Short takes: ransomware op BlackCat busted by FBI, websites shut–for now; health systems lay off IT staffers; retailers collecting way too much PII including health

FBI busts BlackCat/ALPHV ransomware. In an Eliot Ness-like move, the Federal Bureau of Investigation (FBI) got busy and delivered a nice present to healthcare organizations for Christmas. According to two 19 December articles in Bleeping Computer, the FBI seized operational darknet websites for the ALPHV ransomware operation (article 1) and created a decryptor to help approximately 500 companies recover their data for free, negating $68 million in ransom demands (article 2). The details are a little thin, but in article 2 Bleeping reconstructed what they could from the search warrant. The FBI arranged with a confidential human source (CHS) to become a backend affiliate, meaning the CHS could log in and use ALPHV’s affiliate panel to manage extortion and ransom campaigns. It sounds like a rather nifty platform with lots of management and negotiation tools if you’re extorting a victim company. Decryption keys are not available through the affiliate panel, so how the FBI got them is another matter they are mum on; what the warrant does say is that “they obtained 946 private and public key pairs associated with the ransomware operation’s Tor negotiation sites, data leak sites, and management panel”. The decryptor, in other words, is only as good as the keys the FBI holds: it covers those approximately 500 victims, not everyone ALPHV ever hit.

US law enforcement was assisted by Europol and by law enforcement in Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria. This is the third time this gang’s operation has been breached; as Bleeping Computer put it, they’ll “rebrand under a new name as they have done in the past” in a few months.

But maybe faster than that. Some added details from Healthcare IT News, sourced from KrebsOnSecurity: BlackCat briefly ‘unseized’ its darknet site, replaced the FBI seizure banner (screenshot courtesy of Bleeping Computer) with its own ‘we’re unseized’ notice (reproduced in the Krebs article), and announced that it was still open for business at a different location, offering affiliates a 90% payout and free rein to ransomware anything, anywhere (hospitals and nuclear plants cited!) except targets in Russia and the CIS. The tug-of-war is possible because a Tor onion address is bound to its service key: with both the FBI and the gang holding the private keys for those sites, either side could publish a fresh descriptor and take the address back.
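Why a seized onion site can be ‘unseized’ comes down to how Tor binds an address to a key. The following Python is an added illustration, not code from Bleeping Computer, Krebs or the FBI filings: it derives a v3 .onion address from an Ed25519 public key following the Tor rend-spec-v3 checksum rules, and validates one going the other way. The 32-byte public key is a constructed test value, not any real service’s key, and the stdlib is all it needs. Because the address is just the public key plus a two-byte checksum and a version byte, anyone holding the matching private key can publish a descriptor for it; an address cannot be taken away from a party that still has the key.

```python
"""Tor v3 onion address derivation and validation (rend-spec-v3, section 6).

Added illustration with constructed data; stdlib only.
"""
import base64
import hashlib

ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"

# Constructed 32-byte "Ed25519 public key" used only as sample input;
# a real service's public key is derived from its secret key.
CONSTRUCTED_PUBKEY = bytes(range(32))


def _checksum(pubkey: bytes, version: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def onion_address(pubkey: bytes, version: int = ONION_VERSION) -> str:
    """Return the 56-character .onion hostname for an Ed25519 public key.

    `version` is a parameter only so the parser's version check can be
    exercised; real v3 services always use 3.
    """
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    ver = bytes([version])
    raw = pubkey + _checksum(pubkey, ver) + ver  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the embedded public key.

    Raises ValueError on bad length, non-base32 characters, wrong version
    byte or checksum mismatch. The key is the only identity the address
    carries: two parties holding the private key are indistinguishable.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are 56 base32 characters")
    try:
        raw = base64.b32decode(host.upper())  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("hostname is not valid base32") from exc
    pubkey, checksum, ver = raw[:32], raw[32:34], raw[34:]
    if ver != bytes([ONION_VERSION]):
        raise ValueError("unsupported onion address version %d" % ver[0])
    if checksum != _checksum(pubkey, ver):
        raise ValueError("checksum mismatch: address was altered")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """True if the address parses and its checksum and version check out."""
    try:
        parse_onion_address(address)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    addr = onion_address(CONSTRUCTED_PUBKEY)
    print(addr, is_valid_onion_address(addr))
```

Run it directly to print the address for the constructed key. The operational point for defenders is that a seizure banner on an onion site proves only that whoever posted it held the key at that moment, which is exactly why the Bleeping Computer and Krebs reports show the site flipping back and forth.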

Given ransomware, hacking, cybersecurity threats, and maintaining/upgrading operations, you’d think hospitals would be hiring, not firing, IT workers. But noooooo. Becker’s listed seven health systems that are either pink-slipping IT staff or transferring them to outsourced companies. They are Kaiser–115 nationwide; Novant Health–unknown due to ‘changing up their IT system’; Tower Health (Reading PA)–outsourced staff to a vendor; Mass General Brigham–staff reduction via voluntary buyouts in effect 22 November; Bon Secours Mercy Health–layoffs plus eliminating open roles; Care New England–outsourced staff to health IT provider Kyndryl; Franciscan Health–moved 61 to a vendor. Penny wise, pound foolish.

You’ve left behind more than money with your online holiday shopping: data, and lots of it. This study from Incogni Research is unnerving, as it goes far beyond what you think you’ve shared (you buy nasal spray in the winter, allergy eyedrops in the spring, and so on) to what retailers are actually collecting on you. This Editor will cite only the companies in healthcare, CVS, Walgreens, Amazon, and Walmart, according to their study:

  • All four collect PII data that includes customers’ identifiers (like their names, online identifiers, and driver’s license numbers), characteristics of protected classifications (like marital status, ancestry, and disabilities), commercial information (like purchase history and property records), and audio/electronic/visual information (like video and/or audio recordings of consumers).
  • Walmart, CVS, and Walgreens additionally collect Social Security numbers, union membership status, and sex-life data.
  • Their apps collect 15 to 20 data points, such as exact location, personal data, financial data, health and fitness, messages, photos and videos, audio files, files and docs, app activity, web browsing, app info and performance, and device or other IDs.

Users can opt out of some of this collection, but most do not. Some of the data goes to third parties. And all four companies have been breached at one time or another, whether at the retailer or at a vendor. Prepare to be shocked and dismayed. Release on DR Journal

News roundup: Ancestry sells 75% to Blackstone, Cornwall NHS partners with Tunstall, most dangerous health IT trends, Slovenski departs from Walmart Health

Ancestry sells 75 percent of the genealogy/genetics company to Blackstone for $4.7 bn. The acquisition by the private equity company buys out other equity holders: Silver Lake, GIC, Spectrum Equity, Permira, and others. Ancestry’s business combines their genealogy database with consumer genomics for both heritage and health. The Blackstone release notes that their goals in the acquisition are to expand data, functionality, and product development across the Ancestry platform as part of their investment in growth businesses. If an acquisition cost of $4.7 bn seems high, Ancestry’s revenue is cited as $1 bn annually.

Once blazingly hot, both Ancestry and 23andMe saw their consumer businesses crater late last year, with layoffs in January and February. It’s an example of a quickly saturated market (one test and you’re done) flogged by annoying TV commercials over the holidays [TTA 13 Feb]. Where the profit is, of course, is not in consumer tests but in selling the genomic data to other companies, something which the market leader, 23andMe, realized early on in selling a stake to GSK ($300 million, a real bargain). 23andMe is also intensively marketing, as a premium subscription service, updates on health information derived from member testing. Ancestry has followed, but reportedly has not been as proactive in linking genetic information to health outcomes. STAT

This Editor noted back in August 2018 that it was long past time for a Genomic Data Bill of Rights for consumers to be fully transparent on where their data is going, how it is being used, and to easily keep their data private without jumping through a ridiculous number of hoops. It’s a conclusion now being reached by various privacy groups according to MedCityNews. Also noted is that Ancestry, in its complex and long privacy policy, can use your “personal information to market new products from the company or its business partners, but says it will not share users’ genetic information with insurers, employers or third-party marketers without their express consent.” But when your 75 percent owner has real estate and other healthcare holdings, can you trust them?

Cornwall Partnership NHS Foundation Trust partnered with Tunstall Healthcare UK on a 26-week support program during the pandemic for young people 11+ with a range of eating disorders. The patient group used the myMobile app and the ICP triagemanager software to send in weekly reports on their vital signs and answer symptom-related questions, which are tracked over time via a secure portal to monitor progress. The myMobile app has parameters set for individual patients, where readings outside them generate a system alert that is sent to clinicians. The program was able to ascertain that 32 patients were at high risk and have been referred. Cornwall/Tunstall white paper, ATToday.co.uk

As if COVID Fear weren’t bad enough, now we have to be frightened of Dangerous IT Trends. Becker’s Health IT interviewed eight healthcare executives and came up with a list of what keeps them up at night:

  • The sluggish rate at which healthcare systems embrace new technology
  • We won’t be going back to the pre-pandemic normal and how healthcare deals with that
  • Overlooking data security and medical device vulnerabilities
  • Cutting IT staff and budgets without acknowledging the consequences
  • The consequences of hastily moving workers remote and securing their devices

None of the above is new, and it’s rather shocking that they haven’t been addressed.

And in Comings and Goings, we have a Notable Going. Sean Slovenski, who for the past two years has been heading up Walmart US’ Health and Wellness initiatives, departed the company last week with a replacement to be named in the coming weeks. Mr. Slovenski had been heading up a variety of healthcare initiatives, including in-store primary and dental care clinics which have opened up in four Arkansas and Georgia locations with an additional eight planned plus Florida. Walmart also opened up 100 COVID testing locations in store parking lots. His efforts were acknowledged in Walmart’s departure statement to staff. Mr. Slovenski “and his team have successfully stood up the strategy we hired him to create,” Walmart’s CEO John Furner said in a memo to staff. Walmart has also laid off over 1,000 corporate employees in a recent restructuring. Mr. Slovenski is most noted in digital health circles as CEO of Care Innovations for 2 1/2 years during the Intel-GE ownership. He was also with Healthways-ShareCare and Humana. Walmart is up against a long list of heavyweight challengers in retail health, including Amazon, CVS Aetna, and Walgreens–and may be deciding that an independent run is not worth it.

Confronto Nazionale sul Software in Sanità (National Comparison on Healthcare Software), 4-5 July, Rome

Policlinico Gemelli, Rome, 4-5 July

If you are one of our Readers in Italy or curious about the state of Italian healthcare technology as part of EU developments, 14 healthcare and IT system groups have come together for a meeting on technology innovation. The meeting will examine how health system stakeholders are developing and deploying software that supports the strategic, organizational, operational and clinical processes of service provision. The main discussion will center on sustainability, usability, performance, and interoperability with a focus on the EU’s Horizon 2020 and Italy’s particular situation in (translation) “extreme institutional, managerial and technical confusion. The result of this confusion is the continuous hemorrhaging of economic, logistical and human resources for the functioning of very restricted areas of health that are not interoperable with each other.” There is considerably more information on their website or you may contact the organizer, Koncept Ltd., t. 055 357223, m. 334 7365693, email segreteria@koncept.it

Avoiding the FDA health IT-medical device regulatory trap for general IT companies (US)

If you are an IT company in the US or internationally with services which could be useful to healthcare companies or practitioners, it’s easy to be overly specific and stray into FDA-regulated territory. The always-informative Bradley Merrill Thompson of the Epstein Becker Green law firm delineates the fine regulatory line that general purpose IT companies must observe when working with healthcare customers. First there is intended use, based on how the manufacturer intends its customer to use the product; if the customer uses it for the diagnosis or treatment of disease or other conditions, FDA will regulate it as a medical device. This is less clear than it seems, and Mr Thompson explores where a general IT company can, in the old PR adage, ‘say it safely’ and avoid falling into the unwanted medical device trap by avoiding medical feature and advice claims, and keeping the context away from medical use. The Journal of mHealth (August)–online version, optional PDF download. Hat tip to Mr Thompson via the Continua LinkedIn group. Other articles of interest in the JMH are: Scottish company HCi Viocare and its ‘smart insole’ pressure sensors for foot ulcer detection, Northwestern University’s research around patterns of smartphone usage detecting depression (page 19), and a lengthy article on transforming patient data into actionable insights (page 34).

HHS draft report on health IT framework published

Another part of the 2012 FDA Safety and Innovation Act (FDASIA) clicked into place with the US Department of Health and Human Services (HHS) publishing a draft report proposing strategy and recommendations for what is rather grandly termed a “health IT framework”. Basically it defines more unified criteria, based on risk to the patient and function of what the device does, not the platform (mobile, software, etc.). It then separates products into three broad categories. Excerpted from the FDA release and the FDASIA Health IT Report:

  1. Products with administrative health IT functions, which pose little or no risk to patient safety and as such require no additional oversight by FDA. Examples: billing software, inventory management.
  2. Products with health management health IT functions. Examples: software for health information and data management, knowledge management, EHRs, electronic access to clinical results and most clinical decision support software. This will be coordinated largely by HHS’s Office of the National Coordinator for Health IT (ONC) as part of their activities (including their current voluntary EHR certification program), but the private sector is also cited in establishing best practices.
  3. Products with medical device health IT functions, which potentially pose greater risks to patients if they do not perform as intended. Examples: computer-aided detection software, software for bedside monitor alarms and radiation treatment software. The draft report proposes that FDA continue regulating products in this last category. (Illustration on page 13 of report.)

The report also recommends the creation of a public-private entity under ONC, the Health IT Safety Center, which “would serve as a trusted convener of stakeholders and as a forum for the exchange of ideas and information focused on promoting health IT as an integral part of patient safety.” The private sector is duly noted as a ‘stakeholder’.

The report was developed by FDA “in consultation” with ONC and, not unexpectedly, the Federal Communications Commission (FCC). Another recommendation (page 28) is the establishment of a ‘tri-Agency memorandum of understanding (MOU)’ to further determine their working relationship in this area. There’s a 90 day comment period on the 34 page report, which is perfect for weekend reading (!) How this onion will eventually be peeled, rather than quartered, remains to be seen, as does anything emanating from Foggy Bottom.  FDA release. Report. FierceMobileHealthcare.

Update 8 April: A good summary of criticism and approval of the framework to date appears in iHealthBeat from the California Health Care Foundation. The two US Senators sponsoring the PROTECT Act [TTA 28 Feb, 6 Mar] stated there is still too much regulation of low-risk technologies, and Bradley Thompson of Epstein Becker/mHealth Regulatory Coalition believes the report is weak on the issues around clinical decision support software. With praise: HIMSS, Health IT Now Coalition and ACT, which claims to represent about 5,000 mobile application developers and IT firms, but has no locatable website.

Previously in TTA: FDA finally issues proposed rule simplifying medical device classification

The PROTECT Act for HIT doesn’t: mHealth Coalition

The mHealth Regulatory Coalition, which is a four-year-old alliance of legal and software companies in the health IT/software area, and whose most vocal spokespersons are well-known industry legal counsels Brad Thompson and Kim Tyrrell-Knott of Epstein Becker Green, has come out against the PROTECT Act (S 2007). PROTECT, which was proposed by Senators Fischer and King, would limit FDA regulation of certain ‘low-risk’ clinical software in the interest of fostering innovation and reducing regulatory burden. Original reports indicated that this responsibility would be transferred to the National Institute of Standards and Technology (NIST) [TTA 28 Feb]. According to Mr. Thompson, “The rush to avoid expert reviews of complex technologies with far-reaching health ramifications ignores the fact that we cannot separate the high risk from the low risk apps using broad terms in legislation.” His example: a theoretical smartphone app designed to diagnose melanomas from photos. PROTECT is being supported by IBM, athenahealth, Software & Information Industry Association, Newborn Coalition and McKesson. The bill also would exempt certain health IT software from being charged a 2.3% medical device tax, which is perhaps the ‘long game’ being played here by the aforementioned companies, as most Washington watchers give the bill as it stands little chance of clearing both houses of Congress and a congressional committee, much less being signed into law. The question remains: how best to speed less clinically significant wellness software to market without logjamming FDA.  iHealthBeat summary, Clinical Innovation + Technology, MRC press release

Health IT funding bubble seen by veteran investor

How is health tech like the 1990s ‘dot-com’-ers? Veteran Silicon Valley investor (HealthTech Capital) and former entrepreneur Anne DeGheest projects a ‘Series B crunch’ in funding health tech and IT in an interview with The Wall Street Journal’s Venture Capital Dispatch. The key factors: angels and ‘unsophisticated investors’ are pouring money into all sorts of devices, apps and related services in seed and Series A stages just to get on board in a hot sector. When the founders of these companies get to Series B and present to more demanding investors, the lack of a true value proposition and a detailed business plan that answers basic questions leaves them standing on, as aptly put, ‘a pier to nowhere’ or, as Joe Hage termed it last month, ‘insolvent with a great idea.’

Ms. DeGheest’s view that we are reprising the elements of the ‘dot-com’ bubble is confirmed by the numbers in Rock Health’s and PwC’s funding reports throughout 2013.

US, UK agreement on HIT

Edited from the HHS release. US Health & Human Services (HHS) Secretary Kathleen Sebelius and UK Secretary of State for Health Jeremy Hunt on Thursday 23 January signed a bilateral agreement for the use and sharing of health IT information and tools. The agreement strengthens efforts to cultivate and increase the use of health IT tools and information designed to help improve the quality and efficiency of the delivery of health care in both countries. The two Secretaries signed the agreement at the Annual Meeting of the HHS Office of the National Coordinator (ONC) for Health Information Technology. It concentrates on four key areas identified at the joint June 2013 summit:

  • Sharing Quality Indicators
  • Liberating Data and Putting It to Work
  • Adopting Digital Health Record Systems
  • Priming the Health IT Market

Collaboration efforts will be showcased at the Health Innovation Expo conference at Manchester Central 3-4 March (two weeks before HC2014) and the Health Datapalooza on 1-3 June in Washington, DC. A possible good sign for telehealth as there’s a great deal of mention of ‘preventive interventions’, ‘accessing and sharing data’ and the ‘health IT marketplace’.

Full memorandum of understanding text here. Also iHealthBeat.

Health IT serving population health

From the iHT2 Health IT Summit this Editor attended two weeks ago is this presentation by Jonathan Weiner, DrPH, Professor in the Department of Health Policy and Management, Director of the Center for Population Health IT (CPHIT), Johns Hopkins Bloomberg School of Public Health, Baltimore, Maryland. Telehealth is (or should be) implicit in the data feedback loop outlined in slide 3; in the population health assessment and performance loop on slide 5; the ‘digital health milieu’ on slide 9.

Harnessing EHRs and Health IT to Achieve Population Health    Interview with Dr. Weiner

Health 2.0 NYC: Hospitals 2.0

9 October 2013, Memorial Sloan Kettering Hospital, Rockefeller Board Room, New York City, 6-9pm

How Hospitals Are Using IT/ Data to Transform Care Delivery

Leading hospital, IT, provider and payer leaders will demonstrate how IT and data analytics are being used in decision support and other medical areas. Preliminary format: 2-3 presentations by hospitals and IT services leaders, with a panel combining provider, payer and IT services leaders to discuss various approaches and initiatives for using IT to transform hospitals. $20. Sponsored and organized by the 3,200-member Health 2.0 NYC–The NY Healthcare Innovation Group. Pre-registration through Meetup required to access (free Meetup membership/registration in group) (Disclosure: Editor Donna is a co-organizer of H20NYC events)