TTA’s Where Did Spring Go?: Meta Pixel captures personal health info, sending to Facebook; Oracle’s remaking of Cerner; Balwani’s Theranos trial nears verdict; data breaches skyrocket, more!

 

 

Weekly Update

Probably the most important and developing story of today is the misuse of Meta Pixel ad tracking code, its capture of personal health information from major health system sites, and sending it straight to Facebook. A corollary story is the sharp rise of health data breaches, now in the millions. Telemental Cerebral’s legal miseries pile up, Sunny Balwani of Theranos awaits legal verdict, and successful fundings a bit thin on ground. And will there even be a Cerner left after Oracle’s through with it? (The skepticism around tech fixes to Big Health Problems continues.)

Breaking: Hospitals sending sensitive patient information to Facebook through website ‘Meta Pixel’ ad tracker–study (Next week’s Big Story)
Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up (Hackermania continues to run wild)
Wednesday news roundup: Oracle scrutinizing outside vendors, cloud change coming for Cerner EHRs, audio-only telehealth can continue after PHE–HHS, Proximie connected surgery raises $80M (UK) (Will there even be a Cerner left?)
Oracle’s Big Healthcare Transformation: it’s all about ‘better information’ (sigh) (updated) (A misguided trust in tech fixes?)

Oracle’s close on their Cerner buy led the news, with the usual claims that the combined companies will ‘redefine the future of healthcare.’ For those who’ve heard that song before, the business of healthcare continues, with Apple, Amwell, Connected Health (UK), a metabolic tracker out of India, and the biggest US data breach of the year so far. Cigna tracks why loneliness is peaking, while the less lonely join class-action lawsuits against Teladoc. And considering SPACs to go public the easy way? Fuggedaboutit!

Weekend review: FDA clears Apple Watch ‘AFib History’, OS9 adds health features; Amwell’s new CMO; 2M records breached at New England provider, largest this year (Apple reinforces Watch for health)
Remote health monitoring a winning strategy…for sports? (Metabolic tracking is the angle)
Thursday news roundup: dimming SPACs, hospital-at-home pilots in DFW, Connected Health debuts bespoke home care services configurator in NIR (The decline in SPAC ‘funny money’)
A sneak peek at Oracle’s plans for healthcare prior to 9 June’s ‘The Future of Healthcare’ live (Without listening to Tony Blair! And nary a mention of DOD and VA.)
Wednesday AM roundup all about money: $28B Oracle-Cerner closes today, 9 June strategy talk; Teladoc class-action lawsuits begin; Cigna’s look at loneliness (Money and the loss of)

Last weekend was Britain’s Platinum Jubilee Weekend, which made the bank holiday very special indeed. And from the US, much respect. A potpourri of news including the likely closing of Oracle’s Cerner buy (it will, on 8 June) and the Homeward Bound second act of several Livongo veterans.

God Save The Queen on her unprecedented 70 years of service!

Thursday news roundup: bet on Oracle-Cerner closing next week, VA EHR progress reports mandated, Homeward-RiteAid rural care, Medtronic-DaVita kidney JV, Withings reenters RPM, Lightbeam buys Jvion AI (Potpourri of activity)
CVS, Walmart refuse Cerebral, Done Health controlled substance prescriptions via telehealth; Cerebral CEO replaced (Trouble in telementalhealth-land)

A little bit of everything as we arrive at the unofficial start of summer. Walmart expands its drone delivery, AWS gains a big one in the Healthcare Cloud Wars, and Verizon publishes its latest roundup on IT breaches. Oracle-Cerner moves a little closer to full international approval. There’s an Aging2.0 challenge, a substantial RPM raise, and NY seniors get robots. And to white coat or not on a telehealth consult.

Thursday’s short takes: Walmart’s delivery drones expand, AWS lands Geisinger for AI and cloud, UHG-Kaia Health partner for virtual MSK therapy (Droning on and the Cloud Wars accelerate)
ElliQ companion robot, NYSOFA partner for NY older adult assistance (Will they like it?)
Wednesday news roundup: Oracle-Cerner reportedly OK’d by EU, VitalTech RPM raises $14.1 M, Aging 2.0 interoperability challenge, what do rough times mean for investors and startups, employees cause 39% of healthcare IT breaches (Breaches multiply, and Lisa Suennen’s take on what to expect from the current financial craziness)
To white coat, or not to white coat? That is the telehealth doctor question. (A short, refreshing read through the history of the medical white coat)

Our strange May continues with a lot of legal activity, including the tale of one doctor who side gigged as Dr. Mabuse, Master Cybercriminal. Telehealth continues a wobbly path, with claims down along with Amwell’s performance. And Cerner has more problems, this time with DOD and VA. But a new Perspective gives us hope that the UK can save more than £14 bn through TEC–and there’s always self-driving cars for med delivery!  

Thursday legal news roundup: Oscar Health accused of IPO securities fraud; Venezuelan cardiologist moonlights as cybercriminal, faces slammer; Change Healthcare sues former employee now at Olive AI (When lawsuit news outstrips M&A, it’s not good)
Cerner EHR implementation with both DOD and VA running into interoperability, other problems: Federal audit (More process problems being sorted out in public)
Perspectives: Where next for technology-enabled care after 2025? (Is £14bn in savings over the next 10 years an underestimate?)
News roundup: telehealth claims drop 9% in February; Amwell’s good news, bad news Q1; tech-enabled practice Crossover Health growing; NowRx and Hyundai test semi-self-driving delivery (One hopes those Hyundai Ionics drive better than telehealth’s performing)

May’s ups and downs, with the stock market drowning out healthcare. Cerebral confirmed their Federal investigation for prescribing practices, putting a bucket of cold water on this hot sector. But good news pokes its head out, with a Johns Hopkins study that telehealth is benefiting the underserved and urban, not just the affluent and young. More good news with a telecare pioneer receiving the top award for UK enterprise.

Alertacall receives Queen’s Award For Enterprise: Innovation (An outstanding recognition for a telecare pioneer in this Platinum Jubilee Year)
CMS telehealth pandemic waivers boosted usage among disadvantaged, urban patients (Tide lifting all boats, and that’s good)
DOJ investigates telemental Cerebral on over-prescribing of controlled medications (A flashing warning sign for investors)


Have a job to fill? Seeking a position? See jobs listed with our new job search partner Jooble in the right sidebar!


Read Telehealth and Telecare Aware: https://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Legrand/Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine, and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up

Telemental health Cerebral’s miseries pile on. The Federal Trade Commission (FTC) is now investigating Cerebral on deceptive advertising and marketing practices. The Wall Street Journal (may be paywalled) reviewed the 1 June letter sent to the company. The letter requests the usual preservation of documents and asks ‘dozens of questions’ related to their business. Of particular interest to the FTC is the ‘negative option’ practice that continues the subscription fee unless the subscriber takes positive action to cancel it. Subscribers have complained that Cerebral did not cancel their subscriptions after repeated attempts to do so and did not refund their money. Reuters, FierceHealthcare

Also of interest to the FTC will be the dodgy advertising claims about ADHD and obesity which ran on TikTok and Instagram [TTA 10 May]. The WSJ reported that their ad spend topped $65 million for this year–$13 million on TikTok alone from January to May this year, making Cerebral the third-largest advertiser behind HBO and Amazon, according to research firm Pathmatics.

The FTC action follows the Department of Justice (DOJ) investigation of their prescribing of controlled (Schedule 2, high potential for abuse) substances such as Adderall and Xanax, CVS and Walmart refusing their prescriptions, the unceremonious booting of the CEO and co-founder, and a wrongful dismissal lawsuit by a former VP of product and engineering, Matthew Truebe. Certainly, its investors led by SoftBank, which raised $300 million in December less than six months after a raise of $127 million, are unhappy at watching their $4.8 billion baby crash and burn.

The second “rerun” Theranos trial of Sunny Balwani rests. This much-muted trial is winding towards its close. Receiving much less breathless and near-sensational coverage than Elizabeth Holmes’, Theranos president Balwani was tried in the same San Jose Federal district court, with the same prosecutor (Robert Leach), just about the same charges (12 counts of wire fraud), and Judge Davila presiding. Holmes was convicted and her sentencing is scheduled for September.

The prosecution rested on 20 May and the defense on 9 June. The trial took some delays due to at least two jurors falling ill from Covid. The defense strategy rested on Holmes’ founding and operating the company without Balwani for a few years and that he never sold his shares, making him as victimized as any ordinary investor. The prosecution is relying on how close Holmes and Balwani were, that he had great power at Theranos–and used it, plus in his position was well aware of the problems with the lab machines and deliberately sought to defraud investors by covering it up. Unsurprisingly, Holmes did not testify at his trial, although she was a looming presence at his as he was somewhat at hers, especially in her testimony about their relationship. Closing arguments took place on Tuesday (14 June) and the jury will be charged after their conclusion. NBC Bay Area, New York Post, Wall Street Journal

Happier news comes from Proscia, a pathology software company, funding a $37 million Series C. Highline Capital Management, Triangle Peak Partners, and Alpha Intelligence Capital led the round along with participation from five earlier investors. Their total funding is up to $72 million. Their AI-enabled Concentriq platform combines “enterprise scalability with a broad portfolio of AI applications to accelerate breakthroughs and unlock clinical insights that advance precision medicine.” Clients include 10 of the top 20 pharmaceutical companies as well as the Joint Pathology Center, Proscia release, Becker’s 

Adding to the tally of healthcare data breaches are several this week. The year-to-date winner, of course, are the 2 million at Shields Health Care Group in Massachusetts [TTA 10 June], but this week, reports have been breaking out like late spring roses:

  •  A clinical guidance software vendor’s breach reported 10 June has exposed the protected health information (PHI) of patients at Omaha, Nebraska-based CHI Health and Sioux Falls, South Dakota based Avera Health. Avera has about 900 exposed patients, but the number at CHI is not yet known. MCG Health is the vendor. Becker’s
  • Yuma (Ariz.) Regional Medical Center reported an April ransomware attack that while short in duration, exposed PHI of 700,000 patients. An unauthorized user removed files from the hospital’s system that included patient health information such as names, social security numbers, health insurance information, and limited medical information relating to care. The hospital went offline until it was resolved, including reporting to law enforcement. Becker’s, Healthcare Dive
  • UChicago Medicine had its employee accounts hacked in March by an unauthorized user. It exposed about 2,500 patient records that included patient first and last names, social security numbers, health information, legacy Medicare beneficiary identification numbers, health insurance policy numbers, and driver’s license numbers. Becker’s
  • And Kaiser Foundation Health Plan of Washington had about 70,000 patient PHIs exposed on 5 April when an unauthorized user gained access to one employee’s emails with information on patient first and last names, dates of service, laboratory test information, and medical record numbers.

Short, but certainly not sweet, and expensive.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics–international hackers inserting ransomware in compromised systems and demanding billions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. A steady drumbeat despite many efforts to secure against outside attacks and continously monitor systems, still there are plenty of legacy devices floating around hospitals and clinics using outdated computer software and initial setup passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported that on 18 January that servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program which aids missing people and their families, unaccompanied or separated children, detainees, and other people as a result of armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts.  In addition, log in information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach that accessed patient billing information with the intent of rerouting the payments from the hospital to themselves. The hacker in the process gained access to patient billing information, names, dates of treatment, treatment codes and costs, but not the jackpot of SSI and other financial information. The article does not disclose whether payments were successfully redirected.  Becker’s Health IT

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy

Alyssa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off the shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

Weekend reading: HISTalk’s interview with Spirion’s CEO on healthcare data security

A short but must-read if you care about data security and your customers/patients/residents. Where this HISTalk interview with Kevin Coppins, CEO of Spirion, excels is leading the reader through areas that are usually filled with fog and IT jargon. The view is from his company and a healthcare organization sitting in a conference room and scoping the problem without ‘paralysis by analysis’ or a turnkey ‘solution’ that may not be one. What’s different here is the clear, and few, logic steps, particularly the first three listed, that Mr. Coppins takes to get the ball rolling rather than befogging the discussion with too many factors or the punitive consequences of regulatory non-compliance.

“The concept of data and sensitive data is at the core of both security and privacy.”

  1. How much data do you have? (Nobody really knows, admit it)
  2. Of that data, what would you consider ‘sensitive’, and how do you define ‘sensitive’? Not only by regulation/compliance directives, but what your patients, clients and the board would consider ‘sensitive’.
  3. How much of that data is actually critical? 
  4. What’s the impact? How personal is it to your organization, not just in a compliance way but in your community, etc.
  5. How do I reduce the risk of loss?
  6. If I lost the data due to hacking or ransomware, what’s the backup? How fast can this happen?

This Editor notes that these points (quantity, definition, risk of loss and recovery, and community impact) can be applied to other situation analyses.

The litany of ransomware attacks that have ramped up during the pandemic waves has pushed data security issues to the ‘gotta tackle’ list. According to Emsisoft, a security company, there were 41 attacks on healthcare organizations in first half 2020. This didn’t stop during the summer, with a rash of them at end of October and a hit list of 400 hospitals, according to Becker’s.) Hacking attacks persist but aren’t getting the headlines.

And his conclusion is pertinent: “When it comes to security and privacy and all the drama and all the noise that you hear about it and read about it, just boil it down to this — am I doing everything I can today to protect what matters most to the constituents I serve?”

Will the rise of technology mean the fall of privacy–and what can be done? UK seeks a new National Data Guardian.

Can we have data sharing and interoperability while retaining control by individuals on what they want shared? This keeps surfacing as a concern in the US, UK, Europe, and Australia, especially with COVID testing.

In recent news, last week’s acquisition of Ancestry by Blackstone [TTA 13 August] raised questions in minds other than this Editor’s of how a business model based on the value of genomic data to others is going to serve two masters–investors and its customers who simply want to know their genetic profile and disease predispositions, and may not be clear about or confused about how to limit where their data is going, however de-identified. The consolidation of digital health companies, practices, and payers–Teladoc and Livongo, CVS Health and Aetna, and even Village MD and Walgreens–are also dependent on data. Terms you hear are ‘tracking the patient journey’, ‘improving population health’, and a Big ’80s term, ‘synergy’. This does not include all the platforms that are solely about the data and making it more available in the healthcare universe.

A recent HIMSS virtual session, reported in Healthcare Finance, addressed the issue in a soft and jargony way which is easy to dismiss. From one of the five panelists:  

Dr. Alex Cahana, chief medical officer at ConsenSys Health.”And so if we are in essence our data, then any third party that takes that data – with a partial or even complete agreement of consent from my end, and uses it, abuses it or loses it – takes actually a piece of me as a human.”

Dignity-Preserving Technology: Addressing Global Health Disparities in Vulnerable Populations

But then when you dig into it and the further comments, it’s absolutely true. Most data sharing, most of the time, is helpful. Not having to keep track of everything on paper, or being able to store your data digitally, or your primary care practice or radiologist having it and interpretation accessible, makes life easier. The average person tends to block the possibility of misuse, except if it turns around and bites us. So what is the solution? Quite a bit of this discussion was about improving “literacy” which is a Catch-22 of vulnerability– ‘lacking skill and ability’ to understand how their data is being used versus ‘the system’ actually creating these vulnerable populations. But when the priority, from the government on to private payers, is ‘value-based care’ and saving money, how does this prevent ‘nefarious use’ of sharing data and identifying de-identified data for which you, the vulnerable, have given consent, to that end? 

It’s exhausting. Why avoid the problem in the first place? Having observed the uses and misuses of genomics data, this Editor will harp on again that we should have a Genomic Data Bill of Rights [TTA 29 Aug 18] for consumers to be fully transparent on where their data is going, how it is being used, and to easily keep their data private without jumping through a ridiculous number of hoops. This could be expandable to all health data. While I’d prefer this to be enforced by private entities, I don’t see it having a chance. In the US, we have HIPAA which is enforced by HHS’ Office of Civil Rights (OCR), which also watchdogs and fines for internal data breaches. Data privacy is also a problem of international scope, what with data hacking coming from state-sponsored entities in China and North Korea, as well as Eastern European pirates.

Thus it is encouraging that the UK’s Department of Health and Social Care is seeking a new national data guardian (NDG) to figure out how to safeguard patient data, based on the December 2018 Act. This replaces Dame Fiona Caldicott who was the first NDG starting in 2014 well before the Act. The specs for the job in Public Appointments are here. You’ll be paid £45,000 per annum, for a 2-3 day per week, primarily working remote with some travel to Leeds and London. (But if you’d like it, apply quickly–it closes 3 Sept!). It’s not full time, which is slightly dismaying given the situation’s growing importance. The HealthcareITNews article has a HIMSS interview video with Dame Fiona discussing the role of trust in this process starting with the clinician, and why the Care.data program was scrapped. Of related interest is Public Health England’s inter-mortem of lessons learned in data management from COVID-19, while reportedly Secretary Matt Hancock is replacing it with a new agency with a sole focus on health protection from pandemics. Hmmmmm…..HealthcareITNews.

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and return data they obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

News roundup: stroke rehab uses Hollywood technology, 3M sues IBM Watson Health on analytics software misuse, AI-based skin cancer detection apps fail, Dictum’s successful telemed use post-pediatric surgery, malware attacks Boston practice network

Motion capture technology being used in stroke and TBI rehab. Best known for turning actors into cartoon superheroes, motion capture tech is now being used at Spaulding Rehabilitation Hospital in Boston for returning mobility to stroke and TBI patients. Attached to the patient are sensors–reflective markers–on key parts of the body. Using an array of infrared cameras, the patient is tracked on gait and other affected motion areas. Doctors and therapists can then better target therapy, plus assistive technologies from orthotics to full exoskeletons. Includes video. STAT

When Giants Sue. 3M is suing IBM Watson Health on their use of licensed 3M software in ‘unauthorized ways’ and charging direct copyright infringement and contract breaches. 3M’s Grouper Plus System analyzes claims and other coded data to help calculate reimbursement. 3M contends that IBM was licensed only for internal use dating back to a Truven agreement in 2007, years before their acquisition by IBM. The suit also adds that IBM then integrated the software into Watson platforms without a license transfer and expansion to cover the use, as well as dodged an audit of the use. The suit is in NY Federal Court. Becker’s Health IT Report

Algorithm-based dermatology apps fail to accurately detect risk for melanomas and similar skin cancer.  A just-published BMJ study determined that these smartphone apps, which use algorithms that catalogue and classify images of lesions into high or low risk for skin cancer and return an immediate risk assessment with subsequent recommendation to the user, are not effective. Six apps were examined, including two with a CE mark. None were FDA-approved and two were cited by the Federal Trade Commission for deceptive marketing. Only one, SkinVision, is still commercially available. Study results do not apply to apps that physicians use in direct telemedicine consults. IEEE Spectrum

Successful test and planned rollout of telemedicine tablet for post-surgery checks at Children’s Hospital of Richmond (Virginia–CHoR). The Dictum Health eVER-HOME tablet used for virtual visits had a 92 percent acceptance rate of telemedicine visits in place of in-person visits, zero return to hospital/ER events, earlier patient discharge post-surgery (12 to 24 hours), and avoidance of long-distance travel by patients for follow-up visits, a significant factor as CHoR is a destination hospital for specialized pediatric surgery. The rollout will include AI capabilities in Dictum’s Care Central platform to help determine rising risk and more. Dictum Health is a company best known for telemedicine units for remote workers (e.g. oil rigs) using their Virtual Exam Room (VER) technologies. Dictum release, mHealth Intelligence

CHoR is having a better week than a physician’s network affiliated with Boston Children’s Hospital. Pediatric Physician’s Organization at Children’s (PPOC) is the victim of a malware attack affecting computer systems at about 500 affiliated physicians and clinicians. The impacted systems have been quarantined and does not affect BCH. Becker’s Hospital Review, Health IT Security  Health IT Security also rounds up other recent data breaches, hacks, and phishing attacks.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health, under one of its subsidiaries, BioReference Laboratories, Inc., and Clinical Pathology Laboratories [TTA 5 June] This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

 Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principals into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable. Parts of the US government–Congress and the FTC through a complaint filing–are also coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal).

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Telemedicine virtual visits preferred by majority in Massachusetts General Hospital survey

The results are far better than parity with in-person visits for follow up. A group of 254 patients and 61 health care providers were the subject of a survey conducted by researchers at Massachusetts General Hospital, part of Partners HealthCare, and Johns Hopkins. It found that virtual video visits (VVVs) are perceived by the majority of patients as the same as or better than office visits in convenience and cost, at the same level of quality and personal connection. It measured responses from both patients and providers in the MGH TeleHealth (sic) program, in place since 2012, in follow up care from providers in psychiatry, neurology, cardiology, oncology and primary care (the last two added late in the survey).

The results were: 

  • The vast majority (94.5%) of patients preferred the travel time (minimal) and time convenience (79.5%) of the VVV
  • Most patients (62.6%) and clinicians (59.0%) reported “no difference” between VVV and office visits on “the overall quality of the visit.”
  • When rating “the personal connection felt during the visit”, over half–but more patients than clinicians–said that there was “no difference” with the VVV (patients, 59.1%; clinicians, 50.8%), although 32.7% of patients and 45.9% of clinicians reported that the “office visit is better”.
  • They were also willing to pay for it–and that increased with distance from the doctor. Among those who traveled more than 90 minutes to an office visit, 51.5% indicated they would pay a co-payment of more than $50 for a VVV compared with 30.4% of those who traveled less than 30 minutes.
  • Results graphs are here

The survey results were published in the American Journal of Managed Care. This month’s issue also examines gamification in healthcare, asynchronous communication between primary and specialty care practitioners at Geisinger, EHRs–and the relationship between data breaches and not surprisingly increased advertising expenditures after the fact to rebuild lost trust. According to this last article, breached hospitals were more likely to be large, teaching, and urban hospitals relative to the control group.

Also UPI and HealthDay.

More and more into the (data) breach: 3X more patient records in Q2, UnityPoint’s breach balloons to 1.3M

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]And we thought Healthcare Hackermania was following the Hulkster into retirement. After a quiet Q1, data breaches and hack attacks blew up both in Q2 and now in this quarter.

Data compliance analytics firm Protenus’ Breach Barometer (with DataBreaches.net) has been tracking healthcare data breaches for years. It was quiet last quarter with 1.13 million patient records affected in 110 separate health data breaches. But last quarter was a true triple threat with patient records up three times to 3.14 million, 142 separate breaches–which means more per breach on average. What is also distressing is that 29.71 percent are repeat offenses among employees, up from 21 percent in the previous quarter.

  • 36.6 percent of breaches were due to external hacking, nearly double that of Q1.
  • 30.99 percent were due to insiders, either through deliberate wrongdoing (theft) or insider error. Insider wrongdoing was led by family members snooping on other family members’ records. Not Russians, Chinese, NoKos, or Bulgarians bashing about. 
  • In contrast to Q1, where the biggest data breach was a network hack of an Oklahoma-based health network (reportedly the Oklahoma State University Center for Health Sciences), compromising nearly 280,000 records, Q2’s Big Breach was a physical burglary of the California Department of Developmental Services in Sacramento affecting over 581,000 records. After the usual ransacking and theft, the burglars started a fire before they left and the sprinklers did the rest.

It routinely takes nearly forever from when a breach occurs to when it is discovered: in Q1 244 days, in Q2 204 days. In Q2 the longest discovery time was over five years –2013 to 2018. This indicates that insiders may be good at covering their tracks, and/or IT staff don’t get around to detecting and policing breaches.

Protenus and DataBreaches.net compile incidents disclosed to HHS and reported in the media, and are now adding their own proprietary, non-public data on the status of health data breaches nationwide, including a review of tens of trillions of individual
accesses to EHRs which Protenus audits as part of their healthcare systems services. More detail in Protenus Q2 and Q1 full reports, HealthITSecurity (Q1)

Certain to lead their Q3 report is the 1.4 million patient record breach at UnityPoint Health, an Iowa-based health system. In May, a small phishing breach compromised 16,000 records. This cyberattack also started with email phishing and spread through employee networks. “The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.” Were the hackers after patient data? According to UnityPoint, “The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization.” Healthcare Analytics News

You may not want a cyberattack, but cyberattacks and hacking want you….

Healthcare cybersecurity breaches multiply like measles as far away as Singapore. Is it a matter of time before hacking kills someone?

Even if you are the Prime Minister of Singapore, you can be hacked. Prime Minister Lee Hsien Loong joined 1.5 million of his fellow Singaporeans in what they have termed an unprecedented data breach of SingHealth, considered to be a world model. There are the usual state actor suspects: Russians, Chinese–and North Koreans–starting less than two weeks (27 June) after hosting the meeting between President Donald Trump and Maximum Leader Kim Jong Un. (That is hardly a gracious thank you if it’s them (s/o).  POLITICO Morning eHealth reported on Monday 23 July. 

What’s happened since: Singapore banks have been instructed to tighten data procedures and use additional verification methods. The government believes 1) they are next and 2) that the healthcare breach data could be used to impersonate customer identities. SingHealth records include full name, national identification number, address, gender, race, and date of birth. (ZDNet)

The National (UAE) reported that the hack specifically targeted the PM. Their angle was that Singapore has ambitions to host a ‘smart city’ as does the UAE and testing Singapore means that the UAE may be next. Singapore is covering a different angle–the ‘inside job’ one. They moved to disconnect computers from the internet at public centers which may inconvenience patients and healthcare staff but which weakens data collection for this very busy centralized system. (Reuters) Watch the government press conference here.

Will the next WannaCry or NotPetya kill someone? That is the premise in this article in ZDNet and one we’ve discussed previously. It’s not a targeted attack on a particular life, but could be an infrastructure failure–for instance, an industrial control for electricity that destroys systems including those to dependent homes or hospitals. What this article doesn’t include are all those aging hackable connected devices in operating rooms, hospital rooms, and in-hospital Wi-Fi powering tablets and other connected devices. KRACK can be very wack indeed! [TTA 18 Oct 17]

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased over the 2015-2017 period by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containment of healthcare device loss and theft through education and enforcement of employee practices. What continues is the major cause of breaches continue to be insider-related via error and wrongdoing; this includes the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2018/01/VitalPatch_Header_Photo_Tablet.jpg” thumb_width=”150″ /]Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care setting. Blue Cedar is securing the app through their patented code-injected technology which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts‘ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Rounding up the roundups in health tech and digital health for 2017; looking forward to 2018’s Nitty-Gritty

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2017/12/Lasso.jpg” thumb_width=”100″ /]Our Editors will be lassoing our thoughts for what happened in 2017 and looking forward to 2018 in several articles. So let’s get started! Happy Trails!

2017’s digital health M&A is well-covered by Jonah Comstock’s Mobihealthnews overview. In this aggregation, the M&A trends to be seen are 1) merging of services that are rather alike (e.g. two diabetes app/education or telehealth/telemedicine providers) to buy market share, 2) services that complement each other by being similar but with strengths in different markets or broaden capabilities (Teladoc and Best Doctors, GlobalMed and TreatMD), 3) fill a gap in a portfolio (Philips‘ various acquisitions), or 4) payers trying yet again to cement themselves into digital health, which has had a checkered record indeed. This consolidation is to be expected in a fluid and relatively early stage environment.

In this roundup, we miss the telecom moves of prior years, most of which have misfired. WebMD, once an acquirer, once on the ropes, is being acquired into a fully corporate info provider structure with its pending acquisition by KKR’s Internet Brands, an information SaaS/web hoster in multiple verticals. This points to the commodification of healthcare information. 

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2017/12/canary-in-the-coal-mine.jpgw595.jpeg” thumb_width=”150″ /]Love that canary! We have a paradigm breaker in the pending CVS-Aetna merger into the very structure of how healthcare can be made more convenient, delivered, billed, and paid for–if it is approved and not challenged, which is a very real possibility. Over the next two years, if this works, look for supermarkets to get into the healthcare business. Payers, drug stores, and retailers have few places to go. The worldwide wild card: Walgreens Boots. Start with our article here and move to our previous articles linked at the end.

US telehealth and telemedicine’s march towards reimbursement and parity payment continues. See our article on the CCHP roundup and policy paper (for the most stalwart of wonks only). Another major change in the US is payment for more services under Medicare, issued in early November by the Centers for Medicare and Medicaid Services (CMS) in its Final Rule for the 2018 Medicare Physician Fee Schedule. This also increases payment to nearly $60 per month for remote patient monitoring, which will help struggling RPM providers. Not quite a stride, but less of a stumble for the Grizzled Survivors. MedCityNews

In the UK, our friends at The King’s Fund have rounded up their most popular content of 2017 here. Newer models of telehealth and telemedicine such as Babylon Health and PushDoctor continue to struggle to find a place in the national structure. (Babylon’s challenge to the CQC was dropped before Christmas at their cost of £11,000 in High Court costs.) Judging from our Tender Alerts, compared to the US, telecare integration into housing is far ahead for those most in need especially in support at home. Yet there are glaring disparities due to funding–witness the national scandal of NHS Kernow withdrawing telehealth from local residents earlier this year [TTA coverage here]. This Editor is pleased to report that as of 5 December, NHS Kernow’s Governing Body has approved plans to retain and reconfigure Telehealth services, working in partnership with the provider Cornwall Partnership NHS Foundation Trust (CFT). Their notice is here.

More UK roundups are available on Digital Health News: 2017 review, most read stories, and cybersecurity predictions for 2018. David Doherty’s compiled a group of the major international health tech events for 2018 over at 3G Doctor. Which reminds this Editor to tell him to list #MedMo18 November 29-30 in NYC and that he might want to consider updating the name to 5G Doctor to mark the transition over to 5G wireless service advancing in 2018.

Data breaches continue to be a worry. The Protenus/DataBreaches.net roundup for November continues the breach a day trend. The largest breach they detected was of over 16,000 patient records at the Hackensack Sleep and Pulmonary Center in New Jersey. The monthly total was almost 84,000 records, a low compared to the prior few months, but there may be some reporting shifting into December. Protenus blog, MedCityNews

And perhaps there’s a future for wearables, in the watch form. The Apple Watch’s disconnecting from the phone (and the slowness of older models) has led to companies like AliveCor’s KardiaBand EKG (ECG) providing add-ons to the watch. Apple is trying to develop its own non-invasive blood glucose monitor, with Alphabet’s (Google) Verily Study Watch in test having sensors that can collect data on heart rate, gait and skin temperature. More here from CNBC on Big Tech and healthcare, Apple’s wearables.

Telehealth saves lives, as an Australian nurse at an isolated Coral Bay clinic found out. He hooked himself up to the ECG machine and dialed into the Emergency Telehealth Service (ETS). With assistance from volunteers, he was able to medicate himself with clotbusters until the Royal Flying Doctor Service transferred him to a Perth hospital. Now if he had a KardiaBand….WAToday.com.au  Hat tip to Mike Clark

This Editor’s parting words for 2017 will be right down to the Real Nitty-Gritty, so read on!: (more…)