Data breach cost crests $4 million: Ponemon Institute

June 22, 2016 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]The average fully allocated cost of a data breach, according to the 2016 Ponemon Institute study (sponsored by IBM) is now over $4 million. The average global cost of every lost or stolen record is $158, but for healthcare organizations, that average cost is $355 per record, which reflects the higher street value of healthcare information. Healthcare was the second most ‘churned’ type of organization, surpassed only by financial services. Across the industries surveyed, hacking and ‘inside jobs’ caused the most data breaches overall–48 percent. (Hackermania does really run wild!) Healthcare organizations can mitigate costs by being proactive in detecting breaches early, having a CISO (chief information security officer), instituting employee training and awareness programs, deploying encryption and endpoint security plus a business continuity management plan. Ponemon/IBM website. Healthcare IT News

Threat hunting is also emphasized in a second Ponemon study sponsored by Raytheon, which recommended offensively hunting down threats to data security, and defensively setting up a security barrier to protect patient data and care systems. With nation-state attacks (think China and Russia), ransomware, compromises due to IoT (add outdated software), and physical data theft, the game is now complete control rather than plain ol’ disruption. After the attack, when most healthcare organizations finally get into gear on cyberthreats, is far too late. Ponemon/Raytheon ‘Don’t Wait’. Healthcare IT News

‘Protecting Patient Information’–a ‘worst case scenario’ book for HIT

May 4, 2016 | by

A much-needed book in the age of Hacker/RansomwareMania. A new book published, ‘Protecting Patient Information’ by Paul Cerrato, is subtitled ‘A Decision-Maker’s Guide to Risk, Prevention, and Damage Control.” It’s not a tome at 162 pages, since it’s written not for academics or IT Gearheads, but for physicians (including doctors running small practices), nurses, healthcare executives and business associates. It takes a practical, three-part approach to IT security in healthcare organizations which can be applied internationally:

  1. How to do an in-depth analysis of the organization’s risk level
  2. How to lower the risk of a data breach within the myriad of Federal and state rules regarding protected PHI
  3. How to deal with a data breach, even if you’ve followed 1) and 2) (This may be the ‘worst case scenario’ part of the book)

The preface to the book is written by John Halamka, MD, himself a CIO of Beth Israel Deaconess Medical Center in Boston and a professor at Harvard Medical School. It will set you back about $42, but worth it. Hat tip to our friends at HITECH Answers via Twitter. If you’ve read the book or will read it soon, this Editor and your fellow Readers would be interested in your thoughts or even a review.

Ransom! (ware) strikes more hospitals and Apple (update)–Healthcare.gov’s plus trouble

March 26, 2016 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Get out the Ransom! California hospitals appear to be Top of the Pops for ransomware attacks, which lock down and encrypt information after someone opens a malicious link in email, making it inaccessible. After the well-publicized attack on Hollywood Presbyterian in February, this week two hospitals in the Inland Empire, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both owned by Prime Healthcare Management, received demands. While hacked, neither hospital paid the ransom and no patient data was compromised according to hospital spokesmen. Additional hospitals earlier this month: Methodist Hospital in Henderson, Kentucky and Ottawa Hospital in Ontario, Canada. In Ottawa, four computers were hacked but isolated and wiped. It is not known if ‘Locky’, the moniker for a new ransomware, was the Canadian culprit. FBI on the case in the US. HealthcareITNews, National Post

Update: Locky is the suspected culprit in the Prime, Hollywood Presbyterian and Kentucky ransomware attacks. On Monday, Maryland-based MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore. Separately, Cisco Talos Research is claiming that a number of the attacks are exploiting a vulnerability in a network server called JBoss using a ransomware dubbed SamSam. Perhaps both are creating mischief? Ars Technica, Cisco Talos blog, BBC News, ThreatPost

More and worse attacks north of the 49th Parallel. Norfolk General Hospital in Simcoe, Ontario had a ransomware attack this week that spread to computers of staff, patients and families via the external website through the outdated content management system. According to MalwareBytes, “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”  So if you are running old Joomla! or even old WordPress, update now! Neil Versel in MedCityNews

If you’re thinking Mac Prevents Attacks, the first ransomware targeting Apple OS X hit earlier this month. Mac users who  downloaded version 2.90 of Transmission, a data transfer program using BitTorrent, were infected. KeRanger appears after three days to demand one bitcoin (about $400) to a specific address to retrieve their files. HealthcareITNews

Finally, there is the Hackermania gift that keeps on giving: Healthcare.gov. (more…)

The evolution of Facebook: implications for social health

February 9, 2016 | by

The Telegraph’s recent retrospective on Facebook and its evolution from 2004’s ‘Thefacebook’ of Harvard University students to the Facebook that many of us use now, with Chat, timeline and a converged mobile and desktop design, led reader Mike Clark to drop Editor Charles a line about how healthcare isn’t maximizing social media and internet-based innovation. Recent studies have indicated that these social patient communities benefit their members. Agreed, but there are increasing qualifications–and qualms.

Back in 2014, Facebook made some noises on forming its own online health communities, a move that was widely derided as Facebook monetizing yet another slice of personal (health) data from users. While Charles has made the excellent point that “almost all good health apps are essentially the tailored interface to an internet service that sits behind it, a fact often forgotten by commentators”, Editor Donna on her side of the Atlantic has seen concerns mount on privacy, security and the stealthy commercialization/monetization of many popular online patient support groups (OSGs) which Carolyn Thomas (‘The Heart Sister’) skewers here, excepting those with solid non-profit firewalling (academic, government, clinical). Example she gives: Patients Like Me, which markets health data gathered from members to companies developing products to sell to patients. How many members, with a disease or chronic condition on their mind, will browse through to this page that says in part: “Except for the restricted personal information you entered when registering for the site, you should expect that every piece of information you submit (even if it is not currently displayed) may be shared with our partners and any member of PatientsLikeMe, including other patients.”

We’ve also noted that genomics data may not be sufficiently de-identified so that it can’t be matched through inference [TTA 31 Oct 15], with the potential for sale. And of course Hackermania Running Wild continues (see here).

For now general information sites like WebMD and personalized reference sites such as Medivisor feel more secure to users, as well as small non-commercialized OSGs and ‘closed’ telehealth/telemedicine systems.

The security risks, and the promise of, the Internet of Things

February 3, 2016 | by

Jason Hope, who back in September wrote on how one of the greatest impediments to the much-touted Internet of Things (IoT) was not security, but the lack of a standardized protocol that would enable devices to communicate, has continued to write on both this topic and IoT security. While The Gimlet Eye had great fun lampooning the very notion of Thingys Talking and Doing Things Against Their Will [TTA 22 Sept 15], and this Editor has warned of security risks in over-connectivity of home devices (see below), relentlessly we are moving towards it. The benefit in both healthcare monitoring/TECS and safely living at home for older adults is obvious, but these devices must work together easily, safely and securely. To bend the English language a bit, the goal is ‘commonplaceness’–no one thinks much about the ubiquitous ATM, yet two decades ago ‘cash machines’ were not in many banks and (in the US) divided into regional networks.

As Mr Hope put it as the fifth and final prediction in his recent article:

The IoT Will Stop Being a “Thing”
How many times in the past week have you said, “I am getting on to the World Wide Web?” Chances are, not very many. How many times have you thought about the wonder of switching on a switch and having light instantly? Probably never. Soon, the Internet of Things, and connectivity in general, is going to be so common place, we also won’t think about it. It will just be part of life and the benefits and technology that wow us right now will cease to be memorable.

This Editor continues to be concerned about how hackers can get into devices, (more…)

Hospitals should ‘wash their hands’ of older medical devices, OS: expert

December 5, 2015 | by

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, which he likens to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary unintentionally corrupting systems and devices down the line.  (more…)

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

November 10, 2015 | by

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR). 

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)

China’s Anthem hack: they just wanna understand US healthcare

October 30, 2015 | by

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/02/gimlet-eye.jpg” thumb_width=”150″ /]Knock yersself out! The Gimlet Eye files via Bottle from A Dot On The Map off the New York coast. One of the stranger follow ups of the past week–one that is difficult to read with straight face–is the report in the Financial Times that the Chinese hacked into insurer Anthem’s 80-million strong beneficiary database in order to study up on the American healthcare system and benefit their aging population. Neil Versel with raised eyebrow in MedCityNews quoting the FT story: “The Chinese hackers had trained their sights on the U.S. health sector to help the country understand how other nations deal with medical care, people familiar with the Anthem investigation said.” You’d think it would be easier for the Chinese to go to a few conferences, meet a few executives and learn a few things first. Then maybe they could do a ‘deal deal’ with an insurer on their IP, or bring them into China on a JV. With so many services for sale from the thundering horde of data analytics companies and multiple middleware providers, write a check already. But that would destroy the Fun of Hacking!

How the FT could actually print without a hint of skepticism this ‘nothing to see here, move on’ story rolls the Eye. (more…)

Hackers hit another Blue Cross, put 10.5 million members at risk (Breaking)

September 9, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]BREAKING NEWS This time the data breach is at Excellus Blue Cross Blue Shield, which covers upstate New York (Rochester-Syracuse area). It was discovered by Excellus on 5 August but dated back to 23 Dec 13, and reportedly has compromised members’ names, addresses, telephone numbers, Social Security numbers, financial account information and in some cases sensitive medical information. According to the AP/NBC, it also breached other divisions of Excellus and the corporate parent, Lifetime Healthcare: Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies and Univera Healthcare. The source of the hack has not yet been determined.

Excellus joins fellow BCBS members Anthem [TTA 11 Feb], soon to be merging with Cigna, with 80 million; Premera Blue Cross [TTA 24 Mar] with 11 million, Care First with a ‘bag o’ shells’ 1.1. million [TTA 2 June]. The pattern has been such that the national Blue Cross Blue Shield Association (BCBSA) announced in July that it will offer all 106 million of its members identity protection starting next January. (Note for our mathematicians: Anthem has millions of non-BCBS members) Chinese hackers are suspected in the Anthem breach.

FierceHealthPayer broke the story, in this Editor’s estimation, to the healthcare trade area. Rochester Democrat & Chronicle. Excellus message to policyholders. The NBC/AP report also has a video interview with Eugene Kaspersky of the eponymous anti-virus software (and whose Kaspersky Lab was also a hacking victim earlier this year)

Updated via the Rochester Democrat & Chronicle:  FireEye is becoming the ‘go-to’ security company for health organization breaches–Excellus hired them in the wake of the Anthem breach and they discovered the vulnerability facilitating the breach.

Australian military health data went straight to China: report

August 7, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]The Australian Defence Department confirmed to the Sydney Morning Herald that protected health data of hundreds of Defence Forces personnel went to (guess where!) China. However, as breaches go, this was an easy hack–it was sent by a health contractor, Luxottica Retail Australia, which contracts with manufacturer Tristar Optical in Dongguan, Guangdong province. Those affected included soldiers posted overseas to Afghanistan and special forces commandos who went on to be deployed to Iraq. Luxottica has since lost its contract with principal contractor Medibank Health Solutions. Both Medibank and Defence have had a lot of ‘splainin’ to do with the Government. According to the SMH, “the revelations raised particular concern within the Defence establishment because of China’s extensive involvement in state-sponsored hacking and cyber-espionage, with Beijing showing a particular interest in accessing personal records of government workers in the US.” A ‘twin-spin’ of Data Insecurity: healthcare and military! Hat tip to Malcolm Fisk of Coventry University via LinkedIn updates.

“Who do I call?” when the cyberalarm goes off

July 10, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”175″ /]A top read for the weekend is this short article by Gillian Tett in the FT on the lack of coordination in the US in not only protecting systems from cyberattack, but also the lack of coordination between public and private sectors in protection–and when something does go wrong. As Henry Kissinger famously said about Europe when various crises loomed, ‘who do I call?’

Indicators of a gathering storm are everywhere:

* Wednesday’s hours-long, still unexplained outages at the NYSE and United Airlines. (The Wall Street Journal website going down for a bit was the topping on the jitters)

* A joint report from Cambridge University and Lloyds insurance group, also released Wednesday, estimated that a hack shutting down the US electrical grid would create $1 trillion in damage. (more…)

“The data security fault, dear Brutus, is not China, but in the company org chart”

June 30, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/06/Org-chart1.jpg” thumb_width=”150″ /]Mansur Habib, PhD and cybersecurity strategist, formerly CIO for the Baltimore City Health Department, proposes that any data breach analysis should start first with a hard look at the organizational chart. If the CIO or the chief information security officer (CISO) doesn’t report directly to the CEO, the executive clearly does not place priority on IT and data security, treating it as a cost center to be restricted; in his words, they do not ’embrace cybersecurity risk as business risk’. In his 2013 doctoral research in 2013 and subsequently, Dr Habib observed that about half of US HIT and cybersecurity heads report to the chief financial officer (CFO) or some other executive like a CAO (administrative). His withering take on most CEOs are that they are more concerned with stock price (more…)

The pileup of Federal ‘titanic serial IT disasters’ (US)

June 26, 2015 | by

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/06/keep-calm-and-secure-your-data-4.png” thumb_width=”150″ /]Don’t feel bad, HIT execs–the Feds are even worse. Complementary to our coverage of the increased danger of hacked health IT systems and data breaches (the trail of tears is here and here) is the oddly muted press clamor around the 4 June hacking report of the Federal Office of Personnel Management (OPM). Chinese hackers roamed around two OPM databases–personnel and security clearances–for nearly a year, according to CNN’s Senate briefing coverage. The breach likely exceeded 18 million records, though the real number may never be known. Privacy Rights Clearinghouse summarizes it and provides an interesting link to a timeline by Brian Krebs, whose independent reporting beat is IT security. Megan McArdle, a reformed IT consultant writing for Bloomberg News and independently, points at the Federal lack of urgency around having adequate IT that doesn’t fail. Example–the much chronicled failure around Healthcare.gov and the so-called health exchanges, which appear to be functioning better, but reports say they are nearly porous and hackable as they were in 2013. She notes that it’s all about ‘scorched-earth determination’ and that the direction has to come from the top, meaning the President. And ‘voters have never held Obama responsible for his administration’s appalling IT record’. A thought that should give those in telehealth and telemedicine who are working with CMS value-based program ACOs a great deal of pause. NY Post editorial via Press Reader.

58 percent of health data breaches due to simple theft, not hacking: JAMA

April 21, 2015 | by | 2 Comments
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2014/08/keep-calm-and-encrypt-your-data-5.png” thumb_width=”150″ /] Criminal activity is the cause of nearly 6 out of 10 data breaches, according to a study published in JAMA last week (subscription required). Cyberbreaches–the infamous hacking attacks–produce breaches in the millions, but the far more typical and frequent breach, if smaller, is caused by simple theft of records–electronic and paper. HealthLeaders We’ve reported previously that stolen records (over 500) have ranged from laptops to paper records as landfill and even old-style X-rays in dead storage sought after for mercury content. So if Hackermania is not always running wild, except when it is, how to keep those records secure? According to West Virginia United Health System’s assistant CIO interviewed by FierceHealthIT at HIMSS, it requires a policy change of staff education, expectations, understanding that protecting patient information is part of holistic care–and frequent audits. Trust, but verify. Encrypt–and keep passwords secure, multiple and frequently changed.

“Data moves at the speed of trust”–RWJF report

April 2, 2015 | by

The report issued today by the influential Robert Wood Johnson Foundation (RWJF), ‘Data for Health: Learning What Works’ advocates a fresh approach to health data through greater education on the value/importance of sharing PHI, improved security and privacy safeguards and investing in community data infrastructure. If the above quote and the first two items sound contradictory, perhaps they are, but current ‘strict’ privacy regulations (that’s you, HIPAA), data siloing and the current state of the art in security aren’t stemming Hackermania (or sheer bad data hygiene and security procedures). Based on three key themes, the RWJF is recommending a suite of actions (see below) to build what they term a ‘Culture of Health. All of which, from the 10,000 foot view, seem achievable. The need–and importantly, the perception of need–to integrate the rising quantity of data from all these devices, pry it out of its silos (elaborated upon earlier this week in ‘Set that disease data free!), analyze it and make it meaningful plus shareable to people and their doctors/clinicians keeps building. (‘Meaningful’ here is not to be confused with the HITECH Act’s Meaningful Use.)

But who will take the lead? Who will do the work? Will the HIT structure, infrastructure and very importantly, the legal framework follow? We wonder if there is enough demand and bandwidth in the current challenged system. Release. RWJF ‘Data for Health’ page with links to study PDF, executive summary which adds details to the recommendations below, more.[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/04/Data-For-Health-Advisory-Committee-RWJF.png” thumb_width=”400″ /]

Data breaches top 120 million since 2009 (US)

March 24, 2015 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”200″ /]“The medical industry is years and years behind other industries when it comes to security.”–Dave Kennedy, TrustedSEC CEO.

We admire the Washington Post for arriving at the conclusion we did in 2010–that healthcare organizations are uniquely vulnerable to cyberattack because of the high value of patient data, and an often lighter level of HIT security. But now we get the finger wag that ‘it’s only going to get worse.’ (Beyond 120 million breached records?) Data security, of which HIPAA patient information protection is a part, wasn’t primary for years, especially in organizations overwhelmed with transitioning EHRs, getting EMRs to speak with EHRs, Meaningful Use, new care and payment models, 30-day readmissions and ‘oh, by the way, how will we get paid?’ The Premera Blue Cross (Washington state) breach of 11 million records was the second largest in healthcare history (after Anthem Health‘s February bunker buster of a breach). Most breaches are from stolen laptops or shared/easy to guess passwords (or none at all)–but these have not been in the millions. Premera’s theft took place on 5 May 2014 and was only discovered in January; it included SSIs, bank information, claims data, patient name/address and date of birth. Those affected were in California and Alaska primarily, but also included Federal employees.

But Premera can’t say they were not warned. The US Office of Personnel Management’s Office of the Inspector General (OPM OIG) independently audited Premera in April 2014 detailing several vulnerabilities, including a lack of timely patch implementations, a lack of methodology to “ensure that unsupported or out-of-date software is not utilized” and insecure server configurations, and the need to upgrade physical access controls in their data center. FierceHealthIT

Premera’s medical files data may expose other payers, which in turn may legally come after Premera, according to FierceHealthIT.

Only now are health systems and practices focusing on securing all information  (more…)