TTA’s Summer Windup Redux: Don’t buy that digital kit before you test your analogue (UK); Doro acquires Invicta, PillPack hits data wall, Humana and CTA, events, more!

 

 

Editor Donna feels like the hamster on the wheel–though able to capture a few more days of summer–but Editor Charles jumps on the Analogue versus Digital Soapbox.

Telecare – time to sweat the analogue assets, not dump them (Editor Charles asks that you do your homework before you cart in that shiny new digital kit and throw the old out the window)

Summer may be winding down but activity is winding up. Doro acquires Invicta, Amazon’s PillPack hits a data wall, Humana first payer to join CTA. Judge Leon finally blesses CVS-Aetna’s merger after 9 months. And events, including Digital Mental Health at the RSM 23 Sept.

News and event roundup: Amazon PillPack, Humana joins CTA, NH’s telemedicine go, Fitbit Lives Healthy in Singapore, supporting Helsinki’s older adults, events
Shock news: the CVS-Aetna merger officially approved after 9 months (Judge Leon’s Final Judgment delivered. But what about future healthcare mergers?)
Doro AB acquires Invicta Telecare from Clarion Housing, increasing to nearly 200,000 users (UK) (Consolidation continues)
Digital Mental Health for Adults – a one day conference at the RSM on 23 September 2019 in London (Sponsored by the RSM)

Being contrarian, we consider that AI and machine learning may be doing real damage both in its workings and in the quality of all that medical data being fed into it. Regrettably, telemedicine in nursing homes looks like a permanent failure. And CMS takes the lead in the PFS with three new telehealth codes on opioid treatment.

A realistic look at why telemedicine isn’t succeeding in nursing homes (It should, but it’s the economics of the business)
Are AI’s unknown workings–fed by humans–creating intellectual debt we can’t pay off? (Building dangerous error upon error with bad data, destroying theoretical thinking–and that’s for starters)
CMS’ three new proposed telehealth codes, changes on inclusions, in 2020 Medicare Physician Fee Schedule (US) (CMS takes initiative in opioid treatment)

Summer is really flying by, but the daystopper of the week is the doubling of breached patient records this year. LIVI adds a lot of patients in the UK, Allscripts settles with DOJ on compliance, and GSK IMPACT opens for UK charitable organization applications.

The Breach Barometer hits a new high for healthcare–and the year isn’t over (The geometric increase in breaches and exposed records)
LIVI telemedicine app expands availability to 1.85 million patients with GPs in Birmingham, Shropshire, Northamptonshire, Southeast (The crowded UK telemedicine field)
Allscripts reaches deal with DOJ on Practice Fusion in compliance settlement for $145 million (Bargains are never bargains)
2020 GSK IMPACT/The King’s Fund Awards now open for applications (UK) (Apply soon!)

Summer is flying by, but rural health connectivity advances at the FCC. Smartphones now set up to detect viruses. Another smartphone enabled ultrasound player–but this time in 3D. A study connects health tech to retaining LTC workers. Connected Health Summit coming up, and Vivify Health acquires a new VP.

Comings and goings, short takes, and in other news…: Vivify’s new SVP Sales, Parks’ Connected Health Summit, $35M for 3D portable ultrasound, Oxford Medical Sim new pilot (Events, products, and more)
Technology will help ease, but not replace, rising workforce demand in long-term care: UCSF study (It’s almost all about the workers and retaining them in the face of technology)
Can a smartphone camera, app, and device detect viruses at low cost? (A University of Tokyo team says yes)
FCC reforming Rural Health Care Program to improve telehealth funding in addition to Connected Care Pilot (US) (About time, but still underfunded)


Have a job to fill? Seeking a position? Free listings available to match our Readers with the right opportunities. Email Editor Donna.


Read Telehealth and Telecare Aware: http://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. See our advert information here. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

TTA’s Midsummer Week 6: AI and machine learning’s hidden risks and debt, the permanent fail of nursing home telehealth, and CMS’ PFS adds telehealth codes for opioids

 

It’s hard to believe, but ‘traditional summer’ is starting to wind down. Being contrarian, we consider that AI and machine learning may be doing real damage both in its workings and in the quality of all that medical data being fed into it. Regrettably, telemedicine in nursing homes looks like a permanent failure. And CMS takes the lead in the PFS with three new telehealth codes on opioid treatment.

TTA will be on holiday starting next week. There will no Alerts published on Thursday 29 August or 5 September.

A realistic look at why telemedicine isn’t succeeding in nursing homes (It should, but it’s the economics of the business)
Are AI’s unknown workings–fed by humans–creating intellectual debt we can’t pay off? (Not only that, but building dangerous error upon error with bad data and destroying theoretical thinking)
CMS’ three new proposed telehealth codes, changes on inclusions, in 2020 Medicare Physician Fee Schedule (US) (CMS takes initiative in opioid treatment)

Summer is really flying by, but the daystopper of the week is the doubling of breached patient records this year. LIVI adds a lot of patients in the UK, Allscripts settles with DOJ on compliance, and GSK IMPACT opens for UK charitable organization applications.

The Breach Barometer hits a new high for healthcare–and the year isn’t over (The geometric increase in breaches and exposed records)
LIVI telemedicine app expands availability to 1.85 million patients with GPs in Birmingham, Shropshire, Northamptonshire, Southeast (The crowded UK telemedicine field)
Allscripts reaches deal with DOJ on Practice Fusion in compliance settlement for $145 million (Bargains are never bargains)
2020 GSK IMPACT/The King’s Fund Awards now open for applications (UK) (Apply soon!)

Summer is flying by, but rural health connectivity advances at the FCC. Smartphones now set up to detect viruses. Another smartphone enabled ultrasound player–but this time in 3D. A study connects health tech to retaining LTC workers. Connected Health Summit coming up, and Vivify Health acquires a new VP.

Comings and goings, short takes, and in other news…: Vivify’s new SVP Sales, Parks’ Connected Health Summit, $35M for 3D portable ultrasound, Oxford Medical Sim new pilot (Events, products, and more)
Technology will help ease, but not replace, rising workforce demand in long-term care: UCSF study (It’s almost all about the workers and retaining them in the face of technology)
Can a smartphone camera, app, and device detect viruses at low cost? (A University of Tokyo team says yes)
FCC reforming Rural Health Care Program to improve telehealth funding in addition to Connected Care Pilot (US) (About time, but still underfunded)

A news-filled week with events, executive moves at Verily, Teladoc, and ATA, a challenging take on oral health, a dim view on AI, mall ‘medtail’, CVS’ SDH initiative, and Call9’s fan dance.

Comings and goings, short takes and upcoming events: MedStartr Wed night, Mad*Pow acquired, Teladoc’s new COO, JAMA ponders telepharmacy, NHS London anxiety apps partner (updated)
Oral health: more than a public health challenge, an opportunity for telehealth? (Two Lancet articles make the case)
News roundup: docs dim on AI without purpose, ‘medtail’ a mall trend, CVS goes SDH, Kvedar to ATA, Biden ‘moonshot’ shorts out, and Short Takes
Call9: we’ll be back — with a different model! (Not forthcoming to Crain’s on what it looks like, though)

Rock Health assesses the first half 2019 funding picture and is reassured at the pressure that investors have to exit–but we see other and somewhat cautionary things. And the hearings on the CVS-Aetna merger slump towards an exhausting close in Judge Leon’s court.

Health tech bubble watch: Rock Health’s mid-2019 funding assessment amid Big IPOs (Why the funding picture is far more interesting than Rock Health thinks)
The CVS-Aetna merger hearing draws to a dreary, weary close (But when?)

A just-published UK survey of the care tech landscape has implications in the worldwide trend of community-based wellness and disease prevention. CVS-Aetna goes another round in Judge Leon’s court, this time with five states; he should Ask Alexa as NHS patients in the UK shortly will. And did you attend DHACA’s most recent meeting on the 17th?

Care Technology Landscape Review: Socitm Advisory for Essex County Council (UK) (A UK study which has international resonance)
‘Ask Alexa’ if you’re sick, says the NHS (But what if Alexa no comprende?)
Another round this Wednesday in the CVS-Aetna merger hearings (We’ll see what happens next in the longest post-merger hearing in healthcare history)
Come and listen to Julian Hitchcock talking regulation next Wednesday 17th July! (It’s past, but keep in touch with DHACA)


Have a job to fill? Seeking a position? Free listings available to match our Readers with the right opportunities. Email Editor Donna.


Read Telehealth and Telecare Aware: http://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. See our advert information here. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health, under one of its subsidiaries, BioReference Laboratories, Inc., and Clinical Pathology Laboratories [TTA 5 June] This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

 Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to look is at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they barely are able to talk to their like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California cites the lack of interoperability and being able to access their personal health data as a major barrier to both patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic was up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both side of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months – between 1 August 2018, and 30 March 2019–and involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spearfishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive — and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were year-over-year flat (290), but the number of records affected in 2018 nearly tripled from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft is down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

Yet another NHS cyber-vulnerability: fax machines

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2018/08/attackflow1.png” thumb_width=”250″ /]Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but their protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one. 

The ‘how to’ is in the article. New ‘all in one’ printers which are connected to phone lines and wirelessly to networks can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax as illustrated above left. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer but others would be vulnerable as well. Online electronic fax numbers may also have problems.

NHS’ census, released via a FOIA request, indicates it uses 9,000 fax machines. NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health. 

OpenEMR’s security flaws threaten millions of patient records; McAfee successfully alters vital signs reporting into monitoring systems

The OpenEMR system, which is an open-source patient record system used in UK hospitals and others worldwide, has dozens of security flaws in its software, according to Project Insecurity, a London-based “tight-knit computer research organization which focuses primarily on educating the masses on the topics of information security” according to their corporate description on LinkedIn. According to their report, Project Insecurity found vulnerabilities including: “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.”  OpenEMR has stated that they have now supplied patches to fix the vulnerabilities listed in the report. However, these multiple flaws put potentially millions of patient records at risk for some time.

OpenEMR’s decentralized model has some drawbacks when it comes to security. According to OpenEMR, they do not know how many organizations are affected as the open-source software has voluntary registration. Patches and security fixes are announced to the registration list, the OpenEMR’s online forum and social accounts, the open-emr.org community, and OpenEMR vendors. While no data has been publicly exposed, the Project Insecurity report revealed this system’s risk to the healthcare organizations which use it. Also DigitalHealth and Project Insecurity on Twitter.

McAfee has confirmed another vulnerability–that vital signs reporting into a central monitoring station can be altered in real time. They tested a circa 2004 bedside monitor/central monitoring system reportedly still in use. The system monitored heartbeat, oxygen level, and blood pressure, used both wired and wireless networking over TCP/IP, and appeared to store patient information. The central monitoring station ran Windows XP Embedded, which presented one set of flaws, but far more accessible to a breach was the communication from the devices to the central monitoring system. In short, “the attacker simply has to send replacement data to the central station while appearing as the patient monitor.” The article proves vital signs can be altered by the time they reach the central monitoring station to create a bad diagnosis, unnecessary testing, and unneeded medication. The McAfee article lays out How to Mess With Vital Signs, Believably.

More and more into the (data) breach: 3X more patient records in Q2, UnityPoint’s breach balloons to 1.3M

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]And we thought Healthcare Hackermania was following the Hulkster into retirement. After a quiet Q1, data breaches and hack attacks blew up both in Q2 and now in this quarter.

Data compliance analytics firm Protenus’ Breach Barometer (with DataBreaches.net) has been tracking healthcare data breaches for years. It was quiet last quarter with 1.13 million patient records affected in 110 separate health data breaches. But last quarter was a true triple threat with patient records up three times to 3.14 million, 142 separate breaches–which means more per breach on average. What is also distressing is that 29.71 percent are repeat offenses among employees, up from 21 percent in the previous quarter.

  • 36.6 percent of breaches were due to external hacking, nearly double that of Q1.
  • 30.99 percent were due to insiders, either through deliberate wrongdoing (theft) or insider error. Insider wrongdoing was led by family members snooping on other family members’ records. Not Russians, Chinese, NoKos, or Bulgarians bashing about. 
  • In contrast to Q1, where the biggest data breach was a network hack of an Oklahoma-based health network (reportedly the Oklahoma State University Center for Health Sciences), compromising nearly 280,000 records, Q2’s Big Breach was a physical burglary of the California Department of Developmental Services in Sacramento affecting over 581,000 records. After the usual ransacking and theft, the burglars started a fire before they left and the sprinklers did the rest.

It routinely takes nearly forever from when a breach occurs to when it is discovered: in Q1 244 days, in Q2 204 days. In Q2 the longest discovery time was over five years –2013 to 2018. This indicates that insiders may be good at covering their tracks, and/or IT staff don’t get around to detecting and policing breaches.

Protenus and DataBreaches.net compile incidents disclosed to HHS and reported in the media, and are now adding their own proprietary, non-public data on the status of health data breaches nationwide, including a review of tens of trillions of individual
accesses to EHRs which Protenus audits as part of their healthcare systems services. More detail in Protenus Q2 and Q1 full reports, HealthITSecurity (Q1)

Certain to lead their Q3 report is the 1.4 million patient record breach at UnityPoint Health, an Iowa-based health system. In May, a small phishing breach compromised 16,000 records. This cyberattack also started with email phishing and spread through employee networks. “The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.” Were the hackers after patient data? According to UnityPoint, “The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization.” Healthcare Analytics News

You may not want a cyberattack, but cyberattacks and hacking want you….

Healthcare cybersecurity breaches multiply like measles as far away as Singapore. Is it a matter of time before hacking kills someone?

Even if you are the Prime Minister of Singapore, you can be hacked. Prime Minister Lee Hsien Loong joined 1.5 million of his fellow Singaporeans in what they have termed an unprecedented data breach of SingHealth, considered to be a world model. There are the usual state actor suspects: Russians, Chinese–and North Koreans–starting less than two weeks (27 June) after hosting the meeting between President Donald Trump and Maximum Leader Kim Jong Un. (That is hardly a gracious thank you if it’s them (s/o).  POLITICO Morning eHealth reported on Monday 23 July. 

What’s happened since: Singapore banks have been instructed to tighten data procedures and use additional verification methods. The government believes 1) they are next and 2) that the healthcare breach data could be used to impersonate customer identities. SingHealth records include full name, national identification number, address, gender, race, and date of birth. (ZDNet)

The National (UAE) reported that the hack specifically targeted the PM. Their angle was that Singapore has ambitions to host a ‘smart city’ as does the UAE and testing Singapore means that the UAE may be next. Singapore is covering a different angle–the ‘inside job’ one. They moved to disconnect computers from the internet at public centers which may inconvenience patients and healthcare staff but which weakens data collection for this very busy centralized system. (Reuters) Watch the government press conference here.

Will the next WannaCry or NotPetya kill someone? That is the premise in this article in ZDNet and one we’ve discussed previously. It’s not a targeted attack on a particular life, but could be an infrastructure failure–for instance, an industrial control for electricity that destroys systems including those to dependent homes or hospitals. What this article doesn’t include are all those aging hackable connected devices in operating rooms, hospital rooms, and in-hospital Wi-Fi powering tablets and other connected devices. KRACK can be very wack indeed! [TTA 18 Oct 17]

WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk.  “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and it was found as quickly as it was by a British security specialist with the handle Malware Tech. 

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even head of IT audit and security services at West Midlands Ambulance Service NHS Trust and a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, initial passwords not changed in EHRs. Add to firewalls, prevention measures, emphasizing compliance and best practices, security cyber-resilience–more than a recovery plan, planning to keep operations running with warm backups ready to go, contingency plans, a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Orangeworm malware running wild in hospitals for three years: multiple reports

Orangeworm hacker group finds easy pickings in hospitals and healthcare. Reports have multiplied in recent weeks of the Orangeworm hacker (or hackers) threatening healthcare organizations, frequently hospitals. Major info security groups have issued warnings: Symantec, Cynerio, BlackBerry, and Rubicon Labs. Symantec’s report states that 39 percent of the victims come from healthcare, with the remainder coming from manufacturing (15 percent), IT (15 percent), and logistics (8 percent), most with ties to the healthcare sector, and suspected vectors for a supply-chain attack.

‘Easy pickings’ include invading the old computer systems and controls prevalent worldwide in healthcare organizations: devices designed to control X-ray machines, MRIs, and even systems that help patients fill out consent forms. Orangeworm accesses IT systems using the Kwampirs trojan, taking advantage of the fact that most hospital IT systems are old, and as we know from the Petya and WannaCry attacks a year ago, their old, unprotected, and unpatched systems are uniquely vulnerable.

The semi-shocking fact is that this has been spreading quietly in healthcare organizations for over three years. The attackers used, according to both Symantec and Bleeping Computer,  malware that infected systems by copying itself across network shares, methods that are considered antiquated and “noisy”. Orangeworm also didn’t change its command and control (C&C) communication protocol over the three years, seemingly unconcerned about discovery.

The attacks appear targeted and coordinated. Speculation is that Orangeworm is a hacker or a small group of hackers targeting the rich information in healthcare records to sell on black markets. 17 percent of the attacks have been in the US, with UK, Germany, the Philippines, and Hungary at 5 percent each.

Symantec’s advice is extensive and detailed here, but can be summed up as: quit using Windows XP based systems, patch and update software and systems, use anti-virus, protect file sharing. Also Digital Health, Information Security Buzz News, Security Intelligence.

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2018/01/VitalPatch_Header_Photo_Tablet.jpg” thumb_width=”150″ /]Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care setting. Blue Cedar is securing the app through their patented code-injected technology which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts‘ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), with over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting to HHS is improving with reporting to HHS, the media or state attorneys general on average of 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August   Hat tip to Guy Dewsbury via LinkedIn

Higi and Interpreta’s data mix partnership–questions on consent, data security

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/08/Interpreta-Higi.jpg” thumb_width=”150″ /]Higi (also higi), which has placed health monitoring kiosks in over 11,000 US retail locations and a 5.5 million signup base, and data cruncher Interpreta announced that they are partnering to blend Higi’s vital signs data with Interpreta’s claims, clinical and genomics data analytics. Based on Mobihealthnews’ article and the joint release, an individual’s health information taken at higi retail stations will be “prioritized within Interpreta in real time”. They also claim that for the first time, insurance payers and providers will be able to leverage biometrics data, clinical, claims and additional genomic information a person may obtain from genetic testing services into a ‘personalized care roadmap’ that closes gaps in care. This is positioned as a big advance in population health and it all sounds great.

Perhaps not so great are the details. What about consent and data security? Aside from absolutely no mention of patient consent and HIPAA compliance in the above news, this Editor suspects that past, current and future Higi users may not be made aware that their vital signs data recorded with Higi will be 1) sent into a non-Higi database and 2) integrated with other information that appears in Interpreta’s database. How is this being done? Is consent obtained? What then happens? Is it used on an identified or de-identified basis? Where is it going? Who is doing what with it? Can it be sold, as 23andme’s genomic information is (with consent, but still…)? “Interpreta works in the realm of precision medicine, continuously interpreting and synchronizing clinical and genomics data in real time to create a personalized roadmap to enable the orchestration of timely care.” but they do this for providers and health plans who are then responsible for privacy and data integrity. Consent for Higi to keep a record of your blood pressure when you drop into your local RiteAid or ShopRite is not consent for Interpreta to use or manipulate it. These questions should have been addressed in the release or an accompanying fact sheet. We welcome a response from either Higi or Interpreta.

And one last and exceedingly ‘gimlety’ observation by this Editor: kiosks get hacked, and here we have not a price to a McDonald’s meal but a portal to deep PHI. Here’s a two-part article in an industry publication, Kiosk Marketplace, if you are skeptical. Part 1, Part 2 

Petya no pet as it spreads: is it ransomware or a vicious design for data destruction? (updated)

Breaking–The ‘more and worse’ experts predicted after WannaCry is here.  In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to affect organizations in 64 countries with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected in a near-total shutdown of their computer systems, and resorting to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports to this hour that the NHS, major US, Asia-Pacific, or European health systems being affected. Update: Trading in FedEx shares were halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: The Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business

Like WannaCry, the ransomware exploited the EternalBlue backdoor; a report from ArsTechnica UK adds an exploit touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses a hacking tool called MimiKatz to extract passwords and then uses legitimate Microsoft utilities and components to spread it. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)

The Microsoft patch–and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install–while defending against WannaCry, still isn’t preventing the spread. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article confirming that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data by forever blocking it on your hard drive.

Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:

Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.

**  The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.

What you can do right now is to ensure every computer, every system, you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups. Remind employees to not click on links in suspicious messages or odd links even from known senders–and report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, like WannaCry. (A suggestion from this Editor–limit web search to reputable sites, and don’t click on those advert links which are buggy anyway!) Be judicious on updates for your software except by Microsoft and your security provider; there is growing but still being debated evidence that the initial Ukrainian spread was through a hacked update on a popular tax accounting software, MeDoc. More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid.

And no matter what you do–don’t pay the ransom! The email provider within hours blocked the email so that the payment cannot go through. Updates to come. More reading from Bleeping ComputerHealthcare IT News, CNBC, HIStalk, US-CERT, Fortune, Guardian,

Updated 15 May: 20% of NHS organizations hit by WannaCry, spread halted, hackers hunted

Updated 15 May: According to the Independent, 1 of 5 or 20 percent of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not referring to numbers, but here is their updated bulletin and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by his/her handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware as designed into the program, with the help of Proofpoint’s Darien Huss.

It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program. The Guardian tagged as MalwareTech a “22-year-old from southwest England who works for Kryptos logic, an LA-based threat intelligence company.”

Political fallout: The Home Secretary Amber Rudd is being scored for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: “Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!” Pass the Panadol!

Previously: NHS Digital on its website reported (12 May) that 16 NHS organizations have been hacked and attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News

According to cybersecurity site Krebs on Security, (more…)