Healthcare and Technology news
39.4K views | +0 today
Follow
Healthcare and Technology news
Your new post is loading...
Your new post is loading...
Scoop.it!

Hospital employee gets indicted for fraud

Hospital employee gets indicted for fraud | Healthcare and Technology news | Scoop.it

A former employee at a major New York health system has been indicted, along with seven others, for stealing personal data of 12,000 patients, enabling more than $50,000 in fraud.


Manhattan's district attorney last week announced the indictment of Monique Walker, 32, a former assistant clerk at the eight hospital Montefiore Health System, for swiping patient data and supplying it to an identity theft ring. Walker, who had access to patient names, Social Security numbers, dates of birth, among others, reportedly printed the records of as many as 12,000 patients and supplied them to seven other individuals who used the data to make multiple purchases from department stores and retailers.


Walker, according to the New York County’s District Attorney’s office, sold the patient records for as little as $3 per record. Co-conspirators were able to open credit cards and make several unauthorized big ticket purchases at Barneys New York, Lord & Taylor and Bergdorf Goodman, among others. Defendants have been charged with grand larceny, unlawful possession of personal identification information, identity theft and criminal possession.


"In case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," said New York County District Attorney Cyrus R. Vance Jr. in a June 18 press statement announcing the indictment. "I thank Montefiore Medical Center for taking immediate steps to alert authorities to ensure that those involved are held responsible, and moving swiftly and responsibly to notify and protect patients."

The case of insider misuse with patient data within healthcare organizations is nothing new. In fact, according toVerizon's annual data breach investigations report published this spring, security incidents caused by insider misuse – think organized crime groups and employee snooping – jumped from 15 percent last year to 20 percent in 2015.


"We're seeing organized crime groups actually position people where possible in healthcare organizations so they can steal information for tax fraud," Suzanne Windup, senior analyst on the Verizon RISK team, told Healthcare IT News this spring. "As organizations are putting in better monitoring and they're reviewing access logs, they're finding more cases of snooping."


As Cathleen A. Connolly, FBI supervisory special agent explained at Healthcare IT News' Privacy & Security Forum this past March, "your people that work for you are a very large threat," speaking in the context of combatting insider threats within healthcare.


What's more, according to data from the U.S. Department of Health and Human Services, unauthorized access or disclosure accounts for 5.3 million of the patient data compromised in HIPAA breaches. 

more...
No comment yet.
Scoop.it!

Healthcare data security is like a box of chocolates

Healthcare data security is like a box of chocolates | Healthcare and Technology news | Scoop.it

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute had more surprises than Forrest Gump’s box of chocolates – surprises that were far from palatable. One key finding was that criminal attacks are up 125 percent and are now the leading cause of healthcare data breaches. Other results of the study were just as unsettling:


Surprise 1: Sixty-five percent of healthcare organizations do not offer any protection services for patients whose information has been lost or stolen. With cyber threats on healthcare data mounting, this is unacceptable. Ironically, the Ponemon study also found that 65 percent of healthcare organizations—the same percentage that don’t offer protection services—believe patients whose records have been lost or stolen are more likely to become victims of medical identity theft.


According to the Ponemon Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Many medical identity theft victims report they have spent an average of almost $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records. Healthcare organizations and business associates must make available medical identity monitoring and identity restoration services to patients whose healthcare records have been exposed.


On the other hand, the majority of people still don’t understand the serious risk of medical identity theft. They pay more attention to their credit score and financial information than they do their insurance EOBs or medical records. They don’t understand that while a credit card can be quickly and easily replaced, their medical identity can take years to be restored. When their records become polluted, patients can be misdiagnosed, mistreated, denied much needed medical services, or billed for services not rendered. Medical identity theft can literally kill you, as ID Experts CEO Bob Gregg has said.


Surprise 2: The average cost of a healthcare data breach has stayed fairly consistent over the past five years – $2.1 million. This is in contrast to the average total cost of data breach in general, which has risen 23 percent over the past two years to $3.79 million, according to another recent Ponemon report, 2015 Cost of Data Breach Study: Global Analysis. Cyber liability insurance to cover notification costs, better options for identity monitoring, and more privacy attorneys offering help should reduce the cost of healthcare data breaches over time.


Healthcare organizations can take proactive steps to reduce the likelihood and impact of a data breach. This means addressing the tactical issues of protecting patient data. According to Dr. Larry Ponemon, founder and chairman of Ponemon Institute, healthcare organizations face “the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget.” 


According to the Ponemon report, 96 percent of healthcare organizations had a security incident involving lost or stolen devices, and employee negligence is the greatest concern among these organizations. Dr. Ponemon says healthcare providers should create “a more aggressive training and education awareness program, as well as invest in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information.”

These training and awareness programs should center around protecting PHI, especially education on how to avoid phishing emails and what to do to ensure data is not disclosed. Healthcare organizations must also collaborate with their business associates to also ensure they have similar programs in place. 


For external risks such as the growing number of criminal attacks, Dr. Ponemon says that healthcare providers must “assess what sensitive data needs to be monitored and protected, and the location of this data.” I would add that board and executive management must recognize that professional hackers are targeting health data and records and, as mentioned earlier, that such attacks are now the leading cause of data breaches in healthcare. This awareness should spur enterprise-wide alignment in addressing cyber threats.


Surprise 3: Too many healthcare organizations take an ad-hoc approach to incident risk assessment. Only 50 percent of healthcare organizations in the study performed the four-factor risk assessment following each security incident, as required by the HIPAA Final RuleOf that 50 percent, 34 percent used an ad hoc risk assessment process, and 27 percent used a manual process or tool that was developed internally.


This practice is not acceptable. Healthcare organizations now have software tools available to help automate and streamline processes such as risk assessment and data breach response. By supporting consistent and objective analysis of security incidents, providing a central repository for all incident information, and streamlining the documentation and reporting process, these tools can improve outcomes and free an organization’s privacy and security staff to spend more time on prevention.


So far, 2015 has been a bad year for protecting patients and their data. Increasing cyber attacks mean that even more patients and their data will be put in harm’s way. While nobody can escape the inevitable security incidents, it is my hope that we can all learn lessons from the Ponemon study and each other, and work more collectively so that next year will bring fewer unpleasant surprises and many more happy ones.

more...
No comment yet.
Scoop.it!

Healthcare cybersecurity info sharing still a work in progress

Healthcare cybersecurity info sharing still a work in progress | Healthcare and Technology news | Scoop.it

While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on infomation sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


more...
11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story

Scoop.it!

Health checks by smartphone raise privacy fears

Health checks by smartphone raise privacy fears | Healthcare and Technology news | Scoop.it

Authorities and tech developers must stop sensitive health data entered into applications on mobile phones ending up in the wrong hands, experts warn.

As wireless telecom companies gathered in Barcelona this week at the Mobile World Congress, the sector's biggest trade fair, specialists in "e-health" said healthcare is fast shifting into the connected sphere.

"It's an inexorable tide that is causing worries because people are introducing their data into the system themselves, without necessarily reading all the terms and conditions," said Vincent Genet of consultancy Alcimed.

"In a few years, new technology will be able to monitor numerous essential physiological indicators by telephone and to send alerts to patients and the specialists who look after them."

More and more patients are using smartphone apps to monitor signs such as their blood sugar and pressure.

The European Commission estimates the market for mobile health services could exceed 17.5 billion euros (19 billion euros) from 2017.

The Chinese health ministry's deputy head of "digital health", Yan Jie Gao, said at the congress on Wednesday that the ministry planned to spend tens of billions of euros (dollars) by 2025 to equip 90,000 hospitals with the means for patients to contact them online securely.

Patients are entering health indicators and even using online health services for long-distance consultations with doctors whom they do not know.

"There is a steady increase in remote consultations with medical practitioners," particularly in the United States, said Kevin Curran, a computer scientist and senior member of the Institute of Electrical and Electronics Engineers.

"Your doctor can be someone who's based in Mumbai. We have to be very careful about our data, because they're the ones who probably will end up storing your data and keeping a record of it."

- Cloud-based healthcare -

Other users are entering personal health data into applications on their smartphones.

This kind of "e-health" could save governments money and improve life expectancy, but authorities and companies are looking to strengthen security measures to protect patients' data before such services become even more widespread.

"I think tech companies are becoming more concerned with privacy and encryption now," said Curran.

"The problem quite often is that a lot of this data is stored not on the phone or the app but in the cloud," in virtual storage space provided by web companies, he added.

"We are at the mercy of who the app providers are and how well they secure the information, and they are at the mercy sometimes of the cloud providers."

Others fear that insurance companies will get hold of customers' health information and could make them pay more for coverage according to their illnesses.

Various sources alleged to AFP that health insurance companies have been buying data from supermarkets about what food customers were buying, drawn from the sales records of their loyalty cards, following media reports to that effect.

The kind of "e-health" indicator most sought after by patients is fitness-related rather than information on illnesses, however, said Vincent Bonneau of the research group Idate.

A study by Citrix Mobile, a specialist in wireless security, showed that more than three quarters of people using e-health applications were doing so for fitness reasons rather than for diagnosing illnesses.


more...
No comment yet.
Scoop.it!

Health IT Security: What Can the Association for Computing Machinery Contribute?

A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recentlh peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”

The challenge of defining a strategy has now been picked up by the US branch of the Association for Computing Machinery, the world’s largest organization focused on computing. (Also probably it’s oldest, having been founded in 1947 when computers used vacuum tubes.) We’re an interesting bunch, having people who have helped health care sites secure data as well as researchers whose role is to consume data–often hard to get.

So over the next few weeks, half a dozen volunteers on the ACM US Public Policy Council will discuss what to suggest to the Senate. Some of us hope the task of producing a position statement will lead the ACM to form a more long-range commmittee to apply the considerable expertise of the ACM to health IT.

Some of the areas I have asked the USACM to look at include:

Cyber-espionage and identity theft
This issue has all the publicity at the moment–and that’s appropriate given how many people get hurt by all the data breaches, which are going way up. We haven’t even seen instances yet of malicious alteration or destruction of data, but we probably will.

Members of our committee believe there is nothing special about the security needs of the health care field or the technologies available to secure it. Like all fields, it needs fine-grained access controls, logs and audit trails, encryption, multi-factor authentication, and so forth. The field has also got to stop doing stupid stuff like using Social Security numbers as identifiers. But certain aspects of health care make it particularly hard to secure:

  • The data is a platinum mine (far more valuable than your credit card information) for data thieves.
  • The data is also intensely sensitive. You can get a new credit card but you can’t change your MS diagnosis. The data can easily feed into discrimination by employees and ensurers, or other attacks on the individual victims.
  • Too many people need the data, from clinicians and patients all the way through to public health and medical researchers. The variety of people who get access to the data also makes security more difficult. (See also anonymization below.)
  • Ease of use and timely access are urgent. When your vital signs drop and your life is at stake, you don’t want the nurse on duty to have to page somebody for access.
  • Institutions are still stuck on outmoded security systems. Internally, passwords are important, as are firewalls externally, but many breaches can bypass both.
  • The stewards/owners of health care data keep it forever, because the data is always relevant to treatment. Unlike other industries, clinicians don’t eventually aggregate and discard facts on individuals.
Anonymization
Numerous breaches of public data, such as in Washington State, raise questions about the security of data that is supposedly anonymized. The HIPAA Safe Harbor, which health care providers and their business associates can use to avoid legal liability, is far too simplistic, being too strict for some situations and too lax for others.

Clearly, many institutions sharing data don’t understand the risks and how to mitigate against them. An enduring split has emerged between the experts, each bringing considerable authority to the debate. Researchers in health care point to well-researched techniques for deidentifying data (see Anonymizing Health Data, a book I edited).

In the other corner stand many computer security experts–some of them within the ACM–who doubt that any kind of useful anonymization will stand up over the years against the increase in computer speeds and in the sophistication of data mining algorithms. That side of the debate leads nowhere, however. If the cynics were correct, even the US Census could not ethically release data.

Patient consent
Strong rules to protect patients were put in place decades ago after shocking abuses (see The Immortal Life of Henrietta Lacks). Now researchers are complaining that data on patients is too hard to get. In particular, combining data from different sites to get a decent-sized patient population is a nightmare both legally and technically.
Device security
No surprise–like every shiny new fad, the Internet of Things is highly insecure. And this extends to implanted devices, at least in theory. We need to evaluate the risks of medical devices, in the hospital or in the body, and decide what steps are reasonable to secure them.
Trusted identities in cyberspace
This federal initiative would create a system of certificates and verification so that individuals could verify who they are while participating in online activities. Health care is a key sector that could benefit from this.

Expertise exists in all these areas, and it’s time for the health care industry to take better advantage of it. I’ll be reporting progress as we go along. The Patient Privacy Rights summit next June will also cover these issues.


more...
No comment yet.
Scoop.it!

Phishing: Learning from Anthem Breach

Phishing: Learning from Anthem Breach | Healthcare and Technology news | Scoop.it

The hack attack against Anthem Inc., which the health insurer says started with a spear-phishing campaign targeting five of its employees, is a warning sign of the kinds of sophisticated schemes that will be common in the year ahead, says Dave Jevans, co-founder of the Anti-Phishing Working Group.

"The Anthem breach is emblematic of what we see in the evolution of attacks against companies and their employees," Jevans says in an interview with Information Security Media Group.

In addition to Anthem, a growing number of cyber-attacks, including the breach of JPMorgan Chase, have originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, Jevans says.

"It's highlighting a fundamental change we're seeing in the phishing landscape," Jevans says. "There's a big decrease, almost 25 percent, in phishing against just broad-base consumers. ... The real risk here is an increase in the attacks against [a handful of] employees ... and using that as a jumping-off point to get into the enterprise, break in and then steal data, breach systems, and spread out to vendors that are connected to the enterprise."

He notes that the JPMorgan Chase breach started with spear phishing that "targeted one employee in the IT department, who was tricked into giving out their password to a vulnerable machine inside the network. The hackers jumped in from there and compromised records. The most sophisticated attacks are waged against very small numbers of employees - we find, typically, less than six." By targeting only a handful of employees, the attackers decrease the odds that their scheme will be detected, Jevans says.

A Shift to Mobile

As spear-phishing campaigns become more common this year as a way to open the door to major cyber-attacks, the attackers will start to focus on targeting employees through their mobile devices, which have less sophisticated detection systems, Jevans predicts. For example, they may use text messages that ask employees to update a virtual private network profile.

"Today, detection methods are not in place [for SMS/text], so you can't tell when someone's been phished on their mobile phone," Jevans adds. "We will see in 2015, with many major breaches, that the forensic evidence is going to come back to the use of mobile devices involved in that initial kill chain of attack inside the company."

Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to thwart the impact of an employee's credentials that are compromised, Jevans stresses. But he says organizations should focus more attention on preventing phishing attacks from being successful.

"In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server," he says. "The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."

Also discussed during this interview:

  • Why top-level domain names, such as .bank, are likely to fuel more phishing campaigns rather than curb them;
  • How DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping businesses block suspicious e-mails through enhanced e-mail authentication, before they ever hit inboxes; and
  • Why employee education related to phishing must be ongoing and consistent.

Jevans, who serves as chairman of the Anti-Phishing Working Group, is also founder and chief technology officer of mobile security firm Marble Security. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.


more...
No comment yet.
Scoop.it!

Experts warn 2015 could be 'Year of the Healthcare Hack'

Experts warn 2015 could be 'Year of the Healthcare Hack' | Healthcare and Technology news | Scoop.it

Security experts are warning healthcare and insurance companies that 2015 will be the "Year of the Healthcare Hack," as cybercriminals are increasingly attracted to troves of personal information held by U.S. insurers and hospitals that command high prices on the underground market.

    Anthem Inc, the No. 2 U.S. health insurer, last week disclosed a massive breach of its database containing nearly 80 million records, prompting investigations by state and federal authorities. That hack followed a breach last year at hospital operator Community Health Systems, which compromised some 4.5 million records.

    "People feel that this will be the year of medical industry breaches," said Dave Kennedy, chief executive of TrustedSEC LLC.

    In the past decade, cybercriminals focused their efforts on attacking banks and retailers to steal financial data including online banking credentials and payment card numbers. But as those companies boost security, using stolen credit card numbers has become more difficult.

Their prices on criminal exchanges have also dropped, prompting hackers to turn to the less-secure medical sector, just as the amount of digital healthcare data is growing dramatically, Kennedy said.

Stolen healthcare data can be used to fraudulently obtain medical services and prescriptions as well as to commit identity theft and other financial crimes, according to security experts. Criminals can also use stolen data to build more convincing profiles of users, boosting the success of scams.

"All of these factors are making healthcare information more attractive to criminals," said Rob Sadowski, marketing director at RSA, the security division of EMC Corp.

MONETIZING STOLEN DATA

RSA Executive Chairman Art Coviello recently wrote in a letter to customers that he expected well-organized cybercriminals to turn their attention to stealing personal information from healthcare providers.

"A name, address, social and a medical identity ... That's incredibly easy to monetize fairly quickly," said Bob Gregg, CEO of ID Experts, which sells identity protection software and services. Identities can sell for $20 apiece, or more, he said.

    Insurers, medical equipment makers and other companies say they have been preparing for breaches after seeing the waves of attacks on other industries. 

    Cigna Corp has looked to financial and defense companies for best practices, including hiring hackers to break into its systems, said Chief Executive David Cordani. Attempts to break into corporate systems to probe for information are a constant, he said in an interview. 

St Jude Medical Inc CEO Daniel Starks said the company increased investment in cybersecurity significantly over the last few years, to protect both patient data and the medical devices it manufactures.

"You may see from time to time law enforcement briefings on nation-based (intellectual property) issues, espionage," he said. "Those are things that we take very seriously and have been briefed on and that we work to guard against."

    The FBI is investigating the Anthem breach alongside security experts from FireEye Inc.

The insurers UnitedHealth Group Inc and Aetna Inc have warned investors about the risks of cyber crime in their annual reports since 2011.

UnitedHealth has said the costs to eliminate or address the threats could be significant and that remediation may not be successful, resulting in lost customers.

    In response to the Anthem attack, UnitedHealth spokesman Tyler Mason said in an emailed statement: "We are in close contact with our peers in ... the industry cybersecurity organization, and are monitoring our systems and the situation closely."

Aetna has cited the automated attempts to gain access to public-facing networks, denial of service attacks that seek to disrupt websites, attempted virus infections, phishing and efforts to infect websites with malicious content.

Aetna spokeswoman Cynthia Michener said in a statement: "We closely follow the technical details of every breach that's reported to look for opportunities to continually improve our own IT security program and the health sector's information protection practices broadly."


more...
Adrián Toscano's curator insight, February 12, 2015 3:02 PM

Tendencia de los crímenes en la web. Importante.

Scoop.it!

Why So Many Hackers Are Going After the Health Care Industry

Why So Many Hackers Are Going After the Health Care Industry | Healthcare and Technology news | Scoop.it

Initial suspicions from the massive hack at Anthem are just starting to roll in, and they are suspicious. Long story short, a few unnamed people immediately jumped to the conclusion that it was China. That said, Anthem is hardly the only health care company that's been hacked lately.

It's a bit of an pandemic, actually (pardon the pun). Last year, we saw a series of attacks on hospitals and health care companies. It's way too soon—and a little bit presumptuous—to say that the Anthem attack was state-sponsored hackers from China. However, past attacks show that Chinese hackers have been targeting the health care industry, in part, because it's so easy to hack. Bad security means that hackers can gain access to personal data and possibly trade secrets that could be used or sold on the black market.

Bloomberg's sources think that the Anthem breach was part of the same strategy. There's an espionage angle, too:

In the past year, Chinese-sponsored hackers have taken prescription drug and health records and other information that could be used to create profiles of possible spy targets, according to Adam Meyers, vice president of intelligence at Crowdstrike, an Irvine, Califorinia-based cybersecurity firm…

"This goes well beyond trying to access health-care records," Meyers said. "If you have a rich database of proclivities, health concerns and other personal information, it looks, from a Chinese intelligence perspective, as a way to augment human collection."

Well, that makes an otherwise complex information security issue sound like a Bond movie, doesn't it? This isn't a movie, though. Anthem is the second-largest health insurer in the United States and some 80 million people could be affected by this. But maybe this is just the outbreak the health care industry needs in order to invest in better security.

more...
No comment yet.
Scoop.it!

USPS Breach Exposed Health Data

USPS Breach Exposed Health Data | Healthcare and Technology news | Scoop.it

As the U.S. Postal Service's investigation into its data breach continues to unfold, it's now reporting that certain health information for approximately 485,000 current and former employees was potentially compromised.


The news follows confirmation from the USPS on Nov. 10, 2014, of a breach of some of its information systems that impacted more than 800,000 employees and 2.9 million customers.

The investigation has now determined that the intruders may have compromised a file containing workers' compensation injury claim data, according to a letter detailing the incident that the USPS provided to Information Security Media Group. The file, created in August 2012, contains information associated with current and former workers' compensation claims. Information included in the file dates from November 1980 to Aug. 30, 2012, according to the USPS.

Although the type of information varies greatly based on individual cases, workers' compensation-related data that may have been exposed includes names, addresses, dates of birth, Social Security numbers, medical information and "other" information.

The total number of employees whose health data may have been exposed reflects some of those originally listed as being impacted by the breach, "but others are receiving letters for the first time," says David Partenheimer, a spokesperson at the U.S. Postal Service. Those who did not receive an earlier letter from the USPS regarding receiving free credit monitoring for one year have now been informed how to obtain the service.

The USPS says it has no evidence that any compromised employee information has been used to engage in any malicious activity, the letter says.

Although the latest breach details involve health information, the USPS is not subject to the HIPAA Privacy Rule that governs healthcare data because it is not a covered entity (a healthcare provider), Partenheimer says.

Notification Delay Explained

At a U.S. House hearing in November, Randy Miskanic, a USPS official, defended the agency's delay in notifying USPS workers of the breach, contending authorities didn't initially know what data was pilfered. The USPS first learned of the breach on Sept. 11, 2014, but didn't notify employees until Nov. 10, 2014.

Miskanic also said the government didn't want to tip off hackers that it was aware of the breach.

In its original report on the breach, USPS said employees' names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, and emergency contacts may have been exposed. For customers, names, addresses, phone numbers and e-mail addresses may have been compromised.

As a result of the breach, the USPS in a Nov. 28 filing with postal regulators said it was forced to delay the filing of its annual financial report. The reasoning for the delay was to give USPS time to confirm that the breach didn't compromise financial information that could affect its report.


more...
No comment yet.
Scoop.it!

Should the Sony Hack Have Hospitals Concerned? | Hospital EMR and EHR

Should the Sony Hack Have Hospitals Concerned? | Hospital EMR and EHR | Healthcare and Technology news | Scoop.it

If you haven’t heard the details of the Sony hack, then lucky you. It seems that coverage of the hack has been everywhere. Long story short, Sony wasn’t careful and the hackers got a lot of really private information like emails. It was embarrassing to the company in a variety of ways and the effects of it and them eventually pulling The Interview are going to be felt for a long time to come. In fact, some of the hack included Sony’s insurance records which included medical information.

Should hospitals be concerned by the hack of Sony? The hack itself shouldn’t be of particular concern, but it should be a stark reminder that anyone is vulnerable if the hackers want to hack you enough. Unfortunately, the game of privacy and security is a cat and mouse game of trying to make what you have so difficult to access that hackers choose other, simpler targets.

With that said, if Sony, Google, Target, etc can be hacked, then anyone could be hacked. While it’s absolutely critical that you’re doing everything you can to make it hard for hackers to access your systems, it’s also important to make sure that you have proper breach procedures in place as well. How you handle a breach is going to be incredibly important for every organization.

While the Sony hack is going to cost them a lot of money. A breach in healthcare could incur some of the same embarrassment publicly, but there are also stiff HIPAA penalties for a breach. This could get very expensive for organizations that aren’t taking health IT security seriously. If you thought the coming MU penalties are bad, try to calculate in some major HIPAA fines and reduced patient load because patients no longer trust your organization. It will be devastating for organizations.

What is your organization doing to avoid breaches? Are you going beyond the HIPAA risk assessment?



more...
No comment yet.
Scoop.it!

Sony Hack Reveals Health Details on Employees and Their Children | The Health Care Blog

Sony Hack Reveals Health Details on Employees and Their Children | The Health Care Blog | Healthcare and Technology news | Scoop.it

On top of everything else, the Sony data breach revealed employees’ sensitive health information:  Top Sony executives saw lists of named employees who had costly medical treatments and saw detailed psychiatric treatment records of one employee’s son.

Like last year’s revelation by AOL’s CEO, it shows US corporations look at employees’ health information and costs. By ‘outing’ the fact that 2 of AOL’s 5,000 employees had premature infants whose treatment cost over $1 million each, the CEO violated the employees’ rights to health information privacy.

Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of pii. Current US technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system.

Do you trust your employer not to snoop in your personal health information?  How can you trust your employer without a ‘chain of custody’ for  your health data? There is no transparency or accountability for the sale or use of our health data, even though Congress gave us the right to obtain an “Accounting for Disclosures (A4D)” for disclosures of protected health data from EHRs in the 2009 stimulus bill (the regulations have yet to be written).  And we have no complete map that tracks the millions of places US citizens’ health data flows. See: TheDataMap.

There is no way to know who sees, sells, or snoops in our health data unless whistleblowers or hackers expose what’s going on.  Our personal, identifiable health data is in millions of data bases unknown and inaccessible to us.  Both the Bush and Obama Administrations support this privacy-destructive business model on the Internet and in the US health care system.

The US health data broker industry consists of over 100,000 health data suppliers covering 780,000 live daily health data feeds. 

THE GREATEST DAMAGE CAUSED BY THE LACK OF CONTROL OVER PII IS THE LOSS OF TRUST— TRUSTED RELATIONSHIPS BETWEEN PEOPLE, COMPANIES, AND GOVERNMENTS ARE IMPOSSIBLE WITHOUT PERSONAL CONTROL OVER PII.

Both Angela Merkel and Jennifer Lawrence spelled out the deep and persistent effects of violating personal boundaries:

Both spoke of the deep emotional pain and costs of betrayal, and of being unable to trust or feel safe following such serious boundary violations. Trust is truly impossible unless individuals can set boundaries. People, companies, and governments must respect and honor individuals’ rights to control access to personal information to be trusted. Violating boundaries destroys trust and relationships between people and between nations.

Sadly, even though the  modern world’s concept of ‘privacy’ comes from our nation, from US Supreme Court Justice Louis D. Brandeis’ concept of privacy, and later in the computer age from Wallis Ware’s concept of Fair Information Practices, the US has lost its way and is destroying both freedom and the right to be let alone.

Among the Western Democracies, has the United States become the world’s most intrusive surveillance state?

Do we have control over any information about ourselves?  Or is every bit or byte of data about us collected, held, and sold by millions of hidden data bases?

more...
No comment yet.
Scoop.it!

Indiana medical software company hack exposes protected information of unknown number of patients

Indiana medical software company hack exposes protected information of unknown number of patients | Healthcare and Technology news | Scoop.it

Medical Informatics Engineering, a Fort Wayne, Ind.-based maker of Web-based health information-technology software, said Wednesday it was the victim of a sophisticated cyber attack that exposed the protected health information of an unknown number of patients. 

MIE emphasized that patients of only some of its clients were affected, including the Fort Wayne (Ind.) Neurological Center, Franciscan St. Francis Health Indianapolis, the Gynecology Center in Fort Wayne, Rochester Medical Group in Rochester Hills, Mich. and Concentra, a national network of primary-care and specialty clinics. The company said in a statement that it is working with a third-party forensics firm to determine an “accurate number of affected patients.”

MIE's clients include about 100 small- to medium-sized physician offices.

The hack includes MIE's NoMoreClipBoard subsidiary, which produces a personal health-record management system. 

The servers that were hacked held protected health information including patient names, mailing and email addresses, birthdates, and for some patients, social security numbers, laboratory results, dictated reports and medical conditions. Financial records were not compromised because the company does not collect or store that information, but experts told Modern Healthcare that clinical data can often be even more valuable to identity thieves. 

The company said it learned about the hack after it discovered suspicious activity on one of its servers May 26, at which point it immediately launched an investigation to resolve any system vulnerabilities, in addition to reporting the security breach to law enforcement, including the FBI, company officials said. 

Eric Jones, MIE's chief operating officer, said it's clear that, big or small, healthcare companies must deal with the serious threat of cyber attacks.

“I certainly I think it's becoming obvious to most of us that this is becoming a more common occurrence," Jones said. "There are sophisticated entities out there that want to do harm and we need to be more vigilant, we need to do a better job to protect the information that we hold."

Jones said he doesn't believe that the Web-based nature of the company's software made it an easier target.

"I think everybody is vulnerable, whether your application is Web-based or if your client server is within four walls, I think there's still high risk that you could be impacted this way," Jones said.

MIE and NoMoreClipBoard began contacting clients and patients on June 2, and are offering free credit monitoring and identity protection services to affected patients for the next 24 months. The company also established a toll-free hotline to answer questions about the hack. 

Data breaches in healthcare are the most expensive to remediate and are growing more so, according to a May report from the Ponemon Institute.

more...
No comment yet.
Scoop.it!

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation | Healthcare and Technology news | Scoop.it

Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.


Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.


In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”


And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”


Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”

more...
No comment yet.
Scoop.it!

Security audit of Premera identified issues prior to cyberattack

Security audit of Premera identified issues prior to cyberattack | Healthcare and Technology news | Scoop.it

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.


Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.


However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used and a vulnerability scan identified insecure server configurations.


At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.


more...
No comment yet.
Scoop.it!

Anthem's Audit Refusal: Mixed Reaction

Anthem's Audit Refusal: Mixed Reaction | Healthcare and Technology news | Scoop.it

Privacy and security experts are offering mixed reviews of Anthem Inc.'s denial of a government auditor's request to perform vulnerability scans of the health insurer's IT systems in the wake of a hacker attack that affected 78.8 million individuals.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem - citing "corporate policy" - refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency.


"Anthem is in a no-win situation on this [most recent] request," says Dan Berger, CEO of security services firm Redspin. "It does appear Anthem has the contractual right to decline the request for an OIG vulnerability scan. But they might want to rethink that. Refusing now looks bad - both to their client OPM and to the public at large."

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "Usually most companies want to cooperate with the government regulators because, quite frankly, it's in their best interest to do so. Most government contracts provide a provision for the government to conduct an audit if they deem it necessary."

But some other security experts are not surprised that Anthem refused the vulnerability tests.

"In fairness to Anthem, their position may be perfectly well-founded," says Bob Chaput, founder and CEO of Clearwater Compliance. "It's unclear what is precisely meant by vulnerability scans. Ask five people for a definition and receive eight different definitions. External and/or internal technical testing - expanding for the moment to include penetration testing as a way to identify a weakness - can be quite intrusive and disruptive to an organization's operations."

OIG Requests

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, an OIG spokeswoman tells Information Security Media Group. However, under the standard FEHBP contract that OPM has with insurers, insurers are not mandated to cooperate with IT security audits. Sometimes amendments are made to insurers' federal contracts to specifically require the full audits, the spokeswoman says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract.

OIG also notes in a statement: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

A Common Practice?

David Kennedy, founder of security consulting firm TrustedSec, says it's "very common" for corporations to prohibit or limit external parties from performing vulnerability scans. "Most corporations have sanctioned tests that occur from third parties that perform the same type of testing and go even more in depth," he says. "A vulnerability scan is the most basic form of an assessment and wouldn't have prevented the Anthem breach from occurring. Most corporations will provide a summary of the assessment that was performed to provide to third parties to satisfy them for appropriate due diligence."

Although Anthem's recent refusal of the OIG audit requests might now appear to be a public relations blunder for the company, "I can see Anthem's side too, though," says Redspin's Berger. "A vulnerability scan is always going to find vulnerabilities. They may be concerned that any post-breach vulnerability report will be linked back to the recent breach. In reality, such scans are a 'point in time' assessment; it's unlikely that running a scan in the summer of 2015 would determine conclusively whether the recent breach could have been prevented."

In addition, if a security audit is not mandated by a contract, Chaput says it's probably not that unusual for private entities to refuse such requests from government agencies. "It depends on the nature of the relationship of the parties, the structure of that relationship, sensitivity of information involved, etc.," he says. "For example, is OPM a HIPAA covered entity and Anthem a HIPAA business associate in this relationship?"

Time for Change?

Also, the audit hoopla might even signal a need for OPM to overhaul its contractual practices, Chaput argues.

"In fact, it's quite possible that OPM is in violation of the HIPAA Privacy and Security Rule 'organizational requirements,'" he says. "Did OPM update all BA agreements? Do the terms and conditions of whatever agreements exist meet the requirements set forth in these HIPAA Privacy and Security Rule 'organizational requirements' to receive satisfactory assurances that this PHI and other sensitive information would be safeguarded?"

The government should negotiate stronger security protections into their contracts with insurers, Berger suggests. And that could include third-party vulnerability scans, whether conducted by OIG or others.

But McMillan of CynergisTek says Anthem's refusal of OIG's request could potentially provoke even more scrutiny by other government regulators or perhaps even legislative proposals from Congress.

Anthem likely already faces an investigation by the HIPAA enforcement agency, the Department of Health and Human Service's Office for Civil Rights, which investigates health data breaches and has the power to issue settlements that include financial penalties.

"Whether it is appropriate or allowed under [Anthem's] current contract or not - refusing a test right after a breach of this magnitude is enough to make some people say there needs to be greater accountability," McMillan says.

Safeguarding Data

Ironically, Chaput says that by denying the vulnerability tests by OIG, Anthem could be actually taking extra precautions in protecting PHI. "With over-the-top issues of government surveillance of U.S. citizens, Anthem might be thought of as having implemented a reasonable and appropriate administrative control - i.e. their 'corporate policy' to safeguard information with which it has been entrusted," Chaput says. "In the HIPAA Privacy Rule, there are standards and implementation specifications in which PHI, for example, is required to be disclosed to the Secretary of HHS. Since this technical testing could result in a disclosure of PHI, PII or other sensitive information, under what standard is OPM OIG invoking a right of potential disclosure?"

Kennedy adds that when he worked for ATM security vendor Diebold, "we never let anyone scan us. However we would always have reputable third parties perform assessments on us on a regular basis and provide those upon request when an organization wanted to evaluate our security."

more...
No comment yet.
Scoop.it!

Lessons from the Anthem hack

Lessons from the Anthem hack | Healthcare and Technology news | Scoop.it

Anthem experienced a major data breach recently, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

The social security number is the only universal unique identifier we have at our disposal in this country. It's easy to ask for, and to use, but ... it's not supposed to be used for anything other than administration of Social Security benefits. Until not all that long ago, states used SSNs as driver's license numbers. No longer (at least around these parts). Most of us get asked for the last 4 (or 5 or 6) digits of our SSNs constantly for all kinds of reasons. How many of us refuse every time?

Way back in 1998, as folks were trying to figure out how to implementHIPAA, the question arose: Gee, why don't we establish a unique patient identifier system so that we can be assured that each electronic health record is properly tied to the right individual? (Check out this vintage HHS white paper on the Unique Health Identifier, published as prologue to a rulemaking process that never went anywhere.) Eventually, that approach was taken for providers (UPIN, then NPI), but not for patients. In fact, every year since then, Congress has included a special line in the HHS budget that says "thou shalt not establish a unique patient identifier system."

This approach has spawned a sub-industry that scrubs data sets to ensure that an individual patient doesn't have duplicate records, each including only a part of the whole, by triangulating from all the data points used to perpetrate identity theft: SSN, DOB, name, address, etc. All those data points are needed in order to make sure that we're talking about the right Mr. Jones. If the only identifier attached to the health data were the patient ID number, then health records would suddenly become much less valuable to identity thieves -- and it would be easier to determine which record belongs to whom.

Using patient ID numbers (which could be encrypted and thus protected -- because, after all, who wants to get a new patient ID number? Getting a new credit card number after some system or other gets hacked is bad enough, and remember, you can't get a new SSN just because your health records have been hacked) would be one element of a data minimization approach designed to lessen the likelihood of damage resulting from a breach. Couple that with the auditing capabilities that allowed Anthem to notice its breach in short order (vs. some breaches which were exploited over the course of years before anybody noticed), and we'd be looking at some real improvements to health data security.

more...
No comment yet.
Scoop.it!

U.S. states say Anthem too slow to inform customers of breach

U.S. states say Anthem too slow to inform customers of breach | Healthcare and Technology news | Scoop.it

Ten U.S. states have sent a letter to Anthem Inc complaining that the company has been too slow in notifying consumers that they were victims of a massive data breach disclosed last week.

"The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers," said the letter, which was sent on Tuesday by Connecticut Attorney General George Jepsen on behalf of Connecticut and nine other states.

The letter asked the No. 2 U.S. health insurer to compensate any consumers who are victims of scams, if the fraud occurs before Anthem notifies them of the breach and offers them free credit monitoring.

"Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access

to credit and identity theft safeguards," said the letter.

Jepsen also asked Anthem to contact his office by Wednesday afternoon with details of its plans to "provide adequate protections" to consumers whose data was exposed in this breach.

The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island.

Representatives with Anthem could not immediately be reached for comment.

Anthem disclosed the massive breach last week, saying that hackers accessed a database of some 80 million consumers and employees that contained Social Security numbers and other sensitive data.

On Friday the company warned U.S. customers about an email scam targeting former and current members.


more...
No comment yet.
Scoop.it!

Hackers target health care as industry goes digital

Hackers target health care as industry goes digital | Healthcare and Technology news | Scoop.it

With more health providers and insurers incorporating IT into clinical care, hackers are viewing the health care industry as their next target.

“Cybercriminals know that the health industry is moving into EHRs and there’s more data to steal,” said Ann Peterson, program director at the Medical Identity Fraud Alliance, an organization that works to reduce medical fraud.

Electronic health records, or EHRs, are increasingly being used by hospitals and doctors’ offices to store information such as test results and treatment plans, along with data such as patient names, Social Security numbers and birth dates.

Health insurance companies also use EHRs and store other personal data, such as credit card details, making them attractive targets for hackers. This week, Anthem, one of the largest health insurers in the U.S., said sensitive information on possibly 80 million employees and customers had been exposed during a cyberattack. The information thieves made off with included patient names, Social Security numbers, birth dates and medical identification numbers.

The information can be pieced together and used to commit a variety of types of fraud, making it lucrative for hackers. Social Security numbers, for example, can be used to gain access to bank accounts, noted John Kindervag, a principal analyst at Forrester Research.

By targeting Anthem, hackers were able to access information that is commonly used to reset user names and passwords, said Ian Campbell, CEO of Nucleus Research. People are sometimes asked to enter their mother’s maiden name when signing up for services, for example. Since this information is static, it can be combined with a person’s email address to reset a person’s email account.

“People should ask ‘Will I have a problem 10 years from now because someone knows information that’s not normally available?’” he said.

The health care industry is especially vulnerable compared to retailers and banks, which are more accustomed to cyberattacks, said Lynne Dunbrack, research vice president at IDC Health Insights.

“Cybercriminals tend to think of health care organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically,” she said.

The Anthem breach could affect its finances, Dunbrack said. The U.S. Health Insurance Portability and Accountability Act, which aims to keep health care data private, requires that Anthem notify each victim, a process that costs about US$350 per record, Dunbrack said. Companies that violate HIPAA can face substantial fines. Last year, a New York City hospital was fined $4.8 million after it posted the medical data of 6,800 patients to the Web.

Health care breaches can also lead to an uptick in medical fraud, Peterson said. Health records contain insurance details that people can use to impersonate a hacking victim to receive care. Some insurance plans cover costly procedures that others don’t, so there’s a demand for credentials to access better coverage.

A set of medical data that can be used to receive care may fetch between $20 and $200 on the black market, Dunbrack said.

Fraud victims often don’t realize they’ve been attacked until it’s too late. They might receive a notice from their insurer for treatment they never received. Or they may find out in a more dramatic fashion, such as having an allergic reaction to a drug after an imposter altered a medical record.

“It can be deadly, depending on the level of compromise to the medical records and how much of their data is co-mingled with your data,” said Dunbrack.

People need to be as vigilant about protecting and reviewing their medical data as they are with their credit card information, said Peterson at the Medical Identity Fraud Alliance, noting that laws protect people only to a degree.

“We need to do our part and be aware of our medical information,” he said.



more...
No comment yet.
Scoop.it!

Digital health in 2015: What's hot and what's not?

Digital health in 2015: What's hot and what's not? | Healthcare and Technology news | Scoop.it

I think it’s fair to say that digital health is warming up. And not just in one area. The sheer number and variety of trends are almost as impressive as the heat trajectory itself. The scientist in me can’t help but make the connection to water molecules in a glass — there may be many of them, but not all have enough kinetic energy to ascend beyond their liquid state. The majority are doomed to sit tight and get consumed by a thirsty guy with little regard for subtle temperature changes.


With this in mind, let’s take a look at which digital health trends seem poised to break out in 2015, and which may be fated to stay cold in the glass. As you read, keep in mind that this assessment is filtered through my perspective of science, medicine, and innovation. In other words, a “cold” idea could still be hot in other ways.

Collaboration is hot, silos are not. Empowerment for patients and consumers is at the heart of digital health. As a result, the role of the doctor will shift from control to collaboration. The good news for physicians is that the new and evolved clinician role that emerges will be hot as heck. The same applies to the nature of innovation in digital health and pharma. The lone wolf is doomed to fail, and eclectic thinking from mixed and varied sources will be the basis for innovation and superior care.

Scanners are hot, trackers are not. Yes, the tricorder will help redefine the hand-held tool for care. From ultrasound to spectrometry, the rapid and comprehensive assimilation of data will create a new “tool of trade” that will change the way people think about diagnosis and treatment. Trackers are yesterday’s news stories (and they’ll continue to be written) but scanners are tomorrow headlines.

Rapid and bold innovation is hot, slow and cautious approaches are not. Innovators are often found in basements and garages where they tinker with the brilliance of what might be possible. Traditionally, pharmaceutical companies have worked off of a different model, one that offers access and validation with less of the freewheeling spirit that thrives in places like Silicon Valley. Looking ahead, these two styles need to come together. The result, I predict, will be a digital health collaboration in which varied and conflicting voices build a new health reality.

Tiny is hot, small is not. Nanotechnology is a game-changer in digital health. Nanobots, among other micro-innovations, can now be used to continuously survey our bodies to detect (and even treat) disease. The profound ability for this technology to impact care will drive patients to a new generation of wearables (scanners) that will offer more of a clinical imperative to keep using them.

Early is hot, on-time is not. Tomorrow’s technology will fuel both rapid detection and the notion of “stage zero disease.” Health care is no longer about the early recognition of overt signs and symptoms, but rather about microscopic markers that may preempt disease at the very earliest cellular and biochemical stages.

Genomics are hot, empirics are not. Specificity — from genomics to antimicrobial therapy — will help improve outcomes and drive costs down. Therapy will be guided less and less by statistical means and population-based data and more and more by individualized insights and agents.

AI is hot, data is not. Data, data, data. The tsunami of information has often done more to paralyze us than provide solutions to big and complex problems. From wearables to genomics, that part isn’t slowing down, so to help us manage it, we’ll increasingly rely on artificial intelligence systems. Keeping in mind some of the inherent problems with artificial intelligence, perhaps the solution is less about AI in the purest sense and more around IA — intelligence augmented. Either way, it’s inevitable and essential.

Cybersecurity is hot, passwords are not. As intimate and specific data sets increasingly define our reality, protection becomes an inexorable part of the equation. Biometric and other more personalized and protected solutions can offer something that passwords just can’t.

Staying connected is hot, one-time consults are not. Medicine at a distance will empower patients, caregivers, and clinicians to provide outstanding care and will create significant cost reductions. Telemedicine and other online engagement tools will emerge as a tool for everything from peer-to-peer consultation in the ICU to first-line interventions.

In-home care is hot, hospital stays are not. “Get home and stay home” has always been the driving care plan for the hospitalized patient. Today’s technology will help provide real-time and proactive patient management that can put hospital-quality monitoring and analytics right in the home. Connectivity among stakeholders (family, EMS, and care providers) offers both practical and effective solutions to care.

Cost is hot, deductibles are not. Cost will be part of the “innovation equation” that will be a critical driver for market penetration. Payers will drive trial (if not adoption) by simply nodding yes for reimbursement. And as patients are forced to manage higher insurance deductibles, options to help drive down costs will compete more and more with efficacy and novelty.

Putting it all together: What it will take to break away in 2015?

Beyond speed lies velocity, a vector that has both magnitude and direction. Smart innovators realize that their work must be driven by a range of issues from compatibility to communications. Only then can they harness the speed and establish a market trajectory that moves a great idea in the right direction. Simply put, a great idea that doesn’t get noticed by the right audience at the right time is a bit like winking to someone in the dark. You know what you’re doing, but no one else does.


more...
No comment yet.
Scoop.it!

NIST to Address Medical Device Security

NIST to Address Medical Device Security | Healthcare and Technology news | Scoop.it

In an effort to address the cybersecurity challenges of networked medical devices, the National Institute of Standards and Technology, through the National Cybersecurity Center of Excellence, is launching a project to secure those devices from risks such as malware, hacking and access control.


The project, done in collaboration with the Technological Leadership Institute at the University of Minnesota and the medical device industry, is inviting comments on ways to properly secure medical devices that are increasingly being connected to central systems within hospitals, the NCCoE says, starting with draft use case on wireless infusion pumps.

While security experts see the move as a positive step forward in raising awareness on security risks to such devices, it may not be enough to get device manufacturers to address the issues. For one, NIST doesn't have any regulatory oversight, says Mac McMillan, CEO of security consulting firm CynergisTek. "Whatever they come up with is not going to get us where we need to go," he says. "What we need is for the Food and Drug Administration to put out a hard and fast rule that [manufacturers] have to pay attention to."

Still, NCCoE's initiative is a comprehensive effort to address medical device risks, says Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare system in the Pacific Northwest. "We need to start with a realistic use case, and infusion pumps are a high-use medical device."

The push by NCCoE to address medical device security comes two months after the Food and Drug Administration issued final guidance calling for manufacturers to consider cybersecurity risks as part of the design and development of medical devices.

In Aug. 2013, the FDA also issued guidance on the radio frequency of wireless medical devices, including recommending authentication and encryption for reducing security risks and related patient safety threats.

Project Details

The draft use case NCCoE is launching will focus on wireless infusion pumps, which transport fluids, drugs and nutrients into a patient's bloodstream. "A networked infusion pump can allow centralized control of the device's programming as well as automated cross checks against pharmacy records and patient data to ensure the right dose of fluids or medication are delivered," NCCoE says. "But these connected devices can introduce new risks in safety and security compared with stand-alone devices."

The case identifies the people and systems that interact with infusion pumps, defines their interactions, performs a risk assessment, identifies applicable security technologies and provides an examples method or implementation to secure the system, NCCoE says. Comments on the draft use case should be submitted by Jan. 18, 2015.

After the use case is finalized, the NCCoE will invite organizations to participate in developing a practice guide that contains materials and information needed to deploy an example solution of off-the-shelf products that address the technical security problems.

Moving into 2015, the NCCoE would like to have a set of practice guides dealing with different types of medical devices, says Gavin O'Brien, project manager at NCCoE. "For instance, MRIs ... have lots of computing power on them," he says. "They're very different than infusion pumps and all of those are different from say implantable [devices]."

But for now, the practice guide being developed around the infusion pump use case will be written in a way that people can use pieces from the guide to secure devices within their own organization, O'Brien says. "In the use case, we talk about issues that are specific to infusion pumps, but where those issues apply to other devices ... the [practice guide] will be beneficial to them."

Analyzing the Latest Effort

Before all medical devices are networked, standards and baseline security controls need to be in place, PeaceHealth's Paidhrin says. "Healthcare will leverage them, if they are available," he says. "Medical device manufacturers are wakening to the challenge, but the pace is slow compared to the advance of technology and exploits."

A key challenge will be getting the medical device manufacturers on board with the latest efforts around medical device security, says privacy and information security expert Rebecca Herold. "The overall sentiment coming from the manufacturers has been that they will basically do only the minimum necessary to secure the devices, as required by the FDA," she says.

And while the FDA recently released high-level guidance, "it really did not provide the details necessary to spur medical device manufacturers to take action and engineer their devices" with certain security controls built in, Herold says.



more...
No comment yet.
Scoop.it!

Medical records exposed in massive Sony hack | Healthcare IT News

Medical records exposed in massive Sony hack | Healthcare IT News | Healthcare and Technology news | Scoop.it

Sony last week notified employees that their medical data and Social Security numbers were swiped in a cyberattack, a breach that has prompted privacy advocates to reaffirm the need to implement further data safeguards.

Sony Pictures Entertainment on Dec. 8 sent letters to 34 Sony employees and their dependents, notifying them that their protected health information, medical diagnoses, Social Security numbers, credit card information, passwords, compensation, passport numbers and other personally identifiable information had been stolen in a "brazen cyberattack." Medical information on employees included conditions such as alcohol-induced liver cirrhosis, kidney failure and cancer, according to a Bloomberg report

Sony officials did not respond for comment by publication time. 


The attack, which transpired Nov. 24 at Sony's Culver City, Calif.-based office, caused a "significant system disruption," Sony Pictures officials wrote in the notification letter. 

U.S. government officials with information on the ongoing investigation into the hacking have said they are "fairly confident" North Korea was responsible for the cyberattack


The incident has prompted privacy advocates to speak out on the need to implement added safeguards to protect data in the digital age. 

Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit health privacy advocacy group, was chief among them to weigh in.

"This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity," Peel told Bloomberg. "This is a thousand times worse than that other stuff," she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”


The worse part about this breach, as Peel pointed out in her blog response to the Sony breach? "The greatest damage caused by the lack of control over (personally identifiable information) is the loss of trust – trusted relationships between people, companies and governments are impossible without personal control over PII."

Peel cited what transpired earlier this year with AOL after CEO Tim Armstrong revealed healthcare details about two employees to explain why the company opted to cut certain health benefits. 

What this showed? Employers do look at their employees' personal health information, said Peel. "Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of pii," she added. "Current U.S. technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system."

There have already been a significant number of hacking-related health data breaches just in the last few months. 

Just in November, for instance, the Dallas-based Onsite Health Diagnostics, a medical testing and screening company, which contracts with the state of Tennessee's wellness plan – notified more than 60,000 people that their protected health information was accessed and stored by an "unknown source," for a period of three months back in April. What's more, it took officials some four months to notify those individuals affected. 


In August, in the second biggest HIPAA breach ever reported, the Franklin, Tenn.-based Community Health Systems, notified 4.5 million of its patients that their personal information was stolen by cybercriminals who reportedly exploited the Heartbleed vulnerability. 

To date, nearly 42 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the Department of Health and Human Services. Some nine percent of those are hacking-related breaches.



more...
No comment yet.
Scoop.it!

Top cybersecurity predictions of 2015 - ZDNet

Top cybersecurity predictions of 2015 - ZDNet | Healthcare and Technology news | Scoop.it

As noted by Websense, healthcare data is valuable. Not only are companies such as Google, Samsung and Apple tapping into the industry, but the sector itself is becoming more reliant on electronic records and data analysis. As such, data stealing campaigns targeting hospitals and health institutions are likely to increase in the coming year.



Via Paulo Félix
more...
Vicente Pastor's curator insight, December 6, 2014 10:26 AM

I am a bit skeptic about predictions in general. Anyway, it is always a good exercise thinking about the coming trends although we do not need to wait for the "artificial" change of year since threats are continuously evolving.

Institute for Critical Infrastructure Technology's curator insight, December 9, 2014 4:57 PM

Institute for Critical Infrastructure Technology