews has the details and the full CEO letter/press release, including that no patient or employee information appears to have been compromised.
Obviously there will be more to follow including the usual opining, but in this resolution and spin, a bad precedent has been set in this Editor’s view. Labeling it a ‘low-tech’ attack shines a Klieg light (this is Hollywood after all) on the vulnerability of this hospital’s system. They now have the decryption key to the malware, but what other bad code and general mischief is buried in their systems to crop up later? Another question: was the inflated bitcoin number floated to make the paid ransom seem ‘affordable’? Is this a Hollywood ending where all is happy, or is this an episode in the continuing soap opera of ‘Hospital as Cash Machine’?
Our original article follows: (more…)
Jason Hope, who back in September wrote on how one of the greatest impediments to the much-touted Internet of Things (IoT) was not security, but the lack of a standardized protocol that would enable devices to communicate, has continued to write on both this topic and IoT security. While The Gimlet Eye had great fun lampooning the very notion of Thingys Talking and Doing Things Against Their Will [TTA 22 Sept 15], and this Editor has warned of security risks in over-connectivity of home devices (see below), relentlessly we are moving towards it. The benefit in both healthcare monitoring/TECS and safely living at home for older adults is obvious, but these devices must work together easily, safely and securely. To bend the English language a bit, the goal is ‘commonplaceness’–no one thinks much about the ubiquitous ATM, yet two decades ago ‘cash machines’ were not in many banks and (in the US) divided into regional networks.
As Mr Hope put it as the fifth and final prediction in his recent article:
The IoT Will Stop Being a “Thing”
How many times in the past week have you said, “I am getting on to the World Wide Web?” Chances are, not very many. How many times have you thought about the wonder of switching on a switch and having light instantly? Probably never. Soon, the Internet of Things, and connectivity in general, is going to be so common place, we also won’t think about it. It will just be part of life and the benefits and technology that wow us right now will cease to be memorable.
This Editor continues to be concerned about how hackers can get into devices, (more…)
Reporting from the HIMSS Connected Health Conference (CHC)
Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR).
It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”
Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.
When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)
Genomic data sets have become more accessible to researchers through a network of servers, dubbed beacons, called The Beacon Project, organized by the National Institutes of Health (NIH)-funded Global Alliance for Genomics and Health. Genomics researchers are interested in looking for a particular genetic variant in a multitude of genomic databases. Using these beacons, when a researcher finds a gene of interest, they then can apply for more complete access to the data. They can find mutations and find other researchers working on the same one.
However, the risk is that some of this data is not sufficiently de-identified, and in the process of ‘pinging’ these beacons for genetic data, someone can create an unauthorized genomic profile of that person. For instance, a ‘nefarious user’ can find the match for an individual’s genome in a heart disease beacon, then can infer that the individual — or a relative of that person — likely has heart disease. (more…)
Knock yersself out! The Gimlet Eye files via Bottle from A Dot On The Map off the New York coast. One of the stranger follow ups of the past week–one that is difficult to read with straight face–is the report in the Financial Times that the Chinese hacked into insurer Anthem’s 80-million strong beneficiary database in order to study up on the American healthcare system and benefit their aging population. Neil Versel with raised eyebrow in MedCityNews quoting the FT story: “The Chinese hackers had trained their sights on the U.S. health sector to help the country understand how other nations deal with medical care, people familiar with the Anthem investigation said.” You’d think it would be easier for the Chinese to go to a few conferences, meet a few executives and learn a few things first. Then maybe they could do a ‘deal deal’ with an insurer on their IP, or bring them into China on a JV. With so many services for sale from the thundering horde of data analytics companies and multiple middleware providers, write a check already. But that would destroy the Fun of Hacking!
How the FT could actually print without a hint of skepticism this ‘nothing to see here, move on’ story rolls the Eye. (more…)
Excellus joins fellow BCBS members Anthem [TTA 11 Feb], soon to be merging with Cigna, with 80 million; Premera Blue Cross [TTA 24 Mar] with 11 million, Care First with a ‘bag o’ shells’ 1.1. million [TTA 2 June]. The pattern has been such that the national Blue Cross Blue Shield Association (BCBSA) announced in July that it will offer all 106 million of its members identity protection starting next January. (Note for our mathematicians: Anthem has millions of non-BCBS members) Chinese hackers are suspected in the Anthem breach.
FierceHealthPayer broke the story, in this Editor’s estimation, to the healthcare trade area. Rochester Democrat & Chronicle. Excellus message to policyholders. The NBC/AP report also has a video interview with Eugene Kaspersky of the eponymous anti-virus software (and whose Kaspersky Lab was also a hacking victim earlier this year)
Updated via the Rochester Democrat & Chronicle: FireEye is becoming the ‘go-to’ security company for health organization breaches–Excellus hired them in the wake of the Anthem breach and they discovered the vulnerability facilitating the breach.