Short takes: states curbing healthcare cyberattack liability, North Korean hospital ransomwareiste indicted, Walmart leases out 23 clinics to Humana’s CenterWell, Nuro robot delivery revives, $100M Series E for Spring Health

News that class-action specialist law firms won’t like. States are considering limiting hospitals’ liability for cyberattacks if the hospitals adopt defined cybersecurity measures. Currently, four states–Tennessee, Connecticut, Ohio, and Utah–have laws that curb liability for cyberattacks and data breaches. A fifth state, Florida, is considering it, with Governor Ron DeSantis pushing for a tougher version to encourage strong cybersecurity adoption. The state lawmakers’ rationale centers on the admission that cyberattacks on hospitals are inevitable and that a hospital with security in place is not negligent. On the opposite side, law firms that specialize in consumer class-action lawsuits argue that hospitals would rather profit than put expensive protection for consumer data in place.

This Editor’s view tends to be even stronger than that of Governor DeSantis. How can state regulators actually know that a hospital has strong, effective cybersecurity? Hospitals not only have to spend money to constantly update their monitoring, but also have to hire the humans to implement it. In other words, what people or agency on the state level can assess that a hospital or health system has adequate cybersecurity in place and is acting in good faith to protect consumers against predatory data breaches or ransomware? The article in Politico is unfortunately very scant on how these laws work, the liability limitations, and the mechanisms for judging hospital cybersecurity. More to come on this. Also DataBreaches.net–this Editor’s go-to spot for research.

A North Korean ransomwareiste indicted, but he’ll be hard to bring to trial, let alone to serve time if convicted. A grand jury in the US District Court for the District of Kansas has indicted Rim Jong Hyok for ransomware attacks on 17 hospitals and health systems across 11 states, plus attacks on government entities, from May 2021 through April 2023. The US Department of Justice (DOJ) charges that Rim was working for the North Korean intelligence agency, the Reconnaissance General Bureau (RGB), in a hacking group known as Andariel. Andariel developed the Maui ransomware strain and used it against healthcare and government entities. The ransoms collected from the hospitals were then used to fund attacks and data exfiltration against government agencies, military bases, and multiple companies supporting the US military. The State Department is offering a reward of up to $10 million for information locating Rim and others infiltrating US systems. Even with a conviction, it is highly unlikely that Rim will serve any US time, but a conviction can underpin sanctions and other national measures. FierceHealthcare, US District Court indictment, US State Department ‘Rewards for Justice’ release

Walmart gives Humana a crack at reopening in-store clinics. After their well-publicized failure in retail health, Walmart is leasing nearly half of their former Supercenter clinics to Humana’s CenterWell healthcare services operation. By the first half of 2025, 23 of the 51 closed Walmart Health clinics in Florida, Georgia, Missouri, and Texas will convert to CenterWell Senior Primary Care and Conviva Care Centers. The focus will be on coordinated senior care with a staff of board-certified physicians, nurse practitioners, medical assistants, social workers, and other staff. Clinics are planned for Tampa/St Petersburg, Orlando, Jacksonville, Atlanta, Dallas/Fort Worth, and Kansas City. Medicare Advantage plans and Original Medicare will be accepted, though no mention is made of the ‘duals’ who are on both Medicare and Medicaid. Walmart will continue to operate pharmacy and optical locations. The CenterWell/Conviva network at present serves 318,000 seniors in about 300 centers across 15 states. Financial terms of the agreement were not disclosed. In retrospect, they should have done this several years ago. CenterWell release, MedCityNews

Another revival–the Nuro robot vehicle delivery service. Some years back, these driverless cars were envisioned to carry everything from pharmacy deliveries to groceries to prepared food, but the fully autonomous driving software proved unsuitable for crowded urban areas, and neither the retrofitted nor the purpose-designed EVs worked out satisfactorily. Now in another AI-assisted generation with the R3, about 100 retrofitted Toyota Priuses able to go up to 45 mph will be tested in the California Bay Area in Mountain View, Palo Alto, Los Altos, and Menlo Park. Other vehicles to be upgraded to the new software are from Chinese EV manufacturer BYD, which has become famous for exploding cars in its home market. Following California motor vehicle approval, Uber Eats delivery tests are now set for early fall. TechCrunch

Telemental health fundings continue on a roll with Spring Health. Their $100 million Series E has increased their valuation from $2.5 billion to $3.3 billion. This round was led by Generation Investment Management with participation from existing investors, including Kinnevik, William K Warren Foundation, RRE, and Northzone. Their $71 million Series D was in drought-ridden April 2023. Their total funding now is $466.5 million. Spring Health’s concentration is in mental health support and care management as part of employer benefits and for payers, covering 10 million lives through 450 directly contracted employers, strategic payer relationships, and 27,000 groups that access the solution through a channel partner. As noted in Rock Health’s H1 report [TTA 30 July], the competitive telemental health category still leads by far as the most funded clinical category, with about $700 million in raises, over double that of cardiovascular and oncology, and will likely surpass 2023. Release, Mobihealthnews, FierceHealthcare

Weekend news roundup: Teladoc adds to Primary360; Novartis, Medtronic support UK digital cardiac startups; Bluestream adds PrimaryOne Health; NoKo ransomware threatens healthcare; more Fed scrutiny on telehealth Rx, billed time may be coming

Teladoc had some positive news this week with additions to Primary360, its new primary care service for the provider/payer market. It added in-network referrals and care coordination capabilities, free, same-day prescription delivery from Capsule, and in-home, on-demand phlebotomy from Scarlet Health. The release notes that about half of patients fail to pick up their prescriptions. In addition, Priority Health, a nonprofit health benefits company serving Michigan, has added Primary360 to its fully insured virtual first plan design for employers. FierceHealthcare

Some good news from the UK in a time of government upheaval. Novartis is supporting cardiac digital health startups through the Novartis Biome UK Heart Health Catalyst 2022. This investor partnership is to identify and scale innovations for non-invasive lipid testing and at-home blood pressure testing using software as a medical device. Partners in support are Medtronic, RYSE Asset Management, and Chelsea and Westminster Hospital NHS Foundation Trust and its official charity CW+. Successful applicants will receive support from partners during the competition process, the opportunity of investment of up to £3 million provided by RYSE Asset Management (subject to due diligence at RYSE’s discretion), access to the Novartis Biome UK ecosystem located in White City, and opportunities to work with the NHS partners to set up and deliver a pilot evaluation of the winning innovation. Applications must be in by 31 August–form is here. FierceBiotech

Bluestream Health adds PrimaryOne Health. Bluestream provides a white-labeled customized virtual care service that will be integrated into PrimaryOne’s services. This medical group of 11 community healthcare facilities across central Ohio serves 48,000 patients with primary care, OB-GYN, pediatric, vision, dental, behavioral health, nutrition, pharmacy, physical therapy, and specialty care.  Release

North Korea’s Maui Ransomware is no Hawaiian vacation. The threat has built enough since May 2021 for the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) to release a joint Cybersecurity Advisory (CSA) on Thursday warning healthcare and public sector health organizations. It is state-sponsored North Korean malicious cyber activity. The CSA provides a sample of how it executes, what it targets, how it encrypts files, and how to respond. Hackermania, NoKo Style, is Running Wild with breaches piling up [TTA 7 July], and not only in healthcare. Healthcare Dive, Healthcare IT News

And in Dog Bites Man News, a former US assistant district attorney for Massachusetts predicts that Federal entities such as the Department of Justice (DOJ) may not stop with telemental prescribing. They will not only be ramping up their scrutiny of telemental health companies–but also telehealth billing. For Cerebral and Done Health, which facilitate the prescribing of Schedule II drugs, this assumption of scrutiny has become a no-brainer. What it also is: a caution for mainstream telehealth providers such as Teladoc and Amwell charging into psychiatric telehealth. But the former ADA, Miranda Hooker, now a health sciences area partner with Troutman Pepper in Boston, makes a broader prediction. Prosecuted telehealth fraud, as this Editor has noted, has grown in other areas, such as prescriptions for durable medical equipment (DME) billed to Medicare [TTA 6 May] and cardiologists moonlighting as Dr. Mabuse, Master Cybercriminal [TTA 19 May]. But the next frontier may be time-specified telehealth consults billed to Medicare under various CPT codes (e.g. 994XX). A 15-minute consult billed as a more lucrative 30-minute consult can be considered fraud. The Cerebral investigation, according to Hooker, marks a shift by the DOJ into investigating the actual provision of telehealth services and whether they are being billed properly. FierceHealthcare

Dry the tears: WannaCry stymied, North Korean hackers suspected. Is this a poke for a worse attack?

Breaking News This morning’s (Tuesday 16 May) news is that reputable security organizations–Kaspersky Lab and Symantec–are connecting the dots that lead, for now, to a North Korea-linked hacking organization, the Lazarus Group. The link rests on code found in WannaCry that had previously appeared in Lazarus tools; the group has been identified in earlier attacks. US Homeland Security has acknowledged seeing the same similarities, but all are working to gain more information.

Lazarus has previously been identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea’s missiles, army, EMP and nuclear arming while its terrorized people starve. This attack, however, was a flop; according to US Homeland Security, only about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the leaked exploit code that targeted the weakness in Microsoft’s Windows systems.

WannaCry disproportionately affected Russia, Taiwan, Ukraine and India, according to Czech security firm Avast. No US Federal government systems were affected. China reported on Monday that the malware had hit traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK researcher at Kryptos Logic who halted the spread by buying a domain hard-coded in the WannaCry code. How it worked, according to PC World: before doing anything else, the malware tries to connect to that (then unregistered) domain. If the connection fails, it goes on to encrypt and spread; if it succeeds, it exits. By registering the domain and standing up a page for the malware to connect to, he turned that check into a kill switch for every newly infected host that could reach the domain. (Video in Telegraph article) Also FoxNews
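The kill-switch logic described above, as an added Python example for this page (it is not code from PC World, the Telegraph, or WannaCry itself). The malware’s check is modelled with an injected connection function so it runs offline, and a second function sweeps DNS log lines for hosts that looked the domain up. The domain name, the log lines, and the BIND-style log format are constructed placeholders, not the real indicator.

```python
"""Model of the WannaCry kill-switch check and a DNS-log sweep for hosts
that tripped it.  Example code added to this page; the domain and log lines
below are constructed placeholders, not the real WannaCry indicator."""
from typing import Callable, Iterable

# Constructed placeholder standing in for the hard-coded, unregistered domain.
KILL_SWITCH_DOMAIN = "unregistered-killswitch.example"


def malware_would_proceed(domain: str, connect: Callable[[str], bool]) -> bool:
    """Reproduce the control flow PC World describes: the sample tries to
    fetch the hard-coded domain and only continues (encrypting, spreading)
    when the connection FAILS.  A successful connection makes it exit."""
    try:
        reachable = connect(domain)
    except OSError:
        reachable = False
    return not reachable


def sinkhole_factory(registered: set[str]) -> Callable[[str], bool]:
    """Return a fake connection function: a domain 'connects' only if someone
    has registered it, which is what buying the domain achieved."""
    def connect(domain: str) -> bool:
        return domain in registered
    return connect


def proxy_only_connect(domain: str) -> bool:
    """Model a host whose only egress is an HTTP proxy.  The kill-switch check
    made a direct request and ignored proxy settings, so the request fails
    even after the domain is registered."""
    raise OSError("direct egress blocked; proxy required")


# Constructed BIND-style query log lines for the detection sweep.
SAMPLE_DNS_LOG = """\
16-May-2017 09:12:01.113 client 10.20.4.17#53211: query: unregistered-killswitch.example IN A + (10.20.0.5)
16-May-2017 09:12:02.004 client 10.20.4.17#53212: query: updates.example IN A + (10.20.0.5)
16-May-2017 09:13:44.870 client 10.20.9.3#49160: query: unregistered-killswitch.example IN A + (10.20.0.5)
16-May-2017 09:14:10.220 client 10.20.4.17#53240: query: unregistered-killswitch.example IN A + (10.20.0.5)
"""


def hosts_that_tried_kill_switch(log_lines: Iterable[str], domain: str) -> dict[str, int]:
    """Count, per source host, DNS queries for the kill-switch domain.  A host
    that looks it up has already executed the dropper, so the lookup is worth
    an alert whether or not the sinkhole answered."""
    counts: dict[str, int] = {}
    for line in log_lines:
        if f"query: {domain} IN" not in line:
            continue
        # 'client 10.20.4.17#53211:' -> '10.20.4.17'
        client = line.split("client ", 1)[1].split("#", 1)[0]
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    before = malware_would_proceed(KILL_SWITCH_DOMAIN, sinkhole_factory(set()))
    after = malware_would_proceed(KILL_SWITCH_DOMAIN, sinkhole_factory({KILL_SWITCH_DOMAIN}))
    behind_proxy = malware_would_proceed(KILL_SWITCH_DOMAIN, proxy_only_connect)
    print(f"unregistered: proceeds={before}; sinkholed: proceeds={after}; "
          f"proxy-only host: proceeds={behind_proxy}")
    print(hosts_that_tried_kill_switch(SAMPLE_DNS_LOG.splitlines(), KILL_SWITCH_DOMAIN))
```

Two practitioner points follow from the model. First, the sinkhole only protects hosts that can reach the domain directly: the real check did not honour proxy settings, so machines on proxy-only corporate networks were encrypted regardless, which is why patching rather than the kill switch was the fix. Second, the domain is a detection signal, not something to block: a DNS query for it means the dropper already ran on that host, and blocking the lookup at the resolver would make the check fail and trigger the encryption the kill switch prevents.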

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level, with vulnerable systems and administrators not updating their software and OS (Microsoft had shipped the patch for the Windows SMB flaw WannaCry exploits two months before the outbreak). George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that leaked the stolen NSA tools, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here