Category Archives: Healthcare

Healthcare related posts

If Covid Doesn’t Get You then Cyber Bugs in Medical Devices May

Well if that isn’t depressing ….

Experts warn that medical-device security is a chronic problem, now exacerbated by COVID-era healthcare challenges. Hospitals have been forced to prioritize budgets and staffing to focus on lifesaving care – meaning that IT security often takes a back seat. Adding insult to injury, hackers are aware of this, and are also now capitalizing on these healthcare strains with a barrage of ransomware and phishing attacks and more.

Many hospitals and healthcare services were hit by ransomware in 2020. Universal Health Services was one of the larger ones with an attack paralyzing 400 facilities.

Right now, attacks on medical devices are rare, but think about it this way. If a hacker sends you an email that says “I have hacked your pacemaker (or insulin pump or whatever device) and if you don’t pay me x Bitcoin, I will turn it on/off/change the settings,” would you pay the ransom?

One of the challenges is the medical device regulator itself. The FDA, like most government agencies, makes snails look agile. That might have been acceptable in 1848 when the FDA was founded, but not in 2021. Hackers don’t move at FDA speed. In many cases, hospitals and medical device makers are not even allowed to install patches for known, actively exploited bugs without FDA permission.

There are a number of steps that folks can take, like inventorying all of their medical devices and trying to get vendors to tell them what ingredients are in their devices.

An example of one IoT (called IoMT for Internet of Medical Things) defect is a bug called Ripple20. It is *thought* that Ripple20, a bug in the device’s Internet communications software, affects around 53,000 medical device models.
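The inventory-plus-ingredients step above is only useful if you can actually cross-check what you own against what a bug affects. The following is an added example (not code from the original post or from any device vendor) of that cross-check: a device list with vendor-disclosed component versions is sorted against a single advisory into affected, not affected and unknown. Every device, component name, version and the advisory itself are constructed placeholders; a real Ripple20 assessment would substitute the vendor's actual component names and fixed versions.

```python
"""Cross-check a medical-device inventory against a component advisory.

Added example, not code from the original post or from any vendor: the
inventory, the component names and the advisory are all constructed
placeholders. Substitute the real vendor data for them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    asset_id: str
    model: str
    # Component name -> version string, as disclosed by the vendor (an
    # SBOM-style "ingredient list"). Empty dict = vendor gave us nothing.
    components: Dict[str, str] = field(default_factory=dict)


@dataclass
class Advisory:
    name: str
    component: str
    # Versions strictly below this one are affected (constructed rule).
    fixed_version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.0.1' into (6, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def assess(devices: List[Device], advisory: Advisory) -> Dict[str, List[str]]:
    """Sort devices into affected / not_affected / unknown.

    'unknown' is the bucket that matters: without a component list from
    the vendor there is no way to tell whether a device carries the flawed
    stack, which is the point of asking vendors for their ingredients.
    A device whose list exists but lacks the component is treated as not
    affected; that assumes the vendor's list is complete.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    fixed = parse_version(advisory.fixed_version)
    for dev in devices:
        if not dev.components:
            result["unknown"].append(dev.asset_id)
            continue
        version = dev.components.get(advisory.component)
        if version is None:
            result["not_affected"].append(dev.asset_id)
        elif parse_version(version) < fixed:
            result["affected"].append(dev.asset_id)
        else:
            result["not_affected"].append(dev.asset_id)
    return result


# Constructed sample data (placeholders, not real products or versions).
SAMPLE_ADVISORY = Advisory(
    name="PLACEHOLDER-TCPIP-STACK-ADVISORY",
    component="example-tcpip-stack",
    fixed_version="6.0.1",
)

SAMPLE_INVENTORY = [
    Device("pump-001", "InfusionPump-X", {"example-tcpip-stack": "5.2.0", "example-rtos": "3.1"}),
    Device("pump-002", "InfusionPump-X", {"example-tcpip-stack": "6.0.1", "example-rtos": "3.1"}),
    Device("mon-010", "PatientMonitor-Y", {"other-tcpip-stack": "2.0"}),
    Device("xray-100", "PortableXray-Z"),  # vendor supplied no component list
]


if __name__ == "__main__":
    for bucket, ids in assess(SAMPLE_INVENTORY, SAMPLE_ADVISORY).items():
        print(f"{bucket}: {ids}")
```

Run as-is, the one device with no vendor component list lands in the unknown bucket, which is the gap the inventory exercise is meant to expose: you cannot patch, segment or risk-rank a device whose ingredients nobody will tell you.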

A study of 5 million Internet of medical things that lasted for a year found that 86 percent of healthcare deployments had more than 10 FDA recalls inside their network. Recalled IoMT devices can be considered either defective or posing a health risk, or both. Credit: Threatpost

HHS Proposes Changes to HIPAA Privacy Rule

As is often the case when the feds do something, there is probably at least one thing that is good in this notice of proposed rulemaking and probably others that are less good.

The HIPAA privacy rule is designed to protect the privacy of patient data, but other than stopping providers from selling your health information to the media, they already share it with most of the healthcare ecosystem anyway.

The only way to REDUCE (but not eliminate) the sharing of healthcare information is to pay cash and not make an insurance claim. Other than the rich, no one does this.

The Republican administration claims that this change will offer more flexibility for disclosures in cases such as opioid overdoses and Covid-19, but of course, these changes are not limited to that.

Among the changes they propose are:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Clarifying the form and format required for responding to individuals’ requests for their PHI.
  • Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
  • Reducing the identity-verification burden on individuals exercising their access rights.
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
  • Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
  • The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the “minimum necessary” standard. It would “relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations,” according to the proposed rule-making.

The goal, they say, is to allow your doctor to disclose your personal health information to the authorities (like social services), community-based organizations (whatever they are) and other similar third-party providers without having to ask your permission.

Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual,” according to the proposed rule.

But not to worry – you can sue your doctor, spend 5 years going through the court system and spend tens of thousands of dollars if you think your doctor didn’t have an (undefined term) “good faith belief”. How do you PROVE a lack of a belief in a doctor’s head?

There are probably some legitimate changes to be made to HIPAA. I am not sure that this is the list that I would propose. It seems like mostly it is designed to loosen restrictions on what the healthcare community can do with your digital health information without asking your permission or even telling you that they are doing it.

You can probably figure out what I think of these changes. Credit: Health Care IT News

FBI, Homeland Says Hospitals Under Cyberattack

I have gotten more notices on this particular alert than usual, so I suspect that means that there is more fire than anyone is admitting.

The FBI, Homeland Security and Health and Human Services issued a joint alert that hospitals and other public health organizations are being targeted by malware, especially ransomware. They are calling it an imminent threat. Security experts say that they are seeing chatter from the Russian cybercrime groups that say that they plan to deploy ransomware to 400 hospitals this week.

Just this week the Saint Lawrence Health System in upstate New York, Sky Lakes Medical Center in Oregon, The University of Vermont Health Network and several others have admitted that they have been attacked.

Mandiant says that they identified three attacks on Tuesday and one attack on Wednesday.

The result is that hospitals have to revert to paper based systems.

That also means that they do not have access to patients’ charts, their medical history, online pharmacies, automated case file transcription and other typical hospital services.

Just what doctors and nurses need during a pandemic.

One result, many times, is that hospitals are forced to refuse ambulances. When that happens, ambulances need to find another hospital, typically further away. Recently, in Germany, the first ADMITTED case happened where a patient died as a result of being turned away at a hospital that had been hacked. The cops caught the hacker later and are threatening to charge him with MURDER.

In the FBI/DHS/CISA/HHS alert, they gave hospital IT and security teams details of what strings to add to their alerting systems. Which is great if a hospital, in the time of massive craziness, has the resources to do something with that information. And also, assuming that the malware doesn’t morph (it does). Large organizations with massive IT departments probably can, but medium size and smaller hospitals can’t.
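To make the "assuming the malware doesn't morph" point concrete, here is an added example, not code from the original post and not drawn from the joint alert: it applies two kinds of alert indicators to log lines. Every indicator and log line is constructed for illustration and is not a real IoC. An exact file hash stops matching the moment the malware is rebuilt, while a domain indicator keeps matching as long as the attacker reuses the same infrastructure, which is why a small security team gets more mileage out of the infrastructure indicators in an alert than out of the hashes.

```python
"""Apply alert indicators to log lines and show why exact-string
indicators are brittle.

Added example, not code from the original post or from the joint alert:
every indicator and log line below is constructed and is not a real IoC.
"""
import re
from typing import Dict, List, NamedTuple


class Indicator(NamedTuple):
    kind: str    # "sha256" or "domain"
    value: str
    label: str   # what the alert says this indicator belongs to


def match_line(line: str, indicators: List[Indicator]) -> List[str]:
    """Return labels of every indicator that matches one log line."""
    hits = []
    lower = line.lower()
    for ind in indicators:
        if ind.kind == "sha256":
            # Hashes are hex; compare case-insensitively but exactly.
            if ind.value.lower() in lower:
                hits.append(ind.label)
        elif ind.kind == "domain":
            # Match the domain itself or any subdomain, bounded so that
            # 'evil-example.test' does not match 'notevil-example.test'.
            pattern = (r"(?<![\w.-])(?:[\w-]+\.)*"
                       + re.escape(ind.value.lower())
                       + r"(?![\w-])")
            if re.search(pattern, lower):
                hits.append(ind.label)
    return hits


def scan(lines: List[str], indicators: List[Indicator]) -> Dict[str, List[int]]:
    """Map each indicator label to the 1-based log line numbers it hit."""
    report: Dict[str, List[int]] = {ind.label: [] for ind in indicators}
    for number, line in enumerate(lines, start=1):
        for label in match_line(line, indicators):
            report[label].append(number)
    return report


# Constructed indicators (placeholders, not real IoCs).
INDICATORS = [
    Indicator("sha256", "a" * 64, "loader-build-1"),
    Indicator("domain", "evil-example.test", "c2-domain"),
]

# Constructed log lines: line 1 is the original sample, line 3 is the same
# malware recompiled (new hash) and therefore missed by the hash indicator,
# line 2 is the C2 beacon the domain indicator still catches, and line 4 is
# a near-miss domain that must not match.
SAMPLE_LOGS = [
    "edr: file quarantined sha256=" + "a" * 64 + " path=C:\\Users\\x\\update.exe",
    "dns: query A update.evil-example.test from 10.20.30.40",
    "edr: file quarantined sha256=" + "b" * 64 + " path=C:\\Users\\y\\update.exe",
    "dns: query A notevil-example.test from 10.20.30.41",
]


if __name__ == "__main__":
    for label, hit_lines in scan(SAMPLE_LOGS, INDICATORS).items():
        print(f"{label}: lines {hit_lines}")
```

The recompiled sample on line 3 produces no hash hit at all, so a team that only loaded the hash strings from the alert would see one infection and miss the second; the domain indicator catches the beacon regardless of which build produced it.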

When patients die, hospitals get sued. Also not great. During a pandemic or at any other time.

Let’s assume that you don’t run a hospital or other public health service – do you care? Or should you care?

The answer to this is yes because, especially in times like these, it stops these organizations from executing their mission and possibly, from saving your life. If they have to worry about how to manage patient records by hand rather than taking care of those patients, care suffers.

Every hospital will say – with a straight face – that in the case of a cyber attack, patient care doesn’t suffer, but think about this. If they could provide equally good care without all of those computers and software as with it, then why are they spending billions on those computers? It doesn’t make any sense.

Of course they have to say that – saying that patient care has suffered would open them up to even more lawsuits than the actual breach will, but still, if you or a loved one were to be hospitalized, you want that hospital to be operating with every tool that they have, not reverting to the way they did business in 1960.

And it doesn’t seem like the hacks are letting up, which will force them to divert money away from patient care and research to hiring folks like Mandiant – and they are not cheap. Brian Krebs has also written about this issue.

The Challenges of Ransomware 2.0

The Finland-based psychotherapy group Psychotherapy Center Vastaamo may need some therapy itself.

They claim that in late 2018-early 2019 hackers broke into their network.

Just this month it has come out that the company, which has 20+ offices and 300 or so shrinks may have lost the data of 40,000 patients, some of whom are high profile. The hacker(s) tried to blackmail the company to the tune of about a half million bucks, but they did not bite.

So the hackers posted the clinical files of 300 patients on the dark web as a threat and then started extorting more patients to pay a ransom of between 200 and 500 Euros not to publish their file.

The Finnish version of the FBI says don’t pay the ransom.

That is kind of easy for them.

What people tell their therapists is sometimes not great for public consumption.

It can get you fired.

It can get you divorced.

It can end your political career.

Some people even commit suicide.

It can cost you tens if not hundreds of thousands of dollars, so paying a 500 Euro bribe, even if you are not sure that it will protect you, may seem reasonable.

I asked one of my friends at the FBI what his thoughts are and I will update this post when I hear back.

Some people will decide that it is not worth the risk and not get mental health support or other treatments. Or not tell their medical professional the truth or the whole truth.

It certainly is worthwhile asking about security, but the likelihood of getting an honest answer is almost zero. After all, doesn’t every company say they care about your data? After they get hacked.

Until the financial equation changes it is unlikely that the problem will be solved. In part, this is due to the fact that strong security is inconvenient. In this case, this is a GDPR violation and it covers sensitive data, so they will likely be fined a lot.

I am not sure what it will take.

The Defense Department has one strategy. They are beginning to require that their contractors be certified by a third party. No certification, no contract. That seems like it could be effective. Credit: The Register

Ransomware. Healthcare. 1 Old, 5 New.

The Hacking Group Dark Overlord hacked Athens Orthopedic 4 years ago and they are still dealing with the fallout, including paying a 1.5 million dollar fine to the feds.

The feds say that Athens management was not being good. In fact it was being naughty. HHS audited the doctors after the attack and found systematic non-compliance with HIPAA.

The hackers stole over 600,000 patient records. A journalist found some of their patient records on the dark web. Within a few days, the hackers contacted Athens demanding a ransom.

So this points out that ransomware 2.0 – the kind where hackers steal data, encrypt your systems and then hold both your systems and your data hostage – has been around for years. It is just becoming more popular now.

In addition to losing four years of their life and $1.5 million, the doctors now have to implement a corrective action plan (CAP). A CAP is HHS’s term for getting your security act together.

Oh, yes, the source of entry for the hackers? Credentials stolen from a third party. I guess the doctors will now implement a vendor cyber risk management program. A bit late, but better late than… Credit: Health IT Security

HHS also fined 4 other healthcare providers this year, fining them as much as a million dollars.

Fast forward to today.

This month hackers have posted the data of 5 different medical practices on the dark web in an effort to extort money. UCSF paid hackers over a million dollars just a couple of months ago.

So what are we seeing now?

Assured Imaging, University Hospital New Jersey, National Western Life, The College of Nurses of Ontario and Nonim Medical are all dealing with their data being hacked and posted on the dark web.

Assured Imaging is notifying 244,000 patients that their data may have been compromised. The hacker only had access to the data from May 15 to 17.

So what does all this tell us?

  • The hackers are using any available option, including third parties.
  • They do not need to have access for a long time to do a lot of damage.
  • Some health care providers are not following the HIPAA rules including getting annual third party risk assessments.
  • The companies that get hacked will be cleaning up the mess for years.
  • And will likely pay HHS a lot of money as well as getting to execute a CAP.
  • Finally, there will be lawsuits. There always are.

So I am going to leave you with just one thought and it doesn’t only apply to healthcare. Credit: Health IT Security

Do you feel lucky, punk?

I am sure that these organizations didn’t think they were going to get attacked. At least some of them were not taking security seriously enough.

Are you taking your company’s security seriously enough?

Security News for the Week Ending September 18, 2020

Is TikTok Going to Sell to Oracle? Maybe

Well, sale is not really the right word. They call it a “trusted tech partner”. This does not solve the national security problem, so it is not clear what problem this does solve. Nonetheless, Steve Mnuchin will present it to the President. If it provides some sort of political benefit he may accept it even though it does nothing for national security. If it shuts down, there will be 10 million unhappy people, some of whom vote. Also, it doesn’t seem that this deal fulfills the President’s requirement that the Treasury get a lot of money. It seems like they won’t get any. Credit: The Verge

Updated information says that there will be a new corporate entity set up in the U.S. to give the President some cover that he is really improving security and that Oracle will have some sort of minority stake in this new entity, but China will still control all of the intellectual property. The President’s deadline is this Sunday. Will he really shut it down pissing off millions of Americans just before the election? Credit: The Verge

Even more updated: The Commerce Department says that a partial ban will go into effect Sunday. As of Sunday, U.S. companies can no longer distribute WeChat and TikTok, but users can continue to use the software. Also beginning Sunday, it will be illegal to host or transfer traffic associated with WeChat and the same for TikTok, but on November 12 (coincidentally, after the election). I assume that will mean that users who want to use those apps will have to VPN into other countries before using the apps. Not terribly convenient, but a way to keep the pressure up on China. Credit: CNN

Cerberus Banking Trojan Source Code Available for Free

The Russian security vendor Kaspersky (reminder: the U.S. has banned it from government systems) has announced that the Cerberus source code is now available for free. This means that any hacker with the skill to integrate it can make it part of their malware. Cerberus is a pretty nasty piece of work; it even has the ability to capture two factor codes sent via text message (one reason why I say that text message two factor is the least secure method). This means that banks and people that use banks (which is pretty much most of us) need to be on high alert when it comes to our financial account security. Credit: ZDNet

Denial of Service Attacks up 151% in First Half of 2020

A denial of service attack is a brute-force attack that aims to hurt a business by stopping the company’s customers from getting access to its (typically) web site. For example, if you are an online business and customers and potential customers cannot get to your web site, they will likely go to another vendor. What is now amazingly called a small attack (less than 5 gigabytes of garbage thrown at your web site per second) is up 200% over last year. Very large attacks (100 gigabytes per second or more) are up 275%, according to Cambridge University.

If you are not prepared to deal with an attack and need help, please contact us. Credit: Dark Reading

Ransomware at German Hospital Results in 1 Death

This could have wound up much worse when hackers compromised Duesseldorf University Hospital. The hospital put itself on life support and ambulances were diverted to other hospitals. While police communicated with the hackers and told them they had hacked a hospital, an ambulance was diverted and the patient died. Prosecutors, if they can find the miscreants, may charge them with negligent homicide. The hackers did withdraw the ransom demand and handed over the decryption key, but not before this patient lost his or her life. Credit: Bleeping Computer