Category Archives: Healthcare

Healthcare related posts

The End of Fax Machines? Well Maybe. Why? Insecurity!

Seema Verma, the administrator of the Centers for Medicare and Medicaid Services at the Department of Health and Human Services, wants fax machines out of doctors’ offices by 2020.

CMS Administrator Verma

She wants them out of doctors’ offices because they are not cool. She wants to replace them with super-non-secure apps for your phone that are way cool, but even less secure than that crappy fax machine.

She says that physicians are stuck in the 1990s, hence their use of fax machines, I guess. She says that doctors are still taking notes on paper (not any doctor that I use, but I am sure there are some). This is causing physician burnout. Ask a physician what is causing burnout: #1 is dealing with CMS and insurance companies and #2 is having to use those really bad apps that have already been developed, Seema.

I guess she never heard of the breaches of all of the different Blue Cross affiliates a few years ago.  I am sure that if we collect all of that healthcare data in poorly written apps, no one will ever hack those repositories.  After all, what could go wrong?

We do have to remember that she is required to be a cheerleader for whatever the administration in power wants, so take all this with a grain of salt.

HOWEVER, it is fair to look at fax machines.

WHY do people still use them? Because they are ubiquitous. They are everywhere. In Japan, something like a third of private households have fax machines. That is a feat that very few countries can match, but almost every business has a fax number (actually, we do not!).

One reason that people use them is that they are SECURE.  I am not sure what illegal substance the person who came up with that idea was ingesting, but they were not sharing.

Anyone ever get a fax that was not destined for them?

Anyone ever get a fax not destined for them that contained sensitive information?  VERY sensitive information?

Anyone ever see that sensitive fax just sitting on the fax machine?

Anyone ever see something on the fax machine, look at it, decide it was not for them and read it anyway?

How many people have a fax number that is tied to an electronic fax service like eFax or Concord fax?

So the sender, wanting to be secure, sends a fax. They manage to dial the right number. The fax goes to some third party with unknown security, which takes that fax and sends it to you in an email.

WHY NOT JUST EMAIL IT IN THE FIRST PLACE? THAT WOULD BE CHEAPER, FOR SURE, AND, GIVEN THERE ARE A LOT FEWER MOVING PARTS, PROBABLY MORE SECURE, TOO.

To be fair, some fax services offer secure fax where they send you an email that you have a fax and then you have to log in and download it.  AND THEN YOU FORWARD THAT FAX VIA EMAIL TO YOUR COWORKERS.

Do you see a problem here?

Bottom line is faxes are not secure and should not be perceived to be secure.

So what is there to do?

First of all, if you are using faxes because email is not secure, do not use a fax-to-email service.

If you are using a fax-to-email service, you need to do a security risk assessment on the service provider. IF YOU ARE A DOCTOR OR OTHER HEALTHCARE PROVIDER, THAT FAX SERVICE IS A BUSINESS ASSOCIATE UNDER HIPAA REGULATIONS AND YOU NEED TO HAVE A SIGNED AND AUDITED BAA WITH THAT SERVICE PROVIDER. If the service provider won’t sign the BAA, you are breaking the law and risking a fine by using them!

Again, if you have to use fax-to-email, use a service that offers a secure mailbox that allows you to download the fax over an encrypted channel.

If you are using one of those old fashioned fax machines, make sure that the inbound faxes can be secured until picked up by the RIGHTFUL owner.

If you are using one of those newfangled multi-purpose print/copy/fax machines, understand that those machines have a hard disk in them (except for the very cheapest ones) and must be disposed of securely at the end of the lease or when ready to be discarded. Higher-end machines have hard disks that can be removed by a technician and given to you to shred (yes, really). Lower-end ones are not designed that way and you may wind up destroying the machine to get the disk out. But do that anyway.

A much better way to deal with the problem is to create a SECURE web portal to replace that fax machine.  Remember the goal is not to replace one insecure technology with another insecure technology.

By the way, IF THE PORTAL IS HOSTED, THEY ARE STILL A HIPAA BUSINESS ASSOCIATE.  Sorry!

If all of this gives you a headache, contact us to help you sort this out.

Source: Healthcare IT News


Have You Planned For Cloud Outages

Allscripts, the $1.5 billion medical technology and services firm, hosts a number of cloud-based applications that doctors and hospitals use to run their operations. Hancock Health, which I wrote about on Monday, is one of their clients according to HealthcareITNews. About a week ago, Allscripts was hit with a ransomware attack caused by the malware called SamSam.

After the attack, Allscripts did what too many companies do and tried to pretend that it wasn’t a big problem, that it wasn’t affecting many people and that it wasn’t a big deal.

A week later, Allscripts’ applications are still not working right.

Doctors can get to the login screen, but they can’t actually log in.

This means that they can’t get to patient records and can’t bill insurance carriers.

Allscripts, in a continuing denial of reality, said that the system was back up but doctors still couldn’t log in.

Doctors are freaking out a bit because they are losing revenue and cannot take care of patients.  Other than that, it isn’t a problem.

It appears that today, Allscripts is finally admitting that they have a big problem.

If you run a doctor’s office or hospital and are an Allscripts client, this is a big problem for you.

Whether you are an Allscripts client or not, here are a couple of things to consider:

  • What is your business continuity plan if your cloud provider has an outage?  For an hour?  For a day?  For a week?
  • Do you have a Service Level Agreement with your cloud provider in case of an outage?  Are the penalties sufficient to compensate you for your losses, or are they basically meaningless?
  • Do you have cyber risk insurance?  If you do, does it cover business interruptions (BI)?  Often BI has a waiting period before coverage kicks in.  Sometimes it is as long as 12 or 24 hours.  Is your BI coverage appropriate for your business needs?

Hopefully this attack is not affecting you, but whether it is or it is not affecting you, now is a great time to make sure that you are as prepared as you can be.

And, even if you are your own cloud service provider (running on Amazon, Google, Microsoft, Rackspace or the like), the problem is the same.

Information for this post came from FierceHealthcare, Healthcare IT News, Healthcare IT News again, and FierceHealthcare again.


Faxes are Secure, Right?

It is hard to believe that, in this day and age, people are still using faxes, but they are still surprisingly popular in businesses.

And extremely error-prone. There is no error-checking mechanism in a fax machine.

You type in a number, stick the pages in and they are transmitted to the other end. Wherever or whoever that might be.

Sometimes, if the other end is not where you were expecting, it is not a problem. Maybe they throw the faxes in the trash. Maybe they shred them. Maybe, if you are lucky, they call the sender and tell them that the faxes did not reach the intended recipient.

But what if you are a health authority and the information is confidential patient information? And the actual recipient is a computer shop, not a place where the patient is?

This was reported in Canada this week. The Saskatchewan Health Authority sent confidential patient information to a local computer shop. The store owner said that his fax machine received a 21-page fax from a local hospital destined for a local doctor.

The hospital has a solution to the problem – the computer shop should change its fax number (and somehow notify its customers of this).  Wonderful solution.  The shop owner was actually pretty accommodating about that.  Pay for the costs of the change and he would do that.

The computer shop says that it has received numerous faxes from the Health Authority over the last year.

We hear about this often. Sometimes, in the case of lawyers, they, and even the courts, accidentally fax information to opposing counsel or even to unrelated third parties. In situations like that, a simple mistake can result in a waiver of attorney-client privilege. That can get very messy.

In the cases where the party sending the fax is typing in the number directly, mistyping a digit will send the fax to the wrong place.

In some cases, the fax number is stored in the fax machine’s address book, but was entered incorrectly.

In a few cases, we have even heard of situations where the recipient phone number has been forwarded to another number, accidentally.

Given all these opportunities for error, why do companies continue to use fax machines, especially for sensitive information?

The simplest answer is that fax machines are universal.  Doctors and others have been using them for 50 years and don’t like to change.  Fax machines – at least simple ones – are pretty cheap and the training process is pretty simple.

But another reason is the perception that faxes are secure. They are not. There are a few really high-end fax machines that encrypt faxes, but probably only one in 100,000 machines can do that and has users who know how to use it.

Mostly it is because people don’t like change.

We use encrypted email all the time. But it is a bit of a hassle. We use different encrypted email products with different clients. You have to look at multiple email apps to make sure that you haven’t missed any emails.

So people, always looking for the easiest, least hassle solution, resort to faxes.

In the case of faxing medical records to the wrong person, even accidentally, it is likely a violation of privacy laws.

In this case, the computer shop owner notified the sender multiple times (remember the sender suggested that the shop owner change his phone number) and the sender refused to do anything.

Well, now the computer shop owner has notified the Saskatchewan Information and Privacy Commissioner. I don’t know what the penalties are going to be, but perhaps, now, given a combination of bad PR and fines, the hospital will come up with a better solution. Those are not very hard to find.

Are you still using fax machines to send sensitive information?

Information for this post came from CBC.


Patching IoT Gets Out of Hand

In what may be the first event of its kind, the FDA recalled a pacemaker from St. Jude, now owned by Abbott Labs.

Researchers discovered the flaws prior to Abbott’s acquisition of St. Jude and reported them to both the FDA and St. Jude.  Both decided to do nothing about it until the researchers went public.

In April of this year, the FDA put out a “warning” (also likely a first of its kind) that the devices, which can be controlled remotely, were likely hackable and also had a battery problem that could cause them to go dead, possibly along with the patient, before they were supposed to. At that time Abbott said that they took security seriously and had fixed all the problems (see Fox Business).

Fast forward to this week and the FDA has now issued a recall of close to a half million of the supposedly fixed devices.

Since the devices are implanted inside people, the plan is NOT to perform a half million surgeries to remove them, but rather to have patients go to their doctor to have the firmware in the device updated.

As I recall, one of the problems WAS this update capability. The researchers were able, I think, to buy pacemaker programmers on eBay and reprogram any pacemaker from that manufacturer without authentication. All they had to do was be in radio range of it.

Obviously, being able to reprogram the pacemaker (which has to be done in a facility that can control a patient’s heart rhythm while the pacemaker is being hacked.  Err, patched.  Err, upgraded) is a LOT safer than a half million surgeries, but still it is not without risk.

No clue what the cost of this little adventure will be, but it won’t be cheap.  Even if each doctor visit costs a hundred bucks – which is highly unlikely – that would still be a cost of $50 million.  If the cost is $500, then the total would likely be in the $250 to $500 million range when you add legal fees, fines and support costs.

One other interesting feature. The researchers approached St. Jude about paying them a bug bounty, which is common in the tech world, and St. Jude decided not to. Instead, the researchers approached Muddy Waters Capital, who sold the stock short, then announced the vulnerabilities. When the stock price went down, which it did, Muddy Waters covered their short sale and made out very nicely. Muddy Waters and the researchers had a deal to do some sort of split of the profits. There were some people who thought that was a bit too capitalistic, but it is not illegal. Maybe next time the manufacturer will work with the researchers when they approach it.

Information for this post came from The Guardian.


Homeland Security Issues Security Alert for Siemens Imaging Systems

We usually think of Internet of Things (IoT) devices as smart light bulbs or door locks or cameras, but there are some IoT devices that are a little bigger and a lot more expensive.

In this case, it is a multi-million dollar CT scanner that hospitals and imaging centers use to create diagnostic images.

Siemens says that even an attacker with a low skill level would be able to exploit the vulnerabilities.  That’s not very comforting.

The root of the problem is that there is a Windows 7 PC running the scanner and it is difficult to get approval to install patches – assuming they are even available – because it is considered a medical device.

To make matters worse – if that is possible – Siemens said that the flaw is executable remotely (from the Internet) and sample ways to exploit the bug are available on the Internet.

DHS suggests that hospitals unplug their CT scanners from the network so attackers cannot reach the scanners to attack them.

Of course, that is probably not practical.

Siemens says that they are working on a patch. That’s comforting. It is not clear how long it will take Siemens to develop a patch (or get Microsoft to do so), how long it will take to get the patch approved or how long it will take to get hospitals to install the patch.

Since the vulnerability allows hackers to remotely execute arbitrary code, they could potentially steal any data on the scanners or use the scanners as a launching point for attacks elsewhere in the hospital.

We always tell clients that ALL IoT devices need to be isolated from any trusted internal networks and likely from other IoT devices as well.

Whether the IoT device is a $5 smart light bulb or a multi-million dollar CT scanner, that advice is still true. To do so may require hospitals to redesign their business practices as well as to make changes to their information systems, so that won’t happen overnight either.

This represents a bit of a mess for hospitals and clinics that have CT scanners, and there does not seem to be an easy fix.

The point here is that IoT devices are everywhere and often in places that you do not think about. Some are small and relatively cheap; others are pretty large and very expensive, but they all share one commonality: they can be exploited.

It is likely to get much worse before it gets any better.

Information for this post came from Health Data Management and the DHS Security Alert.


Hacking Pacemakers For Fun

When Dick Cheney was Veep, stories kept popping up that the Secret Service had made sure that his pacemaker was not remotely controllable.  Some people weren’t sure that it was a problem – not because they didn’t like Cheney, but because they didn’t think they were hackable.

Well now we have a different story.

Researchers bought used pacemaker programmers on eBay, some costing as little as $15.  Apparently, if you have a programmer for manufacturer X’s pacemaker, you can program any pacemaker from that manufacturer.  Apparently, there is no authentication.

The manufacturers have said that they control the distribution of the pacemaker programmers, but if you can buy them on eBay for $15, that obviously is not working.

Whitescope researchers analyzed 4 programmers from 4 manufacturers and discovered more than 8,000 vulnerabilities. Now doesn’t that make you feel good?

In two cases the used pacemakers came with patient data that had not been wiped. The data was not encrypted.

As medical devices become more sophisticated, they become more dangerous too. If someone knows that you have a pacemaker from vendor X and can figure out how to hack it, that person could kill you, literally.

This is, in some sense, similar to the drug infusion pump scandal from a few years ago.  The FDA attempted to sweep the issue under the rug for a year or more until the researcher went public with the hack.  Then, all of a sudden, the FDA decided it was a problem.

Some people might say that if researchers just didn’t discover these bugs then all would be well.  Not really.  The bad guys will discover the bugs also, but they won’t be so kind and disclose them.

Obviously these manufacturers need to rethink their security programs.  Security by obscurity (such as by trying to control the distribution of pacemaker programmers) just isn’t going to work in the long run.

As the author of the article said, it is a bit disconcerting that your iPhone is more secure than your pacemaker.

Information for this post came from Ars Technica.
