Orangeworm malware running wild in hospitals for three years: multiple reports

Orangeworm hacker group finds easy pickings in hospitals and healthcare. Reports have multiplied in recent weeks of the Orangeworm hacker (or hackers) threatening healthcare organizations, frequently hospitals. Major info security groups have issued warnings: Symantec, Cynerio, BlackBerry, and Rubicon Labs. Symantec’s report states that 39 percent of the victims come from healthcare, with the remainder coming from manufacturing (15 percent), IT (15 percent), and logistics (8 percent), most with ties to the healthcare sector, and suspected vectors for a supply-chain attack.

‘Easy pickings’ include invading the old computer systems and controls prevalent worldwide in healthcare organizations: devices designed to control X-ray machines, MRIs, and even systems that help patients fill out consent forms. Orangeworm accesses IT systems using the Kwampirs trojan, taking advantage of the fact that most hospital IT systems are old, and as we know from the Petya and WannaCry attacks a year ago, their old, unprotected, and unpatched systems are uniquely vulnerable.

The semi-shocking fact is that this has been spreading quietly in healthcare organizations for over three years. The attackers used, according to both Symantec and Bleeping Computer, malware that infected systems by copying itself across network shares, a propagation method that is considered antiquated and “noisy”. Orangeworm also didn’t change its command and control (C&C) communication protocol over the three years, seemingly unconcerned about discovery.
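The share-copying propagation described above is “noisy” precisely because it leaves a pattern a defender can look for: one host writing an executable into the administrative shares of many peers within minutes. The following detection heuristic is an added example, not code from Symantec, Bleeping Computer, or any product named on the page; the log format and host names are constructed for illustration.

```python
"""Flag worm-style propagation over SMB admin shares (added example).

A single source host writing executables into ADMIN$ / C$ shares of
several peers in a short window is the "noisy" share-copying behaviour
described in the report. The log lines below use a simplified,
hypothetical normalised format, not real Windows or Symantec output.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: WS-17 fans out svc.exe to four hosts in 11 seconds,
# WS-04 writes a spreadsheet to an ordinary share, WS-09 makes one admin write.
SAMPLE_LOG = """\
2018-04-23T09:00:01 src=WS-17 dst=WS-02 share=ADMIN$ path=\\svc.exe op=write
2018-04-23T09:00:05 src=WS-17 dst=WS-03 share=ADMIN$ path=\\svc.exe op=write
2018-04-23T09:00:09 src=WS-17 dst=WS-05 share=C$ path=\\Windows\\svc.exe op=write
2018-04-23T09:00:12 src=WS-17 dst=WS-08 share=ADMIN$ path=\\svc.exe op=write
2018-04-23T09:00:20 src=WS-04 dst=FS-01 share=Finance path=\\report.xlsx op=write
2018-04-23T10:30:00 src=WS-09 dst=WS-02 share=ADMIN$ path=\\update.exe op=write
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) share=(?P<share>\S+) "
    r"path=(?P<path>\S+) op=(?P<op>\S+)")
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}          # hidden administrative shares
EXEC_SUFFIXES = (".exe", ".dll", ".sys")        # payload types worth flagging


def parse(log_text):
    """Yield one dict per well-formed log line, with a parsed timestamp."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def find_share_propagation(log_text, min_hosts=3, window=timedelta(minutes=5)):
    """Return [(src, [dst, ...])] for each source host that wrote an executable
    into an admin share on at least `min_hosts` distinct hosts within `window`."""
    writes = defaultdict(list)
    for e in parse(log_text):
        if (e["op"] == "write" and e["share"].upper() in ADMIN_SHARES
                and e["path"].lower().endswith(EXEC_SUFFIXES)):
            writes[e["src"]].append((e["ts"], e["dst"]))
    alerts = []
    for src, hits in writes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide the window forward
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                alerts.append((src, sorted(targets)))
                break                                # one alert per source
    return alerts


if __name__ == "__main__":
    for src, targets in find_share_propagation(SAMPLE_LOG):
        print(f"ALERT: {src} pushed executables to admin shares on {targets}")
```

Thresholds are deliberately loose; on a real network, tune `min_hosts` and `window` against legitimate software-deployment servers, which produce the same fan-out pattern and belong on an allowlist.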

The attacks appear targeted and coordinated. Speculation is that Orangeworm is a hacker or a small group of hackers targeting the rich information in healthcare records to sell on black markets. 17 percent of the attacks have been in the US, with UK, Germany, the Philippines, and Hungary at 5 percent each.

Symantec’s advice is extensive and detailed here, but can be summed up as: quit using Windows XP based systems, patch and update software and systems, use anti-virus, and protect file sharing. Also covered by Digital Health, Information Security Buzz News, and Security Intelligence.

Soapbox: JPM’s Dimon takes the 50,000 foot view on the JP Morgan Chase-Berkshire Hathaway-Amazon health joint venture

Mr. Jamie Dimon, the chairman and CEO of JP Morgan Chase, had a few thoughts about the JPM-Berkshire Hathaway-Amazon healthcare JV for all three companies. You’ll have to fill up the tea or coffee mug (make it a small pot) for it’s an exceedingly prolix Annual Shareholder Letter you’ll have to sled through to find those comments. Your Editor has taken her punishment to find them, towards the end of the letter in ‘Public Policy’. 

They demonstrate what this Editor suspected–a headache-inducing mix of generalities and overreach, versus starting modestly and over-delivering.

  • Point #1 sets up what has gone wrong. Among several, “Our nation’s healthcare costs are twice the amount per person compared with most developed nations.” Under point 2 on how poor public policy happened, an admission that Obamacare fixed little:

Here’s another example: We all know that the U.S. healthcare system needs to be reformed. Many have advocated getting on the path to universal healthcare for all Americans. The creation of Obamacare, while a step in the right moral direction, was not well done. America has 290 million people who have insurance — 180 million through private enterprise and 110 million through Medicare and Medicaid. Obamacare slightly expanded both and created exchanges that insure 10 million people. But it did very little to fix our broken healthcare system and has, in fact, torn up the body politic over 10 years — and this tumult may go on for another 10 years.

  • Point #7 is about fixing the deficit and the ill effects if we don’t. In Mr. Dimon’s view, healthcare is a major part of this through the uncontrolled growth of entitlements, with Medicare, Medicaid and Social Security leading the pack–skipping over the fact that nearly all Americans pay into Medicare and SSI well in advance of any entitlement collection. Healthcare is also an offender through unnecessary costs such as administrative and fraud (25-40 percent), and six mainly chronic conditions accounting for 75 percent of spending.
  • The experts–specifically, their experts–will fix it! “While we don’t know the exact fix to this problem, we do know the process that will help us fix it. We need to form a bipartisan group of experts whose direct charge is to fix our healthcare system. I am convinced that this can be done, and if done properly, it will actually improve the outcomes and satisfaction of all American citizens.”
  • The generalities continue with
    • The JV “will help improve the satisfaction of our healthcare services for our employees (that could be in terms of costs and outcomes) and possibly help inform public policy for the country.” 
    • Aligning incentives systemwide ‘because we’re getting what we incentivize’
    • “Studying the extraordinary amount of money spent on waste, administration and fraud costs.”
    • “Empowering employees to make better choices and have the best options available by owning their own healthcare data with access to excellent telemedicine options, where more consumer-driven health initiatives can help.”
    • “Developing better wellness programs, particularly around obesity and smoking — they account for approximately 25% of chronic diseases (e.g., cancer, stroke, heart disease and depression).”
    • “Determining why costly and specialized medicine and pharmaceuticals are frequently over- and under-utilized.”
    • “Examining the extraordinary amount of money spent on end-of-life care, often unwanted.”
    • “To attack these issues, we will be using top management, big data, virtual technology, better customer engagement and the improved creation of customer choice (high deductibles have barely worked).”

This Editor has observed from the vantage of the health tech, analytics, payer, and care model businesses that nearly every company has addressed or is addressing all these concerns. So what’s new here? Perhaps the scale, but will they tap into the knowledge base those businesses represent or reinvent the wheel? 

A bad sign is Mr. Dimon’s inclusion of ‘end of life care’. This last point is a prime example of overreach–how many of the JV’s employees are in this situation? The ‘attack’ tactics? We’ve seen, heard, and many of us have been part of similar efforts.

Prediction: This JV may be stuck at the 50,000 foot view. It will take a long time, if ever, to descend and produce the concrete, broadly applicable results that it eagerly promises to its million-plus employees, much less the polity. 

Weekend Big Read: will telemedicine do to retail healthcare what Amazon did to retail?

Updated. Our past contributor and TelehealthWorks’ Bruce Judson (ATA 2017 coverage) has penned this weekend’s Big Read in the HuffPost. His hypothesis is that telemedicine specifically will disrupt location-based care, followed by other digitally based care–and that executives at health systems and payers are in denial. More and more states are recognizing both parity of treatment and (usually) payment. Telemedicine also appeals to three major needs: care at home or on the go, with a minimal wait; maldistribution of care, especially specialized care; and follow-up/post-acute care. His main points in the article:

  • Healthcare executives are being taken by surprise because present digital capabilities will not be future capabilities, and the shift to virtual will be a gradual process
  • Telemedicine will address doctor shortages and grow into coordinated care platforms embedding expertise (via connected diagnostics, analytics, machine learning, AI) and care teams
  • Telemedicine will eventually go up-market and directly compete with large providers in urban areas, displacing a significant amount of in-person care with virtual care
  • Telemedicine will start to incorporate continuous feedback loops to further optimize their services and move into virtual health coaching and chronic care management
  • Telemedicine platforms are also sub-specializing into stroke response, pediatrics, and neurology
  • Centers of expertise and expert platforms will become larger and fewer–centralizing into repositories of ‘the best’
  • Platforms will be successful if they are trusted through positive patient experiences. This is a consumer satisfaction model.

Mr. Judson draws an analogy of healthcare with internet services, an area where he has decades of expertise: “A general phenomenon associated with Internet services is that they break activities into their component parts, and then reconnect them in a digital chain.” Healthcare will undergo a similar deconstruction and reconstruction with a “new set of competitive dynamics.”

It’s certainly a provocative POV that at least gives a rationale for the sheer messiness and stop-n-start that this Editor has observed in Big Health since the early 2000s. A caution: the internet, communications, and retail do not endure the sheer volume of regulatory force imposed on healthcare, which tends to make the retail analogy inexact. Governments monitor and regulate health outcomes, not search results or video downloads (except when it comes to net neutrality). It’s hard to find an industry so regulated other than financial/banking and utilities. FierceHealthcare also found the premise intriguing, noting the VA’s ‘Anywhere’ programs [TTA 9 Aug] and citing two studies indicating 96 percent of large employers plan to make telemedicine, also with behavioral health services, available, and that 20 percent of employers are seeing over 8 percent employee utilization. (Under 10 percent utilization gave RAND the vapors earlier this year with both this Editor and Mr. Judson stinging RAND’s findings with separate analyses.)

Ericsson report: will 5G close the healthcare gap from hospitals into the home?

Ericsson, one of Europe’s leading telecom companies, earlier this month published its latest ConsumerLab report, “From Healthcare to Homecare” on the next generation of healthcare enabled by the greater speed and security of 5G–the fifth generation of wireless mobile. Their key findings among consumers and industry decision makers contained surprises:

  • Growing frustration with hospital wait times. 39 percent prefer an online consult with a doctor versus waiting for the face-to-face.
  • Wearables are perceived as better ways to monitor and even administer medication for chronic conditions–nearly two in three consumers want them. But medical grade wearables will be required.
    • Yet the current state doesn’t lend itself to these wishes. “55 percent of healthcare decision makers from regulatory bodies say these devices are not sufficiently accurate or reliable for diagnosis. In addition, for liability reasons it will be very difficult to rely on patients’ smartphones for connectivity… medical-grade wearables will be required. Such devices could also automatically dispense medicine and offer convenience to those recovering from surgery.”
  • +/- 60 percent of surveyed consumers believe that wearables will improve lifestyles, provide personalized care, and put people in control of their own health.
  • There are real security concerns that 5G is expected to address: “61 percent of consumers say remote robotic surgery is risky as it relies on the internet… 47 percent of telecom decision makers say that secure access to an online central repository [of medical records] is a key challenge and expect 5G to address this.” Surprisingly, only 46 percent of cross-industry decision makers consider data security to be an issue. Battery power in wearables is also a significant concern for over half, a problem that over 40 percent expect 5G to help with.
  • Even more surprising is the lack of desire for consumer access to their medical records–only 35 percent of consumers believe that it will help them easily manage the quality and efficiency of their care. In contrast, 45 percent of cross-industry experts consider the central repository as a breakthrough in healthcare provisioning.

Decentralizing care into the home is seen as worthwhile by a majority of industry decision makers 


Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, which he likens to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary, unintentionally corrupting systems and devices down the line.

Eye feels the pain of Google’s Brin and Page

Oh, the discomfort that Sergey and Larry must be feeling being grilled interviewed by “billionaire venture capitalist Vinod Khosla” (grudgingly respected in TTA 30 May) at one of his eponymous Summits. Here they are with Google Glass in all sorts of adaptations from Parkinson’s to gait improvement to surgery [see multiple TTA articles here], a ‘moonshot on aging and longevity’ dubbed Calico [TTA 19 Sept 13] and even a contact lens to measure blood glucose in tears [TTA 17 Jan]. All good stuff with Big Change potential. Instead they whinge on about how the health field is so regulated, and all the cool stuff you could do with the data but for that privacy thingy (those darn EU and UK regulations and, in the US, HIPAA). Page to Khosla: “I do worry that we regulate ourselves out of some really great possibilities that are certainly on the data-mining end.” Brin to Khosla: “Generally, health is just so heavily regulated. It’s just a painful business to be in. It’s just not necessarily how I want to spend my time.” Gee. Whiz. What is apparent here is a lack of personal respect for us ‘little folks’’ privacy and our everyday, humdrum lives.

Advice straight from The Gimlet Eye: My dear boys, you’ll just have to get people’s data with that old-fashioned thing, permission. (And you’d be surprised that many would be happy to give it to you.) Or if it’s all too painful, Sergey can play with his superyacht and latest girlfriend and follow his estranged wife Anne Wojcicki’s 23andMe’s ongoing dealings with the FDA. At least she’s in the arena. Google leaders think health is ‘a painful business to be in’ (SFGate). Mobihealthnews covers their true confessions, with an interesting veer off in the final third of the article to Mr Khosla’s view of Ginger.io’s surprising pilot with Kaiser and then to WellDoc’s BlueStar diabetes therapy app–the only one that is 510(k) Class II and registered as a pharmaceutical product [TTA 10 Jan]. Also interesting re the Googlers’ mindset is a SFGate blog piece on Larry Page’s attitudes towards leisure and work in a Keynes-redux ‘vision of the future’. < work + > people may = > leisure, but certainly <<< $£€¥ for even the well-educated and managerial!

Healthcare Apps 2014 – a few impressions

This event was held on April 28th-30th in Victoria in London. It was organised by Pharma IQ and clearly had a strong pharma focus (including the charge which at £1995 for industry attendees clearly discriminated in favour of those with big-pharma sized budgets). It was also held just a few days after the significantly lower-priced Royal Society of Medicine event, and in the middle of a London Tube strike, all of which doubtless contributed to the relatively modest attendance (26 paid). I am most grateful to the organisers for kindly inviting me as one of speaker Alex Wyke’s guests.

As mentioned in an earlier post, there was a similarity with the RSM agenda, so I won’t repeat comments made by the same speaker before. The first up was the 3G Doctor, David Doherty, who gave another of his excellent presentations, although the sound engineer sadly made some of it inaudible. After a review of how we had got to where we are, he suggested that the Internet is about to become a device-dominated network. He drew a parallel between (more…)

‘Angel (Investment) in America’ perking up

Two articles in the Washington Post and Business News Daily cite fresh interest in ‘angel’ investing in the US in the healthcare, mobile and internet sectors. Conducted by pre-money valuation tool Worthworm (yet to debut), a survey of 100 angel investors indicates that next year, 50 percent of angel investors plan to increase the number of their investments and 24 percent plan to increase the dollar amount of investment in 2014. 40 percent of respondents expect increased healthcare investing and over 30 percent favor mobile and Internet companies.

Alpha version of Open Health Data Platform produces impressive data analysis graphics (UK)

The alpha version of the CDEC Open Health Data Platform offers a tantalising glimpse into what big data can do to improve healthcare. This site uses data from sources like the Health and Social Care Information Centre (HSCIC) and shows how it can be turned into visualisations and analysis to answer specific health-related questions.

The initial release, which focuses on a small number of datasets including data about GP prescriptions and diabetes prevalence to show the extent of diabetes treatment in the UK, is a request for comment from the UK innovator community. Specifically sought are views on functionality to include and the future data sets to incorporate.

The outline business case for developing the tool suggests potentially many profitable opportunities particularly for micro-enterprises and SMEs.

An extremely exciting venture, much to be encouraged.