News roundup: UHG’s cyberattack hit now $2.3B, Senate bill on cyberattacks intro’d, VA’s AI tech sprint awards, AliveCor’s new CPT codes

UHG reported earnings, with profit reduced by $1 billion due to Change Healthcare cyberattack costs. On Tuesday 16 July UnitedHealth Group reported Q2 (ending 30 June) earnings of $98.9 billion, up $6 billion or 7% versus Q2 last year. Profit though didn’t move the same way, instead taking a hit at $7.9 billion, down from last year’s $8.1 billion. Despite strong performances in the UnitedHealthcare and Optum units, the drag from the Change Healthcare cyberattack is now estimated at an additional $1 billion over last quarter’s guesstimate, now at $2.3 billion. Also weighing on profit are inflating healthcare costs, reflected in rising medical loss ratios (MLRs). Change is also obliged to do the patient notification, which will start by the end of this month [TTA 21 June], having already started notifications of hospitals, providers, insurers, and other customers. Release, Healthcare Dive

But hey, now the Senate has a bill to coordinate agencies with the purpose of reducing those darn cyberattacks. The Healthcare Cybersecurity Act, sponsored by Senators Jacky Rosen (D-Nev.), Todd Young (R-Ind.), and Angus King (I-Me.), would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity. One important change would be creating an HHS liaison within CISA to coordinate incident response specifically for healthcare entities. An earlier version introduced by Sen. Rosen in 2022, S. 3904 (117th Congress), never made it into committee. Sen. Jacky Rosen release, Healthcare Finance. But aren’t there other agencies involved in cyberattacks and ransomware, like the FBI and the Department of Justice? And international agencies like the NCA and Europol, since so many come from the darker parts of Europe and Asia? (The devil’s in the details…)

The Department of Veterans Affairs (VA) is taking a modest dip into the AI ocean. The award late last week of pilots for an AI-assisted healthcare dictation tool went to Abridge AI and Nuance Communications. The non-competitive, fixed-price contracts result from the two companies winning the first track of the VA’s AI Tech Sprint, which launched last October. The tools are designed to generate transcriptions from ambient recordings of patient encounters within specialty care, mental health care, and primary care settings, as well as integrating into the Oracle Cerner EHR. The notice does not specify start or end dates. There is also a second sprint around developing an AI system to process documents generated in patient-provider encounters and other complex medical documents for continuity of care and sharing information with VA providers. FedScoop

AliveCor received CPT codes applicable to the company’s Kardia 12L ECG System. The Category III Current Procedural Terminology (CPT) codes are assigned by the American Medical Association (AMA). The 12-lead system a few weeks ago gained FDA clearance for the combination of the Kardia 12L ECG System, a single cable with five electrodes that acquires 8 high-quality diagnostic bandwidth leads, with their KAI 12L AI-assisted diagnostic technology for clinician use only. The three new codes will be effective 1 January 2025 and will be published in the 2025 CPT Code book. Release

News roundup: Change responsible for data breach notices; 37% of healthcare orgs have no cybersec contingency plan; health execs scared by Ascension breach; CVS continues betting on health services; Plenful’s $17M Series A

HHS agrees with providers that the data breach notification is on Change Healthcare, not them. Health and Human Services’ Office for Civil Rights (OCR) moved quickly to formally change the FAQs that kicked off the 100+ provider letter [TTA 23 May]. Now “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.” “Covered entities” in this case refers to the providers. Only one entity–Change or the provider–“needs to complete breach notifications to affected individuals, HHS, and where applicable the media.” Providers must contact Change Healthcare for the delegation. 

Chad Golder, general counsel and secretary at the American Hospital Association (AHA) said in their statement, “As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack.” HHS notice, Healthcare Dive

Meanwhile, UHG still does not know the extent of the breach which started in late February. Knowing the extent of the breach is needed to start notifications. It has not formally notified HHS of the breach long past the 60-day mandated window (see #3 in the HHS FAQs). This may create an ‘unreasonable delay’ (see #6). Not all Change systems are back up either–see the Optum Solutions page that has plenty of red Xs.

Only 63% of healthcare organizations have a cybersecurity response plan in place, leaving 37% without a plan. This is based on a survey of 296 IT/data security/management executive respondents working at healthcare organizations in the US performed by Software Advice, an advisory and consulting firm. Other findings:

  • Nearly 1 in 3 have had a data breach in the last three years
  • 42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data
  • 34% failed to recover data after the ransomware attack
  • 55% of medical practices allow access to more data than employees need to do their job which makes them more vulnerable to attacks
  • While 41% of data breaches are attributable to malicious hacking, another 39% are due to malware, 37% are due to social engineering and phishing scams, 36% are due to software vulnerabilities, and 30% are due to employee error.

It would have been helpful if Software Advice in its report had broken down the type of practices surveyed. Healthcare Dive

Meanwhile, healthcare executives were ‘scared’ by the Ascension Health breach, as they should have been. Katie Adams’ piece in MedCityNews explores reactions from five different C-suite hospital executives about the recent attack on Ascension. The IT and data officers are from MD Anderson, Yale New Haven Health, CommonSpirit Health, Allegheny Health Network, and UPMC. The overall take: threats are more common than ever; bad actors are abundant and getting better (using tools that can make amateurs into pretty good “bad actors” via “LLM products and have them help you build ransomware code.”); managing weaknesses in third-party vendors that live in the cloud is a Herculean task; phishing persists; and ‘government’ needs to be involved.

This Editor notes that the rush for providers into generative AI, given this environment, is perhaps premature. Yet here they go; researchers from Mount Sinai’s Icahn School of Medicine used structured data, such as vital signs, and unstructured data, such as nurse triage notes, to develop models predicting hospital admissions using ChatGPT-4. It supposedly can learn from fewer examples than other machine-learning models currently used and use data from traditional models. Becker’s

Ascension is slowly coming back, now projecting that all their locations will have their EHRs restored by the week of 14 June. Currently, only Florida, Alabama and Austin are up and running. Ascension Rx retail, home delivery and specialty pharmacy sites are now open as well. They will have some ‘splainin’ to do to HHS OCR. Ascension update site

CVS is confident in the future of its retail health despite their struggles with Minute Clinics and Oak Street. Despite the struggle of retail health clinics at other providers such as Walgreens/VillageMD and the shutdown of Walmart Health, Sree Chaguturu, MD, CVS Health’s executive vice president and chief medical officer, expressed complete confidence at a recent industry conclave, thINc360 – The Healthcare Innovation Congress. This is despite the closures of dozens of Minute Clinics in Southern California and New England [TTA 31 May] out of their 1,100 total, plus CVS seeking an investment partner for Oak Street [TTA 29 May]. Dr. Chaguturu returned time and again to the 10,000-odd CVS Pharmacy locations and their leverage within communities, leaning very hard on the 5 million people coming in daily and the ‘opportunity for their pharmacists to engage’. As a CVS customer at a small location, those busy pharmacists aren’t engaging with me unless I have a script to fill or need an OTC decongestant that’s on the state signoff list due to an ingredient. In fact, CVS locations have rather few people nowadays, including behind checkout counters. Then again, it was a meeting speech. FierceHealthcare

Concluding on a brighter note, Plenful’s Series A came in at a tidy $17 million. Plenful developed and markets an AI-assisted workflow-automation platform for pharmacy and healthcare operations, claiming that it automates over 95% of the work for disparate administrative workflows. Features include 340B audit, document processing, contracted rates optimization and inventory planning, and pharmacy cycle revenue and reporting. Founded in 2021, the company has already lined up some impressive clients. Lead investor TQ Ventures was joined by Mitchell Rales (cofounder and chairman of Danaher), Susa Ventures, Waterline Ventures, and Bessemer Partners, the lead for last September’s $9 million seed funding for a total of $26 million. Crunchbase, Mobihealthnews

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News: This morning’s (Tuesday 16 May) news is about reputable security organizations–Kaspersky Lab and Symantec–connecting the dots that lead, for now, to a North Korea-linked hacking organization, the Lazarus Group. This group has been identified in previous hack attacks; the attribution rests on WannaCry code also appearing in earlier Lazarus programs. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea for its missiles, army, EMP and nuclear arming while its terrorized people starve. However, this attack was a flop; according to US Homeland Security, about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the original information which targeted weaknesses in Microsoft’s systems.

WannaCry disproportionately affected Russia, Taiwan, Ukraine and India, according to Czech security firm Avast. No US Federal government systems were affected. China on Monday reported that it had hit traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World, is that the malware first tries to connect to a then-unregistered domain; if it can’t connect, it goes on to infect the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article) Also FoxNews
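One defender-side consequence of the kill-switch mechanism described above: once the domain was registered, every host that successfully looked it up had already run the worm and been stopped, while a host whose lookup failed got no protection at all. The following is an added example, not code from the article or from any of the parties it names; it triages a constructed resolver-log format and uses a placeholder for the kill-switch domain (the real one is not reproduced here).

```python
import re
from collections import Counter

# Placeholder for the kill-switch domain; the real WannaCry domain is not used.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver-log format (not any real product's):
#   <timestamp> <client-ip> <queried-name> <rcode>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<name>\S+)\s+(?P<rcode>[A-Z]+)$"
)

# Constructed sample log lines, including one that does not parse.
SAMPLE_LOG = """\
2017-05-12T11:03:21Z 10.1.4.22 killswitch-placeholder.example NOERROR
2017-05-12T11:03:21Z 10.1.4.22 updates.example NOERROR
2017-05-12T11:03:40Z 10.1.7.9 killswitch-placeholder.example NOERROR
2017-05-12T11:04:02Z 10.1.4.22 killswitch-placeholder.example NOERROR
2017-05-12T11:05:11Z 10.2.0.5 killswitch-placeholder.example SERVFAIL
2017-05-12T11:05:30Z 10.3.3.3 intranet.example NOERROR
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Bucket hosts that looked up the kill-switch domain.

    halted:   lookup succeeded, so the sample reached the registered domain
              and exited; the host still executed the worm and must be
              patched and cleaned.
    unhalted: lookup failed (blocked resolver, no direct egress), so the
              kill switch could not fire; treat the host as actively infected.
    Returns (halted Counter, unhalted Counter, number of skipped lines).
    """
    halted, unhalted, skipped = Counter(), Counter(), 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        if rec["name"].lower().rstrip(".") != domain:
            continue
        bucket = halted if rec["rcode"] == "NOERROR" else unhalted
        bucket[rec["src"]] += 1
    return halted, unhalted, skipped


def report(log_text):
    """Produce one remediation line per affected host, worst cases first."""
    halted, unhalted, skipped = triage(log_text)
    lines = [f"INFECTED (kill switch never fired): {src}, {n} lookup(s)"
             for src, n in sorted(unhalted.items())]
    lines += [f"HALTED (patch and clean): {src}, {n} lookup(s)"
              for src, n in sorted(halted.items())]
    if skipped:
        lines.append(f"{skipped} unparseable line(s) skipped")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```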

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level, with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which the President signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill. Earlier coverage here

IoT and the inevitable, looming Big Data Breach

The Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 million Wi-Fi-connected tea kettles, smart fridges, remotely adjusted pacemakers (and other medical devices) plus home security two-way video systems that accost the dodgy door ringer sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT, patched out of PCs 10 years ago, that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. Their prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that will shut down millions of Connected Cars’ CPUs or disable the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.

Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security?

The security risks, and the promise of, the Internet of Things

Jason Hope, who back in September wrote on how one of the greatest impediments to the much-touted Internet of Things (IoT) was not security, but the lack of a standardized protocol that would enable devices to communicate, has continued to write on both this topic and IoT security. While The Gimlet Eye had great fun lampooning the very notion of Thingys Talking and Doing Things Against Their Will [TTA 22 Sept 15], and this Editor has warned of security risks in over-connectivity of home devices (see below), relentlessly we are moving towards it. The benefit in both healthcare monitoring/TECS and safely living at home for older adults is obvious, but these devices must work together easily, safely and securely. To bend the English language a bit, the goal is ‘commonplaceness’–no one thinks much about the ubiquitous ATM, yet two decades ago ‘cash machines’ were not in many banks and (in the US) divided into regional networks.

As Mr Hope put it as the fifth and final prediction in his recent article:

The IoT Will Stop Being a “Thing”
How many times in the past week have you said, “I am getting on to the World Wide Web?” Chances are, not very many. How many times have you thought about the wonder of switching on a switch and having light instantly? Probably never. Soon, the Internet of Things, and connectivity in general, is going to be so commonplace, we also won’t think about it. It will just be part of life and the benefits and technology that wow us right now will cease to be memorable.

This Editor continues to be concerned about how hackers can get into devices…

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first-ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive international Data Breach Investigations Report (DBIR), now eight years running.

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but a PHI breach may come from non-healthcare (in the US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert. Included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team, noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, and start small and sneaky. Two-thirds of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection.

UCLA Health data breach may affect 4.5 million patients

Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, exposing an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker…

58 percent of health data breaches due to simple theft, not hacking: JAMA

Criminal activity is the cause of nearly 6 out of 10 data breaches, according to a study published in JAMA last week (subscription required). Cyberbreaches–the infamous hacking attacks–produce breaches in the millions, but the far more typical and frequent breach, if smaller, is caused by simple theft of records–electronic and paper. HealthLeaders. We’ve reported previously that stolen records (over 500) have ranged from laptops to paper records as landfill and even old-style X-rays in dead storage sought after for mercury content. So if Hackermania is not always running wild, except when it is, how to keep those records secure? According to West Virginia United Health System’s assistant CIO, interviewed by FierceHealthIT at HIMSS, it requires a policy change of staff education, expectations, understanding that protecting patient information is part of holistic care–and frequent audits. Trust, but verify. Encrypt–and keep passwords secure, multiple and frequently changed.