Healthcare and Technology news

Healthcare cybersecurity info sharing still a work in progress

While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on information sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story


Security audit of Premera identified issues prior to cyberattack

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.


Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.


However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used and a vulnerability scan identified insecure server configurations.


At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.



U.S. states say Anthem too slow to inform customers of breach

Ten U.S. states have sent a letter to Anthem Inc complaining that the company has been too slow in notifying consumers that they were victims of a massive data breach disclosed last week.

"The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers," said the letter, which was sent on Tuesday by Connecticut Attorney General George Jepsen on behalf of Connecticut and nine other states.

The letter asked the No. 2 U.S. health insurer to compensate any consumers who are victims of scams, if the fraud occurs before Anthem notifies them of the breach and offers them free credit monitoring.

"Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards," said the letter.

Jepsen also asked Anthem to contact his office by Wednesday afternoon with details of its plans to "provide adequate protections" to consumers whose data was exposed in this breach.

The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island.

Representatives with Anthem could not immediately be reached for comment.

Anthem disclosed the massive breach last week, saying that hackers accessed a database of some 80 million consumers and employees that contained Social Security numbers and other sensitive data.

On Friday the company warned U.S. customers about an email scam targeting former and current members.



Obama Gives Data Security Some Needed Momentum

Every year, I see Mac McMillan at HIMSS and wonder if he’ll ever be positive.

Of course I’m joking, but in a way you can’t blame McMillan—a renowned data security expert, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, and CEO of the consulting firm, CynergisTek—for being a “Debbie Downer.” Data security in healthcare has been and is abysmal.

Every year, the Traverse City, Mich.-based Ponemon Institute releases its annual patient privacy and security study and the results are somewhat startling. This past year, 90 percent of respondents say they’ve had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. The economic impact of a breach has remained steadily high.

And this is just one study of many, one voice of many, and one indication that healthcare has a big problem with data security. It’s not exactly far-reaching to say we have a long ways to go if these abysmal statistics are to reverse.

Moreover, it could get worse before it gets better. Hackers are now starting to target healthcare data holders. This week, Jason Roos, CTO at Stanford Hospital & Clinics and Stanford University Medical Center in Palo Alto, Calif., explained to me why the exposure of the threat is significant in healthcare, compared to other sectors.

One of the big problems is that it seems like a lot of high-level executives in hospitals don’t care about data security until it’s too late. They don’t want to put in protections, do a risk analysis, and pay for extensive training until they have the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) knocking at their door.

It’s not just healthcare that lags in this way. The retail, entertainment, finance, education, and government sectors seem to have this problem too. In our podcast conversation, McMillan called 2014 the year of the incident. You could say that again. Sony, JP Morgan, Community Health, Home Depot all had high profile breaches. Incidents were everywhere in 2014.

I guess that’s why I was excited to read about President Barack Obama’s dedication to data security, which made the news this week. Specific information on his proposal is sparse, with most details expected to be announced during the State of the Union on Tuesday, but let’s just acknowledge that something is better than nothing. As a privacy expert said in this CNET article, "This is a huge shot in the arm to a much-needed advancement for our legislative protections.”

A nationally recognized data security policy tells every higher up, whether they are in healthcare or not, “Respect the threat. Be prepared.”  

In New York, Attorney General Eric Schneiderman quietly took it a step farther. He proposed a bill that would expand the definition of private information to include email addresses in combination with a password or security question and answer; require entities that store private data to have reasonable technical and physical safeguards, assess risks regularly, and obtain third-party certifications showing compliance with these requirements; and incentivize companies to provide higher levels of data security and share forensic reports with law enforcement officials. I admire the fact that he wants the strongest data security law in the country.

While these measures are not directed at the healthcare industry specifically, they very well could have a trickledown effect that gives it the kick start that is so desperately needed. In other words, maybe in a few years, I’ll go to HIMSS and Mac McMillan will be a little less annoyed at the way things are with data security in healthcare.



Top 3 trends reshaping the cloud in healthcare IT | Healthcare IT News

2015 is all about cloud platforms for healthcare IT, which means the New Year will bring dramatic changes to the cloud landscape. Three factors that are reshaping the cloud moving into 2015 are cost, customization, and collaboration.

1) Cost. Cost is a significant consideration when talking about cloud technology because most healthcare IT systems are expensive. The software is costly and the number of servers that providers need to purchase gets prohibitively expensive. Moving into the cloud means moving into a completely foreign pricing model for most healthcare IT firms, with a fully virtualized cloud environment that does not require space or additional servers, which can help eliminate costs. 

Multi-tenancy is also a way to control cost in the cloud. With multi-tenancy, healthcare IT firms can create a single instance of a database server to serve all of their clients/tenants. The application has to be architected to be secure within a multi-tenant environment, but as the healthcare IT firm crafts its application to be multi-tenant, it can share more pieces of the infrastructure puzzle.

With a legacy/turn-key application, healthcare IT firms might have been able to share the database but couldn’t share the application servers or the front-end user experience.  As they morph their application to be truly multi-tenant, now they can share the database servers and the application servers, and potentially the user experience.  

2) Customization. Customizations are different in the cloud. In the traditional IT environment, healthcare IT firms would branch off of a client's environment and modify their UI (User Interface) to get their own special installation. Healthcare IT firms don't want to do this in the cloud because they want to be able to share these instances between multiple tenants. So now, software has to get more intelligent with data-driven configurations versus having a different binary for Tenant A versus Tenant B.

The customizations are modeled in the configuration database, so when Tenant A comes in, the healthcare IT firm retrieves the configuration from their database and it says Tenant A gets this color-scheme, Tenant A can see these fields, but Tenant B has a personalized, tweaked customization experience.  

Legitimately, everything has been moving that way even within in-house turn-key solutions because it is a challenge from a development standpoint to manage 20 branches of code that are all customized. With the cloud, data-driven configurations are modeled within the database.

3) Collaboration. These days, it seems everything is going to cloud and healthcare IT is no exception to this trend. 

Nowadays, healthcare IT firms, like Invidasys, are enabling the collaboration layer within their software, with the Lync component. Healthcare IT firms can integrate the entire user account experience within their application so that applications such as Word for Office 365 are supported directly in the application.

For instance, a user can pull up a Word online document, have real-time collaboration on a web page, and pull in additional CSRs, or customer support reps, that are looking at particular data on the screen for an online chat. With the cloud, these kinds of integrations for the user’s benefit occur seamlessly and can be updated at any time because they are always available in the cloud. 

In conclusion, 2015 is going to be a big year for the cloud and healthcare IT firms, especially with factors like cost, customization and collaboration. With the cloud, healthcare IT services are becoming more cost effective for the industry, because there is less need for in-office space for servers, costly software upgrades or hardware replacements etc.

The cloud is still as customizable as traditional hardware because features are written into the code during development to allow for a streamlined, configurable user experience. Now that all software is available online, it is easy to collaborate with others and for systems to collaborate with each other. There is no need for sharing versions of work or communicating on separate platforms because having everything accessible in the cloud, all the time, allows for anytime access for anyone on the team.



NIST to Address Medical Device Security

In an effort to address the cybersecurity challenges of networked medical devices, the National Institute of Standards and Technology, through the National Cybersecurity Center of Excellence, is launching a project to secure those devices from risks such as malware, hacking and access control.


The project, done in collaboration with the Technological Leadership Institute at the University of Minnesota and the medical device industry, is inviting comments on ways to properly secure medical devices that are increasingly being connected to central systems within hospitals, the NCCoE says, starting with a draft use case on wireless infusion pumps.

While security experts see the move as a positive step forward in raising awareness on security risks to such devices, it may not be enough to get device manufacturers to address the issues. For one, NIST doesn't have any regulatory oversight, says Mac McMillan, CEO of security consulting firm CynergisTek. "Whatever they come up with is not going to get us where we need to go," he says. "What we need is for the Food and Drug Administration to put out a hard and fast rule that [manufacturers] have to pay attention to."

Still, NCCoE's initiative is a comprehensive effort to address medical device risks, says Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare system in the Pacific Northwest. "We need to start with a realistic use case, and infusion pumps are a high-use medical device."

The push by NCCoE to address medical device security comes two months after the Food and Drug Administration issued final guidance calling for manufacturers to consider cybersecurity risks as part of the design and development of medical devices.

In Aug. 2013, the FDA also issued guidance on the radio frequency of wireless medical devices, including recommending authentication and encryption for reducing security risks and related patient safety threats.

Project Details

The draft use case NCCoE is launching will focus on wireless infusion pumps, which transport fluids, drugs and nutrients into a patient's bloodstream. "A networked infusion pump can allow centralized control of the device's programming as well as automated cross checks against pharmacy records and patient data to ensure the right dose of fluids or medication are delivered," NCCoE says. "But these connected devices can introduce new risks in safety and security compared with stand-alone devices."

The case identifies the people and systems that interact with infusion pumps, defines their interactions, performs a risk assessment, identifies applicable security technologies and provides an example method or implementation to secure the system, NCCoE says. Comments on the draft use case should be submitted by Jan. 18, 2015.

After the use case is finalized, the NCCoE will invite organizations to participate in developing a practice guide that contains materials and information needed to deploy an example solution of off-the-shelf products that address the technical security problems.

Moving into 2015, the NCCoE would like to have a set of practice guides dealing with different types of medical devices, says Gavin O'Brien, project manager at NCCoE. "For instance, MRIs ... have lots of computing power on them," he says. "They're very different than infusion pumps and all of those are different from say implantable [devices]."

But for now, the practice guide being developed around the infusion pump use case will be written in a way that people can use pieces from the guide to secure devices within their own organization, O'Brien says. "In the use case, we talk about issues that are specific to infusion pumps, but where those issues apply to other devices ... the [practice guide] will be beneficial to them."

Analyzing the Latest Effort

Before all medical devices are networked, standards and baseline security controls need to be in place, PeaceHealth's Paidhrin says. "Healthcare will leverage them, if they are available," he says. "Medical device manufacturers are wakening to the challenge, but the pace is slow compared to the advance of technology and exploits."

A key challenge will be getting the medical device manufacturers on board with the latest efforts around medical device security, says privacy and information security expert Rebecca Herold. "The overall sentiment coming from the manufacturers has been that they will basically do only the minimum necessary to secure the devices, as required by the FDA," she says.

And while the FDA recently released high-level guidance, "it really did not provide the details necessary to spur medical device manufacturers to take action and engineer their devices" with certain security controls built in, Herold says.




Sony Hack Reveals Health Details on Employees and Their Children | The Health Care Blog

On top of everything else, the Sony data breach revealed employees’ sensitive health information:  Top Sony executives saw lists of named employees who had costly medical treatments and saw detailed psychiatric treatment records of one employee’s son.

Like last year’s revelation by AOL’s CEO, it shows US corporations look at employees’ health information and costs. By ‘outing’ the fact that 2 of AOL’s 5,000 employees had premature infants whose treatment cost over $1 million each, the CEO violated the employees’ rights to health information privacy.

Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of PII. Current US technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system.

Do you trust your employer not to snoop in your personal health information?  How can you trust your employer without a ‘chain of custody’ for  your health data? There is no transparency or accountability for the sale or use of our health data, even though Congress gave us the right to obtain an “Accounting for Disclosures (A4D)” for disclosures of protected health data from EHRs in the 2009 stimulus bill (the regulations have yet to be written).  And we have no complete map that tracks the millions of places US citizens’ health data flows. See: TheDataMap.

There is no way to know who sees, sells, or snoops in our health data unless whistleblowers or hackers expose what’s going on.  Our personal, identifiable health data is in millions of data bases unknown and inaccessible to us.  Both the Bush and Obama Administrations support this privacy-destructive business model on the Internet and in the US health care system.

The US health data broker industry consists of over 100,000 health data suppliers covering 780,000 live daily health data feeds. 

THE GREATEST DAMAGE CAUSED BY THE LACK OF CONTROL OVER PII IS THE LOSS OF TRUST— TRUSTED RELATIONSHIPS BETWEEN PEOPLE, COMPANIES, AND GOVERNMENTS ARE IMPOSSIBLE WITHOUT PERSONAL CONTROL OVER PII.

Both Angela Merkel and Jennifer Lawrence spelled out the deep and persistent effects of violating personal boundaries:

Both spoke of the deep emotional pain and costs of betrayal, and of being unable to trust or feel safe following such serious boundary violations. Trust is truly impossible unless individuals can set boundaries. People, companies, and governments must respect and honor individuals’ rights to control access to personal information to be trusted. Violating boundaries destroys trust and relationships between people and between nations.

Sadly, even though the modern world’s concept of ‘privacy’ comes from our nation, from US Supreme Court Justice Louis D. Brandeis’ concept of privacy, and later in the computer age from Willis Ware’s concept of Fair Information Practices, the US has lost its way and is destroying both freedom and the right to be let alone.

Among the Western Democracies, has the United States become the world’s most intrusive surveillance state?

Do we have control over any information about ourselves?  Or is every bit or byte of data about us collected, held, and sold by millions of hidden data bases?


Study to Probe Healthcare Cyber-Attacks

In the wake of the recent hacker attacks on Anthem Inc. and Premera Blue Cross that compromised personal data on millions of individuals, the Health Information Trust Alliance is attempting to launch a study to get a better understanding of the severity and pervasiveness of cyber-attacks in the healthcare sector, as well as the attackers' methods.


HITRUST, best known for its Common Security Framework, hopes to recruit hundreds of participants for its "Cyber Discovery" study. Organizations that join the study will monitor for signs of attacks for a 90-day period using data gathered with Trend Micro's threat discovery technology, which works with security information and event management systems. "It's like a big sandbox that works in a passive mode and collects everything and tries to analyze everything that comes into the sandbox," Dan Nutkis, HITRUST CEO, tells Information Security Media Group.


Participants can use the data that's collected and analyzed by the technology for their own cyber-intelligence activities. For the study, the participating organizations will provide anonymized data regularly to HITRUST for analytical purposes. "We don't have the name of the organization, just the type of organization," Nutkis says.

Security expert Mac McMillan, CEO of security consulting firm CynergisTek, says that as long as HITRUST can guarantee the data collected from healthcare organizations is anonymized, the alliance might be able to attract participants. And if there are enough participants, "a study such as this based on empirical data can paint a relevant picture with respect to the risk that healthcare entities face, and therefore, would be very valuable if done correctly," adds McMillan, chair of the HIMSS Privacy & Security Policy Task Force.

HITRUST hopes to have the necessary software and hardware installed at all the participating organizations by the end of May, Nutkis says. It will publish an initial report of findings and recommendations approximately four months from the launch of the project.

Digging In

The organization is seeking about 210 voluntary participants from the healthcare sector, including insurers, hospitals, accountable care organizations and clinics. Each will participate for 90 days or longer, Nutkis says. Participants do not have to be members of HITRUST to qualify.


Each participating healthcare organization will get free use of the Trend Micro technology during the study. Trend Micro will install the appliance and train organizations how to use it and how to conduct the forensics analysis, Nutkis says.


"The goal is to understand the threat actors, the methods and their targets," he says. Among the questions to be addressed, he says, are: "Are these actors targeting health plans or are they targeting specific types of equipment or types of data? Are they after PHI or PII? What's the level of persistence? What's the duration of them trying to get in? Do they keep coming back?"


The study aims to accurately identify attack patterns as well as the magnitude and sophistication of specific threats across enterprises, he says.

Recent Attacks

When it comes to the recent attacks on Anthem and Premera, and their significance to the healthcare sector, "there's a lot of speculation and conjecture about what's going on," he says. "There was a great level of concern after the Community Health System attack" last year, in which hackers compromised data of about 4.5 million individuals. Because they were reported about six weeks apart, the Anthem and Premera breaches raised concerns about whether they were related, he says. While those breach investigations are still ongoing, the healthcare sector is trying to understand who's being targeted, how and for what data, he explains.


Nutkis says HITRUST will consider whether to repeat the study annually to track emerging trends.


McMillan, the consultant, says the value of the study to the healthcare sector will ultimately depend on what is examined. "For instance, will it address social engineering or things like phishing? Phishing is a huge issue for healthcare right now and is believed to have had a role in many of the high-profile breaches of last year."



Phishing: Learning from Anthem Breach

The hack attack against Anthem Inc., which the health insurer says started with a spear-phishing campaign targeting five of its employees, is a warning sign of the kinds of sophisticated schemes that will be common in the year ahead, says Dave Jevans, co-founder of the Anti-Phishing Working Group.

"The Anthem breach is emblematic of what we see in the evolution of attacks against companies and their employees," Jevans says in an interview with Information Security Media Group.

In addition to Anthem, a growing number of cyber-attacks, including the breach of JPMorgan Chase, have originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, Jevans says.

"It's highlighting a fundamental change we're seeing in the phishing landscape," Jevans says. "There's a big decrease, almost 25 percent, in phishing against just broad-base consumers. ... The real risk here is an increase in the attacks against [a handful of] employees ... and using that as a jumping-off point to get into the enterprise, break in and then steal data, breach systems, and spread out to vendors that are connected to the enterprise."

He notes that the JPMorgan Chase breach started with spear phishing that "targeted one employee in the IT department, who was tricked into giving out their password to a vulnerable machine inside the network. The hackers jumped in from there and compromised records. The most sophisticated attacks are waged against very small numbers of employees - we find, typically, less than six." By targeting only a handful of employees, the attackers decrease the odds that their scheme will be detected, Jevans says.

A Shift to Mobile

As spear-phishing campaigns become more common this year as a way to open the door to major cyber-attacks, the attackers will start to focus on targeting employees through their mobile devices, which have less sophisticated detection systems, Jevans predicts. For example, they may use text messages that ask employees to update a virtual private network profile.

"Today, detection methods are not in place [for SMS/text], so you can't tell when someone's been phished on their mobile phone," Jevans adds. "We will see in 2015, with many major breaches, that the forensic evidence is going to come back to the use of mobile devices involved in that initial kill chain of attack inside the company."

Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to thwart the impact of an employee's credentials that are compromised, Jevans stresses. But he says organizations should focus more attention on preventing phishing attacks from being successful.

"In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server," he says. "The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."
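The inbound check Jevans describes, sketched as a mail-gateway rule. This is an added example, not code from the article or the interview: the domain `example.org`, the SPF record and the messages are constructed, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so that it runs without DNS.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: example.org is a placeholder domain and the
# addresses come from documentation ranges (RFC 5737 / RFC 3849).
OWN_DOMAIN = "example.org"
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for client_ip.

    Mechanisms that need DNS (include, a, mx, exists, redirect=) are outside
    this offline example and yield "permerror" instead of being skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            # A v4 address is never "in" a v6 network and vice versa.
            if network.version == (4 if name == "ip4" else 6) and ip in network:
                return QUALIFIERS[qualifier]
            continue
        if "=" in term and not term.lower().startswith("redirect="):
            continue  # unknown modifiers are ignored
        return "permerror"
    return "neutral"


def check_inbound(raw_message, client_ip, own_domain=OWN_DOMAIN,
                  record=SPF_RECORD):
    """Return (verdict, reason) for one message arriving at the gateway.

    SPF itself authenticates the envelope sender; applying our own record to
    the header From domain is the gateway policy from the quote above (DMARC
    alignment generalizes it). Only an exact domain match is treated as ours.
    """
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    if from_domain != own_domain:
        return ("accept", "not claiming our domain")
    result = evaluate_spf(record, client_ip)
    if result == "pass":
        return ("accept", "own domain, authorized sender")
    return ("reject", f"own domain from unauthorized host ({result})")


# Constructed messages: both claim to come from the internal helpdesk.
INTERNAL_LOOKING = (
    "From: IT Helpdesk <helpdesk@example.org>\n"
    "To: staff@example.org\n"
    "Subject: VPN profile update\n\n"
    "Please update your VPN profile.\n"
)
PARTNER = (
    "From: Billing <billing@partner.example>\n"
    "To: staff@example.org\n"
    "Subject: Invoice\n\n"
    "See attached.\n"
)

if __name__ == "__main__":
    for label, raw, ip in [
        ("internal relay", INTERNAL_LOOKING, "192.0.2.25"),
        ("external server", INTERNAL_LOOKING, "203.0.113.9"),
        ("partner mail", PARTNER, "203.0.113.9"),
    ]:
        print(label, check_inbound(raw, ip))
```

A record that relies on `include:` or `mx` returns `permerror` here, so a production check needs a resolver-backed SPF library rather than this offline evaluator.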

Also discussed during this interview:

  • Why top-level domain names, such as .bank, are likely to fuel more phishing campaigns rather than curb them;
  • How DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping businesses block suspicious e-mails through enhanced e-mail authentication, before they ever hit inboxes; and
  • Why employee education related to phishing must be ongoing and consistent.

Jevans, who serves as chairman of the Anti-Phishing Working Group, is also founder and chief technology officer of mobile security firm Marble Security. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.



Experts warn 2015 could be 'Year of the Healthcare Hack'

Security experts are warning healthcare and insurance companies that 2015 will be the "Year of the Healthcare Hack," as cybercriminals are increasingly attracted to troves of personal information held by U.S. insurers and hospitals that command high prices on the underground market.

Anthem Inc, the No. 2 U.S. health insurer, last week disclosed a massive breach of its database containing nearly 80 million records, prompting investigations by state and federal authorities. That hack followed a breach last year at hospital operator Community Health Systems, which compromised some 4.5 million records.

"People feel that this will be the year of medical industry breaches," said Dave Kennedy, chief executive of TrustedSEC LLC.

In the past decade, cybercriminals focused their efforts on attacking banks and retailers to steal financial data including online banking credentials and payment card numbers. But as those companies boost security, using stolen credit card numbers has become more difficult.

Their prices on criminal exchanges have also dropped, prompting hackers to turn to the less-secure medical sector, just as the amount of digital healthcare data is growing dramatically, Kennedy said.

Stolen healthcare data can be used to fraudulently obtain medical services and prescriptions as well as to commit identity theft and other financial crimes, according to security experts. Criminals can also use stolen data to build more convincing profiles of users, boosting the success of scams.

"All of these factors are making healthcare information more attractive to criminals," said Rob Sadowski, marketing director at RSA, the security division of EMC Corp.

MONETIZING STOLEN DATA

RSA Executive Chairman Art Coviello recently wrote in a letter to customers that he expected well-organized cybercriminals to turn their attention to stealing personal information from healthcare providers.

"A name, address, social and a medical identity ... That's incredibly easy to monetize fairly quickly," said Bob Gregg, CEO of ID Experts, which sells identity protection software and services. Identities can sell for $20 apiece, or more, he said.

Insurers, medical equipment makers and other companies say they have been preparing for breaches after seeing the waves of attacks on other industries.

Cigna Corp has looked to financial and defense companies for best practices, including hiring hackers to break into its systems, said Chief Executive David Cordani. Attempts to break into corporate systems to probe for information are a constant, he said in an interview.

St Jude Medical Inc CEO Daniel Starks said the company increased investment in cybersecurity significantly over the last few years, to protect both patient data and the medical devices it manufactures.

"You may see from time to time law enforcement briefings on nation-based (intellectual property) issues, espionage," he said. "Those are things that we take very seriously and have been briefed on and that we work to guard against."

The FBI is investigating the Anthem breach alongside security experts from FireEye Inc.

The insurers UnitedHealth Group Inc and Aetna Inc have warned investors about the risks of cyber crime in their annual reports since 2011.

UnitedHealth has said the costs to eliminate or address the threats could be significant and that remediation may not be successful, resulting in lost customers.

In response to the Anthem attack, UnitedHealth spokesman Tyler Mason said in an emailed statement: "We are in close contact with our peers in ... the industry cybersecurity organization, and are monitoring our systems and the situation closely."

Aetna has cited the automated attempts to gain access to public-facing networks, denial of service attacks that seek to disrupt websites, attempted virus infections, phishing and efforts to infect websites with malicious content.

Aetna spokeswoman Cynthia Michener said in a statement: "We closely follow the technical details of every breach that's reported to look for opportunities to continually improve our own IT security program and the health sector's information protection practices broadly."


Adrián Toscano's curator insight, February 12, 2015 3:02 PM

Trend in crimes on the web. Important.


Digital health in 2015: What's hot and what's not?


I think it’s fair to say that digital health is warming up. And not just in one area. The sheer number and variety of trends are almost as impressive as the heat trajectory itself. The scientist in me can’t help but make the connection to water molecules in a glass — there may be many of them, but not all have enough kinetic energy to ascend beyond their liquid state. The majority are doomed to sit tight and get consumed by a thirsty guy with little regard for subtle temperature changes.


With this in mind, let’s take a look at which digital health trends seem poised to break out in 2015, and which may be fated to stay cold in the glass. As you read, keep in mind that this assessment is filtered through my perspective of science, medicine, and innovation. In other words, a “cold” idea could still be hot in other ways.

Collaboration is hot, silos are not. Empowerment for patients and consumers is at the heart of digital health. As a result, the role of the doctor will shift from control to collaboration. The good news for physicians is that the new and evolved clinician role that emerges will be hot as heck. The same applies to the nature of innovation in digital health and pharma. The lone wolf is doomed to fail, and eclectic thinking from mixed and varied sources will be the basis for innovation and superior care.

Scanners are hot, trackers are not. Yes, the tricorder will help redefine the hand-held tool for care. From ultrasound to spectrometry, the rapid and comprehensive assimilation of data will create a new “tool of trade” that will change the way people think about diagnosis and treatment. Trackers are yesterday’s news stories (and they’ll continue to be written) but scanners are tomorrow’s headlines.

Rapid and bold innovation is hot, slow and cautious approaches are not. Innovators are often found in basements and garages where they tinker with the brilliance of what might be possible. Traditionally, pharmaceutical companies have worked off of a different model, one that offers access and validation with less of the freewheeling spirit that thrives in places like Silicon Valley. Looking ahead, these two styles need to come together. The result, I predict, will be a digital health collaboration in which varied and conflicting voices build a new health reality.

Tiny is hot, small is not. Nanotechnology is a game-changer in digital health. Nanobots, among other micro-innovations, can now be used to continuously survey our bodies to detect (and even treat) disease. The profound ability for this technology to impact care will drive patients to a new generation of wearables (scanners) that will offer more of a clinical imperative to keep using them.

Early is hot, on-time is not. Tomorrow’s technology will fuel both rapid detection and the notion of “stage zero disease.” Health care is no longer about the early recognition of overt signs and symptoms, but rather about microscopic markers that may preempt disease at the very earliest cellular and biochemical stages.

Genomics are hot, empirics are not. Specificity — from genomics to antimicrobial therapy — will help improve outcomes and drive costs down. Therapy will be guided less and less by statistical means and population-based data and more and more by individualized insights and agents.

AI is hot, data is not. Data, data, data. The tsunami of information has often done more to paralyze us than provide solutions to big and complex problems. From wearables to genomics, that part isn’t slowing down, so to help us manage it, we’ll increasingly rely on artificial intelligence systems. Keeping in mind some of the inherent problems with artificial intelligence, perhaps the solution is less about AI in the purest sense and more around IA — intelligence augmented. Either way, it’s inevitable and essential.

Cybersecurity is hot, passwords are not. As intimate and specific data sets increasingly define our reality, protection becomes an inexorable part of the equation. Biometric and other more personalized and protected solutions can offer something that passwords just can’t.

Staying connected is hot, one-time consults are not. Medicine at a distance will empower patients, caregivers, and clinicians to provide outstanding care and will create significant cost reductions. Telemedicine and other online engagement tools will emerge as a tool for everything from peer-to-peer consultation in the ICU to first-line interventions.

In-home care is hot, hospital stays are not. “Get home and stay home” has always been the driving care plan for the hospitalized patient. Today’s technology will help provide real-time and proactive patient management that can put hospital-quality monitoring and analytics right in the home. Connectivity among stakeholders (family, EMS, and care providers) offers both practical and effective solutions to care.

Cost is hot, deductibles are not. Cost will be part of the “innovation equation” that will be a critical driver for market penetration. Payers will drive trial (if not adoption) by simply nodding yes for reimbursement. And as patients are forced to manage higher insurance deductibles, options to help drive down costs will compete more and more with efficacy and novelty.

Putting it all together: What will it take to break away in 2015?

Beyond speed lies velocity, a vector that has both magnitude and direction. Smart innovators realize that their work must be driven by a range of issues from compatibility to communications. Only then can they harness the speed and establish a market trajectory that moves a great idea in the right direction. Simply put, a great idea that doesn’t get noticed by the right audience at the right time is a bit like winking to someone in the dark. You know what you’re doing, but no one else does.



Wearables will cause data breaches in the enterprise, says Good Technology: 2015 Tech Predictions | SiliconANGLE


2015 will be the year of the smart watch, with compelling offerings arriving on both the Apple and Android platforms. But we will also see popular consumer mobile applications creating huge security issues for the enterprise, with major security breaches happening due to human error. This is all according to Nicko van Someren, CTO of Good Technology, a provider of secure mobility software.

van Someren’s predictions about emerging technologies are all part of our second annual Technology Predictions series in which industry experts share their predictions with us about the hot tech trends that they think will take center stage in 2015. We’ll be sharing all of their predictions with you over the next several days. Read on for more from van Someren.


Prediction No. 1: Human error will lead to more major security breaches

Cyber-attacks are getting more sophisticated and complex. This will continue in 2015 but it appears that many companies are not moving fast enough to keep up and the likely result will be major security breaches. The biggest contributing factor to these security risks will be human error and lack of awareness.


Prediction No. 2: Consumer technologies will cause security issues for enterprises

Consumer technology will also be a big concern in 2015. Consumer devices and consumer-centric technologies act as a gateway for corporate data to move between controlled, corporate environments and parts unknown. Modern consumer devices are inherently prone to leaks by design because they are built to explicitly make it easy for users to share data. Popular consumer mobile applications can easily move data outside of corporate controls without the user knowing, creating huge security issues for the enterprise.


Prediction No. 3: 2015 will be the year of the smart watch

2015 will be the year of the smart watch, with compelling offerings arriving on both the Apple and Android platforms. The emergence of new technology will result in the emergence of new security threats and vulnerabilities, putting users’ data at risk. We don’t yet know how hard it will be to break into these devices but we do know that, if hackers can infiltrate your smart watch, then they can potentially make transactions from Apple Pay and, possibly, reach back into the database on your smartphone to capture all sorts of sensitive information.


Prediction No. 4: Wearables will cause data breaches in the enterprise

As of now, wearables are mainly consumer-driven. Their arrival in the workplace in 2015 is certain but most businesses are woefully unprepared for this. Unless businesses move swiftly to limit how corporate data is delivered to and consumed on these devices, some sort of data breach is inevitable.



Should the Sony Hack Have Hospitals Concerned? | Hospital EMR and EHR


If you haven’t heard the details of the Sony hack, then lucky you. It seems that coverage of the hack has been everywhere. Long story short, Sony wasn’t careful and the hackers got a lot of really private information like emails. It was embarrassing to the company in a variety of ways and the effects of it and them eventually pulling The Interview are going to be felt for a long time to come. In fact, some of the hack included Sony’s insurance records which included medical information.

Should hospitals be concerned by the hack of Sony? The hack itself shouldn’t be of particular concern, but it should be a stark reminder that anyone is vulnerable if the hackers want to hack you enough. Unfortunately, the game of privacy and security is a cat and mouse game of trying to make what you have so difficult to access that hackers choose other, simpler targets.

With that said, if Sony, Google, Target, etc. can be hacked, then anyone could be hacked. While it’s absolutely critical that you’re doing everything you can to make it hard for hackers to access your systems, it’s also important to make sure that you have proper breach procedures in place as well. How you handle a breach is going to be incredibly important for every organization.

The Sony hack is going to cost them a lot of money. A breach in healthcare could incur some of the same embarrassment publicly, but there are also stiff HIPAA penalties for a breach. This could get very expensive for organizations that aren’t taking health IT security seriously. If you thought the coming MU penalties are bad, try to calculate in some major HIPAA fines and reduced patient load because patients no longer trust your organization. It will be devastating for organizations.

What is your organization doing to avoid breaches? Are you going beyond the HIPAA risk assessment?




80 Percent Of Patients Worry For Health Data Security


Though 2015 will begin to show the U.S. health industry as a “true market,” a new report indicates consumers remain concerned about medical technology and the security of their health information and data.

A new report released today at the Forbes Healthcare Summit by PwC’s Health Research Institute shows U.S. patients are concerned about the digital age, according to a survey of 1,000 U.S. consumers who were interviewed. The report comes as millions more Americans are gaining health coverage under the Affordable Care Act and the $2.8 trillion U.S. health care sector undergoes major transformation.

Nearly 70 percent of those who responded say they are concerned about health data via their smart phones and 78 percent are concerned about medical data security in general, PwC’s report shows.

Despite these concerns, however, PwC’s report indicates consumers are ready to take more charge of their health care through so-called “do-it-yourself” healthcare, working with doctors and other providers who will assist them with care in the home and other remote patient monitoring.

“Established healthcare companies and new entrants are rapidly developing cost-efficient products and services tailored directly to consumers,” said Kelly Barnes, PwC partner and US health industries leader.

Consumers are ready for medical care providers other than physicians to deliver their care, which is good news for companies like Walgreen (WAG), CVS Health (CVS), Wal-Mart (WMT) and others. PwC said 75 percent of their survey respondents were open to “extenders” like pharmacists and nurse practitioners delivering their care.


