Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, and only 69 percent reporting that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices: a continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

Breaking: 1B CVS Health records exposed in unsecured database now secured

A potential hacker’s holiday–damage unknown, but now secured. Back in March, cybersecurity researcher Jonathan Fowler, working with the WebsitePlanet research team, discovered an unsecured database, hosted by an undisclosed third-party vendor, with information clearly linked in their view to CVS Health. Mr. Fowler and WebsitePlanet immediately notified CVS Health through a responsible disclosure notice. 

The files were production files with 1,148,327,940 records in a file of 204 GB. CVS worked quickly to secure the data that same day by shutting down public access. CVS confirmed to WebsitePlanet that it was indeed their data. No directly personally identifiable information (PII) of customers, members, or patients was included. Instead, the histories are largely log files from searching and shopping on the site. However, Mr. Fowler maintains that there was enough information in the files to derive customers’ PII, including their email addresses.

The story is breaking now on media, notably ABC-TV cited in Becker’s. While apparently not a true breach or malicious–just another one of those darn errors–it presented a real danger to CVS Health customers. Whether the publicity will force CVS Health to take remedial action is to be determined. Not ‘Hackermania Running Wild’ but could have been in this overheated world of ransomware and Healthcare Hacking. CVS needs to keep far tighter oversight on their vendors. They should post what’s left and above in the IT Department. Also Threatpost and Becker’s Health IT

News roundup: Hacks, ransomware of medical records, security cameras spike; Withings launches new mobile-direct devices; Bluestream Health adds Leon Medical (FL) to telehealth

In recent weeks, hackermania has been romping in healthcare. The incidents revealed just in the past few weeks have affected hundreds of thousands of patients, employees, and providers:

  • Security cameras produced by Verkada, Inc. were hacked across the US, including at Tesla. Healthcare organizations affected by the hack included Daytona Beach, Fla.-based Halifax Health, where the video showed “what appeared to be eight staffers tackling a man and pinning him to a bed,” as well as Texarkana, Texas-based Wadley Regional Medical Center and Tempe (Ariz.) St. Luke’s Hospital. The means of entry was described by one of the hackers (appropriately female for this month) as a “super admin” account whose username and password appeared online. Becker’s Health IT 10 March, Bloomberg News
  • 210,000 MultiCare patients, providers, and employees of Tacoma, Wash.-based MultiCare had personal information exposed in a December ransomware attack on their medical practice management company’s IT services vendor. Becker’s Health IT 9 March
  • A clinic in North Carolina had a six-day ransomware attack starting 23 February. Hackers demanded a $1.75 million payment in exchange for giving back the clinic access to its data. The clinic came back online 1 March but did not disclose any payment. Becker’s Health IT 5 March
  • NBC News revealed that hackers stole employee files from Gallup, New Mexico-based Rehoboth McKinley Christian Health Care Services after a ransomware attack on its computer network in February. Those employee files were posted online; information included employee job applications and background check authorizations with Social Security numbers. Earlier attacks by the same hacker group on Leon Medical Centers of Miami-Dade Florida (see following) and Nocona (Texas) General Hospital resulted in the online publishing of tens of thousands of patient records. Becker’s Health IT 4 March
  • Hackers attacked biochemical machines used to prepare samples in Oxford University’s Division of Structural Biology. Forbes received the information from Hold Security chief technology officer Alex Holden, who provided screenshots of the hackers’ access to Oxford University systems, and notified the university.
  • The cutely-named DoppelPaymer attacked a county government office in Chatham County, North Carolina, and stole residents’ PHI and PII between November 2020 and this past January. Becker’s 10 Feb
  • And on the ‘Someone Got Fired For This One’ list is the response to hacking at Boise, Idaho’s Saint Alphonsus Health System. The health system had a data breach in January. Patients were routinely notified. However, the mail merge, not the hack, created an incorrect status for some patients, sending them letters as if they were deceased or a minor. Becker’s Health IT 10 March

It’s cold comfort when the US Department of Justice announces that they are indicting three North Korean hackers who inflicted the WannaCry malware and $1.3 bn in extortion damage on the world back in 2018. All three were members of North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). The likelihood of their extradition is one word: none.

And in other news….

Withings unveils new professional devices. The Body Pro smart scale and BPM Connect Pro, distributed to doctors, out of the box will transmit health data directly from patient to doctor. Neither requires Wi-Fi or a mobile phone, since they have embedded SIM cellular cards to connect directly to a mobile network. They are both sold through Withings’ professional division. FierceHealthcare

Telehealth provider Bluestream Health has added Leon Medical Centers, a seven-location Miami-Dade FL provider. Bluestream Health provides whitelabeled secure telehealth services that combine with medical workflows to approximately 50,000 providers in 500 facilities. Release.

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy
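The BOLA finding above, as an added example that is not from the Approov report or from any of the apps it tested: a constructed, in-memory patient-records API with the vulnerable handler (authenticated but never checks who owns the object) beside the ownership-checked one, plus a detector over the audit log for the “swap the number” enumeration pattern. All names, record ids and the detection threshold are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """Who the API believes is calling, after authentication has succeeded."""
    user_id: str
    role: str                            # "patient" or "clinician"
    assigned: frozenset = frozenset()    # patient ids a clinician is allowed to treat


@dataclass
class Record:
    owner: str                           # patient id
    diagnosis: str
    prescriptions: list = field(default_factory=list)


# Constructed sample data; the sequential integer ids are exactly what an attacker "swaps".
RECORDS = {
    1001: Record("pat-alice", "asthma", ["albuterol"]),
    1002: Record("pat-bob", "hypertension", ["lisinopril"]),
    1003: Record("pat-carol", "type 2 diabetes", ["metformin"]),
}

AUDIT_LOG = []   # (user_id, record_id, outcome) tuples written by the hardened handlers


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_record_vulnerable(session, record_id):
    """BOLA pattern: the caller is authenticated, but the handler never asks whether
    this caller may see *this* object, so any valid session can walk the id space."""
    if record_id not in RECORDS:
        raise NotFound(record_id)
    return RECORDS[record_id]


def _may_read(session, record):
    """Object-level rule: a patient sees only their own record, a clinician only
    records of patients assigned to them. Anything else is denied by default."""
    if session.role == "patient":
        return record.owner == session.user_id
    if session.role == "clinician":
        return record.owner in session.assigned
    return False


def get_record_hardened(session, record_id):
    """Object-level check on every read. A record the caller may not see is reported
    exactly like a record that does not exist, so the API is not an oracle for which
    ids are valid; the denial is still written to the audit log for detection."""
    record = RECORDS.get(record_id)
    if record is None or not _may_read(session, record):
        AUDIT_LOG.append((session.user_id, record_id, "denied"))
        raise NotFound(record_id)
    AUDIT_LOG.append((session.user_id, record_id, "ok"))
    return record


def add_prescription(session, record_id, drug):
    """Write path: re-run the object-level check server-side (never trust the client's
    claim about its role or which record it is editing) and require clinician role."""
    record = get_record_hardened(session, record_id)
    if session.role != "clinician":
        AUDIT_LOG.append((session.user_id, record_id, "denied-write"))
        raise Forbidden("only an assigned clinician may prescribe")
    record.prescriptions.append(drug)
    return record


def flag_enumeration(audit_log, threshold=3):
    """Detection: a session denied on several *distinct* record ids is probing the id
    space rather than mistyping one URL. Returns the user ids worth investigating."""
    denied = {}
    for user_id, record_id, outcome in audit_log:
        if outcome.startswith("denied"):
            denied.setdefault(user_id, set()).add(record_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


def is_denied(fn, *args):
    """Helper: True if the request was refused (NotFound or Forbidden)."""
    try:
        fn(*args)
    except (NotFound, Forbidden):
        return True
    return False


if __name__ == "__main__":
    bob = Session("pat-bob", "patient")
    # Vulnerable handler: Bob reads Alice's record just by changing the number.
    print("vulnerable:", get_record_vulnerable(bob, 1001).diagnosis)
    # Hardened handler: the same requests are refused, logged, and the pattern flagged.
    for rid in (1001, 1002, 1003, 1004):
        print(rid, "denied" if is_denied(get_record_hardened, bob, rid) else "ok")
    print("flagged:", flag_enumeration(AUDIT_LOG))
```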

Alissa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wake-up call to developers, health systems, and digital health companies that off-the-shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

10 years in 2 months: prognosticating the longer-term effect of COVID-19 on telehealth, practices, and hospitals

This Editor recounted last night in the article below on The TeleDentists’ fresh agreements with Cigna and Anthem the observation of a former associate who has been in the thick of the remote patient monitoring wars for some years that telehealth/telemedicine has progressed 10 years in 2 months. Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), stated to the Wall Street Journal (paywalled), “I think the genie’s out of the bottle on this one. I think it’s fair to say that the advent of telehealth has been just completely accelerated, that it’s taken this crisis to push us to a new frontier, but there’s absolutely no going back.” Even in a short period of time, CMS-reported telehealth visits as of 28 March trebled from 100,000 to 300,000. When the April numbers are in, it would not be surprising to see it grow well into seven figures.

The genie may be out of the bottle, but what will the genie do? Genies are, after all, unpredictable, and fly around. Out of the smoke, some educated guesses:

  • Insecure, non-HIPAA-compliant audio/video platforms will be the first that should be struck from CMS approval. Zoom has become a hackfest, with all sorts of alerts from mobile providers like Verizon on how to secure your phone. (An organization of which this Editor is a member had a panel this week completely disrupted by a hacker in five minutes.) Skype’s problems are well known. The winners here will be telehealth platforms that integrate well with EHRs, population health platforms (or may be part of population health platforms), and have robust security.
  • Primary care practices and specialists, who’ve been surviving on non-F2F visits, will be adjusting their practices to patient demand, and integrating telehealth with physical visits in a way that their patients will prefer. This means a search for integration of EMRs/EHRs with secure platforms and reconfiguring areas such as care coordination. If planned correctly, this could create better management of patients with multiple chronic conditions.
  • Actual physical visits will rebound, creating financial pressure on Medicare, hospitals, and private payers. How many people’s health has declined in two-three months is key. Small practices, who may see this first, will see another level of pressure, because they will be held to their Medicare quality metrics in value-based models even if adjusted. Hospitals will also rebound–if they are able. The dark side: private payers may run the numbers and scale back on benefits for the 2021 year especially if COVID is projected to make a return.
  • Behavioral health may benefit, yet drive individual practices and a wave of retirements, or a consolidation into clinic or group settings. There’s a reason why Optum is buying out AbleTo; we may see a wave of competitor acquisitions in this area, with the emphasis on cognitive health and short courses. Why retirements? Many psychiatric practices are still independent, concentrated geographically, and the average psychiatrist is over 50. Psychiatric EHRs are both costly and not particularly suited to practices. If faced with technological challenges, a lot of MDs and senior clinical psychologists may very well exit–threatening clinics which need MDs to legally operate.
  • Rural health’s failure accelerated. USA Today’s analysis pinpointed at least 100 rural hospitals to close within the year. They already operated on thin margins, but with COVID expenses for additional equipment, the closing down of more profitable elective procedures and dependence on Medicaid, the over 1,100 unprofitable hospitals, over half of which are the only hospital in their county, have received a body blow. HHS allocated $10 billion to rural hospitals and clinics of the $100 billion aid package, but it may be too little and too late. Becker’s Hospital Review continues to track the bankruptcies and closures. Here there are no easy solutions from the digital health area.
  • A culture of cleanliness should accelerate. If the genie pulls this out of the bottle, one major benefit will be that hospital-acquired infections will decline. Effective sanitization methods that reduce human application and scrubbing will be the ones to look at: disinfecting foggers and UV full room or area systems–or combinations of same. Cleanliness and absence of viruses and bacteria may become a new metric. Look and bet on companies that can provide this, from rooms to computers/mobile tablets and phones.

Readers can help with these prognostications and especially how they will play out not only in the US, but also in the UK, Europe, and worldwide.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health (under one of its subsidiaries, BioReference Laboratories, Inc.), and Clinical Pathology Laboratories [TTA 5 June]. This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related, affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is clearly not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to do is look at the investment trends breaking all records, with funding rounds of over $10 million raising barely a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens and so customized by provider application that they can barely talk to like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California, cites the lack of interoperability and the inability to access personal health data as a major barrier both to patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data it needs to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic was up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both sides of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every tech is commercially ready or lowers cost. And employers are far worse than hospitals at buying in because they ultimately look at financial value, even if initially they adopt for other reasons. In addition, the bar has moved higher. The new validation standard is now provider-centric–workload, provider satisfaction, and implementation metrics, because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and it involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months–between 1 August 2018 and 30 March 2019–and the breach involved both financial and some health records. Quest now is in the #2 slot behind the massive 79 million person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spearphishing and backdoors that gathered data and sent it to China. There were three other US businesses in the indictment which are not identified. Securing health data is expensive — and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were year-over-year flat (290), but the number of records affected in 2018 nearly tripled from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft is down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

Yet another NHS cyber-vulnerability: fax machines

Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but fax protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one.

The ‘how to’ is in the article. New ‘all in one’ printers which are connected to phone lines and wirelessly to networks can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax as illustrated above left. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer but others would be vulnerable as well. Online electronic fax numbers may also have problems.

NHS’ census, released via a FOIA request, indicates it uses 9,000 fax machines. NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health. 

OpenEMR’s security flaws threaten millions of patient records; McAfee successfully alters vital signs reporting into monitoring systems

The OpenEMR system, which is an open-source patient record system used in UK hospitals and others worldwide, has dozens of security flaws in its software, according to Project Insecurity, a London-based “tight-knit computer research organization which focuses primarily on educating the masses on the topics of information security” according to their corporate description on LinkedIn. According to their report, Project Insecurity found vulnerabilities including: “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.”  OpenEMR has stated that they have now supplied patches to fix the vulnerabilities listed in the report. However, these multiple flaws put potentially millions of patient records at risk for some time.

OpenEMR’s decentralized model has some drawbacks when it comes to security. According to OpenEMR, they do not know how many organizations are affected as the open-source software has voluntary registration. Patches and security fixes are announced to the registration list, OpenEMR’s online forum and social accounts, the open-emr.org community, and OpenEMR vendors. While no data has been publicly exposed, the Project Insecurity report revealed this system’s risk to the healthcare organizations which use it. Also DigitalHealth and Project Insecurity on Twitter.

McAfee has confirmed another vulnerability–that vital signs reporting into a central monitoring station can be altered in real time. They tested a circa 2004 bedside monitor/central monitoring system reportedly still in use. The system monitored heartbeat, oxygen level, and blood pressure, used both wired and wireless networking over TCP/IP, and appeared to store patient information. The central monitoring station ran Windows XP Embedded, which presented one set of flaws, but far more accessible to a breach was the communication from the devices to the central monitoring system. In short, “the attacker simply has to send replacement data to the central station while appearing as the patient monitor.” The article proves vital signs can be altered by the time they reach the central monitoring station to create a bad diagnosis, unnecessary testing, and unneeded medication. The McAfee article lays out How to Mess With Vital Signs, Believably.

More and more into the (data) breach: 3X more patient records in Q2, UnityPoint’s breach balloons to 1.3M

And we thought Healthcare Hackermania was following the Hulkster into retirement. After a quiet Q1, data breaches and hack attacks blew up both in Q2 and now in this quarter.

Data compliance analytics firm Protenus’ Breach Barometer (with DataBreaches.net) has been tracking healthcare data breaches for years. It was quiet in Q1 with 1.13 million patient records affected in 110 separate health data breaches. But Q2 was a true triple threat with patient records up three times to 3.14 million in 142 separate breaches–which means more per breach on average. What is also distressing is that 29.71 percent are repeat offenses among employees, up from 21 percent in the previous quarter.

  • 36.6 percent of breaches were due to external hacking, nearly double that of Q1.
  • 30.99 percent were due to insiders, either through deliberate wrongdoing (theft) or insider error. Insider wrongdoing was led by family members snooping on other family members’ records. Not Russians, Chinese, NoKos, or Bulgarians bashing about. 
  • In contrast to Q1, where the biggest data breach was a network hack of an Oklahoma-based health network (reportedly the Oklahoma State University Center for Health Sciences), compromising nearly 280,000 records, Q2’s Big Breach was a physical burglary of the California Department of Developmental Services in Sacramento affecting over 581,000 records. After the usual ransacking and theft, the burglars started a fire before they left and the sprinklers did the rest.

It routinely takes nearly forever from when a breach occurs to when it is discovered: in Q1 244 days, in Q2 204 days. In Q2 the longest discovery time was over five years, 2013 to 2018. This indicates that insiders may be good at covering their tracks, and/or IT staff don’t get around to detecting and policing breaches.

Protenus and DataBreaches.net compile incidents disclosed to HHS and reported in the media, and are now adding their own proprietary, non-public data on the status of health data breaches nationwide, including a review of tens of trillions of individual accesses to EHRs which Protenus audits as part of their healthcare systems services. More detail in Protenus Q2 and Q1 full reports, HealthITSecurity (Q1)

Certain to lead their Q3 report is the 1.4 million patient record breach at UnityPoint Health, an Iowa-based health system. In May, a small phishing breach compromised 16,000 records. This cyberattack also started with email phishing and spread through employee networks. “The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.” Were the hackers after patient data? According to UnityPoint, “The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization.” Healthcare Analytics News

You may not want a cyberattack, but cyberattacks and hacking want you….

Healthcare cybersecurity breaches multiply like measles as far away as Singapore. Is it a matter of time before hacking kills someone?

Even if you are the Prime Minister of Singapore, you can be hacked. Prime Minister Lee Hsien Loong joined 1.5 million of his fellow Singaporeans in what they have termed an unprecedented data breach of SingHealth, considered to be a world model. There are the usual state actor suspects: Russians, Chinese–and North Koreans–starting less than two weeks (27 June) after hosting the meeting between President Donald Trump and Maximum Leader Kim Jong Un. (That is hardly a gracious thank you if it’s them (s/o).) POLITICO Morning eHealth reported on Monday 23 July.

What’s happened since: Singapore banks have been instructed to tighten data procedures and use additional verification methods. The government believes 1) they are next and 2) that the healthcare breach data could be used to impersonate customer identities. SingHealth records include full name, national identification number, address, gender, race, and date of birth. (ZDNet)

The National (UAE) reported that the hack specifically targeted the PM. Their angle was that Singapore has ambitions to host a ‘smart city’ as does the UAE and testing Singapore means that the UAE may be next. Singapore is covering a different angle–the ‘inside job’ one. They moved to disconnect computers from the internet at public centers which may inconvenience patients and healthcare staff but which weakens data collection for this very busy centralized system. (Reuters) Watch the government press conference here.

Will the next WannaCry or NotPetya kill someone? That is the premise in this article in ZDNet and one we’ve discussed previously. It’s not a targeted attack on a particular life, but could be an infrastructure failure–for instance, an industrial control for electricity that destroys systems including those to dependent homes or hospitals. What this article doesn’t include are all those aging hackable connected devices in operating rooms, hospital rooms, and in-hospital Wi-Fi powering tablets and other connected devices. KRACK can be very wack indeed! [TTA 18 Oct 17]

WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring that the migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and that it was found as quickly as it was by a British security specialist with the handle MalwareTech.

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even the head of IT audit and security services at West Midlands Ambulance Service NHS Trust, who is also a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, and initial passwords in EHRs are not changed. Add to firewalls, prevention measures, and an emphasis on compliance and best practices a cyber-resilience posture: more than a recovery plan, it means planning to keep operations running with warm backups ready to go, contingency plans, and a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Orangeworm malware running wild in hospitals for three years: multiple reports

Orangeworm hacker group finds easy pickings in hospitals and healthcare. Reports have multiplied in recent weeks of the Orangeworm hacker (or hackers) threatening healthcare organizations, frequently hospitals. Major info security groups have issued warnings: Symantec, Cynerio, BlackBerry, and Rubicon Labs. Symantec’s report states that 39 percent of the victims come from healthcare, with the remainder coming from manufacturing (15 percent), IT (15 percent), and logistics (8 percent), most with ties to the healthcare sector, and suspected vectors for a supply-chain attack.

‘Easy pickings’ include invading the old computer systems and controls prevalent worldwide in healthcare organizations: devices designed to control X-ray machines, MRIs, and even systems that help patients fill out consent forms. Orangeworm accesses IT systems using the Kwampirs trojan, taking advantage of the fact that most hospital IT systems are old, and as we know from the Petya and WannaCry attacks a year ago, their old, unprotected, and unpatched systems are uniquely vulnerable.

The semi-shocking fact is that this has been spreading quietly in healthcare organizations for over three years. The attackers used, according to both Symantec and Bleeping Computer, malware that infected systems by copying itself across network shares, methods that are considered antiquated and “noisy”. Orangeworm also didn’t change its command and control (C&C) communication protocol over the three years, seemingly unconcerned about discovery.
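Copying a payload across network shares is “noisy” precisely because one source host touches many hosts in a short time. As an added example, not code from Symantec or any of the cited reports, the detector below flags a source that drops the same file onto administrative shares of several distinct hosts within a window; the log format, hostnames and file name are constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-share write events (not real Orangeworm telemetry):
# one line per write, with source host, destination host, share and file.
SAMPLE_EVENTS = """\
2018-04-20T09:00:01 src=WS-RADIOLOGY-07 dst=XRAY-CTRL-01 share=ADMIN$ file=winupd32.exe
2018-04-20T09:00:04 src=WS-RADIOLOGY-07 dst=MRI-CONSOLE-02 share=ADMIN$ file=winupd32.exe
2018-04-20T09:00:09 src=WS-RADIOLOGY-07 dst=CONSENT-KIOSK-03 share=C$ file=winupd32.exe
2018-04-20T09:00:15 src=WS-RADIOLOGY-07 dst=FILESRV-01 share=ADMIN$ file=winupd32.exe
2018-04-20T09:01:30 src=WS-RADIOLOGY-07 dst=PACS-02 share=C$ file=winupd32.exe
2018-04-20T09:05:00 src=ADMIN-PC-01 dst=FILESRV-01 share=Shared file=budget.xlsx
2018-04-20T09:06:00 src=ADMIN-PC-01 dst=FILESRV-02 share=Shared file=budget.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) share=(?P<share>\S+) file=(?P<file>\S+)$")

# Writes to ordinary user shares are normal; writes to admin shares are the signal.
ADMIN_SHARES = {"ADMIN$", "C$"}

def parse_events(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def find_share_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {(src, file): sorted dst hosts} for every source that wrote the same
    file to administrative shares on >= min_hosts distinct hosts within window."""
    by_key = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:
            by_key[(e["src"], e["file"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window over each start
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts
```

Tune `min_hosts` and `window` to the environment: software-deployment servers legitimately fan out, so whitelist them by source rather than loosening the threshold.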

The attacks appear targeted and coordinated. Speculation is that Orangeworm is a hacker or a small group of hackers targeting the rich information in healthcare records to sell on black markets. 17 percent of the attacks have been in the US, with UK, Germany, the Philippines, and Hungary at 5 percent each.

Symantec’s advice is extensive and detailed here, but can be summed up as: quit using Windows XP based systems, patch and update software and systems, use anti-virus, protect file sharing. Also Digital Health, Information Security Buzz News, Security Intelligence.

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

[Image: VitalPatch_Header_Photo_Tablet.jpg]

Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care settings. Blue Cedar is securing the app through their patented code-injection technology, which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts’ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), while over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting is improving, with reporting to HHS, the media or state attorneys general averaging 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August. Hat tip to Guy Dewsbury via LinkedIn