Healthcare and Technology news
45.0K views | +15 today
Follow
Healthcare and Technology news
Your new post is loading...
Your new post is loading...
Scoop.it!

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation

IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation | Healthcare and Technology news | Scoop.it

Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.


Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.


In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”


And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”


Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”

more...
No comment yet.
Scoop.it!

Anthem's Audit Refusal: Mixed Reaction

Anthem's Audit Refusal: Mixed Reaction | Healthcare and Technology news | Scoop.it

Privacy and security experts are offering mixed reviews of Anthem Inc.'s denial of a government auditor's request to perform vulnerability scans of the health insurer's IT systems in the wake of a hacker attack that affected 78.8 million individuals.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem - citing "corporate policy" - refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency.


"Anthem is in a no-win situation on this [most recent] request," says Dan Berger, CEO of security services firm Redspin. "It does appear Anthem has the contractual right to decline the request for an OIG vulnerability scan. But they might want to rethink that. Refusing now looks bad - both to their client OPM and to the public at large."

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "Usually most companies want to cooperate with the government regulators because, quite frankly, it's in their best interest to do so. Most government contracts provide a provision for the government to conduct an audit if they deem it necessary."

But some other security experts are not surprised that Anthem refused the vulnerability tests.

"In fairness to Anthem, their position may be perfectly well-founded," says Bob Chaput, founder and CEO of Clearwater Compliance. "It's unclear what is precisely meant by vulnerability scans. Ask five people for a definition and receive eight different definitions. External and/or internal technical testing - expanding for the moment to include penetration testing as a way to identify a weakness - can be quite intrusive and disruptive to an organization's operations."

OIG Requests

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, an OIG spokeswoman tells Information Security Media Group. However, under the standard FEHBP contract that OPM has with insurers, insurers are not mandated to cooperate with IT security audits. Sometimes amendments are made to insurers' federal contracts to specifically require the full audits, the spokeswoman says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract.

OIG also notes in a statement: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

A Common Practice?

David Kennedy, founder of security consulting firm TrustedSec, says it's "very common" for corporations to prohibit or limit external parties from performing vulnerability scans. "Most corporations have sanctioned tests that occur from third parties that perform the same type of testing and go even more in depth," he says. "A vulnerability scan is the most basic form of an assessment and wouldn't have prevented the Anthem breach from occurring. Most corporations will provide a summary of the assessment that was performed to provide to third parties to satisfy them for appropriate due diligence."

Although Anthem's recent refusal of the OIG audit requests might now appear to be a public relations blunder for the company, "I can see Anthem's side too, though," says Redspin's Berger. "A vulnerability scan is always going to find vulnerabilities. They may be concerned that any post-breach vulnerability report will be linked back to the recent breach. In reality, such scans are a 'point in time' assessment; it's unlikely that running a scan in the summer of 2015 would determine conclusively whether the recent breach could have been prevented."

In addition, if a security audit is not mandated by a contract, Chaput says it's probably not that unusual for private entities to refuse such requests from government agencies. "It depends on the nature of the relationship of the parties, the structure of that relationship, sensitivity of information involved, etc.," he says. "For example, is OPM a HIPAA covered entity and Anthem a HIPAA business associate in this relationship?"

Time for Change?

Also, the audit hoopla might even signal a need for OPM to overhaul its contractual practices, Chaput argues.

"In fact, it's quite possible that OPM is in violation of the HIPAA Privacy and Security Rule 'organizational requirements,'" he says. "Did OPM update all BA agreements? Do the terms and conditions of whatever agreements exist meet the requirements set forth in these HIPAA Privacy and Security Rule 'organizational requirements' to receive satisfactory assurances that this PHI and other sensitive information would be safeguarded?"

The government should negotiate stronger security protections into their contracts with insurers, Berger suggests. And that could include third-party vulnerability scans, whether conducted by OIG or others.

But McMillan of CynergisTek says Anthem's refusal of OIG's request could potentially provoke even more scrutiny by other government regulators or perhaps even legislative proposals from Congress.

Anthem likely already faces an investigation by the HIPAA enforcement agency, the Department of Health and Human Service's Office for Civil Rights, which investigates health data breaches and has the power to issue settlements that include financial penalties.

"Whether it is appropriate or allowed under [Anthem's] current contract or not - refusing a test right after a breach of this magnitude is enough to make some people say there needs to be greater accountability," McMillan says.

Safeguarding Data

Ironically, Chaput says that by denying the vulnerability tests by OIG, Anthem could be actually taking extra precautions in protecting PHI. "With over-the-top issues of government surveillance of U.S. citizens, Anthem might be thought of as having implemented a reasonable and appropriate administrative control - i.e. their 'corporate policy' to safeguard information with which it has been entrusted," Chaput says. "In the HIPAA Privacy Rule, there are standards and implementation specifications in which PHI, for example, is required to be disclosed to the Secretary of HHS. Since this technical testing could result in a disclosure of PHI, PII or other sensitive information, under what standard is OPM OIG invoking a right of potential disclosure?"

Kennedy adds that when he worked for ATM security vendor Diebold, "we never let anyone scan us. However we would always have reputable third parties perform assessments on us on a regular basis and provide those upon request when an organization wanted to evaluate our security."

more...
No comment yet.
Scoop.it!

Digital health in 2015: What's hot and what's not?

Digital health in 2015: What's hot and what's not? | Healthcare and Technology news | Scoop.it

I think it’s fair to say that digital health is warming up. And not just in one area. The sheer number and variety of trends are almost as impressive as the heat trajectory itself. The scientist in me can’t help but make the connection to water molecules in a glass — there may be many of them, but not all have enough kinetic energy to ascend beyond their liquid state. The majority are doomed to sit tight and get consumed by a thirsty guy with little regard for subtle temperature changes.


With this in mind, let’s take a look at which digital health trends seem poised to break out in 2015, and which may be fated to stay cold in the glass. As you read, keep in mind that this assessment is filtered through my perspective of science, medicine, and innovation. In other words, a “cold” idea could still be hot in other ways.

Collaboration is hot, silos are not. Empowerment for patients and consumers is at the heart of digital health. As a result, the role of the doctor will shift from control to collaboration. The good news for physicians is that the new and evolved clinician role that emerges will be hot as heck. The same applies to the nature of innovation in digital health and pharma. The lone wolf is doomed to fail, and eclectic thinking from mixed and varied sources will be the basis for innovation and superior care.

Scanners are hot, trackers are not. Yes, the tricorder will help redefine the hand-held tool for care. From ultrasound to spectrometry, the rapid and comprehensive assimilation of data will create a new “tool of trade” that will change the way people think about diagnosis and treatment. Trackers are yesterday’s news stories (and they’ll continue to be written) but scanners are tomorrow headlines.

Rapid and bold innovation is hot, slow and cautious approaches are not. Innovators are often found in basements and garages where they tinker with the brilliance of what might be possible. Traditionally, pharmaceutical companies have worked off of a different model, one that offers access and validation with less of the freewheeling spirit that thrives in places like Silicon Valley. Looking ahead, these two styles need to come together. The result, I predict, will be a digital health collaboration in which varied and conflicting voices build a new health reality.

Tiny is hot, small is not. Nanotechnology is a game-changer in digital health. Nanobots, among other micro-innovations, can now be used to continuously survey our bodies to detect (and even treat) disease. The profound ability for this technology to impact care will drive patients to a new generation of wearables (scanners) that will offer more of a clinical imperative to keep using them.

Early is hot, on-time is not. Tomorrow’s technology will fuel both rapid detection and the notion of “stage zero disease.” Health care is no longer about the early recognition of overt signs and symptoms, but rather about microscopic markers that may preempt disease at the very earliest cellular and biochemical stages.

Genomics are hot, empirics are not. Specificity — from genomics to antimicrobial therapy — will help improve outcomes and drive costs down. Therapy will be guided less and less by statistical means and population-based data and more and more by individualized insights and agents.

AI is hot, data is not. Data, data, data. The tsunami of information has often done more to paralyze us than provide solutions to big and complex problems. From wearables to genomics, that part isn’t slowing down, so to help us manage it, we’ll increasingly rely on artificial intelligence systems. Keeping in mind some of the inherent problems with artificial intelligence, perhaps the solution is less about AI in the purest sense and more around IA — intelligence augmented. Either way, it’s inevitable and essential.

Cybersecurity is hot, passwords are not. As intimate and specific data sets increasingly define our reality, protection becomes an inexorable part of the equation. Biometric and other more personalized and protected solutions can offer something that passwords just can’t.

Staying connected is hot, one-time consults are not. Medicine at a distance will empower patients, caregivers, and clinicians to provide outstanding care and will create significant cost reductions. Telemedicine and other online engagement tools will emerge as a tool for everything from peer-to-peer consultation in the ICU to first-line interventions.

In-home care is hot, hospital stays are not. “Get home and stay home” has always been the driving care plan for the hospitalized patient. Today’s technology will help provide real-time and proactive patient management that can put hospital-quality monitoring and analytics right in the home. Connectivity among stakeholders (family, EMS, and care providers) offers both practical and effective solutions to care.

Cost is hot, deductibles are not. Cost will be part of the “innovation equation” that will be a critical driver for market penetration. Payers will drive trial (if not adoption) by simply nodding yes for reimbursement. And as patients are forced to manage higher insurance deductibles, options to help drive down costs will compete more and more with efficacy and novelty.

Putting it all together: What it will take to break away in 2015?

Beyond speed lies velocity, a vector that has both magnitude and direction. Smart innovators realize that their work must be driven by a range of issues from compatibility to communications. Only then can they harness the speed and establish a market trajectory that moves a great idea in the right direction. Simply put, a great idea that doesn’t get noticed by the right audience at the right time is a bit like winking to someone in the dark. You know what you’re doing, but no one else does.


more...
No comment yet.
Scoop.it!

Health checks by smartphone raise privacy fears

Health checks by smartphone raise privacy fears | Healthcare and Technology news | Scoop.it

Authorities and tech developers must stop sensitive health data entered into applications on mobile phones ending up in the wrong hands, experts warn.

As wireless telecom companies gathered in Barcelona this week at the Mobile World Congress, the sector's biggest trade fair, specialists in "e-health" said healthcare is fast shifting into the connected sphere.

"It's an inexorable tide that is causing worries because people are introducing their data into the system themselves, without necessarily reading all the terms and conditions," said Vincent Genet of consultancy Alcimed.

"In a few years, new technology will be able to monitor numerous essential physiological indicators by telephone and to send alerts to patients and the specialists who look after them."

More and more patients are using smartphone apps to monitor signs such as their blood sugar and pressure.

The European Commission estimates the market for mobile health services could exceed 17.5 billion euros (19 billion euros) from 2017.

The Chinese health ministry's deputy head of "digital health", Yan Jie Gao, said at the congress on Wednesday that the ministry planned to spend tens of billions of euros (dollars) by 2025 to equip 90,000 hospitals with the means for patients to contact them online securely.

Patients are entering health indicators and even using online health services for long-distance consultations with doctors whom they do not know.

"There is a steady increase in remote consultations with medical practitioners," particularly in the United States, said Kevin Curran, a computer scientist and senior member of the Institute of Electrical and Electronics Engineers.

"Your doctor can be someone who's based in Mumbai. We have to be very careful about our data, because they're the ones who probably will end up storing your data and keeping a record of it."

- Cloud-based healthcare -

Other users are entering personal health data into applications on their smartphones.

This kind of "e-health" could save governments money and improve life expectancy, but authorities and companies are looking to strengthen security measures to protect patients' data before such services become even more widespread.

"I think tech companies are becoming more concerned with privacy and encryption now," said Curran.

"The problem quite often is that a lot of this data is stored not on the phone or the app but in the cloud," in virtual storage space provided by web companies, he added.

"We are at the mercy of who the app providers are and how well they secure the information, and they are at the mercy sometimes of the cloud providers."

Others fear that insurance companies will get hold of customers' health information and could make them pay more for coverage according to their illnesses.

Various sources alleged to AFP that health insurance companies have been buying data from supermarkets about what food customers were buying, drawn from the sales records of their loyalty cards, following media reports to that effect.

The kind of "e-health" indicator most sought after by patients is fitness-related rather than information on illnesses, however, said Vincent Bonneau of the research group Idate.

A study by Citrix Mobile, a specialist in wireless security, showed that more than three quarters of people using e-health applications were doing so for fitness reasons rather than for diagnosing illnesses.


more...
No comment yet.
Scoop.it!

Phishing: Learning from Anthem Breach

Phishing: Learning from Anthem Breach | Healthcare and Technology news | Scoop.it

The hack attack against Anthem Inc., which the health insurer says started with a spear-phishing campaign targeting five of its employees, is a warning sign of the kinds of sophisticated schemes that will be common in the year ahead, says Dave Jevans, co-founder of the Anti-Phishing Working Group.

"The Anthem breach is emblematic of what we see in the evolution of attacks against companies and their employees," Jevans says in an interview with Information Security Media Group.

In addition to Anthem, a growing number of cyber-attacks, including the breach of JPMorgan Chase, have originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, Jevans says.

"It's highlighting a fundamental change we're seeing in the phishing landscape," Jevans says. "There's a big decrease, almost 25 percent, in phishing against just broad-base consumers. ... The real risk here is an increase in the attacks against [a handful of] employees ... and using that as a jumping-off point to get into the enterprise, break in and then steal data, breach systems, and spread out to vendors that are connected to the enterprise."

He notes that the JPMorgan Chase breach started with spear phishing that "targeted one employee in the IT department, who was tricked into giving out their password to a vulnerable machine inside the network. The hackers jumped in from there and compromised records. The most sophisticated attacks are waged against very small numbers of employees - we find, typically, less than six." By targeting only a handful of employees, the attackers decrease the odds that their scheme will be detected, Jevans says.

A Shift to Mobile

As spear-phishing campaigns become more common this year as a way to open the door to major cyber-attacks, the attackers will start to focus on targeting employees through their mobile devices, which have less sophisticated detection systems, Jevans predicts. For example, they may use text messages that ask employees to update a virtual private network profile.

"Today, detection methods are not in place [for SMS/text], so you can't tell when someone's been phished on their mobile phone," Jevans adds. "We will see in 2015, with many major breaches, that the forensic evidence is going to come back to the use of mobile devices involved in that initial kill chain of attack inside the company."

Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to thwart the impact of an employee's credentials that are compromised, Jevans stresses. But he says organizations should focus more attention on preventing phishing attacks from being successful.

"In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server," he says. "The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."

Also discussed during this interview:

  • Why top-level domain names, such as .bank, are likely to fuel more phishing campaigns rather than curb them;
  • How DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping businesses block suspicious e-mails through enhanced e-mail authentication, before they ever hit inboxes; and
  • Why employee education related to phishing must be ongoing and consistent.

Jevans, who serves as chairman of the Anti-Phishing Working Group, is also founder and chief technology officer of mobile security firm Marble Security. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.


more...
No comment yet.
Scoop.it!

USPS Breach Exposed Health Data

USPS Breach Exposed Health Data | Healthcare and Technology news | Scoop.it

As the U.S. Postal Service's investigation into its data breach continues to unfold, it's now reporting that certain health information for approximately 485,000 current and former employees was potentially compromised.


The news follows confirmation from the USPS on Nov. 10, 2014, of a breach of some of its information systems that impacted more than 800,000 employees and 2.9 million customers.

The investigation has now determined that the intruders may have compromised a file containing workers' compensation injury claim data, according to a letter detailing the incident that the USPS provided to Information Security Media Group. The file, created in August 2012, contains information associated with current and former workers' compensation claims. Information included in the file dates from November 1980 to Aug. 30, 2012, according to the USPS.

Although the type of information varies greatly based on individual cases, workers' compensation-related data that may have been exposed includes names, addresses, dates of birth, Social Security numbers, medical information and "other" information.

The total number of employees whose health data may have been exposed reflects some of those originally listed as being impacted by the breach, "but others are receiving letters for the first time," says David Partenheimer, a spokesperson at the U.S. Postal Service. Those who did not receive an earlier letter from the USPS regarding receiving free credit monitoring for one year have now been informed how to obtain the service.

The USPS says it has no evidence that any compromised employee information has been used to engage in any malicious activity, the letter says.

Although the latest breach details involve health information, the USPS is not subject to the HIPAA Privacy Rule that governs healthcare data because it is not a covered entity (a healthcare provider), Partenheimer says.

Notification Delay Explained

At a U.S. House hearing in November, Randy Miskanic, a USPS official, defended the agency's delay in notifying USPS workers of the breach, contending authorities didn't initially know what data was pilfered. The USPS first learned of the breach on Sept. 11, 2014, but didn't notify employees until Nov. 10, 2014.

Miskanic also said the government didn't want to tip off hackers that it was aware of the breach.

In its original report on the breach, USPS said employees' names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, and emergency contacts may have been exposed. For customers, names, addresses, phone numbers and e-mail addresses may have been compromised.

As a result of the breach, the USPS in a Nov. 28 filing with postal regulators said it was forced to delay the filing of its annual financial report. The reasoning for the delay was to give USPS time to confirm that the breach didn't compromise financial information that could affect its report.


more...
No comment yet.