Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, and he likens the problem to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary unintentionally corrupting systems and devices down the line.

Politico: massive hacking of health records imminent

Politico is a website (and if you’re in Foggy Bottom-ville, a magazine) much beloved by the ‘inside government’ crowd and the media ‘chattering classes’. It has some aspirations to be like Private Eye, though without the leavening sharp satire, so the fact that they’ve turned their attention to–gasp!–the potential hackathon that is health records is amazing. They mention all the right sources: Ponemon, HIMSS, the American Medical Association, BitSight, AHIMA. In fact, the article itself may be a leading indicator that the governmental classes might actually do something about it. This Editor applauds Politico for jumping on our battered Conestoga wagon with the other Grizzled Pioneers. We’ve only been whinging on about data breaches and security since 2010, and their researchers could benefit from our back file.

And speaking of 2010, the Department of Health & Human Services (HHS) is doing its part to close the budget deficit by collecting data breach fines–$10 million in the past year. A goodly chunk will be coming from New York-Presbyterian Hospital/Columbia University Medical Center: $4.8 million for a 6,800 person breach (iHealthBeat) where sensitive records showed up online, readily available to search engines. And yes, we covered this back on 29 Sept 2010 when breaches were new and hushed up. Politico: Big cyber hack of health records is ‘only a matter of time’

Oddly, there is nary a mention of Healthcare.gov.