Short takes: ransomware op BlackCat busted by FBI, websites shut–for now; health systems lay off IT staffers; retailers collecting way too much PII including health

FBI busts BlackCat/ALPHV ransomware. In an Eliot Ness-like move, the Federal Bureau of Investigation (FBI) got busy and delivered a nice present to healthcare organizations for Christmas. According to two 19 December articles in Bleeping Computer (article 1, article 2), the FBI seized the darknet websites used to run the ALPHV ransomware operation and released a decryptor that lets approximately 500 victim companies recover their data for free, negating about $68 million in ransom demands. The details are a little thin, but in article 2 Bleeping reconstructed what it could from the search warrant. The FBI arranged for a confidential human source (CHS) to be taken on as an affiliate, meaning the CHS could log in to ALPHV’s affiliate panel and use its tools for managing extortion campaigns and ransom negotiations. It sounds like a rather nifty platform if you’re extorting a victim company. How the FBI got the decryption keys is another matter they are mum on; those are not available through the affiliate panel. What the warrant does say is that “they obtained 946 private and public key pairs associated with the ransomware operation’s Tor negotiation sites, data leak sites, and management panel”. 

US law enforcement was assisted by Europol, plus law enforcement in Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria. This is the third time the same gang has been disrupted; as Bleeping Computer put it, they’ll “rebrand under a new name as they have done in the past” in a few months.

But maybe faster than that. Some added details from Healthcare IT News sourced from KrebsonSecurity: BlackCat briefly ‘unseized’ its darknet site. (Seizing a Tor onion address does not lock the operator out: whoever still holds the site’s private key can republish at the same address, so the FBI and the gang could each overwrite the other’s page.) The gang wiped out the FBI seizure banner shown above (courtesy Bleeping Computer), put up a ‘we’re unseized’ notice (in the Krebs article) that they were still open for business at a different location, offered affiliates a 90% payout, and told affiliates they could ransomware anything, anywhere (hospitals and nuclear plants cited!) except targets located in Russia and the CIS. 

Given ransomware, hacking, cybersecurity threats, and the work of maintaining and upgrading operations, you’d think hospitals would be hiring, not firing, IT workers. But noooooo. Becker’s listed seven health systems that are either pinkslipping IT staff or transferring them to outsourced companies. They are Kaiser–115 nationwide; Novant Health–unknown number, due to ‘changing up their IT system’; Tower Health (Reading PA)–outsourced staff to a vendor; Mass General Brigham–staff reduction via voluntary buyouts in effect 22 November; Bon Secours Mercy Health–layoffs plus eliminating open roles; Care New England–outsourced staff to health IT provider Kyndryl; Franciscan Health–moved 61 to a vendor. Penny wise, pound foolish.

Here’s more than money you’ve left behind with your online holiday shopping–data, and lots of it. This study from Incogni Research is unnerving, as it goes far beyond what you think you’ve shared–you buy nasal spray in the winter, allergy eyedrops in the spring, etc.– to what retailers are actually collecting on you. This Editor will cite only the companies in healthcare–CVS, Walgreens, Amazon, and Walmart–according to their study:

  • All four collect PII data that includes customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).
  • Walmart, CVS, and Walgreens additionally collect Social Security numbers, union membership status, and sex-life data.
  • Their apps collect 15 to 20 data points, such as exact location, personal data, financial data, health and fitness, messages, photos and videos, audio files, files and docs, app activity, web browsing, app info and performance, and device or other IDs.

Users can opt out of some of these, but most do not. And some go to third parties. And all had been breached at one time or another, whether at the retailer or at the vendor level. Prepare to be shocked and dismayed. Release on DR Journal

FTC, HHS OCR scrutiny tightens on third-party ad trackers, sends letter to 130 hospitals and telehealth providers

If you’ve checked on your legal department, they may resemble Pepper (left). Hospitals and telehealth companies have been put on notice by letter agencies HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) that personal health information–not just protected health information (PHI) covered by HIPAA–that can be transmitted to third parties by ad trackers like Meta Pixel is now forbidden, verboten, not permitted. In the joint statement by OCR and FTC, hospitals, providers, and telehealth providers were explicitly told that use of these online trackers is being equated with violations of consumer privacy. Their release specified “sensitive information” such as health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Hospitals and telehealth companies also cannot plead ignorance of what their developers did, as the responsibility is being put squarely on them to monitor the data flowing to third parties out of their websites and apps. 

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. At OCR, which historically had its hands full with HIPAA violations and data breaches, the scope has broadened. “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.” Both HHS and FTC can take action without the time-consuming legal actions that DOJ must undertake.

True to FTC’s renewed use of the 2009 Health Breach Notification Rule, the letter sent to 130 hospital systems and telehealth providers came down hard on anything that could be interpreted as personal health information. Even for health organizations not covered by HIPAA, the letter is explicit on their obligation to protect against disclosure to third parties and to monitor the flow to third parties even if not used for marketing. Without explicit consumer authorization, it can “violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.” Previous TTA coverage on third-party trackers and FTC actions here. Health IT Security

Between the DOJ and FTC alone, with actions on ad trackers and changes to antitrust guidelines, they have made the spring and summer of 2023 a most interesting and busy one for hospital and healthcare company legal departments. It’s even more amazing that given this background and on notice, Amazon just keeps flouting basic regulations about health information usage, such as for Amazon Clinic–which to date has not rolled out. TTA 27 June

Amazon Clinic delays 50-state telehealth rollout due to Federal data privacy, HIPAA concerns on user registration, PHI–is it a warning?

Amazon delaying Amazon Clinic national rollout from today (27 June) to 19 July. Amazon Clinic, which debuted last November as an asynchronous, message-based telehealth consult or prescription renewal referral platform [TTA 16 Nov 2022], has run once again into Federal scrutiny. This time, it’s two Senators from New England–the well-known Elizabeth Warren (D-MA) and the little-known Peter Welch (D-VT)–who are poking Amazon with the stick of whether sensitive health and personal data are flowing into Amazon’s other databases.

Their letter to CEO Andy Jassy was fair warning that, as this Editor predicted last February (see the list of open issues) after the One Medical buy closed to high-fives all around, the government is nowhere near finished with scrutinizing Amazon and how personal data, including health data, flows between their units and is monetized. 

In a two-page letter dated 16 June based on reporting in the Washington Post (100% owned by Amazon’s 12.6% shareholder and controller, Jeff Bezos–the irony runs deep here), the two senators believe that they have caught Amazon but good–and with some of the goods. 

  • Users of the Amazon Clinic service are asked, in the registration form, to authorize the “use and disclosure of protected health information.” They are told that agreement to this gives Amazon access to the “complete patient file” and that this information “may be re-disclosed,” after which it will “no longer be protected by HIPAA”. By agreeing to this, users waive any HIPAA personal health information protections.
  • If the user declines to agree, they are redirected and unable to complete Amazon Clinic registration and denied care. HIPAA regulations specifically prohibit conditioning care on agreement to disclose patient information. (This is known by anyone who has taken required training or certification on HIPAA when working for health plans or other regulated healthcare providers including RPM and telehealth vendors.)

The letter raises the sensible, usual questions on why personal data is being collected and what Amazon is doing with it. For instance, it requests responses on how patient data is used by Amazon, what data is shared with third-party entities, and what data is used in any analytics or algorithms. It cites as a non-compliance example the $1.5 million that GoodRx paid in an FTC penalty for its past Meta Pixel usage for ad tracking. (Interestingly, it avoids mentioning the $7.8 million Teladoc paid for similar ad tracker misuse by its BetterHelp unit.)

The $30/visit service has been available in 33 states since last year and currently through asynchronous messaging, provides care for minor conditions such as UTIs, herpes, and skin infections. The expansion will cover all 50 states and add synchronous video telehealth.

One would think that with billions on the line with One Medical, Amazon would be more cautious about poking the Antitrust Bear. They have already been put on notice by the Federal Trade Commission, the Department of Justice (DOJ), Congress, and multiple states. For Amazon Clinic, requiring individuals to waive their right to protect their PHI in registering for the service is downright brazen. How this got past their legal and compliance departments boggles the mind. Why Amazon is not ‘hiving off’ PHI collected through this small service is another question. Doing so would show to FTC and DOJ that Amazon can play by the rules. Instead, it confirms the widely held belief of those in healthcare that Amazon culturally cannot deal with the restrictions that come with the territory. Are they deliberately ‘playing chicken’ with the Feds? Pollo loco? This up-to-the-line behavior tends not to end well, as the telemental health providers that over-prescribed controlled substances found out.  POLITICO, The Hill, mHealth Intelligence

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) out of the 300,000-odd health apps on the market, and found that the application programming interfaces (APIs) used by 100 percent of these apps had vulnerabilities that could allow attackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps, used by patient care organizations for remote account management and telemedicine appointments, may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire. Anything embedded in a distributed app binary should be assumed public: it can be pulled out of the package with a strings dump or a decompiler.
  • Seven percent had hardcoded usernames and passwords in plain text.
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information.
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These are relatively simple: the attacker, logged in as a legitimate user, substitutes another user’s record ID (often just a neighboring number) in an API request, and the server, having checked only that the session token is valid, never checks whether that token’s owner is entitled to that particular record. For some apps, the same trick yielded clinician-level access, with the ability to alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which makes the app validate the server’s certificate against a known good copy rather than accepting any certificate the device’s trust store happens to trust; without it, an interception proxy with an installed CA can read and rewrite the app’s API traffic.
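Here is what finding the first two bullets looks like in practice: a scanner run over the strings pulled out of an app binary, flagging well-known key formats, Basic-auth headers (decoded back to the plaintext credential), password literals, and unlabeled high-entropy blobs. This is an added example, not code from the Approov report or any app it tested; the sample lines are constructed (the AWS key is AWS’s own documented example key, the rest are made up).

```python
"""Scan strings extracted from a mobile app binary for hardcoded credentials.
Added example; SAMPLE_STRINGS is constructed, not taken from any real app."""
import base64
import binascii
import math
import re

# (kind, pattern, capture group holding the secret)
SIGNATURES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("google_api_key",    re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), 0),
    ("basic_auth_header", re.compile(r"\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})"), 1),
    ("password_literal",  re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\"'\s]{4,})"), 1),
]
# Candidate blobs for the entropy check: 20+ chars of base64/hex-ish alphabet, no
# punctuation, so URLs and ordinary prose never qualify.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Constructed 'strings' output as a decompiler or `strings` would show it.
SAMPLE_STRINGS = [
    "https://api.example-health.test/v2/patients",
    "X-Api-Key",
    "AIzaSy" + "EXAMPLE" + "0" * 26,                      # Google-style key (made up)
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",               # AWS's documented example key
    "Authorization: Basic " + base64.b64encode(b"svc-mobile:Winter2023!").decode(),
    "db_password=Sup3rS3cret!",
    "q8Zr2vLx9Kd0pW3bTnY7mC1sH5jF",                         # unlabeled high-entropy blob
    "Lorem ipsum dolor sit amet consectetur",
]


def shannon_entropy(s):
    """Bits per character; a random 28-char token scores ~4.8, English ~4.0 or less."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_basic(b64):
    """Return 'user:pass' if the blob is a valid Basic-auth credential, else None."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return raw if ":" in raw else None


def scan(lines, entropy_threshold=3.5):
    """Return findings as dicts: kind, 1-based line number, and the secret value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        covered = []                      # spans already reported on this line
        for kind, pat, group in SIGNATURES:
            for m in pat.finditer(line):
                value = m.group(group)
                if kind == "basic_auth_header":
                    value = decode_basic(value)
                    if value is None:
                        continue
                findings.append({"kind": kind, "line": lineno, "value": value})
                covered.append(m.span())
        # Generic fallback: high-entropy blobs not already explained by a signature.
        for m in TOKEN.finditer(line):
            start, end = m.span()
            if any(start < c_end and end > c_start for c_start, c_end in covered):
                continue
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append({"kind": "high_entropy_string", "line": lineno,
                                 "value": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_STRINGS):
        print(f"line {f['line']:>2}  {f['kind']:<20} {f['value']}")
```

The overlap check matters: without it the AWS line would be reported twice (once by signature, once as a generic blob). The entropy threshold is a tuning knob; 3.5 catches keys but will also flag long random-looking resource IDs, so treat those hits as leads to review, not verdicts. Whatever the scanner finds, the remediation is the same: a key shipped inside an app cannot be kept secret, so it must be scoped to the minimum the client needs, rotated, and ideally replaced by short-lived tokens issued per user session by the back end.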

Alyssa Knight, the ‘recovering hacker’ who authored the report, also got into one hospital’s EHR by changing a record identifier in an API request by a single digit. She was then able to read other patients’ health records and registration information. She used a testing tool that makes its API requests look like traffic coming from the legitimate mobile health app.
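The BOLA finding in the list above and the ‘change one digit’ intrusion described here are the same bug. The following added example (not code from the Approov report, the hospital, or any tested app; the records, tokens and roles are constructed sample data) shows a patient-records lookup that only authenticates the caller, beside a hardened version that also authorizes the caller against the specific record requested, and distinguishes read from write so a patient cannot alter their own chart, let alone someone else’s.

```python
"""Broken Object Level Authorization (BOLA) in a patient-records API.
Added example; RECORDS and SESSIONS are constructed sample data, not a real system."""
from dataclasses import dataclass, field


@dataclass
class Record:
    record_id: int
    patient: str                   # user id of the patient the chart belongs to
    clinicians: set                # users with a treatment relationship to the patient
    history: list = field(default_factory=list)


# Sequential numeric IDs, as in many real back ends: an attacker who holds 1002
# only has to try 1001 and 1003.
RECORDS = {
    1001: Record(1001, "pat-alice", {"dr-chen"}, ["asthma"]),
    1002: Record(1002, "pat-bob",   {"dr-chen"}, ["hypertension"]),
    1003: Record(1003, "pat-carol", {"dr-diaz"}, ["migraine"]),
}
# Bearer token -> (user id, role).  A real service would verify a signed JWT or
# consult a session store; the point here is what happens *after* that check.
SESSIONS = {
    "tok-alice": ("pat-alice", "patient"),
    "tok-bob":   ("pat-bob",   "patient"),
    "tok-chen":  ("dr-chen",   "clinician"),
}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"{status} {message}")
        self.status = status


def authenticate(token):
    """Who is calling?  Authentication only; says nothing about what they may touch."""
    if token not in SESSIONS:
        raise ApiError(401, "invalid token")
    return SESSIONS[token]


# ---- vulnerable: the object ID is trusted as soon as the token checks out ----
def get_record_vulnerable(token, record_id):
    authenticate(token)                         # any valid token passes
    if record_id not in RECORDS:
        raise ApiError(404, "not found")
    return RECORDS[record_id]                   # Bob's token + 1001 -> Alice's chart


def add_history_vulnerable(token, record_id, entry):
    authenticate(token)
    RECORDS[record_id].history.append(entry)    # any user can write to any chart
    return RECORDS[record_id]


# ---- hardened: authorize the caller against *this* object on every call ----
def load_authorized(user, role, record_id, write=False):
    rec = RECORDS.get(record_id)
    # A missing record and "exists but not yours" return the same 404, so an
    # attacker walking the ID space cannot even learn which IDs are live.
    if rec is None:
        raise ApiError(404, "not found")
    is_own_chart = role == "patient" and rec.patient == user
    is_treating = role == "clinician" and user in rec.clinicians
    if not (is_own_chart or is_treating):
        raise ApiError(404, "not found")
    if write and not is_treating:               # patients read; only treating clinicians write
        raise ApiError(403, "read-only access")
    return rec


def get_record(token, record_id):
    user, role = authenticate(token)
    return load_authorized(user, role, record_id)


def add_history(token, record_id, entry):
    user, role = authenticate(token)
    rec = load_authorized(user, role, record_id, write=True)
    rec.history.append(entry)
    return rec


def status_of(fn, *args):
    """HTTP-style status the endpoint would return for this call."""
    try:
        fn(*args)
        return 200
    except ApiError as e:
        return e.status


if __name__ == "__main__":
    # Bob, a patient, "changes one digit" of his own record ID.
    print("vulnerable:", get_record_vulnerable("tok-bob", 1001).patient)   # pat-alice
    print("hardened:  ", status_of(get_record, "tok-bob", 1001))            # 404
```

The fix is not a middleware flag; it is a check inside every handler that loads a resource by ID. Two design choices worth copying: the ownership check lives in one function (`load_authorized`) that every endpoint must go through, so a new endpoint cannot forget it, and the response for “not yours” is indistinguishable from “does not exist”. Random, non-sequential IDs (UUIDs) raise the cost of enumeration but are not a substitute for the check.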

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off-the-shelf and legacy APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were flat year over year (290), but the number of records affected in 2018 nearly tripled, from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft are down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.