A much-needed book in the age of Hacker/RansomwareMania. A new book published, ‘Protecting Patient Information’ by Paul Cerrato, is subtitled ‘A Decision-Maker’s Guide to Risk, Prevention, and Damage Control.’ It’s not a tome at 162 pages, since it’s written not for academics or IT Gearheads, but for physicians (including doctors running small practices), nurses, healthcare executives and business associates. It takes a practical, three-part approach to IT security in healthcare organizations which can be applied internationally:
- How to do an in-depth analysis of the organization’s risk level
- How to lower the risk of a data breach within the myriad of Federal and state rules regarding protected PHI
- How to deal with a data breach, even if you’ve followed 1) and 2) (This may be the ‘worst case scenario’ part of the book)
The preface to the book is written by John Halamka, MD, himself a CIO of Beth Israel Deaconess Medical Center in Boston and a professor at Harvard Medical School. It will set you back about $42, but worth it. Hat tip to our friends at HITECH Answers via Twitter. If you’ve read the book or will read it soon, this Editor and your fellow Readers would be interested in your thoughts or even a review.
Ransomware threats are now the subject of a joint alert in both the US and Canada, with at least 14 hospitals under attack on both sides of the border. Ten of the hospitals are part of MedStar in Maryland [TTA 26 March, updated], and as your Editors have noted, it’s not just hospitals but also Mac iOS under attack and now, reportedly, even police and cafes (Telegraph.uk, NPR). $24 million was lost to ransomware in 2015 in the US alone, according to the FBI. Healthcare IT News reports a new variation called PowerWare which is delivered through MS Word documents, but goes further than Locky in mimicking legitimate files and activities without writing new files on the system, which makes it hard to detect. It invades PowerShell which is used by system admins for task automation and configuration management.
If you are catching up and want a useful overview, see Wired. The headline states the obvious, at least to this Editor. Hospitals and their often-flawed IT managed by overworked staffs are the perfect target for ransomware and multiple viruses as lives are at stake, not widget production. Like most malware and internet Bad Things, ransomware originated in Eastern Europe (where else?) back in 2005. Most attacks include instructions on how to access bitcoin, the untraceable payment method demanded by the hospital hostage-takers.
How to prevent or mitigate? NPR cites Peter Van Valkenburgh, director of research at Coin Center, a digital currency advocacy non-profit, that hospitals can take safeguards including HTTPS encryption, two-factor authentication and implementing file backups on a separate server.
Don’t feel bad, HIT execs–the Feds are even worse. Complementary to our coverage of the increased danger of hacked health IT systems and data breaches (the trail of tears is here and here) is the oddly muted press clamor around the 4 June hacking report of the Federal Office of Personnel Management (OPM). Chinese hackers roamed around two OPM databases–personnel and security clearances–for nearly a year, according to CNN’s Senate briefing coverage. The breach likely exceeded 18 million records, though the real number may never be known. Privacy Rights Clearinghouse summarizes it and provides an interesting link to a timeline by Brian Krebs, whose independent reporting beat is IT security. Megan McArdle, a reformed IT consultant writing for Bloomberg News and independently, points at the Federal lack of urgency around having adequate IT that doesn’t fail. Example–the much chronicled failure around Healthcare.gov and the so-called health exchanges, which appear to be functioning better, but reports say they are nearly as porous and hackable as they were in 2013. She notes that it’s all about ‘scorched-earth determination’ and that the direction has to come from the top, meaning the President. And ‘voters have never held Obama responsible for his administration’s appalling IT record’. A thought that should give those in telehealth and telemedicine who are working with CMS value-based program ACOs a great deal of pause. NY Post editorial via Press Reader.
This week’s priceless quote:
“A lot of the response was, ‘We live in a cornfield in the middle of Minnesota,’” he said. “‘Who wants to hurt us? Who can even find us here?’”–Jim Nelms, Mayo Clinic’s first chief information security officer.
We know where you are and what you do! The precarious state of healthcare data security at facilities and with insurers, plus increased external threats from hacking, has been getting noticed by Congress–when you see it in POLITICO, you know it’s finally made it into the Rotunda. It was over the horizon late last summer with the FBI alert and legislators in high dudgeon over the Community Health Systems China hack [TTA 22 Aug 14]. It’s a roof that leaks, that costs a lot to fix, doesn’t have immediate benefit (cost avoidance never does), but when it does leak it’s disastrous.
This article rounds up much of what these pages have pointed out for several years, including the Ponemon Institute/IBM study from earlier this week, the Chinese/Russian connections behind Big Hacks not only for selling data, but also IP [TTA 26 Aug 14] and how decidedly easy it is to hack devices and equipment [TTA 10 May 14]. Acknowledgement that healthcare data security is about 20 years behind finance and defense deserves a ‘hooray!’, but when you realize that on average only 3 percent of HIT spend is on security when it should be a minimum of 10 percent (HIMSS) or higher…yet the choice may be better security or uncompensated patient care particularly in rural areas, what will it be for many healthcare organizations?
The article also doesn’t go far enough in the devil’s dilemma–that the Federal Government with Medicare, HITECH, meaningful use, rural telehealth and programs like Medicare Shared Savings demand more and more data tracking, sharing and response mechanisms, stretching HIT 15 ways from sundown. At the cutely named Health Datapalooza presently going on in Washington DC, data sharing is It for Quality Care, or else. Yet the costs to smaller healthcare providers to prevent that ER readmission scenario through new care models such as PCMHs and ACOs are stunning. And the consequences may be more consolidated, less available healthcare. We are already seeing merger rumors in the insurer area and scaledowns/shutdowns/buyouts of community health organizations including smaller hospitals and clinics. Also iHealthBeat.
DARPA to the rescue? The folks who brought you the Internet may develop a solution, but it won’t be tomorrow or even the day after. The Brandeis Program is a several-stage project over 4.5 years to determine how “to enable information systems that would allow individuals, enterprises and U.S. government agencies to keep personal and/or proprietary information private.” It discards the current methodology of filtering data (de-identification) or trusting third parties to secure it. Armed With Science. FedBizOpps has the broad agency announcement in addition to vendor solicitation information.
Suicides by US active duty soldiers have more than doubled since 2001, according to a January Pentagon report, and current prevention programs have not been that effective in reducing the over 200 reported suicides per year. Enter a huge database program called STARRS–Army Study to Assess Risk and Resilience in Service–to identify risk factors for soldiers’ mental health. The US Army not only likes acronyms, but also never does anything small–a five-year, $65 million program analyzing 1.1 billion data records from 1.6 million soldiers drawn from 39 Army and Defense Department databases. Researchers are looking at tens of thousands of neuro-cognitive assessments, 43,000 blood samples, more than 100,000 surveys, hospital records, criminal records, previous risk studies, family and job histories plus combat logs. The study, also using resources from the National Institute of Mental Health, the University of Michigan and other educational institutions, will conclude this June–and researchers are now wrestling with the privacy and moral consequences of responsibly using this data for health and in leadership. NextGov
Weekend reading and a banquet for your consideration.
Though computers can and do improve patient safety in many ways, the case of Pablo Garcia vividly illustrates that, even in one of the world’s best hospitals, filled with well-trained, careful and caring doctors, nurses and pharmacists, technology can cause breathtaking errors.
This one began when a young physician went to an electronic health record and set a process in motion that never could have happened in the age of paper.
From The Overdose: Harm in a Wired Hospital by Robert Wachter, MD (Medium.com Backchannel), Part 1 of 4
The situation is a pediatric patient with a severe chronic illness, with multiple symptoms requiring multiple medications to control, admitted to University of California San Francisco (UCSF). The article is a case history of the chain of events, both technological and human, that led to a severe overdose of a routine antibiotic medication, which the patient had already been maintained on for years, nearly killing the child. You will see, with horror, how every check-and-balance failed in the prescribing and dispensing procedure, and why.
Dr Wachter is not only chief of the medical service and chief (more…)
The report issued today by the influential Robert Wood Johnson Foundation (RWJF), ‘Data for Health: Learning What Works’, advocates a fresh approach to health data through greater education on the value/importance of sharing PHI, improved security and privacy safeguards and investing in community data infrastructure. If the above quote and the first two items sound contradictory, perhaps they are, but current ‘strict’ privacy regulations (that’s you, HIPAA), data siloing and the current state of the art in security aren’t stemming Hackermania (or sheer bad data hygiene and security procedures). Based on three key themes, the RWJF is recommending a suite of actions (see below) to build what they term a ‘Culture of Health’. All of which, from the 10,000 foot view, seem achievable. The need–and importantly, the perception of need–to integrate the rising quantity of data from all these devices, pry it out of its silos (elaborated upon earlier this week in ‘Set that disease data free!’), analyze it and make it meaningful plus shareable to people and their doctors/clinicians keeps building. (‘Meaningful’ here is not to be confused with the HITECH Act’s Meaningful Use.)
But who will take the lead? Who will do the work? Will the HIT structure, infrastructure and very importantly, the legal framework follow? We wonder if there is enough demand and bandwidth in the current challenged system. Release. RWJF ‘Data for Health’ page with links to study PDF, executive summary which adds details to the recommendations below, more.
“The medical industry is years and years behind other industries when it comes to security.”–Dave Kennedy, TrustedSec CEO.
We admire the Washington Post for arriving at the conclusion we did in 2010–that healthcare organizations are uniquely vulnerable to cyberattack because of the high value of patient data, and an often lighter level of HIT security. But now we get the finger wag that ‘it’s only going to get worse.’ (Beyond 120 million breached records?) Data security, of which HIPAA patient information protection is a part, wasn’t primary for years, especially in organizations overwhelmed with transitioning EHRs, getting EMRs to speak with EHRs, Meaningful Use, new care and payment models, 30-day readmissions and ‘oh, by the way, how will we get paid?’ The Premera Blue Cross (Washington state) breach of 11 million records was the second largest in healthcare history (after Anthem Health’s February bunker buster of a breach). Most breaches are from stolen laptops or shared/easy-to-guess passwords (or none at all)–but these have not been in the millions. Premera’s theft took place on 5 May 2014 and was only discovered in January; it included SSNs, bank information, claims data, patient name/address and date of birth. Those affected were in California and Alaska primarily, but also included Federal employees.
But Premera can’t say they were not warned. The US Office of Personnel Management’s Office of the Inspector General (OPM OIG) independently audited Premera in April 2014 detailing several vulnerabilities, including a lack of timely patch implementations, a lack of methodology to “ensure that unsupported or out-of-date software is not utilized” and insecure server configurations, and the need to upgrade physical access controls in their data center. FierceHealthIT
Premera’s medical files data may expose other payers, which in turn may legally come after Premera, according to FierceHealthIT.
Only now are health systems and practices focusing on securing all information (more…)
The US Department of Veterans Affairs (VA), in its proposed 2016 budget released earlier this week, is increasing support for telehealth/mHealth along with programs that use these services–rural health and mental health. Telehealth’s VA budget from FY 2014 increased from $986 million to just below $1.1 billion in the current year. In FY 2016 (beginning 1 Oct), the VA is allocating $1.22 billion of a $56 billion budget, and in 2017 advance appropriations, $1.37 billion–a year-to-year increase of 11 percent and 12 percent respectively.
VA has the largest telehealth program in the US, divided into three main functional areas: (more…)
According to the World Health Organisation, urinary tract infections (UTIs) win top prize for most frequent health care-associated infection in high-income countries. And the cause? A massive 75% of all hospital-acquired UTIs result from having a urinary catheter fitted (i.e. a tube inserted into the bladder through the urethra to drain urine). And it’s far from unusual to have this procedure done, for between 15 and 25 percent of hospitalized patients have one fitted during their hospital stay (Source: CDC). Having a urinary tract infection can be nasty enough, but if left untreated serious consequences can result, including permanent kidney damage.
The most effective way to reduce the incidence of UTIs (apart from not having a catheter fitted in the first place) is by removing the catheter as soon as it is no longer needed. Unfortunately, all too often this does not happen. That’s why the findings from this new study from the University of Pennsylvania are significant. Results showed that automated alerts in Electronic Health Records (EHRs) reduced urinary tract infections in hospital patients with urinary catheters.
The EHR alert system worked by prompting physicians to specify the reason for inserting the patient’s catheter. On the basis of the reason selected, the system then helped them decide (a) whether urinary catheters were needed in the first place and (b) alerted them to reassess the need for catheters that had not been removed within a recommended time period. And it was no small-fry study. (more…)
Huge price tag, is the solution more ‘white hat hacker/crackers’, get a clue, C-Suite and why China leads in hacking (important updates!)
Dan Munro in Forbes got out his calculator and estimated that the cost to Community Health Systems, based on prior incidents, may be as high as $150 million. He bases it on recent poster children Columbia-NY Presbyterian and BlueCross BlueShield of Tennessee. The message to healthcare business executives: pay now–by beefing up HIT and data security–or pay later in rush remediation of data breaches like identity theft protection, Office of Civil Rights-HHS fines, potential insurance fraud, legal charges and damages awarded. On the latter, it took only hours after the announcement for the first class action to be filed in Alabama.
Of course cybersecurity experts, particularly the ‘white hat’ or ‘cracker’ variety, are in increasingly high demand across all business areas and internationally–and there aren’t many at that exalted level or even a rung or two below. Their commensurate compensation is one factor, but calls to hire less expensively overseas as explored in this article are, in this Editor’s estimation, a two-edged sword: much hacking, many sleeper bugs and ‘backdooring’ are engineered overseas (China, Russia, the Balkans, India); what is to say that these ‘former hackers’ aren’t playing both games? Cybersecurity’s hiring crisis: A troubling trajectory (ZDNet)
The C-Suite Must Care…The Workforce Must Be Aware
Since data security and data breaches threaten to swamp many sectors (universities and colleges, even more than healthcare, rank as the most vulnerable), the solution may not be wholly in the code. (more…)
Breaking News–updated at end. Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of an SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records, accumulated over five years, in attacks during April and June using sophisticated malware. (more…)
The big news in HIT circles today was Cerner’s purchase of Siemens’ health IT business for $1.3 billion. Forbes has the most detailed analysis by far, which appears to have been prepared in advance based on the 22 July rumor published by HISTalk at that time. HISTalk’s and their readers’ comments on the announcement conference call today are moderately scathing and worth reading if of interest to you. The takeaway for this Editor is that it was a defensive move for Cerner versus Epic Systems, Athenahealth and Allscripts; they bought out a competitor, bought market share with the acquisition (although how much of it would have fallen to them anyway is a question), gained more of an international foothold plus an inside track to customers eager to move to newer technology. For Siemens, it appears (more…)
Philips Healthcare and Salesforce announced last week their partnership to construct a connected, multi-point and collaborative data platform to benefit providers, payers and patients. The initial step is the launch later this summer of the Philips eCare Coordinator app for healthcare providers and a patient-centered Philips eCare Companion app, which will take in data from Philips Healthcare medical devices into a variation on the Salesforce1 cloud platform. What’s emphasized in the releases and information from media sources is that it will be designed as an open platform for other device and software providers. (Data security problems down the line are anyone’s guess.) While Philips’ global CEO was part of the announcement and it’s expected that Philips will be lead dog for this, the only two customers mentioned were US and Salesforce’s. There were also few details on how clinical staff would access and use the data.
Cui bono from this? Philips of course, which of late has been lagging (more…)
Another part of the 2012 FDA Safety and Innovation Act (FDASIA) clicked into place with the US Department of Health and Human Services (HHS) publishing a draft report proposing strategy and recommendations for what is rather grandly termed a “health IT framework”. Basically it defines more unified criteria, based on risk to the patient and function of what the device does, not the platform (mobile, software, etc.). It then separates products into three broad categories. Excerpted from the FDA release and the FDASIA Health IT Report:
- Products with administrative health IT functions, which pose little or no risk to patient safety and as such require no additional oversight by FDA. Examples: billing software, inventory management.
- Products with health management health IT functions. Examples: software for health information and data management, knowledge management, EHRs, electronic access to clinical results and most clinical decision support software. This will be coordinated largely by HHS’s Office of the National Coordinator for Health IT (ONC) as part of their activities (including their current voluntary EHR certification program), but the private sector is also cited in establishing best practices.
- Products with medical device health IT functions, which potentially pose greater risks to patients if they do not perform as intended. Examples: computer-aided detection software, software for bedside monitor alarms and radiation treatment software. The draft report proposes that FDA continue regulating products in this last category. (Illustration on page 13 of report.)
The report also recommends the creation of a public-private entity under ONC, the Health IT Safety Center, which “would serve as a trusted convener of stakeholders and as a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.” The private sector is duly noted as a ‘stakeholder’.
The report was developed by FDA “in consultation” with ONC and, not unexpectedly, the Federal Communications Commission (FCC). Another recommendation (page 28) is the establishment of a ‘tri-Agency memorandum of understanding (MOU)’ to further determine their working relationship in this area. There’s a 90-day comment period on the 34-page report, which is perfect for weekend reading (!) How this onion will eventually be peeled, rather than quartered, remains to be seen, as does anything emanating from Foggy Bottom. FDA release. Report. FierceMobileHealthcare.
Update 8 April: A good summary of criticism and approval of the framework to date appears in iHealthBeat from the California Health Care Foundation. The two US Senators sponsoring the PROTECT Act [TTA 28 Feb, 6 Mar] stated there is still too much regulation of low-risk technologies, and Bradley Thompson of Epstein Becker/mHealth Regulatory Coalition believes the report is weak on the issues around clinical decision support software. With praise: HIMSS, Health IT Now Coalition and ACT, which claims to represent about 5,000 mobile application developers and IT firms, but has no locatable website.
Previously in TTA: FDA finally issues proposed rule simplifying medical device classification
The mHealth Regulatory Coalition, which is a four-year-old alliance of legal and software companies in the health IT/software area, and whose most vocal spokespersons are well-known industry legal counsels Brad Thompson and Kim Tyrrell-Knott of Epstein Becker Green, has come out against the PROTECT Act (S 2007). PROTECT, which was proposed by Senators Fischer and King, would limit FDA regulation of certain ‘low-risk’ clinical software in the interest of fostering innovation and reducing regulatory burden. Original reports indicated that this responsibility would be transferred to the National Institute of Standards and Technology (NIST) [TTA 28 Feb]. According to Mr. Thompson, “The rush to avoid expert reviews of complex technologies with far-reaching health ramifications ignores the fact that we cannot separate the high risk from the low risk apps using broad terms in legislation.” His example: a theoretical smartphone app designed to diagnose melanomas from photos. PROTECT is being supported by IBM, athenahealth, Software & Information Industry Association, Newborn Coalition and McKesson. The bill also would exempt certain health IT software from being charged a 2.3% medical device tax, which is perhaps the ‘long game’ being played here by the aforementioned companies, as most Washington watchers give the bill as it stands little chance of clearing both houses of Congress and a congressional committee, much less being signed into law. The question remains: how best to speed less clinically significant wellness software to market without logjamming the FDA. iHealthBeat summary, Clinical Innovation + Technology, MRC press release