Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches
Jun24

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported. Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches. Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals. The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers....

Read More
ONC Report Reveals Trends in Access and Viewing of Medical Records Online
May22

ONC Report Reveals Trends in Access and Viewing of Medical Records Online

Most hospitals and physicians have now adopted electronic medical records, yet only half of patients have been offered access to their medical records online, according to a new report from the HHS’ Office of the National Coordinator for Health Information Technology (ONC). Two of the aims of the 21st Century Cures Act were to make it easier for patents to access their health information and to improve education of patients about their rights to access their health data. The ONC conducted its Health Information Trends Survey (HINTS) to determine whether patients are being offered access to their medical records online and whether they have exercised that right and have viewed medical records that have been made available. In 2018, there was no change in the number of patients being offered access to their medical records online. As was the case in 2017, 51% of patients were given that opportunity. However, the number of patients using that access to view or download their medical records increased. 30% of patients who were given the option had viewed their records at least once,...

Read More
AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan
May21

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC). In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients. The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented. The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain...

Read More
CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability
May10

CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability

The second Senate HELP Committee hearing on the proposed roles for implementing the electronic medical records provisions of the 21st Century Cures Act has taken place this week. The Committee heard from National Coordinator for Health IT, Donald Rucker, and Director and Center for Medicare And Medicaid Services Chief Medical Officer, Kate Goodrich, M.D. The hearings aim to find a way forward to ensure the efficient accessing and sharing of health information between care providers and patients. The prevention of information blocking is one of the main goals. By allowing health information to flow freely between providers and be shared with patients, the cost of healthcare can be significantly reduced. According to Dr. Brett James of the National Academies, as much as 50% of the costs of healthcare are unnecessary. Patients are having to repeat tests because their information cannot be shared between different healthcare providers and there is considerable duplication of administrative tasks as a result of information blocking. Earlier this year both the CMS and ONC proposed new...

Read More
NIST Issues RFI Seeking Comments to Inform the Development of AI Standards and Tools
May07

NIST Issues RFI Seeking Comments to Inform the Development of AI Standards and Tools

The National institute of Standards and Technology (NIST) has issued a request for information (RFI) seeking feedback from industry stakeholders to inform the development of new standards and tools to support systems that use artificial intelligence (AI) technologies. February’s Executive Order on Maintaining American Leadership in Artificial Intelligence requires NIST to create a plan for developing technical standards and tools to support the creation of reliable, robust and trustworthy AI-based systems, along with tools that will are necessary or helpful in reducing barriers to the safe testing and deployment of AI-based systems. NIST is seeking comments from stakeholders to improve its understanding of the current uses of AI, the opportunities offered by AI-based systems, and the challenges currently faced.  NIST hopes stakeholder comments will help to determine current priority areas. The RFI has three main areas of focus: The status of and plans for AI technical standards and related tools development Defining and achieving U.S. leadership in AI standards Prioritizing federal...

Read More
MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data
Apr25

MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data

MD Anderson Cancer Center, the world’s leading cancer research center, has recently fired three scientists over espionage fears after being alerted by the National Institutes of Health (NiH) to irregularities involving grant recipients. NiH, the largest public funder of biomedical research in the United States, had been instructed by federal officials to investigate certain professors who were believed to be in violation of granting agency policies. NiH, assisted by the FBI, discovered potential conflicts of interest and unreported foreign income by five members of MD Anderson staff. NiH sent emails to MD Anderson in 2018 and demanded a response within 30 days. The failure to take action could potentially result in NiH withholding essential funding. MD Anderson received $148 million in NiH grants in 2018. In response to the accusations, MD Anderson conducted an investigation and initiated termination procedures for three professors, two of whom resigned from their posts before proceedings started. The fourth professor was investigated but termination was not deemed to be warranted....

Read More
HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement
Apr24

HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement

The HHS’ Office of the National Coordinator for Health IT (ONC) has released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA) and is seeking comments on the updated text. The purpose of TEFCA is to help ensure there is seamless, interoperable exchange of health information, which is critical to the creation of a health system that empowers providers and patients and delivers better healthcare at a lower cost. The 21st Century Cures Act promoted a national framework and common agreement for the trusted exchange of health information. The framework is required as there is currently no core exchange mechanism that can be used by healthcare providers, health plans, vendors, public health departments, and federal, state, local and tribal governments. Trusted exchange is too complex. Currently, multiple exchange methods need to be used. The majority of hospitals use three or four exchange methods and three in ten use more than five methods. This approach is inefficient and expensive. Healthcare organizations are having to build several point-to-point...

Read More
HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability
Apr23

HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information. Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data. The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for...

Read More
AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology
Apr12

AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week. Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS: One of several high-profile data breaches that have involved AWS-stored data in the past 12 months. Fears About Compliance and the Cloud Companies required to comply with General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on-premise infrastructure that they feel better able to secure. Germany’s federal commissioner, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they...

Read More
How Much Does Cisco Umbrella Cost?
Apr10

How Much Does Cisco Umbrella Cost?

Cisco is a leading DNS filtering solution provider that offers a web filtering product called Cisco Umbrella, which was previously known as OpenDNS. Discover how much does Cisco Umbrella cost and whether it is a viable option financially for your organization. Why is Cisco Umbrella Necessary? A DNS filter serves two main purposes. A DNS filter provides IT teams with visibility into online activities by staff and guest users and allows restrictions to be placed on online activities to prevent certain types of website from being accessed. With a DNS filter it is possible to enforce acceptable internet usage policies and block categories of content such as pornography, gambling, or social media websites. The solution helps with compliance, can prevent HR issues, and by blocking certain types of website it is possible to improve productivity. The solution also allows SafeSearch browsing to be enforced. A DNS filter also improves security posture by blocking downloads of certain file types, such as those commonly used to hide malware and ransomware. A DNS filter is also an important...

Read More
FDA Considers New Review Framework for AI-Based Medical Devices
Apr09

FDA Considers New Review Framework for AI-Based Medical Devices

AI-based medical devices can be used to identify diseases and individuals at risk of developing medical conditions. They can perform a great deal of time-consuming work on behalf of doctors and radiologists and can help to speed up the diagnosis of diseases. Faster diagnoses mean patients can receive treatment more quickly at a time when it is most likely to be effective. They can also help to identify the most effective treatments to allow personalized medicine to be provided. Currently, the U.S. Food & Drug Administration (FDA) performs reviews of medical devices as part of its market authorization processes. Generally, in order to be granted market authorization the algorithms used by the devices need to be locked and not have the ability to learn each time they are used. These locked algorithms can be subsequently updated by developers at intervals using new data, but after those updates have been applied, the devices need to be subjected to a further manual review and the updated algorithm must be validated. The FDA authorized two AI-based medical devices in 2018: An...

Read More
Amazon Announces 6 New HIPAA Compliant Alexa Skills
Apr05

Amazon Announces 6 New HIPAA Compliant Alexa Skills

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules. The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, access their latest blood sugar reading, and check the status of their prescriptions. This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can now be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.  You can read more about the issues related to virtual assistants and HIPAA compliance here. Amazon has stated that it plans to work with many other developers through an invite-only...

Read More
Malware Alters CT Scans and Creates and Removes Tumors
Apr05

Malware Alters CT Scans and Creates and Removes Tumors

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans. The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment. In addition to adding tumors to medical images the malware could be used to remove real tumors. The former could be conducted for political reasons such as preventing a candidate from running for office, the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotaging of medical trials, and cyber terrorism. Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient...

Read More
Study Reveals Health Information the Least Likely Data Type to be Encrypted
Apr03

Study Reveals Health Information the Least Likely Data Type to be Encrypted

Health information is the least likely data type to be encrypted, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher. The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data. The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data. The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence...

Read More
Amazon Launches New System for De-identifying Medical Images
Apr02

Amazon Launches New System for De-identifying Medical Images

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images. Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified. The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images. A confidence score...

Read More
Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs
Mar22

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability. The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on. An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device. The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3. A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use...

Read More
Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices
Mar15

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). Ericcson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices. Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices. Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is...

Read More
Is Microsoft Teams HIPAA Compliant?
Mar15

Is Microsoft Teams HIPAA Compliant?

Microsoft Teams is a popular communications platform used by many businesses to communicate more effectively, but can the solution be used in healthcare? Is Microsoft Teams HIPAA compliant? Microsoft Teams is a unified communication platform that includes workplace chat, video meetings, and file sharing and can be integrated into a range of different applications. The platform can be used to improve communication and collaboration in the workplace and with business associates. The platform is based on Office 365 (click here for information on Office 365 and HIPAA). Office 365 can be used in a HIPAA compliant manner, but in order for Microsoft Teams to be HIPAA compliant it must include a range of security features to keep any electronic protected health information secure. In the security compliance section of the Microsoft website, Microsoft explains that Microsoft Teams delivers advanced security and compliance and is included in its Tier-D compliance category. Tier D services have safeguards active by default and are compliant with ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2,...

Read More
Workplace Safety Survey Shows Communication Issues are Placing Employees at Risk
Mar14

Workplace Safety Survey Shows Communication Issues are Placing Employees at Risk

Framingham, MA-based Rave Mobile Safety has published the results of its annual workplace safety and preparedness survey. The report shows that while preparedness for emergency is better than in 2017, there is still considerable room for improvement, especially in healthcare and education. The survey was conducted on 540 full time employees in the United States across several industries. The aim of the survey was to identify trends in emergency planning, obtain the views of employees about workplace safety, and find out more about the efforts that have been made to ensure effective communication in the event of an emergency and alert employees at risk. The survey shows companies are increasingly developing plans for modern emergencies, such as active shooters, workplace violence, and cyberattacks and system outages. However, greater effort is required to ensure that emergency plans are communicated to employees. Some 20% of workers were unaware of emergency plans for cyberattacks and system outages and 18% of workers were unaware of the emergency plan for active shooters and...

Read More
HIPAA Compliant Online Forms
Mar12

HIPAA Compliant Online Forms

Web forms offer healthcare organizations an easy way to digitally collect information from patients, but care must be taken not to violate HIPAA Rules. To collect any health data, HIPAA compliant online forms must be used. HIPAA Compliant Online Forms Must be Used for Collecting Health Information The HIPAA Privacy and Security Rules requires all HIPAA-covered entities and business associates to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information. Online forms are not specifically mentioned in the HIPAA text, but the Privacy and Security Rules do apply to online forms. Large healthcare organizations are more likely to have in-house staff with the skills to create forms that comply with HIPAA Rules, but many covered entities take advantage of the convenience of third-party webform solutions. There are many companies that offer HIPAA compliant online forms software that allows forms to be quickly spun up and used for a wide range of purposes such as onboarding new patients, obtaining consent, collecting payments,...

Read More
25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

Read More
NHS to Phase Out Pagers by End of 2021
Feb26

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million). Advantages and Disadvantages of Pagers in Healthcare Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

Read More
NIST NCCoE Releases Mobile Device Security Guide
Feb22

NIST NCCoE Releases Mobile Device Security Guide

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches. Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes. However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them. There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of...

Read More
ONC and CMS Propose New Rules on Patient Access and Information Blocking
Feb12

ONC and CMS Propose New Rules on Patient Access and Information Blocking

On Monday, February 11, 2019, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) released new rules covering patient data access and information blocking. The aim of the new rules is to advance interoperability and support the meaningful exchange and use of health information. The rules are intended to increase competition, encourage innovation, and give patients control over their health data. One of the main goals is to make health information accessible via application programming interfaces (APIs). Currently consumers use a wide range of smartphone apps for paying bills and accessing information. It should be just as easy to gain access to healthcare data through apps and for healthcare data to be provided electronically at no cost. One of the main requirements of the new rules is for healthcare providers and health plans to implement data sharing technologies that support the transition of care to new healthcare providers and health plans. Whenever a patient wishes to start seeing a new...

Read More
HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns
Feb12

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps. 166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018. This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident. In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations. The most common actors implicated in security incidents were online scam artists (28%)...

Read More
EHR Vendor False Claims Act Violation Case Settled for $57.25 Million
Feb07

EHR Vendor False Claims Act Violation Case Settled for $57.25 Million

The Tampa, FL-based electronic health record (EHR) software developer Greenway Health LLC has agreed to settle violations of the False Claims Act with the Department of Justice for $57.25 million. The case concerns Greenway Health’s EHR product Prime Suite. The DOJ alleged that by misrepresenting the capabilities of the product, users submitted false claims to the U.S. government. Further, Greenway Health was alleged to have provided unlawful remuneration to users to induce them to recommend the EHR product to other healthcare providers. The U.S. government provided incentives to healthcare organizations to encourage them to transition to EHRs from paper records through the Meaningful Use program. Most healthcare providers have now made the change and now rely on EHR systems to support the healthcare decision process. It is therefore essential that EHR products allow patient health information to be recorded and transmitted accurately. In order for healthcare providers to qualify for Meaningful Use payments, they must only use EHR products that have been certified as meeting...

Read More
New Cybersecurity Framework for Medical Devices Issued by HSCC
Jan30

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle. The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector. More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing...

Read More
Vulnerability Identified in BD FACSLyric Flow Cytometry Solution
Jan30

Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit. BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions. The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC). The vulnerability is present in the following cytometry solutions: BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018) The U.S. release of BD FACSLyric IVD Windows 10 Professional...

Read More
New Report Reveals Spiraling Cost of Cyberattacks
Jan23

New Report Reveals Spiraling Cost of Cyberattacks

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there has been a 52% increase in the cost of cyberattacks on businesses in since 2017. For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks. The 2018 Threat Landscape 93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware. Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now...

Read More
Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability
Jan23

Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability

Seven leading hospital associations, including the American Hospital Association (AHA), are calling for an industry-wide effort to improve data sharing. The new report seeks to enlist and expand public and private stakeholder support to accelerate interoperability and help remove the barriers to data sharing. In order to achieve the full potential of the nation’s healthcare system, health data must flow freely. Only then will it be possible to provide the best possible care to patients, properly engage people in their health, improve public health, and ensure new models of healthcare succeed. Effective sharing of patient data strengthens care coordination, improves safety and quality, empowers patients and their families, increases efficiency, reduces healthcare costs, and supports the accurate tracking of diseases and the creation of robust public health registries. The report explains that great progress is being made to improve interoperability of health IT systems and ensure that patients data can be accessed regardless of location or system. 93% of hospitals now allow patients...

Read More
Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors
Jan23

Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) has issued an advisory about three vulnerabilities affecting Dräger Infinity Delta patient monitoring devices. The flaws affect all versions of Infinity Delta, Delta XL, Kappa, and infinity Explorer C700 patient monitoring devices. The flaws could lead to the disclosure of sensitive information stored in device logs, be leveraged to conduct Denial of Service (DoS) attacks, or could potentially allow an attacker to gain full control of the operating system of a vulnerable device. The flaws were discovered by Marc Ruef and Rocco Gagliardi of scip AG. The vulnerabilities are detailed below, in order of severity: CVE-2018-19014 (CWE-532) – Exposure of Information in Log Files Log files are not appropriately secured and are accessible over an unauthenticated network. An attacker could gain access to device log files and view sensitive information relating to the internals of the monitor, location of the device, and its wired network configuration. The flaw has been assigned a CVSS v3 base...

Read More
IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity
Jan03

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers. The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data. The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers. The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent...

Read More
HHS Publishes Cybersecurity Best Practices for Healthcare Organizations
Jan02

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients. The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million. “Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems...

Read More
NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity
Nov23

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices along with best practices for securing the telehealth and remote monitoring ecosystem. Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks. Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge. The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment. The paper addresses...

Read More
AMIA Calls for Greater Alignment of Federal Data Privacy Rules
Nov20

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and recommends adoption of a more integrated approach to privacy that includes both the healthcare and consumer sectors. The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule). Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies. AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an...

Read More
Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS
Nov15

Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress. The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature. The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service. The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center. NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal...

Read More
Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices
Nov08

Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk. Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code. The vulnerabilities affect the following Roche Point of Care handheld medical devices. Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later) CoaguChek Pro II CoaguChek XS Plus & XS Pro Cobas h 232 POC Including the related base units (BU), base unit hubs and handheld base units (HBU). CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3. The vulnerability is present in:...

Read More
OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices
Nov08

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  Several deficiencies in FDA policies and procedures were identified by OIG auditors. Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients. The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas. One area of weakness concerns...

Read More
FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity
Oct18

FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security. The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated. Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data, they could be used to gain a foothold to launch further cyberattacks that could prevent healthcare providers from providing care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real...

Read More
Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering
Oct17

Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs. The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ. The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats. TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality. Webinar Details: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering Date: Thursday, October 18th Time: 11AM ET | 8AM PT | 4PM GMT/BST Speakers: John Tippett, VP, Datto Networking Andy Katz, Network Solutions Engineer Rocco Donnino, EVP of Strategic Alliances, TitanHQ Click here to register for the...

Read More
FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers
Oct16

FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow up visits. Approximately 34,000 vulnerable programmers are currently in use. The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs. While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN,...

Read More
Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards
Oct04

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019. The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring. To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention. Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
JotForm Announces Enterprise Version of its Encrypted HIPAA Forms Software
Sep20

JotForm Announces Enterprise Version of its Encrypted HIPAA Forms Software

Jotform has announced that it has released an enterprise version of its HIPAA forms software to allow large healthcare organizations to collect and manage data more efficiently. JotForm is a leading developer of online form software and has more than four million users worldwide. The company’s software solution has been adopted by many enterprises for creating a wide range of data collection forms, although up until now, they were required to use multiple accounts within the same organization. In order to centralize and simplify data collection, the company developed a product to specifically meet the needs of enterprises. Enterprise users can now manage all of their data through a single umbrella account. JotForm Enterprise has no submission limits nor restrictions on the number of forms that can be created and used. The solution includes custom domains for forms, white-labeling for branding purposes, and a suite of management tools. Earlier in 2018, JotForm announced that it is now a HIPAA forms software provider and will sign business associate agreements with healthcare...

Read More
Final Participation Request: Emergency Preparedness Survey
Sep17

Final Participation Request: Emergency Preparedness Survey

Do you want to help determine the state of emergency preparedness in healthcare? Over 100 HIPAA Journal readers have already participated in this survey and this is the last chance to contribute by completing this short anonymous survey on emergency preparedness and security communications trends. This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next. After you complete the survey, you will have the chance to enter into a raffle for a $150 gift card from the survey sponsor (RaveMobileSafety). If you provide your email address, you’ll receive the published (anonymous) results before they are released. HIPAA Journal will eventually publish the results. Note: HIPAA Journal is not conducting this survey and HIPAA Journal does not receive any payment for promoting this survey.  If your organization is running a survey that is interesting to healthcare professionals, you can contact us with the...

Read More
Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI
Sep06

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices. Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen. Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions...

Read More
NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
Aug31

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations. Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk. If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks. An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs. Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly...

Read More
Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX
Aug23

Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX

Over the past few months, several vulnerabilities have been discovered in Philips medical devices, software and systems. This week, two further advisories have been issued by the Industrial Control Systems Cyber Emergency Team (ICS-CERT) about vulnerabilities the firm’s real-time central monitoring system, Philips IntelliVue Information Center iX, and its PageWriter cardiographs. All three of the vulnerabilities are classed as medium risk with CVSS v3 base scores ranging between 5.7 and 6.1. CVE-1999-0103 is a denial of service vulnerability that affects the Philips IntelliVue Information Center iX version B.02. The flaw was discovered by a user of the system and was reported to Philips, which in turn reported the vulnerability to the National Cybersecurity and Communications Integration Center’s (NCCIC). The vulnerability can be exploited remotely and does not require a high level of skill. If multiple initial UDP requests are made, it could compromise the availability of the device by causing the operating system to become unresponsive. The vulnerability has been assigned a...

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched
Aug09

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular. Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database. Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information. The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy...

Read More
Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps
Aug08

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868). The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors. If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity). The way that passwords are stored could allow...

Read More
Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices
Aug07

Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media. Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner. HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes. Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI. If electronic devices are not disposed of securely...

Read More
Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform
Jul30

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform. The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein. Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats. Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams. However, security teams can struggle to...

Read More
Warnings Issued Following Increase in ERP System Attacks
Jul27

Warnings Issued Following Increase in ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle. These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data – The exact types of data sought by cybercriminals for fraud and cyber espionage. Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups. The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of most widely used ERP systems: SAP HANA and Oracle E-Business. The authors explained that the number of publicly available...

Read More
FDA Issues New Guidance on Use of EHR Data in Clinical Investigations
Jul19

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and emphasized that appropriate controls should be put in place to ensure the confidentiality, integrity, and availability of data. While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements. The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products. The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a...

Read More
Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data
Jul10

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes. In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care. 150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of its EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is use in many GP practices throughout the UK. A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was...

Read More
HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks
Jul06

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in the middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increase in used of Unicode characters to create fraudulent domains for use in phishing attacks. API Attacks Could Be the Next Big Attack Vector Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to gain access to sensitive data. Vulnerabilities in API’s could be a weak point and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector. API usage in application development has become the norm, after all, it is easier to use a third-party solution...

Read More
AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule
Jul05

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs. Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps Mobile health apps can con collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules. However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers. There...

Read More
Qcentive Controls AWS Costs & Enables Cloud Computing in Healthcare with ParkMyCloud
Jul02

Qcentive Controls AWS Costs & Enables Cloud Computing in Healthcare with ParkMyCloud

The Massachusetts-based healthcare startup Qcentive, the developer of a cloud-based platform that helps healthcare companies with the creation and management of value-based contracts, was one of the first companies authorized to move healthcare data to the cloud. The first-in-class transaction platform has been certified as HIPAA compliant and incorporates appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI. The company uploads patient and healthcare contract information to AWS, where the data are accessed by the company’s application. The platform helps its health plan clients and their value-based contracting providers analyze claims data and patient information such as emergency room visits and use the information to quickly calculate potential savings. While developing the platform, Qcentive uploaded large quantities of patient and claim data to AWS and created AWS resources as necessary, although as many companies discover, AWS costs can quickly mount up. Qcentive tried to find a way to keep its AWS costs under control, starting with...

Read More
Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors
Jul02

Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors. The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices. The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method of function (CWE-749 / CVE-2018-8868) vulnerability – exist in all versions of 24950 and 24952 MyCareLink Monitors. The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCCIC. Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could...

Read More
Acumera Partners with TitanHQ to Offer Web Filtering to Customers
Jun26

Acumera Partners with TitanHQ to Offer Web Filtering to Customers

The Galway, Ireland-based cybersecurity firm TitanHQ has announced the formation of a new partnership with the Austin, TX-based managed services provider Acumera. Acumera is a leading provider of managed network security services in the United States. Securing widely distributed networks consisting of hundreds or thousands of locations is one of the main strengths of Acumera, with the managed services provider able to meet the unique connectivity, operational, and data security challenges that these large networks create. The company offers network security, connectivity, and visibility services for a wide range of industry sectors. Acumera has been chosen by many healthcare provider networks who have chosen to outsource cybersecurity and provides network security services for drug stores, automated parking garages, and has secured the POS systems and networks of some of the best-known retailers in the United States, including 7-Eleven, Circle K, Subway, Valero service stations, Benetton, and Pluckers. One area where Acumera’s managed services required a boost was web filtering,...

Read More
Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security
Jun13

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices. For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys. 85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements. Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed...

Read More
More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes
Jun12

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research. The survey was conduced on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018. The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform. 85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platform are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability. 98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly. Many providers of...

Read More
Apple Launches API for Developers to Allow EHR Data to be Used in Care Management Apps
Jun06

Apple Launches API for Developers to Allow EHR Data to be Used in Care Management Apps

Apple has launched a new application programming interface (API) for developers that will allow them to create health apps that incorporate patients’ EHR data. Patients who load their EHR data into the Apple Health Records app will be able to pass the information directly to third party apps. The move allows app developers to create a wide range of apps that can help patients manage their care.  The first apps that will be allowed to access EHR data, if permitted by the patient, should be available in the fall to coincide with the release of iOS 12. One such app that can be used in connection with EHR data through the Apple Health Records app is Medisafe. The Medisafe app will allow patients of participating health systems to download their prescriptions lists and set reminders when their medications need to be taken. The app will also alert them to any potentially harmful interactions between their medications. Apple suggests apps could be developed to help patients manage their medical conditions. Access to EHR data will allow those apps to provide more accurate and useful...

Read More
Warnings Issued Over Vulnerable Medical Devices
May14

Warnings Issued Over Vulnerable Medical Devices

Warnings have been issued by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in several medical devices manufactured by Silex Technology, GE Healthcare, and Phillips. If the vulnerabilities were to be exploited, an unauthorized individual could potentially take control of the devices. Phillips Brilliance CT Scanners In early May, Phillips alerted the National Cybersecurity and Communications Integration Center (NCCIC) about security vulnerabilities affecting its Brilliance CT scanners. Phillips has been working to remediate the vulnerabilities and has been working with DHS to alert users of its devices to help them reduce risk. There have been no reports received to suggest any of the vulnerabilities have been exploited in the wild. Three vulnerabilities have been discovered to affect the following scanners: Brilliance 64 version 2.6.2 and below Brilliance iCT versions 4.1.6 and below Brillance iCT SP versions 3.2.4 and below Brilliance CT Big Bore 2.3.5 and below See ICS-CERT advisory...

Read More
How to Defend Against Insider Threats in Healthcare
Apr26

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique. Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders. Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed. Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur. What are Insider Threats? Before explaining how healthcare...

Read More
House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws
Apr25

House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws

The continued use of outdated software and the failure to patch vulnerabilities promptly is making cyberattacks on healthcare organizations too easy. This was clearly highlighted by the WannaCry ransomware attacks in May 2017. U.S healthcare providers may have escaped relatively unscathed, but that was not the case across the Atlantic in the UK. The NHS was hit particularly badly by WannaCry. Were it not for the discovery of a kill switch by a security researcher, it could have been a similar story in the U.S. This week, Symantec published a report on a recently discovered threat group that has been attacking healthcare organizations for three years and accessing highly sensitive information. Lateral movement within a network has been made easy due to the continued use of outdated operating systems. These are just two examples of several over the past couple of years and the attacks will continue unless action is taken to address the issue. In the UK, a post-WannaCry assessment by the health industry’s governing body revealed the NHS is still badly prepared for similar attacks....

Read More
JotForm Announces HIPAA Compliant Form Software
Apr14

JotForm Announces HIPAA Compliant Form Software

Healthcare providers that want to collect data from patients via websites and patient portals need to develop their own forms that meet HIPAA requirements or use HIPAA compliant form software. Regardless of the option chosen, safeguards must be incorporated into forms to ensure the confidentiality and integrity of protected health information (PHI) and satisfy the requirements of the HIPAA Security Rule. Safeguards must protect PHI throughout the collection process, both at rest and in transit. Collecting information using physical forms is practical in certain situations, although that places an administrative burden on employees who must enter form data into hospital systems. Transitioning to digital forms improves efficiency. Patients can complete prescription fill requests online, provide updates to their medical histories, and make online online. Healthcare providers can also create digital onboarding forms to efficiently sign up new patients, obtain consent forms, and create online questionnaires. Healthcare providers can avoid headaches by using third-party HIPAA compliant...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
What is HIPAA Certification?
Mar06

What is HIPAA Certification?

Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance? What is HIPAA Certification? In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such as service to select an appropriate vendor. Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation. There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in...

Read More
PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate
Feb26

PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate

PhishMe, the leading provider of human phishing defense solutions, has announced that from February 26, 2018, the firm will be known as Cofense. Along with the name change, the firm has announced it has been acquired by a private equity syndicate, which valued the firm at $400 million. PhishMe was formed in 2007 with the aim of developing products and services to tackle the growing threat from phishing. Employees have long been viewed as the weakest link in security, yet the human element of security defenses was often neglected. Over the years, PhishMe developed its products and services to help companies improve their last line of defense and turn security liabilities into security assets. PhishMe has helped thousands of organizations improve their defenses against phishing through training and phishing simulations. The firm has also developed a range of associated products and services including a reporting platform that has now been adopted by more than 2 million users, as well as incident response and threat intelligence services. While phishing defense is still at the heart...

Read More
What Covered Entities Should Know About Cloud Computing and HIPAA Compliance
Feb19

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance. In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. Myths About Cloud Computing and HIPAA Compliance There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules. Some of the common myths about cloud computing and HIPAA compliance are detailed below: Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is...

Read More
Is Box HIPAA Compliant?
Feb13

Is Box HIPAA Compliant?

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information or would doing so be a violation of HIPAA Rules? An assessment of the security controls of the Box cloud storage and content management service and its suitability for use in healthcare. What is Box? Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account. Is Box Covered by the Conduit Exception Rule? The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim...

Read More
Eligible Hospitals Must Now Use QNet for Meaningful Use Attestation
Jan30

Eligible Hospitals Must Now Use QNet for Meaningful Use Attestation

The Centers for Medicare & Medicaid Services (CMS) has recently issued a reminder that eligible hospitals and Critical Access Hospitals (CAHs) participating in Electronic Health Record Incentive Schemes must use the QualityNet Secure Portal (QNet) to submit Meaningful Use attestations in 2018. Back in October, CMS announced it was transitioning Meaningful Use attestations to QNet. Previously two separate systems had been used for attestations and reporting clinical quality measures; but, in order to simplify reporting requirements and streamline data submissions, the QNet portal would be used for both from January 2nd 2018. From October, eligible hospitals and CAHs new to QNet had the opportunity to enroll on the system and get used to how it worked, while existing QNet users were advised to add an MU role to their accounts. From the beginning of this month, the QNet system opened for attestations relating to the 2017 calendar year. The attestation period closes on February 28th. Different Processes for Medicare and Medicaid Hospitals Although attempting to simplify the...

Read More
iPhone Users Can View Their Health Records Through the Apple Health App
Jan26

iPhone Users Can View Their Health Records Through the Apple Health App

Patients are being encouraged to obtain copies of their health records and to take a more active role in their own healthcare. Many hospitals are now providing patients with access to some of their health records through patient portals. Apple has now taken ease of access one step further. The company’s Health app has been updated to include a section that allows users to view their medical records directly on their iPhones. The health app will show allergies, test results, diagnoses, procedures, immunizations, and medications and other health information that is typically available through patient portals. When new information is added to patients’ records, they will receive a notification from the app. The Health app is available with iOS 11.3, and is based on Fast Healthcare Interoperability Resources (FHIR) – a standard for transferring and sharing electronic medical records. Data transmitted to the user’s iPhone is encrypted to prevent unauthorized access, and the app is protected by the user’s iPhone passcode to keep the records confidential. Participating hospitals and...

Read More
Amazon Seeks HIPAA Expert for New Healthcare Venture
Jan17

Amazon Seeks HIPAA Expert for New Healthcare Venture

Amazon has posted a new job vacancy for a HIPAA Compliance Lead, confirming the retail giant is making a move into the healthcare sector. The HIPAA Compliance Lead will be responsible for creating a HIPAA compliance program to ensure its technology and business processes meet the terms of its BAA and the management of all aspects of that compliance program. The new recruit should have at least 5 years of HIPAA experience in an enterprise, experience with the FDA and 510(k) process, 7+ years’ experience in an information technology setting including exposure to software development/auditing, a thorough understanding of HIPAA/HITECH and OIG compliance standards, and experience with business intelligence and analytics tools. Applicants must also have an understanding of HIPAA privacy and security requirements, and how those standards map to ISO 27001, SOC 1/2/3, NIST 800-53. Amazon already offers its cloud platform – Amazon Web Services (AWS) – to healthcare organizations, with AWS supporting HIPAA compliance and Amazon prepared to sign a business associate agreement with...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
CMS Clarifies Position on Use of Text Messages in Healthcare
Jan03

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy. SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI. The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms. In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy...

Read More
70% of Healthcare Organizations Have Adopted Off-Premises Computing
Dec15

70% of Healthcare Organizations Have Adopted Off-Premises Computing

A recent survey of 144 U.S-based healthcare organizations has shown the majority have already adopted off-premises computing for applications and IT infrastructure. The popularity of off-premises solutions is growing steadily. The KLAS Research study revealed 70% of healthcare organizations have moved at least some of their applications and IT infrastructure to the cloud. Out of the organizations that have, almost 60% are using a cloud or hosting environment for EHR applications. 69% of healthcare organizations said they would consider utilizing off-premises cloud solutions, or are actively expanding the use of those solutions. Cerner is the leader in off-premises computing for EHR applications, although Epic is attracting considerable interest, with many of its customers considering switching from its on-premises solutions to its data center. One of the fastest growing areas is Infrastructure-as-a-Service (IaaS) as it enables healthcare organizations to leverage off-premise infrastructure rather than having to build a data center. Amazon leads the way in this area and is the...

Read More
Is GoToMeeting HIPAA Compliant?
Dec08

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules? GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA. Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance. It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality,...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
Survey Reveals Poor State of Email Security in Healthcare
Nov29

Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard. The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security. For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network. The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC. Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting...

Read More
Electronic Records and HIPAA Compliance
Nov24

Electronic Records and HIPAA Compliance

Make sure you understand the relationship between electronic records and HIPAA compliance. It can be more complicated than many Covered Entities believe. Security Officers in the healthcare industry with a responsibility for electronic records and HIPAA compliance have plenty to keep themselves occupied. In the majority of healthcare-related organizations across the country, thousands of electronic health records (ePHI) are being created every day before being used, transmitted and stored. Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the big picture, the scale of the requirement is staggering. Not only does ePHI created and used within an organization have to be safeguarded, but also ePHI transmitted outside of an organization´s network, and ePHI stored in the cloud. Start by Conducting a Risk Analysis One of the primary issues with electronic records and HIPAA compliance is that the technical, physical and administrative safeguards of the HIPAA Security Rule were published three years before...

Read More
President Trump Nominates Alex Azar for HHS Secretary
Nov13

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration. President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country. While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice. Alex...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients
Nov02

FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients

The U.S. Food and Drug Administration (FDA) has released final guidance for medical device manufacturers sharing information with patients at their request. Legally marketed medical devices collect, store, process, and transmit medical information. When patients request copies of the information recorded by or stored on the devices, manufacturers may share patient-specific information with the patient that makes the request. The FDA encourages information sharing as it can help patients be more engaged with their healthcare providers. When patients give their healthcare providers data collected by medical devices, it can help them make sound medical decisions. While information sharing is not a requirement of the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it necessary to provide medical device manufacturers with recommendations about sharing patient-specific information with patients. The guidelines are intended to help manufacturers share information appropriately and responsibly. The FDA explains that in many cases, patient-specific information recorded by...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity
Oct10

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety. The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities. MDISS now consists of...

Read More
What Does HIPAA Stand For?
Oct10

What Does HIPAA Stand For?

What does HIPAA stand for? HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 – a legislative act that had the primary aim of improving portability and accountability of healthcare coverage for employees between jobs. HIPAA also helped to ensure employees with pre-existing health conditions were provided with health insurance coverage. HIPAA also introduced standards that healthcare organizations were required to follow to reduce the paperwork burden and simplify the administration of health insurance. The HIPAA administrative simplification regulations streamlined billing, sending and receiving payments, and verifying eligibility. They also helped to ensure the smooth transition from paper to electronic health records and transitions. Since 1996, there have been several major updates to HIPAA, notably the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Enforcement Rule, the inclusion of the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (The HIPAA Omnibus Final Rule), and the Breach Notification...

Read More
Internet of Medical Things Resilience Partnership Act Bill Introduced
Oct09

Internet of Medical Things Resilience Partnership Act Bill Introduced

The Internet of Medical Things Resilience Partnership Act has been introduced in the U.S. House of Representatives. The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks. The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors. If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
Is Amazon Alexa HIPAA Compliant?
Oct03

Is Amazon Alexa HIPAA Compliant?

Is Amazon Alexa HIPAA compliant? Can Alexa be used in healthcare in conjunction with patients’ protected health information without violating HIPAA Rules? Amazon already supports HIPAA compliance for its cloud platform AWS and is keen to see its voice recognition technology used more extensively in healthcare. However, before the true potential of Alexa can be realized, Amazon must first make Alexa HIPAA compliant. Alexa certainly has considerable potential in healthcare. Alexa could be used by physicians to transcribe medical notes or as a virtual assistant in physicians’ offices. Alexa is currently used in around 30 million U.S. homes, and the technology could easily be used to remotely monitor patients. The technology could also help to engage patients more in their own healthcare. Some healthcare organizations have already started experimenting with Alexa. WebMD has developed an Alexa skill to deliver some of its web content to consumers via their Alexa devices at home. Beth Israel Deaconess Medical Center (BIDMC) has run a pilot scheme to test Alexa’s capabilities in an...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
The Benefits of Using Blockchain for Medical Records
Sep26

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients. Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems. Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.” Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices. The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely;...

Read More
Researchers Call for Updates to Guidelines for Emailing Patients
Aug30

Researchers Call for Updates to Guidelines for Emailing Patients

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients. There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners. The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed. The...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Phillips Ships DoseWise Portal with Serious Vulnerabilities
Aug22

Phillips Ships DoseWise Portal with Serious Vulnerabilities

The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data. Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10. The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS...

Read More
Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere
Aug17

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year. Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators. When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge. Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas. The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months. While these results are...

Read More
HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management
Aug08

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management. The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks. HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry. HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the...

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS). Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase. While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied....

Read More
Only One Third of Patients Use Patient Portals to View Health Data
Jul27

Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information. GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource. Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information...

Read More
Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul25

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul13

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

Read More
Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System
Jul13

Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System

The Rochester, MN-based Mayo Clinic – the world’s first and largest integrated not-for-profit medical group practice – has invested $1.5 billion in a new HIPAA compliant EHR system. The Mayo Clinic chose Epic, a leading EHR provider whose systems are used to store and maintain the electronic health records of more than 190 million patients. Up until recently, the Mayo Clinic has been using three EHR systems, provided by General Electric and Cerner Corp. The new EHR system – An integrated electronic medical record and billing system – will see those three systems combined into one. $1.5 billion is a sizable investment, but it was necessary. Operating three separate EHR systems is far from ideal. It means staff need to learn how to use multiple systems, inefficiencies are introduced that are difficult to resolve, and multiple systems inevitably lead to interoperability issues that have potential to hamper collaboration. The new single HIPAA compliant EHR system will help the Mayo Clinic store, use, and share patient health information more efficiently and better serve its...

Read More
AMIA Urges HHS to Provide More Information on Common Rule Updates
Jul07

AMIA Urges HHS to Provide More Information on Common Rule Updates

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated. The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use. The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified. Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented. The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication...

Read More
U.S. Healthcare Providers Affected by Global Ransomware Attack
Jun29

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below. NotPetya Ransomware Attacks Spread to the United States Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems. Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities. While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected The health...

Read More
FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products
Jun22

FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices. The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk. Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps. In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for Smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of...

Read More
Study: 1 in 5 Enterprise Users Have Set Weak Passwords
Jun15

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice. Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling. The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals. An analysis of data from enterprises that downloaded...

Read More
ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges
Jun08

ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Privacy Policy Snapshot Challenge. Participants in the challenge were required to develop a Model Privacy Notice (MPN) generator capable of generating customizable MPNs for healthIT developers. While resources are available to help HIPAA covered entities, many technology companies are not subject to HIPAA requirements. It was therefore important for a resource to be developed for those businesses to help them adhere to other federal regulations. While a MPN had already been released by ONC in 2011, since then the range of digital health technologies has increased considerably. One MPN would not be suitable for all organizations that collect consumer information. On March 1, 2016, ONC issued a request for information to find out more from the public about the practices that should be disclosed to consumers and how that information should be presented. The challenge to develop a MPN generator was issued in December 2016, with participants leveraging an updated MPN that...

Read More
VA Chooses Cerner to Provide Replacement for VistA EHR
Jun07

VA Chooses Cerner to Provide Replacement for VistA EHR

The U.S. Department of Veteran Affairs (VA) has selected Cerner Corp., to provide a replacement for the outdated self-developed VistA EHR system.  Earlier this year, United States Secretary of Veterans Affairs David Shulkin said a decision needed to be made about the VA EHR system, suggesting an off-the-shelf EHR system was the best choice and that a final decision would be made by July 1. Shulkin said, “Seamless care is fundamentally constrained by ever-changing information sharing standards, separate chains of command, complex governance, separate implementation schedules that must be coordinated to accommodate those changes from separate program offices that have separate funding appropriations, and a host of related complexities requiring constant lifecycle maintenance.” The cost of continued development of VistA was considered to be too great, especially with the prospect of ongoing interoperability problems.  The VA has already invested hundreds of millions of dollars into VistA, yet the EHR is still only semi-interoperable with the system used by the Department of Defense...

Read More
Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

Read More
Medical Device Security Testing Only Performed by One in Twenty Hospitals
May26

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data. Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs. Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks. Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security...

Read More
Purple Move on WiFi Security Sets Example for All Public WiFi Deployments
May25

Purple Move on WiFi Security Sets Example for All Public WiFi Deployments

Wireless networks offer many benefits to healthcare organizations. Healthcare professionals can access networks and data from any location using portable devices, without the need to plug in to the network. Many medical devices connect wirelessly to WiFi networks improving clinical workflows. However wireless networks can also introduce risks. If any PHI is transmitted over wireless networks, HIPAA requires appropriate controls to be applied to safeguard the confidentiality, integrity and availability of PHI. If WiFi networks lack appropriate security, unauthorized individuals could intercept WiFi packets and view sensitive data, including protected health information. Securing internal WiFi networks is therefore essential. The failure to secure WiFi networks would place an organization at risk of a HIPAA penalty. The risk of a HIPAA violation or data breach is a real concern for healthcare organizations. Security concerns have prevented many hospitals from offering WiFi access to patients, even though offering WiFi can improve the patient experience. Many healthcare organizations...

Read More
Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May19

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted. Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks. This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and...

Read More
Guidance on Securing Wireless Infusion Pumps Issued by NIST
May11

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access. Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks.  The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm. Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access. The risks introduced by the devices have been widely...

Read More
Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May05

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred. The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices. 94% of respondents said cyberattacks on mobile devices will become more...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents. Distrust –not at all trusted or not trusted very much – was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%)...

Read More
HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape
May03

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk. More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management. The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch. George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access...

Read More
Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined
Apr24

Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. An April 24 update saw swathes of critical files miscategorized as malicious. While occasional false positives can be expected on occasion, in this case the error was severe. The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem did not only affect Windows files. Scores of signed executables and third-party apps were blocked and prevented from running. The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses. Webroot AV also...

Read More
Abbot Labs Warned of Medical Device Cybersecurity Issues by FDA
Apr18

Abbot Labs Warned of Medical Device Cybersecurity Issues by FDA

Abbot Labs, which acquired St. Jude Medical in January 2017, has been warned by the Food and Drug Administration (FDA) that previously identified cybersecurity vulnerabilities in some of its products may not have been corrected. Those vulnerabilities have potential to jeopardize the safety of patients. The investigation of Abbot Labs was conducted February 7-14 at St. Jude Medical facilities in Sylmar, CA, following the public disclosure of potential vulnerabilities in certain St. Jude Medical devices. Those vulnerabilities could potentially be exploited by malicious actors to cause the devices to malfunction and patients to come to harm.  Flaws in the devices were uncovered by MedSec Holdings and were passed to Muddy Waters Capital, which announced the findings in a research report published in August last year. Multiple vulnerabilities were discovered in certain implantable pacemakers and defibrillators manufactured by St. Jude Medical, including the susceptibility to man-in-the-middle attacks that could cause the batteries in the products to be prematurely drained and the...

Read More
Healthcare Providers Are Wasting Millions on Cloud Hosting
Apr12

Healthcare Providers Are Wasting Millions on Cloud Hosting

A study by Communications for Research showed that healthcare organizations are now spending $40 billion a year on IT programs, while MarketsandMarkets research indicates $3.73 billion of that budget is spent on cloud services. By 2020, cloud spending is expected to triple and reach $9.5 billion. MedGadget healthcare market research suggests there will be a 21.95 percent CAGR for spending on cloud computing by the healthcare industry by 2019. More and more healthcare organizations are seeing the benefits that can be gained from switching to cloud computing, especially as a way of reducing IT spending. The public cloud is elastic and capacity can be increased or decreased on demand, but the reality is most organizations use of the cloud involves considerable wastage. Organizations are paying for the public cloud and are ensuring their instances have sufficient capacity, yet for a lot of the time much of the capacity that is paid for is redundant. The 2017 Rightscale State of the Cloud Report suggests 46% of enterprises are carefully monitoring cloud use and are rightsizing their...

Read More
AMIA Suggests it’s Time for a HIPAA Update
Apr11

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

Read More
Small Business Cybersecurity Bill Heads to Senate
Apr06

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets has been approved by the Senate Commerce, Science and Transportation Committee this week. The new bill, which was introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the U.S Senate. The legislation – the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act will require the National Institute of Standards and Technology (NIST) to develop new guidance specifically for small businesses to help them protect themselves against cyberattacks. New NIST guidance should include basic cybersecurity measures that can be adopted to improve resilience against cyberattacks and mitigate basic security risks. Guidance and security frameworks have been developed by NIST to help larger organizations protect their assets and data, although for smaller businesses with limited knowledge of cybersecurity and a lack of trained staff and resources they can be difficult to adopt. What is needed is specific guidance for small...

Read More
Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing
Apr06

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation. The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to to take timely action to address vulnerabilities before they are exploited. Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information. At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how congress can improve threat information sharing and improve healthcare cybersecurity. At the hearing, Denise Anderson, president of the National Health...

Read More
Dr. Donald Rucker Named New National Coordinator for Health IT
Apr03

Dr. Donald Rucker Named New National Coordinator for Health IT

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Nether the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator. Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator. Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years. While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician...

Read More
WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks
Mar22

WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information. The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack. WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million. Cyberattacks and other security incidents having risen sharply in recent years. More records are now being exposed than at any other time in history and the number of healthcare data incidents being reported reached record levels last year. The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the...

Read More
NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments
Mar17

NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments

A recent study of the Health Information Exchange adopted in New York State has shown the value of investing in an HIE and the positive impact it has on patient outcomes and operational efficiency. Following considerable investment in the New York State HIE, patient stays have been reduced, the likelihood of readmission has fallen, as have the number of physicians needed to examine patients in emergency departments. The study has shown that quality of care has been improved along with operational efficiency, resulting in considerable cost savings and improved patient outcomes. The study examined almost 86,000 emergency department encounters over a period of 19 months between July 1, 2012 and January 31, 2014 at four emergency departments linked to the HealthLinkNY Health Information Exchange. During that time, there were 46,270 patient visits which were attended by 326 physicians. Emergency departments were selected for the study as they are high pressure environments where physicians are required to treat patients with a wide range of medical conditions and must gather information...

Read More
VA to Abandon EHR In Favor of Commercial EHR System
Mar15

VA to Abandon EHR In Favor of Commercial EHR System

The challenges of developing and maintaining a custom EHR system have proved too great for the Department of Veteran Affairs. The VA developed its EHR system – VistA – in house; however, it was labor intensive, costly and time consuming to maintain and use. According to VA secretary, David Shulkin, the system is “too complex and too difficult to maneuver”. A decision needed to be taken on whether to continue to plough money and resources into getting VistA to work as it should, or to call it quits and opt for a new, commercially available system. The VA has more important priorities than software development and has opted for the latter. Shulkin wants veterans to have more choice about where they receive care. Having an EHR that allows data to be easily shared is essential to ensure veterans get the best medical treatment possible. Yet the VistA system often resulted in care being delayed which had a negative effect on patient outcomes. The decision to ditch VistA has been a long time coming. The system has been extensively discussed at hearings and last year feedback was sought on...

Read More
87% of Healthcare Organizations Will Adopt Internet of Things Technology by 2019
Mar01

87% of Healthcare Organizations Will Adopt Internet of Things Technology by 2019

The healthcare industry is embracing Internet of Things technology. 60% of healthcare organizations have already introduced IoT into their infrastructure – The third highest adoption rate of any industry. According to a recent study by Hewlett Packard subsidiary Aruba, in just two years, 87% of healthcare organizations will have adopted Internet of Things technology. The study revealed that the most common area where IoT is being utilized is for patient monitoring and maintenance. 73% of surveyed healthcare executives said they used IoT in this area, while 42% said this was the main use for IoT. The healthcare industry leads the way in this area with the highest adoption rate of any industry sector. 64% of respondents said they use IoT for patient monitors, 56% use IoT for energy meters, and 33% use IoT for imaging devices. Remote operation and control was the second most common use of IoT, used by 50% of providers, while the third most common use is for location-based services, with adoption at 47%. The benefits of IoT are clear. 80% of healthcare executives said IoT has improved...

Read More
Healthcare Industry Threat Landscape Explored by Trend Micro
Feb22

Healthcare Industry Threat Landscape Explored by Trend Micro

Trend Micro has issued a new report that explores the healthcare industry threat landscape, the new risks that have been introduced by the inclusion of a swathe of IoT devices, and how cybercriminals are stealing and monetizing health data. Cybercriminals are attacking healthcare organizations with increased vigor. More attacks occurred last year than any other year, while 2015 saw a massive increase in stolen healthcare records. While the health data of patients is an attractive target, health records are not always being sold for big bucks on underground marketplaces. Health insurance cards can cost as little as $1, while EHR records start at around $5 per record set. However, cybercriminals are now increasing their profits by processing and packaging the stolen data.  Data are used to obtain government-issued iDs such as driver’s licenses, passwords and birth certificates. Farmed identities of individuals who have died are being sold, which can see prices of more than $1,000 charged per identity, or even more if IDs are also supplied. A large haul of health data from an EHR...

Read More
Majority of Healthcare Organizations Struggling with EHR Interoperability
Feb13

Majority of Healthcare Organizations Struggling with EHR Interoperability

A recent survey from Black Book Market Research has highlighted what hospital administrators and physicians know all too well. Great strides may have been made toward a fully interoperable healthcare system, but important medical data is still not accessible. There are still many problems getting hold of electronic health record data and making it accessible to the people who need it most. Many EHR systems do not have the required connectivity. Even when data from healthcare providers’ EHR systems does get sent to other providers, the data are often in an unusable or difficult to use format. 3,391 users of EHRs were surveyed for the Black Book survey. 25% of respondents said they are unable to use any data sent by other healthcare providers, while 22% of surveyed hospital administrators said they receive medical record data from other healthcare organizations in a format that does not allow data to be easily incorporated into their own EHR systems. 70% of hospitals were not using external EHR information because the data were missing from their systems’ workflow. Receiving data in...

Read More
IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed
Jan31

IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed

Organizations around the world are taking advantage of IoT and mobile applications to improve efficiency, yet too little is being done to ensure the applications are secure.  A key lesson from a recent Ponemon Institute survey is application usability and not just data security should always be factored into application development and cloud cost management or users will resist security measures and find workarounds. Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data. IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk. 593 IT and IT security professionals were...

Read More
L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals
Jan06

L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals

Members covered by the L.A. Care Health Plan in Los Angeles are now benefiting from improved health information sharing with healthcare providers following the launch of a new health information exchange platform. L.A. Care Health Plan (formerly known as Local Initiative Health Authority of Los Angeles County) is a public entity providing an accountable care program and other health plans (such as L.A. Care Covered, L.A. Care’s Healthy Kids and PASC-SEIU Homecare Workers Health Care Plan) for Los Angeles residents. Through its 6 health care plans, L.A. Care Health Plan provides coverage for more than 2 million individuals including some of the most vulnerable populations in the County, and is now the largest publicly operated health plan in the United States. Last year, the health plan conducted a pilot with the eConnect information exchange platform supplied by Safety Net Connect. The eConnect platform enables users to provide real-time alerts on admissions, discharges, and transfers using the HL7 Admit Discharge Transfer Protocol. The pilot was a success and in August 2015, L.A....

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data. Important Medical Information is Being Withheld by Patients The extent to...

Read More
New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data. The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure. If a wearable device is provided to a patient by a HIPAA-covered entity, the...

Read More
FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec28

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure. The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm. Earlier this year, short-selling...

Read More
ONC Publishes Final 2017 Interoperability Standards Advisory
Dec21

ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs. The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that support interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used. The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online...

Read More
TigerText Announces Record-Breaking Year for Growth
Dec16

TigerText Announces Record-Breaking Year for Growth

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States. TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA). This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched...

Read More
Security Cameras Could Be Your Biggest Security Weakness
Dec09

Security Cameras Could Be Your Biggest Security Weakness

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks. Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available...

Read More
OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year, DDoS attacks of the order of 300 Gbps something of a rarity, this year we have seen...

Read More
Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices
Nov09

Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices

Concern about the security of medical devices has been growing in recent weeks following the potential discovery of security vulnerabilities in St. Jude Medical devices. While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored. Currently, around 10-15 million medical devices are in use in the United States, with that number expected to grow considerably over the next few years. With so many connected devices, many of which are approaching end of life and use technology that could potentially be exploited buy cybercriminals, there is naturally concern about device security and how it can be improved. The threat to patients may currently be low, but if action is not taken to improve device security patients could be harmed and vulnerabilities may be exploited to gain access to healthcare data. Last week, Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sought clarification from the Food and Drug Administration (FDA)...

Read More