FBI ‘Flash Alerts’ health organizations about hacker attacks (US)

Late yesterday Reuters reported that the Federal Bureau of Investigation (FBI) issued a ‘flash alert’ to healthcare organizations, warning they are being targeted by “…malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” and that “These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.” These alerts are sent to businesses by the FBI and Department of Homeland Security (DHS) to help prevent cyberattacks. This follows an April FBI alert warning healthcare companies that their security systems were lax compared to other sectors, making them highly vulnerable to hacker attacks. Our Monday report on the Community Health Systems attack on 4.5 million records at the #2 US publicly traded hospital operator (more…)

The drip of data breaches now a flood: 4.5 million records hacked–update

Breaking News–updated at end. Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of a SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years during April and June using cyberattacks and sophisticated malware. (more…)

Politico: massive hacking of health records imminent

Politico is a website (and if you’re in Foggy Bottom-ville, a magazine) much beloved by the ‘inside government’ crowd and the media ‘chattering classes’. With some aspirations to be like Private Eye but without the leavening sharp satire, the fact that they’ve turned their attention to–gasp!–the potential hackathon that is health records is amazing. They mention all the right sources: Ponemon, HIMSS, the American Medical Association, BitSight, AHIMA. In fact, the article itself may be a leading indicator that the governmental classes might actually do something about it. This Editor applauds Politico for jumping on our battered Conestoga wagon with the other Grizzled Pioneers. We’ve only been whinging on about data breaches and security since 2010 and their researchers could benefit from our back file.

And speaking of 2010, the Department of Health & Human Services (HHS) is doing its part to close the budget deficit by collecting data breach fines–$10 million in the past year. A goodly chunk will be coming from New York-Presbyterian Hospital/Columbia University Medical Center: $4.8 million for a 6,800 person breach (iHealthBeat) where sensitive records showed up online, readily available to search engines. And yes, we covered this back on 29 Sept 2010 when breaches were new and hushed up. Politico: Big cyber hack of health records is ‘only a matter of time’

Oddly, there is nary a mention of Healthcare.gov.

Risky hospital business: happy device hacking, insider data breaches

A heap of ‘insanely easy’ hospital hacking–but no harm done: Essentia Health’s head of information security, Scott Erven, set his team to work–with management approval–on hacking practically every internal device and system over two years, and found that most were ‘insanely easy’ to hack. They successfully hacked drug infusion pumps, EHRs, Bluetooth-enabled defibrillators, surgery robots, CT scanners, networked refrigerator temperature settings and X-ray machines with potentially disastrous results. Where the common security holes are in networked equipment: lack of authentication, weak passwords, embedded web services and the list goes on. Mr Erven presented this at an industry meeting in April, without naming brands or devices as he’s still trying to fix them. Essentia Health operates about 100 facilities, including clinics, hospitals and pharmacies, in Minnesota, North Dakota, Wisconsin and Idaho–and should receive much credit for facilitating this study. This is the environment into which we will be plonking tons of patient information in PHRs and telehealth monitoring. Pass the painkillers. Summary in HealthIT Outcomes, much more essential detail in Wired worth the read.

The ‘Maybe No One Will Notice’ Data Breach:  The recent incident at the University of Massachusetts Memorial Medical Center in Worcester illustrates the difficulty that even academic medical centers have with detecting data security breaches, particularly when they are small, sneaky, over time and by an insider. UMass uncovered a series of low-profile breaches by a former employee who helped himself to patient information such as name, address, date of birth and Social Security number–and may have used it to open up credit card and mobile phone accounts. Only four records appear to have been misused in this way, but at least 2,400 records were estimated to be improperly accessed–over 12 years, which made it even more difficult to find. Perhaps the employee was funding retirement? HealthcareInfoSecurity

The ‘Ambulance Chaser’ Data Breach: What better way for lawyers and shady outpatient clinics to get accident patients fresh from the ER (ED), than to have someone on the inside feeding them patient information? (more…)

Data breaches may cost healthcare organizations $5.6 bn annually: Ponemon (US)

The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions

The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and with a few exceptions, the news is worse than last year. Eight highlights in the study of 91 responding organizations (Ponemon admits results are skewed to larger sized respondents) for 2013 are:

  1. The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
  2. The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
  3. Healthcare organizations improve ability to control data breach costs. The economic impact of data breaches for the healthcare organizations represented in this study over the past two years is $2.0 million–but it is 17 percent (nearly $400,000) less than 2012.
  4. ACA increases risk to patient privacy and information security. No surprises here for readers, with insecure exchange of information between healthcare providers and government (75 percent), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way. (more…)

Why healthcare doesn’t encrypt: correct, incorrect assumptions

As our readers know, we’ve preached the Gospel of Data Security for quite awhile, to the point where even The Gimlet’s Eyes have crossed. Based on this smart analysis in Healthcare IT News (done by an outsider to healthcare), there are real reasons why HIT leaders are reluctant to implement encryption and security that would be SOP for other types of organizations. Mr. Schuman sorts the ‘drag the feet’ factors:

  1. Outdated but still widely believed: Encryption makes information less accessible across a broad network, increasing retrieval and review time. There is increased, not decreased, pressure to increase access, including by practices and patients, as part of Meaningful Use (US).
  2. Encryption as a barrier: Providers see encryption as increasing time, decreasing usability of systems and making workarounds more difficult.
  3. Encryption not permitted: Equipment designed with a specific hardware/software configuration blocks security add-ins. The logic is that any add-ins, even for security, could and do compromise performance. They thus violate manufacturers’ warranties and leave hospitals/practices open to legal action if equipment does not perform as intended.
  4. It’s complicated and pricey: Encrypting the proliferating multiplicity of devices and systems takes manpower, which is not only lacking but also expensive. The good intentions are there; the money is not.

The solution may lie in encrypting data between applications, not in the hardware/software itself. Hat tip to reader ‘Klondike Playboy’ John Boden.

PHI data: 361,000 examples that it’s more insecure than ever

We’ve been fairly consistent in our coverage of data breaches, including the regrettable fact that more digital data stored out there on EHRs and devices with low security means Happy Hacking (or Stealing) for Fun and Profit. [TTA 2 Apr] Here’s additional proof, including the first incident this Editor has seen of email phishing:

California, there they go: A theft of eight computers from Sutherland Healthcare Solutions’ medical billing and collections office compromised 338,700 patients’ personal health information (PHI), including SSNs. Sutherland provides services to the Los Angeles County Department of Health Services and Department of Public Health. Being California, three class action lawsuits have already been filed. Kaiser Permanente compromised 5,100 records at their Northern California Division of Research. According to iHealthBeat, it was on a laptop; Health Data Management reports it was on a server. The malware was lurking for 2 1/2 years (!) but it’s not determined whether the data was actually stolen. Phishing scam hits Catholic Health Initiatives, affects 12,000 in multiple states: What looked like an internal CHI email asking for patient information wasn’t– (more…)

How insecure can health data get? Very.

Gigaom is one of our go-to sites for enthusiastic whiz-bang health gadget coverage (and more), but here’s the downside of all those devices: all that data. And it’s not only not secure, but also getting more insecure. Grégoire Ribordy of Swiss encryption company ID Quantique makes some key (and scary) points on the data breaches looming–and he doesn’t mention that block of Swiss cheese Healthcare.gov once:

  1. One-stop storage for your total health records and data, an idée fixe among government and single-payer theoreticians, just makes it one-stop-shopping for hackers.
  2. Richer health data means more to steal and exploit. There’s also the illegal use of genetic information for employment discrimination–hard to enforce regulations, easy to misuse personal data.
  3. Biological crime isn’t just a future plot of ‘Law & Order.’ Criminals can target patients with specific conditions–or healthcare workers can make money on the side by supplying accident victim data to personal injury attorneys, as recently happened in NY. For prominent people, their sensitive health information can be leaked to the press for profit. (more…)

Now three medical device maker networks hacked

St. Jude Medical, Medtronic and Boston Scientific targeted. The San Francisco Chronicle reported earlier this week, from what they termed a source close to the companies, that all three companies had data intrusions that lasted for several months during 2013, and were not aware of them until alerted by Federal authorities. None of the companies, nor the FBI, confirmed or commented on this for the Chronicle. The attacks were “very thorough” and the source stated that they showed signs of being committed by hackers in China. The attraction of all three companies–Medtronic being the world’s largest–is their intellectual property and of course patient data, with the article mentioning confidential patient data collection from clinical trials. Also iHealthBeat.

Previously in TTA: US health data breaches hit record; Healthcare.gov backdoored?

US health data breaches hit record; Healthcare.gov backdoored?

Security firm Redspin reports a total of 7.1 million affected records in 2013, up from 3 million in 2012. The five largest breaches accounted for 85 percent of the total: Advocate Health, Horizon BCBSNJ, AHMC Healthcare, Texas Health Harris Methodist Hospital Fort Worth and Indiana Family & Social Services Administration. Hardware theft of unencrypted devices accounted for the first three; Texas Health was perhaps the most unusual because it disposed of over 277,000 microfiche patient records in a city park, making it the winner of last May’s ‘It’s Just Mulch’ award in ‘The exploding black market in healthcare data’. Not included in the Redspin report (free download here) was a mid-December breach of 405,000 records at Bryan, Texas-based St. Joseph Health System which would have put it fourth on the list. This took place in a two-day data security attack on their servers traced to China and reported to the FBI. While Redspin attributes only six percent of breaches to hacking, this is an amount sure to increase as more information is digitized. Health Data Management, iHealthBeat, FierceHealthIT

Security breaches, natural disasters and outages are events that cost US hospitals over $1.6 billion annually, and 82 percent of health IT executives surveyed by MeriTalk said that their technology infrastructure is “not fully prepared for a disaster recovery incident.” The $1.6 billion seems low in light of the Ponemon Institute’s 2012 health data breach estimate of $7 billion annually–and the $12 billion in victim costs [TTA 14 Sept 13]. FierceHealthIT

…and wait till Healthcare.gov-related security breaches start. This Editor stopped beating the dead and quartered horse of Healthcare.gov last year, finding that what was suspected and detailed from the start was simply borne out by subsequent revelations. Another example: the recent revelation that US intelligence agencies are highly concerned that code in the website was produced by programmers in Belarus, a former Soviet republic closely allied to that hotbed of hacking, Russia. That means that ‘backdoors’ are right in the code, waiting to be opened. This affects more than the website–through the hub, it reaches states, HHS, IRS and DHS. How did our Washington types find out about it? When a top Belarusian official bragged on state radio about it! Ace intelligence writer Bill Gertz in the Washington Times broke the story. (Want more on the website’s security problems? See here for more on the Gertz story plus the David Kennedy/TrustedSec testimony and more. But bring your preferred headache remedy!)

The sea of security ‘red flags’ that is Healthcare.gov

It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Confirmed by experts to the more-than-mainstream Christian Science Monitor are the layers of insecurity entirely plausible on the current Healthcare.gov website–and the 14 state (plus DC) websites feeding into the Federal health insurance exchange and up into the mysterious hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards but these are no guarantee–and the state sites are not required to. ‘Red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery
  • ‘Clickjacking’–an invisible layer over the legitimate website
  • Cookie theft, and not by the Cookie Monster
  • Problematic verification from state to Federal, from legitimate third-party assistance, from brokers and so on
  • Login fraud–the happy hunting ground of hackers and DDoS attacks

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding, in the less-than-a-month window till the crash time deadline in mid-November and then early January. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.

VA Department data breaches soar (US)

If after the Healthcare.gov debacle, there’s still any confidence that centralized Federal systems are secure and trustworthy, please read this HealthcareITNews tally of the multiple data breaches and HIPAA violations taking place at the US Department of Veterans Affairs (VA).

From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including incidences of identity theft, stealing veteran prescriptions, Facebook posts concerning veterans’ body parts, and failing to encrypt data, a Pittsburgh Tribune-Review investigation revealed.

The two-month investigation by the Pittsburgh Tribune-Review published this weekend found that the VA led the way in HIPAA violations–17 in the past few years–for reasons centering on lack of accountability, shoddy safeguards, sloppiness in handling data and failure to encrypt data even after the 2006 theft of a laptop put records of 26.5 million veterans in danger. There are few firings, disciplinary actions or HHS fines.

This should put telehealth and telemedicine providers on notice that their encryption will have to be ‘stronger than the VA’, as both they and Department of Defense (DOD) are the single largest users of telehealth in the US.

Data insecurity in Obamacare insurance exchanges (US)

The warning that should appear as the main page of 50 state health exchanges.

Subsumed under the ‘government shutdown’ (affecting in reality a distinct minority of Federal government employees) is the significant concern that the state-based online exchanges now selling individual insurance, effective 1 Jan 2014, much trumpeted under the Affordable Care Act and baked into it two years ago, already present significant vulnerabilities in securing the vital data of millions: Social Security number, date of birth, addresses, tax and earnings information. These state-based exchanges are also dependent on information from a Federal data ‘Hub’ which “acts as a conduit for exchanges to access the data from where they are originally stored.” (HHS Office of Inspector General report August 2013, page 2) If improperly secured, this opens up other Federal agencies to further upstream identity theft mayhem.

Already information is in the hands of thousands of call center staff and so-called ‘navigators’ who may or may not have gone through security verifications. Insurance customer information has already leaked outside of exchanges (see below). (more…)

Medical identity theft hits new highs

August ended with the report of the second highest-ever identity breach traced to a healthcare provider–4 million patient names, addresses, dates of birth, Social Security numbers and clinical information, contained on four unencrypted Advocate Health System (Illinois) office computers. It was a ‘behemoth breach’ in Healthcare IT News’ words and has led to the filing of a class-action lawsuit (Privacy Rights Clearinghouse). Now security consultant Ponemon Institute’s latest report, released yesterday, increases the breach anxiety level with its 2013 Survey on Medical Identity Theft: (more…)

FDA’s discouraging role in medical device security

According to a Wall Street Journal report (unfortunately firewalled), hospitals are pointing a very long finger at medical device manufacturers for not updating software and leaving devices open to breaches. Yet the manufacturers readily cite FDA’s most recent guidance as prohibiting software updates and security patches without resubmitting their devices for approval–something a spokesperson for the FDA denies as long as the update is for cybersecurity only. If the draft guidance issued in June is actually finalized, it will go the distance in helping manufacturers and hospitals. Hospitals Say Device Manufacturers Resist Boosting Cybersecurity (iHealthBeat)