TTA’s Where Did Spring Go?: Meta Pixel captures personal health info, sending to Facebook; Oracle’s remaking of Cerner; Balwani’s Theranos trial nears verdict; data breaches skyrocket, more!

 

 

Weekly Update

Probably the most important and developing story of today is the misuse of Meta Pixel ad tracking code, its capture of personal health information from major health system sites, and sending it straight to Facebook. A corollary story is the sharp rise of health data breaches, now in the millions. Telemental Cerebral’s legal miseries pile up, Sunny Balwani of Theranos awaits legal verdict, and successful fundings a bit thin on ground. And will there even be a Cerner left after Oracle’s through with it? (The skepticism around tech fixes to Big Health Problems continues.)

Breaking: Hospitals sending sensitive patient information to Facebook through website ‘Meta Pixel’ ad tracker–study (Next week’s Big Story)
Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up (Hackermania continues to run wild)
Wednesday news roundup: Oracle scrutinizing outside vendors, cloud change coming for Cerner EHRs, audio-only telehealth can continue after PHE–HHS, Proximie connected surgery raises $80M (UK) (Will there even be a Cerner left?)
Oracle’s Big Healthcare Transformation: it’s all about ‘better information’ (sigh) (updated) (A misguided trust in tech fixes?)

Oracle’s close on their Cerner buy led the news, with the usual claims that the combined companies will ‘redefine the future of healthcare.’ For those who’ve heard that song before, the business of healthcare continues, with Apple, Amwell, Connected Health (UK), a metabolic tracker out of India, and the biggest US data breach of the year so far. Cigna tracks why loneliness is peaking, while the less lonely join class-action lawsuits against Teladoc. And considering SPACs to go public the easy way? Fuggedaboutit!

Weekend review: FDA clears Apple Watch ‘AFib History’, OS9 adds health features; Amwell’s new CMO; 2M records breached at New England provider, largest this year (Apple reinforces Watch for health)
Remote health monitoring a winning strategy…for sports? (Metabolic tracking is the angle)
Thursday news roundup: dimming SPACs, hospital-at-home pilots in DFW, Connected Health debuts bespoke home care services configurator in NIR (The decline in SPAC ‘funny money’)
A sneak peek at Oracle’s plans for healthcare prior to 9 June’s ‘The Future of Healthcare’ live (Without listening to Tony Blair! And nary a mention of DOD and VA.)
Wednesday AM roundup all about money: $28B Oracle-Cerner closes today, 9 June strategy talk; Teladoc class-action lawsuits begin; Cigna’s look at loneliness (Money and the loss of)

Last weekend was Britain’s Platinum Jubilee Weekend, which made the bank holiday very special indeed. And from the US, much respect. A potpourri of news including the likely closing of Oracle’s Cerner buy (it will, on 8 June) and the Homeward Bound second act of several Livongo veterans.

God Save The Queen on her unprecedented 70 years of service!

Thursday news roundup: bet on Oracle-Cerner closing next week, VA EHR progress reports mandated, Homeward-RiteAid rural care, Medtronic-DaVita kidney JV, Withings reenters RPM, Lightbeam buys Jvion AI (Potpourri of activity)
CVS, Walmart refuse Cerebral, Done Health controlled substance prescriptions via telehealth; Cerebral CEO replaced (Trouble in telementalhealth-land)

A little bit of everything as we arrive at the unofficial start of summer. Walmart expands its drone delivery, AWS gains a big one in the Healthcare Cloud Wars, and Verizon publishes its latest roundup on IT breaches. Oracle-Cerner moves a little closer to full international approval. There’s an Aging2.0 challenge, a substantial RPM raise, and NY seniors get robots. And to white coat or not on a telehealth consult.

Thursday’s short takes: Walmart’s delivery drones expand, AWS lands Geisinger for AI and cloud, UHG-Kaia Health partner for virtual MSK therapy (Droning on and the Cloud Wars accelerate)
ElliQ companion robot, NYSOFA partner for NY older adult assistance (Will they like it?)
Wednesday news roundup: Oracle-Cerner reportedly OK’d by EU, VitalTech RPM raises $14.1 M, Aging 2.0 interoperability challenge, what do rough times mean for investors and startups, employees cause 39% of healthcare IT breaches (Breaches multiply, and Lisa Suennen’s take on what to expect from the current financial craziness)
To white coat, or not to white coat? That is the telehealth doctor question. (A short, refreshing read through the history of the medical white coat)

Our strange May continues with a lot of legal activity, including the tale of one doctor who side gigged as Dr. Mabuse, Master Cybercriminal. Telehealth continues a wobbly path, with claims down along with Amwell’s performance. And Cerner has more problems, this time with DOD and VA. But a new Perspective gives us hope that the UK can save more than £14 bn through TEC–and there’s always self-driving cars for med delivery!  

Thursday legal news roundup: Oscar Health accused of IPO securities fraud; Venezuelan cardiologist moonlights as cybercriminal, faces slammer; Change Healthcare sues former employee now at Olive AI (When lawsuit news outstrips M&A, it’s not good)
Cerner EHR implementation with both DOD and VA running into interoperability, other problems: Federal audit (More process problems being sorted out in public)
Perspectives: Where next for technology-enabled care after 2025? (Is £14bn in savings over the next 10 years an underestimate?)
News roundup: telehealth claims drop 9% in February; Amwell’s good news, bad news Q1; tech-enabled practice Crossover Health growing; NowRx and Hyundai test semi-self-driving delivery (One hopes those Hyundai Ionics drive better than telehealth’s performing)

May’s ups and downs, with the stock market drowning out healthcare. Cerebral confirmed their Federal investigation for prescribing practices, putting a bucket of cold water on this hot sector. But good news pokes its head out, with a Johns Hopkins study that telehealth is benefiting the underserved and urban, not just the affluent and young. More good news with a telecare pioneer receiving the top award for UK enterprise.

Alertacall receives Queen’s Award For Enterprise: Innovation (An outstanding recognition for a telecare pioneer in this Platinum Jubilee Year)
CMS telehealth pandemic waivers boosted usage among disadvantaged, urban patients (Tide lifting all boats, and that’s good)
DOJ investigates telemental Cerebral on over-prescribing of controlled medications (A flashing warning sign for investors)


Have a job to fill? Seeking a position? See jobs listed with our new job search partner Jooble in the right sidebar!


Read Telehealth and Telecare Aware: https://telecareaware.com/  @telecareaware

Follow our pages on LinkedIn and on Facebook

We thank our present and past advertisers and supporters: Legrand/Tynetec, Eldercare, UK Telehealthcare, NYeC, PCHAlliance, ATA, The King’s Fund, DHACA, HIMSS, Health 2.0 NYC, MedStartr, Parks Associates, and HealthIMPACT.

Reach international leaders in health tech by advertising your company or event/conference in TTA–contact Donna for more information on how we help and who we reach. 


Telehealth & Telecare Aware: covering the news on latest developments in telecare, telehealth, telemedicine, and health tech, worldwide–thoughtfully and from the view of fellow professionals

Thanks for asking for update emails. Please tell your colleagues about this news service and, if you have relevant information to share with the rest of the world, please let me know.

Donna Cusano, Editor In Chief
donna.cusano@telecareaware.com

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Thursday news roundup: FTC now investigating Cerebral, Balwani’s Theranos trial rests at last, Proscia pathology AI $37M Series C, health data breaches pile up

Telemental health Cerebral’s miseries pile on. The Federal Trade Commission (FTC) is now investigating Cerebral on deceptive advertising and marketing practices. The Wall Street Journal (may be paywalled) reviewed the 1 June letter sent to the company. The letter requests the usual preservation of documents and asks ‘dozens of questions’ related to their business. Of particular interest to the FTC is the ‘negative option’ practice that continues the subscription fee unless the subscriber takes positive action to cancel it. Subscribers have complained that Cerebral did not cancel their subscriptions after repeated attempts to do so and did not refund their money. Reuters, FierceHealthcare

Also of interest to the FTC will be the dodgy advertising claims about ADHD and obesity which ran on TikTok and Instagram [TTA 10 May]. The WSJ reported that their ad spend topped $65 million for this year–$13 million on TikTok alone from January to May this year, making Cerebral the third-largest advertiser behind HBO and Amazon, according to research firm Pathmatics.

The FTC action follows the Department of Justice (DOJ) investigation of their prescribing of controlled (Schedule 2, high potential for abuse) substances such as Adderall and Xanax, CVS and Walmart refusing their prescriptions, the unceremonious booting of the CEO and co-founder, and a wrongful dismissal lawsuit by a former VP of product and engineering, Matthew Truebe. Certainly, its investors led by SoftBank, which raised $300 million in December less than six months after a raise of $127 million, are unhappy at watching their $4.8 billion baby crash and burn.

The second “rerun” Theranos trial of Sunny Balwani rests. This much-muted trial is winding towards its close. Receiving much less breathless and near-sensational coverage than Elizabeth Holmes’, Theranos president Balwani was tried in the same San Jose Federal district court, with the same prosecutor (Robert Leach), just about the same charges (12 counts of wire fraud), and Judge Davila presiding. Holmes was convicted and her sentencing is scheduled for September.

The prosecution rested on 20 May and the defense on 9 June. The trial took some delays due to at least two jurors falling ill from Covid. The defense strategy rested on Holmes’ founding and operating the company without Balwani for a few years and that he never sold his shares, making him as victimized as any ordinary investor. The prosecution is relying on how close Holmes and Balwani were, that he had great power at Theranos–and used it, plus in his position was well aware of the problems with the lab machines and deliberately sought to defraud investors by covering it up. Unsurprisingly, Holmes did not testify at his trial, although she was a looming presence at his as he was somewhat at hers, especially in her testimony about their relationship. Closing arguments took place on Tuesday (14 June) and the jury will be charged after their conclusion. NBC Bay Area, New York Post, Wall Street Journal

Happier news comes from Proscia, a pathology software company, funding a $37 million Series C. Highline Capital Management, Triangle Peak Partners, and Alpha Intelligence Capital led the round along with participation from five earlier investors. Their total funding is up to $72 million. Their AI-enabled Concentriq platform combines “enterprise scalability with a broad portfolio of AI applications to accelerate breakthroughs and unlock clinical insights that advance precision medicine.” Clients include 10 of the top 20 pharmaceutical companies as well as the Joint Pathology Center, Proscia release, Becker’s 

Adding to the tally of healthcare data breaches are several this week. The year-to-date winner, of course, are the 2 million at Shields Health Care Group in Massachusetts [TTA 10 June], but this week, reports have been breaking out like late spring roses:

  •  A clinical guidance software vendor’s breach reported 10 June has exposed the protected health information (PHI) of patients at Omaha, Nebraska-based CHI Health and Sioux Falls, South Dakota based Avera Health. Avera has about 900 exposed patients, but the number at CHI is not yet known. MCG Health is the vendor. Becker’s
  • Yuma (Ariz.) Regional Medical Center reported an April ransomware attack that while short in duration, exposed PHI of 700,000 patients. An unauthorized user removed files from the hospital’s system that included patient health information such as names, social security numbers, health insurance information, and limited medical information relating to care. The hospital went offline until it was resolved, including reporting to law enforcement. Becker’s, Healthcare Dive
  • UChicago Medicine had its employee accounts hacked in March by an unauthorized user. It exposed about 2,500 patient records that included patient first and last names, social security numbers, health information, legacy Medicare beneficiary identification numbers, health insurance policy numbers, and driver’s license numbers. Becker’s
  • And Kaiser Foundation Health Plan of Washington had about 70,000 patient PHIs exposed on 5 April when an unauthorized user gained access to one employee’s emails with information on patient first and last names, dates of service, laboratory test information, and medical record numbers.

Short, but certainly not sweet, and expensive.

Thursday legal news roundup: Oscar Health accused of IPO securities fraud; Venezuelan cardiologist moonlights as cybercriminal, faces slammer; Change Healthcare sues former employee now at Olive AI

To use a cliché, what a difference a year makes. In March 2021, insurtech Oscar Health successfully raised $1,4 billion in its IPO with shares at $39. Heady times didn’t last long, with shares tumbling to $5.67 as of this writing. Now the shareholder lawsuits have begun, with the complaint stating that negative effects of COVID-19 on Oscar’s business were not disclosed, specifically the growing cost of the pandemic on testing and treatment costs they would cover, and “Oscar would be negatively impacted by an unfavorable prior year Risk Adjustment Data Validation (RADV) result relating to 2019 and 2020 [and] that Oscar was on track to be negatively impacted by significant SEP membership growth”. The lack of forward-looking disclosure at an IPO is a violation of the Securities Act. The initial lawsuit has been filed in the US District Court for the Southern District Court of New York by shareholder Lorin Carpenter. Multiple law firms have invited shareholders to join in the suit — example from PR Newswire. Also named in the suit are Oscar Health co-founders CEO Mario Schlosser and Vice Chairman Joshua Kushner, plus several investment banks.

Oscar started the year with a Q1 loss of $0.36 per share versus an estimate of a loss of $0.40, but this is less than half of last year’s loss of $0.98 per share. They are also exiting the Arkansas and Colorado markets in 2023. Healthcare Dive

Cardiologist, master cybercriminal, a new Dr. Mabuse? Accused of the creation, use, and sale of ransomware is one Venezuelan doctor and practicing cardiologist, Moises Luis Zagala Gonzalez, a dual citizen of Venezuela and France. The charges by the Department of Justice (DOJ) in the Eastern District of New York also detail his “extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.” SaaS can’t hold a candle to the RaaS–ransomware-as-a-service–operation he created to sell what he dubbed ‘Thanos,’ allegedly named after a fictional cartoon villain responsible for destroying half of all life in the universe. Turns out that Iranian state-sponsored hackers and fellow ransomware designers really liked it too. If convicted, he faces 10 years in Club Fed–five years for attempted computer intrusion, and five years for conspiracy to commit computer intrusions. Designing criminal software really does test the limits of moonlighting. DOJ release, TechCrunch

Change Healthcare sues former employee at competitor Olive AI. While their merger with UnitedHealthcare is tied up in the US District Court in DC [TTA 23 Mar], Change Healthcare is not letting any courtroom grass grow under their feet. They are suing a former employee, Michael Feeney, with violating the non-compete clauses of his employment contract. The suit was filed in Tennessee Chancery Court, its HQ state. Mr. Feeney has countersued in his state of residence, stating that the non-compete violates Massachusetts law. He was VP, strategy and operations at Change handling physician revenue cycle management. At Olive AI, he is currently SVP, provider market operations. Information is a bit scarce on this and the free article this Editor has found reads machine-translated. If you have access to the Nashville Post or Modern Healthcare it’s probably more decipherable.

As to the lawsuit affecting non-competes due to the tight labor market–don’t count on it. It’s a conflict between the state the company is in enforcing non-competes, versus a state which restricts (or negates) them that is the former employee’s state of residence and work. What wins out will be the interesting part and affect many of us in the US.

Predictions, predictions for telehealth, digital health, and all those cybersecurity risks

crystal-ballJanuary is the month for predicting what’s ahead, and while this Editor has no pretensions to be Sibyl the Soothsayer despite the picture, let’s look at what others see in their cloudy crystal balls.

Frank McGillin, CEO of The Clinic by Cleveland Clinic, works intensively with telehealth in this joint venture between Cleveland Clinic and Amwell. His prediction: telehealth will evolve towards concierge care, as providers reduce “platform sprawl”, coordinate the virtual care experience, and provide multidisciplinary virtual care.

  • Telehealth is now “a permanent mode of access”, though the pandemic created “platform sprawl” as providers reached for any and all modes and providers which could be implemented quickly
  • Healthcare providers and plans now have to scale back and reconcile all this to “design a digital trajectory with intention”
  • This means developing a personalized approach to telehealth delivery and to provide a seamless, highly coordinated care experience
  • Their approach is to focus on multidisciplinary virtual visits and case analysis for patients with complex conditions, such as their Virtual Second Opinions program for conditions such as brain tumors and prostate cancer.
  • Virtual multidisciplinary support reduces the risk of suboptimal treatment plans and can eliminate long travel times and exposure to COVID-19 for vulnerable patients. For payers and employers, this can add up to better outcomes and reduced cost of care.
  • “Intelligent” remote monitoring also removes another layer of risk in providing the right care at the right time
  • Continuation of relaxed interstate licensure requirements are needed to provide fast access to medical experts, particularly for primary care providers.

Interview with Healthcare IT News 

Healthcare Dive has been running a series on industry trends, and this installment focuses on digital health.

  • Healthcare will become more predictive and proactive, with insights fed by connected devices and analytics (commonly lumped under AI) that enable organizations to collect, analyze, and act on massive amounts of data.
  • But algorithms don’t have judgment and data can have bias, leading to poor decisions, such as the distribution of vaccines. Expect more oversight from the Federal level down on AI research and policymaking, 
  • Virtual care will continue to grow in virtual diagnostics, patient-reported outcomes applications, and digital homecare platforms
  • Telehealth and digital health is integrating into the traditional delivery and payment model–partnerships with health systems, payers, and employers.
  • Virtual care access is booming in niche areas such as women’s health, hospital at home, and mental health, with investment dollars flowing in. Telemental health is moving into consolidation.
  • Cybersecurity will become more of a focal point for healthcare companies in 2021, with hackers finding their way into all these contact tracing apps designed in a hurry, plus digital health systems, many of which are poorly protected. Targeted attacks have skyrocketed.

And speaking of cybersecurity, over at HealthITSecurity, they rounded up the experts to opine on All Those Security Risks that fast implementation of telehealth and moving devices out of the hospital walled garden have created. Remote patient management is now an asset, no longer a ‘nice to have’, for providers, setting up a situation where patients are increasingly both the beneficiaries of more convenient health delivery and victims of security breaches and ransomware.

  • ‘Out of hospital’ care means that data is being transmitted between multiple points. Network security isn’t guaranteed. So attacks can originate at the weak points–either the home or hospital environment.
  • The fast implementation of telehealth during the pandemic meant not only did systems not work together well, it also meant multiple points of vulnerability
  • Over 80% of surveyed healthcare providers globally harbor concerns about data security and privacy (Kaspersky/Arlington Research). And a shocking 70% admitted that their practice used outdated legacy operating systems, exposing them to security vulnerabilities.
  • “A culture of security” means maintaining endpoint security and BYOD policies across the organization’s network, identity management and zero trust tactics, and yes, security consciousness on patients’ parts.
  • Patients should not be responsible for security, providers partly, which leaves the responsibility with the vendor. But healthcare organizations are responsible for evaluating their vendors, and how they are interacting with and storing their data.  

Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reported that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices, continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

News roundup: Hacks, ransomware of medical records, security cameras spike; Withings launches new mobile-direct devices; Bluestream Health adds Leon Medical (FL) to telehealth

In recent weeks, hackermania has been romping in healthcare. A compilation of incidents revealed just in the past few weeks have affected hundreds of thousands of patients, employees, and providers:

  • Security cameras produced by Verkada, Inc. were hacked across the US, including at Tesla. Healthcare organizations affected by the hack were Daytona Beach, Fla.-based Halifax Health, where the video showed “what appeared to be eight staffers tackling a man and pinning him to a bed.” Texarkana, Texas-based Wadley Regional Medical Center and Tempe (Ariz.) St. Luke’s Hospital were also hacked. The means in was described by one of the hackers (appropriately female for this month) as through a “super admin” account where the username and password appeared online. Becker’s Health IT 10 March, Bloomberg News
  • 210,000 MultiCare patients, providers, and employees of Tacoma, Wash.-based MultiCare had personal information exposed in a December ransomware attack on their medical practice management company’s IT services vendor. Becker’s Health IT 9 March
  • A clinic in North Carolina had a six-day ransomware attack starting 23 February. Hackers demanded a $1.75 million payment in exchange for giving back the clinic access to its data. The clinic came back online 1 March but did not disclose any payment. Becker’s Health IT 5 March
  • NBC News revealed that hackers stole employee files from Gallup, New Mexico-based Rehoboth McKinley Christian Health Care Services after a ransomware attack on its computer network in February. Those employee files were posted online; information included employee job applications and background check authorizations with Social Security numbers. Earlier attacks by the same hacker group included Leon Medical Centers of Miami-Dade Florida (see following) and Nocona (Texas) General Hospital resulted in the online publishing of tens of thousands of patient records. Becker’s Health IT 4 March
  • Hackers attacked biochemical machines used to prepare samples in Oxford University’s Division of Structural Biology. Forbes received the information from Hold Security chief technology officer Alex Holden, who provided screenshots of the hackers’ access to Oxford University systems, and notified the university.
  • The cutely-named DopplePaymer attacked a county government office in Chatham County, North Carolina, and stole residents’ PHI and PII between November 2020 and this past January. Becker’s 10 Feb 
  • And on the ‘Someone Got Fired For This One’ list is the response to hacking at Boise, Idaho’s Saint Alphonsus Health System. The health system had a data breach in January. Patients were routinely notified. However, the mail merge, not the hack, created an incorrect status for some patients, sending them letters as if they were deceased or a minor. Becker’s Health IT 10 March

It’s cold comfort when the US Department of Justice announces that they are indicting three North Korean hackers who inflicted the WannaCry malware and $1.3 bn in extortion damage on the world back in 2018. All three were members of North Korea’s intelligence agency, the Reconnaissance General Bureau (RGB). The likelihood of their extradition is one word: none.

And in other news….

Withings unveils new professional devices. The Body Pro smart scale and BPM Connect Pro, distributed to doctors, out of the box will transmit health data directly from patient to doctor. Neither require Wi-Fi nor a mobile phone, since they have embedded SIM cellular cards to directly connect to a mobile network. They are both sold through Withings’ professional division. FierceHealthcare

Telehealth provider Bluestream Health has added Leon Medical Centers, a seven-location Miami-Dade FL provider. Bluestream Health provides whitelabeled secure telehealth services that combine with medical workflows to approximately 50,000 providers in 500 facilities. Release.

Weekend reading: HISTalk’s interview with Spirion’s CEO on healthcare data security

A short but must-read if you care about data security and your customers/patients/residents. Where this HISTalk interview with Kevin Coppins, CEO of Spirion, excels is leading the reader through areas that are usually filled with fog and IT jargon. The view is from his company and a healthcare organization sitting in a conference room and scoping the problem without ‘paralysis by analysis’ or a turnkey ‘solution’ that may not be one. What’s different here is the clear, and few, logic steps, particularly the first three listed, that Mr. Coppins takes to get the ball rolling rather than befogging the discussion with too many factors or the punitive consequences of regulatory non-compliance.

“The concept of data and sensitive data is at the core of both security and privacy.”

  1. How much data do you have? (Nobody really knows, admit it)
  2. Of that data, what would you consider ‘sensitive’, and how do you define ‘sensitive’? Not only by regulation/compliance directives, but what your patients, clients and the board would consider ‘sensitive’.
  3. How much of that data is actually critical? 
  4. What’s the impact? How personal is it to your organization, not just in a compliance way but in your community, etc.
  5. How do I reduce the risk of loss?
  6. If I lost the data due to hacking or ransomware, what’s the backup? How fast can this happen?

This Editor notes that these points (quantity, definition, risk of loss and recovery, and community impact) can be applied to other situation analyses.

The litany of ransomware attacks that have ramped up during the pandemic waves has pushed data security issues to the ‘gotta tackle’ list. According to Emsisoft, a security company, there were 41 attacks on healthcare organizations in first half 2020. This didn’t stop during the summer, with a rash of them at end of October and a hit list of 400 hospitals, according to Becker’s.) Hacking attacks persist but aren’t getting the headlines.

And his conclusion is pertinent: “When it comes to security and privacy and all the drama and all the noise that you hear about it and read about it, just boil it down to this — am I doing everything I can today to protect what matters most to the constituents I serve?”

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and return data they obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were year-over-year flat (290), but the number of records affected in 2018 nearly tripled from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft is down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk.  “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and it was found as quickly as it was by a British security specialist with the handle Malware Tech. 

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even head of IT audit and security services at West Midlands Ambulance Service NHS Trust and a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, initial passwords not changed in EHRs. Add to firewalls, prevention measures, emphasizing compliance and best practices, security cyber-resilience–more than a recovery plan, planning to keep operations running with warm backups ready to go, contingency plans, a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased over the 2015-2017 period by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containment of healthcare device loss and theft through education and enforcement of employee practices. What continues is the major cause of breaches continue to be insider-related via error and wrongdoing; this includes the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

Petya/NotPetya compared to an armed attack by a ‘state actor’ by NATO, Ukraine

Aux armes, citoyens? Hold that Article 5. This US holiday weekend has been light on Petya news, but it seems that NATO has roused itself into the cyberdefense arena as a military arena for them, based on NATO Secretary General Jens Stoltenberg’s statement on Article 5’s collective defense, and a Friday brief that declared:

The global outbreak of NotPetya malware on 27 June 2017 hitting multiple organisations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor, concluded a group of NATO CCD COE researchers Bernhards Blumbergs, Tomáš Minárik, LTC Kris van der Meij and Lauri Lindström. Analysis of both recent large-scale campaigns WannaCry and NotPetya raises questions about possible response options of affected states and the international community.

and

Nevertheless, NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state. Other options are unlikely. The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation.

NATO’s Secretary General reaffirmed on 28 June that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty and responses might be with military means. However, there are no reports of such effects, so according to Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, self-defence or collective defence of victim states are not available options.

Well, the cyber-tanks are not rolling as of yet. The brief notes three interesting factors: low estimated deployment cost ($100,000) means that a non-state or criminal actor could have developed it, but the lack of ransom counterbalances that; the kill switch was a simple one that could be used to limit spread; and it was targeted to spread via internal networks versus the wide spread of the internet.

The brief’s options for international response seem contradictory and incomplete to this Editor. 

The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks. This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation.

Ukraine’s speculation (of course) is that it’s Russia, though Russian organizations were also hacked. This is of a piece with earlier Russian attempts to disrupt, and Ukrainian spokesmen pointed out, as did NATO, that Petya was easy to limit if you knew how. ZDNet

And now Australia is going on the offensive. The Australian Signals Directorate (ASD) has been authorized to “disrupt, degrade, deny, and deter” bad cyber actors, placing a national emphasis on cybersecurity for “the mums and dads, the small businesses, large businesses, government departments and agencies” according to Dan Tehan, Australian Minister Assisting the Prime Minister for Cyber Security (whew!). Can we include healthcare? Leading the way! ZDNet

Petya no pet as it spreads: is it ransomware or a vicious design for data destruction? (updated)

Breaking–The ‘more and worse’ experts predicted after WannaCry is here.  In two days, the Petya or PetyaWrap (or NotPetya) ransomware has spread from Ukraine to affect organizations in 64 countries with 2,000+ attacks involving 12,000+ machines. On the hit list are mostly Eastern European and trans-national companies: Maersk shipping, Merck, Nuance cloud services, WPP advertising, Mars and Mondelez foods, Rosneft (Russia’s largest oil producer), Chernobyl, unnamed Norwegian firms, Beiersdorf and Reckitt Benckiser in India, Cadbury and law firm DLA Piper in Australia. One local US healthcare provider affected in a near-total shutdown of their computer systems, and resorting to backups, is Heritage Valley Health System in western Pennsylvania. There are no reports to this hour that the NHS, major US, Asia-Pacific, or European health systems being affected. Update: Trading in FedEx shares were halted 29 June due to the Petya attack on its TNT Express international division. Update 30 June: The Princeton Community Hospital in rural West Virginia is running on paper records as Petya forced a complete replacement of its EHR and computer hardware. Fox Business

Like WannaCry, the ransomware exploited the EternalBlue backdoor; a report from ArsTechnica UK adds an exploit touchingly dubbed EternalRomance. But unlike WannaCry, according to ZDNet, both “Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.” ArsTechnica goes deeper into methodology. Petya uses a hacking tool called MimiKatz to extract passwords and then uses legitimate Microsoft utilities and components to spread it. (Ed. note: if you have time for only one technical article, read ArsTechnica’s as the latest and most detailed.)

The Microsoft patch–and Microsoft has just issued an update for Win10, which this Editor heartily recommends you download and install–while defending against WannaCry, still isn’t preventing the spread. It’s speedier than WannaCry, and that says a great deal. Its aim appears not to be ransom, but data destruction. Updated: this POV is confirmed in today’s ZDNet article confirming that Comae Technologies and Kaspersky Lab strongly believe that Petya is a ‘wiper’ designed to destroy data by forever blocking it on your hard drive.

Another article in ZDNet (Danny Palmer) attempts to isolate why hackers remain one step ahead of us:

Law enforcement agencies and cybersecurity firms across the world are investigating the attack – and researchers have offered a temporary method of ‘vaccinating’ against it** – but how has this happened again, just six weeks on from a previous global ransomware outbreak?

One reason this new form of Petya is proving so effective is due to improved worm capabilities, allowing it to spread across infected networks, meaning that only one unpatched machine on a whole network needs to become infected in order for the whole operation to come crashing down.

Not only that, but cybersecurity researchers at Microsoft say the ransomware has multiple ‘lateral movement’ techniques, using file-shares to transfer the malware across the network, using legitimate functions to execute the payload and it even has trojan-like abilities to steal credentials.

**  The inclusion of this link in the quote does not imply any recommendation by TTA, this Editor, or testing of said fix.

What you can do right now is to ensure every computer, every system, you own or are responsible for is fully updated with Microsoft and security patches. If you’re in an enterprise, consult your security provider. Run backups. Remind employees to not click on links in suspicious messages or odd links even from known senders–and report them immediately. Based on reports, phishing emails and watering hole attacks are the main vectors of spread, like WannaCry. (A suggestion from this Editor–limit web search to reputable sites, and don’t click on those advert links which are buggy anyway!) Be judicious on updates for your software except by Microsoft and your security provider; there is growing but still being debated evidence that the initial Ukrainian spread was through a hacked update on a popular tax accounting software, MeDoc. More on this in ZDNet’s 6 Quick Facts. Another suggestion from Wired: run two anti-virus programs on every computer you have, one free and one paid.

And no matter what you do–don’t pay the ransom! The email provider within hours blocked the email so that the payment cannot go through. Updates to come. More reading from Bleeping ComputerHealthcare IT News, CNBC, HIStalk, US-CERT, Fortune, Guardian,

Updated 15 May: 20% of NHS organizations hit by WannaCry, spread halted, hackers hunted

Updated 15 May: According to the Independent, 1 of 5 or 20 percent of NHS trusts, or ‘dozens’, have been hit by the WannaCry malware, with six still down 24 hours later. NHS is not referring to numbers, but here is their updated bulletin and if you are an NHS organization, yesterday’s guidance is a mandatory read. If you have been following this, over the weekend a British specialist known by his/her handle MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware as designed into the program, with the help of Proofpoint’s Darien Huss.

It looks as if the Pac-Man march is over. Over the weekend, a British specialist known as MalwareTech, tweeting as @malwaretechblog, registered a nonsensical domain name which he found was the stop button for the malware, with the help of Proofpoint’s Darien Huss. It was a kill switch designed into the program. The Guardian tagged as MalwareTech a “22-year-old from southwest England who works for Kryptos logic, an LA-based threat intelligence company.”

Political fallout: The Home Secretary Amber Rudd is being scored for an apparent cluelessness and ‘wild complacency’ over cybersecurity. There are no reported statements from Health Secretary Jeremy Hunt. From the Independent: “Patrick French, a consultant physician and chairman of the Holborn and St Pancras Constituency Labour Party in London, tweeted: “Amber Rudd is wildly complacent and there’s silence from Jeremy Hunt. Perhaps an NHS with no money can’t prioritise cyber security!” Pass the Panadol!

Previously: NHS Digital on its website reported (12 May) that 16 NHS organizations have been hacked and attacked by ransomware. Preliminary investigation indicates that it is Wanna Decryptor a/k/a WannaCry. In its statement, ‘NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.’ Healthcare IT News

According to cybersecurity site Krebs on Security, (more…)

Hackermania meets The Dark Overlord with 2.3 million 2017 health data breaches

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]It’s a cage match! Reports are soaring, with a proliferation of data breaches year to date, after a relatively quiet period in 2016.

The Dark Overlord (TDO), in the mainstream news with dumping unseen Netflix program episodes on illegal file-sharing sites and demanding ransom (Guardian), also has been hard at work dumping PHI hacked from various clinics. DataBreaches.net tallied it at 180,000 records from at least nine medical clinics.

Health data security developer/provider Protenus, whose Breach Barometer tracks the numbers, counted 2.1 million breaches in 1st Quarter. March spiked with 700,000 coming from Commonwealth Health Corporation of Kentucky.

Our standby Privacy Rights Clearinghouse counted over 175,000 to date, but 160,000 came from MedCenter Health in Protenus’ total, so their net addition was 15,000. But PRC’s detail illustrates that ransomware is alive, well, and invading smaller healthcare organizations. Other reasons are unauthorized data server access, third-party vendors, email error, and theft.

16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2017/03/Accenture-Health-2017-Consumer-Survey.jpg” thumb_width=”150″ /]Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release  PDF of the US Digital Trust Report

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported, (more…)