Mid-week roundup: Colorado terms Friday Health Plans; Cano 3 continue to savage board; Amazon Pharmacy layoffs; hacking attacks: QuickBlox, Barts Health; Phreesia buys MediFind; financing pops for K Health, Amino

Colorado liquidates, terminates insolvent insurtech Friday Health Plans. The Colorado Division of Insurance (DOI) had placed it into receivership in June after the company declared it would close, unable to find funds to operate its plans. On Monday, the DOI moved to liquidate its operations and terminate the plan effective 31 August. Its 30,000 policyholders on individual Affordable Care Act (ACA) exchange plans will be scrambling to find new coverage. In the receivership move, DOI had hoped that Friday had enough funds to keep the state plan solvent through end of year, but it did not. According to the Colorado Sun, Friday still owed unpaid Federal taxes as well as roughly $2 million in fee payments to the state’s insurance exchange, Connect for Health Colorado, which left the DOI without much hope. Friday had previously just about shut down its headquarters in Alamosa. This leaves 30,000 individuals not only scrambling for coverage, but also out eight months of accumulated deductibles, perhaps thousands of dollars, as these plans tended to be high deductible. Colorado DOI opened a special enrollment period (SEP) for Friday policyholders and insurance brokers starting immediately through 31 October. Providers are protected somewhat through the state’s Colorado Insurance Guaranty Association, but many stopped taking Friday-covered patients last month. Friday’s crash-and-burn is the worst example of an insurtech’s demise to date and not promising for policyholders in other states such as Texas, Georgia, Oklahoma, and Nevada. Healthcare Dive

The Cano 3 attack in the continuation war with the Cano Health board. In the latest episode of this telenovela, resigned directors Barry Sternlicht, Elliot Cooperstone, and Lewis Gold, who among them hold about 35% of the company’s shares, are still supporting interim CEO Mark Kent but pressing hard to oust three of the directors reelected at the last shareholder meeting, including Marlow Hernandez, the founder and former CEO. What’s new is that they have declared war on Sol Trujillo as chairman and Angel Morales as chair of the audit committee, as allies of Dr. Hernandez. In addition to removing five directors and the interim chief legal officer plus ending their high monthly equity awards, they support divesting non-core assets. Mark Kent will have to be Clark Kent ducking into the phone booth to succeed in this. Press release. Mr. Sternlicht cannot be in a good mood, as Starwood Capital Group is in default on a $212.5 million mortgage on an Atlanta office property, Tower Place 100, in the continuing souring of the commercial real estate market. Fortune

Amazon Pharmacy has laid off 80 employees, mostly pharmacy technicians and team leaders, in continuing cutbacks there. This is the former PillPack. One would think that it would be expanding based on the growing medical needs of One Medical and Amazon Clinic. As for the latter, which was to roll out nationally today but was questioned on data privacy grounds, there is no update announcement as of today. To date, Amazon has laid off an amazing 27,000 workers. Semafor, Becker’s

Cybersecurity also racked up some hacks in the past week or so:

  • A popular software framework used in telehealth and financial applications, QuickBlox, was found to have several critical security flaws. The QuickBlox SDK (Software Development Kit) and API (Application Programming Interface) used for developing chat and video applications had a vulnerability that allowed researchers to take over multiple accounts, compromise the user database, and extract PHI. The vulnerability also permitted a hacker to impersonate a physician or patient and alter health records. The flaws were reported by the Team82 and Check Point Research (CPR) teams and have since been fixed. Blow-by-blow with screenshots in Cybersecuritynews and overview in Becker’s.
  • Barts Health NHS Trust was hacked by BlackCat, a/k/a ALPHV. About 70 terabytes of data were stolen, which BlackCat claims is the largest breach in UK medical history. ALPHV listed the stolen data, including employee identification documents such as passports and driver licenses, and internal emails labeled “confidential”, around 30 June. Barts runs five London-based hospitals and serves more than 2.5 million patients. The Barts Health hack adds to NHS misery after an earlier attack on a University of Manchester NHS dataset with information on 1.1 million patients across 200 hospitals. The same Russian ransomware gang, CLOP, that got Johns Hopkins [TTA 19 July] also got Ofcom, the UK’s communications regulator. TechCrunch

Yes, there is good news in M&A and funding:

Phreesia is buying MediFind. No purchase price or management transition was disclosed. Phreesia is a patient intake platform that grew from a tablet used in practices for scheduling and patient check-in to a fully featured platform for workflow, claims, outreach and patient education. MediFind uses machine learning and analytics to connect patients with leading experts, clinical trials, health systems, and healthcare technologies. Phreesia is one of the few 2019 vintage IPOs to not crater–it’s trading on the NYSE at above $32 though as recently as end of 2021 its share price was double. Phreesia release.

K Health gained an unlettered venture round of $59 million from Cedars-Sinai, its new partner, plus current investors, including Valor Equity Partners, Mangrove Capital Partners, and Pico Venture Partners. This brings funding for this Israeli company to $330 million through a Series E. K Health’s platform uses a chat function that pre-screens patients with symptoms, uses AI to suggest possible diagnoses based on that person’s medical history, age, and gender, and will connect with a doctor or nurse if needed–which sounds somewhat like Babylon Health and Zipnosis. The chat can be used for primary care, some pediatric areas, urgent care, and chronic care management. K Health claims that 10 million individuals have interacted with its AI, and 3.1 million patients in 48 states have chatted with a doctor or nurse. FierceHealthcare

Amino, a navigation platform, received $42 million in credit financing from Oxford Finance. This was the final part of its $80 million venture raise in May. Amino connects physical and mental healthcare providers and benefits programs with members at self-insured employers and health plans, managed by third-party administrators, brokers, and human resources. Members access recommendations for providers and relevant benefits. Amino’s total funding is $125 million, mostly in venture rounds. Its last letter round was a Series C in 2017. It’s a busy sector with similar companies like Accolade, Rightway, and Transcarent.  Mobihealthnews

Ransomware roundup: TimisoaraHackerTeam (THT) attacks cancer centers; KillNet’s ‘Sudanese’ member; 101K ChatGPT accounts infostolen; LockBit attacker arrested on Federal charges

TimisoaraHackerTeam (THT) attacked an unnamed US cancer center with malware in June, demanding a ransom of 10 bitcoins ($300,176). The Central European, possibly Romanian-based group (named after a Romanian town) was uncovered in 2018 and was last tracked to an April 2021 attack on a French hospital. The malware encrypts files using legitimate software, Microsoft BitLocker and Jetico’s BestCrypt. Reports state that it targeted Fortinet’s FortiOS SSL-VPN to exploit CVE-2022-42475, a heap-based buffer overflow vulnerability that allows remote attackers to execute code or commands using specially crafted requests. THT may be linked to other malefactors such as DeepBlueMagic and China-based APT41, based on the software used and the style of its notes. DeepBlueMagic disabled an Israeli medical center, Hillel Yaffe, in October 2021.

The cancer center and Heimdal Security were able to reclaim the hacked records through the use of decryption software, as the records were only partially encrypted, avoiding the ransomware payment. HHS’ Office of Critical Infrastructure Protection has issued its notification with details on the attack here (PDF). SC Magazine, Healthcare Dive

KillNet, the Russia-based agglomeration of anti-Western hacktivist groups, has a possible new member in the interestingly named Anonymous Sudan. Their modus operandi is to use distributed denial of service (DDoS) attacks in response to the anti-Islamic views or actions of Western organizations (to date, 24 Australian ones), but the DDoS claims are smokescreens that not only tie up cyberdefense resources and generally spread panic and disinformation, but also gain publicity for the group. Cyber researchers CyberCX noted that their DDoS attacks have been intense, but unusual in that Sudan (the country) apparently has not instigated the attacks, nor have the attacks been monetized. SC Magazine

Surprise, surprise–infostealers using malware to get into ChatGPT accounts. Once into the accounts, the malware infects browsers to collect saved credentials, bank card details, crypto wallet information, cookies, browsing history, and other information. Most of the affected devices are in Asia-Pacific. The malware is for sale on the dark web. Of the 101,134 accounts tallied by Group-IB, most were breached by Raccoon/RecordBreaker (78,348), while the remainder were hit by Vidar (12,984) and RedLine (6,773). ChatGPT is being downloaded individually and often introduced into enterprise systems from personal devices without the usual IT security and vetting. LLM models for now are unsecured and for hackers, it’s ‘happy time’. SC Magazine

But sometimes the bad actors get caught and dragged back to New Jersey. The FBI finally caught up to Russian national Ruslan Magomedovich Astamirov, who is accused of being part of the ransomware gang dubbed LockBit. The two counts filed in the Federal District of New Jersey center on conspiracy to commit fraud and related activity in connection with computers, plus the ever-popular conspiracy to commit wire fraud, for the usual extortion of money and property between 2020 and 2023. The attacks were on businesses based in West Palm Beach, France, Tokyo, and Virginia, and brought in about $90 million in ransom payments. Astamirov sent emails and owned IP addresses, as well as the Amazon and Microsoft accounts used in the fraud. NJ was chosen as the location for the Court since there was one LockBit victim in Essex County. SC Magazine, Criminal Complaint filed against Astamirov (PDF)

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. “We immediately contained the threat, secured our network, and have returned to normal operations,” a NextGen spokesperson said. “Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.” NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in May 2021, using the Darkside ransomware, which dried up gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More from these reports, according to SC Media:

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one to five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated: PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. It was exhibited alongside NextGen and remained listed when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. These include a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act, which didn’t go far, but elements of which found their way into the omnibus. It is a needed change for medical devices and one long expected by manufacturers. SC Media

News roundup: DDoS attacks may be ‘smokescreen’, DEA slams Truepill with ‘show cause’, telehealth claims stabilize at 5.4%, Epic squashes patent troll, Cerner meeting exits KC, MediOrbis, Kahun partner on AI intake

Readers won’t get out of 2022 without one last cybercrime…article. DDoS attacks–distributed denial of service–escalated worldwide with Russia’s invasion of Ukraine in February. (Ukraine and military aid is a hot topic this week with President Zelenskyy’s visit to the US and Congress speech.) Xavier Bellekens, CEO of Lupovis, a cybersecurity company and a cyberpsychologist (!), postulates that DDoS attacks, as nasty as they are, may be a smokescreen for far more nefarious and damaging attacks. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks are taking place. Russian cyber groups focus on large organizations and move down the line into the most vulnerable, using both manual and automated approaches. Worth reading given the vulnerability and IT short staffing in healthcare organizations. Cybernews

The fallout from Cerebral and Schedule 2 telehealth misprescribing expands. The Drug Enforcement Agency (DEA) issued a ‘Show Cause’ order to online pharmacy Truepill for inappropriate filling of ADHD Schedule 2 medications, including Adderall. A ‘Show Cause’ order is an administrative action to determine whether a DEA Certificate of Registration should be revoked, which could put Truepill out of business. The red flag for the DEA: 60% of Truepill’s prescriptions–72,000–filled between September 2020 and September 2022 were for controlled substances, including generic Adderall. Truepill was Cerebral’s primary mail order provider, though Cerebral also used CVS and Walmart. The company stopped filling Cerebral’s ADHD prescriptions in May 2022.

In the order, the DEA cites that “Truepill dispensed controlled substances pursuant to prescriptions that were not issued for a legitimate medical purpose in the usual course of professional practice. An investigation into Truepill’s operations revealed that the pharmacy filled prescriptions that were: unlawful by exceeding the 90-day supply limits; and/or written by prescribers who did not possess the proper state licensing.”

The company stated in an emailed statement that they were fully cooperating with the investigation. If it does move to a hearing, Truepill’s chances of a successful defense are statistically low.

Truepill also fills prescriptions for Hims & Hers, GoodRx and Mark Cuban Cost Plus Drug Company. It was valued in its 2021 funding round at $1.6 billion. Companies in telemental health and prescribing of Schedule 2 ADHD medications, such as Cerebral and Done Health, are under enhanced scrutiny over their business practices [TTA 1 June]. Mobihealthnews, DEA press release, HISTalk, Digital Health Business & Technology

Telehealth medical claims stabilize. FAIR Health’s latest reports, for August and September, show that the percentage of medical claims coded as telehealth is back up to 5.4%. June and July dropped slightly to 5.2% and 5.3% respectively. Also steady: the vast majority of claims are for mental health services. In September, they were 66% of diagnoses, far ahead of ‘acute respiratory diseases and infections’ at 3.1%. In procedure codes, psychotherapy accounts for over 43%.

A patent troll Epically bites the dust. Back in the early to mid-2010s [TTA’s index here], patent trolls (technically non-practicing entities, or NPEs, which have no active business) presented a significant threat to early and growth-stage health tech companies. One, MMR Global (which apparently no longer exists), was notorious for buying up EHR and PHR-related patents and then filing patent infringement lawsuits against both small and large healthcare organizations with similar patents–and their users–that were generally monetarily settled. But NPEs are still active. One in south Florida, Decapolis Systems, used the same techniques as MMR Global had, in this case suing multiple Epic customers for patent infringement. Epic not only defended its customers but also sued Decapolis in the US District Court, Southern District of Florida. The court found that both Decapolis patents were invalid, ending what Epic termed ‘vexatious patent litigation’. Decapolis had successfully sued 24 other entities, including other EHRs, which settled. Owned by an inventor, this company will have to find another line of honest business. Epic release, Thompson Coburn

Oracle’s message to Kansas City: no more Cerner meetings for you. And maybe more. Cerner’s site for its annual customer/partner conference since 2007 has been Kansas City, attracting about 14,000 visitors. Not only will it be integrated into Oracle CloudWorld in Las Vegas, 18-21 September, it’s been retitled Oracle Health with no mention of Cerner. The loss to local KC business is substantial–estimated to be in the $18 million range. While it’s logical to integrate it into the massive CloudWorld conference, it’s also another message to KC, after Oracle’s sudden real estate downsizing, that Cerner’s presence there will shrink…and shrink…as it’s absorbed into Oracle Health, and further confirmation that the Cerner name is gradually being sunsetted. KansasCity.com, HISTalk

A new (to this Editor) specialty care telehealth company, MediOrbis, is partnering with Kahun for an AI-enabled digital intake tool. This is a chatbot capable of conducting an initial medical assessment. Based on the patient’s answers and Kahun’s database of about 30 million evidence-based medical knowledge insights, it provides a summary for the physician before the telehealth visit and highlights areas of concern. Mobihealthnews. MediOrbis has also partnered with remote care/engagement company Independa to add its capabilities to Independa’s HealthHub on their LG TVs.

Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

It’s a post-Independence Day and early summer holiday relatively quiet week…

It’s Merative, not IBM Watson Health anymore. Francisco Partners’ buy of Watson Health from IBM closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” across health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy from CEO of eSolutions, a former Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex; and Merge Imaging
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader; now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (for example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with, but ultimately sent packing, CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June], but since then their stock (trading under 1Life Healthcare) and valuation have cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

Thursday legal news roundup: Oscar Health accused of IPO securities fraud; Venezuelan cardiologist moonlights as cybercriminal, faces slammer; Change Healthcare sues former employee now at Olive AI

To use a cliché, what a difference a year makes. In March 2021, insurtech Oscar Health successfully raised $1.4 billion in its IPO with shares at $39. Heady times didn’t last long, with shares tumbling to $5.67 as of this writing. Now the shareholder lawsuits have begun, with the complaint stating that the negative effects of COVID-19 on Oscar’s business were not disclosed, specifically the growing cost of the pandemic in testing and treatment costs they would cover, and that “Oscar would be negatively impacted by an unfavorable prior year Risk Adjustment Data Validation (RADV) result relating to 2019 and 2020 [and] that Oscar was on track to be negatively impacted by significant SEP membership growth”. The lack of forward-looking disclosure at an IPO is a violation of the Securities Act. The initial lawsuit has been filed in the US District Court for the Southern District of New York by shareholder Lorin Carpenter. Multiple law firms have invited shareholders to join in the suit — example from PR Newswire. Also named in the suit are Oscar Health co-founders CEO Mario Schlosser and Vice Chairman Joshua Kushner, plus several investment banks.

Oscar started the year with a Q1 loss of $0.36 per share versus an estimate of a loss of $0.40, but this is less than half of last year’s loss of $0.98 per share. They are also exiting the Arkansas and Colorado markets in 2023. Healthcare Dive

Cardiologist, master cybercriminal, a new Dr. Mabuse? Accused of the creation, use, and sale of ransomware is one Venezuelan doctor and practicing cardiologist, Moises Luis Zagala Gonzalez, a dual citizen of Venezuela and France. The charges by the Department of Justice (DOJ) in the Eastern District of New York also detail his “extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.” SaaS can’t hold a candle to the RaaS–ransomware-as-a-service–operation he created to sell what he dubbed ‘Thanos,’ allegedly named after a fictional cartoon villain responsible for destroying half of all life in the universe. Turns out that Iranian state-sponsored hackers and fellow ransomware designers really liked it too. If convicted, he faces 10 years in Club Fed–five years for attempted computer intrusion, and five years for conspiracy to commit computer intrusions. Designing criminal software really does test the limits of moonlighting. DOJ release, TechCrunch

Change Healthcare sues former employee at competitor Olive AI. While their merger with UnitedHealthcare is tied up in the US District Court in DC [TTA 23 Mar], Change Healthcare is not letting any courtroom grass grow under their feet. They are suing a former employee, Michael Feeney, for violating the non-compete clauses of his employment contract. The suit was filed in Tennessee Chancery Court, in Change’s HQ state. Mr. Feeney has countersued in his state of residence, stating that the non-compete violates Massachusetts law. He was VP, strategy and operations at Change, handling physician revenue cycle management. At Olive AI, he is currently SVP, provider market operations. Information is a bit scarce on this, and the free article this Editor has found reads as if machine-translated. If you have access to the Nashville Post or Modern Healthcare, it’s probably more decipherable.

As to the lawsuit affecting non-competes due to the tight labor market–don’t count on it. It’s a conflict between the state the company is in enforcing non-competes, versus a state which restricts (or negates) them that is the former employee’s state of residence and work. What wins out will be the interesting part and affect many of us in the US.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics–international hackers inserting ransomware in compromised systems and demanding billions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. It’s a steady drumbeat despite many efforts to secure against outside attacks and continuously monitor systems; there are still plenty of legacy devices floating around hospitals and clinics running outdated computer software and initial setup passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported on 18 January that servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program, which aids missing people and their families, unaccompanied or separated children, detainees, and others affected by armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts. In addition, login information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach that accessed patient billing information with the intent of rerouting payments from the hospital to the attackers. In the process, the hacker gained access to patient billing information, names, dates of treatment, treatment codes and costs, but not the jackpot of SSNs and other financial information. The article does not disclose whether payments were successfully redirected. Becker’s Health IT

Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reporting that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices: a continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this, as it’s been an issue this Editor’s written about since (drumroll) 2013, when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

Breaking: 1B CVS Health records exposed in unsecured database now secured

A potential hacker’s holiday–damage unknown, but now secured. Back in March, cybersecurity researcher Jonathan Fowler, working with the WebsitePlanet research team, discovered an unsecured database, hosted by an undisclosed third-party vendor, with information clearly linked in their view to CVS Health. Mr. Fowler and WebsitePlanet immediately notified CVS Health through a responsible disclosure notice. 

The files were production files with 1,148,327,940 records in a file of 204 GB. CVS worked quickly to secure the data that same day by shutting down public access. CVS confirmed to WebsitePlanet that it was indeed their data. No directly personally identifiable information (PII) was included of customers, members, or patients. Instead, the histories are largely log files from searching and shopping on the site. However, Mr. Fowler maintains that there was enough information in the files to derive customers’ PII, including their email addresses.

The story is breaking now on media, notably ABC-TV cited in Becker’s. While apparently not a true breach or malicious–just another one of those darn errors–it presented a real danger to CVS Health customers. Whether the publicity will force CVS Health to take remedial action is to be determined. Not ‘Hackermania Running Wild’ but could have been in this overheated world of ransomware and Healthcare Hacking. CVS needs to keep far tighter oversight on their vendors. They should post what’s left and above in the IT Department. Also Threatpost and Becker’s Health IT

News roundup: Hacks, ransomware of medical records, security cameras spike; Withings launches new mobile-direct devices; Bluestream Health adds Leon Medical (FL) to telehealth

In recent weeks, hackermania has been romping in healthcare. A compilation of incidents revealed just in the past few weeks have affected hundreds of thousands of patients, employees, and providers:

  • Security cameras produced by Verkada, Inc. were hacked across the US, including at Tesla. Healthcare organizations affected by the hack included Daytona Beach, Fla.-based Halifax Health, where the video showed “what appeared to be eight staffers tackling a man and pinning him to a bed.” Texarkana, Texas-based Wadley Regional Medical Center and Tempe (Ariz.) St. Luke’s Hospital were also hacked. The means of entry was described by one of the hackers (appropriately female for this month) as a “super admin” account whose username and password appeared online. Becker’s Health IT 10 March, Bloomberg News
  • 210,000 MultiCare patients, providers, and employees of Tacoma, Wash.-based MultiCare had personal information exposed in a December ransomware attack on their medical practice management company’s IT services vendor. Becker’s Health IT 9 March
  • A clinic in North Carolina had a six-day ransomware attack starting 23 February. Hackers demanded a $1.75 million payment in exchange for giving back the clinic access to its data. The clinic came back online 1 March but did not disclose any payment. Becker’s Health IT 5 March
  • NBC News revealed that hackers stole employee files from Gallup, New Mexico-based Rehoboth McKinley Christian Health Care Services after a ransomware attack on its computer network in February. Those employee files were posted online; information included employee job applications and background check authorizations with Social Security numbers. Earlier attacks by the same hacker group on Leon Medical Centers of Miami-Dade, Florida (see following) and Nocona (Texas) General Hospital resulted in the online publishing of tens of thousands of patient records. Becker’s Health IT 4 March
  • Hackers attacked biochemical machines used to prepare samples in Oxford University’s Division of Structural Biology. Forbes received the information from Hold Security chief technology officer Alex Holden, who provided screenshots of the hackers’ access to Oxford University systems, and notified the university.
  • The cutely-named DoppelPaymer attacked a county government office in Chatham County, North Carolina, and stole residents’ PHI and PII between November 2020 and this past January. Becker’s 10 Feb
  • And on the ‘Someone Got Fired For This One’ list is the response to hacking at Boise, Idaho’s Saint Alphonsus Health System. The health system had a data breach in January. Patients were routinely notified. However, the mail merge, not the hack, created an incorrect status for some patients, sending them letters as if they were deceased or a minor. Becker’s Health IT 10 March

It’s cold comfort when the US Department of Justice announces that they are indicting three North Korean hackers who inflicted the WannaCry malware and $1.3 bn in extortion damage on the world back in 2018. All three were members of North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). The likelihood of their extradition is one word: none.

And in other news….

Withings unveils new professional devices. The Body Pro smart scale and BPM Connect Pro, distributed to doctors, out of the box will transmit health data directly from patient to doctor. Neither requires Wi-Fi or a mobile phone, since both have embedded cellular SIM cards to connect directly to a mobile network. They are both sold through Withings’ professional division. FierceHealthcare

Telehealth provider Bluestream Health has added Leon Medical Centers, a seven-location Miami-Dade FL provider. Bluestream Health provides white-labeled secure telehealth services that combine with medical workflows to approximately 50,000 providers in 500 facilities. Release.

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy

Alissa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.
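The BOLA pattern from the bullet list above, and the one-digit ID change just described, as an added Python example that is not from the Approov report or any of the tested apps: a record lookup that trusts the client-supplied ID beside its hardened form, plus a log check that flags ID swapping from the server side. The record IDs, user IDs, the AuthContext class and the log lines are all constructed for illustration.

```python
"""Broken Object Level Authorization (BOLA) in a health API, shown as a
vulnerable handler, a hardened handler, and a detection check.
Everything here is constructed: names, IDs and log lines are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store: record_id -> owning patient, assigned clinician, PHI
RECORDS = {
    1001: {"patient_id": "pat-a", "clinician_id": "dr-x", "diagnosis": "hypertension"},
    1002: {"patient_id": "pat-b", "clinician_id": "dr-x", "diagnosis": "asthma"},
    1003: {"patient_id": "pat-c", "clinician_id": "dr-y", "diagnosis": "migraine"},
}


@dataclass(frozen=True)
class AuthContext:
    """What a validated session token proves about the caller (hypothetical)."""
    user_id: str
    role: str  # "patient" or "clinician"


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_record_vulnerable(ctx: AuthContext, record_id: int) -> dict:
    """The BOLA pattern: the caller is authenticated, but nothing checks that
    ctx is allowed to read record_id. Changing 1001 to 1002 in the request
    returns another patient's PHI."""
    return RECORDS[record_id]


def can_read(ctx: AuthContext, record_id: int) -> bool:
    """Object-level authorization decided from the session, never from the
    client. A missing record is treated like a denied one so that IDs cannot
    be probed for existence."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return False
    if ctx.role == "patient":
        return rec["patient_id"] == ctx.user_id
    if ctx.role == "clinician":
        return rec["clinician_id"] == ctx.user_id
    return False


def get_record_secure(ctx: AuthContext, record_id: int) -> dict:
    """Hardened form: same lookup, gated by the ownership check."""
    if not can_read(ctx, record_id):
        raise Forbidden(f"{ctx.user_id} may not read record {record_id}")
    return RECORDS[record_id]


def flag_enumeration(access_log, threshold: int = 3):
    """Detection side. Each log entry is (session_id, record_id, allowed).
    A session that touches more distinct record IDs than it plausibly owns,
    or is refused repeatedly, shows the signature of ID swapping.
    Returns the flagged session IDs, sorted."""
    distinct_ids = defaultdict(set)
    denials = defaultdict(int)
    for session_id, record_id, allowed in access_log:
        distinct_ids[session_id].add(record_id)
        if not allowed:
            denials[session_id] += 1
    return sorted(s for s in distinct_ids
                  if len(distinct_ids[s]) >= threshold or denials[s] >= threshold)


# Constructed access log: sess-2 walks neighbouring IDs and is mostly refused.
SAMPLE_LOG = [
    ("sess-1", 1001, True),
    ("sess-2", 1001, False), ("sess-2", 1002, True),
    ("sess-2", 1003, False), ("sess-2", 1004, False),
    ("sess-3", 1003, True),
]
```

With the hardened handler in place, the enumeration check is what surfaces the attempt that the vulnerable handler would have silently served.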

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off the shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

10 years in 2 months: prognosticating the longer-term effect of COVID-19 on telehealth, practices, and hospitals

This Editor recounted last night in the article below on The TeleDentists’ fresh agreements with Cigna and Anthem the observation of a former associate who has been in the thick of the remote patient monitoring wars for some years that telehealth/telemedicine has progressed 10 years in 2 months. Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), stated to the Wall Street Journal (paywalled), “I think the genie’s out of the bottle on this one. I think it’s fair to say that the advent of telehealth has been just completely accelerated, that it’s taken this crisis to push us to a new frontier, but there’s absolutely no going back.” Even in a short period of time, CMS-reported telehealth visits as of 28 March trebled from 100,000 to 300,000. When the April numbers are in, it would not be surprising to see it grow well into seven figures.

The genie may be out of the bottle, but what will the genie do? Genies are, after all, unpredictable, and fly around.  Out of the smoke, some educated guesses:

  • Insecure, non-HIPAA compliant audio/video platforms will be the first which should be struck from CMS approval. Zoom has become a hackfest, with all sorts of alerts from mobile providers like Verizon on how to secure your phone. (An organization of which this Editor is a member had a panel this week completely disrupted by a hacker in five minutes.) Skype’s problems are well known. The winners here will be telehealth platforms that integrate well with EHRs, population health platforms (or may be part of population health platforms), and have robust security.
  • Primary care practices and specialists, who’ve been surviving on non-F2F visits, will be adjusting their practices to patient demand, and integrating telehealth with physical visits in a way that their patients will prefer. This means a search for integration of EMRs/EHRs with secure platforms and reconfiguring areas such as care coordination. If planned correctly, this could create better management of patients with multiple chronic conditions.
  • Actual physical visits will rebound, creating financial pressure on Medicare, hospitals, and private payers. How many people’s health has declined in two-three months is key. Small practices, who may see this first, will see another level of pressure, because they will be held to their Medicare quality metrics in value-based models even if adjusted. Hospitals will also rebound–if they are able. The dark side: private payers may run the numbers and scale back on benefits for the 2021 year especially if COVID is projected to make a return.
  • Behavioral health may benefit, yet drive individual practices and a wave of retirements, or a consolidation into clinic or group settings. There’s a reason why Optum is buying out AbleTo; we may see a wave of competitor acquisitions in this area, with the emphasis on cognitive health and short courses. Why retirements? Many psychiatric practices are still independent, concentrated geographically, and the average psychiatrist is over 50. Psychiatric EHRs are both costly and not particularly suited to practices. If faced with technological challenges, a lot of MDs and senior clinical psychologists may very well exit–threatening clinics which need MDs to legally operate.
  • Rural health’s failure accelerated. USA Today’s analysis pinpointed at least 100 rural hospitals to close within the year. They already operated on thin margins, but with COVID expenses for additional equipment, the closing down of more profitable elective procedures and dependence on Medicaid, the over 1,100 unprofitable hospitals, over half of which are the only hospital in their county, have received a body blow. HHS allocated $10 billion to rural hospitals and clinics of the $100 billion aid package, but it may be too little and too late. Becker’s Hospital Review continues to track the bankruptcies and closures. Here there are no easy solutions from the digital health area.
  • A culture of cleanliness should accelerate. If the genie pulls this out of the bottle, one major benefit will be that hospital-acquired infections will decline. Effective sanitization methods that reduce human application and scrubbing will be the ones to look at: disinfecting foggers and UV full room or area systems–or combinations of same. Cleanliness and absence of viruses and bacteria may become a new metric. Look and bet on companies that can provide this, from rooms to computers/mobile tablets and phones.

Readers can help with these prognostications and especially how they will play out not only in the US, but also in the UK, Europe, and worldwide.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health, under one of its subsidiaries, BioReference Laboratories, Inc., and Clinical Pathology Laboratories [TTA 5 June]. This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related, affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to do is look at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they barely are able to talk to their like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California cites the lack of interoperability and being able to access their personal health data as a major barrier to both patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic was up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both sides of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months–between 1 August 2018 and 30 March 2019–and the breach involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spear phishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive–and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were year-over-year flat (290), but the number of records affected in 2018 nearly tripled from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft is down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

Yet another NHS cyber-vulnerability: fax machines

Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but their protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one.

The ‘how to’ is in the article. New ‘all in one’ printers which are connected to phone lines and wirelessly to networks can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax, as illustrated in Check Point’s attack-flow diagram. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer, but others would be vulnerable as well. Online electronic fax numbers may also have problems.

NHS’ census, released via a FOIA request, indicates it uses 9,000 fax machines. NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health.