As Editor Charles is chronicling, the world’s largest mobile event, Mobile World Congress in Barcelona, has a great deal of focus on healthcare–and that includes healthcare data security. Both telehealth monitoring and telemedicine virtual consults are increasingly phone-based. The data transmitted via and held in virtual storage a/k/a The Cloud, including personal health records (PHRs), is too readily assumed to be secure, but security protocols vary. “We are at the mercy of who the app providers are and how well they secure the information, and they are at the mercy sometimes of the cloud providers,” according to Kevin Curran of the IEEE. This article also points out that there’s real consumer concern that insurance companies will access their personally identified data via various databases. (more…)
The data breach at US health insurance giant AnthemHealth, reportedly affecting up to 80 million beneficiaries [TTA 6 Feb], was an inadvertent ‘inside job’. The Associated Press reported that the credentials of at least five employees were used to access information; at least one of them was an administrator who saw his own credentials being used to query the data warehouse. Such credentials are easier to obtain than you think. In an analysis published by security firm Tripwire and also in MIT Technology Review, the writer Ken Westin outlines how easy it is to find that the Anthem warehouse is TeraData, and to match up the employees who work with it, using public employee profiles on places like LinkedIn and job postings. Then it’s a matter of deduction to find exact email addresses (find the pattern–lead generation companies building business contact lists do this all the time) and send these key employees phishing emails (more…)
An impressive article written by a young doctor poses the problem of social sharing, data we don’t know we’re generating, and how that data is being processed in ways such as tracking programs that predict and analyze our behavior. The example he gives is the Samaritans’ (a non-profit social services group in the UK with a mission to prevent suicide) design of an app that scanned the tweets of people you follow to alert you to worsening mood changes so that you could intervene. Some felt it was beneficial, but most considered the possibilities for misuse or cyberstalking, and it was pulled. The other, rather chilling example was how a PHR could pick up EHR patient evaluation notes not meant to be seen by the patient. Data insecurity with devastating consequences. Read the article for what UK family GPs are being asked to do by the Government. When data gets creepy: the secrets we don’t realise we’re giving away (Guardian). Hat tip to reader Mike Clark.
Just after this Editor rhapsodized that one of the unrecognized (except here) wins for Apple’s new iPhone 6 in healthcare will be to give the docs what they want–larger screens–comes this sobering stat from Forrester. Only 59 percent of healthcare employees use full-disk encryption or file-level encryption on mHealth computing devices used at work. Yes, here is another hole in the data security dike that needs plugging, because Forrester also cites that 80 percent of data breaches relate to lost or stolen devices. (What, not mulch?) Author Chris Sherman also quoted street prices for health records to The Wall Street Journal’s CIO Journal blog (more…)
A knockout or a catch up? Now that the Hype Dust is settling (along with Apple’s stock price), let’s take a look at what we know today about the new, larger iPhones and the Apple Watch regarding health monitoring.
Where it was a catch up:
- Size and screen in phones. Apple got the message: squinting at tiny type and swiping to enlarge is rapidly becoming yesterday’s pain. As smartphones and larger screens knocked out the Blackberry, Samsung led the way in sizing up and higher resolution–and others followed suit. The awful fact is that the smartphone market is aging, both in users and who’s left in the market to grow it, and we want to see, not squint.
- Finally (drum roll), a sleeker smartwatch with fitness tracking, out sometime next year–and not just a sports model. The basic model is a rubbery Sport watch, the mid-line has a sapphire crystal, stainless steel case and (proprietary) swappable bands. The beauty is the upmarket version in gold with a leather band (photo courtesy re/Code).
- Here Apple is up against multiple in-market competitors, from Fitbit to Moto to Withings to Samsung Gear, whose pricing in the $200-and-below range is well below the starter Apple Watch at $349.
- The Apple Watch looks seriously great, distinctively thinner and it’ll be a prestige item. But does it track more and better? No. According to reports (updated today) this is what it has: heart rate monitor, pulse, daily activity for which you need the phone. No sleep monitoring. It also has to be charged every night. There may be other features from developers, but they are under wraps for now and will likely require phone tethering. (re/Code) It’s not a comprehensive lifestyle watch–yet.
Where it could be a knockout in healthcare:
- Finally, a compelling reason for health care providers to ditch the old iPhone and not go Android. Healthcare providers in the US are heavily wedded to iOS: (more…)
Apple flying around the iCloud for Apple HealthKit. Making headlines this week were a few overly personal celebrity photos (foolishly) stored on iCloud accounts going public online. According to Apple, the accounts were hacked probably by a ‘brute force’ password attack and not through an iCloud flaw (TechRepublic). But of more concern to digital health developers eager to get all that health and fitness data integrated via the Apple HealthKit API is that Apple is saying ‘nein’ to anyone using the iCloud to store that data. Why the concern? Mobihealthnews lays down Apple’s eight ground rules.
Is CyberRX 2.0 a prescription for HIT? HITRUST (Health Information Trust Alliance), with participation from (US) HHS, will be hosting an October cyber attack simulation exercise with over 750 healthcare organizations participating. Exercises are at three levels depending on organization size and will include targeting information systems, medical devices and other technology resources of government and healthcare organizations. Press release. Website.
And the weakest point may be ‘over the air’. ‘Interceptor’ fake cell towers can defeat smartphone encryption to eavesdrop ‘over the air’ on calls, read texts and possibly push spyware onto Android phones. According to the CEO of ESD America, they have detected at least 17 powerful towers, likely more, scattered around the US–many near military bases. (more…)
Huge price tag, is the solution more ‘white hat hacker/crackers’, get a clue, C-Suite and why China leads in hacking (important updates!)
Dan Munro in Forbes got out his calculator and estimated that the cost to Community Health Services, based on prior incidents, may be as high as $150 million. He bases it on recent poster children Columbia-NY Presbyterian and BlueCross BlueShield of Tennessee. The message to healthcare business executives: pay now–by beefing up HIT and data security–or pay later in rush remediation of data breaches like identity theft protection, Office of Civil Rights-HHS fines, potential insurance fraud, legal charges and damages awarded. On the latter, it took only hours after the announcement for the first class action to be filed in Alabama.
Of course cybersecurity experts, particularly the ‘white hat’ or ‘cracker’ variety, are in increasingly high demand across all business areas and internationally–and there aren’t many at that exalted level or even a rung or two below. Their commensurate compensation is one factor, but calls to hire less expensively overseas, as explored in this article, are, in this Editor’s estimation, a two-edged sword: much hacking, many sleeper bugs and much ‘backdooring’ are engineered overseas (China, Russia, the Balkans, India); what is to say that these ‘former hackers’ aren’t playing both games? Cybersecurity’s hiring crisis: A troubling trajectory (ZDNet)
The C-Suite Must Care…The Workforce Must Be Aware
Since data security and data breaches threaten to swamp many sectors (universities and colleges, even more than healthcare, rank as the most vulnerable), the solution may not be wholly in the code. (more…)
Breaking News–updated at end. Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While noting some progress against the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today, as part of a SEC regulatory filing, that during April and June hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years, using cyberattacks and sophisticated malware. (more…)
Politico is a website (and if you’re in Foggy Bottom-ville, a magazine) much beloved by the ‘inside government’ crowd and the media ‘chattering classes’. With some aspirations to be like Private Eye but without the leavening sharp satire, the fact that they’ve turned their attention to–gasp!–the potential hackathon that is health records is amazing. They mention all the right sources: Ponemon, HIMSS, the American Medical Association, BitSight, AHIMA. In fact, the article itself may be a leading indicator that the governmental classes might actually do something about it. This Editor applauds Politico for jumping on our battered Conestoga wagon with the other Grizzled Pioneers. We’ve only been whinging on about data breaches and security since 2010 and their researchers could benefit from our back file.
And speaking of 2010, the Department of Health & Human Services (HHS) is doing its part to close the budget deficit by collecting data breach fines–$10 million in the past year. A goodly chunk will be coming from New York-Presbyterian Hospital/Columbia University Medical Center: $4.8 million for a 6,800 person breach (iHealthBeat) where sensitive records showed up online, readily available to search engines. And yes, we covered this back on 29 Sept 2010 when breaches were new and hushed up. Politico: Big cyber hack of health records is ‘only a matter of time’
Oddly, there is nary a mention of Healthcare.gov.
The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions
The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and, with a few exceptions, the news is worse than last year. Eight highlights from the study of 91 responding organizations (Ponemon admits results are skewed toward larger respondents) for 2013 are:
- The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
- The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
- Healthcare organizations improve ability to control data breach costs. The economic impact of data breaches for the healthcare organizations represented in this study over the past two years is $2.0 million–but it is 17 percent (nearly $400,000) less than 2012.
- ACA increases risk to patient privacy and information security. No surprises here for readers, with insecure exchange of information between healthcare providers and government (75 percent), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way. (more…)
As our readers know, we’ve preached the Gospel of Data Security for quite a while, to the point where even The Gimlet’s Eyes have crossed. Based on this smart analysis in Healthcare IT News (done by an outsider to healthcare), there are real reasons why HIT leaders are reluctant to implement encryption and security that would be SOP for other types of organizations. Mr. Schuman sorts the ‘drag the feet’ factors:
- Outdated but still widely believed: Encryption makes information less accessible across a broad network, increasing retrieve and review time. There is increased, not decreased, pressure to increase access, including by practices and patients, as part of Meaningful Use (US).
- Encryption as a barrier: Providers see encryption as increasing time, decreasing usability of systems, making workarounds more difficult.
- Encryption not permitted: Equipment designed with a specific hardware/software configuration blocks security add-ins. The logic is that any add-ins, even for security, could and do compromise performance. They thus violate manufacturers’ warranties and leave hospitals/practices open to legal action if equipment does not perform as intended.
- It’s complicated and pricey: Encrypting the proliferating multiplicity of devices and systems takes manpower–which is not only unavailable but also expensive. Good intentions are there, but little money is.
The solution may lie in encrypting data between applications, not in the hardware/software itself. Hat tip to reader ‘Klondike Playboy’ John Boden.
This week’s news of BlackBerry Ltd’s minority investment in Dr. Patrick Soon-Shiong’s eight-company combine called NantHealth has generally focused on BlackBerry. Across the board, BlackBerry is depicted as the party badly needing a raison d’être. Down for the count in both the retail and enterprise mobile phone markets it dominated for years, BB’s six-months-in-the-saddle CEO is now going back to those same enterprises singing the wonders of their QNX operating system and upcoming BBM Protected communication platform to highly regulated verticals which need maximum security: healthcare, finance, law enforcement, government. Although FierceCMO inaccurately reported that BlackBerry was acquiring NantHealth (Reuters/WSJ report the contrary), it’s generated yawns from former tea-leaf readers such as ZDNet as yet another flail of the Berry as it sinks beneath the waves. Add to this the bewilderingly written CNBC ‘Commentary’ under BlackBerry CEO John Chen’s byline–who should fire the ghostwriter for inept generation of blue smoke and mirrors–and you wonder why the very smart Dr. Soon-Shiong even desires the association with a company most consider the equivalent of silent movies. It is certainly not for the investment money, of which the doctor has more than most countries–an expenditure carefully considered at BlackBerry, undoubtedly.
Cui bono? NantHealth first, BlackBerry second is your Editor’s contrarian bet. Consider these three factors:
- Way down the column in most coverage is that BlackBerry and NantHealth are developing a healthcare smartphone. It will be optimized for 3D images and CT scans but fully usable as a normal smartphone. Release date: late 2014-early 2015 (Reuters). (more…)
Gigaom is one of our go-to sites for enthusiastic whiz-bang health gadget coverage (and more), but here’s the downside of all those devices: all that data. And it’s not only insecure, but also getting more insecure. Grégoire Ribordy of Swiss encryption company ID Quantique makes some key (and scary) points on the looming data breaches–and he doesn’t mention that block of Swiss cheese, Healthcare.gov, once:
- One-stop storage for your total health records and data, an idée fixe among government and single-payer theoreticians, just makes it one-stop-shopping for hackers.
- Richer health data means more to steal and exploit. There’s also the illegal use of genetic information for employment discrimination–hard to enforce regulations, easy to misuse personal data.
- Biological crime isn’t just a future plot of ‘Law & Order.’ Criminals can target patients with specific conditions–or healthcare workers can make money on the side by supplying accident victim data to personal injury attorneys, as recently happened in NY. For prominent people, their sensitive health information can be leaked to the press for profit. (more…)
In news late yesterday, IMS Health has filed with the US Securities and Exchange Commission (SEC) to raise up to $100 million in an initial public offering of stock. The preliminary prospectus listed JP Morgan, Goldman Sachs, Morgan Stanley and BofA Merrill Lynch as the underwriters. We have noted IMS Health’s expansiveness on entering mHealth through app curation, prescribing and data security at the mHealth Summit [TTA 23 Dec] and their previous acquisition of Diversinet [TTA 15 Aug] in mobile app security; the latter was only a small part of their 2013 acquisitions in several areas totaling $105 million. Clearly there are some plans which may very well include health apps and data. Reuters, GeekWire.