Why Healthcare Security Matters

guest · Aug 14, 2018

Should Staff Ever Use Personal Devices to Access Patient Data?
Incident at Oklahoma Dept. of Veterans Affairs Spotlights Tough Choices
August 14, 2018
https://www.inforisktoday.com/should-staff-ever-use-personal-devices-to-access-patient-data-a-11346

Three Oklahoma state representatives have demanded in a recent letter to Oklahoma Gov. Mary Fallin that she fire two state VA officials - executive director Doug Elliott and clinical compliance director Tina Williams, alleging that their decision to allow the VA employees access to patient records using personal devices violates HIPAA and other privacy regulations.
Good or Bad Idea?
HIPAA violation or not, is it ever a good idea to allow healthcare employees to use their personal smartphones to access patient records? What about during a crisis situation?
Special Circumstances
Providing healthcare workers with access to patient records via a personally owned device is acceptable "under the right conditions," says Keith Fricke, principal consultant at tw-Security.

"Specifically, the device must be properly secured with mobile device management software. This becomes a case of balancing security and privacy with the needs of delivering patient care," he says.
Click to expand...

guest · Aug 16, 2018

Severe Security Gaps In Maryland's Medicaid Management Information System
August 16, 2018
https://www.bleepingcomputer.com/ne...lands-medicaid-management-information-system/

Maryland’s Medicaid program is threatened by security gaps exposing data and information systems to unauthorized access and disruption of critical operations.

The conclusion comes from the Department of Health and Human Services (HHS) after auditing the security of computer systems used for the administration of the Medicaid program.

The assessment did not find evidence of vulnerabilities being leveraged by malicious actors, but doing so “could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations,” the report informs.
Click to expand...

guest · Aug 17, 2018

Phishing Attack Last Year Exposed Health Data on 417,000
Why Did It Take 10 Months to Determine a PHI Breach Occurred?
August 17, 2018
https://www.inforisktoday.com/phishing-attack-last-year-exposed-health-data-on-417000-a-11380

Augusta University Health in Georgia says it just recently determined that a phishing attack that occurred - and was detected - 10 months ago resulted in a breach potentially exposing information on 417,000 individuals. Security experts are questioning why the breach determination took so long.

Augusta University Health includes a medical center, cancer care center, children's hospital as well as several clinics and other facilities.

In a statement issued Thursday, Augusta University says it was "targeted by a series of fraudulent emails" on Sept. 10 and 11, 2017.

Some security experts say that it appears to have taken the university an unusually long time to conclude that a breach had occurred as a result of a cyberattack nearly a year ago.
Click to expand...

guest · Aug 20, 2018

NHS Loses Almost 10,000 Patient Records in a Year
August 20, 2018
https://www.infosecurity-magazine.com/news/nhs-loses-almost-10000-patient/

Parliament Street liaised with 68 NHS Trusts to examine levels of reported missing or lost patient records, compiling its findings into the report NHS Data Security: Protecting Patient Records.

The total number of misplaced records reported by the 68 trusts was 9,132, with just 16 of those claiming that they had not suffered any lost or stolen data in the last year. What’s more, many of the trusts admitted they still had data missing.

Perhaps most surprisingly, the report also revealed that 94% of NHS Trusts continue to use handwritten notes for patient record keeping, something Parliament Street highlighted as a significant security risk.

The health service remains a top target for hackers, and whether their motive is to wreak havoc or steal identities
Click to expand...

Report (PDF): http://parliamentstreet.org/wp-content/uploads/2018/08/NHS-Patient-Records-Final.pdf

ronjor · Aug 22, 2018

Health Data Breach Victim Tally for 2018 Soars

Marianne Kolbasuk McGee (HealthInfoSec) • August 21, 2018
Analyzing the Latest 'Wall of Shame' Trends
Click to expand...

ronjor · Aug 23, 2018

If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

By John Leyden 23 Aug 2018
Pro shares healthcare horror stories
Click to expand...

ronjor · Aug 23, 2018

Medical records of high school students leaked in 'appalling' data breach

By Charlie Osborne for Zero Day | August 23, 2018
Medication, healthcare records, and conditions were all posted online for the world to see.
Click to expand...

guest · Aug 25, 2018

Lawsuit Alleges Hospital Cafeteria Workers Accessed Child's Records
August 24, 2018
https://www.inforisktoday.com/records-snooping-alleged-in-tragic-death-toddler-a-11419

Unauthorized Access Allegations
Attorney Mark Edwards, [...] alleges that McAlester's cafeteria workers were able to inappropriately access the hospital's EHR system through the credentials of one food service employee who was authorized to access patient information to check whether individuals had certain dietary restrictions or had diabetes and to confirm patient room numbers where meal were delivered.

A hospital food service employee who was authorized to access the EHR system was instructed to make those credentials - username and password - available to the other cafeteria workers by posting them on a sticky note on a computer, Edwards claims.

The lawsuit, however, alleges the hospital was guilty of negligence because it failed to keep Keon Russell's information private "per the HIPAA law and [its] internal policies."
"Healthcare organizations of all sizes must place a greater emphasis on protecting patient privacy as well as the information security of the electronic information systems that handle PHI. [...]"
Click to expand...

ronjor · Aug 27, 2018

NIST's New Advice on Medical IoT Devices

By Kevin Townsend on August 27, 2018
Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding threat surface being delivered by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if not properly secured could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.
Click to expand...

Minimalist · Aug 30, 2018

Critical Flaws in Syringe Pump, Device Gateways Threaten Patient Safety

Two previously undocumented, critical vulnerabilities in widely deployed medical devices have sparked patient-safety and data-privacy concerns.

Flaws in the Qualcomm Life Capsule Datacaptor Terminal Server and the Becton Dickinson (BD) Alaris TIVA Syringe Pump have been acknowledged by the vendors and publicly disclosed via ICS-CERT.
Click to expand...

https://threatpost.com/critical-flaws-in-syringe-pump-device-gateways-threaten-patient-safety

guest · Aug 31, 2018

Most NHS Trusts Provide No Alternative to Consumer IM
August 30, 2018
https://www.infosecurity-magazine.com/news/most-nhs-trusts-no-alternative/

The majority of England’s NHS Trusts could be exposing themselves to privacy and compliance risk by using consumer IM tools, a new Freedom of Information request has revealed.

Mobile solutions provider CommonTime analyzed responses from 136 of the country’s 151 hospital trusts to find that over half (58%) have no policy in place to discourage the use of consumer-grade IM platforms like WhatsApp and iMessage.

A further 56% provided no approved alternative to staff for these messaging applications, six trusts listed them as official communications channels, and 17 trusts said they’d banned the apps altogether.

It found that 43% of NHS staff are reliant on instant messaging at work, with many claiming patient care would suffer if they didn’t have access to the technology.
Click to expand...

guest · Sep 1, 2018

Taiwan Hospital Launches Blockchain Platform to Improve Medical Record-Keeping
August 31, 2018
https://cointelegraph.com/news/taiw...in-platform-to-improve-medical-record-keeping

The Taipei Medical University Hospital has rolled out a blockchain-powered platform to improve medical record-keeping, Taipei Times reported August 31.

The so called “Healthcare Blockchain Platform” was reportedly developed in order to support the government’s Hierarchical Medical System policy, improve patient referral services, and integrate individual healthcare networks to enable people to access their medical records in an easier way. To make a request for their records, patients can log in to a password-protected mobile app.

Hospital superintendent Chen Ray-jade told Tapei Times that blockchain will help to minimize the risk of security breaches, adding that “blockchain technology not only helps to combine electronic medical records with electronic health records from multiple hospitals and clinics, it also incorporates the additional security feature of notification and consent before any transfer takes place.”
Click to expand...

guest · Sep 3, 2018

Forget WannaCry, staff themselves pose a risk to healthcare data
Almost 60% of breaches had an insider element in 2017
September 3, 2018
https://www.theregister.co.uk/2018/...le_for_more_than_half_of_healthcare_breaches/

More than half of all healthcare data breaches reported during 2017 could be traced back to people on the inside of victim organisations, according to an annual study by Verizon.

The company's latest Protected Health Information Data Breach Report (PHIDBR) looked at 1,368 mostly US examples, identifying 782 (57.5 per cent) as having an insider element.

A further 571 (42 per cent) were external attacks, 80 (5.9 per cent) happened via partners, and 69 (5.1 per cent) involved collusion between entities on the inside or outside.

PHIDBR is a more detailed breakdown of data from Verizon's Data Breach Investigations Report from April and comes almost a year in arrears.
Click to expand...

Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR) (PDF):
http://www.verizonenterprise.com/resources/protected_health_information_data_breach_report_en_xg.pdf

ronjor · Sep 3, 2018

Premera Blue Cross accused of destroying evidence in data breach lawsuit

By Catalin Cimpanu for Zero Day | September 3, 2018
Class-action lawsuit plaintiffs claim US health insurer Premera Blue Cross intentionally destroyed evidence despite ongoing litigation.
Click to expand...

guest · Sep 6, 2018

ronjor said: ↑

Patients should control their data, and this blockchain startup wants to make it happen
Click to expand...

Another startup:
Hu-manity launches app giving consumers legal control over medical data
September 06, 2018
https://techcrunch.com/2018/09/06/h...ng-consumers-legal-control-over-medical-data/

Hu-manity wants to change the way we share data by giving people legal ownership with contractual enforcement handled on the blockchain.
The startup is exploring the idea of making data ownership the 31st human right central to its approach and how it markets the service.

Hu-manity’s goal is to give app users the ability to set terms of data sharing, defining who can use it, and under what conditions, even getting paid for giving access. So for example, you could decide a particular drug company could use your data, but only for a single trial for a given price, and it couldn’t sell your data to another party after the trial ends.

The app uses the blockchain as an enforcement component for these rules. It chose Hyperledger Fabricas its underlying blockchain technology running on the IBM cloud.
Click to expand...

guest · Sep 6, 2018

Health minister launches code of conduct for health tech data
September 05, 2018
https://www.computerweekly.com/news...launches-code-of-conduct-for-health-tech-data

The government has launched a code of conduct for data-driven technology to encourage companies to “meet a gold-standard set of principles” to protect patient data.

It sets out 10 principles on what the NHS expects from industry and how the government is going to make it easier for industry to work with the health service.

However, it added that complex algorithms also bring two central challenges, such as defining data and structure to ensure it’s interoperable and used “appropriately, safely and securely”.
“This is an important first step towards creating a safe and trusted environment in which innovation can flourish to the benefit of all our health.”
Click to expand...

ronjor · Sep 7, 2018

Software Vendor Breach Spotlights Broad BA Risks

Marianne Kolbasuk McGee (HealthInfoSec)
A recent hacking attack targeting a revenue cycle management software and services vendor, which impacted more than 31,000 patients at 11 healthcare organizations, illustrates the potentially broad security risks posed by business associates.
Click to expand...

ronjor · Sep 13, 2018

FDA to Ramp Up Medical Device Cybersecurity Scrutiny

Marianne Kolbasuk McGee (HealthInfoSec) • September 12, 2018
New OIG Report Spells Out Need for Better Premarket Reviews
Click to expand...

guest · Sep 13, 2018

Honolulu-based Fetal Diagnostic Institute of the Pacific hit with ransomware
September 13, 2018
https://www.scmagazine.com/home/new...institute-of-the-pacific-hit-with-ransomware/

Honolulu-based Fetal Diagnostic Institute of the Pacific (FDIP) announced it was hit by a ransomware attack that may have compromised patient data.

The malware gained access to information stored on FDIP servers that held patient information and may have accessed patients’ full name, date of birth, home address, account number, diagnosis, and other types of information.

"Because this access of PHI was not for the purpose of treatment, payment or health care operations, [...] it constituted a violation of HIPAA,” the firm said in its notice of breach.

The institute has since implemented new security processes and patients are encouraged to be cautious of any suspicious communications or other activity that may be related to the compromise.
Click to expand...

ronjor · Sep 14, 2018

Are State AGs Picking Up Slack in HIPAA Enforcement?

Marianne Kolbasuk McGee (HealthInfoSec) • September 14, 2018
States Apparently More Active in Breach Settlement Activity than HHS This Year
Click to expand...

guest · Sep 17, 2018

NHS smacks down hundreds of staffers for dodgy use of social media, messaging apps
September 17, 2018
https://www.theregister.co.uk/2018/...for_dodgy_use_of_social_media_messaging_apps/

NHS workers’ use of messaging apps for their day jobs has come under scrutiny before. For instance, a small study published in BMJ Innovationslast year found that 97 per cent of staffers had shared sensitive patient information on instant messengers without obtaining consent.

Moreover, a separate study (PDF) found that 43 per cent of NHS workers used at least one consumer instant messaging app, with WhatsApp rating highest and Facebook Messenger second.

Staff have argued that such apps are now crucial for patient care – the over-reliance of the health service on outdated tech like pagers or fax machines is well documented – but the latest figures demonstrate that more care is needed on the wider use of social media and messaging services.
Click to expand...

Study (PDF): https://www.commontime.com/wp-content/uploads/2018/02/Report-Instant-Messaging-in-the-NHS.pdf

guest · Sep 17, 2018

Leeds hospital launches campaign to 'axe the fax'
Northern NHS trust to scrap 300-plus relics by new year
September 17, 2018
https://www.theregister.co.uk/2018/09/17/leeds_trust_axe_fax_new_year/

Leeds Teaching Hospital NHS Trust – which has 340 of the outdated appliances across its seven sites – today launched a campaign aimed at ditching 95 per cent of them by 1 January 2019.

"We don't underestimate the enormity of the challenge to remove all the machines in such a short time frame, but we simply cannot afford to continue living in the dark ages," said chief digital and information officer Richard Corbridge.

"The use of nhs.net is far more secure and safe than the use of faxes. We are aiming to help services safely decommission their faxes and move to email in the first instance and take it from there."

Change is already afoot, though, as some 47,905 documents were sent electronically, rather than via fax, between April and August. Eventually, it plans to remove the option to send a fax from these devices altogether.
Click to expand...

ronjor · Sep 20, 2018

Hospitals Fined $1 Million After TV Crews Film Patients

Marianne Kolbasuk McGee (HealthInfoSec) • September 20, 2018
HHS Slaps Three Boston Hospitals With HIPAA Penalties
Click to expand...

guest · Sep 21, 2018

mood said: ↑

Singapore personal data hack hits 1.5m, health authority says
July 19, 2018
https://www.bbc.co.uk/news/world-asia-44900507
Click to expand...

SingHealth data breach reveals several 'inadequate' security measures
September 21, 2018
https://www.zdnet.com/article/singhealth-data-breach-reveals-several-inadequate-security-measures/

Investigation into Singapore's most severe cybersecurity breach has uncovered several poor security practices, including the use of weak administrative passwords and unpatched workstations.

The initial response to the security breach was "piecemeal" and "inadequate", said Solicitor-General Kwek Mean Luck, during his opening statement Friday to kickstart the six-day public hearing.

[...] the workstation was running a version of Microsoft Outlook that was not updated with a patch to address the use of the hacking tool.
This provided the hackers access into SingHealth's network as early as August 2017, distributing malware and infecting other workstations after the initial breach, he said.

In addition, one local administrator accounts had used "P@ssw0rd" as a password, which could have been easily deciphered, the COI said. [...] reported local broadcaster Channel NewsAsia.
Click to expand...

guest · Sep 21, 2018

Independence Blue Cross Breach Exposed 17K Records
September 21, 2018
https://www.infosecurity-magazine.com/news/independence-blue-cross-breach/

Independence Blue Cross, a Philadelphia-based health insurer notified thousands of its members this week that a data breach had exposed some of their protected health information (PHI), according to Healthcare Informatics.

On July 19, 2018, Independence Blue Cross's privacy office announced a breach in which the personal information of approximately 17,000 members – fewer than 1% of the total membership – was potentially accessed by unauthorized individuals after an employee uploaded a file to a public-facing website on April 23, 2018. Unfortunately, the file, which contained the PHI of members remained accessible until it was removed on July 20.

“Criminals stealing your medical information or diagnosis codes is no longer a plot twist reserved for TV dramas with the latest records breach,” said Aaron Zander, senior IT engineer at HackerOne.
Click to expand...

Log in or Sign up

Why Healthcare Security Matters

guest Guest

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

ronjor Global Moderator

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

Log in or Sign up

Why Healthcare Security Matters

guest Guest

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

ronjor Global Moderator

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

guest Guest

Useful Searches