Why Healthcare Security Matters

ronjor · Oct 23, 2018

Hundreds of health crowdfunding campaigns are for sham treatments

Cathleen O'Grady - 10/23/2018
Millions of crowdfunded dollars are going to unsafe or ineffective therapies.
The analysis identified some of the practitioners in question, mentioned in the crowdfunding campaigns: nine individual clinics, including stem cell clinics across the US, Mexico, Panama, and Asia, as well as homeopathic and naturopathic clinics in Germany and Mexico. Almost all of the campaigns were on GoFundMe, with just two percent on YouCaring and none on CrowdRise or FundRazr.
Click to expand...

guest · Oct 26, 2018

Medicaid Data Breach Trends: An Analysis
One Big Hacker Incident Responsible for Most Victims Impacted in 2016
October 25, 2018
https://www.inforisktoday.com/medicaid-data-breach-trends-analysis-a-11642

Medicaid agencies and their contractors reported more than 1,200 data breaches in 2016. And while those breaches included only a handful of hacking incidents, one of those affected more than 70 percent of all individuals that were impacted by Medicaid data breaches, according to a new federal watchdog agency report.

[...] 1,260 breaches reported by state Medicaid agencies and their contractors in 2016 - which impacted a total of 515,000 individuals [...]
"I am surprised that there aren't more hacking incidents, and I suspect there are more incidents than are reported. But I do not know whether there is a choice not to report or the entity does not know there has been an incident."
Few Hacking Incidents, But Big Impact
Less than 1 percent of the breaches - nine incidents - were reported as hacking incidents, but the largest of those hacks impacted 370,000 individuals, or 72 percent of all Medicaid beneficiaries affected by breaches in 2016, OIG writes.
Click to expand...

guest · Oct 26, 2018

40K Customers Affected After Jones Eye Clinic and Surgery Center Attack
All data locked by the ransomware was restored from backups
October 25, 2018
https://news.softpedia.com/news/40k...clinic-and-surgery-center-attack-523447.shtml

According to a security incident notification issued by the Jones Eye Clinic, a security attack on the clinic's computer network which potentially affected the protected health data of over 40,000 patients was discovered on August 23, as reported by the Sioux City Journal.

However, the clinic's staff helped by multiple tech companies was able to recover all encrypted files using up to date data backups, therefore not having to pay the ransom requested by the actors behind the cyber attack.

The clinic's billing and scheduling software contained patients'"full name, address, date of birth, date of service, medical record number, and a general description of the clinic visit or surgery," says the incident report.

Furthermore, "For some individuals, information may have included Social Security number, insurance status, and claims information. The information did not include other financial information such as bank account or credit information."
Click to expand...

guest · Oct 29, 2018

Could your brain be a target for hackers?
October 29, 2018
https://betanews.com/2018/10/29/brain-target-hackers/

Implanted brain stimulation devices are used by scientists to explore how memories are created in the brain. New research shows that vulnerabilities mean they could be be targeted in future to steal personal information, alter or erase memories or cause physical harm.

Researchers from Kaspersky Lab and the University of Oxford Functional Neurosurgery Group have used practical and theoretical analysis to explore the very real vulnerabilities that could exist in implanted devices used for deep brain stimulation.

Researchers found a number of existing and potential risk scenarios, each of which could be exploited by attackers. [...] insecure or unencrypted data transfer between the implant, the programming software and any associated networks, as well as design constraints intended to ensure patient safety.

Insecure behavior by medical staff is a problem too, with devices holding patient-critical software found being left with default passwords, used to browse the internet or with additional apps downloaded onto them.
Click to expand...

You can find out more about the study on the Kaspersky Securelist blog.
Click to expand...

ronjor · Oct 29, 2018

Health Data Breach Tally: Analyzing the Latest Trends

Marianne Kolbasuk McGee (HealthInfoSec) • October 29, 2018
Sorting Out What Kinds of Incidents Are Most Common This Year
Click to expand...

ronjor · Oct 29, 2018

Who's rating doctors on RateMDs? The invisible hand of 'reputation management'

Kelly Crowe · CBC News · Posted: Oct 27, 2018
Ottawa physician shocked to learn he could pay site to hide bad ratings
Click to expand...

guest · Oct 30, 2018

The real victim in health data breaches? Patients' medical identities
Hackers can perform synthetic identify theft long after a cybersecurity event by piecing together data to conduct medical and insurance fraud.
October 29, 2018
https://www.healthcareitnews.com/news/real-victim-health-data-breaches-patients-medical-identities

Synthetic identity theft
The Harvard Data Map Project tracks the flow of patient records throughout a patient’s journey. While there are obvious locations -- payer, health provider and discharge data -- there are a vast amount of other third-party vendors that may have some or all of a patient’s data.
“There’s no evidence the data was misused”
One of the most common phrases used by healthcare organizations after a breach is that “there’s no evidence the data was misused.” But how can officials know that for certain?
“When you hear there’s no damage, the fact is they have no idea,” said Bowen.
What can be done?
“But it’s very difficult to protect your data if you don’t know where it is,” said Bowen. “What we’re finding is that data is still all over the place.” [...]
Click to expand...

guest · Oct 30, 2018

Phishing spikes as private health continues to be most breached sector in Australia
October 29, 2018
https://www.zdnet.com/article/phish...nues-to-be-most-breached-sector-in-australia/

Overall, the Office of the Australian Information Commissioner (OAIC) received 245 data breach notifications for the period, an increase of three, with a pair of breaches impacting between 100,000 and 250,000 people being the largest reported.

Broken down by sector, 45 breaches were reported to private health providers, followed by finance reporting, at 35; and the legal, accounting, and management services sector reporting 34 breaches.

The majority of the health breaches were due to human error, and the rest made up by malicious attacks, with the exception of one breach due to system error.

The report only covers private health service providers under the NDB, the OAIC said, with public hospitals and health services covered by the My Health Records Act and hence not included in the report.
Click to expand...

ronjor · Oct 31, 2018

The Push to Allow Cybersecurity Technology Donations

Marianne Kolbasuk McGee (HealthInfoSec) October 31, 2018
Advisory Council Seeks Changes in Law to Help Smaller Healthcare Providers Improve Security
Click to expand...

guest · Oct 31, 2018

Social Security Numbers, PII Stolen in NorthBay Healthcare Data Breach
Affected people who applied from December 2012 to May 2018
October 31, 2018
https://news.softpedia.com/news/soc...-northbay-healthcare-data-breach-523548.shtml

NorthBay Healthcare Corporation suffered a data breach incident which affected the information of everyone who applied for a position within the organization between December 2012 and May 2018.

Jobscience Inc is "a contracted vendor that provides NorthBay with online employment application management system services," according to NorthBay's data breach notice (PDF).

As detailed by Jobscience Inc's report, during the data breach incident the first and last names, home addresses, dates of birth, email addresses, Social Security numbers, or alien registration numbers may have been stolen by the bad actor who managed to compromise the organization's database.
Click to expand...

NorthBay's data breach notice (PDF): https://oag.ca.gov/system/files/W026_v02.pdf_CA%20Notice_0.pdf

ronjor · Nov 2, 2018

HHS Tries Again: New Cyber Coordination Center Launched

Marianne Kolbasuk McGee (HealthInfoSec) November 1, 2018
Agency Went Back to the Drawing Board After Initial Effort Got Off to Rocky Start
Click to expand...

ronjor · Nov 5, 2018

Breach Settlement Has Unusual Penalty

Marianne Kolbasuk McGee (HealthInfoSec) November 5, 2018
In Addition to $200,000 Fine, Vendor Banned From Owning or Managing a Business in New Jersey
Click to expand...

ronjor · Nov 7, 2018

Keeping health data under lock and key

November 7, 2018, Technische Universitat Darmstadt
Researchers from the Collaborative Research Center CROSSING at Technische Universität Darmstadt (Germany) have developed a solution that will ensure decades of safe storage for sensitive health data in a joint project with Japanese and Canadian partners. An initial prototype was presented during a recent conference in Beijing, China. The system will go into trial operation in Japan in the coming weeks.
Click to expand...

ronjor · Nov 7, 2018

FDA Reacts to Critique of Medical Device Security Strategy

Marianne Kolbasuk McGee (HealthInfoSec) November 7, 2018
Watchdog Agency Cited Deficiencies, But Agency Says Many Have Already Been Addressed
Click to expand...

guest · Nov 8, 2018

Welsh NHS IT programme is ‘outdated’ and could put patients at risk, report finds
November 8, 2018
https://www.computerweekly.com/news...d-and-could-put-patients-at-risk-report-finds

The committee’s inquiry into the NWIS programme, which aims to develop and roll out new IT systems across all Welsh health boards, found little evidence that it’s working. Instead, it found “archaic and fragile IT systems which don’t deliver on their promises” and a big culture problem.

“Digital transformation requires an open culture, but the committee found that the culture at NWIS was the antithesis of this.”
Outdated IT and infrastructure
[...] “Quite clearly, this report raises some alarming findings about the weaknesses of IT in the Welsh NHS, findings which may look familiar to those working in it.
Click to expand...

The committee’s inquiry (PDF): http://www.assembly.wales/laid%20documents/cr-ld11822/cr-ld11822-e.pdf

guest · Nov 10, 2018

mood said: ↑

HealthCare.gov Portal Suffers Data Breach Exposing 75,000 Consumers
October 19, 2018
https://gizmodo.com/healthcare-gov-portal-suffers-data-breach-trump-offici-1829877392
Click to expand...

Income, tax and immigration data stolen in Healthcare.gov breach
November 09, 2018
https://www.engadget.com/2018/11/09/healthcare-gov-hack-income-tax-data-stolen/

The Centers for Medicare and Medicaid Services (CMS) now has details about the data stolen in the breach of Healthcare.gov that occurred last month. According to the government agency, a significant amount of personal information including partial Social Security numbers, tax information and immigration status was compromised in the breach. No financial information was stolen.

In a post hidden on a Healthcare.gov page titled "How we use your data," the CMS confirmed the breach occurred and said it started to alert via phone call the 75,000 affected people starting November 5th. That notification will be followed by a letter detailing the breach and what information was compromised.

In the letter, CMS discloses the entirety of the information stolen by hackers, and it's a fairly substantial list of data points: [...]
Click to expand...

Breach Notification (PDF): https://www.healthcare.gov/downloads/marketplace-breach-notification.pdf

guest · Nov 11, 2018

Breach notice issued for patients of Florida Department of Health clinics
https://www.wkrg.com/news/northwest...orida-department-of-health-clinics/1584318622

In an abundance of caution, the Florida Department of Health in Okaloosa is issuing a federally required breach notice to patients of its clinics located in District 1, which includes Escambia, Okaloosa, Santa Rosa and Walton counties.

The department completed an investigation and found that an unauthorized user compromised a Children’s Medical Services employee’s Microsoft Outlook 365 account between October 8 – October 16, 2018.

It is possible that individuals served by the District 1 Child Protection Team may have had their names, psychological, and medical conditions accessed as a result of this incident.
As a precautionary measure, clients are encouraged to review their credit history for any fraudulent or suspicious activities they have not authorized.
Click to expand...

guest · Nov 12, 2018

NHS issues guidance for instant messaging use in acute settings
November 12, 2018
https://www.computerweekly.com/news...e-for-instant-messaging-use-in-acute-settings

The government has published guidance telling NHS staff to judge for themselves when it’s safe to use instant messaging apps in acute settings, and to be aware of data privacy and security rules.

The guidance, issued jointly by NHS England, the Department for Health and Social Care, Public Health England and NHS Digital, recognises the need for instant messaging software, but adds that staff should only use standalone apps such as WhatsApp or Viber when the local NHS organisation doesn’t provide a “suitable alternative”.

When choosing an app, staff should check if it meets NHS encryption standards, has user verification, password protection and the ability to remotely wipe the messages, should the device get lost or stolen.
Click to expand...

"Information governance considerations for staff on the use of instant messaging software in acute clinical settings" (PDF):
https://digital.nhs.uk/binaries/content/assets/website-assets/data-and-information/ig-resources/information-governance-considerations-for-individuals-on-the-use-of-instant-messaging-software-in-acute-clinical-settings.pdf

guest · Nov 13, 2018

DeepMind hands off role as health app provider to parent Google
November 13, 2018
https://techcrunch.com/2018/11/13/deepmind-hands-off-role-as-health-app-provider-to-parent-google/

DeepMind’s recent foray into providing software as a service to UK hospitals has reached the end of its run.

The Google-owned AI division has just announced it will be stepping back from providing a clinicial alerts and task management healthcare app to focus on research — handing off the team doing the day to day delivery of the Streams to its parent, Google.

Announcing the move in a blog post entitled ‘Scaling Streams with Google’, DeepMind’s co-founders write: “Our vision is for Streams to now become an AI-powered assistant for nurses and doctors everywhere [...]"
“The Streams team will remain in London, under the leadership of former NHS surgeon and researcher Dr Dominic King,” write the DeepMind co-founders now.

So provision of any health AIs that DeepMind develops in the future will be left to Google to deploy and scale. As will the task of winning patient trust — which may well prove the biggest challenge here.
Click to expand...

guest · Nov 14, 2018

IoT and the NHS: Why the Internet of Things will create a healthcare revolution
November 14, 2018
https://www.zdnet.com/article/iot-a...f-things-will-create-a-healthcare-revolution/

With the NHS struggling under the dual pressures of a growing demand for its services and chronic underfunding, could the Internet of Things help make healthcare more efficient?
For the NHS, the IoT could present big benefits for patient care by enabling hospitals to track and monitor patients from the moment they arrived at hospital [...]

The NHS, however, appears to be taking a more cautious approach. As part of an initiative to set up testbeds to pilot new technologies in the health service, NHS England and the Department of Health has awarded £10m in funding to two 'test bed' projects that it describes as "IoT-led".

The trend for medical devices to increasingly come with internet connectivity is also likely to force the NHS towards greater use of IoT. Medical devices, from blood pressure monitors to pacemakers to pill bottles and inhalers, are gaining connectivity, allowing doctors to monitor and refine treatment in real time.
Click to expand...

ronjor · Nov 14, 2018

Google accused of 'trust demolition' over health app

By Jane Wakefield
Lawyer and privacy expert Julia Powles, who has closely followed the development of Streams, responded on Twitter: "DeepMind repeatedly, unconditionally promised to 'never connect people's intimate, identifiable health data to Google'.

"Now it's announced... exactly that. This isn't transparency, it's trust demolition," she added.
Click to expand...

stapp · Nov 14, 2018

I find the whole thing extremely worrying.
Google will have all my personal health info.
This demolition of trust is being wrapped in a blanket of ''it will be good for you''

guest · Nov 16, 2018

ronjor said: ↑

HealthEquity breach affects 23,000 individuals
Click to expand...

New HealthEquity Data Breach Exposes PII/PHI of Almost 21,000 Customers
HealthEquity was also the victim of a data breach in June
November 16, 2018
https://news.softpedia.com/news/new...i-phi-of-almost-21-000-customers-523829.shtml

[...] was breached when an intruder accessed the email accounts of two HealthEquity team members, exposing protected health information (PHI)/personally identifiable information (PII) of 20,906 subscribers.
According to HealthEquity's data breach notification, "The unauthorized access occurred, in the case of one account, on October 5, and in the case of the other, on different occasions between September 4, 2018, and October 3, 2018. "

The data exposed by the two compromised email accounts during the security breach includes a combination of employee names, employer names, associated plans, account types (HSA, HRA, FSA, LPFSA, DCRA), and health plan enrollment data, in varying degrees.

The data breach notice also says that "Although we have no evidence that the unauthorized individual viewed any of the emails in the email accounts, HealthEquity cannot conclusively rule out this possibility."
Click to expand...

ronjor · Nov 17, 2018

Texas Hospital Hit With Dharma Ransomware Attack

Marianne Kolbasuk McGee (HealthInfoSec) November 16, 2018
Altus Baytown Hospital Among Latest Healthcare Cyberattack Victims
Click to expand...

ronjor · Nov 20, 2018

OIG: HHS Must Do More to Address Cybersecurity Threats

Marianne Kolbasuk McGee (HealthInfoSec) November 20, 2018
The report states: "Healthcare data is a prime target for cybercriminals, and the value of compromised electronic health records has been reported to be as much as 10 times that of a credit card number. In addition to identity threats, compromising the integrity and availability of HHS systems can adversely affect patient care."
Click to expand...

Log in or Sign up

Why Healthcare Security Matters

ronjor Global Moderator

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

stapp Global Moderator

guest Guest

ronjor Global Moderator

ronjor Global Moderator

Log in or Sign up

Why Healthcare Security Matters

ronjor Global Moderator

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

ronjor Global Moderator

guest Guest

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

ronjor Global Moderator

stapp Global Moderator

guest Guest

ronjor Global Moderator

ronjor Global Moderator

Useful Searches