Category Archives: Healthcare

Healthcare related posts

GAO Says Insurers Limit Coverage in High Risk Areas

When insurance companies first started writing cyber risk insurance, it was unbelievably profitable. They were writing many policies and not processing many claims, so they were very happy.

Over the last few years customers discovered that it did not make any sense to buy insurance and not make a claim when a bad event happened. That started making insurance companies nervous. Events like SolarWinds only make things worse.

Last fall, as part of the National Defense Authorization Act, the GAO was chartered to survey the cyber insurance landscape.

The GAO interviewed folks at the Treasury, industry trade associations, a large cyber insurance provider and others to understand the landscape and come up with some suggestions on what to do.

The first thing the GAO discovered is that the number of people who decided to be “self insured” has gone down a lot. Their report says that the percentage of insurance clients opting for cyber coverage rose from 26% in 2016 to 47% in 2020. No one likes writing a check for a million dollars out of their own checkbook. That is good because it increases the risk pool.

But cyber is different from many other coverages. It is not local. If there is a fire in one city it does not cause claims in another. But with cyber, attacks are not geographically constrained.

With an increase in claims, insurers responded.

For example, they reduced coverage limits to healthcare and education, two sectors that had finally decided that insurance was not optional. The healthcare sector saw one of the largest increases in demand between 2016 and 2020.

Recently, underwriting capacity has contracted, especially in high risk sectors such as healthcare, education and public entities. Brokers say this is due to the fact that insurers are worried that these sectors are not prepared to repel attacks. As a result, they are declining to write coverage or charging higher premiums.

In fact, the GAO says, underwriters are increasing scrutiny everywhere and for some that could mean that cyber risk coverage may become unaffordable. When underwriters review a company’s cyber risk program, they may decide that it is not strong enough and the risk of providing coverage is too high.

Policies are also becoming more clear about what is covered or, more importantly, what is not covered. That means that customers need to read those policies way more carefully than they have in the past. Insurance underwriters are unlikely to say “although we covered ‘x’ last year, we are not going to cover ‘x’ this year”. It is more like “see if you can figure out what we removed from the policy this time”. And, oh yeah, your premium is going up.

Part of this is due to the insurance underwriters’ inability to predict risk. When it comes to, say, fire insurance, underwriters have a couple hundred years of data to use to predict with and, if anything, buildings are becoming safer. When it comes to cyber, realistically, underwriters have 5-10 years worth of relevant data and the risk factor is anything but safer.

Another factor is the new rule by Treasury that paying ransoms could land you a 20 year all-expenses-paid vacation in a federal “crossbar hotel”. Insurance companies tend to pay the ransom as the least expensive way to fix their problem. If they can’t do that, costs – and risk – go up.

The industry says that they need more incident data. The bad news is that more data will likely show more previously unreported events, making underwriters even more nervous.

What does that mean to you and me? It means that it may be harder to find coverage, the underwriting process may be more invasive, the premiums may be higher and the coverage may be more restrictive. Plan for it.

Finally, if your broker is not an expert in cyber coverage, you may not get the best advice. A broker who writes a couple of policies every now and then is not going to spend the time to learn enough to give you the best advice.

Credit: Health IT Security

Could America’s Healthcare Suffer a Similar Fate to Ireland’s

About ten days ago Ireland’s healthcare system was forced to shut down its computers due to a ransomware attack. Ireland’s health minister said the attack was having a severe impact on the health and social services.

In today’s healthcare world, having doctors and hospitals run without computers means no patient charts and a very labor intensive process to take care of emergencies. Many healthcare visits get cancelled.

BBC is reporting that there were actually two separate attacks. Because they have to figure out how deep the hackers burrowed into the network, it will take a while to recover. That will also depend on how good their backups are and how well they have planned for a situation like this. It also depends on how quickly they were able to contain it, so that maybe not every computer was infected.

The system has some 2,000 software applications to rebuild and as of a couple of days ago, some appointments are still being cancelled.

Unlike the Colonial Pipeline company or CNA insurance, Ireland says they are not paying the hackers. That might be an indication that after Not Petya, they started taking security more seriously and have better disaster recovery and business continuity plans.

Just to understand, this is the only safe way to recover from an attack – they are having experts build a completely new, separate network and rebuilding systems on that network. That is a huge amount of work. Some of these systems have been in use since the 1980s, so likely their security model is a bit old.

Could this happen in the U.S.?

Well, probably not, but maybe.

One thing that is different between the U.S. healthcare system and the healthcare system in Ireland is that in Ireland there is basically one healthcare system for the entire country. In the U.S. there are probably millions of separate healthcare systems – from individual doctors, to clinics, to private hospitals to public ones. Each one uses its own healthcare system.

BUT, there are common weaknesses. Many medical facilities have outsourced their systems to one of a few big providers. While these providers likely spend a lot of effort trying to protect their systems, they are a common weakness.

Going back to 2015, Epic, one of those shared health records systems, said that their software contained the records on 54% of Americans and 2.5% of patients worldwide. While they have a lot of competitors and even Epic doesn’t house all of those records in one system, that would be the one place to attack if you wanted to maximize the harm. Likely both Epic and the feds realize this.

So could an attack like what we saw in Ireland happen in the U.S.? It seems that is definitely possible. Hundreds of hospitals in the U.S. have already been hit by ransomware attacks and likely thousands of other medical practices have too – just more quietly.

Unfortunately, this is likely to get worse before it gets better.

What can help is getting better prepared. That is what, likely, allowed Ireland to flip hackers the bird.

It is also, likely, what forced CNA insurance to pay a $40 million ransom. Ransom demands are getting higher, so assume that whatever people paid last year is obsolete this year.

Are you prepared? Or are you hoping that you are lucky? Luck is not a strategy.

Credit: Metacurity, BBC, WSJ

Vaccine Passports

Talk about a political football, oh my.

Florida has passed a law outlawing them. Not sure that Florida is a bastion of privacy – just wants to stick it to certain folks.

But, if some other state or other company requires it, the law is meaningless. Let’s say, just making something up, that New York requires a vaccine passport to enter. Joe gets on a plane in Florida and when he arrives in New York, they say “Passport please”. Joe doesn’t have one and complains that Florida law makes that illegal. Joe now gets to get back on the plane and return to Florida. Foreign countries are unlikely to be moved by such a law in Florida.

But some lawyers are saying that even in Florida, such a law may be unenforceable – kind of an illegal law. I guess we have to wait for the courts to decide that one.

But one company has decided to capitalize on this.

CLEAR, the company that runs the fast lane at airports for folks that pay hundreds of dollars a year to go to the front of the line, has created a vaccine passport app. I don’t *think* there is a cost to the user for this one. That probably would not be popular. Businesses, on the other hand, are likely fair game.

Currently 60 stadiums and venues are deploying the CLEAR app, including the New York Mets and the San Francisco Giants. You can use paper proof, but the motivation is that CLEAR is faster.

It seems likely that CLEAR will store your data, probably including every time you use the app.

Privacy advocates are rightfully concerned about this.

United Airlines is already using the app in their LA to Hawaii flights since Hawaii has requirements for vaccines and/or negative tests.

Excelsior Pass is New York’s version of CLEAR. Built by IBM and only for New York residents, it is another competitor in what is going to be a crowded field.

Several European countries have built apps for access to transportation, gyms and even restaurants.

To use the CLEAR app, you take a picture of your driver’s license and upload it with a selfie. They then connect to hundreds of labs to look for results. Not sure what happens if your name is not in one of those databases.

I am sure that these apps are unhackable. That is certainly a valid concern, depending on how much data they keep.

This battle is far from over. It is not clear how it is going to turn out. On the other hand, you might be right, but still get your butt shoved back in an airplane seat to go home — at your cost — instead of starting your vacation, so you do have to consider whether that is a battle that you are willing to fight.

Also remember that getting in the face of airline personnel, border agents and police can get you thrown into jail, particularly in some foreign countries, but even in the U.S. This week an airline passenger on a Miami to New York flight had to be zip-tied by an off-duty cop after she assaulted a flight crew member. The passenger said that the cops weren’t going to do anything, just before they zip-tied her into her seat. She was arrested when the plane landed in New York and is being charged with several felonies. Credit: Yahoo

Credit: Cybernews and MSNBC

If Covid Doesn’t Get You then Cyber Bugs in Medical Devices May

Well if that isn’t depressing ….

Experts warn that medical-device security is a chronic problem, now exacerbated by COVID-era healthcare challenges. Hospitals have been forced to prioritize budgets and staffing to focus on lifesaving care – meaning that IT security often takes a back seat. Adding insult to injury, hackers are aware of this, and are also now capitalizing on these healthcare strains with a barrage of ransomware and phishing attacks and more.

Many hospitals and healthcare services were hit by ransomware in 2020. Universal Health Services was one of the larger ones with an attack paralyzing 400 facilities.

Right now, attacks on medical devices are rare, but think about it this way. If a hacker sends you an email that says “I have hacked your pacemaker (or insulin pump or whatever device) and if you don’t pay me x Bitcoin, I will turn it on/off/change the settings.” Would you pay the ransom?

One of the challenges is the medical device regulator itself. The FDA, like most government agencies, makes snails look agile. That might have been acceptable in 1848 when the FDA was founded, but not in 2021. Hackers don’t move at FDA speed. Hospitals and medical device makers are not even allowed to install patches to known, actively exploited bugs, in many cases, without FDA permission.

There are a number of steps that folks can take, like inventorying all of their medical devices and trying to get vendors to tell them what ingredients are in their devices.

An example of one IoT (called IoMT for Internet of Medical Things) defect is a bug called Ripple20. It is *thought* that Ripple20, a bug in the device’s Internet communications software, affects around 53,000 medical device models.

A study of 5 million Internet of medical things that lasted for a year found that 86 percent of healthcare deployments had more than 10 FDA recalls inside their network. Recalled IoMT devices can be considered either defective or posing a health risk, or both. Credit: Threatpost

HHS Proposes Changes to HIPAA Privacy Rule

As is often the case when the feds do something, there is probably at least one thing that is good in this notice of proposed rulemaking and probably others that are less good.

The HIPAA privacy rule is designed to protect the privacy of patient data, but other than stopping providers from selling your health information to the media, they already share it with most of the healthcare ecosystem anyway.

The only way to REDUCE (but not eliminate) the sharing of healthcare information is to pay cash and not make an insurance claim. Other than the rich, no one does this.

The Republican administration claims that this change will offer more flexibility for disclosures in cases such as opioid overdoses and Covid-19, but of course, these changes are not limited to that.

Among the changes they propose are:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Clarifying the form and format required for responding to individuals’ requests for their PHI.
  • Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
  • Reducing the identity-verification burden on individuals exercising their access rights.
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
  • Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
  • The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the “minimum necessary” standard. It would “relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations,” according to the proposed rule-making.

The goal, they say, is to allow your doctor to disclose your personal health information to the authorities (like social services), community based organizations (whatever they are) and other similar third party providers without having to ask your permission.

Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual,” according to the proposed rule.

But not to worry – you can sue your doctor, spend 5 years going through the court system and spend tens of thousands of dollars if you think your doctor didn’t have an (undefined term) “good faith belief”. How do you PROVE a lack of a belief in a doctor’s head?

There are probably some legitimate changes to be made to HIPAA. I am not sure that this is the list that I would propose. It seems like mostly it is designed to loosen restrictions on what the healthcare community can do with your digital health information without asking your permission or even telling you that they are doing it.

You can probably figure out what I think of these changes. Credit: Health Care IT News

FBI, Homeland Says Hospitals Under Cyberattack

I have gotten more notices on this particular alert than usual, so I suspect that means that there is more fire than anyone is admitting.

The FBI, Homeland Security and Health and Human Services issued a joint alert that hospitals and other public health organizations are being targeted by malware, especially ransomware. They are calling it an imminent threat. Security experts say that they are seeing chatter from the Russian cybercrime groups that say that they plan to deploy ransomware to 400 hospitals this week.

Just this week the Saint Lawrence Health System in upstate New York, Sky Lakes Medical Center in Oregon, The University of Vermont Health Network and several others have admitted that they have been attacked.

Mandiant says that they identified three attacks on Tuesday and one attack on Wednesday.

The result is that hospitals have to revert to paper-based systems.

That also means that they do not have access to patients’ charts, their medical history, online pharmacies, automated case file transcription and other typical hospital services.

Just what doctors and nurses need during a pandemic.

One result, many times, is that hospitals are forced to refuse ambulances. When that happens, ambulances need to find another hospital, typically further away. Recently, in Germany, the first ADMITTED case happened where a patient died as a result of being turned away at a hospital that had been hacked. The cops caught the hacker later and are threatening to charge him with MURDER.

In the FBI/DHS/CISA/HHS alert, they gave hospital IT and security teams details of what strings to add to their alerting systems. Which is great if a hospital, in the time of massive craziness, has the resources to do something with that information. And also, assuming that the malware doesn’t morph (it does). Large organizations with massive IT departments probably can, but medium size and smaller hospitals can’t.

When patients die, hospitals get sued. Also not great. During a pandemic or at any other time.

Let’s assume that you don’t run a hospital or other public health service – do you care? Or should you care?

The answer to this is yes because, especially in times like these, it stops these organizations from executing their mission and possibly, from saving your life. If they have to worry about how to manage patient records by hand rather than taking care of those patients, care suffers.

Every hospital will say – with a straight face – that in the case of a cyber attack, patient care doesn’t suffer, but think about this. If they could provide equally good care without all of those computers and software as with it, then why are they spending billions on those computers? It doesn’t make any sense.

Of course they have to say that – saying that patient care has suffered would open them up to even more lawsuits than the actual breach will, but still, if you or a loved one were to be hospitalized, you want that hospital to be operating with every tool that they have, not reverting to the way they did business in 1960.

And it doesn’t seem like the hacks are letting up, which will force them to divert money away from patient care and research to hiring folks like Mandiant – and they are not cheap. Brian Krebs has also written about this issue.