Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reporting that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and keep at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices: a continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ default passwords. It’s hard to believe that Dive is writing about this, as it’s been an issue this Editor’s written about since (drumroll) 2013, when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015, with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

Do startups truly threaten the ‘healthcare establishment’?

Or are successful startups fitting into their game? Chris Seper in MedCityNews paints the picture of one side of a quandary. The ‘healthcare establishment’ fundamentally and to its detriment does not understand and is threatened by the startup and innovation process. A startup may begin with an idea which is, in his words, ‘almost always flawed, sometimes deeply’. If the founders are smart, they will test their ideas, validate them and change them appropriately. If not, they will fail. But it is easier for the Establishment to point at the most egregious of the bad ideas and use them to rationalize the status quo.

But being congenital contrarians, we paint the house on the other side of the street. Has the Establishment caught up with–or in some cases, co-opted startups, making them and their funders ‘do their diligence’ and be more cautious before emerging? This Editor would argue yes, and largely for the better.

**The ‘Wild West’ days are over.** A few years ago, a truly bad or deeply flawed health tech idea could easily find funding, because it was all blank slate, new and ‘transformative’. The sexiest hooks were Quantified Self, sleep, employer health incentives, interactive coaching, genomics, app prescribing and (last) wearables. A lot of founders imagined themselves as the Steve Jobs of Healthcare, down to the black turtleneck. Now there is a history of success and failure. The railroads reached the dusty frontier towns.

**There’s now a ‘Startup Establishment’.** National accelerators (more…)

Wearable technology – so much choice, so much data to sell?

Vandrico has recently updated its List of Wearable Devices which now features (at the time of this post) 118 such items, plus some interesting analysis. It is indeed a most comprehensive and impressive listing, one that underlines the growing importance of this sector. And still there are others, such as Apple, apparently yet to join.

One aspect not mentioned by Vandrico, which is becoming increasingly concerning, is the extent to which the business models of such apps might involve selling personal fitness data. In spite of denials, this Mother Jones article suggests that worries persist. iMedicalApps reports that the practice is already well established with medical apps used by physicians in the US (more…)

The sea of security ‘red flags’ that is Healthcare.gov

It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Confirmed by experts to the more-than-mainstream Christian Science Monitor are the layers of insecurity completely feasible on the current Healthcare.gov website–and the 14 state (plus DC) websites feeding into the Federal health insurance exchange and up into the mysterious hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards but these are no guarantee–and the state sites are not required to. ‘Red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery
  • ‘Clickjacking’–an invisible layer over the legitimate website
  • Cookie theft, and not by the Cookie Monster
  • Problematic verification from state to Federal, from legitimate third-party assistance, from brokers and so on
  • Log-in fraud–the happy hunting ground of hackers and DDoS attacks

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding, in the less-than-a-month window till the crash time deadline in mid-November and then early January. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.

Health IT security gets a boost in Texas

Unlike the rampant data insecurity present in the state health insurance exchanges and the Federal HealthCare.gov, Texas is moving forward to secure data from providers within the state. The Texas Health Services Authority and the Health Information Trust Alliance (HITRUST) are developing and managing the Texas Covered Entity Privacy and Security Certification Program. Organizations must assess their compliance with privacy and security regulations, and if they pass will receive a certification recommendation from HITRUST. According to iHealthBeat, quoting a VP there, how this is implemented will have repercussions far beyond the state. A major goal, according to Health Data Management, is to reduce data breaches, for which fines levied in Texas alone run between $5,000 and $1.5 million–not including HHS. Also Modern Healthcare, HITRUST process page.

Apps World

22-23 October 2013, Earls Court 2, London

While this event is all about the apps and M2M in every area, the organizers are reaching out to the health tech area in both the exhibition and with speakers such as Subir Mondal, Deputy Director IS, NHS – Royal Free London NHS Foundation Trust, myHealthPal and BleepBleeps. Parts are free with registration, others are paid. Keynote speakers include Steve Wozniak, co-founder of Apple, at the free Developer World. The free part also includes the 250-exhibitor expo along with 3 keynote talks within the 5 free-to-attend workshops (registration here). The Enterprise World speaker track on both days is free and includes the NHS speaker on security. M2M and Automotive is a paid track and includes content (Health & Wearables, Connected Car) relating to telehealth with myHealthPal and BleepBleeps. Passes range from £250 (networking) to £995 (2 day Gold). According to a posting on LinkedIn, there is a 25 percent savings when you use this code for registration: LINKEDIN25. More information here.