TTA’s Brrrrr Season 3: Oracle Cerner limps again, ransomware fizzles, research on blood microsamples and post-traumatic biomarkers, Dollar General clinics, Google antitrust, more!


Weekly Update

A potpourri of news this week from Google’s antitrust lawsuit (and 6% layoff) to Dollar General’s clinic pilot with DocGo mobile vans. Ransomware attacks by AlphV/BlackCat fizzled and the DOJ knocked out Hive. Significant research on microsamples of blood and post-traumatic biomarkers published. Oracle has more VA/MHS problems, engineering head departs. Some funding and grants. And did Elizabeth Holmes really attempt to flee the country?

Rounding out week: Oracle Health engineering head departs; Hive ransomware KO’d by DOJ; Google sued by DOJ on antitrust, lays off another 12,000; Pearl and Precision Neuro raise, Enabled Healthcare ADAPT grant
Mid-week news roundup: CVS Health Virtual Primary Care launches, VA’s two-day Oracle Cerner EHR slowdown, and microsampling blood + wearables for multiple tests (Not quite a return for the Theranos concept)
Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents (Expect more of this–it’s a movable war)
Using wearables to monitor biomarkers related to neuropsychiatric symptoms post-traumatic event (Significant research)
Theranos Holmes trial updates: did she book a one-way flight to Mexico last year, or were the prosecutors reckless and wrong? (You decide)
CVS, Walgreens, Walmart….Dollar General health clinics? (A low-risk toe in the clinic water)

It must be Mid-Winter Blues, but the news was fairly light this week–even from the JPMorgan health conference, a soggy SFO affair indeed. (At least the streets were cleaned.) Babylon feels ‘misunderstood’, Teladoc lays off 6%. CVS keeps funding and KillNet keeps threatening IT Havoc. Good news from UKTelehealthcare with TECS help for the digital switchover. Plus ISfTeH’s annual meeting now set for Winnipeg and news from ATA.

Industry org news: ISfTeH International Conference call for presentations, new leaders for ATA Policy Council (Good news!)
UKTelehealthcare launches TECS consultancy in partnership with TECS Advisory (Expert help on the digital switch)
Interesting pickups from JPM on CVS, Talkspace, Veradigm backs Holmusk, ‘misunderstood’ Babylon Health; six takeaways (News from a damp, dreary, insane JPM)
Teladoc laying off 6%, reducing real estate, in move to “balanced growth” and profitability (Nice move if they can do it)
‘KillNet’ Russian hacktivist group targeting US, UK health info in Ukraine revenge: HHS HC3 report (Healthcare becomes a side battle)

A mulligan stew of a week. CVS moving in on primary care with (possibly) Oak Street, funding Carbon Health in-store clinics while the latter downsizes. Walgreens’ VillageMD closed on Summit Health and Teladoc paints a brighter revenue picture with BetterHelp. Rock Health quantified a deflated 2022 year in funding, but M&A/VC investment still proceeds in its ‘boring’ way. Verily, Alphabet’s wandering ‘bet’, finally gets a needed trim. And Theranos is still in the news from appeals to post-prison requirements.

Weekend short takes: Theranos’ Holmes post-prison mental health + more on Shultz and Balwani; global M&A, funding roundup
Rock Health puts a kind-of-positive spin on digital health’s ‘annus horribilis’ 2022–a boring 2023
Mid-week roundup: Teladoc gets BetterHelp to boost Q4 ’22 revenue; fundings for Array, Paytient, Telesair, three others; layoffs hit at Alphabet’s Verily, Cue Health
CVS works their plan in Oak Street Health buy talks, Carbon Health $100M investment + clinic pilot; VillageMD-Summit finalizes (updated)
Theranos trial updates: Holmes’ freedom on appeal bid opposed; Balwani files appeal to conviction

Two surprises not under the Christmas tree or New Year’s hat. The ITC upheld AliveCor patents and damages versus Apple, pending their PTAB appeal, and Amazon got its first state approval for One Medical. As expected, telehealth’s national Medicare reimbursement was extended for two years, setting policy for health plans. And NHS advanced rapid stroke diagnosis with a Brainomix trial across 22 hospital trusts, tripling near-full recoveries to 48%.

Weekend news roundup: GE Healthcare spins off, adds CTO; Allscripts now Veradigm; NHS Brainomix AI stroke trial success; Withings home urine scanner; Careficient buys Net Health EMR; CommonSpirit’s class action suit on data breach
Amazon-One Medical gains conditional OK in Oregon–a preview of coming scrutiny? (What happens at the big state and Fed level?)
Telehealth extensions signed into US law with Federal FY 2023 omnibus bill (Major breakthrough to widen nationally reimbursed telehealth)
Split decision! ITC rules that Apple violated AliveCor patents; enforcement held for PTAB appeal (David v Goliath continues!)

A potpourri of news wraps 2022, starting with confirming how telehealth can stand on its own even in specialty care visits and its continued strength in mental health. In the US, most telehealth expansion is confirmed for two years. But as predicted, DEA is going hard after ADHD misprescribing — a unicorn may lose its horn as a result. Oracle is erasing Cerner’s home town presence as Epic stomps a patent troll. And beware of DDoS–it may distract from more nefarious cybercrimes.

We wish our Readers all the happiness of the season, as we look forward to the start of the New Year. We’ll be back with new articles after 2 January.

We wish our Readers a happy, healthy holiday season and New Year!
News roundup: DDoS attacks may be ‘smokescreen’, DEA slams Truepill with ‘show cause’, telehealth claims stabilize at 5.4%, Epic squashes patent troll, Cerner meeting exits KC, MedOrbis, Kahun partner on AI intake (From cybercrime to Cerner, c-c-c-changes roll)
Telehealth two-year extensions included in US Federal ‘omnibus’ budget bill (Tucked into a Moby Dick-sized whale of a bill)
Few specialty telehealth visits require in-person follow up within 90 days: Epic Research study 2020-2022 (Findings, though, may be pandemically skewed)

Have a job to fill? Seeking a position? See jobs listed with our new job search partner Jooble in the right sidebar!


Read Telehealth and Telecare Aware: https://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Legrand/Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine, and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated: “We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.” NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More according to SC Media in these reports:

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one and five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated: PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. These include a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act, which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and long expected by manufacturers. SC Media

News roundup: DDoS attacks may be ‘smokescreen’, DEA slams Truepill with ‘show cause’, telehealth claims stabilize at 5.4%, Epic squashes patent troll, Cerner meeting exits KC, MedOrbis, Kahun partner on AI intake

Readers won’t get out of 2022 without one last cybercrime…article. DDoS attacks–distributed denial of service–escalated worldwide with Russia’s invasion of Ukraine in February. (Ukraine and military aid is a hot topic this week with President Zelenskyy’s visit to the US and Congress speech.) Xavier Bellekens, CEO of Lupovis, a cybersecurity company and a cyberpsychologist (!), postulates that DDoS attacks, as nasty as they are, may be a smokescreen for far more nefarious and damaging attacks. While IT goes into crisis mode over the DDoS, other attacks and information gathering on systems preparing for future attacks are taking place. Russian cyber groups focus on large organizations and move down the line into the most vulnerable, using both manual and automated approaches. Worth reading given the vulnerability and IT short staffing in healthcare organizations. Cybernews

The fallout from Cerebral and Schedule 2 telehealth misprescribing expands. The Drug Enforcement Agency (DEA) issued a ‘Show Cause’ to online pharmacy Truepill for inappropriate filling of ADHD Schedule 2 medications, including Adderall. A ‘Show Cause’ order is an administrative action to determine whether a DEA Certificate of Registration should be revoked, which could put Truepill out of business. The red flag for the DEA: 60% of Truepill’s prescriptions–72,000–filled between September 2020 and September 2022 were for controlled substances, including generic Adderall. Truepill was Cerebral’s primary mail order provider, though they also used CVS and Walmart. The company stopped filling Cerebral’s ADHD prescriptions in May 2022.

In the order, the DEA cites that “Truepill dispensed controlled substances pursuant to prescriptions that were not issued for a legitimate medical purpose in the usual course of professional practice. An investigation into Truepill’s operations revealed that the pharmacy filled prescriptions that were: unlawful by exceeding the 90-day supply limits; and/or written by prescribers who did not possess the proper state licensing.”

The company stated in an emailed statement that they were fully cooperating with the investigation. If it does move to a hearing, Truepill’s chances of a successful defense are statistically low.

Truepill also fills prescriptions for Hims & Hers, GoodRx and Mark Cuban Cost Plus Drug Company. It was valued in its 2021 funding round at $1.6 billion. Companies in telemental health and prescribing of Schedule 2 ADHD medications, such as Cerebral and Done Health, are under enhanced scrutiny over their business practices [TTA 1 June]. Mobihealthnews, DEA press release, HISTalk, Digital Health Business & Technology

Telehealth medical claims stabilize. FAIR Health’s latest reports for August and September show that the percent of medical claims coded as telehealth is back up to 5.4%. June and July dropped slightly to 5.2% and 5.3% respectively. Also steady: the vast majority of claims are for mental health services. In September, they were 66% of diagnoses, far ahead of ‘acute respiratory diseases and infections’ at 3.1%. In procedure codes, psychotherapy accounts for over 43%.

A patent troll Epically bites the dust. Back in the early to mid-2010s [TTA’s index here], patent trolls (technically non-practicing entities which have no active business) presented a significant threat to early and growth-stage health tech companies. One, MMR Global (which apparently no longer exists), was notorious for buying up EHR and PHR-related patents and then filing patent infringement lawsuits against both small and large healthcare organizations with similar patents–and their users–that were generally monetarily settled. But NPEs are still active. One in south Florida, Decapolis Systems, used the same techniques as MMR Global had, suing in this case multiple Epic customers for patent infringement. Epic not only defended its customers but also sued Decapolis in the US District Court, Southern District of Florida. The court found that both Decapolis patents were invalid, ending what Epic termed ‘vexatious patent litigation’. Decapolis had successfully sued 24 other entities, including other EHRs, which settled. Owned by an inventor, this company will have to find another line of honest business. Epic release, Thomson Coburg

Oracle’s message to Kansas City: no more Cerner meetings for you. And maybe more. Cerner’s site for its annual customer/partner conference since 2007 has been in Kansas City, attracting about 14,000 visitors. Not only will it be integrated into Oracle CloudWorld in Las Vegas, 18-21 September, it’s been retitled Oracle Health with no mention of Cerner. The loss to local KC business is substantial–estimated to be in the $18 million range. While it’s logical to integrate it into the massive CloudWorld conference, it’s also another message to KC after Oracle’s sudden real estate downsizing that Cerner’s presence there will shrink…and shrink…as it’s absorbed into Oracle Health, and further confirmation that the Cerner name is gradually being sunsetted. KansasCity.com, HISTalk

A new (to this Editor) specialty care telehealth company, MediOrbis, is partnering with Kahun for an AI-enabled digital intake tool. This is a chatbot capable of conducting an initial medical assessment. Based on the patient’s answers and Kahun’s database of about 30 million evidence-based medical knowledge insights, it provides a summary for the physician before the telehealth visit and highlights areas of concern. Mobihealthnews. MediOrbis also has partnered with remote care/engagement Independa to add its capabilities to Independa’s HealthHub on their LG TVs.

Thursday news roundup: IBM Watson Health sale closed, now Merative; OneMedical inviting buyers–maybe; worst healthcare data breaches rounded up

It’s a post-Independence Day and early summer holiday relatively quiet week….

It’s Merative, not IBM Watson Health anymore. Francisco Partners’ buy from IBM of Watson Health closed last Thursday (30 June) but didn’t make the news until after the holiday. The announcement of the new brand, Merative, was splashed on HLTH’s website today (not HIMSS) with the usual language about how their data connects and transforms health through pioneering “cloud, real-world data and industry-leading AI” through health systems, hospitals, health plans, life sciences, and government. Speaking of data points:

  • HQ now in Ann Arbor, MI
  • New CEO Gerry McCarthy from CEO of eSolutions, a former Francisco Partners portfolio company that exited to Waystar in October 2020
  • The former general manager, Paul Roma, will be a Senior Advisor to Francisco Partners
  • Merative will have six product families: Health Insights; MarketScan; Clinical Development; Social Program Management and Phytel; Micromedex; and Merge Imaging
  • Other investors include True Wind Capital and Sixth Street

Since 2015, IBM had built up Watson Health through four acquisitions and over $4 billion in investment. They sold it for perhaps $1 billion to get it off their books. Once upon a time they were the leader, now they’re up against Oracle and a dozen other competitors like IQVIA that sell connectedness and ‘actionable insights’ across and in chunks of their business (example, life sciences). Given the track record of the controlling private equity partner, Merative needs to become profitable quickly. Merative will not be a long term investment for them. FierceHealthcare. Our prior coverage: 7 Jan, 22 Jan, 25 Feb (Who needs Watson Health?)

Also apparently up for sale to the right buyer is One Medical. The clinic group flirted with but ultimately sent packing CVS Health. One Medical offers concierge in-person and telehealth primary care in seven metros and has over 700,000 members. They bought Medicare value-based primary care provider group Iora Health a year ago [TTA 11 June] but since then their stock (trading under 1Life Healthcare) and valuation has cracked by 75%. Not mentioned in the Bloomberg article is whether Iora is included in the possible deal.

And for those who like their Hackermania on the Wild Side, there’s a massive list over at Wired that racks up the Greatest Hits. It’s only halfway through 2022, but the data breaching and ransomware perps have multiplied. From Russia/Ukraine to extortion gangs like Conti and Lapsus$ to cryptocurrency theft and China, the Old Reliable Healthcare continues to star. Our recent list is here but topping out the Wired list are Shields Health Care Group, Baptist Health System, Resolute Health Hospital, Kaiser Permanente, and Yuma Regional Medical Center. Also Becker’s.

Thursday legal news roundup: Oscar Health accused of IPO securities fraud; Venezuelan cardiologist moonlights as cybercriminal, faces slammer; Change Healthcare sues former employee now at Olive AI

To use a cliché, what a difference a year makes. In March 2021, insurtech Oscar Health successfully raised $1.4 billion in its IPO with shares at $39. Heady times didn’t last long, with shares tumbling to $5.67 as of this writing. Now the shareholder lawsuits have begun, with the complaint stating that negative effects of COVID-19 on Oscar’s business were not disclosed, specifically the growing cost of the pandemic on testing and treatment costs they would cover, and that “Oscar would be negatively impacted by an unfavorable prior year Risk Adjustment Data Validation (RADV) result relating to 2019 and 2020 [and] that Oscar was on track to be negatively impacted by significant SEP membership growth”. The lack of forward-looking disclosure at an IPO is a violation of the Securities Act. The initial lawsuit has been filed in the US District Court for the Southern District of New York by shareholder Lorin Carpenter. Multiple law firms have invited shareholders to join in the suit — example from PR Newswire. Also named in the suit are Oscar Health co-founders CEO Mario Schlosser and Vice Chairman Joshua Kushner, plus several investment banks.

Oscar started the year with a Q1 loss of $0.36 per share versus an estimate of a loss of $0.40, but this is less than half of last year’s loss of $0.98 per share. They are also exiting the Arkansas and Colorado markets in 2023. Healthcare Dive

Cardiologist, master cybercriminal, a new Dr. Mabuse? Accused of the creation, use, and sale of ransomware is one Venezuelan doctor and practicing cardiologist, Moises Luis Zagala Gonzalez, a dual citizen of Venezuela and France. The charges by the Department of Justice (DOJ) in the Eastern District of New York also detail his “extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.” SaaS can’t hold a candle to the RaaS–ransomware-as-a-service–operation he created to sell what he dubbed ‘Thanos,’ allegedly named after a fictional cartoon villain responsible for destroying half of all life in the universe. Turns out that Iranian state-sponsored hackers and fellow ransomware designers really liked it too. If convicted, he faces 10 years in Club Fed–five years for attempted computer intrusion, and five years for conspiracy to commit computer intrusions. Designing criminal software really does test the limits of moonlighting. DOJ release, TechCrunch

Change Healthcare sues former employee at competitor Olive AI. While their merger with UnitedHealthcare is tied up in the US District Court in DC [TTA 23 Mar], Change Healthcare is not letting any courtroom grass grow under their feet. They are suing a former employee, Michael Feeney, for violating the non-compete clauses of his employment contract. The suit was filed in Tennessee Chancery Court, its HQ state. Mr. Feeney has countersued in his state of residence, stating that the non-compete violates Massachusetts law. He was VP, strategy and operations at Change handling physician revenue cycle management. At Olive AI, he is currently SVP, provider market operations. Information is a bit scarce on this and the free article this Editor has found reads machine-translated. If you have access to the Nashville Post or Modern Healthcare it’s probably more decipherable.

As to the lawsuit affecting non-competes due to the tight labor market–don’t count on it. It’s a conflict between the state the company is in enforcing non-competes, versus a state which restricts (or negates) them that is the former employee’s state of residence and work. What wins out will be the interesting part and affect many of us in the US.

Two healthcare data breaches of note: International Committee of the Red Cross and Jefferson Health

Healthcare data breaches have become so commonplace that this Editor now leaves it to others to report. They all share the same characteristics–international hackers inserting ransomware in compromised systems and demanding billions in bitcoin, disgruntled employees erasing or taking home files, burglaries, inside jobs of various stripes. A steady drumbeat despite many efforts to secure against outside attacks and continuously monitor systems; still there are plenty of legacy devices floating around hospitals and clinics running outdated computer software and initial setup passwords.

But this one hits a new high of heartlessness. The International Committee of the Red Cross (ICRC), headquartered in Geneva, reported on 18 January that servers hosting the personal information of more than 500,000 displaced people receiving aid services from the Red Cross and Red Crescent Movement program had been hacked. The servers were located in Switzerland and were directly targeted. The 515,000 records were of people in the ‘Restoring Family Links’ program which aids missing people and their families, unaccompanied or separated children, detainees, and other people affected by armed conflict, natural disasters, or migration. The information consisted of names, locations, and contacts. In addition, login information of 2,000 workers was also breached. Pray tell, where’s the monetary value in this? Or is there something more nefarious? These systems and their information have been taken offline, hampering this international program. ICRC ‘What We Know’, Becker’s Health IT, Healthcare IT News

A more ‘garden variety’ breach of 9,000 patients’ protected health information (PHI) took place in November at Philadelphia’s Jefferson Health. This was an insurance portal breach that accessed patient billing information with the intent of rerouting the payments from the hospital to the attackers themselves. The hacker in the process gained access to patient billing information, names, dates of treatment, treatment codes and costs, but not the jackpot of SSNs and other financial information. The article does not disclose whether payments were successfully redirected. Becker’s Health IT

Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reporting that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices: a continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

Breaking: 1B CVS Health records exposed in unsecured database now secured

A potential hacker’s holiday–damage unknown, but now secured. Back in March, cybersecurity researcher Jonathan Fowler, working with the WebsitePlanet research team, discovered an unsecured database, hosted by an undisclosed third-party vendor, with information clearly linked in their view to CVS Health. Mr. Fowler and WebsitePlanet immediately notified CVS Health through a responsible disclosure notice.

The files were production files with 1,148,327,940 records in a file of 204 GB. CVS worked quickly to secure the data that same day by shutting down public access. CVS confirmed to WebsitePlanet that it was indeed their data. No directly personally identifiable information (PII) was included of customers, members, or patients. Instead, the histories are largely log files from searching and shopping on the site. However, Mr. Fowler maintains that there was enough information in the files to derive customers’ PII, including their email addresses.

The story is breaking now on media, notably ABC-TV cited in Becker’s. While apparently not a true breach or malicious–just another one of those darn errors–it presented a real danger to CVS Health customers. Whether the publicity will force CVS Health to take remedial action is to be determined. Not ‘Hackermania Running Wild’ but could have been in this overheated world of ransomware and Healthcare Hacking. CVS needs to keep far tighter oversight on their vendors. They should post what’s left and above in the IT Department. Also Threatpoint and Becker’s Health IT

News roundup: Hacks, ransomware of medical records, security cameras spike; Withings launches new mobile-direct devices; Bluestream Health adds Leon Medical (FL) to telehealth

In recent weeks, hackermania has been romping in healthcare. A compilation of incidents revealed just in the past few weeks have affected hundreds of thousands of patients, employees, and providers:

  • Security cameras produced by Verkada, Inc. were hacked across the US, including at Tesla. Healthcare organizations affected by the hack were Daytona Beach, Fla.-based Halifax Health, where the video showed “what appeared to be eight staffers tackling a man and pinning him to a bed.” Texarkana, Texas-based Wadley Regional Medical Center and Tempe (Ariz.) St. Luke’s Hospital were also hacked. The means of entry was described by one of the hackers (appropriately female for this month) as a “super admin” account whose username and password appeared online. Becker’s Health IT 10 March, Bloomberg News
  • 210,000 MultiCare patients, providers, and employees of Tacoma, Wash.-based MultiCare had personal information exposed in a December ransomware attack on their medical practice management company’s IT services vendor. Becker’s Health IT 9 March
  • A clinic in North Carolina had a six-day ransomware attack starting 23 February. Hackers demanded a $1.75 million payment in exchange for giving back the clinic access to its data. The clinic came back online 1 March but did not disclose any payment. Becker’s Health IT 5 March
  • NBC News revealed that hackers stole employee files from Gallup, New Mexico-based Rehoboth McKinley Christian Health Care Services after a ransomware attack on its computer network in February. Those employee files were posted online; information included employee job applications and background check authorizations with Social Security numbers. Earlier attacks by the same hacker group included Leon Medical Centers of Miami-Dade Florida (see following) and Nocona (Texas) General Hospital resulted in the online publishing of tens of thousands of patient records. Becker’s Health IT 4 March
  • Hackers attacked biochemical machines used to prepare samples in Oxford University’s Division of Structural Biology. Forbes received the information from Hold Security chief technology officer Alex Holden, who provided screenshots of the hackers’ access to Oxford University systems, and notified the university.
  • The cutely-named DoppelPaymer gang attacked a county government office in Chatham County, North Carolina, and stole residents’ PHI and PII between November 2020 and this past January. Becker’s 10 Feb
  • And on the ‘Someone Got Fired For This One’ list is the response to hacking at Boise, Idaho’s Saint Alphonsus Health System. The health system had a data breach in January. Patients were routinely notified. However, the mail merge, not the hack, created an incorrect status for some patients, sending them letters as if they were deceased or a minor. Becker’s Health IT 10 March

It’s cold comfort when the US Department of Justice announces that they are indicting three North Korean hackers who inflicted the WannaCry malware and $1.3 bn in extortion damage on the world back in 2018. All three were members of North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). The likelihood of their extradition is one word: none.

And in other news….

Withings unveils new professional devices. The Body Pro smart scale and BPM Connect Pro, distributed to doctors, will transmit health data directly from patient to doctor out of the box. Neither requires Wi-Fi or a mobile phone, since both have embedded SIM cellular cards that connect directly to a mobile network. They are sold through Withings’ professional division. FierceHealthcare

Telehealth provider Bluestream Health has added Leon Medical Centers, a seven-location Miami-Dade FL provider. Bluestream Health provides white-labeled secure telehealth services, integrated with clinical workflows, to approximately 50,000 providers in 500 facilities. Release.

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy

Alyssa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a tool that makes its traffic look as if it were generated by a mobile health app.
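The BOLA finding above comes down to an API that checks only that the caller is logged in, not that the caller may see the specific record whose ID it supplies. The following is an added illustration (not Approov’s or any app’s code) of a vulnerable lookup beside its hardened form; the record store, users and roles are constructed sample data.

```python
"""
Broken Object Level Authorization (BOLA) in a health-app API: a lookup that
trusts the client-supplied record ID, beside one that authorizes per object.
Constructed sample data; not taken from any real app or from Approov's report.
"""
from dataclasses import dataclass, field

# Constructed patient records keyed by sequential, guessable IDs.
RECORDS = {
    1001: {"patient_id": "p-alice", "diagnosis": "hypertension"},
    1002: {"patient_id": "p-bob", "diagnosis": "asthma"},
}


@dataclass
class User:
    user_id: str
    role: str                                  # "patient" or "clinician"
    authenticated: bool = True
    patients: set = field(default_factory=set)  # clinician's assigned panel


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_record_vulnerable(user: User, record_id: int) -> dict:
    """Authentication only: any logged-in user who changes the ID by one
    digit receives someone else's record. This is the BOLA defect."""
    if not user.authenticated:
        raise PermissionError("login required")
    return RECORDS[record_id]


def get_record_hardened(user: User, record_id: int) -> dict:
    """Object-level authorization: the server decides, per record, whether
    THIS caller may read THIS object; the supplied ID alone proves nothing."""
    if not user.authenticated:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    if record is None:
        # Same error as "forbidden" so callers cannot enumerate valid IDs.
        raise Forbidden("not found or not permitted")
    owner = record["patient_id"]
    if user.role == "patient" and owner == user.user_id:
        return record
    if user.role == "clinician" and owner in user.patients:
        return record
    raise Forbidden("not found or not permitted")


def id_swap_leaks(lookup, user: User, own_id: int, other_id: int) -> bool:
    """Test harness for either lookup: True if `user` can read its own record
    and then, by swapping the ID for a neighbouring one, someone else's."""
    own = lookup(user, own_id)
    try:
        other = lookup(user, other_id)
    except Forbidden:
        return False
    return other["patient_id"] != own["patient_id"]
```

The same check belongs on every write path (prescriptions, history edits) as well, since the report notes the flaw allowed records to be altered, not just read.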

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even as the sophistication of the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off-the-shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

10 years in 2 months: prognosticating the longer-term effect of COVID-19 on telehealth, practices, and hospitals

This Editor recounted last night, in the article below on The TeleDentists’ fresh agreements with Cigna and Anthem, the observation of a former associate who has been in the thick of the remote patient monitoring wars for some years: telehealth/telemedicine has progressed 10 years in 2 months. Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), stated to the Wall Street Journal (paywalled), “I think the genie’s out of the bottle on this one. I think it’s fair to say that the advent of telehealth has been just completely accelerated, that it’s taken this crisis to push us to a new frontier, but there’s absolutely no going back.” Even in a short period of time, CMS-reported telehealth visits as of 28 March trebled from 100,000 to 300,000. When the April numbers are in, it would not be surprising to see them grow well into seven figures.

The genie may be out of the bottle, but what will the genie do? Genies are, after all, unpredictable, and fly around. Out of the smoke, some educated guesses:

  • Insecure, non-HIPAA-compliant audio/video platforms will be the first that should be struck from CMS approval. Zoom has become a hackfest, with all sorts of alerts from mobile providers like Verizon on how to secure your phone. (An organization of which this Editor is a member had a panel this week completely disrupted by a hacker in five minutes.) Skype’s problems are well known. The winners here will be telehealth platforms that integrate well with EHRs and population health platforms (or are part of population health platforms), and that have robust security.
  • Primary care practices and specialists, who’ve been surviving on non-F2F visits, will be adjusting their practices to patient demand, and integrating telehealth with physical visits in a way that their patients will prefer. This means a search for integration of EMRs/EHRs with secure platforms and reconfiguring areas such as care coordination. If planned correctly, this could create better management of patients with multiple chronic conditions.
  • Actual physical visits will rebound, creating financial pressure on Medicare, hospitals, and private payers. How many people’s health has declined in two-three months is key. Small practices, who may see this first, will see another level of pressure, because they will be held to their Medicare quality metrics in value-based models even if adjusted. Hospitals will also rebound–if they are able. The dark side: private payers may run the numbers and scale back on benefits for the 2021 year especially if COVID is projected to make a return.
  • Behavioral health may benefit, yet the shift may drive individual practices into a wave of retirements, or a consolidation into clinic or group settings. There’s a reason why Optum is buying out AbleTo; we may see a wave of competitor acquisitions in this area, with the emphasis on cognitive health and short courses. Why retirements? Many psychiatric practices are still independent, concentrated geographically, and the average psychiatrist is over 50. Psychiatric EHRs are both costly and not particularly suited to practices. If faced with technological challenges, a lot of MDs and senior clinical psychologists may very well exit–threatening clinics which need MDs to legally operate.
  • Rural health’s failure accelerated. USA Today’s analysis pinpointed at least 100 rural hospitals to close within the year. They already operated on thin margins, but with COVID expenses for additional equipment, the closing down of more profitable elective procedures and dependence on Medicaid, the over 1,100 unprofitable hospitals, over half of which are the only hospital in their county, have received a body blow. HHS allocated $10 billion to rural hospitals and clinics of the $100 billion aid package, but it may be too little and too late. Becker’s Hospital Review continues to track the bankruptcies and closures. Here there are no easy solutions from the digital health area.
  • A culture of cleanliness should accelerate. If the genie pulls this out of the bottle, one major benefit will be that hospital-acquired infections will decline. Effective sanitization methods that reduce human application and scrubbing will be the ones to look at: disinfecting foggers and UV full room or area systems–or combinations of same. Cleanliness and the absence of viruses and bacteria may become a new metric. Look at and bet on companies that can provide this, from rooms to computers/mobile tablets and phones.

Readers can help with these prognostications and especially how they will play out not only in the US, but also in the UK, Europe, and worldwide.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million breached healthcare records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached in all of 2018 (15.1 million). The number of breach incidents was smaller–285 incidents disclosed to the US Department of Health and Human Services or the media, compared to 503 breaches in 2018–which means that individual breaches affected far more records each.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health (through one of its subsidiaries, BioReference Laboratories, Inc.), and Clinical Pathology Laboratories [TTA 5 June]. This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related, affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is clearly not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

Digital health: why is it a luxury good in a world crying for health as a commodity?

Why digital health still struggles to find its stride. Those of us in the healthcare field, especially Grizzled Pioneers, have been wondering for the past decade why Digital Health’s Year is always Next Year. Or Next Decade. 

Looking back only to 2000, we’ve had 9-11, a dot-com bust, a few years in between when the economy thrived and the seed money started to pollinate young companies, a prolonged recession that killed off many, and now finally a few good economic years where money has flooded into the sector, to good companies and to those walking the fine line of mismanagement or fraud. We’ve seen the rise/fall/rise of sensors, wearables, and remote monitoring, giants like Google and Microsoft out and back in, the establishment of EHRs, acceptance by government and private payers, quite a bit of integration, and more. All one has to do is look at the investment trends breaking all records, with funding rounds of over $10 million barely raising a notice–enough to raise fears of a bubble. Then there’s another rising tide–that of cyberattack, ransomware, insider and outsider hacking.

Is it this year? It may not be. Despite the sunshine, interoperability holds it all back. Those giant EHRs–Cerner, Epic, Athenahealth, Allscripts–are largely walled gardens, and so customized by each provider’s implementation that they can barely talk even to like systems. There are regional health exchanges such as New York’s SHIN-NY, Maryland’s CRISP, and others, but they are limited in scope to their states. The VA’s VistA, the granddaddy of the integrated system, died of old age in its garden. Paul Markovich, CEO of Blue Shield of California, cites the lack of interoperability, and of patients being able to access their personal health data, as a major barrier both to patients and to the large companies who want to advance AI and need the data for modeling. (China and its companies, as we’ve noted, neatly solve this problem by force. [TTA 17 Apr]) Apple is back in with Health Records, but Mr. Markovich estimates it may take 10 years to gather the volume of data needed to establish AI modeling. Some wags demand that Apple buy Epic, as if Epic were up for sale. BSC, like others, is testing interoperability workarounds like Notable, Ooda Health, and Manifest MedEx. Mr. Markovich cites interoperability and scaling as reasons why healthcare is expensive. CNBC

And what about those thriving startups? Hold on. During the Google Cloud/Rock Health 3 June event, one of the panelists–from Partners HealthCare, which works both sides of the street with Pivot Labs–noted that hospitals have figured out their own revenue models, and co-development with hospitals is key. Even if validated, not every technology is commercially ready or lowers cost. And employers are far worse than hospitals at buying in, because they ultimately look at financial value even if they initially adopt for other reasons. In addition, the bar has moved higher. The new validation standard is provider-centric–workload, provider satisfaction, and implementation metrics–because meeting clinical outcomes is a given. Mobihealthnews

And still another barrier–data breaches and cyberattack–is still with us, and growing. Quest Diagnostics’ data breach affects nearly 12 million patients. It was traced to an individual at a vendor, American Medical Collection Agency, and involved Optum360, a Quest contractor and part of healthcare giant Optum. The unauthorized person had access to the network for eight months, between 1 August 2018 and 30 March 2019, and the exposure involved both financial and some health records. Quest now sits in the #2 slot behind the massive 79 million-person Anthem breach, which, based on a Federal grand jury indictment in Indianapolis in May, was executed by a Chinese group in 2015 using spearphishing and backdoors that gathered data and sent it to China. Three other US businesses named in the indictment are not identified. Securing health data is expensive–and another limitation on the cost-lowering effects of interoperability. Healthcare IT News

Digital Health’s Year, for now, will remain Next Year–and digital health for now will remain fractional, unable to do much to commoditize healthcare or lower major costs.

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets indeed–for hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value.

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, gives you the feeling that the steamroller has not only run over us but is on its second pass.

According to one reporting company, Bitglass, breach incidents were flat year-over-year (290), but the number of records affected in 2018 nearly tripled, from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft are down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

Yet another NHS cyber-vulnerability: fax machines

Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but fax protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one.

The ‘how to’ is in the article. New ‘all in one’ printers, connected both to phone lines and wirelessly to networks, can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax, as illustrated in Check Point’s attack-flow diagram. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer, but others would be vulnerable as well. Online electronic fax numbers may also have problems.

An NHS census, released via a FOIA request, indicates it uses 9,000 fax machines. The NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health.

OpenEMR’s security flaws threaten millions of patient records; McAfee successfully alters vital signs reporting into monitoring systems

The OpenEMR system, an open-source patient record system used in UK hospitals and others worldwide, has dozens of security flaws in its software, according to Project Insecurity, a London-based “tight-knit computer research organization which focuses primarily on educating the masses on the topics of information security” (per its corporate description on LinkedIn). Project Insecurity’s report lists vulnerabilities including “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.” OpenEMR has stated that it has now supplied patches to fix the vulnerabilities listed in the report. However, these multiple flaws put potentially millions of patient records at risk for some time.

OpenEMR’s decentralized model has some drawbacks when it comes to security. According to OpenEMR, they do not know how many organizations are affected, as registration for the open-source software is voluntary. Patches and security fixes are announced to the registration list, OpenEMR’s online forum and social accounts, the open-emr.org community, and OpenEMR vendors. While no data has been publicly exposed, the Project Insecurity report revealed this system’s risk to the healthcare organizations which use it. Also DigitalHealth and Project Insecurity on Twitter.

McAfee has confirmed another vulnerability–that vital signs reported to a central monitoring station can be altered in real time. They tested a circa-2004 bedside monitor/central monitoring system reportedly still in use. The system monitored heartbeat, oxygen level, and blood pressure, used both wired and wireless networking over TCP/IP, and appeared to store patient information. The central monitoring station ran Windows XP Embedded, which presented one set of flaws, but far more accessible to a breach was the communication from the devices to the central monitoring system. In short, “the attacker simply has to send replacement data to the central station while appearing as the patient monitor.” The article shows that vital signs can be altered before they reach the central monitoring station, producing a wrong diagnosis, unnecessary testing, and unneeded medication. The McAfee article lays out How to Mess With Vital Signs, Believably.
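The root cause McAfee describes is a station that accepts any packet that merely looks like it came from the monitor. The following added example (not McAfee’s or any device vendor’s code; device IDs, keys and readings are constructed) sketches the mitigation: the monitor authenticates each reading with a per-device HMAC key and a sequence number, so the station rejects forged, altered and replayed vitals and logs them for alerting.

```python
"""
Authenticated monitor-to-central-station telemetry. Constructed demo; the
message format and keys are assumptions, not a real monitor's protocol.
"""
import hashlib
import hmac
import json

# Constructed per-device shared secrets; in practice provisioned at install.
DEVICE_KEYS = {"bed-07": b"constructed-demo-key-bed-07"}


def _canonical(body: dict) -> bytes:
    # Stable serialisation so monitor and station MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, seq: int, vitals: dict, key: bytes) -> dict:
    """Monitor side: device ID, increasing sequence number and HMAC-SHA256 tag."""
    body = {"device_id": device_id, "seq": seq, "vitals": vitals}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class CentralStation:
    """Station side: accept a reading only if the tag verifies under the key of
    the claimed device and the sequence number is newer than the last seen."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}
        self.accepted = []
        self.rejected = []  # (reason, message): feed this to audit/alerting

    def receive(self, msg: dict) -> bool:
        key = self.keys.get(msg.get("device_id"))
        if key is None:
            return self._reject("unknown device", msg)
        body = {k: msg[k] for k in ("device_id", "seq", "vitals") if k in msg}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare so the tag cannot be recovered byte by byte.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return self._reject("bad tag: forged or altered", msg)
        if body.get("seq", -1) <= self.last_seq.get(body["device_id"], -1):
            return self._reject("replayed or stale sequence", msg)
        self.last_seq[body["device_id"]] = body["seq"]
        self.accepted.append(body["vitals"])
        return True

    def _reject(self, reason: str, msg: dict) -> bool:
        self.rejected.append((reason, msg))
        return False


def demo() -> dict:
    """Feed the station a genuine reading, an altered copy, a forged packet
    that only claims to be bed-07, and a replay of the genuine reading."""
    station = CentralStation(DEVICE_KEYS)
    key = DEVICE_KEYS["bed-07"]
    genuine = sign_reading("bed-07", 1, {"hr": 72, "spo2": 97, "bp": "118/76"}, key)
    tampered = {**genuine, "vitals": {"hr": 160, "spo2": 82, "bp": "118/76"}}
    forged = {"device_id": "bed-07", "seq": 2,
              "vitals": {"hr": 40, "spo2": 90, "bp": "90/60"}, "tag": "00"}
    results = {
        "genuine": station.receive(genuine),
        "tampered": station.receive(tampered),
        "forged": station.receive(forged),
        "replay": station.receive(genuine),
    }
    results["accepted_count"] = len(station.accepted)
    results["rejected_reasons"] = [r for r, _ in station.rejected]
    return results
```

A burst of rejections for one bed is itself a signal worth alarming on, since a legitimate monitor should never produce them.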