Weekend reading: AI cybersecurity tools no panacea, reality v. illusion in healthcare AI, RPM in transitioning to hospital-at-home, Korean study on older adult health tech usage

A potpourri of current articles. Hope you don’t feel like Pepper the Robot after you read them!

AI won’t boost cybersecurity, that’s cutting corners (Cybernews)

AI tools that make cybersecurity more effective and faster in response are increasingly available. They are estimated in a Techopedia article rounding up multiple studies to be a global market of over $133 billion by 2030. IBM claims that organizations with AI cybersecurity took 100 days less to identify and contain data breaches. Yet AI can also leave organizations more vulnerable to cyberattack. Hackers and ransomwareistes have been using AI for years in phishing and vishing (phone-based social engineering) attacks–now using OpenAI. What’s vulnerable? Large language models (LLMs) used in generative AI (AI with the ability to create content) can be corrupted and fed false information [TTA 7 Feb] or create deepfake images–Google Gemini is the latest example (not in article). FTA: “We need human critical thinking to use AI to solve and prevent problems. We’re adopting AI far faster than we have the ability to understand how to adopt it properly.” Another approach is to think like a cybercriminal and use AI to better understand how criminals can break into your systems.

What is real and what is illusion with healthcare AI? (03:16 video, Healthcare IT News)

This is a preview of a HIMSS24 talk on 11 March by Dr. Jonathan Chen, assistant professor at the Stanford Center for Biomedical Informatics Research. Patient care and outcomes are dependent on discerning what is real and what is not, especially in the use of chatbots in patient notes. Generative AI can be very convincing even if it’s not accurate, and that is not what is wanted in patient care. We are at the Gartner Peak of Inflated Expectations when it comes to AI–and we’ve been there before.

RPM strategies for moving from discharge to hospital-at-home care (Healthcare IT News) 

How can the home be better treated as a fundamental care setting? Understanding this is key to transitioning patients from in-hospital acute care to hospital-at-home, which is in reality not being discharged and requires managing a significant number of complex layers. Interview with Cindy Gaines, RN, chief clinical transformation officer at Lumeon, a clinical automation company.

Tailor fit digital health tech to the elderly’s needs: study (Mobihealthnews)

This summarizes a South Korean study that compared the usage of digital devices, such as smartphone apps, health apps, and wearables, among healthy and pre-frail/frail Koreans aged 65+. Smartphone use is nearly universal in South Korea, but wearables are only lightly used. Frailer respondents used social media more than healthy ones and used more healthcare apps on their phones. From the study: “There was a notable difference in the services used by pre-frail and frail respondents compared to healthy respondents. Therefore, when developing digital devices for pre-frail and frail older adults, it is crucial to incorporate customized services that meet their unique needs, particularly those services that they frequently use.”

505 participants completed the survey, with 153 (30.3%) identified as pre-frail or frail and 352 (69.7%) as healthy. Full study in the Journal of Korean Medical Science 27 November 2023

2023’s global cyberattack disaster: healthcare #3 in weekly attacks, 10% of organizations ransomwared–report

An average of 1,100+ cyberattacks per organization per week. Let that sink in.  While it represents only a 1% increase over 2022, and averages are well…averages, this is a lot to handle for any organization even if nowhere near the weekly average.

The report from Check Point Software Technologies, Ltd., an Israeli (Tel Aviv HQ) and US-based IT security organization, is depressing reading for any company, especially for healthcare. (Editor’s note: Check Point’s data is derived from ThreatCloud AI, their intelligence engine.) Many of the large numbers are boiled down to averages per organization per week.

  • In terms of general cyber attacks globally, healthcare is #3 with an above-average 1,500 attacks per organization per week, right behind #2 government and military; education is far ahead at #1 with 2,046 per organization per week. That figure was up 3% versus 2022.
  • Retail and wholesale attacks are up 22% annually–a cautionary note for healthcare organizations engaging in retail operations.
  • Regionally, APAC (1,930 attacks) and Africa (1,900 attacks) led with increases at 3% and 12% respectively.

We not only must be concerned with ransomware–but mega-ransomware. These include zero-day exploits (a software flaw exploited by the hacker/ransomwareiste before the vendor or developer finds it). Rather than being content with encrypting data and demanding bitcoin for its release, the hyper version is now data theft followed by extortion campaigns threatening public disclosure of the stolen data, such as the campaigns exploiting MOVEit and GoAnywhere. Not mentioned here is another vector–business associates and vendors, using ‘social engineering’ tactics to steal passwords and other secure information to gain access into the larger system [TTA 24 Jan].

  • 10% of global organizations were targeted by a ransomware attack, up 3 percentage points from 2022
  • Healthcare again was above average, #3 with 12% of organizations experiencing attacks. Government/military was #2 with 16%, and education/research was #1 with 22% of organizations.
  • The Americas went up from 5% in 2022 to 9% in 2023. APAC and EMEA were higher and also increased.

Advice they give on security is logical: robust data backup, cyber awareness training, up-to-date patches, stronger user authentication, implementing anti-ransomware solutions, and utilizing better threat prevention. Can healthcare do this while leaning out IT, fighting collapsing margins, and transforming care delivery?

A Thanksgiving turkey for hospitals: multiple cyber and ransomware attacks

IT incidents were on the Thanksgiving menu at many US hospitals. It was no holiday for the hospitals experiencing attacks and outages, forcing ERs to divert to other hospitals and resort to downtime procedures. The hospitals reporting them are part of Ardent Health Services, a 30-hospital operator. Ransomware has been reported for some as the cause. Not all Ardent hospitals have been reported as affected.

A rundown of what was attacked, and where:

  • The 10-hospital UT Health East Texas (Tyler, Texas) network reverted to downtime procedures and locked down its systems after a security incident and outage. Ambulances heading to its ERs were diverted to other hospitals.
  • Lovelace Health System in Albuquerque, New Mexico, affecting six hospitals, 33 health care clinics and seven outpatient therapy clinics. 
  • BSA Health System in Amarillo, Texas 
  • The University of Kansas Health System St. Francis Campus in Topeka 
  • Hillcrest HealthCare System (Tulsa, Oklahoma) 
  • Closer to this Editor’s home, two Hackensack Meridian hospitals in New Jersey served by Ardent were ransomwared starting on Thanksgiving: Pascack Valley in Westwood and Mountainside Medical Center in Montclair. Local reports indicated a ransomware attack. The outage continued through the weekend. Other Hackensack Meridian hospitals are not served by Ardent and were not affected.

Ardent has reported this to law enforcement and in their release, stated they are still determining the full impact of the event, though working with partners to restore access to electronic medical records and operations. 

In addition to the Ardent hospitals, on Thursday the six-hospital Vanderbilt University Medical Center (Nashville, Tennessee) reported a cyberattack that compromised a database and was contained. Ransomwareistas Meow claimed that VUMC’s information was leaked on the dark web. VUMC is not confirming a ransomware attack and stated that the “compromised database did not contain personal or protected information about patients or employees.”

Becker’s 27 Nov, 27 Nov (Hackensack), Asbury Park Press, News12NJ, Ardent Health release, The Record

Mid-week news roundup (updated 18 Aug): CVS eyeing Signify Health for in-home/VBC; Babylon Health mixed pic of revenue and losses up; Geisinger doubles telemed specialties; connected IoT devices expand cyber-insecurity (more); Owlet layoffs

CVS has dropped another shoe in their quest to add primary care and home health to their portfolio [TTA 5 Aug]. Reports indicate that CVS Health is bidding to acquire Signify Health, which is up for sale. Signify is best known as a major provider of in-home health care in both evaluations and community-based services, with users such as health plans, health systems, community groups, non-profits, and government. In March, they added provider value-based care with Caravan Health, a mid-sized Accountable Care Organization (ACO) management service organization (MSO), for $250 million. This would give CVS both leverage in in-home care and access to value-based care models in health systems and practices, adding a network of jumbo (100,000 lives+) ACOs to Aetna’s 500 ACOs.

Signify did take a bit of a bath with its acquisition/merger of Remedy Partners in 2019, which marked their entry into the Federal shared savings programs around Episodes of Care. While it created a $600 million company, Remedy’s Episodes of Care in the CMS Bundled Payments for Care Improvement (BPCI) program was always problematic for Signify on multiple levels (Editor’s experience). Signify announced its exit from the successor BPCI-A (Advanced) model last month to concentrate on home care and the Caravan business. The wind-down, which will take some time as these are Federal programs through CMS, will save Signify about $115-120 million in costs, compared to their annual direct and shared costs of $145 million. Restructuring costs such as severance may be only $35 million. After IPO-ing in February 2021 at $24 per share, it has only recently climbed back to $23, having earlier hit a 52-week low of $10.70. FierceHealthcare, HealthcareFinanceNews

Updated. Perhaps in preparation for acquisition, Signify Health is shedding 489 people starting 1 October, including 45 in Connecticut, with the remainder in Texas, South Dakota, and New York. The information comes from required notices to the Connecticut Department of Labor. The majority of employees affected are remote workers. It appears to be related to Signify’s winding up of BPCI and Episodes of Care activity, which are likely on calendar year contracts. The legacy company, Remedy Partners, had been headquartered in Connecticut with staff in New York. Moving forward with layoffs now makes the company more attractive for sale, as the separation expenses will not be an acquiring company liability. The 1 October start date is also a tell. CT Insider, Becker’s

A mixed picture for Babylon Health. Its Q2 results were up substantially in revenue–4.6x year-over-year from $57.5 million to $265.4 million–along with key indicators such as US members up 220% and a 7.5% improvement in medical margins over three quarters. The US has been very very good to Babylon with value-based care membership growing 3.2x year-on-year to a total of approximately 269,000 US VBC members with 40% of its VBC revenue from Medicare contracts. However, losses are up along with growth–$157.1 million compared to $64.9 million loss PY. Babylon at end of July announced worldwide layoffs of at least 100 people of its current 2,500 in their bid to save $100 million in Q3. Babylon release, Mobihealthnews

Geisinger Health was one of the pioneers in telehealth and remote patient monitoring, from ur-days in the early 2010s to today. Much of its patient base in Pennsylvania is rural or semi-rural, living well away from care centers, with a clinician base equally scattered. They went with a single system–Teladoc–integrated into Epic. By the early days of the pandemic, Geisinger was able to expand their telehealth coverage from 20 to more than 70 specialties and from 200 providers to more than 2,000 providers, and over two years (2020-2022) completed over 784,000 telehealth visits to homes, local clinics, or local hospitals. Case study in HealthcareITNews

If you’re a health system CIO managing lots of connected devices, you may need to go to a psychiatrist with your feelings of insecurity. That’s the gist of a new report, the Insecurity of Connected Devices in Healthcare 2022. A new-to-this-Editor cybersecurity firm, Cynerio, partnered with researchers at the Ponemon Institute to survey 517 executives at US health systems to find that their Internet of Medical Things (IoMT)/Internet of Things (IoT) vulnerabilities haven’t changed much since this Editor banged the gong about them well before the pandemic:

  • Cyberattacks–frequent: 56% of respondents experienced 1+ cyberattacks in the past 24 months involving IoMT/IoT devices; 58% averaged 9+ cyberattacks. Adverse impacts on patient care were reported by 45% and 53% of those resulted in increased mortality rates. 24% of hospitals noted an impact on their mortality rates.
  • Data breaches are routine: 43% of hospitals had one in the past two years
  • Risks may be high, but the reaction is sluggish: 71% rated security risks as high or very high, but only 21% report a mature stage of proactive security actions. 46% performed accepted procedures such as scanning for devices, but only 33% keep inventory.
  • Ka-ching! Goes the ransomware! When attacked, 47% paid the ransom, and 32% were in the $250-500,000 range.

The full report is available for download here. Those who prefer a webinar must wait till 17 August at 2pm (EDT)–registration here. Cynerio release, HealthcareITNews

Updated. Having sat in on the webinar, some further information points from the Ponemon survey deepen the ‘gravity of the risk’:

  • IoT is different because a hack or cyberransoming prevents the device from working. It isn’t fixed by backup as data can be.
  • Health systems are still using IoT computer systems running Windows XT/95–and earlier (!)
  • The average total cost of the largest data breaches is $13 million–the most common cost is in the $1-5 million range. 
  • 88% of these data breaches involved at least one IoT/MT device
  • Risks are known, but action is lagging. 72% of health organizations report a high level of urgency in securing devices–yet 67% of organizations do not keep an inventory of IoT/IoMT devices that they scan
  • 79% don’t consider their activities to be ‘mature’
  • Security investment doesn’t reflect the gravity of the risk–only 3.4% of IT budgets focus on IoT/MT device security.

And in sad layoff news, Owlet Baby Care is shedding an unknown number of employees. Here is the notice on LinkedIn. We noted their FDA problems and a fast pivot last in February, but their going public via a SPAC has been rocky at best with shares lingering at $2 from the IPO at $8. Marketing a pricey baby monitor direct to consumer is expensive, even if it meets a need, and this is likely a cash crunch. At least the ‘leader of people & culture’ is giving them a proper sendoff of thanks–and more usefully, providing their contact information for potential job openings with other companies.

[This is in contrast to the gone-viral spectacle of the CEO of something called HyperSocial posting on LinkedIn his angst about laying off staff–along with a selfie of him weeping. Not exactly confidence-making and All About Him. This Editor’s comment is one of 6,000-odd posts which are largely doubtful to negative.]

More and more into the (data) breach: 3X more patient records in Q2, UnityPoint’s breach balloons to 1.3M

And we thought Healthcare Hackermania was following the Hulkster into retirement. After a quiet Q1, data breaches and hack attacks blew up both in Q2 and now in this quarter.

Data compliance analytics firm Protenus’ Breach Barometer (with DataBreaches.net) has been tracking healthcare data breaches for years. Q1 was quiet, with 1.13 million patient records affected in 110 separate health data breaches. But Q2 was a true triple threat, with patient records up three times to 3.14 million across 142 separate breaches–which means more records per breach on average. What is also distressing is that 29.71 percent are repeat offenses among employees, up from 21 percent in the previous quarter.

  • 36.6 percent of breaches were due to external hacking, nearly double that of Q1.
  • 30.99 percent were due to insiders, either through deliberate wrongdoing (theft) or insider error. Insider wrongdoing was led by family members snooping on other family members’ records. Not Russians, Chinese, NoKos, or Bulgarians bashing about. 
  • In contrast to Q1, where the biggest data breach was a network hack of an Oklahoma-based health network (reportedly the Oklahoma State University Center for Health Sciences), compromising nearly 280,000 records, Q2’s Big Breach was a physical burglary of the California Department of Developmental Services in Sacramento affecting over 581,000 records. After the usual ransacking and theft, the burglars started a fire before they left and the sprinklers did the rest.

It routinely takes nearly forever from when a breach occurs to when it is discovered: in Q1 244 days, in Q2 204 days. In Q2 the longest discovery time was over five years, 2013 to 2018. This indicates that insiders may be good at covering their tracks, and/or IT staff don’t get around to detecting and policing breaches.

Protenus and DataBreaches.net compile incidents disclosed to HHS and reported in the media, and are now adding their own proprietary, non-public data on the status of health data breaches nationwide, including a review of tens of trillions of individual accesses to EHRs which Protenus audits as part of their healthcare systems services. More detail in Protenus Q2 and Q1 full reports, HealthITSecurity (Q1)

Certain to lead their Q3 report is the 1.4 million patient record breach at UnityPoint Health, an Iowa-based health system. In May, a small phishing breach compromised 16,000 records. This cyberattack also started with email phishing and spread through employee networks. “The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.” Were the hackers after patient data? According to UnityPoint, “The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization.” Healthcare Analytics News

You may not want a cyberattack, but cyberattacks and hacking want you….

South Korea’s ambivalence towards telemedicine

The surprising reasons why. 5.8 million South Koreans aren’t exactly tech-phobic, enjoying a nationally swift internet backbone and high personal smartphone penetration. The home of the two leading smartphone makers is pioneering mobile-first retailing and a national IoT network. South Korea (SK) also has the need–an aging population living in rural areas. Yet South Korea bans doctor-patient virtual visits in their Medical Act, and expects major demonstrations by doctors and activists when it comes up for a vote later this year in their National Assembly. Telemedicine and also telehealth/RPM may happen eventually, backed by powerhouses like SK Telecom, Samsung and LG, but will have to take into consideration some unique circumstances:

  • Cyberattacks from North Korea, which have already hit a Seoul university hospital’s software security contractor and demonstrated their system’s HIT vulnerabilities
  • The government’s glitch-ridden telemedicine pilot program with serious problems in data management, encryption and weak passwords
  • The fear that only the rich will be able to afford it–and in SK’s split system, the fear that funding may be withdrawn from the extensive network of community clinics instead of benefiting them

Medical professionals, including the 100,000 doctors in the KMA who successfully blocked telemedicine in 2014 and haven’t participated in the pilot program, are calling for “a slower, more collaborative plan of attack that establishes safety protocols and smart regulatory oversight.”  Quartz

Extent, cost of health ID theft exposed in Wall Street Journal

Confirmation that your Editors (including Founder Steve) are no longer Voices Crying In The Wilderness on health data insecurity came this weekend on the front page (print) of The Wall Street Journal. It concentrated less on the profit of stolen PHI–$50 per record on average versus $7 for a credit card, according to Ponemon Institute–than on the horror of the 2.3 million individuals suddenly finding out that hospitalizations, procedures and prescriptions in their name were being used by others, leaving them with the bill and unable to clear both their financials and their health records.

EHRs are treasure troves of health and financial information. Unlike credit card theft, there’s no warning–and no limits. Providers and insurance companies put the onus on the person with the stolen data. There is no healthcare equivalent of the Fair Credit Billing Act (FCBA) and the Fair Credit Reporting Act (FCRA), which since 1974 and 1970 respectively have limited the individual impact of fraudulent credit card charges.

Consumer security programs like LifeLock are not particularly effective in proactive notification. In other words, you’re stuck. You may run through your benefits and then be responsible for the bills. Second, you may never get the bad information and diagnoses out of the supposedly accessible health record because of privacy laws, especially if you are a caregiver.

Victims sometimes only find out when they get a bill or a call from a debt collector. They can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show she has diabetes when she doesn’t, say, or list a blood type that isn’t hers—errors that can lead to dangerous diagnoses or treatments.

Adding insult to injury, a victim often can’t fully examine his own records because the thief’s health data, now folded into his, are protected by medical-privacy laws. And hospitals sometimes continue to hound victims for payments they didn’t incur.

According to Ponemon, “65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records.”

Very rarely does this Editor look for a Federal remedy to a problem, (more…)

“The data security fault, dear Brutus, is not China, but in the company org chart”

Mansur Habib, PhD and cybersecurity strategist, formerly CIO for the Baltimore City Health Department, proposes that any data breach analysis should start first with a hard look at the organizational chart. If the CIO or the chief information security officer (CISO) doesn’t report directly to the CEO, the executive clearly does not place priority on IT and data security, treating it as a cost center to be restricted; in his words, they do not ‘embrace cybersecurity risk as business risk’. In his 2013 doctoral research and subsequently, Dr Habib observed that about half of US HIT and cybersecurity heads report to the chief financial officer (CFO) or some other executive like a CAO (administrative). His withering take on most CEOs is that they are more concerned with stock price (more…)

Seven safeguards for your mHealth app

With cyberattacks from all sources on the rise, and mHealth apps being used by providers in care coordination, telehealth, patient engagement and PHRs, Practice Unite, which has some experience in this area through designing customized app platforms for healthcare organizations’ patient and clinician communications, in its blog notes seven points for developers to keep in mind:

1. Access control: unique IDs assigned to each user, remote wiping of the mHealth app from any user’s device.
2. Audit controls
3. Authentication
4. Integrity controls, such as compartmentalization, to ensure that electronically transmitted PHI is not prematurely altered or corrupted
5. Transmission security: data encryption at rest, in transit, and on independently secured servers protects PHI at each stage of transmission
6. Third party app integration–must fully comply with HIPAA safeguards
7. Proprietary data encryption

But all seven points need backing from the top on down in a healthcare organization. (More in the article above)

The drip of data breaches now a flood: 4.5 million records hacked–update

Breaking News, updated at end. Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of an SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years, during April and June, using cyberattacks and sophisticated malware. (more…)