Roundup: data breaches ’round the world

Following on our review of recent articles on why medical identity theft is so attractive, here’s our review of data breaches in the news, including a new (to this Editor) report from Europe.

  • It’s not Europe, blame the UK! That is one of the surprising findings of a meta-review of all types of data breaches released earlier this month by the Central European University’s Center for Media, Data and Society (CMDS). While not specific to healthcare, it is the first study this Editor has seen on EU data breaches and is useful for general trends. 229 verified incidents were analyzed by the CMDS across  28 EU member countries plus Switzerland and Norway, 2005-3rd Quarter 2014, and includes unusual healthcare breaches such as Danish HIV patients’ personal information included in a PowerPoint presentation later published online. Key findings:
    1. 57 percent of breaches were due to insider theft, mismanagement or error; 41 percent were hacker-instigated
    2. It’s common: “for every 100 people in the study countries, 43 personal records have been compromised”
    3. In terms of impact, the UK by far, then Greece, Norway, Germany and Netherlands were the top five countries for incidents and numbers of records breached (report page 9) (more…)

Data breaches and ‘hackermania’ running wild

Data breaches remain in the news–and the debate around how best to secure data rages.

Everything old is new again. UK website Computing reported that East Midlands Ambulance Service NHS Trust lost a data cartridge containing 42,000 records from its divisional headquarters in Nottingham. It was a small but deadly cartridge containing scanned handwritten copies of Patient Report Forms from September to November 2012. However, it can only be read on a now-obsolete cartridge reader, one of which is on the Trust’s premises. An interesting project for a ‘cracker’? Perhaps someone thought it was an old paperweight? Is this the virtue of old tech?

Wakey, wakey Hermann! Memorial Hermann Health System in Houston, Texas had an unauthorized employee nosing around patient records for seven years up to July, affecting at last count 10,604 patients. Compromised were health insurance information, Social Security (SSI) numbers, names, addresses and dates of birth (DOB). Obviously they weren’t firewalled and easy to access. No motive cited. According to HealthITSecurity, this person has been suspended, not fired. Also iHealthBeat.

Nothing to see here…move on. Breaking News. Healthcare.gov was breached in July by a hacker uploading malicious software to a server used to test code. No evidence that personal information was compromised. HHS maintains this was the first successful intrusion. We’ll see. MarketWatch (excerpt of WSJ paywalled story)

Is any system hackerproof? Reader Joanne Chiocchi cited this Editor’s first article on the massive CHS breach (from the reprint in HITECH Answers–thank you, Roberta Mullin) and posed this question on LinkedIn’s Ellen’s Ethical Lens group. 48 comments later, (more…)

‘Hackermania running wild,’ part 2

Apple flying around the iCloud for Apple HealthKit. Making headlines this week was a few overly personal celebrity photos (foolishly) stored on iCloud accounts going public online. According to Apple, the accounts were hacked probably by ‘brute force’ password attack and not through an iCloud flaw. TechRepublic  But more of concern to digital health developers eager to get all that health and fitness data integrated via the Apple HealthKit API is that Apple is saying ‘nein’ to anyone using the iCloud to store data. Why the concern? Mobihealthnews lays down Apple’s eight ground rules.

Is CyberRX 2.0 a prescription for HIT? HITRUST (Health Information Trust Alliance), with participation from (US) HHS, will be hosting an October cyber attack simulation exercise with over 750 healthcare organizations participating. Exercises are at three levels depending on organization size and will include targeting information systems, medical devices and other technology resources of government and healthcare organizations. Press release. Website.

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2014/09/ESD-America.png” thumb_width=”150″ /]And the weakest point may be ‘over the air’. ‘Interceptor’ fake cell towers can defeat smartphone encryption to ‘over the air’ eavesdrop on calls, read texts and possibly push spyware onto Android phones. According to the CEO of ESD America, they have detected at least 17 powerful towers, likely more, scattered around the US–many near military bases. (more…)

The drip of data breaches now a flood: 4.5 million records hacked–update

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2014/08/keep-calm-and-encrypt-your-data-5.png” thumb_width=”150″ /]Breaking News–updated at end  Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of a SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years during April and June using cyberattacks and sophisticated malware.  (more…)

Politico: massive hacking of health records imminent

Politico is a website (and if you’re in Foggy Bottom-ville, a magazine) much beloved by the ‘inside government’ crowd and the media ‘chattering classes’. With some aspirations to be like Private Eye but without the leavening sharp satire, the fact that they’ve turned their attention to–gasp!–the potential hackathon that is health records is amazing. They mention all the right sources: Ponemon, HIMSS, the American Medical Association, BitSight, AHIMA. In fact, the article itself may be a leading indicator that the governmental classes might actually do something about it. This Editor applauds Politico for jumping on our battered Conestoga wagon with the other Grizzled Pioneers. We’ve only been whinging on about data breaches and security since 2010 and their researchers could benefit from our back file.

And speaking of 2010, the Department of Health & Human Services (HHS) is doing its part to close the budget deficit by collecting data breach fines–$10 million in the past year. A goodly chunk will be coming from New York-Presbyterian Hospital/Columbia University Medical Center: $4.8 million for a 6,800 person breach (iHealthBeat) where sensitive records showed up online, readily available to search engines. And yes, we covered this back on 29 Sept 2010 when breaches were new and hushed up. Politico: Big cyber hack of health records is ‘only a matter of time’

Oddly, there is nary a mention of Healthcare.gov.

HHS draft report on health IT framework published

Another part of the 2012 FDA Safety and Innovation Act (FDASIA) clicked into place with the US Department of Health and Human Services (HHS) publishing a draft report proposing strategy and recommendations for what is rather grandly termed a “health IT framework”. Basically it defines more unified criteria, based on risk to the patient and function of what the device does, not the platform (mobile, software, etc.). It then separates products into three broad categories. Excerpted from the FDA release and the FDASIA Health IT Report:

  1.  Products with administrative health IT functions, which pose little or no risk to patient safety and as such require no additional oversight by FDA. Examples: billing software, inventory management.
  2. Products with health management health IT functions. Examples: software for health information and data management, knowledge management, EHRs, electronic access to clinical results and most clinical decision support software. This will be coordinated largely by HHS’s Office of the National Coordinator for Health IT (ONC) as part of their activities (including their current voluntary EHR certification program), but the private sector is also cited in establishing best practices.
  3. Products with medical device health IT functions, which potentially pose greater risks to patients if they do not perform as intended. Examples: computer-aided detection software, software for bedside monitor alarms and radiation treatment software. The draft report proposes that FDA continue regulating products in this last category. (Illustration on page 13 of report.)

The report also recommends the creation of a public-private entity under ONC, the Health IT Safety Center, which “would serve as a trusted convener of stakeholders and as a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.” The private sector is duly noted as a ‘stakeholder’.

The report was developed by FDA “in consultation” with ONC and, not unexpectedly, the Federal Communications Commission (FCC). Another recommendation (page 28) is the establishment of a ‘tri-Agency memorandum of understanding (MOU)’ to further determine their working relationship in this area. There’s a 90 day comment period on the 34 page report, which is perfect for weekend reading (!) How this onion will eventually be peeled, rather than quartered, remains to be seen, as does anything emanating from Foggy Bottom.  FDA release. Report. FierceMobileHealthcare.

Update 8 April: A good summary of criticism and approval of the framework to date appears in iHealthBeat from the California Health Care Foundation. The two US Senators sponsoring the PROTECT Act [TTA 28 Feb, 6 Mar] stated there is still too much regulation of low-risk technologies, and Bradley Thompson of Epstein Becker/mHealth Regulatory Coalition believes the report is weak on the issues around clinical decision support software. With praise: HIMSS, Health IT Now Coalition and ACT, which claims to represent about 5,000 mobile application developers and IT firms, but has no locatable website.

Previously in TTA: FDA finally issues proposed rule simplifying medical device classification

FCC sharply elbows up to the mHealth regulatory table

That other three-letter agency, the Federal Communications Commission (FCC), which has shown a distinctly competitive face versus the FDA on Federal healthcare tech policy over the past three years and more, has formed–drum roll–a task force to examine adoption of wireless technologies by health care organizations. Connect2HealthFCC will “identify regulatory barriers and incentives to expand the use of wireless health technologies; and strengthen partnerships with stakeholders in the telehealth and mobile health industries.” If this an accurate statement of the task force’s purpose, the parade not only has gone by, but it’s also three counties away. Yet going back in our files, this Editor notes that the FCC has vigorously fenced not only with the FDA, but also with HHSNIH, NIST and Congress for its place in the Federal HIT regulatory firmament. With issues such as ‘net neutrality’, wireless bandwidth and rural broadband, the FCC has a heaping healthcare helping on its plate just in assuring national access and removing conflicts in frequency demands by devices. However, the task force is headed by Michele Ellison, lately the FCC’s top regulatory enforcer with, as The Hill notes, 6,000 actions under her belt. In Foggy Bottom, things are never what they seem. iHealthBeat

US, UK agreement on HIT

Edited from the HHS releaseUS Health & Human Services (HHS) Secretary Kathleen Sebelius and UK Secretary of State for Health Jeremy Hunt on Thursday 23 January signed a bi-lateral agreement for the use and sharing of health IT information and tools. The agreement strengthens efforts to cultivate and increase the use of health IT tools and information designed to help improve the quality and efficiency of the delivery of health care in both countries.  The two Secretaries signed the agreement at the Annual Meeting of the HHS Office of the National Coordinator (ONC) for Health Information Technology. It concentrates on four key areas identified at the joint June 2013 summit:

  • Sharing Quality Indicators
  • Liberating Data and Putting It to Work
  • Adopting Digital Health Record Systems
  • Priming the Health IT Market

Collaboration efforts will be showcased at the Health Innovation Expo conference at Manchester Central 3-4 March (two weeks before HC2014) and the Health Datapalooza on 1-3 June in Washington, DC. A possible good sign for telehealth as there’s a great deal of mention of ‘preventive interventions’, ‘accessing and sharing data’ and the ‘health IT marketplace’.

Full memorandum of understanding text here. Also iHealthBeat.

Data insecurity in Obamacare insurance exchanges (US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”175″ /]The warning that should appear as the main page of 50 state health exchanges.

Subsumed under the ‘government shutdown’ (affecting in reality a distinct minority of Federal government employees) is the significant concern that the state-based online exchanges now selling individual insurance, effective 1 Jan 2014, much trumpeted under the Affordable Care Act and baked into it two years ago, already present significant vulnerabilities in securing the vital data of millions: Social Security number, date of birth, addresses, tax and earnings information. These state-based exchanges are also dependent on information from a Federal data ‘Hub’ which “acts as a conduit for exchanges to access the data from where they are originally stored.” (HHS Office of Inspector General report August 2013, page 2) If improperly secured, this opens up other Federal agencies to further upstream identity theft mayhem.

Already information is in the hands of thousands of call center staff and so-called ‘navigators’ who may or may not have gone through security verifications. Insurance customer information has already leaked outside of exchanges (see below). (more…)

Telehealth Soapbox: Medical device tax finally under fire; implications many (US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2013/09/gizmodo-the-top-10-rube-goldberg-machines-featured-on-film-rube-goldberg.jpg” thumb_width=”180″ /]A key part of the Rube Goldberg (or Heath Robinson)-esque funding of the Accountable Care Act (ACA, a/k/a Obamacare) is a punitive medical device tax of 2.3 percent levied on gross sales (not profits) of hip, knee, cardiac implants, many dental materials, diagnostics such as scanners, radiotherapy machines, catheters and more. Since it went into effect on 1 January, it has raised $1 billion according to the Medical Imaging & Technology Alliance, the Advanced Medical Technology Association and the Medical Device Manufacturers Association in July–for a program that does not start till 2014. According to The Hill, senior Senators Orrin Hatch, Barrasso and Hoeven are pushing for a repeal amendment to be attached to the stopgap spending bill. The reasons why the tax deserves to be tossed out on its ear are: (more…)

Is nothing private in your EHR? Another disturbing trend out of Swampland.

According to a solicitation posted by the Department of Health and Human Services (HHS-Ed.) on Sept. 4, the CMS (Centers for Medicare and Medicaid Services) is commissioning the National Academy of Sciences (NAS) to study how best to add social and behavioral factors to electronic health record reporting.  Washington Free Beacon

So a non-profit online publication, which one would site on the conservative or libertarian side (part of the Center for American Freedom), breaks a huge story, way ahead of the mainstream media, which has major implications for privacy, data security, public health, how goes your doctor or hospital visit and the level of care you receive. Is this EHR TMI (too much information)? The Federal inclusion is being linked to Stage 3 of the Meaningful Use program and reimbursement under Medicare, Medicaid and the Children’s Hospital Insurance Program (CHIP). The NAS already is working on this with the Institute of Medicine to draft suggestions for collecting this behavioral data and identifying “core social and behavioral domains to be included in all EHRs.”

With linking the data to outside Nosey Parkers agencies such as public health entities, the possibilities for identified data becoming insecure or compromised increase dramatically. Will it be accessed (abused) by other entities involved in ACA such as the IRS, state Medicaid databases and Social Security? How much of this data will accidentially leak out in non-deidentified files? Will breaches of millions of non-encrypted records become the norm? Another important and oft-overlooked factor is the additional workload on already overworked hospital and clinical staff, who presently struggle to get comprehensive vital data correctly into multiple fields and screens on present EHRs–a major pain point among many speakers and participants at this past week’s iHT2 Health IT Summit. Finally, there’s the patient. He or she will be pressed to answer, due to penalties baked into the ARRA/HITECH MU3 incentives, the most personal questions about their life and behavior particularly if the diagnosis is one of what euphemistically was called a ‘social disease’. Having spoken this week to those in public health both at iHT2 and at Health 2.0 NYC, this Editor can see it as a deterrent to getting the care they need–or choosing evasion rather than truth with their doctor because there are no more confidences. Even the California Healthcare Foundation, hardly on the right wing, sounds an alarm in iHealthBeat.

An ‘Office of mHealth’ a solution for FDA gridlock? (US)

The ‘FDA Office of mHealth‘ bill (H.R. 6626) as sponsored by Mike Honda, Silicon Valley’s House Representative (California 17th District), which expired with last year’s Congress [TTA 18 Dec] will be revived with revisions, according to MedCityNews. (Rep. Honda will be keynoting on the second day of MedCityNews’ ENGAGE conference in Washington D.C. in June.) Formerly dubbed HIMTA (Healthcare Innovation and Marketplace Technologies Act) will now include how that office will work with the alphabet soup of other agencies: FCC, HHS, ONC, FTC. It struck this Editor in December–and later [TTA 28 Mar]–that this bill does not go far enough. In its good intentions to speed mHealth approvals by creating a framework plus monetary incentives, it is not powerful or independent enough to slice through or bypass various turfs.  What would be revolutionary is simplification. Why not an independent unit that draws from FDA, FCC and HHS, but has priority and license to cut through red tape? But that would require major giving up of ground–and with this Federal Government, that ain’t gonna happen. Add to it that the most innovative work–and usage– is being done at DOD (DARPA, T2) and the VA, and the alphabet soup becomes goulash.  Wall Street Journal’s Venture Capital Dispatch