Ransom! (ware) strikes more hospitals and Apple (update)–Healthcare.gov’s plus trouble

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Get out the Ransom! California hospitals appear to be Top of the Pops for ransomware attacks, which lock down and encrypt information after someone opens a malicious link in email, making it inaccessible. After the well-publicized attack on Hollywood Presbyterian in February, this week two hospitals in the Inland Empire, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both owned by Prime Healthcare Management, received demands. While hacked, neither hospital paid the ransom and no patient data was compromised according to hospital spokesmen. Additional hospitals earlier this month: Methodist Hospital in Henderson, Kentucky and Ottawa Hospital in Ontario, Canada. In Ottawa, four computers were hacked but isolated and wiped. It is not known if ‘Locky’, the moniker for a new ransomware, was the Canadian culprit. FBI on the case in the US. HealthcareITNews, National Post

Update: Locky is the suspected culprit in the Prime, Hollywood Presbyterian and Kentucky ransomware attacks. On Monday, Maryland-based MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore. Separately, Cisco Talos Research is claiming that a number of the attacks are exploiting a vulnerability in a network server called JBoss using a ransomware dubbed SamSam. Perhaps both are creating mischief? Ars Technica, Cisco Talos blog, BBC News, ThreatPost

More and worse attacks north of the 49th Parallel. Norfolk General Hospital in Simcoe, Ontario had a ransomware attack this week that spread to computers of staff, patients and families via the external website through the outdated content management system. According to MalwareBytes, “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”  So if you are running old Joomla! or even old WordPress, update now! Neil Versel in MedCityNews

If you’re thinking Mac Prevents Attacks, the first ransomware targeting Apple OS X hit earlier this month. Mac users who  downloaded version 2.90 of Transmission, a data transfer program using BitTorrent, were infected. KeRanger appears after three days to demand one bitcoin (about $400) to a specific address to retrieve their files. HealthcareITNews

Finally, there is the Hackermania gift that keeps on giving: Healthcare.gov. (more…)

The pileup of Federal ‘titanic serial IT disasters’ (US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/06/keep-calm-and-secure-your-data-4.png” thumb_width=”150″ /]Don’t feel bad, HIT execs–the Feds are even worse. Complementary to our coverage of the increased danger of hacked health IT systems and data breaches (the trail of tears is here and here) is the oddly muted press clamor around the 4 June hacking report of the Federal Office of Personnel Management (OPM). Chinese hackers roamed around two OPM databases–personnel and security clearances–for nearly a year, according to CNN’s Senate briefing coverage. The breach likely exceeded 18 million records, though the real number may never be known. Privacy Rights Clearinghouse summarizes it and provides an interesting link to a timeline by Brian Krebs, whose independent reporting beat is IT security. Megan McArdle, a reformed IT consultant writing for Bloomberg News and independently, points at the Federal lack of urgency around having adequate IT that doesn’t fail. Example–the much chronicled failure around Healthcare.gov and the so-called health exchanges, which appear to be functioning better, but reports say they are nearly porous and hackable as they were in 2013. She notes that it’s all about ‘scorched-earth determination’ and that the direction has to come from the top, meaning the President. And ‘voters have never held Obama responsible for his administration’s appalling IT record’. A thought that should give those in telehealth and telemedicine who are working with CMS value-based program ACOs a great deal of pause. NY Post editorial via Press Reader.

Hackermania running wild, 2015 edition

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”300″ /]

Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the AnthemHealth breach, while their counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.

Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer. (more…)

Data breaches and ‘hackermania’ running wild

Data breaches remain in the news–and the debate around how best to secure data rages.

Everything old is new again. UK website Computing reported that East Midlands Ambulance Service NHS Trust lost a data cartridge containing 42,000 records from its divisional headquarters in Nottingham. It was a small but deadly cartridge containing scanned handwritten copies of Patient Report Forms from September to November 2012. However, it can only be read on a now-obsolete cartridge reader, one of which is on the Trust’s premises. An interesting project for a ‘cracker’? Perhaps someone thought it was an old paperweight? Is this the virtue of old tech?

Wakey, wakey Hermann! Memorial Hermann Health System in Houston, Texas had an unauthorized employee nosing around patient records for seven years up to July, affecting at last count 10,604 patients. Compromised were health insurance information, Social Security (SSI) numbers, names, addresses and dates of birth (DOB). Obviously they weren’t firewalled and easy to access. No motive cited. According to HealthITSecurity, this person has been suspended, not fired. Also iHealthBeat.

Nothing to see here…move on. Breaking News. Healthcare.gov was breached in July by a hacker uploading malicious software to a server used to test code. No evidence that personal information was compromised. HHS maintains this was the first successful intrusion. We’ll see. MarketWatch (excerpt of WSJ paywalled story)

Is any system hackerproof? Reader Joanne Chiocchi cited this Editor’s first article on the massive CHS breach (from the reprint in HITECH Answers–thank you, Roberta Mullin) and posed this question on LinkedIn’s Ellen’s Ethical Lens group. 48 comments later, (more…)

How insecure can health data get? Very.

Gigaom is one of our go-to sites for enthusiastic whiz-bang health gadget coverage (and more), but here’s the downside of all those devices: all that data. And it’s not only not secure, but also getting more insecure. Grégoire Ribordy of Swiss encryption company ID Quantique makes some key (and scary) points on the data breaches looming–and he doesn’t mention that block of Swiss cheese Healthcare.gov once:

  1. One-stop storage for your total health records and data, an idée fixe among government and single-payer theoreticians, just makes it one-stop-shopping for hackers.
  2. Richer health data means more to steal and exploit.  There’s also the illegal use of genetic information for employment discrimination–hard to enforce regulations, easy to misuse personal data.
  3. Biological crime isn’t just a future plot of ‘Law & Order.’ Criminals can target patients with specific conditions–or healthcare workers can make money on the side by supplying accident victim data to personal injury attorneys, as recently happened in NY. For prominent people, their sensitive health information can be leaked to the press for profit. (more…)

US health data breaches hit record; Healthcare.gov backdoored?

Security firm Redspin reports a total of 7.1 million affected records in 2013, up from 3 million in 2012. The five largest breaches accounted for 85 percent of the total: Advocate Health, Horizon BCBSNJ, AHMC Healthcare, Texas Health Harris Methodist Hospital Fort Worth and Indiana Family & Social Services Administration. Hardware theft of unencrypted devices accounted for the first three; Texas Health was perhaps the most unique because it disposed of over 277,000 microfiche patient records in a city park, making it the winner of last May’s ‘It’s Just Mulch’ award in ‘The exploding black market in healthcare data’.  Not included in the Redspin report (free download here) was a mid-December breach of 405,000 records at Bryan, Texas-based St. Joseph Health System which would have put it fourth on the list. This took place in a two-day data security attack on their servers traced to China and reported to the FBI. While Redspin attributes only six percent of breaches to hacking, this is an amount sure to increase as more information is digitized. Health Data Management, iHealthBeat, FierceHealthIT  Security breaches, natural disasters and outages are events that cost US hospitals over $1.6 billion annually, and 82 percent of health IT executives surveyed by MeriTalk said that their technology infrastructure is “not fully prepared for a disaster recovery incident.” The $1.6 billion seems low in light of the Ponemon Institute’s 2012 health data breach estimate of $7 billion annually–and the $12 billion in victim costs [TTA 14 Sept 13]. FierceHealthIT

.…and wait till Healthcare.gov-related security breaches start. This Editor stopped beating the dead and quartered horse of Healthcare.gov last year, finding that what was suspected and detailed from the start was simply borne out by subsequent revelations. Another example: the recent revelation that US intelligence agencies are highly concerned that code in the website was produced by programmers in Belarus, a former Soviet republic closely allied to that hotbed of hacking, Russia. That means that ‘backdoors’ are right in the code, waiting to be opened. This affects more than the website–but through the hub, states, HHS, IRS and DHS. How did our Washington types find out about it? When a top Belarusian official bragged on state radio about it! Ace intelligence writer Bill Gertz in the Washington Times broke the story. (Want more on the website’s security problems? See here for more on the Gertz story plus the David Kennedy/TrustedSec testimony and more. But bring your preferred headache remedy!)

2014: the year of reckoning for the ‘better mousetraps’

Or, the Incredible Immutability of the Gartner Hype Cycle

From Editor Donna, her take on the ‘mega-trend’ of 2014

This Editor expected that her ‘trends for next year’ article would be filled with Sensors, Wearables, Glasses, Smartwatches, 3D Printing, Tablets and Other Whiz-Bang Gizmos, with splashes of color from Continuing Crises like Healthcare.gov in the US, the NHS’ 3million lives plus ‘whither UK telecare’, various Corporate ‘Oops-ses’, IP/Patent Trolls and Assaults on Privacy. While these will continue to spread like storm debris on the beach, providing continuing fodder for your Editors (and The Gimlet Eye) to pick through, speculate and opine on, what in my view rises above–or is under it all–for 2014?

We are whipping past the 2012-13 Peak of Inflated Expectations in health tech…

…diving into the Trough of Disillusionment in 2014. Crystallizing this certainty (more…)

Fast takes for Friday

Changes at Center for Connected Health, DecaWave’s chip, Happy Hackers  Healthcare.gov

Center for Connected Health executives to head Portuguese ‘body dynamics’ company in US. Associate Director Joseph Ternullo, who over the years was one of the key organizers of the Connected Health Symposium, is leaving Partners HealthCare/CCH after 17 years to lead the US subsidiary of Kinematix (formerly Tomorrow Options) located in Boston. This was announced by email to CCH contacts today. Kinematix in October raised $2.6 million in Series B funding from Portugal Ventures. Heading the US board is another Partners HealthCare alumnus, Jay Pieper, formerly CEO of Partners International Medical Services. Kinematix’s two products focus on sensor-based monitoring for foot health assessment and to prevent pressure sores and falls.  Release. Boston Business Journal….ScenSor senses you to 10 centimeters. A 6 x 6 mm chip (more…)

The train, plane and car wreck that is Healthcare.gov and Obamacare

If the ACA and Healthcare.gov were Boeing or Airbus aircraft–they would have been grounded on 3 October.

Wherever you reside in the over 150 countries TTA is read in, if you need more convincing that the US Government is unable to be successful (and Editor Donna is being restrained and charitable) at 99 percent of everything contained in this misbegotten Act, all one needs to do is read our previous coverage and this latest update in the Daily Mail along with their links to their own previous coverage. Are you sure it’s going to be fixed within weeks, Mr. President? This is Obamacare website riddled with garbled messages today

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/11/article-2491576-1943076800000578-829_634x378.jpg” thumb_width=”600″ /]

Except in the minds of White House and HHS planners, the obvious solution would be to STOP: halt the enrollment process, suspend the ACA implementation, restore the right to current coverage for the millions who have been blocked from renewing their current individual coverage and take the entire website down. Rethink all the elements including the coverage structure and the website, send it back to Congress for relegislating and implement a program that works sometime in 2015 IF a way can be found. But no, Americans get piecemeal fixes on a website and system that increase the vulnerability of personal information to hackers and identity theft–and coverage they cannot afford. (And this is only in the individual and small group market. Wait till it applies to large employers–other than unions which have been exempted.) (more…)

700+ cybersquatters on Healthcare.gov, state exchanges

The Washington Examiner estimates that there are 700 or more ‘cyber-squatters’–the dodgy websites that have URLs close to a well-known name–on the Obamacare Healthcare.gov and the 14 state (plus District of Columbia) sites. Identity theft moves to a new and obvious level when it’s no hacking required. All thieves need to is to put up a legitimate-appearing website with the appropriate language and forms that ask for your name, address, income, date of birth and Social Security number, which is apparently what Obama-care.us does. “[Obama-care.us] is so well deceptively designed that I had to research the owner to verify that it wasn’t a government site,” said a retired cybersecurity industry expert.” According to the article, 3,000 people have visited it. What is normal for major sites is to ‘buy around’ the name in multiple domains, alternate search terms and even misspellings and using them to redirect. This is another standard business practice that somehow they neglected to check off the list at HHS. Example: a long-established and legitimate site, Healthcare.com, is so close in name that it alone is capable of siphoning off 30 percent of normal traffic–and they never were approached to sell. Which considering that the real website doesn’t work….  Obamacare launch spawns 700+ cyber-squatters capitalizing on Healthcare.gov, state exchanges  And more on the Lucky Men ‘laughing all the way to the bank’ behind Healthcare.com from VentureBeatPreviously in TTA: The sea of security ‘red flags’ that is Healthcare.gov

The sea of security ‘red flags’ that is Healthcare.gov

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/10/120306.png” thumb_width=”170″ /]It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Confirmed by experts to the more-than-mainstream Christian Science Monitor are the layers of insecurity completely feasible on the current Healthcare.gov website–and the 14 state (plus DC) websites feeding into the Federal health insurance exchange and up into the mysterious hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards but these are no guarantee–and the state sites are not required to. ‘Red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery
  • ‘Clickjacking’–an invisible layer over the legitimate website
  • Cookie theft, and not by the Cookie Monster
  • Problematic verification from state to Federal, from legitimate third-party assistance, from brokers and so on
  • Log in fraud–the happy hunting ground of hackers and DDOS attacks

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding, in the less-than-a-month window till the crash time deadline in mid-November and then early January. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.

Non-functional Obamacare exchange websites? $500 million estimated to date. 2014? Priceless. (US)

Updated/Revised for breaking news and analysis, 12-14 October (US). Much new information noted in dark blue. (Grab your tea or coffee…this is a long one as this story rolls on.)

The mainstream reports continue to build that both the Federal HealthCare.gov site, which provides health exchange enrollment for 36 states, and many of the state-run health insurance exchanges (14 plus District of Columbia) are a nightmare of programming glitches and simply don’t work. It is not the demand–which has been high but not unanticipatedly so with an initial 8 million hits–but more disturbingly, the programming appears to be is unsound.  “Computer experts” quoted by CBS This Morning are making statements like “It wasn’t designed well, it wasn’t implemented well, and it looks like nobody tested it,” going on to say ” It’s not even ready for beta testing for my book. I would be ashamed and embarrassed if my organization delivered something like that.” A more technical dissection of the site’s multiple system architecture problems is provided by Reuters here, with the best quote “The site basically DDOS’d itself,” he said. (DDOS–distributed denial of service, a hacking technique but here, the website overwhelmed itself!) 

Counting the cost

A rough calculation of the cost has been made on a tech website, Digital Trends. Andrew Couts (who is pro-Obamacare) ran some public numbers on the IT cost of setting up the Federal part of the exchanges and add in associated 2012-13 costs, and arrives at $500 millionnot including the $2 billion to build out and operate the exchanges in 2014 (General Accounting Office). Larger numbers north of $600 million have been bandied about, but this Editor will go for now with Mr. Couts’ perhaps low estimate which has been supported by more mainstream reporting. (more…)

Data insecurity in Obamacare insurance exchanges (US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”175″ /]The warning that should appear as the main page of 50 state health exchanges.

Subsumed under the ‘government shutdown’ (affecting in reality a distinct minority of Federal government employees) is the significant concern that the state-based online exchanges now selling individual insurance, effective 1 Jan 2014, much trumpeted under the Affordable Care Act and baked into it two years ago, already present significant vulnerabilities in securing the vital data of millions: Social Security number, date of birth, addresses, tax and earnings information. These state-based exchanges are also dependent on information from a Federal data ‘Hub’ which “acts as a conduit for exchanges to access the data from where they are originally stored.” (HHS Office of Inspector General report August 2013, page 2) If improperly secured, this opens up other Federal agencies to further upstream identity theft mayhem.

Already information is in the hands of thousands of call center staff and so-called ‘navigators’ who may or may not have gone through security verifications. Insurance customer information has already leaked outside of exchanges (see below). (more…)