
Medical Device Vulnerability List Topped By User Authentication Problems

Posted on August 27, 2018 | Written By Anne Zieger

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a government organization which addresses threats to US infrastructure, helps numerous industries share data on cybersecurity threats. This includes building a repository of cybersecurity advisories which medical device manufacturers can use to communicate with customers.

According to a new analysis by security vendor MedCrypt, the number of cybersecurity threats reported to ICS-CERT has been growing over time. ICS-CERT released 47 advisories related to medical devices between 2013 and August 1, 2018, which included a total of 122 cybersecurity vulnerabilities. While 12 advisories were released between October 2013 and late December 2016, it issued 35 advisories between late December 2016 and August 1 of this year. Also, while six companies were identified as having faced cybersecurity issues during the first interval, 18 were noted during the second.

The number of vulnerabilities noted has climbed as well, from 37 during the first time period to 85 during the second. According to the MedCrypt analysis, 66% of the reported advisories were related to code defects and user authentication issues. The most common cause was user authentication, which climbed from 16 to 36 instances between the two time periods, followed by code defects, which increased from 5 to 24 instances. Other areas of vulnerability included encryption issues, third-party libraries, system configuration and operating system problems.

It’s hard to determine what all of this means by scanning these statistics, interesting though they may be, but MedCrypt had some additional observations to share about the ICS-CERT data as a whole:

  • The complexity of the vulnerabilities discovered is likely to increase. Some of the more deeply technical kinds of vulnerabilities found in other ICS-CERT participating industries haven’t turned up in medical device disclosure data, including less than 10% of those found in subcategories, but they will. “Most [advisories] have focused on ‘low hanging fruit,’ like user authentication,” the report observes.
  • So far, ICS-CERT participants have reported finding few vulnerabilities related to cryptography issues, such as vulnerability reports citing the commonly-used OpenSSL open-source encryption library.
  • User authentication problems are becoming more common, accounting for 42.3% of vulnerabilities included in advisories after January 1, 2017. The report suggests that future advisories will address concerns emerging from deeper in the technology stack as medical device cybersecurity matures.

As connected medical devices become standard in healthcare organizations, medical device makers will spend more resources on securing them, and eventually, they will bake cybersecurity protections into their engineering, R&D and quality processes, MedCrypt predicts.

Edge Computing Provides Security for EHR, Healthcare Applications

Posted on August 10, 2018 | Written By

The following is a guest blog post by Eric Fischer, the Digital Marketing Specialist for Estone Technology.

As more and more practices, both small and large, move from traditional patient records to fully electronic health records, the advantages of cloud-based EHR systems are becoming more readily apparent. In a cloud-based EHR system, data is stored on an external server, usually owned and operated by a third-party company, reducing an individual practice’s investment. Setup is often limited to installing certain software, and subsequently, data can be accessed anywhere.

However, in the modern day of HIPAA rules and patient privacy regulations, sending all of your patient data to a third-party service can be dangerous if not managed properly. Even worse, as more and more devices gain intelligence and connectivity, joining the Internet of Things, patient data is often sent as soon as it is gathered, without human input, creating backlogs of pointless data and additional windows for data theft or misuse. Though cloud-based records systems should offer flawless security, it only takes one person at any level of data processing to be careless with their password, or one device infected with malware, to render patient records totally insecure. In a recently reported story, a security expert identified a data breach caused when an employee plugged their e-cigarette into their work computer’s USB port to charge. The e-cigarette had been loaded with secret data-harvesting software.

The IoT has made the problem more severe as it grows, as many simple connected devices lack any sort of security measures whatsoever and simply send gathered data on as they have been programmed to do, however they were programmed to do so. It is shockingly simple for these devices to be compromised and misused. The benefits of patient data recorders that automatically send their data to EHRs are obvious, but the danger is also quite clear.

Figure caption: Cloud-based IoT systems automatically send much of the requested patient data from sensors directly to third-party companies, ripe for data theft as well as failure in a network outage. Data from the Journal of Intensive and Critical Care.

Fortunately, there is a solution. As small, embedded chips and boards have become more and more powerful, the need to send all data to the cloud to be processed and stored has lessened. Today, the IoT is shifting rapidly towards a new model of computing – Edge Computing. In this new computing format, data from individual IoT devices like patient monitors and data recorders is processed by intelligent, embedded boards and devices at the edge of the local network. Once the processing has been completed, any relevant data can be encrypted and forwarded to the cloud for additional processing and storage.

This improves data security in a few very simple, fundamental ways – first of all, more data stays local. Everything from blood pressure to MRI scans can be processed locally by edge devices using machine learning techniques. Most of this data is, of course, irrelevant and can be discarded. But when the Edge Computing device identifies something important, it can forward that data to the cloud-based EHR system, ready for additional use.

Secondly, since these devices are more powerful, and managed locally, they’re easier to secure than other IoT devices, or third-party managed cloud devices. It’s possible to load embedded boards performing edge computing functions with modern operating systems and anti-malware programs that keep data secure. This barrier between your internal devices and the digital world offers a layer of protection for your most sensitive patient data.
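An added example (not part of the guest post or of Estone’s products) of the edge-side step described above: a gateway keeps the raw monitor stream local, forwards only readings that trip a rule, and seals each one with AES-256-GCM before it leaves for the cloud EHR. The reading format, the thresholds and the device ids are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Reading is one monitor sample; the JSON shape is an assumption made for the example.
type Reading struct {
	DeviceID string  `json:"device_id"`
	Metric   string  `json:"metric"`
	Value    float64 `json:"value"`
}

// Envelope is all that leaves the edge for the cloud EHR.
type Envelope struct {
	DeviceID   string // in the clear, but bound to the ciphertext as GCM associated data
	Nonce      []byte
	Ciphertext []byte
}

// Relevant is the edge triage rule; the thresholds are illustrative placeholders.
func Relevant(r Reading) bool {
	return (r.Metric == "systolic_bp" && (r.Value >= 180 || r.Value < 90)) ||
		(r.Metric == "spo2" && r.Value < 90)
}

// NewAEAD builds the AES-GCM primitive; a 32-byte key selects AES-256.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one reading under a fresh nonce, binding DeviceID as associated data.
func Seal(aead cipher.AEAD, r Reading) Envelope {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: stop rather than risk reusing a nonce
	}
	plain, _ := json.Marshal(r) // strings and floats cannot fail to marshal
	return Envelope{r.DeviceID, nonce, aead.Seal(nil, nonce, plain, []byte(r.DeviceID))}
}

// Open is the cloud-side inverse; it fails if the ciphertext or device id was altered.
func Open(aead cipher.AEAD, e Envelope) (r Reading, err error) {
	plain, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.DeviceID))
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(plain, &r)
}

// Triage seals only the readings worth forwarding; everything else stays local.
func Triage(aead cipher.AEAD, batch []Reading) []Envelope {
	var out []Envelope
	for _, r := range batch {
		if Relevant(r) {
			out = append(out, Seal(aead, r))
		}
	}
	return out
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // all-zero demo key; a real gateway keeps its key in a secure element
	batch := []Reading{{"mon-07", "spo2", 97}, {"mon-07", "systolic_bp", 191}} // constructed sample
	fmt.Println(len(Triage(aead, batch)), "of", len(batch), "readings forwarded")
}
```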

Developers of hospital networks and hospital IT managers, EHR software developers, and other healthcare information technology professionals can work with hardware designers and manufacturing firms to discuss Edge Computing solutions for themselves and their customers.

About Eric Fischer
Eric Fischer is the Digital Marketing Specialist for Estone Technology – a designer and manufacturer of OEM/ODM computer solutions for Medical and Rugged Industries. Our solutions include specialized Tablet and Panel PCs, Embedded Boards, and Industrial Computers. We offer solutions that are IEC-60601 certified, waterproof, and antimicrobial, specialized for hospital environments.

Phishing Attack On Hospital Could Impact 1.4 Million Patients

Posted on August 3, 2018 | Written By Anne Zieger


A hospital in West Des Moines, Iowa has entered its third month of public disclosure after experiencing a data breach which could impact 1.4 million patients.

On May 31st, UnityPoint Health discovered that a phishing attack on its business email system had created a breach. Its investigation found that the company had received a series of fraudulent emails purporting to come from an executive within UnityPoint. After contacting law enforcement and beginning to research the situation, UnityPoint disclosed the existence of the breach to the public.

The patient information exposed includes names, addresses, dates of birth, medical record numbers and insurance information. Cyber attackers may also have gotten access to patient Social Security numbers and/or drivers’ license numbers. In a limited number of cases, attackers might even have been able to access patients’ payment card or bank account numbers.

Since then, UnityPoint has continued to keep its patients aware of any news on the situation, a painful yet necessary process which can help it rebuild its credibility. After all, it’s likely that the news of UnityPoint’s breach will get consumers very upset.

In fact, a new survey by SCOUT in partnership with The Harris Poll found that 49% of American adults are extremely or very concerned about the security of their personal health information. Given the fact that they’ve been hit with news of such breaches very regularly in recent years, it’s little wonder.

It’s worth noting that many consumers aren’t using online healthcare tools very often. For example, while 39% of those aged 18 to 34 used online portals to access their health information, all told only 36% of Americans overall use this technology.

As their health information knowledge increases, though, most patients become more concerned with what providers do to protect the privacy and security of their healthcare data. They learn how valuable this data is to potential buyers, and how there’s a ready market for their data in clandestine, impossible-to-track sites on the Dark Web.

Also, as the tenor of news coverage shifts from technical terms like “data breach” to tales of what happened to specific consumers, it’s likely that consumers will develop a more realistic view of what’s at stake here. If they’re freaked out at that point, they’ve probably figured out how a breach could impact their lives.

Rate Of Healthcare Ransomware Attacks Falls In First Half of 2018

Posted on July 12, 2018 | Written By Anne Zieger


Most research I’ve read lately suggests that the rate of healthcare cyberattacks is at an all-time high, and that ransomware is leading the parade.

But is that really true? Maybe not. A new security report has concluded that the rate of ransomware attacks on healthcare organizations actually fell during the first half of this year, and what’s more, that such attacks trended lower during the same period.

The study, which comes from security firm CryptoniteNXT, notes that cybercriminals target healthcare because they can fetch great prices for the data by reselling it on the dark web. Also, given the complexity of healthcare networks and the high number of vulnerabilities in those networks, thieves see providers as a fat and easy target.

However, when it comes to ransomware, the landscape may be changing. CryptoniteNXT found that the number of ransomware attacks impacting over 500 patient records dropped from 19 major data breaches in the first half of 2017 to 8 major breaches in the first half of 2018. That’s an impressive 57% decrease.

The biggest reported IT/hacker-driven breach hit LifeBridge Health, affecting 538,127 individuals. Other organizations targeted included academic medical centers, medical practices, ambulatory surgical centers, health plans and government agencies.

Meanwhile, the rate of ransomware attacks as a percentage of IT/hacking events has fallen substantially, from 30.16% during the first half of 2017 to 13.6% during the first half of this year.

On the other hand, the volume of patients affected has climbed. Roughly 1.9 million patient records were breached in the first half of this year, compared with 1.7 million records in the first half of 2017 and 1.8 million records in the second half of that year, it concludes.

Also, the report notes that ransomware attackers are far from done with the industry. The authors say that ransomware will still pose a “formidable threat” to healthcare organizations and that new variants such as AI-based malware will pose a major threat to healthcare organizations for the next couple of years.

To fend off hacking attacks, CryptoniteNXT recommends adopting new best practices such as moving target cyber defense and network micro-segmentation, which can address the inherent weakness of TCP/IP networks.

Did hospital “kidnap” patient who wanted to leave?

Posted on September 2, 2010 | Written By Anne Zieger


Image caption: Hospital? Or prison?

OK folks, I don’t know any more about the following story than you do, but if true, it’s an absolutely insane breakdown in hospital systems — one, I’d argue, that might not have happened in a hospital which had its, uh, finances and operations together.

The beginning of the tale sounds pretty routine. Apparently, Joseph Wheeler and his wife Felicia Ann, both in their mid-40s, were in a car accident in June and brought to Cheverly, MD-based Prince George’s Hospital.  In theory, this should have been a relatively simple case, as neither was gravely injured.

Now, let’s take a pause. Prince George’s is part of the Dimensions Healthcare System, a financially troubled institution which brought on a new CEO and an interim EVP  last month. The system, which has been forced to accept funding from the state in the past, expects to begin a restructuring plan in coming weeks.  It’s also looking for capital sources, natch.

So, back to the Wheelers.  Joseph Wheeler spent the night of June 23rd at the hospital, being treated for blunt torso trauma without other acute injuries.  The next morning he wakes up, finds a woman’s ID badge on his wrist, and is told he’s getting surgery “to have a potentially cancerous mass removed from his chest,” according to ABC News.   Need I tell you that he freaked out?

Well, all hell broke out at that point, according to the Wheelers, who have since filed a $12 million lawsuit against the hospital for false imprisonment, assault and battery and infliction of emotional distress.  According to Mr. Wheeler, he couldn’t get hospital staff to take an interest in the fact that the badge was for a woman 13 years younger than himself, so he and his wife decided to leave. 

Unfortunately, when they tried to leave the campus, they were accosted by security guards with a big chip on their shoulder. Two guards cursed the two out, then beat Mr. Wheeler severely, while attempting to take the incorrect ID bracelet away from him, the suit claims.  Ultimately, the facility let him go when Wheeler signed a form admitting he was leaving against medical advice.  He was treated at a nearby hospital with several new injuries, his suit recounts.

So, is this just an unbelievable aberration?  Has the financial strain the hospital faced left it with scared, poorly trained employees who simply got out of control?  What do you think?

Tweet roundup: Data loss at Thomas Jefferson, med records found in dump

Posted on August 15, 2010 | Written By Anne Zieger


Happy weekend!  Here’s a group of tweets from the past few days that might be worth a second look.  If you have tweets you’d like to see in our roundup please feel free to share them.

Cheers,

Anne Z.

____________________________________________________________
Tweets for the week of 8/8/10

> @idtexpert #Medical #IdentityTheft Alert: Huge loss of patient data at Thomas Jefferson #University #Hospital in #Philadelphia ; http://bit.ly/dsTWhd

> @drchrono patient med records found in a Boston dump! sounds like yet another good reason to get an EMR: http://bit.ly/bOEPCP #emr

> @hcapr Regional Med Ctr of San Jose Uses Pocket-Sized Handout to Improve Quality Scores: http://tinyurl.com/2cp7ph2 #HCA #hospital #cms #healthcare (Hey, I’m intrigued; how about  you?)

> @ShigeoKinoshita RT @ingagenetworks: 3 ways to increase engagement and revitalize your healthcare system http://bit.ly/98Fe7s #hcsm #health20

> @AndrewPWilson: CDC Gateway to Health Communication & Social Marketing Practice http://bit.ly/b4udxS #gov20 #health20

> @HealthYRc Lone bedbug sends Kings County Hospital ER into fumigation lockdown – #New #York #Daily #News#Hospitals#Health > http://bit.ly/bSFMlS

> @HealthYRc It’s easy to buy babies at govt hospitals – #Times #of #India#Hospitals#Health > http://bit.ly/ddRmdH (ED: Sounds outrageous but check out the story)

Video: Violence at an NYC hospital

Posted on June 13, 2010 | Written By Anne Zieger


Knowing hospital violence is getting worse may be discomfiting — but it’s easy to say “that only happens to other facilities.” So here’s a more visceral way to take in the message.

In this video, a local television station offers a report on the escalating violence faced by New York City’s St. Barnabas Hospital.

Sure,  St. Barnabas is an urban hospital in the Bronx. And maybe the crime rate in its catchment area is higher than, say, a cushy suburban neighborhood.  But violent people are everywhere.

So, here we have another reminder to take action. What can hospitals do, today, to keep their facilities safe?

Joint Commission warns about rising hospital violence

Posted on June 12, 2010 | Written By Anne Zieger


As those of you who follow this blog know, I recently gave a severe thrashing to a hospital which got security all wrong. That hospital, based in the Las Vegas metro, attempted to prepare staffers for violence by sending an armed man in, unannounced, to conduct a fictitious terrorist attack on the staff. (Yeah, brilliant.)

Foolish behavior like the above aside, no one questions that hospital violence is a real and growing problem. The most recent authority to weigh in is none other than the Joint Commission, which notes in its latest Sentinel Event Alert that hospitals “are being confronted with steadily increasing rates of crime, including assault, rape and murder.” Extremely sobering stuff.

The standards group has developed a list of 13 steps hospitals can take to prevent violence in their facilities, such as doing a thorough risk assessment for your facility, putting extra security precautions in place in the ED and doing careful background checks on potential employees.  My guess is that while most hospitals are taking some of these steps, few have developed a really comprehensive program like the one the Joint Commission has in mind.

You don’t have to be a security expert to conclude that hospitals need to confront this issue. But striking the right balance is going to be a serious challenge; after all, if your hospital’s security checkpoint resembles that found at the local airport, patients may well go elsewhere. All in all, there are no easy answers here.

If you want security, don’t aim a gun at your staff

Posted on June 9, 2010 | Written By Anne Zieger


Folks, I’m almost at a loss for words here, so I’ll just shoot.  Read, with astonishment, this item below from the Las Vegas Sun:

An off-duty cop pretending to be a terrorist stormed into a hospital intensive care unit brandishing a handgun [last week], which he pointed at nurses while herding them down a corridor and into a room.

There, after harrowing moments, he explained that the whole caper was a training exercise. (Ed.: Emphasis mine)

Apparently, the hospital intended this to be a terrorism-preparedness exercise. But it didn’t go over well, to say the least. The staff at Las Vegas-based St. Rose Dominican Hospitals-Siena Campus, as the Sun reporter wryly puts it, “found the exercise more traumatizing than instructive.”

If there’s a more half-assed way to respond to potential threats, I can’t imagine what it is. Not only does it scare the bejeezus out of the staff, it could easily distract them from getting back to their real jobs, i.e. keeping people alive. Do patients in an ICU really deserve to be treated by terrified caregivers who have just been jolted out of their wits? Good Lord!

Please understand, I’m not here to trivialize concerns about hospital violence. It’s clearly a serious issue, especially in the hospital’s 24-hour, open access ED.

A 2009 study by the Emergency Nurses Association found that more than half of nurses reported experiencing physical violence on the job, and that one in four had experienced such violence more than 20 times in the previous three years.

Another study, published by the American College of Emergency Physicians’ Annals of Emergency Medicine in 2005, found that nearly three-quarters of 171 Michigan physicians surveyed experienced a verbal threat in the last year, and 28 percent were victims of physical assault in the same time period.

These statistics are terrifying, truly, and must be addressed if hospitals want to do their business well. But I think most professionals would agree that fake terrorism isn’t a strategy.

So what of the Las Vegas hospital? Why did it conduct what, in retrospect, was clearly a mindbogglingly stupid experiment? My guess is that hospital administrators thought this would be cheaper than paying for real training. (Maybe someone at Blackwater owed them a favor?) Or that maybe they were so ignorant that they thought highly-trained professionals in a tense situation were asleep at the wheel.

Regardless, this kind of thoughtless tomfoolery can only distract professionals from noticing real threats.  If someone ever does show up with a gun, whose fault will it be if they think it’s an exercise?