Healthcare and Technology news

The Security Risks of Medical Devices

There are a large number of potential attack vectors on any network, and medical devices on a healthcare network are certainly one of them. While medical devices represent a potential threat, it is important to keep in mind that the threat level posed by any given device should be determined by a Security Risk Assessment (SRA) and dealt with appropriately.

So let’s assume the worst case and discuss the issues associated with medical devices. First off, it must be recognized that any device connected to a network represents a potential incursion point. Medical devices are regulated by the FDA, and that agency realized the security implications of medical devices as far back as November 2009, when it issued this advisory. In it, the FDA emphasized the following points:

· Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
· The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
· All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.
· Software patches and updates are essential to the continued safe and effective performance of medical devices.


Many device manufacturers are far behind on cybersecurity issues. As an example, many devices are still running Windows XP today, even though we are one year past the XP support deadline. Manufacturers are often loath to update their software for a new operating system. In other situations, device manufacturers use the XP support issue as a way to force a client to purchase a new device at a very high price. All healthcare facilities would be well advised to review any purchase and support contracts for medical devices and make sure that things such as Windows upgrades do not force unwanted or unnecessary changes down the road. While there are options to remediate the risks of an obsolete operating system, they are costly and should not be necessary: manufacturers should be supporting their products in a commercially reasonable manner.

Why would anyone be interested in hacking into a medical device? Of course there are those who would argue that anything that can be hacked will be hacked, “just because”. While an attack could also aim to disrupt the operation of the device, the more likely motive is that a compromised medical device is a backdoor into a network holding a treasure trove of PHI that sells for high prices on the black market. Medical devices are often accessible outside of normal network logon requirements, because manufacturers maintain separate, backdoor access for maintenance reasons.


Hackers armed with knowledge of default passwords and other default logon information can have great success targeting a medical device. For example, this article details examples of a blood gas analyzer, a PACS system and an X-Ray system that were hacked. Many times healthcare IT departments are unaware of, or unable to remediate, backdoor access to these systems. These are perhaps more “valuable” as a hack because they are hard to detect and can go unnoticed for a long period of time. As a reminder, the Target data breach last year was initiated because the access that a third party had to the retailer’s network was compromised. A complete SRA should inventory all network-connected medical devices and analyze the access/credentials that each device has, and any associated security threat. The best defense is a good offense – make sure that networked devices have proper security built in and implemented. Then your devices will no longer be “the weak link in the chain”.
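To make the SRA inventory step concrete, here is an added example (not code from the original article or from any device vendor) that scores a constructed inventory of networked medical devices on exactly the factors the article raises: an unsupported operating system, a vendor maintenance account still on default credentials, reachability from the general network, and a support contract that does not cover an OS upgrade. The device names, OS strings, field names and score weights are all assumptions chosen for illustration.

```python
"""Toy Security Risk Assessment (SRA) pass over a medical-device inventory.

Added example; the inventory records, field names and weights are constructed
for illustration and are not from the article or any vendor.
"""
from dataclasses import dataclass

# Assumption: the facility keeps its own list of operating systems whose vendor
# support has ended (the article's example is Windows XP).
END_OF_LIFE_OS = {"Windows XP", "Windows 2000", "Windows Server 2003"}


@dataclass
class Device:
    name: str
    os: str
    network_reachable: bool            # on a segment routable from the general network
    vendor_maintenance_account: bool   # manufacturer keeps a separate maintenance logon
    default_credentials_changed: bool  # that logon no longer uses the factory password
    contract_covers_os_upgrade: bool   # support contract includes OS upgrades


def assess(device: Device) -> dict:
    """Return findings and a coarse risk score for one device."""
    findings = []
    score = 0
    if device.os in END_OF_LIFE_OS:
        findings.append(f"unsupported OS ({device.os})")
        score += 3
        if not device.contract_covers_os_upgrade:
            findings.append("support contract does not cover an OS upgrade; "
                            "remediation may force an unplanned purchase")
            score += 1
    if device.vendor_maintenance_account:
        if device.default_credentials_changed:
            findings.append("vendor maintenance account present; confirm it is "
                            "inventoried, monitored and restricted")
            score += 1
        else:
            findings.append("vendor maintenance account still on default credentials")
            score += 5
    # A finding matters more when the device is reachable from the wider network.
    if device.network_reachable and score > 0:
        score += 2
    level = "high" if score >= 7 else "medium" if score >= 3 else "low"
    return {"device": device.name, "risk": level, "score": score, "findings": findings}


def prioritize(inventory):
    """Order the inventory so the highest-risk devices come first."""
    return sorted((assess(d) for d in inventory), key=lambda r: -r["score"])


# Constructed sample inventory (hypothetical devices).
SAMPLE_INVENTORY = [
    Device("blood-gas-analyzer-1", "Windows XP", True, True, False, False),
    Device("pacs-server", "Windows Server 2012", True, True, True, True),
    Device("infusion-pump-7", "Embedded Linux", False, False, True, True),
]

if __name__ == "__main__":
    for result in prioritize(SAMPLE_INVENTORY):
        print(f"{result['risk']:6} {result['score']:2}  {result['device']}")
        for f in result["findings"]:
            print(f"         - {f}")
```

The weights are deliberately simple; what matters for an SRA is that every networked device appears in the inventory with its maintenance accounts recorded, so that a default-credential backdoor cannot sit unnoticed for months.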


Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach

A new survey from TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.

Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach,” said Gerry McCarthy, president of TransUnion Healthcare. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Other survey insights on consumers’ expectations following a data breach include:

· Nearly half of consumers (46%) expect a response or notification within one day of the breach.
· 31% of consumers expect to receive a response or notification within one to three days.
· Seven in 10 (72%) consumers expect providers to offer at least one year of free credit monitoring after a breach.
· Nearly six in 10 (59%) consumers expect a dedicated phone hotline for questions.
· More than half of consumers (55%) expect a dedicated website with additional details.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” said McCarthy. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”

Could a Greater Investment in Cyber Insurance Have Saved Anthem?

According to the Identity Theft Resource Center, last year saw 287 breaches and more than 7.7 million records compromised in the medical and healthcare industry alone. Healthcare breaches have made up more than 10 percent of the year’s attacks, proving what those in the industry already know—personal health information is valuable and sought after by hackers.

To this end, the recent breach of the Indianapolis-based health insurer Anthem was a massive one, exposing the personal data of approximately 80 million of its plan members. Shortly after the breach, it was estimated that the hack of Anthem could end up costing more than a billion dollars in total. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars,” said Daniel W. Berger, president and CEO of Redspin, a Carpinteria, Calif.-based health IT security consultant.

What’s more, according to a Business Insurance report, Anthem has $150 million to $200 million in cyber insurance, including excess layers of cyber coverage, sources told the publication. Anthem's primary cyber insurer is Lexington Insurance Co., a unit of American International Group (AIG), Business Insurance revealed, explaining that Anthem has $10 million in primary cyber coverage above a $10 million self-retention with Lexington. However, when a company has up to 80 million current customers, former customers, employees and investors to notify—in addition to lawsuits— this amount may not be enough, says Natalie Lehr, co-founder of cybersecurity firm TSC Advantage, based in Washington, D.C.

Indeed, various news media outlets have suggested that Anthem’s insurance policy could be exhausted. Lehr says that generally speaking, when companies put together their investment for security, they look for a standard where they meet their compliance obligation. The challenge with cases such as Anthem, Lehr says, is that even when the organization’s investments in security are to meet those standards, it’s still insufficient because it may not protect you against the ongoing liability, in this case on the class-action lawsuit side. “This is one of the big reasons why I see this as a watershed moment for the industry in terms of the scale of data taken,” Lehr says. “The intangible financial loss that a company could face can exceed the insurable loss calculation that has historically taken place with the transference of risk to the insurers.”

As such, Lehr notes that if organizations exceed the standard, it reduces the likelihood of compromise, and also the probability of compromise in the future. “It is a testament to any organization that invests in maturity beyond the standard,” she says. “Part of what we have done with our insurance partners is set up a way to measure the security level so clients who do exceed the standard can get a discount on their premium. Historically, that’s not part of the dialogue or pre-binding process thought,” she adds.

Lehr further says that with Anthem specifically, a sophisticated data loss prevention solution could have been put in place, so that if the bulk of the material left over the file transfer protocol (FTP) network, the organization could look through that traffic and look for categories of data that include social security numbers, for instance. “We don’t know for sure if they had that in place, but it seems that with the bulk of the losses that occurred with Anthem, there was a determination made that it was internal data, which wasn’t necessarily required to be encrypted from a compliance standard,” she says. “But there’s a whole host of additional controls that could be applied, and it’s about the nature in which organizations address that.”

At the end of the day, Lehr says that while no one ever envisioned anything being stolen on the scale of what happened at Anthem, it is critical to make sure that you’re leading in terms of security posture, and that you’ve focused your investment around the core parts of your business. “If we look at the past as a marker of the type of cyber breach we’ll see in the future, we’re sort of kidding ourselves,” she says. “We talk to our clients about making sure their strategy isn’t to respond to an incident. That’s not enough. Investment in prevention is testament to investment in future.”
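The data loss prevention control Lehr describes, inspecting bulk outbound transfers for categories of data such as Social Security numbers, can be illustrated with an added example (not code from the article, Anthem, or TSC Advantage). It scans a transfer payload for SSN-shaped tokens, discards values that cannot be real SSNs under the published issuance rules (area 000, 666 or 900–999, group 00, serial 0000) to cut false positives, and escalates from alert to block once the number of distinct SSNs in one transfer crosses a bulk threshold. The payloads, the threshold value and the verdict names are constructed assumptions.

```python
"""Toy DLP check for bulk Social Security numbers in an outbound transfer.

Added example; sample payloads and the bulk threshold are constructed.
"""
import re

# Three-digit area, two-digit group, four-digit serial, as written in records.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that the issuance rules never assign, to limit false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def count_ssns(payload: str) -> int:
    """Number of distinct plausible SSNs appearing in the payload."""
    found = {m.group(0) for m in SSN_RE.finditer(payload)
             if is_plausible_ssn(*m.groups())}
    return len(found)


def classify_transfer(payload: str, bulk_threshold: int = 100) -> str:
    """'allow' with no SSNs, 'alert' for a few, 'block' at or above the bulk threshold."""
    n = count_ssns(payload)
    if n == 0:
        return "allow"
    if n >= bulk_threshold:
        return "block"
    return "alert"


# Constructed sample payloads (hypothetical records, not real data).
# A clinical note with one SSN, a date that looks similar but is not, and two
# SSN-shaped values that the issuance rules rule out.
SMALL_PAYLOAD = ("Patient 123-45-6789 seen 2015-03-26; "
                 "test values 000-12-3456 and 987-65-4321 are not valid SSNs.")

# A bulk export: 150 distinct, plausible SSNs, one per record.
BULK_PAYLOAD = "\n".join(
    f"record,{100 + i:03d}-{10 + (i % 80):02d}-{1000 + i:04d}" for i in range(150))

# Traffic with no SSNs at all.
CLEAN_PAYLOAD = "invoice 2015-0042 phone 555-0100 total 1234.56"

if __name__ == "__main__":
    for name, payload in [("small", SMALL_PAYLOAD), ("bulk", BULK_PAYLOAD),
                          ("clean", CLEAN_PAYLOAD)]:
        print(f"{name:5} ssns={count_ssns(payload):3}  verdict={classify_transfer(payload)}")
```

A real DLP deployment would also decode archives and encrypted-at-rest containers before matching and would correlate counts across a session rather than per message, but the shape is the same: classify what is leaving, and treat volume itself as the signal.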


Brian S. Smith, CIC, ARM's curator insight, March 26, 2015 8:16 PM

Interesting article about the data breach event suffered by Anthem.  The insurance costs are staggering as is the exposure.


Should Google Be Allowed to Mine Your Health Care Data?


On the heels of the I/O keynote on Thursday, Google cofounder Larry Page spilled his guts to Farhad Manjoo from The New York Times. "Right now we don't data-mine health care data," Page said. "If we did we'd probably save 100,000 lives next year." But is that actually a good idea?

Mining health care is a very slippery slope, whether it's done by Google or some government agency or anyone really. The privacy concerns alone have always kept prying eyes out of your health records. But now that technology has advanced to the point where we could anonymize the data and use the information to cure diseases, it's worth revisiting that topic.

The data store is only going to get bigger, too, as gadgets like fitness and health trackers become more ubiquitous. (Google, of course, is leading the charge on this front as well.) While Page's 100,000 figure is probably completely made up—and not even that many lives in the grander scheme of things—it seems pretty clear that a better understanding of health care data is a good thing.

So what do you think? Is it time to chill out about privacy so that Google algorithms can start saving some lives? Or would you rather keep your personal health care data personal?


USPS Breach Exposed Health Data


As the U.S. Postal Service's investigation into its data breach continues to unfold, it's now reporting that certain health information for approximately 485,000 current and former employees was potentially compromised.


The news follows confirmation from the USPS on Nov. 10, 2014, of a breach of some of its information systems that impacted more than 800,000 employees and 2.9 million customers.

The investigation has now determined that the intruders may have compromised a file containing workers' compensation injury claim data, according to a letter detailing the incident that the USPS provided to Information Security Media Group. The file, created in August 2012, contains information associated with current and former workers' compensation claims. Information included in the file dates from November 1980 to Aug. 30, 2012, according to the USPS.

Although the type of information varies greatly based on individual cases, workers' compensation-related data that may have been exposed includes names, addresses, dates of birth, Social Security numbers, medical information and "other" information.

The total number of employees whose health data may have been exposed reflects some of those originally listed as being impacted by the breach, "but others are receiving letters for the first time," says David Partenheimer, a spokesperson at the U.S. Postal Service. Those who did not receive an earlier letter from the USPS regarding receiving free credit monitoring for one year have now been informed how to obtain the service.

The USPS says it has no evidence that any compromised employee information has been used to engage in any malicious activity, the letter says.

Although the latest breach details involve health information, the USPS is not subject to the HIPAA Privacy Rule that governs healthcare data because it is not a covered entity (a healthcare provider), Partenheimer says.

Notification Delay Explained

At a U.S. House hearing in November, Randy Miskanic, a USPS official, defended the agency's delay in notifying USPS workers of the breach, contending authorities didn't initially know what data was pilfered. The USPS first learned of the breach on Sept. 11, 2014, but didn't notify employees until Nov. 10, 2014.

Miskanic also said the government didn't want to tip off hackers that it was aware of the breach.

In its original report on the breach, USPS said employees' names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, and emergency contacts may have been exposed. For customers, names, addresses, phone numbers and e-mail addresses may have been compromised.

As a result of the breach, the USPS in a Nov. 28 filing with postal regulators said it was forced to delay the filing of its annual financial report. The reasoning for the delay was to give USPS time to confirm that the breach didn't compromise financial information that could affect its report.



IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation


Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.


Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.”


In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”


And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”


Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”


Americans want health information shared easily among docs


Nearly three-quarters of Americans say it's very important that their critical health information can be easily shared among healthcare providers, a survey from the Society of Participatory Medicine reveals.

In addition, 87 percent of respondents oppose any fees being charged to either healthcare providers or patients for that transfer of information to take place.

The 1,011 adults polled were selected randomly from landline and cell phone numbers.

Nearly 20 percent of respondents said they or a family member had experienced a problem in receiving care because records could not easily be shared among providers.

Doctors are forced to pay anywhere between $5,000 and $50,000 to set up connections with blood and pathology laboratories, health information exchanges or governments, according to a recent Politico story. Sometimes additional fees are charged each time a doctor sends or receives data.

Just this week, Peter DeVault, director of interoperability at Epic Systems, revealed at a Senate committee hearing that the company charges $2.35 per patient, per year for Epic EHR clients to exchange data with other providers.

"We have the technology. What we need is for health care providers and systems developers to put patient interests ahead of business needs. None of them would exist were it not for the patients," Daniel Z. Sands, M.D., co-founder and co-chair of the Society of Participatory Medicine, says in the survey announcement.

Experts at the Senate committee hearing testified that vendors and healthcare organizations use patient data as a competitive advantage, and that data-sharing is less likely to occur in competitive markets.

In a paper from the Brookings Institution, Niam Yaraghi, a fellow in governance studies at the Center for Technology Innovation, posits that the fee-for-service reimbursement model serves as a disincentive to share data. He also argues that Stage 3 of the Meaningful Use program will likely set the interoperability bar too low and likely will help only the dominant vendors, who will need only to provide a minimum amount of interoperability.


Anthem says at least 8.8 million non-customers could be victims in data hack


Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.

Anthem, the country's second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.

It is those Blue Cross Blue Shield customers who were potentially affected because their records may be included in the database that was hacked, the company said.

It is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.

Anthem updated the total number of records accessed in the database to 78.8 million customers from its initial estimate of 80 million, which includes 14 million incomplete records that it found.

Anthem does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, which prevent it from linking all members with their plan, Anthem spokeswoman Kristin Binns said.

Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the underground market.

Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed. The spokeswoman added that the company's investigation was ongoing. Federal and state authorities are also investigating.

Anthem runs Blue Cross Blue Shield healthcare plans in 14 states, while plans in states such as Texas and Florida are run independently. In all, 37 companies cover about 105 million people under the Blue Cross Blue Shield license.

Binns said the company still believes the hacked data were restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.

Anthem will start mailing letters next week to Anthem customers and other Blue Cross Blue Shield members affected by the hacking. It will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.



Big Data in Healthcare: A Cause for Concern?


A federal advisory panel has kicked off discussions about the privacy and security challenges related to the use of big data in healthcare, with a goal of making policy recommendations in the coming weeks.


During the Jan. 12 meeting of the Health IT Policy Committee's Privacy and Security Workgroup - formerly called the Tiger Team - members began sorting through a number of key big data themes that emerged from two public hearings the group hosted in December. The workgroup and the committee will make recommendations to the Office of the National Coordinator for Health IT, which could ultimately lead to new policies from the Department of Health and Human Services.


Last month's hearings included testimony from a number of stakeholders from various segments of the healthcare sector. For instance, testimony highlighted that while analyzing big data can bring big potential benefits, including better treatment outcomes and lower costs, it also can bring privacy risks to individuals, says workgroup Chair Deven McGraw, an attorney at the law firm Manatt, Phelps & Phillips, LLP.

The workgroup will now help to assess whether the nation has the right policy framework in place "in order to maximize what is good about what health data presents for us, while addressing the concerns that are raised," McGraw says.

Big Data Challenges

Big data concerns that emerged from the hearings in December included whether various "tools" that are commonly used to help protect an individual's health data privacy are sufficient, given the complexities of various big data use cases, McGraw says.

Those "tools" include data de-identification methods; patient consent; transparency to patients and consumers about how their data might be used; various practices related to data collection, use and purpose; and security measures to protect data.

Other concerns arising from the testimony that the workgroup plans to dig into relate to the legal landscape, such as whether there are regulatory gaps in HIPAA and other laws regarding keeping health data used for big data analytics private.

The workgroup, which will continue its discussion on Jan. 26, will also consider the harm that could be caused if big data is not kept private, including discrimination, medical identity theft, and mistrust of the healthcare system.

In early February, however, the workgroup will temporarily shift gears to discuss ONC's 10-year interoperability roadmap, which is expected to be released in late January. The roadmap will focus on secure health data exchange.

Nevertheless, the workgroup hopes to hammer out some preliminary findings or early recommendations about protecting big data so that it can make a presentation at the March 10 meeting of the HIT Policy Committee, McGraw says.

