FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec 28

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure. The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm. Earlier this year, short-selling...

ONC Publishes Final 2017 Interoperability Standards Advisory
Dec 21

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs. The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that supports interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used. The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online...

TigerText Announces Record-Breaking Year for Growth
Dec 16

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States. TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA). This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched...

Security Cameras Could Be Your Biggest Security Weakness
Dec 9

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security weaknesses in security and surveillance cameras could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks. Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available...

OCR Warns Covered Entities of Risk of DDoS Attacks
Dec 8

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems crashing, and other computer equipment being taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage, and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year DDoS attacks of the order of 300 Gbps were something of a rarity, this year we have seen...

Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices
Nov 9

Concern about the security of medical devices has been growing in recent weeks following the potential discovery of security vulnerabilities in St. Jude Medical devices. While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored. Currently, around 10-15 million medical devices are in use in the United States, with that number expected to grow considerably over the next few years. With so many connected devices, many of which are approaching end of life and use technology that could potentially be exploited by cybercriminals, there is naturally concern about device security and how it can be improved. The threat to patients may currently be low, but if action is not taken to improve device security, patients could be harmed and vulnerabilities may be exploited to gain access to healthcare data. Last week, Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sought clarification from the Food and Drug Administration (FDA)...

Physicians Not Getting Full Benefits from EHR Systems
Nov 8

Incentive payments for transitioning from paper records to electronic health records have prompted many physicians to purchase electronic health record systems. By 2015, 77.9% of office-based physicians had installed and were using EHRs. However, while EHRs are now in use in most physicians’ offices, the vast majority of physicians are not getting the full benefits of their EHR systems, according to a recent report from the U.S. Department of Health and Human Services’ Centers for Disease Control and Prevention (CDC). CDC took data from the 2015 National Electronic Health Records Survey (NEHRS) for the report: State Variation in Electronic Sharing of Information in Physician Offices: United States, 2015. Survey data were used to describe the extent to which EHR systems were being used by physicians, and the report provides a snapshot of the interoperability of medical records. While the systems are now in place to allow the sharing of health information with other healthcare providers, there are still many barriers which are preventing data sharing and consequently, physicians and...

A NICE New Framework for Developing A Skilled Cybersecurity Workforce
Nov 4

On Tuesday this week at the NICE Conference and Expo in Kansas City, Missouri, the Department of Commerce’s National Institute of Standards and Technology (NIST) announced the release of a new draft version of its NICE Cybersecurity Workforce Framework (NCWF). According to NIST, the new Framework “will allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent,” and help U.S. organizations develop a well-trained cybersecurity workforce. The Framework has been developed by the National Initiative for Cybersecurity Education (NICE) and is the product of extensive collaboration between academic institutions, private sector organizations, and government agencies including the U.S. Department of Defense and Department of Homeland Security. The new framework provides a common language to categorize different cybersecurity roles and describes job titles and responsibilities in detail. The Framework serves as a workforce dictionary that can be used by organizations to define and share information about the cybersecurity workforce in a detailed,...

ONC Draws Attention to New Resources to Help Providers Maintain Access to ePHI
Nov 2

The majority of healthcare providers have now transitioned to electronic health records, yet ensuring ePHI is always accessible when it is needed is sometimes a challenge. Should providers not be able to access ePHI, the health and safety of patients may be put at risk. To prevent harm to patients and HIPAA violations, the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has drawn attention to a number of new resources that have been made available to providers to help ensure ePHI access is maintained. The ONC has drawn attention to a new FAQ that was recently published by the Department of Health and Human Services’ Office for Civil Rights (OCR), which explains how Health Insurance Portability and Accountability Act (HIPAA) Rules apply to health IT vendors, such as EHR vendors. Health IT vendors are classed as business associates of HIPAA-covered entities, and as such they are required to abide by the HIPAA Privacy, Security, and Breach Notification Rules. The FAQ explains that under the HIPAA Privacy Rule, EHR vendors must ensure that the...

$1.5 Million in Grants Awarded by HHS to Improve the Flow of Health Data
Sep 30

Grants totaling $1.5 million have recently been awarded to seven organizations by the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to develop standards-based solutions to improve the exchange of health information. New approaches to health information exchange will be developed and tested, and the results of the Cooperative Agreement programs will help to improve medication management, data exchange, and the coordination of care. According to the ONC, more than 35 applications were received for the High Impact Pilot and Standards Exploration Award grants, which were announced at the Health Datapalooza Conference in May. The $1.5 million will be shared between the seven winning applicants. As Vindell Washington, MD, national coordinator for health information technology explained, “These programs will serve as key building blocks for improving the patient and provider experience with the flow of health information.” Announcing the winners of the awards, Washington said the aim is to “advance the use of common...

ONC Issues Guidance for Negotiating EHR Contracts
Sep 27

The Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has issued guidance for HIPAA covered entities to assist them when negotiating EHR contracts. The guidance offers advice on how to select and negotiate terms with EHR vendors, and helps covered entities understand the fine print of contracts. The benefits of EHR systems are clear; however, in practice those systems do not always live up to expectations. If mistakes are made in the selection of EHR systems, or errors are made negotiating contracts, the systems can result in unexpected costs being incurred, business efficiency can be disrupted, and covered entities may even be prevented from accessing patient records. Many healthcare organizations fail to appreciate that while an EHR system includes the data repository and software for creating, maintaining, and accessing data, the EHR will need to be interoperable with other healthcare IT systems. Compatibility issues with those systems can prove extremely costly. Many of the implementation, maintenance, and access problems that...

Sharing of Health Data with Patients: 95% of Hospitals Now Offer ePHI Access
Sep 16

The Department of Health and Human Services has been encouraging patients to take a more active role in their own healthcare and to engage more with their healthcare providers. Not only will this help to improve patient outcomes, it will also help to reduce healthcare costs. Healthcare organizations have also been encouraged to improve patient engagement, in part by ensuring that patients can easily access their ePHI. Under the Shared Nationwide Interoperability Roadmap, healthcare providers should allow patients not only to view their health data, but also to download copies and transmit those data to any healthcare provider of their choosing. This week, the Office of the National Coordinator for Health IT has released statistics showing the progress that has been made and the extent to which electronic capabilities for patient engagement have been implemented by U.S. hospitals. According to the data brief, significant progress has been made. The vast majority of U.S. Non-Federal Acute Care Hospitals are now allowing patients online access to their ePHI. There has also been a...

Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?
Sep 8

If you use a Cisco Adaptive Security Appliance (ASA) in your organization and have not patched the device to remediate the EXTRABACON vulnerability, the flaw could be exploited by hackers and used to steal ePHI. On August 13, 2016, a group operating under the name Shadow Brokers released an exploit for EXTRABACON. The vulnerability affects a number of Cisco ASA network security devices and could potentially be used by hackers to gain full control of the devices. Should that happen, it would be possible for a hacker to decrypt VPN traffic, or access internal systems, including those used to store ePHI. The EXTRABACON vulnerability affects versions 1, 2c, and 3 of the Simple Network Management Protocol (SNMP) in a number of Cisco devices including its ASA, ASAv, Firepower, and PIX Firewall products. The vulnerability could allow attackers to create a buffer overflow and run arbitrary code by sending specially crafted SNMP packets to an SNMP-enabled interface. In order to exploit the EXTRABACON vulnerability, the attacker would need to have knowledge of a configured SNMP community...

Muddy Waters Device Hacking Claims Questioned by Researchers
Sep 1

Last week, Carson Block – founder of short-selling firm Muddy Waters – released a report saying St. Jude Medical’s Merlin@home device for monitoring pacemakers contained critical security flaws that could be remotely exploited. Those exploits could be used to disrupt the function of the devices and cause them to fail. The research for the report was conducted by security firm MedSec. MedSec had been testing a range of devices from multiple manufacturers as part of an 18-month study of device security. MedSec chose not to present the findings to St. Jude; instead, the research was offered to Muddy Waters. The two companies entered into a partnership, with MedSec being paid a consultancy fee. MedSec will also benefit financially from any shorting of St. Jude stock. Block was able to short St. Jude’s stock, with the value of shares falling by 5% last Thursday following the publication of the report. However, leading medical device security researchers from the University of Michigan have conducted their own experiments to test St. Jude devices for security vulnerabilities. Their...

ONC Announces Winners of the Healthcare Blockchain Challenge
Aug 31

Last month, the US Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) launched a challenge to explore the potential uses of Blockchain technology in healthcare and health-related research. While Blockchain is best known for its use in the digital currency Bitcoin, Blockchain technology has tremendous potential to benefit the healthcare industry, in particular to improve data privacy, security, and interoperability. Blockchain certainly shows great potential and is attracting considerable investment. In 2014, $299 million was invested in Blockchain by VC-backed companies and that figure rose to $474 million in 2015. Critics of Blockchain have expressed concern about the level of computing power needed and the cost of implementing Blockchain technology, claiming the use of the technology would therefore be extremely limited in healthcare. However, even though there are potential stumbling blocks, there was no shortage of potential applications submitted to the ONC. The ONC received more than 70 whitepapers from research...

St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws
Aug 26

When security researchers at MedSec discovered flaws in a suite of medical products, instead of contacting the manufacturer of the devices – St. Jude Medical – the company divulged the information to Carson Block, a short seller who runs investment capital firm Muddy Waters Capital LLC. MedSec will receive payment from Muddy Waters for the disclosure. Block has taken a short position against the manufacturer and the bigger the fall in stock prices, the more MedSec stands to make. St. Jude Medical was the second most popular stock with large hedge funds in Q2, 2016. Block recently issued a report through Muddy Waters explaining the flaws which sent stock prices tumbling. After the report was published, St. Jude Medical stock lost 8% of its value and closed the day 5% down. In the report, Block predicted that St. Jude Medical could end up losing half of its annual revenue for at least the next two years while the flaws are remediated. The revelation also threatens to derail the recent $25 billion acquisition of the company by Abbot Technologies. The security...

Locky Ransomware Attacks on Hospitals Increase
Aug 22

According to a new report from security firm FireEye, Locky ransomware attacks on hospitals have surged this month. Criminal gangs that have previously used the Dridex banking Trojan for attacks appear to have switched to Locky, and the healthcare sector is being targeted. Hospitals now face an increased risk of experiencing Locky crypto-ransomware attacks. FireEye discovered a number of “massive” email campaigns were launched this month. Each of those campaigns has been unique. The attackers have used different text for the phishing emails, one-off code for each campaign, different malicious URLs, and unique encoding functions and keys for each campaign.
The Rise of Locky
Locky ransomware was first discovered in early 2016 and has been used in a number of attacks on healthcare organizations, most notably the attack on Hollywood Presbyterian Medical Center in February. That attack resulted in a ransom of $17,000 being paid in order to obtain keys to decrypt locked data. Early Locky campaigns have used JavaScript downloaders to install the crypto-ransomware, with the malicious files...

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges
Aug 19

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent. Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained to the attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented. When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.” He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better....

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations
Aug 17

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges. Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed. Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers. If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on...

13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats
Aug 12

Over the next five to six years, the healthcare cybersecurity solution market is expected to grow by 13.6%, according to a new Frost & Sullivan report. Healthcare organizations now have to protect a much broader attack surface, since the vast majority of organizations have transitioned from paper to digital PHI formats. Keeping data protected from attacks by malicious actors is now a major concern for healthcare organizations. The threat landscape has changed considerably and traditional cybersecurity solutions are failing to prevent increasingly sophisticated attacks. The increase in cybersecurity threats will fuel considerable growth in the hospital cybersecurity market. As we have seen in the past few weeks, the Department of Health and Human Services’ Office for Civil Rights has stepped up enforcement of HIPAA regulations and has issued a number of multi-million dollar fines to companies that have failed to adequately protect the ePHI of patients. The FTC and state attorneys general have also taken action against healthcare organizations that have...

Karen DeSalvo Leaves ONC: Vindell Washington Takes Over
Aug 12

For the past two years, Karen DeSalvo has served as the National Coordinator for Health Information Technology of the Office of the National Coordinator for Health Information Technology (ONC). That role has now come to an end, as today, DeSalvo will be stepping down. The new ONC head will be the former deputy national coordinator, Dr. Vindell Washington. DeSalvo will not be leaving the Department of Health and Human Services (HHS), as she will continue in her role as acting assistant secretary for health, a position she has held since October 2014. DeSalvo took on that post to oversee the nation’s response to the Ebola crisis. Leaving the position of national coordinator will allow DeSalvo to concentrate on that position. Before DeSalvo joined the ONC, one of the ONC’s main roles was to oversee the adoption of electronic health records by the healthcare industry. When DeSalvo took over as head, the ONC was becoming increasingly involved with promoting interoperability. DeSalvo played an important part in driving the meaningful use EHR incentive program forward and advancing...

TigerText Receives HITRUST CSF Certification
Jul 28

Secure healthcare messaging platform provider TigerText has achieved CSF Certification from the Health Information Trust Alliance (HITRUST). TigerText is the first vendor in its class to earn HITRUST CSF certification. HITRUST CSF was developed to help organizations in the healthcare sector certify that they have implemented the necessary privacy and security controls in compliance with HIPAA and HITECH legislation, in addition to globally recognized standards and frameworks developed by NIST, ISO, PCI, FTC, and COBIT. Since the HITRUST CSF was developed, it has fast become the most widely-adopted security framework in the U.S. healthcare industry. In order for organizations to earn HITRUST CSF certification they must be able to demonstrate that they meet key healthcare regulations covering the protection of sensitive healthcare information and that they are effectively managing risk. As Ken Vander Wal, Chief Compliance Officer at HITRUST, explains, “The HITRUST CSF has become the information protection framework for the healthcare industry, and the CSF Assurance program is bringing a new...

Could New Database Methodology End Massive Healthcare Data Breaches?
Jul 22

If a hacker succeeds in breaking through network security defenses and gains access to patient data, hundreds of thousands of healthcare records can be stolen in an instant. In the case of Anthem, tens of millions of records were obtained by data thieves. However, a new methodology for protecting relational databases has been devised by Washington, D.C.-based MD and computer scientist William Yasnoff, M.D. Yasnoff, a managing partner of the National Health Information Infrastructure (NHII) Advisors, believes that the new architecture could help healthcare organizations avoid large-scale data breaches. In a paper published in the Journal of Biomedical Informatics, Yasnoff explains that he has developed a new health record storage architecture that allows healthcare organizations to store and encrypt each individual patient’s data separately. By using Yasnoff’s “personal grid” methodology, healthcare organizations can greatly reduce the risk to patients in the event of a data breach. The technique is not being sold by Yasnoff, but can be used free of charge by healthcare organizations and...

Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report
Jul 20

Consumers’ health data is potentially being placed at risk by entities that are not covered by HIPAA Rules, according to a recent report issued by the ONC. The report – Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA – was produced following a study of the application of privacy and security requirements to non-HIPAA covered entities and business associates. The report also draws on work conducted by the FTC, National Committee on Vital and Health Statistics (NCVHS), and OCR. The ONC explains in the report that a large number of organizations are now collecting, storing, and transmitting health data, yet many of those organizations are not subject to the same rules concerning the protection of ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust and numerous gaps exist that place the health data of individuals at risk.
The Scope of HIPAA is Limited
HIPAA covers traditional healthcare organizations that perform electronic transactions –...

Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall
Jul 18

The lifting of the Joint Commission ban on secure text orders was welcomed by healthcare organizations and secure messaging providers; however, the ban is now back in place. Text orders cannot currently be sent, even if a secure messaging platform is used.
Joint Commission Ban on Secure Text Orders Lifted Only for a Month
The lifting of the Joint Commission ban on secure text orders was announced in the May Perspectives newsletter, although the June newsletter explained that organizations wishing to use a secure messaging platform must first be provided with further guidance to help them incorporate the texting of orders into their policies and procedures. The May Perspectives newsletter explained that “effective immediately” the Joint Commission ban on secure text orders was lifted. The newsletter explained that in order for healthcare organizations to start using text messages to transmit orders, a number of conditions needed to be satisfied. Standard text messaging platforms could not be used due to the risk of data being intercepted. The texting of orders would only be permitted...

Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits
Jun 28

Cybercriminals are using increasingly sophisticated methods to gain access to healthcare networks, although according to a recent report – MEDJACK.2 Hospitals Under Siege – from TrapX Research Labs, old school malware and ancient exploits can still be effective. Three hospitals have been discovered to have been infected with malware via medical devices running on legacy systems. The researchers discovered “a multitude of backdoors and botnet connections” that had been installed using ancient exploits of the unsupported Windows XP platform. Hackers had succeeded in compromising the machines even though the hospitals had modern, sophisticated cybersecurity defenses in place. The initial attacks used old malware which was not detected by advanced security software. The malware was not deemed to pose a threat, as the vulnerabilities that the malware exploited had been addressed in Windows 7 and did not exist in later Windows versions.
Sophisticated Cybersecurity Defenses Failed to Identify Windows XP Malware Infections
One of the hospitals tested by TrapX researchers had a...

Healthcare Organizations Need to Be Proactive and Hunt for Security Threats
Jun22

Many organizations are now opting to outsource cybersecurity to managed security services providers (MSSPs) due to a lack of internal resources and expertise. However, many MSSPs are unable to offer the advanced threat detection services necessary to significantly improve cybersecurity posture. Raytheon Foreground Security recently commissioned a Ponemon Institute study to investigate how MSSPs were being used by organizations. Raytheon surveyed 1,784 information security leaders from a range of organizations – including healthcare providers – in North America, the Middle East, Europe, and the Asia-Pacific region. Respondents were asked about the role of MSSPs, how important their services are, and how MSSPs fit into business strategies. 80% of organizations that have enlisted the services of MSSPs say that they are an important element of their overall IT security strategy and provide a range of services that cannot be managed in-house. Many organizations do not have sufficient IT personnel to make their cybersecurity strategies more effective, and when staff are available they...

VA Implements New Measures to Improve Medical Device Cybersecurity
Jun21

In May, a top official at the Veterans Administration said that the risk of medical devices being hacked to give patients overdoses or otherwise cause them to come to harm is relatively unlikely; however, VA deputy director of health information security Lynette Sherrill did point out that medical devices could be a weak link that cyberattackers attempt to exploit. One of the problems is that medical devices are not always patched promptly. The devices connect to networks via traditional operating systems such as Windows. When patches are released by Microsoft, medical devices are often the last devices to have the updates applied. The Information Security Monthly Activity Report sent by the VA to Congress often shows that medical devices have been infected with malware. In January, the VA discovered three medical devices had been infected, with a further case in February and two more in April. Since malware infections started to be tracked by the VA in 2009, 181 medical device infections have been discovered. These infections have all been contained and are not believed to have...

NIST Cybersecurity Framework to be Updated
Jun15

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. The Framework details a set of standards, procedures, and processes that can be adopted by organizations to help them align their policy, business, and technological approaches to deal with cybersecurity risks. In December 2015, NIST issued a request for information (RFI) seeking feedback on use of the Cybersecurity Framework. NIST also asked for comments regarding long-term governance of the Framework and suggestions on how best practices for use should be shared. 105 responses were received. Further feedback was sought from stakeholders at an April 6-7 workshop in Gaithersburg, MD, specifically on best practice sharing, case studies, further development of the Framework, and comment on the NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The feedback received from the RFI and the workshop indicated the Framework had proved to be a useful organization- and system-level tool, and that it has proved to be valuable for coordinating cybersecurity. Organizations...

FDA Issues Guidance for Medical Device Makers to Facilitate Data Sharing with Patients
Jun14

The Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers offering recommendations to facilitate the sharing of medical device data with patients. The FDA believes that sharing medical data such as oximetry data, heart electrical activity, and cardiac rhythms with patients will help to empower them to become more engaged in their own healthcare, and will help them to make sound medical decisions. In the guidance, the FDA explains that while the data recorded by these devices is primarily for physicians and hospitals, device manufacturers should make the data recorded by their devices available to patients. The data included in the FDA’s definition of patient-specific information includes, but is not limited to, healthcare provider inputs, device usage/output statistics, incidences of alarms, records of device malfunctions or failures, or any data recorded by the devices. Device manufacturers have previously suggested that FDA approval would be necessary before they provided medical device data to patients. The FDA has issued the guidance...

ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun03

Earlier this year, the HHS’ Office for Civil Rights (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that can be adopted by healthcare organizations for charging for PHI copies. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC) – in conjunction with the OCR – released a series of educational videos to improve understanding of patients’ HIPAA rights. The ONC wants to improve patient engagement and get patients to take greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to medical records allows patients to check for errors, provide their data to other healthcare providers or...

Verity Health System Victim of Phishing Attack
Jun03

Verity Health System has fallen victim to a phishing attack resulting in sensitive employee data being emailed outside the company. Employee names, addresses, Social Security numbers, amount earned in the financial year, and details of tax withheld have been disclosed to the attacker. The breach only affected past and present employees who would have received a W-2 for the past financial year. No patient data was compromised in the breach. An email was received on April 27, 2016, which appeared to have been sent from an individual inside the organization. The email asked for information on Verity employees, which was sent as requested. The scam was discovered just over three weeks later. The Oregon-based healthcare provider is one of a large number of companies that have fallen victim to this kind of scam this year. These phishing attacks are often referred to as business email compromise scams, although internal email accounts are not always compromised. Oftentimes, attackers purchase a similar domain to that used by the targeted organization. The letter ‘I’ could be replaced...

TigerText Announces Collaboration with Honeywell
Jun02

TigerText, the leading provider of secure text messaging solutions for the healthcare industry, has announced that users of Honeywell’s new Dolphin™ CT50h smartphone can now use the TigerText secure messaging app. TigerText has been working closely with Honeywell to develop a customized version of its app which can be downloaded onto the Dolphin smartphone. The new version of the TigerText app works with the next-generation scanner on Honeywell’s Dolphin™ CT50h smartphone, which can be used to verify patients’ identities. TigerText has incorporated its bot technology which allows healthcare data to be pulled directly from healthcare providers’ electronic medical record systems. Physicians can use the app to retrieve critical up-to-date health information about patients’ medications by scanning barcodes with the Dolphin smartphone. The TigerText app allows physicians to obtain EMR data in real time, ensuring they can access all patient data including recent procedures and notes entered by all members of the care team. Having access to the most up-to-date patient information will...

CHIME Launches New Cybersecurity Center and Program Office
May31

The College of Healthcare Information Management Executives (CHIME) has announced the opening of a new Cybersecurity Center and Program Office which will help healthcare organizations deal with cyber threats and better protect patient data and information systems. Announcing the opening of the new office, CHIME President and CEO Russell Branzell explained the need for better collaboration within the healthcare industry. “Cyber threats are becoming more sophisticated and more dangerous every day.” He went on to say, “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.” The new office will be manned by CHIME staff, although assistance will be sought from the Association for Executives in Healthcare Information Security (AEHIS) members, who will serve as security advisors to the center as well as to the healthcare industry. The Cybersecurity Center and Program Office will develop a range of resources to help healthcare organizations develop better...

HHS Announces Release of the Final Data Security Policy Principles Framework
May27

HHS Secretary Sylvia Matthews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI) which was launched by President Obama in early 2015. The Security Principles Framework was developed to help healthcare organizations that participate in the PMI understand the security measures that must be adopted to protect sensitive health, genetic, and environmental information. According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care.” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.” In February, the Obama Administration announced that great progress has been made so far, and that more than 40 commitments have been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR...

Cybersecurity Training Failing to Tackle Insider Threat
May27

A recent Ponemon Institute/Experian study – Managing Insider Risk Through Training & Culture – has shown that companies are failing to provide adequate cybersecurity training to prevent negligent behavior by employees and to reduce the risk of an insider data breach. For the latest study, over 600 individuals from a wide range of organizations were questioned about their cybersecurity training programs. Respondents included C-suite executives, managers, and IT professionals from companies that had a data protection and privacy training (DPPT) program in place. The study revealed that 55% of companies have experienced a data breach in the past that was caused by employee negligence or human error. When asked about the risk of a data breach as a result of negligence or employee error the majority of companies were aware of the risk. 66% of respondents said they believed employees are the weakest link in the security chain, yet more than half of respondents said their cybersecurity training programs were not effective. When asked about training programs and employees...

Apple to Recruit HIPAA Expert as Privacy Counsel
May25

Apple is seeking a Privacy Counsel with extensive experience in healthcare privacy and a thorough understanding of HIPAA regulations. The new position confirms that Apple is planning on developing its products to be more valuable to healthcare professionals and patients, and that the company is intent on making more of a mark in the healthcare sector. The new recruit will be required to work on cutting edge projects, providing essential input on privacy and security, working on privacy by design reviews, supporting compliance and auditing frameworks, drafting policies and procedures to ensure compliance with privacy laws, and assisting with privacy complaints and breaches. The individual will also play a major part in designing privacy solutions for Apple products. The new position could indicate Apple is intent on developing HIPAA-compliant apps or may be working on a HIPAA-compliant backend for its frameworks to enable patient data to be stored and transmitted securely, in accordance with HIPAA Rules. Apple has already developed products and frameworks for monitoring patient...

Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued
May23

As last week’s Kansas Heart Hospital ransomware attack clearly demonstrates, paying a ransom may not necessarily result in decryption keys being supplied by attackers to allow files to be unlocked.

Ransomware Claims Another Healthcare Victim

This year a number of healthcare organizations have had vital data locked by malicious file-encrypting software. In February, Hollywood Presbyterian Medical Center felt there was little alternative but to pay a ransom to attackers to obtain decryption keys to unlock files that had been locked with ransomware. The attackers issued a Bitcoin ransom demand of approximately $17,000. Upon paying the ransom, the medical center was provided with a security key for each of the devices that had been infected. Other healthcare providers have also been attacked this year. MedStar Health was reportedly issued a 45 Bitcoin ($19,000) ransom demand, although the ransom was not paid; instead, files were recovered from backups. Other attacked healthcare providers were also able to avoid paying a ransom and recovered their locked files by restoring their systems...

Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies
May20

The United States Department of Justice has charged an engineer with the theft and possession of trade secrets belonging to two medical device manufacturers. 43-year-old Wenfeng Lu of Irvine, California, was indicted on 12 charges by a grand jury on Wednesday this week. Lu is alleged to have stolen proprietary trade secrets from EV3 Covidien while employed at the company between January 2009 and October 2011, and from Edwards Lifesciences Corp., where he was employed between November 2011 and November 2012. Lu is alleged to have stolen information and emailed the confidential data to his personal email account. It has also been alleged that Lu took photographs of equipment and copied company reports, presentations, emails, and test results. Lu visited the People’s Republic of China (PRC) on multiple occasions after obtaining data. It is alleged that Lu was attempting to set up his own company with associates in the PRC and planned to use the trade secrets to manufacture medical devices in the PRC. Lu was arrested by the FBI in 2012 while preparing to board a plane bound for the PRC. Lu was...

Department of Veterans Affairs Seeks Vendors to Search for Stolen Data
May17

Even when appropriate controls are implemented to secure electronic protected health information (ePHI), data breaches can still occur. Mistakes are made with the configuration of firewalls, ePHI is accidentally disclosed to unauthorized individuals, and phishing attacks and malware allow criminals to gain access to ePHI. Healthcare data breaches have now become as inevitable as death and taxes despite the best efforts of healthcare organizations to keep ePHI secured. The Department of Veterans Affairs is the largest integrated health system in the United States, with more than 1,700 locations providing healthcare services to more than 8.76 million veterans. The VA stores a considerable volume of ePHI, which makes it a large target for cyberattackers. In April alone, the VA blocked 77.69 million intrusion attempts, blocked and/or contained almost 460 million malware samples, as well as more than 105 million malicious emails. With so many attempted attacks, occasional data breaches are to be expected. When breaches occur, lessons are learned, systems are improved, and security...

TigerText Launches HealthBot Capable of Automating the Provision of Healthcare Information to Patients
May13

TigerText has launched a new secure, HIPAA-compliant, messenger service for web portals and mobile applications which automates a wide range of tasks that previously required the time of support staff. All too often patients face extended wait times when calling hospitals and other healthcare facilities and hold times in excess of 30 minutes are far from uncommon. Obtaining answers to questions and making routine appointments is rarely a quick process, causing considerable frustration for patients. Patient web portals are a convenient way of communicating with patients more efficiently, yet healthcare staff are still required to man the web portals. Many of the questions asked by patients via web portals can be easily handled by a messenger bot. Automating these services can reduce patient waiting times and provide patients with instant answers to their questions. With the cost of healthcare expected to increase by 5.8% each year, healthcare organizations need to find new ways to improve efficiency and lower operational costs. Messenger bots can allow patients to receive...

Anti-Malware Scan Stops Cardiac Catheterization Procedure
May12

It is important for anti-malware solutions to be used to protect medical devices, although care must be taken when configuring software. As was recently highlighted at a U.S. hospital, a software misconfiguration has the potential to have an adverse effect on patients. Earlier this year, a cardiac catheterization procedure had to be halted when a hemo monitor PC was prevented from communicating with the hemo monitor. This resulted in the hemo monitor screen going black, preventing the operating room staff from viewing the patient’s physiological data. There was a delay to the procedure of around five minutes while the application was rebooted, during which time the patient was sedated. The procedure continued after the application was brought back online and was completed successfully, although the delay could potentially have caused the patient to come to harm. The Food and Drug Administration (FDA) has recently issued a report on the incident, which occurred on February 8, 2016. The FDA investigation revealed that the temporary failure of the equipment – Merge Hemo V9.40.1...

Brookings Offers Breach Prevention Advice to OCR and Healthcare Organizations
May11

A recent report issued by the Brookings Institution delves into the problems faced by the healthcare industry now that so much patient data is being collected, stored, and transmitted by healthcare institutions. In its report, Brookings offers advice to healthcare organizations and the Department of Health and Human Services’ Office for Civil Rights (OCR) about how patient privacy can be better protected, and strategies that can be adopted to prevent data breaches.

23% of All Data Breaches Affect the Healthcare Industry

Over the past two years, the number of breaches suffered by healthcare organizations has increased significantly. 23% of all data breaches now affect the healthcare industry. Since OCR started publishing details of data breaches reported by healthcare organizations six years ago, almost 1,500 separate data breaches have occurred. Those breaches have exposed the healthcare data of over 155 million Americans. To investigate the problem, the Brookings Institution conducted a study to find out more about why healthcare data breaches are occurring with such regularity,...

HIPAA Incident Highlights Importance of Using a Secure Messaging Platform
May11

Earlier this year, BioReference Laboratories Inc. (BRLI) discovered that a number of phlebotomists had adopted the practice of using their smartphones to take photographs of laboratory test requests in order to transmit them to BRLI. The practice was drawn to the attention of BRLI on February 9 this year. An investigation was conducted which revealed smartphones had been used by some of the company’s phlebotomists in Florida for this purpose since January 2013. The practice continued until February 10, 2016. Over the course of four years, the lab test requests relating to 3,563 individuals had been photographed and transmitted over an unsecured network. The data typically photographed included full names of patients, birth dates, addresses, medical record numbers, admission/discharge dates, health insurance information, details of the laboratory tests that were ordered, diagnosis codes, and Social Security numbers. BRLI has no reason to believe that any of the photographs were intercepted, obtained, or viewed by unauthorized individuals or that any data have been used in...

OIG Report: Veterans Benefits Administration Not Tracking Information Security Violations
May11

In April last year, the Office of Inspector General received an anonymous tip-off alleging the Veterans Benefits Administration (VBA) had not integrated appropriate audit logs into the Veterans Benefits Management System. The subsequent investigation substantiated the allegation and revealed that the VBA had not been identifying and logging all security violations accurately. OIG checked for the existence of audit logs and tested their accuracy by having 17 employees try to access same-station veteran employee compensation claims in the Veterans Benefits Management System (VBMS). Those that were logged were identified as existing in the Share application used by VA Regional Offices (VAROs) or said to have occurred in an unknown system. The actions of two of the 17 employees were not tracked and recorded in the audit logs. The tests were conducted at two VAROs in Texas (Houston and Waco) and one in Washington (Seattle). OIG was unable to determine why two employees’ audit logs were not recorded, although OIG did conclude that the Office of Business Process Integration (OBPI) had not...

23K Patients of Mayfield Clinic Sent Malware-Infected Email
May10

In February, patients of the Mayfield Clinic of Cincinnati, Ohio were sent an email containing a malicious attachment which downloaded ransomware onto their devices. The entry on the HHS’ Office for Civil Rights breach portal indicates 23,341 patients were sent the email, although it is unclear how many email recipients opened the malicious attachment and infected their computers. The email was sent by an individual who gained access to a database held by one of Mayfield’s vendors. That vendor was contracted to send out newsletters, invitations, announcements, and educational information via email to patients, event attendees, business associates, website contacts, and other friends of Mayfield. The emails were sent out on February 23, 2016 and had the subject line “Important Information: invoice 11471.” Opening the attached file triggered the download of ransomware – malware that encrypts files preventing them from being accessed. The victims are then told they must pay a ransom to obtain the key to unlock the encryption. The individual who gained access to the email database was...

FDA Must do More to Improve Medical Device Interoperability, says CHIME
May05

In January, the Food and Drug Administration (FDA) released draft guidance for manufacturers to help with the development of interoperable medical devices. Late last month, the College of Healthcare Information Management Executives (CHIME) submitted comments to the FDA on the proposed guidance – Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices. In a letter sent to FDA Commissioner Robert M. Califf, MD, CHIME expressed concern that the draft guidance represents a set of suggested principles, yet what CHIME members require is assurance that medical devices are interoperable. At present, manufacturers are claiming their devices are interoperable, when the reality is that they are not. CHIME explained that medical devices are being purchased from manufacturers who claim that the devices are interoperable, yet once the devices have been purchased, clinicians discover that the data generated by the devices cannot be loaded to their EHR systems directly without the use of third party software. That...

Verizon: Human Error the Main Cause of Security Incidents
Apr29

The Verizon 2016 Data Breach Investigations Report was released this week. The biggest cause of security incidents over the past 12 months has been what Verizon calls “miscellaneous errors,” a category which includes misconfigured IT systems, improper disposal of company data, lost and stolen devices, and email errors. In the case of the latter, 26% of breaches were caused by individuals emailing data to incorrect individuals. Weak passwords continue to cause organizations problems. 63% of confirmed data breaches were attributed to either poor passwords, default login credentials that had not been changed, or the use of stolen login credentials. Cyberattacks are often made possible due to the failure to install patches promptly. In the majority of cases, hackers exploit vulnerabilities that have existed for months, even though patches have been made available. Verizon reports that 85% of successful exploits took advantage of the top 10 known vulnerabilities. The biggest cause of data breaches this year is web application attacks, which have increased by 33% since the 2015 report....

American Dental Association Mails Malware-Infected USB Drives to Members
Apr29

A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The USB drive contained a file with code that directed users to a domain which could enable cybercriminals to install malware, potentially allowing them to gain control of computers. The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop computer or a desktop. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes. One recipient of the device decided to check the contents of the USB stick on a spare machine as he was wary of using the device on a machine that contained sensitive data. He discovered the drive contained an HTML launcher in a hidden iframe that contained a potentially malicious URL with a Chinese ccTLD. An autorun file was also included on the device, according to his DSL Reports post. ADA was informed about the malware infection and an investigation was launched. ADA informed Krebs on Security that the infection was introduced on certain devices during production in China....

Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data
Apr28

A lawsuit has been filed against Sandlot Solutions, Inc., and its parent company Santa Rosa Consulting by the MCHC-Chicago Hospital Council in an attempt to prevent the deletion of more than 2 million patient records from Sandlot’s servers. The MCHC-Chicago Hospital Council (MCHC), which includes over 30 area hospitals, operates the MetroChicago Health Information Exchange (HIE). The HIE was formed to allow all participating hospitals to quickly and easily share patient health information and ensure that up-to-date medical records of patients could always be obtained by doctors and healthcare professionals. The HIE contains patient data collected over the past seven years. The HIE is hosted by healthcare information technology company Sandlot Solutions, Inc. On March 28, 2016, Sandlot notified MCHC that it would be winding down its operations and would soon be going out of business. Sandlot is alleged to have shut down access to the HIE a day later. MCHC was also advised that Sandlot would be deleting all HIE data from its servers within 24 hours of providing the council with a...

California Ransomware Bill Passed by State Senate Committee
Apr15

Californian Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee, after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2, 3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...

Unpatched 2007 Vulnerability Exploited in MedStar Ransomware Attack, Says AP
Apr07

The ransomware attack on MedStar Health could easily have been avoided had its software been patched, according to a recent AP article, although this has been denied by MedStar Health. The vulnerability in the Red Hat-supported JBoss application server was first uncovered in 2007. A further warning about the problem was issued by Red Hat in 2010, with another warning issued earlier this month. A patch to correct the vulnerability has existed for almost a decade. The patch removes two lines of code that enable the JBoss system to be accessed remotely. The flaw existed as a result of a common JBoss application server misconfiguration. According to an Ars Technica report, more than 2.1 million installations around the world are vulnerable to this type of attack. The failure to implement the 2007/2010 patches allows attackers to exploit the vulnerability and gain access to Internet-facing servers. Once access has been gained, attackers are able to use a host of security tools to gain access to other parts of a network and deploy ransomware. As media reports circulate claiming it was...

One In Five Companies Has Suffered a Data Breach Involving Mobile Devices
Apr03

One in five companies has suffered a data breach involving mobile devices according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks. The number of devices that had been compromised is a concern; however, what is more worrying is the extent to which organizations are monitoring the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure. When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices were involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure were insufficient in many organizations. When asked about the risk control...

Ransomware and HIPAA: Are Attacks Reportable?
Apr01

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts. So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected. But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear. If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired...

Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH
Mar31

On Wednesday this week, the 2015 CAQH Index was released. The data show that many healthcare organizations are continuing to rely on manual administrative processes for basic transactions such as verifying patient coverage, submitting claims, prior authorization, and referral certification, even though these tasks can easily be performed electronically. The CAQH Index is released once a year and is a measure of the adoption of electronic transactions for routine business processes in the healthcare industry. The aim of the report is to raise awareness of the potential cost savings that can be made by switching to electronic HIPAA transactions. The data used for the CAQH Index in 2015 represents some 440 million transactions relating to 92 million patients. The reliance on manual processes rather than HIPAA electronic administrative transactions is costing the healthcare industry dearly. CAQH believes the continued reliance on resource-intensive manual processes is costing the healthcare industry $8 billion each year. Each time health plans and healthcare providers perform a manual...

1,400 Vulnerabilities Found in Popular Drug Cabinet System
Mar31

According to an advisory issued by the Department of Homeland Security, a popular drug cabinet system has been found to have over 1,400 vulnerabilities, many of which could be exploited remotely using publicly available exploits. Furthermore, the exploits could be executed by an attacker with a low level of skill. The drug cabinet discovered to contain these vulnerabilities is version 8.1.3 of the Pyxis SupplyStation by CareFusion, which has not been updated since April 2010. However, vulnerabilities exist in a number of older versions of the system, many of which are still in operation and are used in a number of facilities in the United States. The automated drug cabinets dispense products and maintain an accurate stock inventory in real time. Two independent security researchers, Billy Rios and Mike Ahmadi, obtained a decommissioned Pyxis SupplyStation and conducted a static binary analysis of the system’s firmware to search for vulnerabilities. The researchers discovered that 1,418 vulnerabilities existed in the version they tested. The vulnerabilities do not exist in the...

Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws
Mar29

A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification or loss.” Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub. GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures. The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance a hacker was able to break through security defenses and succeeded in...

Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network
Mar29

On Monday March 28, 2016, Medstar Health System discovered a computer virus had been installed on its computer network. The Columbia-based health system, which runs 10 hospitals and more than 250 outpatient facilities throughout Maryland and Washington D.C., was forced to shut down its electronic health record (EHR) and email systems to prevent the spread of the virus. The virus was discovered on Monday morning and the health system acted rapidly to contain the infection and prevent its spread throughout the organization. The security breach was reported to the FBI and an investigation into the attack has been launched. The health system is currently working with its IT and security partners to determine the exact nature of the cyberattack, the extent to which data and systems have been compromised, and how best to deal with the virus. Medical services are still being provided to patients and all of the health system’s facilities remain operational; however, the decision to take the EHR and email systems offline will have an impact on patients. Medstar Health employs around 30,000...

Two More Californian Hospital Ransomware Attacks Reported
Mar23

Two more hospitals in Southern California have reported being attacked with ransomware. The Chino Valley Medical Center and Victorville’s Desert Valley Hospital, which are both operated by Prime Healthcare, were attacked on Friday last week. A number of computers had data locked with the file-encrypting malware, and the attackers managed to infiltrate some of the hospitals’ servers before the attack was discovered and contained. As soon as the ransomware attacks were discovered, IT systems were taken offline to prevent the spread of the infections. While some computers and servers were taken out of action, patient health records were not compromised and the attack did not affect patient safety. Healthcare services are still being provided to patients at both hospitals, although the attack did cause significant disruption to the hospitals’ IT systems on Friday last week. Prime Healthcare spokesperson Fred Ortega said “most of the systems and critical infrastructure has been brought back online.” A ransom demand was received by Prime Healthcare, although no details have been...

HHS Effort to Address Confusion over Mobile Apps is Disappointing, Say Federal Legislators
Mar23

Last month, the Department of Health and Human Services issued new guidance to clear up confusion about HIPAA Regulations and how they apply to mobile health apps. The four-page document explained how HIPAA Rules apply to health information that is created by patients and entered into health apps, and set out to explain when developers of health apps need to comply with HIPAA Rules. The guidance covered six scenarios and explained how and when HIPAA Rules applied. The guidance has helped to explain some of the obligations mobile health app developers have under HIPAA Rules, but according to one bipartisan group of congressmen, the guidance only covered a very narrow set of circumstances, and has “led to more questions than answers.” Reps. Tom Marino (R-Pa.), Peter DeFazio (D-Ore.), Earl Blumenauer (D-Ore.), Blake Farenthold (R-Texas), Ted Lieu (D-Calif.), Suzanne Bonamici (D-Ore.), Renee Ellmers (R-N.C.), and Will Hurd (R-Texas) signed a letter sent to HHS Secretary Sylvia Mathews Burwell earlier this month in which the efforts of the HHS to address the confusion over HIPAA...

TigerText’s Latest Update Will Help Deliver Faster, High Quality Healthcare
Mar23

TigerText has released a number of new features on its secure messaging solution that will help deliver faster, high quality healthcare in compliance with HIPAA. According to Brad Brooks – the company’s co-founder and president – the new features in the latest Spring 16 TigerText release are the result of listening to and translating customer feedback into useful and relevant updates. He explained that through TigerText’s “voice of the customer” program, requests for new features were shared regularly with the product development team, who prioritized the most relevant requests and brought them to market. Among the innovative features in the latest TigerText release:

• A new self-updating desktop app with built-in alerts will allow any authorized user to access TigerText from a PC or Mac.
• Messages will automatically be forwarded to a colleague when a user’s app is in “Do Not Disturb” mode.
• Priority messages will now remain at the top of the recipient’s inbox and emit a distinctive ring for instant differentiation.
• TigerText users will now be able to set up...

VA Information Security Weaknesses Will Take Further 22 Months To Remediate
Mar22

Last week, the VA Office of Inspector General issued a report on a 2015 Department of Veterans Affairs (VA) audit conducted to determine whether the VA’s security program complied with Federal Information Security Modernization Act (FISMA) requirements and NIST guidelines. The audit report indicates progress has been made to improve cybersecurity protections at the VA, but there is still a long way to go before the VA’s InfoSec program raises standards to the level required by FISMA. Auditors discovered a number of significant security deficiencies in the VA’s identity management and access controls, configuration management controls, contingency planning processes, incident response and monitoring procedures, contractor systems oversight, continuous monitoring, system development/change management controls, and its agency-wide security management program. While some efforts have been made to improve access and configuration management controls, security control standards had not yet been applied to all servers, databases, and network devices, and a number of system security...

Methodist Hospital in Lockdown After Ransomware Attack
Mar21

Methodist Hospital in Henderson, KY, is currently in lockdown after a ransomware attack. The hospital has declared an “internal state of emergency” after critical files were copied and locked. The hospital responded to the cyberattack quickly and was able to contain the malware, although as a result of the lockdown, access to electronic communications and web-based systems remains limited. The malicious software was inadvertently installed on the network, resulting in files containing patient data being copied and encrypted. According to a statement issued by Methodist COO David Park, “the hackers have copied patients records and locked those copies. They’ve deleted the originals.” Methodist Hospital was able to activate a backup system. Normal operations are continuing at the hospital without any interruption to patient services, but the issue has yet to be resolved and the main network remains locked. The FBI has been notified and an investigation into the cyberattack has commenced. Methodist Hospital is working with the FBI to determine the best way to resolve the issue. A...

Non-Compliant Hospital Pager Use Persists
Mar18

Communicating protected health information (PHI) over unsecured networks is not permitted under Health Insurance Portability and Accountability Act (HIPAA) Rules, which means pagers cannot be used to send PHI unless messages are encrypted. Encryption alone is not sufficient to ensure compliance with HIPAA. Not only must messages be encrypted to prevent interception, there must also be a means of verifying the identity of the user. User authentication is essential, as there is otherwise no guarantee that a message containing PHI will be received by the intended recipient. If a pager is lost, stolen, or left unattended, PHI could potentially be accessed by an unauthorized individual. It is also necessary to implement controls to automatically log off users and allow messages to be remotely erased in the event that a pager is lost or stolen. Due to the cost implications of applying these safeguards, and the difficulty of doing so, many hospitals implement policies that prohibit the transmission of PHI over the pager network. If PHI needs to be communicated, a pager message is sent and the...

80% of Organizations Concerned About Large Data Breaches
Mar14

Most organizations now understand that it is no longer a case of whether a breach will occur, but a matter of when their defenses will be breached, yet many organizations appear to be ill-equipped to deal with a data breach when one does occur, according to a recent ID Experts survey. The survey, conducted on behalf of insurance analyst firm Advisen, asked 203 risk assessment experts about data breach preparedness and the measures in place to deal with data breaches when they did occur. The aim of the survey was to find out more about how organizations are managing data breach risk, and how insurance coverage gaps are being addressed. Recent large-scale data breaches have many CISOs worried that their organization will be attacked. 80% of respondents said they are worried about their organization suffering a large data breach. 17% of respondents said they had already suffered at least one data breach in the past 12 months. The very real threat of a data breach has prompted 64% of organizations to purchase data breach insurance, yet those policies may offer little benefit....

Economics of Cyberattacks Explored
Mar11

A Ponemon Institute survey commissioned by Palo Alto Networks has explored the motivations behind cyberattacks and offers some insight into how organizations can develop defenses to thwart attackers. The survey was conducted in the United States, United Kingdom, and Germany and asked 304 threat experts their opinions on the reasons why criminals choose to attack organizations, how targets are selected, and how much attackers actually make from their criminal acts. In the majority of cases, the main motivation for conducting an attack is money. Respondents indicated that in 67% of cases, attacks are conducted for financial gain. The average earnings from conducting those attacks were determined to be $28,744 per year. In order to earn that amount, hackers spent an average of 705 hours attacking organizations. The figures show that hacking is far less profitable than working as a private or public sector security professional, where earnings of four times that figure are possible. The report, Flipping the Economics of Attacks, indicates that the majority of hackers look for easy targets. 72%...

Ponemon: 48% of Healthcare Organizations Suffered a PHI Breach in the Past Year
Mar09

A study recently published by the Ponemon Institute has revealed that almost half of healthcare organizations (48%) have experienced a data breach in the past 12 months that resulted in the loss or exposure of the protected health information of patients. The survey, conducted on behalf of software security firm ESET, asked 535 IT security professionals questions about cyberattacks on their organizations, the consequences of those data breaches, and cybersecurity concerns. The survey provides an insight into the current state of healthcare cybersecurity, the effect data breaches are having on healthcare organizations, and the seriousness of the current threat level. Cyberattacks on healthcare organizations are now taking place at a rate of one every month. Hackers were able to evade intrusion prevention systems (IPS) at 49% of organizations surveyed, while 37% of respondents said cyberattackers had evaded detection by their antivirus protections and other traditional security measures. A quarter said they were unsure if that was the case. Protections against advanced persistent...

HIMSS Conference 16 Roundup
Mar04

The past 5 days have seen almost 42,000 industry professionals attend the HIMSS Conference & Exhibition in Las Vegas, the largest health IT educational event of the year. Each year health IT professionals, executives, vendors, and clinicians from all over the world attend the conference to learn about the latest cutting-edge IT products, and to take part in education programs, thought leader sessions, and roundtable discussions. The purpose of the conference is to show how health and healthcare can be improved by the use of IT, and to explain the power information technology has to transform healthcare organizations and increase profits. Attendees were provided with a wealth of information to help them leverage new technology to provide better services to patients. This year attendees were treated to presentations from high-profile keynote speakers including Super Bowl-winning quarterback and five-time NFL MVP Peyton Manning; Dr. Jonah Berger, the author of the best-selling book Contagious: Why Things Catch On; Dell CEO Michael Dell; and the highest healthcare official in...

SpamTitan Technologies Awarded Ninth VB+ Award
Mar04

SpamTitan Technologies is celebrating its ninth VBSpam+ award – and thirty-fifth VB award overall – for high performance in blocking spam emails. Virus Bulletin is a security information service that conducts independent testing of anti-malware and anti-spam solutions. It only distributes VB awards to vendors whose software achieves excellence in preventing web-borne threats, VBSpam+ being the highest award the organization can bestow. The most recent Virus Bulletin anti-spam test took place in January, with sixteen anti-spam solutions undergoing rigorous testing. For the fourth time in a row, SpamTitan Technologies’ anti-spam solution blocked more than 99.9% of spam and, for the third time in a row, it did so without any false positives. Martijn Grooten – responsible for conducting Virus Bulletin’s comparative reviews – commented on the importance of spam filters and how “spam filters make the email lives of users a lot easier – and a lot more secure”. Speaking about the performance of SpamTitan Technologies’ anti-spam solution, Martijn said...

Healthcare Companies Commit to Improving Health Information Flow
Mar04

At this year’s Health Information Management Systems Society conference, U.S. Department of Health and Human Services Secretary Sylvia M. Burwell announced that all major health information technology developers and the top health systems have pledged to implement three core commitments to help improve the flow of healthcare data to consumers and healthcare providers. A pledge has now been made by 17 health IT developers, 16 health systems, and 17 provider, technology, and consumer organizations. Seven of the biggest healthcare systems, providing healthcare services in 46 states, are all on board, with Community Health Systems, Hospital Corporation of America, Tenet Healthcare, Ascension Health, Trinity Health, Catholic Health Initiatives, and Kaiser Permanente all having committed to improving health information sharing, as have the health IT companies responsible for providing 90% of EHRs used by U.S. hospitals. All have agreed to help improve consumer access to healthcare records, implement national interoperability standards, and not engage in information blocking. At...

HiMSS Publishes Report on Pagers
Feb29

HiMSS Analytics has published a new report offering insight into the real cost of pagers in healthcare. The report quantifies the cost of pagers and highlights the advantages that can be gained from switching to more efficient methods of healthcare communication such as HIPAA-compliant secure messaging apps.

Healthcare Providers Reluctant to Retire Pagers

Many industries have embraced new communications technology and are now using smartphones to communicate with employees; however, many healthcare organizations are still using outdated pager technology to communicate with physicians and nurses. Pagers have served the healthcare industry well for decades, yet they are inefficient, only allow one-way communication, and can cause communication delays and workflow disruptions. While it is clear that the technology is outdated and needs to be replaced, a great many healthcare providers have been slow to make the move to new channels of communication. This has been attributed, in part, to misconceptions about the value offered by pagers and inaccurate estimates of the actual cost of...

TigerText’s Latest Collaboration with Box will Accelerate Consults and Diagnoses
Feb29

The latest collaboration between TigerText and Box adds DICOM imaging to the types of files that can be shared between medical professionals on the TigerText platform. Digital Imaging and Communications in Medicine (DICOM) is a healthcare industry standard for managing, storing, printing and transmitting information associated with medical imaging; its file format definition is designed to eliminate data interoperability barriers. DICOM facilitates the integration of servers, workstations, scanners, printers and network hardware from various manufacturers into a universal picture archiving and communication system that is widely used by hospitals and other medical facilities to share X-rays, CT scans and ultrasounds. Now, due to the collaboration between TigerText and Box, medical professionals will be able to collaborate on DICOM images securely and with no risk of HIPAA compliance issues – accelerating consults and diagnoses, and enhancing patient care.

Improving Communications across the Healthcare Continuum

TigerText first announced the integration of secure messaging...

TigerText’s Secure Messaging Apps Available for Salesforce Health Cloud
Feb29

TigerText has announced that the integration of its secure messaging apps will be available to extend the capabilities of Salesforce Health Cloud. Salesforce Health Cloud is a patient relationship management solution that enables healthcare providers to gain a complete view of the patient using data from electronic medical records (EMRs) and wearable electronic health apps. The concept behind the management solution is that it enables greater patient engagement across their caregiver networks, enabling healthcare providers to make better informed care decisions. The platform also enables healthcare providers to safely and securely manage patient data. With the addition of TigerText’s secure messaging apps, Salesforce Health Cloud customers will now be able to embed the TigerText secure messaging service in their Health Cloud portals, enabling healthcare providers to conduct HIPAA-compliant conversations for streamlined care coordination and patient handoffs.

Communication the Key to Effective Care Delivery

According to Joshua Newman – Chief Medical Officer at Salesforce...

Perceptions of Privacy and Security of Medical Records and Health Data Exchange Explored by ONC
Feb28

Great strides are being made toward a fully interoperable health IT infrastructure. Adoption of certified health IT is growing and healthcare organizations and office-based physicians are increasingly exchanging health information electronically, but how do patients feel about the electronic exchange of their PHI? Is concern over data security growing? The Office of the National Coordinator for Health Information Technology (ONC) has been assessing public feeling and has recently issued a brief detailing the findings of surveys it has conducted on consumers over the past few years. Between 2012 and 2014, ONC conducted a nationwide survey which examined security concerns about electronic health records and electronic health information exchange. The number of individuals who are very or somewhat concerned about the privacy and security of their medical records has been decreasing and the number of individuals who expressed a lack of concern about the privacy and security of their medical records is increasing. In 2012, 7% of individuals were choosing to withhold information from...

OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
Feb26

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USAToday reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving...

New Research Reveals the Hidden Costs of Pagers for Healthcare Organizations
Feb26

New research has revealed that the “soft costs” of pagers in healthcare organizations could mean that hospitals are overpaying to maintain legacy paging services. The study – sponsored by TigerText – was conducted by HIMSS Analytics and concerned pager use in more than 200 hospitals throughout the U.S. The majority of the survey’s participants had a direct role in the selection, purchase or management of pagers, and the study was supported by interview-based research with senior executives at the largest participating hospitals. The report resulting from the study – “The Hidden Cost of Pagers in Healthcare” – revealed that 90% of the surveyed organizations still use pagers and on average spend around $180,000 per year, with the average paging service costing $9.19 per month per device, compared to TigerText’s own research showing the cost of its secure messaging alternative to be less than $5 per month per user. Commenting on the conclusion of the survey, Bryan Fiekers – Director of the Advisory Services Group for HIMSS Analytics – said: “This...

OIG Publishes 2013 Security Report on South Carolina’s Medicaid Agency
Feb22

The U.S. Department of Health and Human Services’ Office of Inspector General has published a report of an investigation into South Carolina’s Medicaid agency. The investigation was conducted in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services the same year. 74 gigabytes of data were stolen from the Revenue Department, which included the tax returns of 3.8 million adults and Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also stolen. An employee of the Department of Health and Human Services was discovered to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the data to a personal email account. The employee was arrested and was sentenced to three years of probation and community service, although the hackers responsible for the cyberattack on the Revenue department were never caught. The purpose of the investigation was to determine whether the state had properly safeguarded data stored in the Medicaid...

Mobile Device Ransomware Warnings Becoming More Urgent
Feb18

A special report on CNBC.com into mobile device ransomware was compiled in the aftermath of the Hollywood Presbyterian Medical Center ransomware cyberattack. The attack crippled the hospital’s internal computer system, shut down its email servers and prevented access to EMRs. The hospital had no option but to pay a $17,000 ransom to obtain the encryption key that would unlock its data and communications system. Although investigations are still ongoing into how the crippling malware found its way into the hospital’s system, mobile device ransomware has not been ruled out. Indeed, the CNBC.com article starts with cybersecurity expert Robert Herjavec commenting that 40% of threats come from inside and – knowing this – cybercriminals are taking advantage of mobile device ransomware to launch more sophisticated cyberattacks.

Not the First Ransomware Attack on a Medical Facility

Ransomware – a type of computer malware – is an effective weapon for cybercriminals. Traditionally it has been used to encrypt files on a computer to make them inaccessible, and normally...

Healthcare Ransomware Infection Removed After $17K Ransom Paid
Feb18

Healthcare ransomware infections can cause major disruption and can have a negative impact on patient health. This week, Hollywood Presbyterian Medical Center took the decision to give in to a ransom demand and paid cybercriminals nearly $17,000 for a security key to unlock its EHR.

What is Ransomware?

Just as healthcare providers take the decision to use data encryption to prevent criminals from gaining access to patient data on laptop computers and portable storage media, encryption can also be used against healthcare providers. Ransomware locks computer files with powerful encryption. To unlock the data a security key must be used. However, that key is held by the cybercriminals behind the ransomware attack. The security key cannot be cracked like a password. The only way to recover from a healthcare ransomware infection is to pay the ransom or restore all encrypted data from a backup. This is not always straightforward. Backups are not conducted every second, so some data loss is inevitable. Restoring data from backup files is also not always successful...

TitanHQ Launches Web Filtering Solution for Hospital Wi-Fi Networks
Feb17

TitanHQ – a world leader in email and web security solutions – has launched a DNS-based Web filtering solution for hospital Wi-Fi networks. Wi-Fi in hospitals has been acknowledged as a feature that increases patient satisfaction and has been associated with faster patient recuperation. Certainly providing patients with a means of communicating with their families via email and social media makes their stay more bearable. However, providing unfiltered Wi-Fi access to patients can have negative consequences. Patients that spend all day live streaming sports events can eat up bandwidth – preventing other patients from being able to access the Internet at all. Patients can access inappropriate web content in eyeshot of other patients or minors, and – a potentially more serious consequence – malware and viruses may be installed that not only infect the user’s device, but also the entire Wi-Fi network. TitanHQ has developed a solution for these potential issues – WebTitan Cloud for Wi-Fi. With Wi-Fi filtering for hospitals, administrators...

Cyberattack Detection: Confidence High Even If Detection is Often Slow
Feb16

Detecting a cyberattack promptly is critical in order to minimize the damage caused, but how quickly are cyberattacks actually detected? Tripwire, a leading provider of advanced security and compliance solutions, set out to find out whether IT professionals believed they had the technology and policies in place to enable them to identify a cyberattack rapidly. For the study, 763 IT security professionals from public sector organizations and the energy, financial services and retail industries were asked about the efficacy of seven key security controls that should be implemented to detect a cyberattack while it is taking place:

Accurate hardware inventory
Accurate software inventory
Continuous configuration management and hardening
Comprehensive vulnerability management
Patch management
Log management
Identity and access management

The results of the study have been published in the Tripwire 2016 Breach Detection Study.

Confidence High in Ability to Detect a Cyberattack…

The majority of respondents were confident that the measures they had put in place to detect a cyberattack...

OCR Issues Further Guidance on Health App Use
Feb12

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA Business Associate. Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applied to mobile health app developers. The aim was to improve understanding of HIPAA rules among mHealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and determine which aspects of HIPAA were proving problematic or confusing for app developers. The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA rules and will help answer some of the questions that are frequently asked. There...

OCR Launches New Cyber-Awareness Initiative
Feb03

The New Year has already seen the Department of Health and Human Services’ Office for Civil Rights issue new guidance for HIPAA-covered entities. That has now been followed up with the launch of a new initiative to improve cyber-awareness of the latest security threats. By increasing awareness of the threats to healthcare data security it is hoped that many healthcare data breaches can be avoided. As was highlighted by the recent Online Trust Alliance security report, the majority of healthcare data breaches can be easily avoided by implementing basic security principles, such as educating staff members on the latest data security threats. OCR has kicked off the initiative with advice on two growing security threats: ransomware and tech support scams, both of which have increased in prevalence over the past 12 months.

OCR Offers Advice to Assist HIPAA-Covered Entities in Avoiding Ransomware

Criminal gangs have been using ransomware with increasing regularity. Ransomware is a form of malware that locks computer files with encryption, preventing the user from gaining access to their...

Secure Healthcare Messaging Vendors Assessed by KLAS
Jan29

Which is the top vendor for HIPAA-compliant secure messaging? It depends. Established players and up-and-coming companies have recently been assessed by KLAS. The independent research company has rated the current options available to healthcare providers looking to improve communication between care teams without falling afoul of HIPAA Regulations. The cost of healthcare provisioning is rising, placing increasing pressure on healthcare providers to reduce operational costs, improve efficiency, and increase the productivity of healthcare employees. Currently many physicians, nurses and other healthcare professionals are forced to use slow and inefficient communications systems, resulting in many hours of wasted time each week per employee. The use of SMS text messages would solve many of these problems. The communication channel is fast, convenient, and practical, but SMS messages are insecure. This poses a problem for healthcare providers and other HIPAA-liable entities. HIPAA Rules prohibit the transmission of Protected Health Information (PHI) via SMS as the messages can all too...

5 EHR Vendors Agree to Carequality Interoperability Framework
Jan29

Following the publication of the Carequality Interoperability Framework last month, five major EHR vendors have signed up and agreed to adopt the Sequoia Project’s Carequality initiative. The Sequoia Project has announced that athenahealth Inc., eClinicalWorks, Epic Systems Corporation, NextGen Healthcare, and Surescripts have all agreed to adopt the new framework. Universal interoperability may be some way off, but the addition of the EHR vendors is seen as a major step in the right direction. Thanks to the comprehensive framework, the companies will reap a number of connectivity benefits that were previously difficult to attain, since the Framework puts an end to the need to enter into separate legal agreements with organizations before data sharing is possible. The announcement confirms that EHR vendors are committed to making total interoperability a reality for both patients and healthcare providers, and shows that universal interoperability could soon become a reality. Sequoia Project’s CEO Mariann Yeager recently said in an interview with EHRIntelligence, “We know there...

Happy Data Privacy Day
Jan28

October is National Cybersecurity Awareness Month, but today – January 28 – is Data Privacy Day: An international day conceived as a way of improving awareness of privacy issues. It is a day when organizations in Europe and the United States recognize the importance of safeguarding data, protecting privacy, and building the trust of consumers (and patients). Given the volume of healthcare records exposed in 2015 and the number of data breaches still being suffered by HIPAA-covered entities, this year Data Privacy Day is more important than ever before.

Happy Data Privacy Day – May the Next 24 Hours be Free of Privacy Breaches!

Data Privacy Day started in 2007 across the pond in Europe, where it is known as European Data Protection Day. 47 European countries honor the day and are involved in campaigns to raise awareness of data privacy issues and share information that can help corporations and individuals better protect stored and shared data. With a unanimous vote of 402-0, the House of Representatives followed suit two years later and also chose to use January 28 as a day to...

CHIME Launches $1 Million Competition to Solve the National Patient Identifier Problem
Jan22

Matching patient records to the correct patient is a complicated business. In theory at least, with patient information recorded digitally, it should be possible to match records with the correct patient no matter where the patient information is accessed or where the data is located. In an ideal world this would happen 100% of the time. Unfortunately, this is not an ideal world and patients and records are frequently mismatched. This can naturally have serious consequences for patients.

Records and Patients only Correctly Matched 90% of the Time

Studies suggest that the probability of records and patients being paired correctly is around 90% on average. Provided, of course, that the records are located within a single health system. Should some records be located in a different health system, the chance of those records being correctly matched is much lower. In fact, when records are shared across different health systems the figure falls to around 80%. If a patient is to receive the best possible level of care, this is a problem that must be resolved.

Solving the Problem of...

Health System’s Network Taken out by Qbot Malware
Jan22

Royal Melbourne Hospital’s pathology department’s network was taken down this week by a new variant of Qbot malware, highlighting the damage that can result from tardy software upgrades and patch installations. Microsoft stopped issuing patches for Windows XP in April 2014, leaving the operating system prone to attack. There were fears that as soon as the patches stopped being issued a wave of cyberattacks via zero-day exploits would follow. Those attacks failed to materialize, but any system running the defunct operating system was left vulnerable when support was retired. The decision to keep using Windows XP rather than upgrading has proved extremely costly for Royal Melbourne Hospital’s pathology department. A zero-day vulnerability in XP was exploited, resulting in the hospital’s pathology department network being infected with malware and taking the network out of action. The malware also attacks Windows 7 machines, and a number of XP and Windows 7 machines were infected. With the network taken down, the hospital’s pathology department was forced to manually process...

Only 45 Percent of Organizations Confident in Ability to Repel a Cyberattack
Jan21

According to the Cisco 2016 Annual Security Report released on Tuesday, fewer than half of worldwide organizations are confident in their ability to repel a cyberattack due to the sophisticated and resilient nature of campaigns now being launched by hackers. The report indicates 45% of organizations are no longer confident of their security posture. 48% of security executives said they were very concerned about security, while 41% indicated they were much more concerned than they were three years ago. There are very real causes for concern. Many organizations are operating an aging infrastructure and the vast majority – 92% – of Internet-connected devices in use contain known security vulnerabilities. Just under a third of devices being used no longer have vendor support.

Highly Sophisticated Cyberattacks Proving Hard to Repel

Investment in cybersecurity defenses has increased considerably in recent years to address the elevated risk of attack. However, attackers have upped the ante and are conducting ever more sophisticated attacks that are proving difficult to repel....

Hippocratic Oath for Connected Medical Devices Required, says Cybersecurity Association
Jan20

A cybersecurity volunteer association has written an open letter to healthcare industry stakeholders calling for the adoption of a Hippocratic Oath for connected medical devices. I am the Cavalry says the move would better protect the privacy of patients and ensure their safety. The growing risk of cyberattack coupled with the inherent security vulnerabilities present in many medical devices prompted I am the Cavalry to pen the letter. It is believed that while medical devices allow life-saving therapies to be provided to patients, greater efforts must be made to ensure the data they record are kept secure. Additional safeguards must also be incorporated to ensure the devices cannot be hacked. It is believed that a Hippocratic Oath for connected medical devices would help in this regard. The group also claims that such a measure would serve to preserve trust in the healthcare industry and would help to improve the safety of the devices. The aim is to encourage developers of medical devices to implement a host of safeguards to ensure their devices are resilient to attack and, as far...

Medical Device Manufacturers Receive New FDA Cybersecurity Recommendations
Jan18

On January 15, 2015, the Food and Drug Administration (FDA) released draft guidance on the Postmarket Management of Cybersecurity in Medical Devices. The guidance has been released for public comment and will be open for a comment period of 90 days. The aim of the guidance is to help manufacturers of medical devices develop and implement controls to ensure their devices are secure to better protect patients. The guidance contains a number of steps manufacturers should follow to address cybersecurity vulnerabilities after devices have come to market to ensure the continuing safety of patients. These include monitoring devices and conducting risk assessments to identify security vulnerabilities after devices have come to market. Manufacturers of medical devices must ensure cybersecurity protections are built into devices and are a central part of the design. It is not possible to eliminate all cybersecurity risks at the design phase. Cybersecurity risks may arise at any point in the lifecycle of the products. It is therefore essential that medical devices are constantly...

Calculating the Cost of Spear Phishing
Jan17

Spear phishing attacks are on the increase and healthcare providers have had to increase spending considerably to deal with the threat and mitigate risk. A recent survey conducted by Cloudmark/Vanson Bourne has helped to quantify the current level of spending on anti-phishing precautions and has produced an estimate of the cost of spear phishing.

Spear Phishing: A growing problem for healthcare providers

The sending of mass spam emails has long been a tactic used by cybercriminals to get individuals to reveal their login credentials, often indirectly after being fooled into installing malware on their computers. The vast majority of these email campaigns have been poorly written and ill-conceived. That said, they have still proved to be an effective way of delivering malware, although spam filtering technology has improved considerably in recent years and many of these emails are now being blocked. Cybercriminals have realized that more targeted phishing emails not only have a much better chance of getting past spam filters, but are also more likely to elicit the desired response....

How Secure are Mobile Health Apps?
Jan16

How secure are mobile health apps? It may not come as a surprise to find out that many mobile health apps have security vulnerabilities, but what about the health apps that have been tested and approved by the Food and Drug Administration (FDA)?

How Secure are Mobile Health Apps?

Apparently, even mobile health apps that have gained FDA approval are insecure. A recent study conducted by Arxan Technologies indicates that 84% of FDA-approved health apps have at least two security vulnerabilities that pose a significant risk of exposing data or that could lead to the devices being compromised. For the study, Arxan assessed 71 of the top health apps used in the United States, United Kingdom, Japan, and Germany, and tested each using tools developed by Mi3, a leading application security company. Mi3 has developed tools that assess potential for data leaks, susceptibility to malware, and privacy risks. Each app was tested for susceptibility to the Open Web Application Security Project’s (OWASP) top ten critical security risks. Overall, 86% of the apps were discovered to be vulnerable to at...

TigerText Launches Healthcare Pager and Fax Replacement
Jan15

TigerText has announced the release of two new communication solutions for healthcare providers. The two new products have clear potential, and could convince many healthcare providers to start phasing out pagers and faxes. The new products, named TigerPage & TigerFax, are aimed at healthcare providers that would like to transition to a more secure, HIPAA-compliant method of communication but who are reluctant to give up the communication tools they have relied on for decades. Rather than totally replacing pagers and faxes, the new solutions allow them to continue to be used. In fact, the speed and efficiency with which pages and faxes can be received and responded to are greatly improved. Rather than carrying a pager and a Smartphone, healthcare workers can have pages and faxes sent directly to their Smartphone.

Healthcare Providers Reluctant to Relinquish the Pager

Pagers and faxes have been an essential communication tool for the healthcare industry for decades, yet despite reliable, HIPAA-compliant communication systems being available for some time, healthcare providers are...

The Slow Pace of Technology Adoption in Healthcare Explained
Jan14

When it comes to implementing new technology, the healthcare industry lags behind every other industry sector. It is a well-known fact that the industry appears to resist change, even when those changes stand to significantly benefit patients. In an age of Smartphones, tablets, and the Internet of Things, many people would be amazed to find out that archaic communication methods such as pagers and faxes not only still exist, but are extensively used throughout the healthcare industry. In some cases, the new technology now being introduced by healthcare providers was first introduced in other industry sectors many years ago. There are very good reasons why the pace of change is so much slower in the healthcare industry than in, say, the financial sector or manufacturing industry. Itamar Kandel, Chief Strategy Officer of TigerConnect, is well aware of the slow pace of change. During his time working with healthcare organizations at VERITAS Software and more recently at TigerConnect, he discovered the reasons why adoption of new technology is slow, even when technology can clearly...

Beware of Medical Device Ransomware in 2016 Warns Forrester Research
Jan13

The spate of data breaches suffered by HIPAA-covered entities is set to continue in 2016 according to predictions by security experts. Malware and phishing attacks on healthcare providers are likely to continue to be used to obtain PHI from healthcare providers this year. While phishing and social engineering were used to gain access to data last year (Anthem, Premera), ransomware attacks have not plagued the healthcare industry, even though the use of the malicious software has grown. Hackers have preferred attacking healthcare providers for the data they hold rather than locking computers and demanding a ransom. Far greater rewards can be gained from obtaining millions of healthcare records than from locking a handful of computers. However, that does not mean that ransomware is not a problem. In fact, research and advisory company Forrester Research has predicted that ransomware attacks are going to be more of a problem in 2016, and the company believes that medical devices and wearables will be targeted. If the prediction turns out to be true, medical devices could be attacked...

Upgrade Internet Explorer to Remain HIPAA Compliant
Jan11

On Wednesday, January 12, 2016, Microsoft will be stopping support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or make the switch over to Microsoft Edge in order to continue receiving support, security updates, and patches. 18 months ago, Microsoft announced that its internet browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete. Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage. Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.” Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between...

NSF Grant Funds Development of Mobile Cloud Dietary Assessment Tool
Jan08

Many mHealth apps lack sufficient controls to keep patient data secure. In late 2014, a Trustworthy Health and Wellness (THaW) project funded by the National Science Foundation (NSF) determined that 63% of popular mHealth apps were not encrypting data (out of a test sample of 22), potentially placing data at risk of theft. Furthermore, 81% of mHealth apps were using third party storage or hosting services. The benefits of mHealth apps for patients and healthcare providers are considerable. Unfortunately, healthcare providers wishing to use mHealth apps are prevented from doing so by HIPAA. Unless developers of mHealth apps encrypt stored and transmitted data to a nationally accepted standard, or implement other controls to keep data secure, use of the apps by the healthcare industry will be limited.

Secure Mobile Cloud Dietary Assessment Tool Under Development

University of Massachusetts Medical School and UMass Lowell have recently embarked on a new National Science Foundation grant-funded project to test a new mHealth infrastructure that will allow patient data to be collected...

Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption
Jan08

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some methods of encryption are better referred to as data camouflage rather than data encryption. The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST). Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders. Dentists are covered under HIPAA and must...

Benefits of Healthcare Text Messaging Highlighted by New Study
Jan06

Further evidence has emerged showing the benefits of healthcare text messaging. A study recently published in the Journal of the American Heart Association clearly showed that an automated mHealth intervention using text messages and Smartphone tracking apps can prove to be an effective strategy for increasing patients’ physical activity levels. The benefits of increasing activity levels, in particular for sufferers of cardiovascular disease, cannot be overstated. However, under 50% of adults are failing to reach the recommended daily exercise targets, in spite of many initiatives to get the nation more active. In fact, activity levels have not increased substantially since they were assessed as part of the National Health and Nutrition Examination Surveys conducted between 1988 and 1994. According to the American Heart Association, there is a critical need for research into new, effective strategies that can be used to promote increasing daily activity levels. With this in mind, Seth S. Martin, MD, MHS et al, conducted a study at an ambulatory cardiology center in Baltimore to...

Online Medical Record Access Not Possible for the Majority of Patients
Dec31

A recent survey commissioned by personal clinical engagement platform vendor, HealthMine, indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store healthcare data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access to patient medical data. The recent survey was conducted on 502 consumers that intended to enroll in a 2016 health plan. The survey took place between October and November, 2015. The results of that survey show that over half of consumers (53%) do not yet have online access to their medical records, and almost a third (32%) of Americans have difficulty accessing their medical records. 31% of respondents indicated they have trouble accessing biometric information, and 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of Americans believe that having access to all of their clinical notes and medical...

Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1,425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal just one breach has been suffered, when in actual fact a great deal more have occurred. A case in point is CVS Health; a search for which would produce one result: A 12,914 record breach suffered this year. A search for CVS Caremark would...

Study Shows Value of Phishing Simulation Exercises
Dec23

A recent report indicates the probability of members of staff responding to a phishing campaign can be effectively reduced to zero if phishing simulation exercises are completed regularly.

The Growing Threat of Healthcare Phishing Attacks

The Office for Civil Rights recently issued its first financial penalty to an organization that suffered a data breach after its employees responded to a phishing campaign. The case resulted in University of Washington Medicine agreeing to a $750,000 fine to settle potential HIPAA violations. UWM had already had to cover significant data breach resolution costs after suffering a 90,000-record breach. The fine and data breach costs could potentially have been avoided if staff members had been trained how to identify phishing emails. The healthcare industry is now being targeted by cybercriminals, and phishing is the most commonly used method of gaining access to patient data. Even when multi-million-dollar security defenses are employed to keep networks secure, a single response to a phishing email can be all it takes to compromise the records of...

IT Pros’ Security Concerns for 2016 Probed by Spiceworks Survey
Dec21

A new IT security report issued by Austin-based IT firm Spiceworks indicates 80% of organizations have suffered an IT security incident this year. The company conducted a survey of 200 U.S. IT professionals to find out more about the security incidents suffered in 2015 and to gather opinions on the biggest data security threats for 2016. This year was challenging for IT professionals, with numerous IT security incidents suffered. In spite of this, optimism appears to be high. 71% of respondents said they are planning to increase security in 2016 to deal with cybersecurity threats, and next year should see them much better prepared to deal with security threats.

The Biggest Data Security Threats in 2015

In 2015, the biggest security threats came from malware, with 51% of organizations reporting they had suffered a malware attack during the past 12 months. Phishing is still a major problem, with 38% of organizations reporting a phishing incident, while spyware infections were reported by 34% of respondents. Interestingly, when it came to the biggest threats for 2016, 80% of IT...

Read More
TigerText Launches HIPAA Compliant Secure Texting App for Desktops
Dec18

TigerText Launches HIPAA Compliant Secure Texting App for Desktops

TigerText, the leading provider of secure text messaging solutions for the enterprise, has announced the launch of its latest initiative, TigerText Anywhere: A HIPAA compliant secure texting app for desktop computers. TigerText’s HIPAA compliant text message platform is already hugely successful. To date, more than 250,000 healthcare professionals have adopted the secure messaging platform. The company now counts 4 out of 5 of the largest for-profit healthcare systems in the United States among its clients. According to TigerText co-founder and CEO, Brad Brooks, “TigerText has reached the scale necessary to truly improve the quality of care our healthcare customers deliver, while at the same time reducing the costs to do so.” In fact, the potential cost savings from using the HIPAA compliant secure texting app are considerable, as Brooks explains. “By connecting electronic health records, critical alerts, real time shift data, and other essential components of patient care and productivity, we think that secure, real-time messaging could save the healthcare industry $30-$50 billion...

Read More
Adoption of Cloud Applications by the Healthcare Industry Increases Dramatically
Dec17

Adoption of Cloud Applications by the Healthcare Industry Increases Dramatically

The healthcare industry may have been slow to start using cloud applications, but over the course of the past 12 months, healthcare cloud app adoption has increased significantly. Last year, only 8% of healthcare organizations had started using cloud apps. This year that figure has jumped to 36%. Bitglass Report Shows Major Increase in Healthcare Cloud App Usage While there has been a massive jump in the adoption of cloud apps by healthcare organizations, the industry is still well behind almost all other sectors. Heavy regulation and fears about the security of the cloud have held organizations back. It is a similar story for the financial sector. Uptake has been rapid over the course of the past 12 months, but with an adoption rate of just 37.5%, it is only barely above the healthcare industry. Bitglass figures show an increase of more than 71% in adoption rates across all industries, but there are big differences between regulated and unregulated industries. Last year, 15% of organizations in regulated industries were using cloud applications. This year the figure has risen to 39%....

Read More
Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security
Dec13

Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security

Under HIPAA Rules, access to Protected Health Information must be strictly controlled. HIPAA-covered entities must therefore implement technical safeguards to ensure that only authorized individuals are able to gain access to data. EHRs and other software systems that are used to store or send ePHI must be protected by a minimum of a username and password, and any attempt to gain access to ePHI must be logged and periodically audited. Improving ePHI Security with Two-Factor Authentication Data security can be greatly enhanced by the use of two-factor authentication. Two-factor authentication requires an additional identification factor (other than a username/password combination) to be presented before access to ePHI is granted. Under the HIPAA Security Rule – 45 CFR Part 164, Subpart C – this control is strongly advisable but not mandatory; however, under the DEA’s Electronic Prescriptions for Controlled Substances (EPCS) rules, two-factor authentication is mandatory for all entities that e-prescribe controlled substances. Typically, the additional factor is a security question,...

Read More
Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing
Dec12

Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing

A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk. HIPAA and Data Sharing Under the HIPAA Privacy Rule, covered entities are not permitted to share Protected Health Information unless the patient has given prior authorization, or unless those data have first been de-identified – 45 CFR §164.502(d). When de-identifying data, covered entities must ensure the risk of re-identification of patients is kept to an acceptable level: the Expert Determination method and the Safe Harbor method are the two routes provided – 45 CFR §164.514(a)-(b). When sharing data, many HIPAA-covered entities opt for the Safe Harbor method, which requires the removal of 18 categories of identifier from the data prior to those data being disclosed to a third party for research studies, policy assessment, etc. Unfortunately, removing this...
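The Safe Harbor rules are mechanical enough to encode, and the edge cases are where de-identification scripts usually go wrong. The example below is added here and is not Privacy Analytics' product or any code from the page: it applies the Safe Harbor transformations to a single patient record. Direct identifiers and sub-state geography are dropped, dates are reduced to year, three-digit ZIP prefixes for areas under 20,000 residents become 000, and ages over 89 are aggregated to "90+" with the birth year dropped as well, since the year alone would reveal the age. The field names are this example's own schema and the small-ZIP set is a placeholder; a real job would load the current Census figures.

```python
import re
from datetime import date

# Safe Harbor, 45 CFR 164.514(b)(2). The field names are this example's own
# schema, not a standard. Direct identifiers and geography smaller than a
# state are removed outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Three-digit ZIP areas with fewer than 20,000 residents must be reported as
# 000. Constructed placeholder set: load the current Census figures in practice.
SMALL_ZIP3 = {"036", "059", "102", "203", "205", "369", "556", "692", "821", "823"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for a low-population ZIP3 area."""
    z3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(z3) < 3 or z3 in SMALL_ZIP3 else z3


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of one record."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"            # birth year would give the age away, so drop it
            else:
                out["age"] = str(age)
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[field] = str(value.year)      # admission, discharge, death: year only
        else:
            out[field] = value
    return out


# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0001", "ssn": "123-45-6789",
    "street": "1 Main St", "city": "Anytown", "state": "KY", "zip": "42345-0001",
    "dob": date(1922, 3, 4), "admitted": date(2015, 9, 16),
    "diagnosis": "J18.9", "email": "jane@example.org",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE, as_of=date(2015, 10, 1)))
```

Even a correct Safe Harbor pass only addresses the listed identifiers; the residual re-identification risk from the remaining fields is exactly the concern the survey respondents express, and is what the Expert Determination route is for.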

Read More
HIPAA Right to Privacy Being Waived for Pharmacy Discounts
Nov30

HIPAA Right to Privacy Being Waived for Pharmacy Discounts

The HIPAA right to privacy can be waived if patients agree to let healthcare providers, insurers, and other covered entities access and share their data. A number of insurers have trialed issuing subscribers with wearable devices that monitor health metrics. In exchange for agreeing to wear the devices that track heart rate, exercise levels, and other vital signs, subscribers are provided with discounts on their premiums. In such cases there is a benefit to both patient and provider. Insurance companies are able to gain a better understanding of the health of subscribers and they can adjust policies and charges accordingly. Subscribers get to monitor their health and wellness more closely and they get a financial reward. Some pharmacies have also started operating similar schemes. Instead of giving discounts on insurance premiums they give discounts on their products and prescriptions, if customers download a Smartphone app and agree to share their data. By offering discounts the pharmacies are able to secure more business. Just like reward cards, the scheme improves brand loyalty....

Read More
Major Mobile Health Application Growth Predicted
Nov29

Major Mobile Health Application Growth Predicted

Mobile technology has the potential to revolutionize the provision of healthcare, and it is already having a major impact on the industry. According to PwC, one of the few limiting factors is how the technology can be implemented so that healthcare providers obtain its full benefits. This does not appear to have hindered growth in the sector: PwC has predicted that the market will grow six-fold over the course of the next two years. Growth in the sector will mostly come from the development of new mHealth applications and from monitoring services. A new report published by healthcare market research firm Kalorama Information suggests that the growth of mobile health applications will outstrip all other mobile application areas over the next four years. The Kalorama report highlights the substantial growth already seen in the mHealth market so far in 2015. Manufacturers of devices, software developers, and providers of wireless services are capitalizing on growing demand. By the end of the year, the industry is expected to have generated close to $34 billion....

Read More
Major Data Exfiltration Discovered at Muhlenberg Community Hospital
Nov17

Major Data Exfiltration Discovered at Muhlenberg Community Hospital

Patient, employee, and contractor data have potentially been obtained by unknown third parties as a result of a multi-computer malware infection at Owensboro Health Muhlenberg Community Hospital, KY. According to the breach notice submitted to the Office for Civil Rights, 84,681 individuals have been affected by the cyberattack. The security breach was discovered by the FBI after unusual third-party network activity was noticed on the hospital’s servers. An alert was issued on September 16, 2015, and the hospital immediately brought in external computer forensics experts to determine the cause of the activity. That investigation revealed a number of computers had been infected with a type of malware that logs all keystrokes on the affected computers. This type of malware then transmits those keystrokes to the attacker’s command and control server. All data entered on the infected computers have therefore potentially been transmitted to the hacker(s) responsible for the attack. The suspicious network activity was only recently discovered, but the investigation revealed that the...
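A keylogger that posts captured keystrokes to a command and control server produces exactly the kind of "unusual network activity" the notice describes: a host contacting the same external address at a fixed interval with small, similar-sized payloads. The example below is added here and is not from the hospital's investigation or its forensics vendor. It parses a few constructed firewall log lines (not real logs from the incident) and flags source/destination pairs whose inter-connection intervals are almost constant, using the coefficient of variation of the gaps as the beaconing score. The log format, the thresholds, and the addresses are all this example's assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines, not from the incident. 10.0.5.17 checks in with
# 203.0.113.9 every five minutes with ~600 bytes each time, the pattern of an
# implant posting captured keystrokes; 10.0.5.22 is ordinary browsing.
LOG = """\
2015-09-16T08:00:02 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=612
2015-09-16T08:00:41 src=10.0.5.22 dst=198.51.100.40 dport=443 bytes_out=9120
2015-09-16T08:05:03 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=598
2015-09-16T08:07:19 src=10.0.5.22 dst=198.51.100.40 dport=443 bytes_out=1304
2015-09-16T08:10:01 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=640
2015-09-16T08:12:55 src=10.0.5.22 dst=198.51.100.7 dport=80 bytes_out=770
2015-09-16T08:15:04 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=605
2015-09-16T08:20:02 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=621
2015-09-16T08:25:01 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=590
2015-09-16T08:31:47 src=10.0.5.22 dst=198.51.100.40 dport=443 bytes_out=22400
"""

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=\d+ bytes_out=(\d+)$")


def parse_flows(log: str) -> dict:
    """Group (timestamp, bytes_out) events by (src, dst); skip unparseable lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            flows[(m.group(2), m.group(3))].append(
                (datetime.fromisoformat(m.group(1)), int(m.group(4))))
    return flows


def find_beacons(log: str, min_events: int = 5, max_cv: float = 0.1) -> list:
    """Flag pairs with at least `min_events` connections whose gaps vary by no
    more than `max_cv` (std/mean). Human browsing is bursty and scores high;
    timer-driven check-ins score close to zero."""
    suspects = []
    for (src, dst), events in parse_flows(log).items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            suspects.append({
                "src": src, "dst": dst, "events": len(events),
                "period_s": round(mean), "cv": round(cv, 3),
                "bytes_out": sum(b for _, b in events),
            })
    return suspects


if __name__ == "__main__":
    for s in find_beacons(LOG):
        print(s)
```

On real data, run this over a day or more of egress logs per internal host, then triage the flagged destinations against threat intelligence and the host's process list; a sleep with jitter will raise the CV, so treat the threshold as a starting point rather than a verdict.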

Read More
WebTitan Gains Accreditation as Friendly Wi-Fi Approved Vendor
Nov11

WebTitan Gains Accreditation as Friendly Wi-Fi Approved Vendor

WebTitan’s Wi-Fi filtering solution has been considered to be of a sufficiently suitable standard to gain accreditation in the UK’s Friendly Wi-Fi scheme. In 2013, the UK’s Prime Minister – David Cameron – announced that a commitment had been received from the UK’s main Wi-Fi vendors that their standard public Wi-Fi service will automatically filter the Internet to comply with the Internet Watch Foundation “watch list” and block access to pornography. The Friendly Wi-Fi Scheme was subsequently created in collaboration with the UK Council for Child Internet Safety (UKCCIS). The motive behind the Scheme is to prevent children and young adults from accessing inappropriate pornographic material themselves and limit accidental exposure to inappropriate material that nearby adults might be viewing in public. “Friendly Wi-Fi” accreditation is given by the Registered Digital Institute to vendors and businesses who commit to protecting minors from exposure to inappropriate web content. TitanHQ has just announced that the company’s WebTitan for Wi-Fi has been accredited by...

Read More
Over Half of IT Security Pro’s Do Not Believe They Will be Targeted by Hackers
Oct30

Over Half of IT Security Pro’s Do Not Believe They Will be Targeted by Hackers

Major cyberattacks have been suffered by a number of HIPAA-covered entities this year. The frequency of cyberattacks on healthcare providers and insurers has increased. However, over half of IT security professionals do not believe their organization will become a victim of a cyberattack, according to a new report issued by the Ponemon Institute. Should this belief turn out to be true it is great news, as 61% of IT pros do not believe their organization is well prepared to deal with a cyberattack if one does occur. If they are wrong, it is very bad news indeed. Cybersecurity Survey Produces Worrying Results The results of the Ponemon survey are worrying. Evidence suggests cyberattacks on healthcare providers have increased, and the volume of records exposed in those attacks has spiraled this year. Unfortunately, despite the increase in attack frequency and severity, HIPAA-covered entities do not appear to be doing much to counter the threat according to the report. IT security professionals were asked what measures they were planning to deploy over the coming 12 months, and...

Read More
Healthcare Software Security Assessed by BSIMM Study
Oct20

Healthcare Software Security Assessed by BSIMM Study

Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health have all been assessed as part of the latest Building Security in Maturity Model (BSIMM) study, published yesterday, with healthcare software security discovered to be well behind other industry sectors. This is the first time that healthcare firms have been assessed by the study, which looks at 12 different software security practices. The study assesses enterprise software security development, and the healthcare industry is severely lagging behind other industries in all 12 of the software security practices tested. This is the first time in the history of the study that one industry has performed so consistently poorly, coming bottom of the list in every practice tested. The main industries assessed as part of the study were healthcare, financial services, consumer electronics organizations and independent software companies, as well as a smaller number of organizations from the insurance, retail and telecoms industries. The results of the BSIMM study give organizations...

Read More
Kaspersky Labs Report Probes Security Attitudes Among BYOD Participants
Oct19

Kaspersky Labs Report Probes Security Attitudes Among BYOD Participants

The rise in popularity of mobile devices has seen many companies adopt a Bring Your Own Device (BYOD) scheme. According to a recent survey by Kaspersky Labs, over half of consumers are now using their own mobiles, laptops and tablets at work and take part in such a scheme. Due to the benefits of BYOD schemes, they have now been adopted by many HIPAA-covered entities, although the strict regulations covering data privacy and security have, to a certain extent, restricted use of the devices for work purposes more than in other, less well regulated industries. A Lack of Concern for Work Data The latest Kaspersky BYOD survey may have shown BYOD schemes have been widely adopted in the United States, but organizations operating such a scheme must effectively deal with the cybersecurity risks the schemes can introduce. While operators of the schemes may address security issues, not all organizations have fully assessed the risks posed by the devices. Furthermore, it would appear that many participants in BYOD schemes are not particularly concerned about data security. Only 10% of...

Read More
Is the Risk of Cyberattacks Really Increasing? Study Says No
Oct19

Is the Risk of Cyberattacks Really Increasing? Study Says No

The Department of Health and Human Services’ Office for Civil Rights breach portal lists all of the self-reported healthcare data breaches submitted by HIPAA covered entities, for all data-exposing security incidents, including hacks. A look at the headlines would suggest hackers are gaining access to patient data with increasing regularity, as malicious attacks on healthcare networks are widely reported in the media. When hacking incidents do occur, they tend to be headline news as they often involve the exposure of vast quantities of data.  So far in 2015, multi-million-record data breaches have been suffered by a number of healthcare providers, health plans and Business Associates of covered entities, but is the risk of cyberattacks actually increasing? A recent study conducted by the University of New Mexico’s Department of Computer Science suggests that despite a number of major healthcare cybersecurity breaches being reported in 2014 and 2015, the risk of cyberattacks occurring has actually changed very little over the past decade, and that we are perhaps not actually in as...

Read More
Android Smartphone Security Continues to Cause Concern
Oct17

Android Smartphone Security Continues to Cause Concern

How Secure is an Android Smartphone? Android Smartphone security continues to cause concern, even after Google’s decision to start issuing monthly security updates for the Android platform. Fears about Android device security were not alleviated by a new University of Cambridge (UK) study (partially funded by Google) which suggests that despite the new monthly security updates, 87.7% of Android Smartphones contain at least one critical security vulnerability. Study Confirms Serious Android Smartphone Security Issues The study involved researchers collecting version numbers and build numbers of over 20,400 devices, via the Device Analyzer App available through Google Play Store. Each phone was also tested against 13 known “critical” security vulnerabilities. The study looked at different Android mobile phone manufacturers and assessed the security of the devices, revealing there are considerable differences in the degree of protection offered to users. Each manufacturer was assigned a security score by the research team, the calculation of which involved an analysis of a number of...

Read More
How to Spot a Phishing Email
Oct14

How to Spot a Phishing Email

October is National Cyber Security Awareness Month, a time of the year when events are organized and new initiatives are launched to increase cybersecurity awareness and highlight the risk of cyberattacks, computer fraud, phishing campaigns and other data security and privacy issues. When President Obama declared October National Cyber Security Awareness Month, his aim was to increase the resiliency of the nation in the event of a cyber incident, and great strides have been made already to make that aim a reality. The Cybersecurity Threat is Greater Than Ever Before Unfortunately for healthcare providers, cybercriminals are now upping their game. They are developing ever more sophisticated methods of attack in an effort to gain access to healthcare data. The United States now faces a higher risk of cyberattack than ever before, and all healthcare providers must invest in defenses to protect their computer equipment and systems from the onslaught of attacks. One of the commonest methods used by cybercriminals to gain access to healthcare networks is phishing. The perpetrators of...
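The indicators that distinguish a phishing email from a legitimate one can be checked mechanically before a message reaches a mailbox. The example below is added here, is not part of the original article, and uses only the Python standard library. It parses a constructed sample message (not a real phishing email; the domains are reserved example names) and reports four classic signs: a display name that shows one address while the real sender is another, a Reply-To pointing at a third domain, an SPF or DKIM failure recorded by the receiving mail server, and link text that displays one domain while the href goes to another. A constructed benign message shows the checks staying quiet.

```python
import re
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed phishing sample (not a real message). The display name impersonates
# the hospital, Reply-To goes to a third domain, the receiving MTA recorded an
# SPF failure, and the link text and href disagree.
SAMPLE = b"""\
Authentication-Results: mx.example-hospital.org; spf=fail smtp.mailfrom=example-login.net; dkim=none
From: "IT Service Desk <helpdesk@example-hospital.org>" <alerts@example-login.net>
Reply-To: recover@example-login-support.net
To: nurse@example-hospital.org
Subject: Your mailbox will be deactivated in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Log in now to keep your account:</p>
<a href="http://example-login.net/owa/reset">https://mail.example-hospital.org/owa</a>
</body></html>
"""

# Constructed legitimate sample for comparison.
BENIGN = b"""\
Authentication-Results: mx.example-hospital.org; spf=pass smtp.mailfrom=example-hospital.org; dkim=pass
From: "IT Service Desk" <helpdesk@example-hospital.org>
To: nurse@example-hospital.org
Subject: Scheduled maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.example-hospital.org/maintenance">https://intranet.example-hospital.org/maintenance</a></p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(s: str) -> str:
    """Domain part of an address (after @) or URL (after ://), lower-cased."""
    m = re.search(r"@([\w.-]+)|://([\w.-]+)", s or "")
    return (m.group(1) or m.group(2)).lower() if m else ""


def phishing_indicators(raw: bytes) -> list:
    msg = BytesParser().parsebytes(raw)   # compat32 policy: headers come back as plain strings
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    if "@" in display and domain_of(display) != sender_dom:
        findings.append(f"display name shows {domain_of(display)} but sender is {sender_dom}")

    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != sender_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")

    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed at the receiving mail server")

    collector = LinkCollector()
    collector.feed((msg.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    for href, text in collector.links:
        if domain_of(text) and domain_of(href) != domain_of(text):
            findings.append(f"link text shows {domain_of(text)} but points to {domain_of(href)}")
    return findings


if __name__ == "__main__":
    for f in phishing_indicators(SAMPLE):
        print("-", f)
    print("benign:", phishing_indicators(BENIGN))
```

These checks catch the common lures; they do not replace the Authentication-Results verdict from your own gateway, and a message can pass all four and still be malicious, which is why the simulation training the page discusses still matters.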

Read More
2016 Global State of Cybersecurity Study Released
Oct13

2016 Global State of Cybersecurity Study Released

The threat landscape is ever changing and the risk of cyberattacks has grown enormously in recent years; however, organizations have responded to the increased threat level by implementing a range of new cybersecurity defenses to keep networks and data secure, according to a recent report on the global state of cybersecurity. Cloud-enabled cybersecurity defenses have been deployed, advanced authentication software installed, and big data analytics are increasingly common. As a result, cybersecurity risks are, in many cases, being effectively managed. One of the main advances has been the use of cybersecurity intelligence, which allows insights to be gained into the biggest security threats. This has allowed IT security professionals to manage risks more effectively, and allocate resources to deal with the biggest threats. We are now also seeing organizations adopt a more collaborative approach to data security, with greater sharing of intel between corporations to deal with a common threat. Global State of Cybersecurity Assessed by PwC The new PricewaterhouseCoopers (PwC)...

Read More
Physicians Choose Secure Texts to Engage Patients
Oct10

Physicians Choose Secure Texts to Engage Patients

In today’s healthcare environment it is essential to involve patients more in their own healthcare and greater efforts must be made to engage patients. Physicians are now expected to achieve more during patient consultations, yet the cost of healthcare provision must also be decreased. There are numerous ways this can be achieved. Pre-visit check-ins can be performed, patients can be enrolled in remote health monitoring programs, and offered telehealth services. More online visits should also be conducted. However, the Health Insurance Portability and Accountability Act, specifically the Security Rule, poses problems for physicians looking to improve care and engage patients in their own healthcare. The Security Rule places a number of requirements on HIPAA covered entities to ensure that patients’ Protected Health Information (PHI) is protected at all times. Any healthcare provider wishing to take advantage of the wealth of new technology now available must ensure that efforts are made to keep private data secure. If insecure communication channels are used to communicate with...

Read More
CMS Finalizes Meaningful Use Rules
Oct08

CMS Finalizes Meaningful Use Rules

The Centers for Medicare & Medicaid Services (CMS) has released the final rule modifying Meaningful Use Program requirements (2015-2017) in addition to postponing mandatory adoption of Meaningful Use Stage 3 requirements. The changes simplify the Meaningful Use requirements for eligible hospitals and healthcare professionals. The changes have taken some time to be finalized. Following on from the interim rule, comments were requested from the general public. Over 2,500 comments were received and reviewed, many of which highlighted the considerable reporting burden placed on healthcare professionals and hospitals participating in the Meaningful Use program. After considering the comments, modifications were made to simplify Stage 3 requirements and add more flexibility to the program, which should ease the reporting burden. Changes were also made to support interoperability and improve outcomes. Dr. Patrick Conway, M.D., M.Sc., CMS deputy administrator for innovation and quality and chief medical officer, said “We have a shared goal of electronic health records helping...

Read More
ONC Releases Final 10-Year Interoperability Roadmap
Oct08

ONC Releases Final 10-Year Interoperability Roadmap

On Tuesday this week, the Office of the National Coordinator for Health IT released the long-awaited final 10-Year Interoperability Roadmap. Following the release of the draft version of the roadmap in January 2015, the ONC sought comments from stakeholders. Over 250 comments were received, which were used to fine tune the roadmap ahead of the release of the final version. The final Nationwide Interoperability Roadmap explains the ONC’s 10-year vision to achieve an interoperable health IT infrastructure, stipulating the steps which must be followed if the ONC’s goal of an interoperable health IT system is to be achieved over the next 10 years. The ONC’s vision is to create a health IT environment that “makes the right data available to the right people at the right time across products and organizations in a way that can be relied upon and meaningfully used by recipients.” National Coordinator for Health IT, Karen DeSalvo, says one of the main aims of the roadmap was to focus on methods that can be used “to align incentives, develop an appropriate governance structure and implement...

Read More
OCR Web Portal for Mobile Health App Developers Launched
Oct06

OCR Web Portal for Mobile Health App Developers Launched

The Department of Health and Human Services’ Office for Civil Rights has launched a new web portal for mobile health app developers. The portal will allow application developers to get answers to the burning questions they have about HIPAA Rules and compliance requirements. The new portal is intended to encourage application developers, in particular mobile app developers, to submit comments and questions regarding HIPAA. In a recent email bulletin following the launch, the OCR explained the sort of questions it hopes will be asked. “We are asking stakeholders to provide input on the following issues: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible?” The information gathered via the portal will also help the OCR develop future guidance covering mobile health apps. New mHealth Guidance has been a Long Time Coming The Health Insurance Portability and Accountability Act was first introduced in 1996, many years before the first Smartphones...

Read More
7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness
Oct05

7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness

The 7th Annual mHealth Summit is fast approaching. This year, the 4-day conference will be bigger and better than ever before, exploring the impact mobile health, telehealth and connected health are having on healthcare delivery, clinical care management and patient/consumer engagement. The event will also focus on how mobile solutions for health and wellness can improve the delivery of healthcare and patient outcomes. This year the event will take a slightly different format, including the new HIMSS Connected Health Conference, which has been billed as an “all-inclusive event highlighting how technology is enabling the transformation of healthcare delivery.” It promises to be the most comprehensive event in its seven-year history, incorporating industry-leading keynote presentations covering mHealth, mobile apps, wearable technology, interoperability, the Internet of Things, as well as the usual presentations to assist HIPAA-covered entities achieve and maintain compliance. The event offers attendees the opportunity to network, discuss new ideas, and learn about the latest...

Read More
How to Respond to a Healthcare Data Breach
Oct02

How to Respond to a Healthcare Data Breach

HIPAA-covered entities that have spent time developing and testing a health data breach response plan will be able to respond more quickly to a suspected data breach and execute an efficient HIPAA breach response. Those that have not invested time and effort into planning are likely to struggle to react quickly, and delays can prove costly. As the Ponemon Institute’s 2017 Cost of a Data Breach study showed, having a health data breach response plan helps organizations to execute an efficient HIPAA breach response. The faster the response, the easier it will be to contain the breach and limit the harm caused. Organizations that are able to respond to a data breach quickly end up paying less in breach resolution costs; the cost of a data breach increases the longer it takes to respond and deal with the breach. Cyberattacks and Data Breaches Are Inevitable With hackers targeting healthcare providers for the protected health information (PHI) they hold, data breaches are no longer a probability but an inevitability. In fact, it is now highly likely that healthcare providers,...

Read More
How Secure are Your Medical Devices?
Oct02

How Secure are Your Medical Devices?

How secure are medical devices? According to a data security study presented at the recent DerbyCon Security Conference, not very, it would appear. Not only can hackers gain access to MRIs, drug infusion pumps, X-ray machines and other radiology and medical equipment, even a couple of patients have discovered they can access their drug pumps and increase their morphine dosage. In some cases it doesn’t actually take much technical skill at all to gain access to medical devices. A quick search on the internet can reveal the login credentials for machines from many manufacturers. Of course, anyone looking to gain access to a medical device, and potentially the network it is connected to, would need to know where to look. That is not a difficult task, according to the researchers. The search engine Shodan contains lists of thousands of networked medical devices, and even gives names of the devices, what they do, where they are located (what hospital and where exactly in that hospital) and even the doctors who are assigned to use the equipment in some cases. The latter is worrying, as...

Read More
HealthCare.gov Security Vulnerability Critical, Says OIG
Sep30

HealthCare.gov Security Vulnerability Critical, Says OIG

A “critical” HealthCare.gov security vulnerability has been discovered which could potentially be exploited by hackers looking to gain access to highly confidential data, according to the Department of Health and Human Services’ Office of the Inspector General. The government’s team of ethical hackers were let loose on the HealthCare.gov website, and discovered a critical weakness in its otherwise robust security features. The team used standard techniques known as vulnerability scanning, which simulate an attack by malicious outsiders. The scans therefore assessed security vulnerabilities that could realistically be exploited by external hackers. The team of “white hat” hackers discovered the vulnerability, although they were not able to exploit it to gain access to data due to a range of other security defenses installed to safeguard stored data. The HealthCare.gov website is the gateway to taxpayer-subsidized health plans and is used by 36 states, with those health plans subscribed to by millions of Americans. The data potentially accessible through the site is extensive. The...

Read More
McAfee Study Investigates How Hackers Exfiltrate Data
Sep24

McAfee Study Investigates How Hackers Exfiltrate Data

A new data exfiltration study has been released by McAfee, which examines the actors and tactics used by criminals to obtain Protected Health Information and other sensitive data, in addition to effective detection and preventative measures employed by companies to thwart cyberattacks and data theft. The report details the commonest methods used by hackers to get data out of systems once access has been gained. Most cybersecurity reports focus instead on how hackers manage to gain access to computer systems; McAfee has concentrated on the little-studied area of data exfiltration. Participants in the study were interviewed by the company’s researchers and asked questions about their main security concerns, the threats they face on a day-to-day basis, the tools used to identify data exfiltration, as well as being asked to provide details of how data were actually exfiltrated. The results of the study provide IT professionals around the world with valuable intel, which can be used to determine the most important measures to address security risks and prevent data theft and...

Read More
Glidewell Laboratories Reports Breach of Employee Data
Sep23

Glidewell Laboratories Reports Breach of Employee Data

An unauthorized individual has been discovered to have stolen the personal information of a number of employees of James R. Glidewell, Dental Ceramics, Inc., according to a breach notice submitted to the California Department of Justice. The breach notice does not specifically mention whether the security breach was the work of a malicious insider or outsider, although the breach notice hints that the breach was caused by a former Glidewell employee. Glidewell has told employees “we are continuing to explore all available means of legal recourse and plan to pursue civil and/or injunctive relief, as may be appropriate.” Upon discovery of the data breach, law enforcement agencies were notified and Glidewell enlisted the help of external data security experts to conduct an internal forensic investigation. The investigations into the data theft are continuing. Patient data were not exposed in the incident, although confidential data of employees have been stolen. The information that has been compromised includes employee names, addresses, financial account information related to...

Read More
Microsoft Issues Warning over Effectiveness of EHR Data Encryption
Sep08

Microsoft Issues Warning over Effectiveness of EHR Data Encryption

Researchers at Microsoft have recently issued a paper questioning the effectiveness of EHR data encryption. A warning has been issued to healthcare providers about security vulnerabilities in some electronic medical record systems, which have been shown to leak information even when the data are stored encrypted. The results of the study are due to be presented at the ACM Conference on Computer and Communications Security next month, although the research paper can be viewed now, ahead of the ACM presentation. During the study, Microsoft researchers successfully recovered patient data including names, race, age, hospital admission information and other fields by exploiting these weaknesses. The paper cites four methods that can be used by attackers to recover the Protected Health Information of patients. The researchers were so concerned about the high risk of data exposure that they deemed it necessary to issue a warning to healthcare providers and other HIPAA-covered entities that were using CryptDB-based protections. They were told in no uncertain terms to...
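The weakness behind this class of result is that a database column has to be encrypted deterministically (same plaintext, same ciphertext) for the server to answer equality queries over it, and that property leaks every value's frequency. The example below is added here and is not the Microsoft researchers' code or CryptDB's; it uses a keyed HMAC as a stand-in for a deterministic encryption scheme, encrypts a constructed 100-row "blood type" column, and shows an attacker with no key but a public distribution of the attribute recovering every row by matching ciphertext ranks to population ranks. The same block shows that a randomized encryption (fresh nonce per row) removes the leakage, at the cost of the server no longer being able to match equal values. The key, column and auxiliary frequencies are all constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed server-side column key. The attacker never learns it; the attack
# does not need it.
KEY = b"constructed-column-key-for-the-example"


def det_encrypt(value: str) -> str:
    """Deterministic 'encryption' stand-in: equal plaintexts give equal ciphertexts,
    which is what lets the DB answer WHERE blood_type = ? without the key."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def rand_encrypt(value: str) -> str:
    """Randomized variant: a fresh nonce per row hides frequencies, but the
    server can no longer compare two rows for equality."""
    nonce = os.urandom(8).hex()
    return nonce + ":" + hmac.new(KEY, (nonce + value).encode(), hashlib.sha256).hexdigest()[:16]


# Constructed patient column (100 rows) as the attacker would see it on disk.
PLAINTEXT_COLUMN = ["O"] * 45 + ["A"] * 40 + ["B"] * 11 + ["AB"] * 4
ENCRYPTED_COLUMN = [det_encrypt(v) for v in PLAINTEXT_COLUMN]

# Public auxiliary knowledge: approximate population frequencies of the attribute
# (constructed values; only the ranking is used).
AUXILIARY = {"O": 0.44, "A": 0.42, "B": 0.10, "AB": 0.04}


def frequency_analysis(ciphertexts, auxiliary) -> dict:
    """Map the i-th most common ciphertext to the i-th most common plaintext."""
    ct_by_rank = [c for c, _ in Counter(ciphertexts).most_common()]
    pt_by_rank = [p for p, _ in sorted(auxiliary.items(), key=lambda kv: -kv[1])]
    return dict(zip(ct_by_rank, pt_by_rank))


def recover_column(ciphertexts, auxiliary) -> list:
    mapping = frequency_analysis(ciphertexts, auxiliary)
    return [mapping.get(c, "?") for c in ciphertexts]


def recovery_rate(recovered, truth) -> float:
    return sum(r == t for r, t in zip(recovered, truth)) / len(truth)


if __name__ == "__main__":
    guess = recover_column(ENCRYPTED_COLUMN, AUXILIARY)
    print("deterministic column: distinct ciphertexts =", len(set(ENCRYPTED_COLUMN)),
          "rows recovered =", recovery_rate(guess, PLAINTEXT_COLUMN))
    randomized = [rand_encrypt(v) for v in PLAINTEXT_COLUMN]
    print("randomized column: distinct ciphertexts =", len(set(randomized)))
```

With four distinct ciphertexts whose counts line up with a public distribution, the attacker recovers the whole column without touching the key. Low-cardinality attributes such as blood type, sex, race or admission month are the worst case, which is why the warning is aimed at medical record systems specifically.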

Read More
Healthcare Workers Risk Data Exposure from Smartphone Gambling Apps
Sep07

Healthcare providers and other HIPAA-covered entities operating Bring Your Own Device (BYOD) schemes will be aware that the use of mobile devices carries risks; however, a recent study has highlighted just how risky unauthorized apps can be, with employees’ use of Smartphone gambling apps deemed to be especially risky. If healthcare workers are allowed to use their own personal devices for work purposes, policies must be put in place covering the permitted use of apps on the device. Apps must be assessed, and employees informed of the applications which can be used securely on the devices. While an app may never be used for work purposes, if it is installed on a device, security vulnerabilities in that app could potentially be exploited by hackers. An app could therefore be used to gain access to the data stored on the device, or the computer network that the device connects to.

New Study Highlights Data Security Risk from Gambling Apps

A recent study conducted by the security company Veracode suggests that the average sized company has at least one gambling app being used...

Read More
Data Security Report Shows Main Points of Cyberattack by Industry Sector
Sep03

SurfWatch, a leading provider of cyber risk intelligence analytics and applications, recently released a mid-year cyber risk intelligence report detailing the most common methods used by hackers to gain access to confidential patient and business data, including the main points of cyberattack by industry sector. The company discovered that despite a number of highly sophisticated attacks on healthcare providers in recent months, the majority of hackers are still using the same tried and tested methods to break through security defenses as they have for years. The most common points of attack are poorly secured websites and applications, patient and customer accounts, and endpoints, which together account for 77% of all cyberattacks evaluated by SurfWatch analysts. The main aim of the SurfWatch Labs 2015 Mid-Year Report was to identify the most effective ways organizations can reduce the risk of suffering cyberattacks. Big money is being diverted to improve cybersecurity defenses and to protect against hackers; however, it is important that organizations look closely at all potential attack...

Read More
Have You Mitigated Your Mobile Device Security Risks?
Sep03

Mobile devices have the potential to improve efficiency in the healthcare industry, which in turn leads to increased productivity of the workforce and a reduction in operational costs. However, tablets, Smartphones, laptops and other portable networked devices also introduce new security risks, and can potentially give hackers an easy entry point into a healthcare network. Unfortunately, banning the use of mobile devices in the workplace is no longer a feasible option. The only choice for healthcare providers and other HIPAA-covered entities is to leverage the benefits of the devices while mitigating the risks they pose, as far as is practical and possible.

Mobile Devices Carry a High Risk of PHI Exposure

Mobile devices carry a high risk of accidental PHI exposure. In many cases the devices can be used to connect to healthcare networks and view PHI, and data can also be stored on the devices; however, since they are portable, they are also easily lost or stolen. They can also be used to connect to healthcare networks via insecure public Wi-Fi, and apps are often downloaded to...

Read More
4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG
Aug30

The healthcare industry is under attack. Hackers are targeting healthcare providers, insurers and other HIPAA-covered entities for the precious data they hold, yet health firms are still unprepared to deal with the threat. The seriousness of the situation has been illustrated in a recent cybersecurity report from KPMG. The company commissioned a survey (conducted by Forbes Insights) which shows that 81% of health firms have suffered a cyberattack in the past two years, but only 53% of providers and 66% of payers consider themselves ready to defend against a cyberattack. The survey was conducted on CIOs, CTOs and Chief Compliance Officers in healthcare organizations with revenues in excess of $500 million per annum, and healthcare providers’ and insurers’ cybersecurity measures were assessed via the questionnaire. The report shows that in spite of the increased threat to data security, healthcare organizations are ill-prepared for an attack. A quarter of respondents said their organizations were not able to detect cyberattacks in real time, as they lack the necessary software systems to do so....

Read More
Secure Texting Can Help Patients with Insulin Management Says New Study
Aug30

Secure text messaging has been shown to help patients manage their dosage of insulin, according to a recent study published in the Journal of Medical Internet Research. The study was conducted by researchers at Bellevue Hospital in New York City with the aim of assisting patients with insulin dosing, with a primary focus on assisting low-income individuals. 61 participants consented to take part in the Mobile Insulin Titration Intervention Diabetes Program. 33 patients were sent reminders to check their blood glucose levels every day, and had to send their blood glucose readings to the hospital via text message. By sending the information to the hospital, nurses were able to remotely monitor blood glucose levels: if the readings were too low or too high, patients had their insulin dosage altered accordingly. The control group, consisting of the other 27 participants, received standard care, and titrated their insulin at home during visits from remote healthcare workers. The results of the study clearly show the benefits of Bellevue’s diabetes program: 88% of participants were able to get...

Read More
Mobile Devices Biggest Enterprise Cybersecurity Vulnerability
Aug24

A news release issued by Check Point Software suggests mobile devices now represent the biggest threat in the security chain, a potential problem for healthcare organizations operating a BYOD scheme. Mobile devices are now viewed as one of the easiest entry points into an otherwise protected computer network and, according to the report, are now the biggest enterprise cybersecurity vulnerability. Large healthcare providers should take note, as they are likely to be particularly vulnerable to attack, purely because of the number of mobile devices they have in operation. According to Check Point researchers, organizations allowing 2,000 or more mobile devices to connect to the network have a 50% chance of at least six devices being infected or having been targeted by cybercriminals. 72% of IT professionals agreed that for the coming year the top security challenge is securing corporate information; however, in close second place (67%) was dealing with personal device security. Securing, storing and segregating personal and corporate data on mobile devices is a major challenge. Key...

Read More
New Android Smartphone Data Security Warnings Issued
Aug12

New Android Smartphone data security warnings have been issued, alerting users to new security flaws in the software which could potentially allow hackers to gain control of the devices. The Android security flaw discovered by IBM’s X-Force Application Security Research Team could affect 55% of Android phone owners, while Check Point’s discovery could similarly affect millions. These announcements come after Samsung, Google and LG stated that they will now be providing monthly security updates for Android devices, including a fix for the Stagefright vulnerability. Unfortunately, Android devices often include additional software installed by the device manufacturer, a problem Apple and Blackberry do not share: both companies develop their own hardware and software. As a result, the latter companies can roll out security updates much more quickly. With the open-source Android platform, security fixes will always be issued more slowly.

‘Certifi-gate’ Security Breach Reported

Android Smartphone data security warnings are now being issued with increasing frequency. The...

Read More
SpamTitan Technologies Undergoes Rebranding Exercise – Emerges as TitanHQ
Aug11

From today, SpamTitan Technologies – one of the world’s leading providers of email and web security solutions – will be known as TitanHQ. To support its continued evolution as a provider of email and web security solutions, SpamTitan Technologies has rebranded as TitanHQ. The company has seen substantial growth over the past five years due to the release of new products, the introduction of cloud security services and through relationships with partners throughout the world. As the company continues to grow, its leadership has decided on the rebranding as part of its future plans. TitanHQ’s CEO – Ronan Kavanagh – said “As our customers’ needs have evolved so too has our product suite. We have added great new products and product brands such as SpamTitan, WebTitan and ArcTitan. The company continues to respond to consumer demand and this rebrand is part of this response. We now feel it is right to incorporate all of our great products under one umbrella brand which will allow us to communicate one core message through one central platform to our customers”....

Read More
Hospital Drug Pump Hacking Risk Discovered
Aug06

In addition to having to deal with the threat to electronic health records from hackers, hospitals must also be wary of attacks on their medical devices, as evidenced by a new Food and Drug Administration (FDA) warning over a drug pump hacking risk that exists with Hospira’s Symbiq drug pump.

Symbiq Drug Pump Hacking Risk Warning Issued by FDA

Only a few days ago, two hackers discovered it was possible to hack into the onboard computers of Fiat Chrysler automobiles and take control of the vehicle; now patients plugged into the Symbiq drug pump could potentially be at the mercy of malicious hackers. Such is the severity of the Symbiq drug pump hacking risk that on Friday last week the FDA issued a warning to all hospitals using the device, instructing them to retire the devices and make the transition to other, more secure drug infusion pumps. In the meantime, the FDA recommended that healthcare providers should “disconnect the pumps from their networks and update their drug libraries manually.” Since the vulnerability can be exploited via unused ports on the devices, the FDA...

Read More
Hackers Stole Anthem Data for Espionage; Not Fraud
Aug03

The colossal data breach suffered by Anthem Inc. appears to have occurred for reasons related to espionage, not financial gain, according to Symantec. Hackers often break into healthcare databases to steal patient health data and Social Security numbers, which have a high value on the black market. The data can be used to commit identity fraud, file false tax returns, and obtain credit in the names of victims; but that is not the only way the data can be used. Human intelligence (HUMINT) has the potential to be much more valuable. The Anthem cybersecurity attack has been linked to a group of hackers operating under the name of Black Vine. Black Vine hackers are well funded, operate out of China, and are understood to have ties to the Chinese Government, although this is understandably denied by Beijing. The group has previously been linked to major security incidents throughout the U.S., conducted on aviation companies, gas turbine manufacturers, military installations, the financial sector, and some healthcare organizations. Black Vine is not known to engage in cybercrime for financial...

Read More
HIPAA Survey Shows Compliance Assessments Can Increase Business
Jul27

A recent series of customer polls conducted by RapidFire Tools Inc., a leading provider of HIPAA-compliance assessment tools, showed that Managed Service Providers (MSPs) are using compliance assessments to engage prospects and increase business. Furthermore, those assessments are now proving more effective at increasing business and winning new contracts than in previous years. The polls were conducted on MSP customers using RapidFire’s Network Detective HIPAA Compliance Module. The results clearly show that compliance assessments are allowing MSPs to capture new clients and create new projects, as well as being instrumental in obtaining extended service agreements. MSPs were asked about instances where they have been able to use the compliance assessment tools to justify the services being provided to clients. Respondents explained that the compliance assessments enabled them to show that the protections currently in place to safeguard Protected Health Information were far inferior to those being offered. The recent spate of successful hacks on healthcare providers’ servers and...

Read More
NCCoE Cybersecurity Practice Guide for Mobile Devices Released: Comments Requested
Jul26

The use of Smartphones and other portable devices in healthcare is growing and the federal government is concerned. The devices carry a high risk of causing a data breach, and the feds are concerned that physicians and other healthcare workers may accidentally expose patient data or, worse still, give hackers an entry point into hospital EHRs. Medical identity theft costs billions of dollars every year, and patients’ privacy is being violated on an almost daily basis. Hackers are targeting healthcare organizations, thieves are looking for portable devices to steal, and malicious insiders are copying data from EHRs; however, Smartphones have the potential to cause even more data breaches. The reason? The data security and privacy protections used to safeguard data stored on the devices are often inadequate.

NCCoE Takes Steps to Protect Mobile Healthcare Devices

The National Cybersecurity Center of Excellence (NCCoE) was formed by the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md., in 2012, and during the past three years...

Read More
Four Unpatched Internet Explorer Vulnerabilities Announced
Jul24

Four “new” Internet Explorer vulnerabilities have been announced this week. The announcement did not come from Microsoft; security researchers revealed the flaws because Microsoft has been too slow to address the issue. A patch has still not been released to address the security flaws even though Microsoft was made aware of the problems more than seven months ago. The announcement came via Hewlett-Packard’s Zero Day Initiative (ZDI) program, which pays security professionals to identify software flaws that could potentially be used by hackers to gain access to computers, or infect them with malware. The ZDI team announces security flaws that have not been addressed by software developers in a reasonable time-frame: 120 days from the date of discovery of a vulnerability. Since this time-frame has been exceeded, ZDI researchers have now released limited details of the issues to the public. The ZDI team only issues partial information on the location and nature of the security flaws, and does not disclose information that would tip off hackers and allow them to take...

Read More
American Hospital Association Opposes HIPAA HPID Use
Jul24

Earlier this week, the Vice President and Deputy Director of the American Hospital Association (AHA) sent a letter to the Centers for Medicare & Medicaid Services (CMMS) expressing concern over the implementation of Health Plan Identification numbers (HPIDs) and Other Entity Identifiers (OEIDs).

HPID Use and HIPAA

When HIPAA was introduced, it required national identification numbers to be used by healthcare providers, health plans and individuals. A national ID number was introduced in 2004, although the IDs were only for providers, not individuals. In September 2012, the HPID proposed rule was published, although it took until November 2014 before the rule was finalized. HPIDs and OEIDs will now be required to be used for HIPAA transactions from Nov 7, 2016. It is not a requirement for health plans to be identified in HIPAA transactions, but if they are, from Nov 7 next year an HPID must be used.

AHA States Opposition to HPID Use in HIPAA Transactions

The letter, sent from Ashley Thompson to Andy Slavitt, the acting administrator for CMMS, stated the AHA’s opposition to...

Read More
New HIPAA Compliance Tool Released for Small Dental Practices
Jul24

Achieving compliance with HIPAA Privacy and Security Rules can be a challenge for all organizations, regardless of size; however, smaller healthcare providers tend to have more problems. Budgets tend to be more restrictive, and a lack of suitable staff means slow progress is made. This was clear from the results of the pilot round of HHS compliance audits. Regulatory bodies such as the Department of Health and Human Services’ Office for Civil Rights (OCR), State Comptrollers, and Attorneys General investigate data breaches for HIPAA violations, and periodic audits are conducted to assess compliance. The next round of OCR HIPAA compliance audits will assess how well organizations have implemented the requirements laid down in the Privacy Rule, Security Rule and Breach Notification Rule. Healthcare organizations, health plans, healthcare clearinghouses – and Business Associates of the above – will have their compliance efforts put to the test. The audits will be conducted on large healthcare providers, multiple hospital systems, the nation’s largest health insurers;...

Read More
The Healthcare Cybersecurity Challenge: How to Keep ePHI Secure
Jul20

The healthcare industry faces many challenges, but perhaps one of the biggest at present is how to keep the electronic protected health information of patients secure. Hackers are targeting healthcare providers for the data they hold, HIPAA-covered entities large and small are under attack, and the volume of cyberattacks is increasing at an incredible rate. New malware is evolving fast, employees are stealing data more frequently and, worse still, the threat landscape is ever changing.

The Workgroup for Electronic Data Interchange (WEDI) Offers Assistance

The Workgroup for Electronic Data Interchange (WEDI) is a not-for-profit organization and a leading authority on healthcare IT security. One of the main aims of the organization is to help healthcare providers improve the quality of care provided to patients, while introducing efficiencies to drive down costs. One of the ways it achieves this objective is by offering guidance on improvements that can be made to healthcare information exchanges. The organization was formed nearly 25 years ago by the Secretary of Health and Human...

Read More
Survey Shows U.S. Companies Are Saying Bye Bye to BYOD
Jul17

Bring Your Own Device (BYOD) schemes have proved popular in the healthcare industry. Physicians, nurses and other healthcare workers have petitioned healthcare providers to allow the use of personal Smartphones, tablets and laptops at work, and many have given in and introduced BYOD schemes.

The Benefits of BYOD

Financial constraints often hinder the uptake of new technology, and BYOD offers a cheap and convenient solution. The benefits of Smartphones and tablets can be gained without the cost of having to purchase, maintain – and replace every 2-3 years – mobile devices for all physicians, nurses, and care providers. Uptake was rapid in many industries, although slower in the healthcare industry due to heavy regulations covering data privacy and security. Over the past five years, more and more healthcare providers have started to embrace BYOD and are now enjoying the benefits, as are physicians, nurses and other healthcare workers opting into the scheme.

BYOD Security Risks

Personal devices can be used in a healthcare setting, although not...

Read More
Healthcare Big Data: Privacy and Security Workgroup Gives Preliminary Report
Jul16

Big data has considerable potential to improve the quality of care provided to patients, and even improve patient outcomes; however, there are risks. Privacy advocates worry that the disclosure of health data together with personally identifiable information could result in the data being used for discriminatory purposes, or could otherwise cause patients to be harmed. Analysts predict that big data can, and will, be used to reduce the cost of healthcare delivery; however, first the issue of patient privacy needs to be resolved. Big data, no matter how useful for the advancement of medical science, can only be used if patients’ right to privacy is assured. The potential benefits for healthcare are too valuable to ignore; however, deciding on the allowable uses of data, while preserving patients’ right to privacy, is a difficult task. It is a problem the White House is trying to address, and it has turned to stakeholders for help.

How to Leverage Big Data While Protecting Patients’ Privacy Rights

President Obama requested assistance from the Department of Health and...

Read More
2015 Biannual Healthcare Data Breach Report Released
Jul15

The healthcare industry had a particularly torrid time last month with 18 data breaches reported to the OCR, exposing 1,455,863 records, the bulk of which came from the CareFirst data breach. This month the number of data breaches reported has increased to 21, although the number of new victims created was much lower, with 159,231 individuals affected. An analysis of the data breach reports for the past three years shows that little has changed since 2014, “the year of the data breach,” at least not for the better. Fewer data breaches have been reported in 2015 than in 2014, 122 compared to 131, up until the end of June. However, measure the year in the number of victims created and 2015 is on an entirely different scale. 89,439,761 new data breach victims have been created so far this year, compared to 12,503,190 last year and 851,433 in 2013. Many of this year’s victims are now data breach veterans, having had their data exposed by both their insurer and their healthcare provider.

Biannual Data Breach Report

2014 saw a big rise in the number of reported data breaches, and this year...

Read More
Two More Flash Vulnerabilities Discovered: Calls for Software to be Retired
Jul14

A useful and valuable software platform or a collection of security holes held together with code? Opinion is divided on the usefulness of Adobe Flash, when hackers can apparently exploit vulnerabilities with ease. Some are calling for Adobe Flash to be consigned to the annals of history after five security flaws were recently discovered, flaws that are already being used by hackers to gain access to computers and data. Three zero-day vulnerabilities have already been discovered this year, including one just a few days ago. Now a further two zero-day vulnerabilities have been identified. The latest two are arguably the most serious; one of them allows hackers to use the Adobe Flash security flaw to take full control of a computer.

Patches not Yet Developed to Address Latest Adobe Flash Security Vulnerabilities

The flaws were uncovered as a result of the recent data breach at Hacking Team, and have been identified as CVE-2015-5122 and CVE-2015-5123. They affect Adobe Flash running on Windows, OS X and Linux systems. The new bugs are similar to the security...

Read More