Healthcare and Technology news

HIMSS Survey Finds Two-Thirds of Healthcare Organizations Experienced a Significant Security Incident in Recent Past


Cybersecurity was identified as an increased business priority over the past year according to 87 percent of respondents in the newly released 2015 HIMSS Cybersecurity Survey (http://www.himss.org/2015-cybersecurity-survey). Two-thirds of those surveyed also indicated that their organizations had experienced a significant security incident recently. Released at the Privacy and Security Forum, held in Chicago from June 30-July 1, this research reflects the continued cybersecurity concerns by healthcare providers regarding the protection of their organizations’ data assets.


“The recent breaches in the healthcare industry have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats,” said Lisa Gallagher, Vice President of Technology Solutions, HIMSS. “Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means implementing threat data, incorporating new tools and sophisticated analysis into their security process.”


The survey of 297 healthcare leaders and information security officers across the industry also found that at least half of respondents made improvements to network security, endpoint protection, data loss prevention, disaster recovery and IT continuity. Despite the protective technologies available, most respondents felt only an average level of confidence in their organizations’ ability to protect their IT infrastructure and data.


Key findings from the survey include the following:


  • Respondents use an average of 11 different technologies to secure their environment and more than half of healthcare organizations surveyed hired full time personnel to manage information security
  • 42 percent of respondents indicated that there are too many emerging and new threats to track
  • More than 50 percent of information security threats are identified by internal security teams
  • 59 percent of survey respondents feel the need for cross-sector cyber threat information sharing
  • 62 percent of security incidents have resulted in limited disruption of IT systems with limited impact on clinical care and IT operations
  • 64 percent of respondents believe a lack of appropriate cybersecurity personnel is a barrier to mitigating cybersecurity events
  • 69 percent of respondents indicated that phishing attacks are a motivator for improving the information security environment
  • 80 percent use network monitoring to detect and investigate information security incidents
  • 87 percent of respondents reported that antivirus/malware tools have been implemented to secure their healthcare organizations’ information security environment

Healthcare cybersecurity info sharing still a work in progress


While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on information sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story


Security audit of Premera identified issues prior to cyberattack


Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.


Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.


However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used, and a vulnerability scan identified insecure server configurations.


At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.



Anthem says at least 8.8 million non-customers could be victims in data hack


Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.

Anthem, the country's second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.

It is those Blue Cross Blue Shield customers who were potentially affected because their records may be included in the database that was hacked, the company said.

It is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.

Anthem updated the total number of records accessed in the database to 78.8 million customers from its initial estimate of 80 million, which includes 14 million incomplete records that it found.

Anthem does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, which prevent it from linking all members with their plan, Anthem spokeswoman Kristin Binns said.

Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the underground market.

Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed. The spokeswoman added that the company's investigation was ongoing. Federal and state authorities are also investigating.

Anthem runs Blue Cross Blue Shield healthcare plans in 14 states, while plans in states such as Texas and Florida are run independently. In all, 37 companies cover about 105 million people under the Blue Cross Blue Shield license.

Binns said the company still believes the hacked data were restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.

Anthem will start mailing letters next week to Anthem customers and other Blue Cross Blue Shield members affected by the hacking. It will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.



New malware can live inside any USB device undetected



It turns out that the stalwart USB thumbstick, or any universal serial bus device, isn't as trustworthy as once thought. A pair of security researchers has found we need to worry about more than just malware-infected files that are stored on portable drives, and now need to guard against hacks built into our geek-stick's firmware, according to Wired. The proof-of-concept malware Karsten Nohl and Jakob Lell have created is invisible and installable on a USB device and can do everything from taking over a user's PC to hijacking the DNS settings for your browser. Or, if it's installed on a mobile device, it can spy on your communications and send them to a remote location, similar to the NSA's Cottonmouth gadgets. If those don't worry you, perhaps the fact that the "BadUSB" malware can infect any USB device -- including keyboards -- and wreak havoc will. What's more, a simple reformat isn't enough to disinfect either, and the solution that Lell and Nohl suggest goes against the core of what many of us are used to doing.


The duo says that the only way around BadUSB is to more or less treat devices like hypodermic needles: trusting only those that have been used within our personal ecosystem and throwing away any that've come in contact with other computers. Hopefully you don't have a ton of untrustworthy Porsche sticks lying around.


Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst


CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

The attack could affect as many as 1.1 million of its customers, but CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims. The company, which has headquarters in Maryland and serves the Washington area, said the attack occurred in June and described it as “sophisticated.”

Chet Burrell, CareFirst’s chief executive, said the company contacted the Federal Bureau of Investigation, which is investigating attacks against the insurers Anthem and Premera. “They are looking into it,” he said.



While it was not clear whether the attacks were related, he said the company was under constant assault by criminals seeking access to its systems.

Federal officials have yet to label the breaches at Anthem and Premera Blue Cross as state-sponsored hackings, but the F.B.I. is effectively treating them as such, and China is believed to be the main culprit, according to several people who were briefed on the investigations but spoke on the condition of anonymity. There are indications the attacks on Anthem, Premera and now CareFirst may have some common links.

Charles Carmakal, a managing director at Mandiant, a security firm retained by all three insurers, said in an emailed statement that the hacking at CareFirst “was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year.”

The breaches at Anthem, which is one of the nation’s largest health insurers and operates Blue Cross Blue Shield plans, and Premera Blue Cross, based in Washington State, were much larger. The one at Anthem may have compromised the personal information of 79 million customers and the one at Premera up to 11 million customers.

Anthem has said the hackers may have stolen Social Security numbers but did not get access to any medical information. Premera said it was possible that some medical and bank account information may have been pilfered.

CareFirst said it was aware of one attack last year that it did not believe was successful. But after the attacks on other insurers, Mr. Burrell said he created a task force to scrutinize the company’s vulnerabilities and asked Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014.

Health insurance firms are seen as prime targets for hackers because they maintain a wealth of personal information on consumers, including medical claims records and information about credit card and bank accounts.

In recent years, the attacks have escalated, said Dr. Larry Ponemon, the chairman of Ponemon Institute, which studies security breaches in health care. He said the health care industry was particularly vulnerable and that the information it had was attractive to criminals who use the data to steal the identity of consumers.

“A lot of health care organizations have been historically laggards for security,” he said.

Insurers say they are now on guard against these attacks. But Dr. Ponemon said they had taken only small steps, not “huge leaps,” in safeguarding their systems.

The motivation of the hackers in these cases, however, is unclear — whether they are traditional criminals or groups bent on intelligence-gathering for a foreign government.

In the retail and banking industries, the hackers have been determined to get access to customer credit card information or financial data to sell on the black market to other online criminals, who then can use it to make charges or create false identities.

So far, there is scant evidence that any of the customer information that might have been taken from Anthem and Premera has made its way onto the black market. The longer that remains the case, the less likely that profit was a motive for taking the information, consultants said. That suggests that the hackers targeting the health care industry may be more interested in gathering information.

“It’s such an attractive target and it’s a soft target and one not traditionally well protected,” said Austin Berglas, head of online investigations in the United States and incident response for K2 Intelligence and a former top agent with the F.B.I. in New York. “A nation state might be looking at pulling out medical information or simply looking to get a foothold, which they can use as a testing ground for tools to infiltrate other sectors,” he said.

Paul Luehr, a managing director at Stroz Friedberg, a security consulting firm, said the health care breaches could be an entry point into other systems. “It could serve as a conduit to valuable information in other sectors because everyone is connected to health information,” he said.

Or the breaches could simply be crimes of opportunity. The hackers could be making off with information and waiting to determine what to do with it.

“We want to jump to the conclusion that there is an organized chain and command,” said Laura Galante, threat intelligence manager for FireEye, who was not commenting specifically on any particular breach. “But what could be happening here is much more chaotic. It’s simply, ‘Get whatever data you can get and figure out what to do with it later.’ ”



Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach

A new survey from TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.

Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach,” said Gerry McCarthy, president of TransUnion Healthcare. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Other survey insights on consumers’ expectations following a data breach include:

· Nearly half of consumers (46%) expect a response or notification within one day of the breach.

· 31% of consumers expect to receive a response or notification within one to three days.

· Seven in 10 (72%) consumers expect providers to offer at least one year of free credit monitoring after a breach.

· Nearly six in 10 (59%) consumers expect a dedicated phone hotline for questions.

· More than half of consumers (55%) expect a dedicated website with additional details.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” said McCarthy. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”

Americans want health information shared easily among docs


Nearly three-quarters of Americans say it's very important that their critical health information can be easily shared among healthcare providers, a survey from the Society of Participatory Medicine reveals.

In addition, 87 percent of respondents oppose any fees being charged to either healthcare providers or patients for that transfer of information to take place.

The 1,011 adults polled were selected randomly from landline and cell phone numbers.

Nearly 20 percent of respondents said they or a family member had experienced a problem in receiving care because records could not easily be shared among providers.

Doctors are forced to pay anywhere from $5,000 to $50,000 to set up connections with blood and pathology laboratories, health information exchanges or governments, according to a recent Politico story. Sometimes additional fees are charged each time a doctor sends or receives data.

Just this week, Peter DeVault, director of interoperability at Epic Systems, revealed at a Senate committee hearing that the company charges $2.35 per patient, per year for Epic EHR clients to exchange data with other providers.

"We have the technology. What we need is for health care providers and systems developers to put patient interests ahead of business needs. None of them would exist were it not for the patients," Daniel Z. Sands, M.D., co-founder and co-chair of the Society of Participatory Medicine, says in the survey announcement.

Experts at the Senate committee hearing testified that vendors and healthcare organizations use patient data as a competitive advantage, and that data-sharing is less likely to occur in competitive markets.

In a paper from the Brookings Institution, Niam Yaraghi, a fellow in governance studies at the Center for Technology Innovation, posits that the fee-for-service reimbursement model serves as a disincentive to share data. He also argues that Stage 3 of the Meaningful Use program will likely set the interoperability bar too low and likely will help only the dominant vendors, who will need only to provide a minimum amount of interoperability.


U.S. states say Anthem too slow to inform customers of breach


Ten U.S. states have sent a letter to Anthem Inc complaining that the company has been too slow in notifying consumers that they were victims of a massive data breach disclosed last week.

"The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers," said the letter, which was sent on Tuesday by Connecticut Attorney General George Jepsen on behalf of Connecticut and nine other states.

The letter asked the No. 2 U.S. health insurer to compensate any consumers who are victims of scams, if the fraud occurs before Anthem notifies them of the breach and offers them free credit monitoring.

"Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards," said the letter.

Jepsen also asked Anthem to contact his office by Wednesday afternoon with details of its plans to "provide adequate protections" to consumers whose data was exposed in this breach.

The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island.

Representatives with Anthem could not immediately be reached for comment.

Anthem disclosed the massive breach last week, saying that hackers accessed a database of some 80 million consumers and employees that contained Social Security numbers and other sensitive data.

On Friday the company warned U.S. customers about an email scam targeting former and current members.

