UCLA Health data breach may affect 4.5 million patients

Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, compromising an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and that the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)

The leaky roof of healthcare data (in)security–DARPA to the rescue?

This week’s priceless quote:

“A lot of the response was, ‘We live in a cornfield in the middle of Minnesota,’” he said. “‘Who wants to hurt us? Who can even find us here?’”–Jim Nelms, Mayo Clinic’s first chief information security officer.

We know where you are and what you do! The precarious state of healthcare data security at facilities and with insurers, plus increased external threats from hacking, has been getting noticed by Congress–when you see it in POLITICO, you know it has finally made it into the Rotunda. It was over the horizon late last summer with the FBI alert and legislators in high dudgeon over the Community Health Systems China hack [TTA 22 Aug 14]. It’s a roof that leaks, that costs a lot to fix and has no immediate benefit (cost avoidance never does), but when it does leak it’s disastrous.

This article rounds up much of what these pages have pointed out for several years, including the Ponemon Institute/IBM study from earlier this week, the Chinese/Russian connections behind Big Hacks not only for selling data, but also IP [TTA 26 Aug 14] and how decidedly easy it is to hack devices and equipment [TTA 10 May 14]. Acknowledgement that healthcare data security is about 20 years behind finance and defense deserves a ‘hooray!’, but when you realize that on average only 3 percent of HIT spend is on security when it should be a minimum of 10 percent (HIMSS) or higher…yet the choice may be better security or uncompensated patient care particularly in rural areas, what will it be for many healthcare organizations?

The article also doesn’t go far enough in the devil’s dilemma–that the Federal Government with Medicare, HITECH, meaningful use, rural telehealth and programs like Medicare Shared Savings demands more and more data tracking, sharing and response mechanisms, stretching HIT 15 ways from sundown. At the cutely named Health Datapalooza presently going on in Washington DC, data sharing is It for Quality Care, or else. Yet the costs to smaller healthcare providers to prevent that ER readmission scenario through new care models such as PCMHs and ACOs are stunning. And the consequences may be more consolidated, less available healthcare. We are already seeing merger rumors in the insurer area and scaledowns/shutdowns/buyouts of community health organizations including smaller hospitals and clinics. Also iHealthBeat.

DARPA to the rescue? The folks who brought you the Internet may develop a solution, but it won’t be tomorrow or even the day after. The Brandeis Program is a several-stage project over 4.5 years to determine how “to enable information systems that would allow individuals, enterprises and U.S. government agencies to keep personal and/or proprietary information private.” It discards the current methodology of filtering data (de-identification) or trusting third parties to secure it. Armed With Science. FedBizOpps has the broad agency announcement in addition to vendor solicitation information.

Do startups truly threaten the ‘healthcare establishment’?

Or are successful startups fitting into their game? Chris Seper in MedCityNews paints the picture of one side of a quandary. The ‘healthcare establishment’ fundamentally and to its detriment does not understand and is threatened by the startup and innovation process. A startup may begin with an idea which is, in his words, ‘almost always flawed, sometimes deeply’. If the founders are smart, they will test their ideas, validate them and change them appropriately. If not, they will fail. But it is easier for the Establishment to point at the most egregious of the bad ideas and use them to rationalize the status quo.

But being congenital contrarians, we paint the house on the other side of the street. Has the Establishment caught up with–or in some cases co-opted–startups, making them and their funders ‘do their diligence’ and be more cautious before emerging? This Editor would argue yes, and largely for the better.

**The ‘Wild West’ days are over.** A few years ago, a truly bad or deeply flawed health tech idea could easily find funding, because it was all blank slate, new and ‘transformative’. The sexiest hooks were Quantified Self, sleep, employer health incentives, interactive coaching, genomics, app prescribing and (last) wearables. A lot of founders imagined themselves as the Steve Jobs of Healthcare, down to the black turtleneck. Now there is a history of success and failure. The railroads reached the dusty frontier towns.

**There’s now a ‘Startup Establishment’.** National accelerators (more…)

58 percent of health data breaches due to simple theft, not hacking: JAMA

Criminal activity is the cause of nearly 6 out of 10 data breaches, according to a study published in JAMA last week (subscription required). Cyberbreaches–the infamous hacking attacks–produce breaches in the millions, but the far more typical and frequent breach, if smaller, is caused by simple theft of records–electronic and paper. HealthLeaders. We’ve reported previously that stolen records (over 500) have ranged from laptops to paper records as landfill and even old-style X-rays in dead storage sought after for mercury content. So if Hackermania is not always running wild, except when it is, how to keep those records secure? According to West Virginia United Health System’s assistant CIO, interviewed by FierceHealthIT at HIMSS, it requires a policy change of staff education, expectations, understanding that protecting patient information is part of holistic care–and frequent audits. Trust, but verify. Encrypt–and keep passwords secure, multiple and frequently changed.

News highlights for Friday

AnthemHealth didn’t encrypt, Blueprint Health collects, HealthSpot funds again, Sense4Baby goes to Europe, Apple Health pilots in hospitals and buddi gets bigger still.

Another hack attack claimed major US health insurer AnthemHealth, the former WellPoint. It’s estimated that 80 million of its customers, former customers and employees had data breached: names, addresses, dates of birth, emails, employment information, income, medical IDs and SSIs. The Wall Street Journal reports that Anthem didn’t encrypt data for analytics reasons. It’s unconfirmed where the hackers originated, but Bloomberg’s latest report tags the usual Chinese state-sponsored suspects. Unusually, it was reported within days of discovery; Anthem has called in Mandiant (FireEye) to beef up its cybersecurity. Other reports: WSJ, Modern Healthcare….The Blueprint Health accelerator has a new initiative, the Collective. It is designed to pair up major healthcare providers and payers with startups and early stage companies. So far signed up are Aetna, AstraZeneca, HP, Montefiore, North Shore LIJ, New York-Presbyterian, Samsung, EmblemHealth, Philips and Razorfish Healthware. More information here….The HealthSpot Station telehealth/telemedicine kiosk is readying an $11.6 million funding round from four investors soon, based on (more…)

Dr Topol’s prescription for The Future of Medicine, analyzed

The Future of Medicine Is in Your Smartphone sounds like a preface to his latest book, ‘The Patient Will See You Now’, but it is quite consistent with Dr Topol’s talks of late [TTA 5 Dec]. The article is at once optimistic–yes, we love the picture–yet somewhat unreal. When we walk around and kick the tires…

First, it flies in the face of the increasing control of healthcare providers by government as to outcomes and the shift for good or ill to ‘outcomes-based medicine’. Second, ‘doctorless patients’ may need fewer services, not more, and why should these individuals, who represent the high-info elite at least initially, be penalized by having to pay the extremely high premiums dictated by government-approved health insurance (in the US, ACA-compliant insurance a/k/a Obamacare)–or face the US tax penalties for not enrolling in same? Third, those liberating mass market smartwatches and fitness trackers aren’t clinical quality yet–fine directionally, but real clinical diagnosis (more…)

‘Hackermania running wild,’ part 2

Apple flying around the iCloud for Apple HealthKit. Making headlines this week were a few overly personal celebrity photos (foolishly) stored on iCloud accounts going public online. According to Apple, the accounts were hacked probably by ‘brute force’ password attack and not through an iCloud flaw. TechRepublic. But of more concern to digital health developers eager to get all that health and fitness data integrated via the Apple HealthKit API is that Apple is saying ‘nein’ to anyone using the iCloud to store data. Why the concern? Mobihealthnews lays down Apple’s eight ground rules.

Is CyberRX 2.0 a prescription for HIT? HITRUST (Health Information Trust Alliance), with participation from (US) HHS, will be hosting an October cyber attack simulation exercise with over 750 healthcare organizations participating. Exercises are at three levels depending on organization size and will include targeting information systems, medical devices and other technology resources of government and healthcare organizations. Press release. Website.

And the weakest point may be ‘over the air’. ‘Interceptor’ fake cell towers can defeat smartphone encryption to eavesdrop on calls ‘over the air’, read texts and possibly push spyware onto Android phones. According to the CEO of ESD America, they have detected at least 17 powerful towers, likely more, scattered around the US–many near military bases. (more…)

Now three medical device maker networks hacked

St. Jude Medical, Medtronic and Boston Scientific targeted. The San Francisco Chronicle reported earlier this week, from what they termed a source close to the companies, that all three companies had data intrusions that lasted for several months during 2013, and were not aware of them until alerted by Federal authorities. None of the companies, nor the FBI, confirmed or commented on this for the Chronicle. The attacks were “very thorough” and the source stated that they showed signs of being committed by hackers in China. The attraction of all three companies–Medtronic being the world’s largest–is their intellectual property and of course patient data, with the article mentioning confidential patient data collection from clinical trials. Also iHealthBeat.

Previously in TTA: US health data breaches hit record; Healthcare.gov backdoored?

Dick Cheney’s defibrillator and medical device hacking

The news this week that former US Vice President Dick Cheney and his cardiologist decided to turn off wireless access to his implanted defibrillator (ICD) in 2007 based on fears of radio-based attacks underlines the increased awareness of security threats to wireless interfacing or programmable devices. The fear of ‘death by malicious hacking’ could very well lessen the sales and acceptance of new wireless-dependent designs in pacemakers, diabetes management/artificial pancreas and even medication ingestion tracking (Proteus). One proposal outlined in medical device supplier blog Qmed is interesting: “Since most proposed attacks would take place from a distance, researchers believe that using a patient’s heartbeat signature as a password could offer an adequate level of security. Using a heartbeat signature password, pacemakers and other devices would only unlock when ‘fed back’ an individual’s heartbeat in real time.” Yet beyond that, an advanced ‘white hat’ hacker like the late Barnaby Jack envisioned bugs in programming which could negate this to create murdering pacemakers as well as killer insulin pumps. (A look back at Barnaby and his still mysterious death in the Daily Mail.) Dick Cheney: Heart implant attack was credible (BBC News). Hat tip to TANN Ireland’s Toni Bunting. Previously in TTA: A ‘mobilized’ artificial pancreas breakthrough included the increased awareness of hack attacks in the medical mainstream, and Contributing Editor Charles on compromised smartphone apps.

The sea of security ‘red flags’ that is Healthcare.gov

It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Confirmed by experts to the more-than-mainstream Christian Science Monitor are the layers of insecurity entirely plausible on the current Healthcare.gov website–and the 14 state (plus DC) websites feeding into the Federal health insurance exchange and up into the mysterious hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards, but these are no guarantee–and the state sites are not required to. ‘Red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery
  • ‘Clickjacking’–an invisible layer over the legitimate website
  • Cookie theft, and not by the Cookie Monster
  • Problematic verification from state to Federal, from legitimate third-party assistance, from brokers and so on
  • Login fraud–the happy hunting ground of hackers and DDoS attacks

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding, in the less-than-a-month window till the crash-time deadlines in mid-November and then early January. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.

A ‘mobilized’ artificial pancreas breakthrough?

Neil Versel (again) profiles a mobile platform that may be the start of the end of the Continuing Battle of Stalingrad for type 1 diabetes patients. The prototype system, Diabetes Assistant (DiAs), is a closed-loop system which combines a modified Android phone with wirelessly connected wearables attached to the skin–Dexcom glucose monitors and Insulet OmniPod insulin pumps–to effectively act as an artificial pancreas. It was developed by University of Virginia’s Center for Diabetes Technology with funding via The Juvenile Diabetes Research Foundation and the National Institutes of Health’s National Institute of Diabetes and Digestive and Kidney Diseases. Findings of the 20 patients monitored were initially presented at June’s American Diabetes Association annual scientific meeting and published in the July edition of the journal Diabetes Care (PDF does not require subscription). The system was designed by an international team: Sansum Diabetes Research Institute in Santa Barbara, Calif., University of Padova in Italy and the University of Montpellier in France. Tests continued with summer campers and the integration of Bluetooth LE into the connectivity system. Mobihealthnews article.

But can this small miracle of a system be hacked–and can providers be held accountable? This scary thought of ‘harm or death by hacking’, with the example given of an insulin pump gone awry, was tagged at the 2011 Hacker’s Ball, a/k/a Black Hat USA, by Jerome Radcliffe [yes, in TTA back in August 2011]. The late Barnaby Jack was also on the medical device hack track. The danger is only now entering the consciousness of medical administrators and the industry press in mainstream venues such as Information Week. Are Providers Liable If Hacked Medical Device Harms A Patient? (Healthcare Technology Online). Also Kevin Coleman in Information Week tells more about the liability providers may find themselves in if they don’t update their systems.

Both the diabetes closed-loop systems under development (Diabetes Assistant is one of three) and the hacking threat were addressed by Contributing Editor Charles earlier this month [TTA 5 August] in his examination of how systems should move from decision support to decision taking in order to truly reduce patient or caregiver burden.

The exploding black market in healthcare data

When medical records’ black market value is estimated at an average of $50 per record–94 percent of health care organizations have had at least one breach in the past two years–and 2 million Americans were medical identity theft victims in 2011–it’s one unpleasant ‘pointer to the future.’

Data firm ID Experts studied a decade of data breaches and notes that medical data has become very attractive to professional hackers and cyber thieves. ID Experts’ full infographic.

  • First, there is so much of it with the increasing electronification of health data.
  • Second, so much of it resides on insecure or unsecured networks: smartphone, tablet, laptop.
  • Third, organizations and individuals still are only semi-conscious of the reality of fraud, and are negligent and sloppy when it comes to securing devices and over-reliant on the cloud without tight enterprise security. The new and underfunded health insurance ‘exchanges’ are particularly vulnerable as they, as well as other healthcare organizations, can over-rely on technology to protect data–which clever hackers can work around. Moreover, they can extract and sit on data till the trail goes cold. (Scroll down the infographic to find out more.) Also Ponemon Institute’s recent report in Healthcare Technology Online.

ID Experts’ study conclusions are reinforced by the California State Attorney General’s report that 55 percent of breaches “were intentional intrusions by outsiders or by unauthorized insiders” and that healthcare breaches were the third largest category of reported incidents. A counter-measure may be the Medical ID Fraud Alliance, a collaboration in progress that is planned to include the Federal Trade Commission, the Secret Service and the Veterans Administration. More in Amednews.com (published by the American Medical Association).

Healthcare breaches due to criminal activity and plain error are becoming more common as well. All one has to do is bop over to Privacy Rights Clearinghouse, click on ‘MED’ for healthcare and 2013 and check the frequency to date (113) of breaches both tiny and huge. (By comparison, full year 2012 totaled 224.) Our TTA ‘Into The Breach’ Awards go to:   (more…)