Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reporting that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices, continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

Hackermania runs wild, Required Reading Department: The Anatomy of a Ransomware Attack

Cue the Duke Ellington score and Jimmy Stewart for the defense, we now have a moment-by-moment look at how a ransomware attack on an organization unfolds. The example is from a Ryuk ransomware attack last October on an unnamed organization.

      • The first step was a probe of the network via the Trickbot malware
      • Hackers then explored the network to determine a valuation–to monetize data
      • They then unleashed other tools in the Pivot and Profile phase–PowerTrick and Cobalt Strike–to search for open ports and other devices
      • The hackers, finding what they want, deploy their Anchor backdoor and Ryuk ransomware to secure their hold on the network
      • Total time from initial malware to Ryuk ransomware encryption: about two weeks

Ryuk has been a highly successful ransomware, netting its extortioners $61m in ransom between February 2018 and October 2019 according to the FBI. UK’s National Cyber Security Centre advisory indicates global attacks starting in later 2018.

The value in this study is substantial–the SentinelOne article is chock full of terminology and screenshots a programmer or white hat would love. It also reveals a multi-step process that if stopped at step 1 (the Trickbot malware) means a tougher nut to crack for the hackers, and a nearly two-week window for a response. ZDNet’s article is written for us ‘civilians’. The sidebar has links to several articles, including this horror compendium from UK victims, ‘The most stressful four hours of my career‘.  Earlier: Hackermania runs wild…all the way to the bank!

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health (under one of its subsidiaries, BioReference Laboratories, Inc.), and Clinical Pathology Laboratories [TTA 5 June]. This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related, affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is hardly healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were year-over-year flat (290), but the number of records affected in 2018 nearly tripled from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft is down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principles into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable. Parts of the US government–Congress and the FTC through a complaint filing–are also coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal).

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased by 72 percent between 2015 and 2017, and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containing healthcare device loss and theft through education and enforcement of employee practices. What continues: the major cause of breaches remains insider-related error and wrongdoing, a finding echoed by the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

KRACK is wack for Wi-Fi attack–protocol flaw exposed

What’s being called Black Monday in the security world is the discovery of a fundamental flaw with WPA2 (Wireless Protected Access v2), which secures an estimated 60 percent of the world’s Wi-Fi networks. According to all reports, the WPA2 protocol (the ‘handshake’ between the device and the router) can be manipulated into reusing encryption keys. ‘KRACK’–for Key Reinstallation Attack–threatens any Wi-Fi enabled device and all Wi-Fi networks. It was discovered by researchers at KU Leuven, a university in Flanders, Belgium. 

Threats include attacks on any sensitive information–hackermania potentially running wild. The vulnerability also permits an attacker to inject malicious information–ransomware and malware–into a Wi-Fi network. 

Security firm Varonis narrows the greatest threat down to Android users and devices that implement the WPA2 protocol very strictly. They consider Apple iOS devices and Windows PCs to be mostly (as of now) unaffected “since they don’t strictly implement the WPA2 protocol and key reinstallation.” 

This obviously affects any public networks or lightly protected networks in practices and hospitals. Varonis notes that the attack depends upon being within Wi-Fi range of the target device with the attacker sending forged data to the client. But this is difficult–it requires not only proximity but also access to a specialized networking device and to be able to code the attack manually.

Updates are allegedly on the way from Apple and Google, while Microsoft has already included it in last week’s updates for Windows 7, 8, and 10 (Telegraph). The most vulnerable devices are Android smartphones and tablets, which according to The Verge have an additional variant vulnerability affecting 41 percent of devices–and updates for Android devices are notoriously slow to arrive.

Monday also marked a second threat called ROCA, an attack on public key encryption which may weaken authentication of software when installing it. This will be fixed in software updates.

Recommended protection for now, as listed in the Telegraph, is to ensure that all your Wi-Fi access is password-protected and to implement updates on networks. Don’t use public unsecured networks. Shop only on https-protected sites. Computers and devices are issuing firmware and driver updates, and a constantly updated list is published over at the wonderfully-named Bleeping Computer, but your router may not automatically update, so you will have to do some searching and consulting with your internet provider. Also Wordfence (hat tip to Founder Steve) and a second article in The Verge.
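To show why a replayed handshake message matters, here is an added toy model (not the KU Leuven researchers’ code or any real Wi-Fi stack): when a key is reinstalled, the client’s per-packet nonce restarts at zero, so two different frames are encrypted with the same keystream, while a client that refuses to reinstall a key already in use keeps its nonces distinct. The SHA-256 keystream, the Client class, the session key and the sample frames are constructed stand-ins for the real AES-CCMP machinery.

```python
"""
Toy model of the KRACK failure mode: a key reinstallation resets the
per-packet nonce, so the same key+nonce pair encrypts two different
frames. Added illustration only; the keystream is a SHA-256 stand-in
for AES-CCMP and the Client/handshake objects are simplified assumptions.
"""
import hashlib
from typing import Optional, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream from (key, nonce): the same pair always
    yields the same bytes, which is exactly what makes nonce reuse fatal."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified Wi-Fi client: one installed session key plus the
    packet-number counter (nonce) that must never repeat under that key."""

    def __init__(self, patched: bool):
        self.patched = patched          # True: refuse to reinstall an in-use key
        self.key: Optional[bytes] = None
        self.nonce = 0
        self.reinstall_refused = 0

    def install_key(self, key: bytes) -> bool:
        """Handle handshake message 3. An unpatched client resets the nonce
        on every (re)installation; the fix is to ignore a reinstall of the
        key that is already in use."""
        if self.patched and key == self.key:
            self.reinstall_refused += 1
            return False
        self.key = key
        self.nonce = 0
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame with the current key, consuming one nonce."""
        assert self.key is not None, "no key installed"
        nonce = self.nonce
        self.nonce += 1
        return nonce, xor_bytes(plaintext, keystream(self.key, nonce, len(plaintext)))


def handshake_replay(patched: bool, frame1: bytes, frame2: bytes):
    """Install a key, send one frame, deliver a replayed message 3 (a second
    install of the same key), then send a second frame. Returns the two
    nonces used, whether the ciphertexts leak frame1 XOR frame2, and how
    many reinstalls the client refused."""
    session_key = hashlib.sha256(b"constructed PTK for the example").digest()
    client = Client(patched)
    client.install_key(session_key)
    n1, c1 = client.encrypt(frame1)
    client.install_key(session_key)           # replayed message 3
    n2, c2 = client.encrypt(frame2)
    # Under keystream reuse, c1 XOR c2 == frame1 XOR frame2: the
    # confidentiality loss that makes KRACK matter.
    leaks = xor_bytes(c1, c2) == xor_bytes(frame1, frame2)
    return n1, n2, leaks, client.reinstall_refused


if __name__ == "__main__":
    # Constructed sample frames of equal length.
    f1 = b"GET /patients/123 HTTP/1.1"
    f2 = b"POST /labs/upload HTTP/1.1"
    for patched in (False, True):
        n1, n2, leaks, refused = handshake_replay(patched, f1, f2)
        print(f"patched={patched}: nonces {n1},{n2} reuse={n1 == n2} "
              f"xor_leak={leaks} refused_reinstalls={refused}")
```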

Petya no pet as it spreads: is it ransomware or a vicious design for data destruction? (updated)

Breaking–The ‘more and worse’ experts predicted after WannaCry is here. In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to affect organizations in 64 countries with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected, in a near-total shutdown of its computer systems and resorting to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports to this hour of the NHS or major US, Asia-Pacific, or European health systems being affected. Update: Trading in FedEx shares was halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: The Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business

Like WannaCry, the ransomware exploited the EternalBlue backdoor; a report from ArsTechnica UK adds an exploit touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses a hacking tool called MimiKatz to extract passwords and then uses legitimate Microsoft utilities and components to spread it. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)

The Microsoft patch–and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install–while defending against WannaCry, still isn’t preventing the spread. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article confirming that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data by forever blocking it on your hard drive.

Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:

Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.

**  The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.

What you can do right now is to ensure every computer, every system, you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups. Remind employees to not click on links in suspicious messages or odd links even from known senders–and report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, like WannaCry. (A suggestion from this Editor–limit web search to reputable sites, and don’t click on those advert links which are buggy anyway!) Be judicious on updates for your software except by Microsoft and your security provider; there is growing but still debated evidence that the initial Ukrainian spread was through a hacked update on a popular tax accounting software, MeDoc. More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid.

And no matter what you do–don’t pay the ransom! The email provider within hours blocked the email so that the payment cannot go through. Updates to come. More reading from Bleeping Computer, Healthcare IT News, CNBC, HIStalk, US-CERT, Fortune, Guardian.

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News This morning’s (Tuesday 16 May) news is about reputable security organizations–Kaspersky Lab and Symantec–connecting the dots that lead for now to a North Korea-linked hacking organization, the Lazarus Group. This group has been identified in previous hack attacks; the link is based upon WannaCry code appearing in Lazarus programs. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea for its missiles, army, EMP and nuclear arming while its terrorized people starve. However, this attack was a flop; according to US Homeland Security, about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the original information which targeted weaknesses in Microsoft’s systems.

According to Czech security firm Avast, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India. No US Federal government systems were affected. China on Monday reported that it hit traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World, is that if the malware can’t connect to the unregistered domain, it infects the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article)  Also FoxNews

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here

Hackermania meets The Dark Overlord with 2.3 million 2017 health data breaches

It’s a cage match! Reports are soaring, with a proliferation of data breaches year to date, after a relatively quiet period in 2016.

The Dark Overlord (TDO), in the mainstream news with dumping unseen Netflix program episodes on illegal file-sharing sites and demanding ransom (Guardian), also has been hard at work dumping PHI hacked from various clinics. DataBreaches.net tallied it at 180,000 records from at least nine medical clinics.

Health data security developer/provider Protenus, whose Breach Barometer tracks the numbers, counted 2.1 million breaches in 1st Quarter. March spiked with 700,000 coming from Commonwealth Health Corporation of Kentucky.

Our standby Privacy Rights Clearinghouse counted over 175,000 to date, but 160,000 came from MedCenter Health in Protenus’ total, so their net addition was 15,000. But PRC’s detail illustrates that ransomware is alive, well, and invading smaller healthcare organizations. Other reasons are unauthorized data server access, third-party vendors, email error, and theft.

16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release  PDF of the US Digital Trust Report

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported, (more…)

The malware siege of Northern Lincolnshire and Goole NHS: a preview of more? (UK)

By now our UK readers are well aware of the shutdown due to malware starting Sunday 30 Oct, only resolved today, of the Northern Lincolnshire and Goole NHS Trust hospitals: Diana, Princess of Wales; Goole and District; Scunthorpe General.

[Image: NHS alert notice (NHS website via Krebsonsecurity.com)]

[Image: second NHS alert notice (NHS website)]

It is estimated that it affected approximately 1,000 patients over the three shutdown days. Most patients were diverted to neighboring hospitals, according to The Guardian.

The Health Services Journal (paywalled) broke, as an exclusive, the NHS’ high-priority warning to providers around the country. Yet it seemed equivocal. According to The Sun, while NHS Digital marked the message as ‘severity: high’ and warned that “… we would like to remind all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise,” it was tempered with “We have no evidence that this is anything other than a local isolated incident but we will continue to keep health and care organisations informed.” Also according to The Sun, the Department of Health has noted that this has not been the first incident.

As our Readers know, US and Canadian hospitals and healthcare organizations have been subject of late to malware and its latest iteration, ransomware, with a large outbreak this summer. (more…)

The cybersecurity black hole–and bad flashback–that is the Internet of Things

One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?’).

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default login credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets.

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet-connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare… best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare 

VA’s moves spell the end of the homegrown EHR

The Veterans Health Administration (VHA) is formally reaching out to the private sector to explore switching from its current, pioneering EHR system, VistA (also referred to as CPRS, Computerized Patient Record System) to a commercial system. Their ‘feeler’ is an August 5 and 8 notice in FedBizOpps.gov titled 99–TAC-16-37877 * RFI – VHA supporting COTS EHR REQUEST FOR INFORMATION (RFI), Solicitation Number: VA11816N1486. This requests information on business support for transitioning to a commercial-off-the-shelf system (COTS–don’t governments love acronyms?–Ed.) and closes 26 August, which is not a lot of time even for an RFI.

VHA has been under extreme pressure from Congress to modernize its EHR, lately in July hearings before the Senate Appropriations Committee. EHR replacement is also in line with the Congressionally-mandated, now concluded Commission on Care’s recently published recommendations on a total, top-down reorganization of VHA, including a sweeping reorg of their HIT management. The VHA strategy appears to be that while they are walking down the road to replace VistA and have already spent to assess where they are with KLAS and other EHR consultancies (spending $160,000+ on surveys), they are essentially ‘kicking the can down the road’ to the next administration (POLITICO’s Morning eHealth, 14 July).

Current state is to continue to upgrade VistA through late 2018, though the closely related Department of Defense’s Military Health System is in the long process of cutting its homegrown AHLTA over to Cerner-Leidos as MHS Genesis, awarded last August, with a first trial in the Pacific Northwest later this year (HealthcareITNews, Ed. emphasis). Of course, it will take the VHA years to roll it out; there are close to 9 million veterans enrolled in the closed system that is the VHA. FCW, Morning eHealth 10 August

Love EHRs or hate them, the sheer size of the VHA and its growing concession that VistA won’t do in caring for American veterans makes it clear that the future of EHRs is in private systems from major developers–a field which is winnowing out to The Few (take that, GE).

Summertime, and the health data breaches are easy….

Cybersecurity is the word, not the bird, from South Korea (see here) to the US. The week opened with an unusual healthcare plan supplier breach: 3.3 million payer records held by a card issuer, Newkirk Products of Albany, NY. The company issues ID cards for several Blue Cross and Blue Shield plans and provides management services to other commercial payers. Ironically, it was discovered five days after their $410 million acquisition by Broadridge Financial Solutions of Lake Success, Long Island. On July 6, Newkirk discovered ‘unauthorized access’ to a server with records containing the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number. “No health plans’ systems were accessed or affected in any way” according to the release. MedCityNews, Newkirk release on notice

Another supplier breach affected an estimated 3.7 million patients at Arizona’s Banner Health. This one was a bit closer to home: attackers compromised computer systems used in payment processing for debit and credit cards at Banner’s food and beverage outlets in four states between June 23 and July 7. A week later, the hackers gained unauthorized access to systems containing patient information, health plan member and beneficiary information, as well as information about physicians and healthcare providers. MedCityNews, Banner Health release

But what’s secret anymore about your health data anyway? It’s all those apps that are sending data via your Apple Watch and your Fitbit which aren’t necessarily covered by HIPAA or secure.

IoT and the inevitable, looming Big Data Breach

The Gimlet Eye returns to once again cast a baleful gaze on All Those Connected Things, or the Plastic Fantastic Inevitable. Those 6.4 million Wi-Fi-connected tea kettles, smart fridges, remotely adjusted pacemakers (and other medical devices) plus home security two-way video systems that accost the dodgy door ringer sound just peachy–but how good is their security? Not very, according to the experts quoted in this ZDNet article. It’s those nasty security flaws in IoT which were patched out 10 years ago on PCs that make them incredibly risky to have, as they can vector all sorts of Bad Things into both personal and enterprise networks. Their prediction is that a Connected Device with a big flaw will become molto popular and provide a Target a Hacker Can’t Refuse within two years. Or that some really clever hacker will write ransomware that will shut down millions of Connected Cars’ CPUs or disable the steering and brakes if 40 bitcoins aren’t placed in a brown paper bag and left on the third stool of the pizzeria at 83rd and Third.

Not much has changed since Eye wrote about those darn Internet Thingys last year [TTA 22 Sept 15]. The mystery is of course why these antique flaws are even part of the design. Designers being cheapskates? No consideration of security?