Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

“Shadow” Devices Expose Networks To New Threats

Posted on June 4, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new report by security vendor Infoblox suggests that threats posed by “shadow” personal devices connected to healthcare networks are getting worse.

The study, which looks at healthcare organizations in the US, UK, Germany, and UAE, notes that the average organization has thousands of personal devices connected to their enterprise network. Including personal laptops, Kindles and mobile phones.

Employees from the US and the UK report using personal devices connected to their enterprise network for multiple activities, including social media use (39%), downloading apps (24%), games (13%) and films (7%), the report says.

It would be bad enough if these pastimes only consumed network resources and time, but the problem goes far beyond that. Use of these shadow devices can open up healthcare networks to nasty attacks. For example, social media is increasingly a vector of malware infection, where bad actors launch attacks successfully urging them to download unfamiliar files.

Health IT directors responding to the study also said there were a significant number of non-business IoT devices connected to their network including fitness trackers (49%), digital assistants like Amazon Alexa (47%), smart TVs (46%), smart kitchen devices such as connected kettles of microwaves (33%) and game consoles such as the Xbox or PlayStation (30%).

In many cases, exploits can take total control of these devices, with serious potential consequences. For example, one can turn a Samsung Smart TV into a live microphone and other smart TVs could be used to steal data and install unwanted apps.

Of course. IT directors aren’t standing around and ignoring these threats and have developed policies for dealing with them. But the report argues that their security policies for connected devices aren’t as effective as they think. For example, while 88% of the IT leaders surveyed said their security policy was either effective or very effective, employees didn’t even know it was in effect in many cases.

In addition, 85% of healthcare organizations have also increased their cybersecurity spending over the past year, and 12% of organizations have increased it by over 50%. Most HIT leaders appear to be focused on traditional solutions, including antivirus software (60%) and cybersecurity investments (57%). In addition, more than half of US healthcare IT professionals said their company invests in encryption software.

Also, about one-third of healthcare IT professionals said the company is investing in employee education (35%), email security solutions and threat intelligence (30%). One in five were investing in biometric solutions.

Ultimately, what this report makes clear is that health IT organizations need to reduce the number of unauthorized personal devices connected to their network. Nearly any other strategy just puts a band-aid on a gaping wound.

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

Privacy Fears May Be Holding Back Digital Therapeutics Adoption

Posted on May 3, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Consumers were already afraid that their providers might not be able to protect the privacy of their health data. Given the daily news coverage of large data breaches and since the Facebook data scandal blew up, consumers may be even less likely try out new digital health approaches.

For example, a new study by innovation consultancy Enspektos has concluded that patients may be afraid to adopt digital therapeutics options. Many fear that the data might be compromised or the technology may subject them to unwanted personal surveillance.

Without a doubt, digital therapeutics could have a great future. Possibilities include technologies such as prescription drugs with embedded sensors tracking medication compliance, as well as mobile apps that could potentially replace drugs. However, consumers’ appetite for such innovations may be diminishing as consumer fears over data privacy grow.

The research, which was done in collaboration with Savvy Cooperative, found that one-third of respondents fear that such devices will be used to track their behavior in invasive ways or that the data might be sold to a third party without the permission. As the research authors note, it’s hard to argue that the Facebook affair has ratcheted up these concerns.

Other research by Enspektos includes some related points:

  • Machine-aided diagnosis is growing as AI, wearables and data analytics are combined to predict and treat diseases
  • The deployment of end-to-end digital services is increasing as healthcare organizations work to create comprehensive platforms that embrace a wide range of conditions

It’s worth noting that It’s not just consumers who are worried about new forms of hacker intrusions. Industry CIOs have been fretting as it’s become more common for cybercriminals to attack healthcare organizations specifically. In fact, just last month Symantec identified a group known as Orangeworm that is breaking into x-ray, MRI and other medical equipment.

If groups like Orangeworm have begun to attack medical devices — something cybersecurity experts have predicted for years — we’re looking at a new phase in the battle to protect hospital devices and data. If one cybercriminal decides to focus on healthcare specifically, it’s likely that others will as well.

It’s bad enough that people are worried about the downsides of digital therapeutics. If they really knew how insecure their overall medical data could be going forward, they might be afraid to even sign in to their portal again.

CES Really Scared Me. Will HIMSS Make Me Feel Any Better?

Posted on February 22, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Are Consumer Health Care Products Accurate & Safe Enough for Your Healthcare?

At CES, the monstrous electronics show, I saw lots of consumer devices advertised for personal fitness and healthcare. There was even a Digital Health Summit, with a wide range of industry experts.

Some companies were promoting their ability to send data to healthcare providers. That’s scary, since there are no standards governing many of these devices.

A clear message from CES is that the divisions between ‘technology’ and ‘devices’ are diminishing. Alexa, Google Home, and Siri, won’t be tied to stand-alone devices for long. They will be integrated into a wide range of consumer products across a home network, your car, portable devices, and the Internet. It’s not a big leap of the imagination to think that you will be telling Alexa, in your refrigerator, to reset the alarm clock in your bedroom, for an early meeting. And that Alexa will be telling you that you gained a pound, and send that data to your doctor.

Considering the recent news about Amazon getting into healthcare, with Warren Buffet and JP Morgan, it’s logical to think that Amazon will be delivering our healthcare along with our packages. Will you get a colonoscopy notification from Amazon because someone orders a 50th birthday card for you? (Will they only use lubricant if you have Prime? Ok, that might have been a little harsh.)

Loud and clear from CES is the consumerization of healthcare, and it’s scary.

Will data from your consumer products be accurate enough for a health care provider to form a professional opinion?

Will your devices be safe from hacking and interference?

Who will be liable if something bad happens to you because your data wasn’t accurate, or was delayed in transmission?

Should there be a government or industry-based organization setting standards and certifying devices?

ACCURACY

Valencell makes biometric sensor chips for companies to use in their consumer products. They displayed stylish brand-name smart watches that imbed their biometric-sensor chips.

Valencell’s President, Steven LeBoeuf, said that there are no standards for consumer heart monitors. His chips are voluntarily lab-tested and certified for accuracy. He said that some of their competitors’ products can confuse a person’s steps, as they are walking or running, as a heartbeat.

While that might not matter too much to a person casually checking their own vitals, what will happen if incorrect data is sent upstream to your healthcare provider?

This diagram, produced by iHealth, a company that makes ‘consumer-friendly, mobile personal healthcare products that connect to the cloud’, clearly shows their expectation that your data will be communicated to hospitals.

iHealth aptly describes this as a Systematic Framework. Think about how many vendors will be involved in the system. Device manufacturers, chip manufacturers, software designers, programmers, computer companies, communication networks, Internet service providers, cloud services, and more, all before data gets to the hospital.

What if there is a failure? What happens to you if your healthcare is depending on a consumer device? Who is responsible for the security and accuracy of the data through the system? Wanna bet that everyone will be pointing their finger at someone else?

SAFETY

What will protect you from your devices? There are an increasing numbers of stories of consumer products and autonomous cars – the Internet of Things (IoT) – being hacked.

In August, 2017, the FDA issued a warning that a pacemaker was vulnerable to hackers who could remotely kill the battery or modify the performance of the pacemaker. Killing the battery could kill the patient. Remember that this recall occurred because a pacemaker is a medical device governed by the FDA, which doesn’t govern consumer healthcare products.

The Equifax breach, the Spectre and Meltdown flaws in computer microchips, and hackers hijacking baby monitors and surveillance cameras, all show the importance of being able to apply software and firmware patches and updates.

It took a long time for the government to require car companies to recall vehicles for safety problems. How many people will be hurt, or die, before consumer health care products get regulated?

LIABILITY

At CES, AIG Insurance presented this graphic of survey results showing who is liable for a driverless vehicle crash.

Imagine personal injury attorneys salivating over consumer health care product failures. Imagine new types of insurance coverage – or new types of policy exceptions – related to managing healthcare based on consumer product data.

STANDARDS & REGULATIONS

What’s the difference between a medical device and a consumer health care product? What defines a heart monitor? How accurate is a scale? How will a consumer health care product receive security patches? How will consumers be notified their health care products aren’t safe?

Do we want the federal government involved? In 1966, the National Traffic and Motor Vehicle Safety Act required auto manufacturers to notify the government and consumers of safety defects, and recall vehicles. Could our dysfunctional Congress ever agree on a plan to regulate consumer health care products?

What about the industry policing itself? At his annual briefing at CES, electronics industry veteran Shelly Palmer made his case for a Self-Regulatory Organization (SRO) to create and enforce standards to protect consumers from risks associated with the Internet of Things.

The model for this could be PCI-DSS, the Payment Card Industry Data Security Standards, that govern organizations that accept and process credit cards. This standard is self-regulated by a council founded by the credit card companies, and is not overseen by federal or state agencies. It covers credit card processing from end-to-end, from certifying the swipe device on the store’s counter all the way through the merchant processors and banks.

According to its website, the council “provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

If you are a healthcare professional, isn’t this the level of integrity and security you want for consumer products sending patient data to you?

Who would take on the responsibility, not to mention the liability, of policing consumer products sending data to healthcare organizations? The Consumer Technology Association (CTA), or the Health Information Management Systems Society (HIMSS)?

Will it take a disaster for us to find out?

Maybe I will find some answers at the HIMSS health IT conference. I sure hope so.

Happtique Halts Mobile Health App Certification

Posted on December 20, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’ve written a number of articles over the years about Happtique. Much like I railed against the meaningless CCHIT certification, I felt that Happtique was the same as CCHIT but for mobile health. I was partially comforted by the criteria that came out because they were so general and broad. They were still meaningless, but I felt they could have been much worse. Either way, I don’t think a certification has any value when it comes to mHealth. They don’t know how or can’t measure the right things.

As the tweet above mentions, Happtique as halted their app certification after a developer revealed a number of major security holes in 2 of the Happtique certified apps.

The blog posts on the developer site are well worth the read. The thing that stood out to me was how the security issues were very simple security practices. It wasn’t like the developer used some complex hack to find the security holes. The passwords were stored in plain text. I mean really? They didn’t use any encryption in transit. Amazing!

Of course all this reminds me of all the HIPAA breaches we hear about where a laptop wasn’t encrypted. There are at least a few things in healthcare that should be considered no brainer decisions. Encryption is one of them.

Hopefully a number of good things will come out of this situation. First, people won’t trust a mobile health certification. Second, mobile health developers will see that they need to take security and privacy more seriously.

I created a little poll for you to share your thoughts on mobile health app certifications. Plus, feel free to pontificate in the comments.