Category Archives: Healthcare

Healthcare related posts

Covid-19 Does NOT Mean No Ransomware

Three separate ransomware stories – all against healthcare organizations, even though SOME hackers SAID they weren’t going to hack healthcare. Of course, what makes you think you can trust folks who break the law for a living?

#1 – Largest Private Hospital Company in Europe Hit By Ransomware

Fresenius is Europe’s largest hospital operator and a major provider of dialysis equipment and services. The company said that the hack has “limited some of its operations but that patient care continues.”

You can’t expect them to say anything different, but the parts of its operations that are limited are likely those that use computers. Which is pretty much everything.

They have four business units – kidney patient care, operating hospitals, pharmaceutical provider and facilities management. I am sure that none of those depend on those ransomed computers.

Fresenius employs nearly 300,000 people.

To make matters worse, the particular malware, SNAKE, targets Internet of Things devices. None of those in your average hospital.

SNAKE is one of the family of ransomware 2.0 hacks that threaten to publish your private data if you don’t pay up – so backups are not a complete defense from these attacks. Credit: Brian Krebs

#2 and #3 – Two other Ransomware 2.0 attacks went after plastic surgery clinics.

One was Dr. Kristin Tarber’s clinic in Bellevue, Washington.

There the hackers published patient medical histories.

The other is in Nashville, TN and attacked the Nashville Plastic Surgery Institute D/B/A Maxwell Aesthetics. There the hackers stole patient history data, health insurance info, surgery info and other information.

I haven’t seen the stolen/published data from these hacks, but in other plastic surgery hacks, they have published photos of plastic surgery of body parts that are not usually exposed, if you get what I mean.

The challenge for the healthcare industry is that the insurance companies and government reimbursements are really reducing margins.

Until the folks that control their reimbursements decide that getting shut down for weeks or operating off paper charts with no visibility to patient history is not a good thing, expect there to be a lot more breaches.

For the hackers, this is very lucrative. I would not be surprised if this is a revenue stream for North Korea.

I definitely feel for the healthcare providers. They want to do the right thing, but they don’t have the money.

This year the Department of Defense, which has had its own problems with hackers, decided that security is not optional and will actually reimburse defense contractors for the costs of implementing security.

The healthcare industry hasn’t gotten there yet. Hopefully it will. Otherwise, expect your medical information to be available for sale on the web. Credit: SC Magazine

Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing their doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line.  Source: Security Week

 

Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor that has been banned for use by the US government, reported a new malware attack that bypasses encryption on a user’s PC using a very novel technique.  Rather than crack the crypto, the attack compromises the random number generator on the computer, affecting the crypto algorithm and making the encryption easy to break.  Very creative.  Source: The Register

 

vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that took down Comodo, the developers of vBulletin have released even more patches.  This time it is a remote code execution (RCE) flaw and two SQL injection (SQLi) attacks.  vBulletin runs on at least 100,000 web sites.  While these vulnerabilities are not as bad as last week’s, you should patch them soon.  Source: The Hacker News.

 

Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family, and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.

 

Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from Defcon that every one of the voting machines that they tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes.  Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says.  Colorado’s voting machine vendor, Dominion, has agreed to provide a software upgrade for free that will print out darkened circles next to the vote instead.  Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election.  Now that Dominion has agreed to provide the software upgrade for free, other states will likely follow.  Source: CNN.

FDA Issues Medical Device Warning – But They Are Not Sure for What

Well that makes me feel a whole lot better.

The FDA says that devices that use the decades-old IPNet software are vulnerable to hacking, but they are not sure what devices that may include.  Possibly insulin pumps.  Maybe pacemakers.

They also don’t know how many devices are affected.

Given that, I am not sure what use the warning is, other than to make people who use medical devices or have them implanted, worry.

They do say that they have identified 11 vulnerabilities that allow hackers to take over these devices.

The FDA also says that the bugs allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

The FDA is working with device makers, but they say that the problem is complicated.

Well, actually, it is pretty simple, but we are talking about the government, after all.

The concept is called SOFTWARE BILL OF MATERIALS.

Think of a home appliance such as a toaster.  The bill of materials for a toaster might include a heating element or two, a timer, a glass door, a display, etc.

In the software world, a software bill of materials means a list of every piece of third party software that is used in the system that is delivered.

At one point in time, things were made out of hardware.  Now, virtually everything contains software.

Manufacturers don’t want to have to produce Bills of Materials because it tells competitors what is inside and they have to upgrade the document when they make changes.

As long as customers don’t demand bills of materials, vendors are not going to produce them and make them available.

Occasionally, not knowing what is in the software you use can cause problems.  Perhaps you have heard of a small breach at Equifax?  Because they did not realize that Apache Struts was used on a particular server, that server wasn’t completely patched.  And the rest is history.

The Department of Defense is looking at making software bills of materials a required deliverable on defense contracts.

If you as a customer know that a system that you use contains a particular software library or module, then you can proactively watch to see if that software has been updated.  You probably will have to contact the vendor at that point to get an upgrade, but at least you can ride herd on the vendor.

In the case of medical devices, things are way simpler.  Since vendors have to submit paperwork to the FDA to get devices approved, the FDA **COULD** require those vendors to provide a bill of materials.  Then that data could be entered into a database and easily searched, avoiding warnings like this one.

But, we are talking about the government, so do not hold your breath.  Source: CNBC
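The searchable database described above could work along these lines. This is an added example, not code from the FDA or any vendor; it assumes each device filing carries an SBOM in a CycloneDX-style JSON layout, and the device names, the ExampleRTOS name and all version numbers are constructed for illustration.

```python
import json

# Constructed sample data: four device filings in a CycloneDX-style JSON layout.
# Device names, the RTOS name and every version number are invented.
REGISTRY_JSON = """
[
 {"metadata": {"component": {"name": "Example Infusion Pump A"}},
  "components": [
    {"name": "ExampleRTOS", "version": "6.5",
     "components": [{"name": "IPnet", "version": "6.5"},
                    {"name": "zlib", "version": "1.2.3"}]}]},
 {"metadata": {"component": {"name": "Example Patient Monitor B"}},
  "components": [{"name": "ipnet", "version": "7.0"},
                 {"name": "openssl", "version": "1.0.2"}]},
 {"metadata": {"component": {"name": "Example Glucose Meter C"}},
  "components": [{"name": "lwIP", "version": "2.1.2"}]},
 {"metadata": {"component": {"name": "Example Pacemaker Programmer D"}}}
]
"""


def walk(components, parents=()):
    """Yield (component, parent_names) for every component, however deeply nested."""
    for comp in components or []:
        yield comp, parents
        # A network stack is often bundled inside an operating system, so recurse.
        yield from walk(comp.get("components"), parents + (comp["name"],))


def search_registry(sboms, wanted):
    """Return (hits, unknown): devices listing `wanted`, and devices with no component list."""
    hits, unknown = [], []
    for bom in sboms:
        device = bom["metadata"]["component"]["name"]
        if "components" not in bom:
            unknown.append(device)  # nothing filed, so the device cannot be cleared
            continue
        for comp, parents in walk(bom["components"]):
            if comp["name"].lower() == wanted.lower():
                via = " > ".join(parents) or "direct"
                hits.append((device, comp.get("version", "?"), via))
    return hits, unknown


if __name__ == "__main__":
    hits, unknown = search_registry(json.loads(REGISTRY_JSON), "IPnet")
    for device, version, via in hits:
        print(f"AFFECTED  {device}: IPnet {version} (via {via})")
    for device in unknown:
        print(f"UNKNOWN   {device}: no component list on file")
```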

 

 

 

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, whose software they were using.

The former employee accessed the data twice, two months apart, but didn’t appear to do anything evil with it.

The medical center had to enter into a corrective action program that included improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, to fine someone for not having a BAA with a company like Google indicates that they definitely want people to obey the process, without regard to there being significant risk (on the part of Google).  After all, Google probably has security as good as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.

 

 

The End of Fax Machines? Well Maybe. Why? Insecurity!

Seema Verma, the administrator of the Center for Medicare and Medicaid Services at the Department of Health and Human Services wants fax machines out of doctor’s offices by 2020.


She wants them out of doctor’s offices because they are not cool.  She wants to replace them with super-non-secure apps for your phone that are way cool, but even less secure than that crappy fax machine.

She says that physicians are stuck in the 1990s, hence their use of fax machines, I guess.  She says that doctors are still taking notes on paper (not any doctor that I use, but I am sure there are some).  This is causing physician burnout.  Ask a physician about what is causing burnout – #1 is dealing with CMS and insurance companies and #2 is having to use those really bad apps that have already been developed, Seema.

I guess she never heard of the breaches of all of the different Blue Cross affiliates a few years ago.  I am sure that if we collect all of that healthcare data in poorly written apps, no one will ever hack those repositories.  After all, what could go wrong?

We do have to remember that she is required to be a cheerleader for whatever the administration in power wants, so take all this with a grain of salt.

HOWEVER, it is fair to look at fax machines.

WHY do people still use them?  Because they are ubiquitous.  They are everywhere.  In Japan, something like a third of the private households have fax machines.  That is a feat that very few countries can match, but almost every business has a fax number (actually, we do not!).

One reason that people use them is that they are SECURE.  I am not sure what illegal substance the person who came up with that idea was ingesting, but they were not sharing.

Anyone ever get a fax that was not destined for them?

Anyone ever get a fax not destined for them that contained sensitive information?  VERY sensitive information?

Anyone ever see that sensitive fax just sitting on the fax machine?

Anyone ever see something on the fax machine, look at it, decide it was not for them and read it anyway?

How many people have a fax number that is tied to an electronic fax service like eFax or Concord fax?

So, the sender sends a fax to be secure.  Manages to dial the right number.  Sends the fax to some third party with unknown security.  Who takes that fax and sends it to you in an email.

WHY NOT JUST EMAIL IT IN THE FIRST PLACE?  THAT WOULD BE CHEAPER, FOR SURE, AND, GIVEN THERE ARE A LOT FEWER MOVING PARTS, PROBABLY MORE SECURE, TOO.

To be fair, some fax services offer secure fax where they send you an email that you have a fax and then you have to log in and download it.  AND THEN YOU FORWARD THAT FAX VIA EMAIL TO YOUR COWORKERS.

Do you see a problem here?

Bottom line is faxes are not secure and should not be perceived to be secure.

So what is there to do?

First of all, if you are using faxes because email is not secure, do not use a fax to email service.

If you are using a fax to email service, you need to do a security risk assessment on the service provider.  IF YOU ARE A DOCTOR OR OTHER HEALTHCARE PROVIDER, THAT FAX SERVICE IS A BUSINESS ASSOCIATE UNDER HIPAA REGULATIONS AND YOU NEED TO HAVE A SIGNED AND AUDITED BAA WITH THAT SERVICE PROVIDER.  If the service provider won’t sign the BAA, you are breaking the law and risking a fine by using them!

Again, if you have to use fax to email, use a service that offers a secure mailbox that allows you to download the fax over an encrypted channel.

If you are using one of those old fashioned fax machines, make sure that the inbound faxes can be secured until picked up by the RIGHTFUL owner.

If you are using one of those new fangled multi-purpose print/copy/fax machines, understand those machines have a hard disk in them (except for the very cheapest ones) and must be disposed of securely at the end of the lease or when ready to be discarded.  Higher end machines have hard disks that can be removed by a technician and given to you to shred (yes, really).  Lower end ones are not designed that way and you may wind up destroying the machine to get the disk out.  But do that anyway.

A much better way to deal with the problem is to create a SECURE web portal to replace that fax machine.  Remember the goal is not to replace one insecure technology with another insecure technology.

By the way, IF THE PORTAL IS HOSTED, THEY ARE STILL A HIPAA BUSINESS ASSOCIATE.  Sorry!

If all of this gives you a headache, contact us to help you sort this out.

Source: Healthcare IT News

 

 

Have You Planned For Cloud Outages?

Allscripts, the $1.5 billion medical technology and services firm, hosts a number of cloud based applications that doctors and hospitals use to run their operations.  Hancock Health, which I wrote about on Monday, is one of their clients according to HealthcareITNews.  About a week ago Allscripts was hit with a ransomware attack caused by the malware called SamSam.

After the attack Allscripts did what too many companies do and tried to pretend that it wasn’t a big problem, that it wasn’t affecting many people and that it wasn’t a big deal.

A week later Allscripts applications are still not working right.

Doctors can get to the login screen, but they can’t actually log in.

This means that they can’t get to patient records and can’t bill insurance carriers.

Allscripts, in a continuing denial of reality, said that the system was back up but doctors still couldn’t log in.

Doctors are freaking out a bit because they are losing revenue and cannot take care of patients.  Other than that, it isn’t a problem.

It appears that today, Allscripts is finally admitting that they have a big problem.

If you run a doctor’s office or hospital and are an Allscripts client, this is a big problem for you.

Whether you are an Allscripts client or not, here are a couple of things to consider:

  • What is your business continuity plan if your cloud provider has an outage?  For an hour?  For a day?  For a week?
  • Do you have a Service Level Agreement with your cloud provider in case of an outage?  Are the penalties sufficient to compensate you for your losses or are they basically meaningless?
  • Do you have cyber risk insurance?  If you do, does it cover business interruptions (BI)?  Often BI has a waiting period before coverage kicks in.  Sometimes it is as long as 12 or 24 hours.  Is your BI coverage appropriate for your business needs?

Hopefully this attack is not affecting you, but whether it is or it is not affecting you, now is a great time to make sure that you are as prepared as you can be.

And, even if your cloud service provider is yourself (AKA Amazon, Google, Microsoft, Rackspace or the like), the problem is the same.

Information for this post came from FierceHealthcare, Healthcare IT News, Healthcare IT News, again and FierceHealthcare, again.