Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Nuance Takes Page from Healthcare Clients in Petya Outage Aftermath

Posted on November 6, 2017 I Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

On June 27th the Petya Malware (or NotPetya or ExPteya) struck Nuance Communications (NASDAQ: NUAN). For days the company’s eScription speech-recognition platform were unavailable, forcing thousands of healthcare clients to find alternatives for their medical transcription. During the crisis and in the weeks that followed, Nuance borrowed a page from their healthcare clients: not offering false hope and deconstructing the incident to learn from it.

At the recent CHIME Fall Forum in San Antonio Texas, I had the opportunity to sit down with Brenda Hodge, Chief Marketing Officer – Healthcare and Ed Rucinski, Senior Vice President of World Wide Healthcare Sales of Nuance to talk about the Petya outage and where the company is headed.

“The challenge we faced with Petya brought us all together as a company,” explained Ed. “When our systems went offline, the entire organization rallied together. We had engineers and support staff who slept at the office on couches and cots. We had developers who went with less than 2hrs of sleep for 4 days straight because they wanted to help clients and bring our systems back online as quickly as possible. We became a nameless and rank-less organization working towards a common goal.”

As the outage went from minutes to hours to days, Nuance resisted the temptation to offer false hope to its clients. Instead, the company opted to be truthful and transparent. Nuance sent emails and directly called clients to let them know they had suffered a cyber attack, that the full extent of the damage was not known and that they did not know when their systems would be back online. The company did, however, commit to providing regular updates and being available to answer questions and address concerns.

The following is an abbreviated excerpt from a Nuance communication posted online by one of its clients:

Nuance corporate systems were unfortunately affected by a global cyber attack today. We went into immediate security protocol by shutting down our hosted production systems and platforms. There is no update at this time as to when the accounts will be back online but we will be holding regular calls throughout the day and night to gain insight into the timeline for resolution and I will update you again when I have more info. We are sorry for the inconvenience this outage has caused and we are working diligently to get things back online.

Clinicians are coached never to give patients in crisis or their families false hope. They calmly explain what happened, state the facts and talk about potential next steps. They do not, however, say that “things will be alright”, even though they know that is what everyone desperately wants to hear. Nuance used this same protocol during the Petya outage.

The company also used protocols similar to those used following an adverse event.

Healthcare is complex and despite the best efforts and best intentions of care teams, errors occur. These errors are referred to as adverse events. Adverse events that impact patient safety or that cause actual harm to patients are thoroughly documented, deconstructed and analyzed by clinical leaders as well as risk managers. The lessons gleaned from these unfortunate events are captured and used to improve operations. The goal is to prevent or mitigate the impact of similar events in the future.

After their systems were fully restored, the Nuance team embarked on a thorough review of the incident – from technical procedures to client communication protocols.

“We learned a lot through this incident” says Hodge. “We got a first-hand education on how sophisticated malware has become. We’ve gone from viruses to malware to ransomware to coordinated nation-state attacks. That’s what Petya really is – a coordinated attack on company infrastructure. Now that we have been through this type of attack, we have put in new processes and technologies to prevent similar attacks in the future. Most importantly we have made investments in improving our response to these types of attacks.”

Nuance has gone one step further. They have committed to sharing their painful lessons learned with other companies and healthcare institutions. “Like it or not, we are all in this together”, continued Hodge. “The Petya attack came on the heels of the WannaCry ransomware attack that impacted many of our healthcare clients – so there was a lot of empathy from our clients. In fact this whole incident has created a sense of solidarity in the healthcare technology community. Cyber attacks are not going to stop and we need to come together as an industry so that we are as prepared as we can be for the next one.”

“It’s unfortunate that it took an incident like this to show us what we are made of,” says Rucinski. “We had executives making coffee and fetching lunch for the support teams. We had leaders offering to run errands for staff because they knew they were too tired to keep up with those types of things. In the end we found out we truly embody the values and principles that we have hanging on posters around the office.”

Health IT Continues To Drive Healthcare Leaders’ Agenda

Posted on October 23, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

A new study laying out opportunities, challenges and issues in healthcare likely to emerge in 2018 demonstrates that health IT is very much top of mind for healthcare leaders.

The 2018 HCEG Top 10 list, which is published by the Healthcare Executive Group, was created based on feedback from executives at its 2017 Annual Forum in Nashville, TN. Participants included health plans, health systems and provider organizations.

The top item on the list was “Clinical and Data Analytics,” which the list describes as leveraging big data with clinical evidence to segment populations, manage health and drive decisions. The second-place slot was occupied by “Population Health Services Organizations,” which, it says, operationalize population health strategy and chronic care management, drive clinical innovation and integrate social determinants of health.

The list also included “Harnessing Mobile Health Technology,” which included improving disease management and member engagement in data collection/distribution; “The Engaged Digital Consumer,” which by its definition includes HSAs, member/patient portals and health and wellness education materials; and cybersecurity.

Other hot issues named by the group include value-based payments, cost transparency, total consumer health, healthcare reform and addressing pharmacy costs.

So, readers, do you agree with HCEG’s priorities? Has the list left off any important topics?

In my case, I’d probably add a few items to list. For example, I may be getting ahead of the industry, but I’d argue that healthcare AI-related technologies might belong there. While there’s a whole separate article to be written here, in short, I believe that both AI-driven data analytics and consumer-facing technologies like medical chatbots have tremendous potential.

Also, I was surprised to see that care coordination improvements didn’t top respondents’ list of concerns. Admittedly, some of the list items might involve taking coordination to the next level, but the executives apparently didn’t identify it as a top priority.

Finally, as unsexy as the topic is for most, I would have thought that some form of health IT infrastructure spending or broader IT investment concerns might rise to the top of this list. Even if these executives didn’t discuss it, my sense from looking at multiple information sources is that providers are, and will continue to be, hard-pressed to allocate enough funds for IT.

Of course, if the executives involved can address even a few of their existing top 10 items next year, they’ll be doing pretty well. For example, we all know that providers‘ ability to manage value-based contracting is minimal in many cases, so making progress would be worthwhile. Participants like hospitals and clinics still need time to get their act together on value-based care, and many are unlikely to be on top of things by 2018.

There are also problems, like population health management, which involve processes rather than a destination. Providers will be struggling to address it well beyond 2018. That being said, it’d be great if healthcare execs could improve their results next year.

Nit-picking aside, HCEG’s Top 10 list is largely dead-on. The question is whether will be able to step up and address all of these things. Fingers crossed!

Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data

Posted on July 27, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).

Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.

The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation and hybrid environments.  (In other words, the following stats are interesting, but keep your bias alert on.)

Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.

What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.

To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.

So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.

That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percent of employees actually packaging data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.

Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.

One Hospital Faces Rebuild After Brutal Cyberattack

Posted on July 20, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Countless businesses were hit hard by the recent Petya ransomware attack, but few as hard as Princeton, West Virginia-based Princeton Community Hospital. After struggling with the aftermath of the Petya attack, the hospital had to rebuild its entire network and reinstall its core systems.

The Petya assault, which hit in late June, pounded large firms across the globe, including Nuance, Merck, advertiser WPP, Danish shipping and transport firm Maersk and legal firm DLA Piper.  The list of Petya victims also includes PCH, a 267-bed facility based in the southern part of the state.

After the attack, IT staffers first concluded that the hospital had emerged from the attack relatively unscathed. Hospital leaders noted that they are continuing to provide all inpatient care and services, as well as all other patient care services such as surgeries, therapeutics, diagnostics, lab and radiology, but was experiencing some delays in processing radiology information for non-emergent patients. Also, for a while the hospital diverted all non-emergency ambulance visits away from its emergency department.

However, within a few days executives found that its IT troubles weren’t over. “Our data appears secure, intact, and not hacked into; yet we are unable to access the data from the old devices in the network,” said the hospital in a post on Facebook.

To recover from the Petya attack, PCH decided that it had to install 53 new computers throughout the hospital offering clean access to its Meditech EMR system, as well as installing new hard drives on all devices throughout the system and building out an entirely new network.

When you consider how much time its IT staff must’ve logged bringing basic systems online, rebuilding computers and network infrastructure, it seems clear that the hospital took a major financial blow when Petya hit.

Not only that, I have little doubt that PCH faces doubts in the community about its security.  Few patients understand much, if anything, about cyberattacks, but they do want to feel that their hospital has things under control. Having to admit that your network has been compromised isn’t good for business, even if much bigger companies in and outside the healthcare business were brought to the knees by the same attack. It may not be fair, but that’s the way it is.

That being said, PCH seems to have done a good job keeping the community it serves aware what was going on after the Petya dust settled. It also made the almost certainly painful decision to rebuild key IT assets relatively quickly, which might not have been feasible for a bigger organization.

All told, it seems that PCH survived Petya successfully as any other business might have, and better than some. Let’s hope the pace of global cyberattacks doesn’t speed up further. While PCH might have rebounded successfully after Petya, there’s only so much any hospital can take.

E-Patient Update: Reducing Your Patients’ Security Anxiety

Posted on March 31, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Even if you’re not a computer-savvy person, these days you can hardly miss the fact that healthcare data is a desirable target for cyber-criminals. After all, over the past few years, healthcare data breaches have been in the news almost every day, with some affecting millions of consumers.

As a result, many patients have become at least a bit afraid of interacting with health data online. Some are afraid that data stored on their doctor or hospital’s server will be compromised, some are afraid to manage their data on their own, and others don’t even know what they’re worried about – but they’re scared to get involved with health data online.

As an e-patient who’s lived online in one form or another since the 80s (anyone remember GEnie or Compuserve?) I’ve probably grown a bit too blasé about security risks. While I guard my online banking password as carefully as anyone else, I don’t tend to worry too much about abstract threats posed by someone who might someday, somehow find my healthcare data among millions of other files.

But I realize that most patients – and providers – take these issues very seriously, and with good reason. Even if HIPAA weren’t the law of the land, providers couldn’t afford to have patients feel like their privacy wasn’t being respected. After all, patients can’t get the highest-quality treatment available if they aren’t comfortable being candid about their health behaviors.

What’s more, no provider wants to have their non-clinical data hacked either. Protecting Social Security numbers, credit card details and other financial data is a critical responsibility, and failing at it could cost patients more than their privacy.

Still, if we manage to intimidate the people we’re trying to help, that can’t be good either. Surely we can protect health data without alienating too many patients.

Striking a balance

I believe it’s important to strike a balance between being serious about security and making it difficult or frightening for patients to engage with their data. While I’m not a security expert, here’s some thoughts on how to strike that balance, from the standpoint of a computer-friendly patient.

  • Don’t overdo things: Following strong security practices is a good idea, but if they’re upsetting or cumbersome they may defeat your larger purposes. I’m reminded of the policy of one of my parents’ providers, who would only provide a new password for their Epic portal if my folks came to the office in person. Wouldn’t a snail mail letter serve, at least if they used registered mail?
  • Use common-sense procedures: By all means, see to it that your patients access their data securely, but work that into your standard registration process and workflow. By the time a patient leaves your office they should have access to everything they need for portal access.
  • Guide patients through changes: In some cases, providers will want to change their security approach, which may mean that patients have to choose a new ID and password or otherwise change their routine. If that’s necessary, send them an email or text message letting them know that these changes are expected. Otherwise they might be worried that the changes represent a threat.
  • Remember patient fears: While practice administrators and IT staff may understand security basics, and why such protections are necessary, patients may not. Bear in mind that if you take a grim tone when discussing security issues, they may be afraid to visit your portal. Keep security explanations professional but pleasant.

Remember your goals

Speaking as a consumer of patient health data, I have to say that many of the health data sites I’ve accessed are a bit tricky to use. (OK, to be honest, many seem to be designed by a committee of 40-something engineers that never saw a gimmicky interface they didn’t like.)

And that isn’t all. Unfortunately, even a highly usable patient data portal or app can become far more difficult to use if necessary security protections are added to the mix. And of course, sometimes that may be how things have to be.

I guess I’m just encouraging providers who read this to remember their long-term goals. Don’t forget that even security measures should be evaluated as part of a patient’s experience, and at least see that they do as little as possible to undercut that experience.

After all, if a girl-geek and e-patient like myself finds the security management aspect of accessing my data to be a bummer, I can only imagine other consumers will just walk away from the keyboard. With any luck, we can find ways to be security-conscious without imposing major barriers to patient engagement.

Wide Ranging Impact of A Healthcare Cybersecurity Attack

Posted on March 8, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

David Chou recently shared this amazing graphic of the “above the surface” and “beneath the surface” impacts from cyber attacks. The above the surface attacks are those that are better know costs related to an incident. The beneath the surface attacks are the less visible or hidden costs of a cyber attack.

Which of these impacts concerns you most?

If this list of 14 impacts on your organization isn’t enough to wake you up to the importance of cybersecurity, then there isn’t much hope. However, most of the CIOs I’ve seen are well aware of this and it’s why it keeps them up at night.

Healthcare Robots! – #HITsm Chat Topic

Posted on January 31, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 2/3 at Noon ET (9 AM PT). This week’s chat will be hosted by Mr RIMP (@MrRimp, Robot-In-My-Pocket), mascot of the first ever #HIMSS17 Innovation Makerspace! (Booth 7785) (with assistance from @wareflo) We’ll be discussing the topic “Healthcare Robots!” and so it seems appropriate to have a robot hosting the chat.

In a first, #HIMSS17 has a #makerspace (Booth 7785), in the HIMSS17 Innovation Zone. It has robots! They are rudimentary, but educational and fun. One of those robots is @MrRIMP, for Robot-In-My-Pocket. Here is an YouTube interview with @MrRIMP. As you can tell, little Mr. R. has a bit of an attitude. He also wrote the questions below and will moderate tweets about them during the #HITsm tweetchat.

From the recent “How medical robots will change healthcare” (@PeterBNichol), there are three main areas of robotic health:

1. Direct patient care robots: surgical robots (used for performing clinical procedures), exoskeletons (for bionic extensions of self like the Ekso suit), and prosthetics (replacing lost limbs).  Over 500 people a day loses a limb in America with 2 million Americans living with limb loss according to the CDC.

2. Indirect patient care robots: pharmacy robots (streamlining automation, autonomous robots for inventory control reducing labor costs), delivery robots (providing medical goods throughout a hospital autonomously), and disinfection robots (interacting with people with known infectious diseases such as healthcare-associated infections or HAIs).

3. Home healthcare robots: robotic telepresence solutions (addressing the aging population with robotic assistance).

Before the #HITsm tweetchat I hope you’ll watch Robot & Frank, about a household robot and an increasingly infirm retiree (86% on Rotten Tomatoes, available on YouTube, Amazon, Itunes, Vudu, and Google for $2.99) I’ll also note a subcategory to the direct care robots: pediatric therapy robots. Consider, for example, New Friends 2016, The Second International Conference on Social Robots in Therapy and Education. I, Mr. RIMP, have a special interest in this area.

Join us as we discuss Healthcare Robots during the February 3rd #HITsm chat. Here are the questions we’ll discuss:

T1: What is your favorite robot movie? Why? How many years in the future would you guess it will take to achieve similar robots? #HITsm

T2: Robots promise to replace a lot of human labor. Cost-wise, humanity-wise, will this be more good than bad, or more bad than good? #HITsm

T3: Have you played with, or observed any “toy” robots. Impressed? Not impressed? Why? #HITsm

T4: IMO, “someday” normal, everyday people will be able design and program their own robots. What kind of robot would you design for healthcare? #HITsm

T5: Robots and workflow? Connections? Think about healthcare robots working *together* with healthcare workers. What are potential implications? #HITsm

Bonus: Isn’t @MrRIMP (Robot-In-My-Pocket) the cutest, funniest, little, robot you’ve ever seen? Any suggestions for the next version (V.4) of me? #HITsm

Here’s a look at the upcoming #HITsm chat schedule:
2/10 – Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually
Hosted by Steve Sisko (@HITConfGuy and @shimcode)

2/17 – Enough talk, lets #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Key Components of #HealthIT Strategy and Disaster Recovery – #HITsm Chat Topic

Posted on January 24, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 1/27 at Noon ET (9 AM PT). This week’s chat will be hosted by Bill Esslinger (@billesslinger) from @FogoDataCenters on the topic of “Key Components of Health IT Strategy and Disaster Recovery“.

Medical records are worth more on the Black Market than credit cards. The value is greater because a medical record contains multiple credentials that can be used by hackers more than once or twice. A medical record contains not only a social security number but additional qualifying information, allowing thieves to penetrate layers of data, and conduct multiple acts of fraud before the data is even missing.

As healthcare organizations embark on the improved use of data sets, from analytics to precision medicine and value based care, Cybersecurity rises to the number one concern for CIO’s.

How secure is your cloud based data strategy?

Consideration must be given to the different models of service

With each delivery model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), comes a new set of requirements and responsibilities. The key considerations for deployment and ongoing data management include on-demand 24/7 access to critical healthcare information, support for big data and small data sets, traceability, HIPAA compliance and a thorough understanding of the healthcare environment from both a security and a legal perspective.

Join us as we discuss Key Components of #HealthIT Strategy and Disaster Recovery during the January 27th #HITsm chat.

T1: How can we prepare for the unexpected in data security? #HITsm

T2: Are we making Cybersecurity a priority in risk management? #HITsm

T3: Is Your Prevention Strategy Scalable for a Ransomware Attack? #HITsm

T4: What are the top threats regarding healthcare data today? #HITsm

T5: What Service Levels are Necessary for Redundancy in Data, Power, Cooling, and Connectivity? #HITsm

Bonus: Do you worry about the security of your health information? Why or why not? #HITsm

About Fogo Data Centers
Fogo Data Centers are SSAE16, SOCII, and HIPAA compliant as well as PCI compliant. Each site provides redundancies across all support systems. Our centers of excellence provide flexible and scalable solutions to protect your critical data and applications. Colocation at a Fogo Data Centers can ease the cost of building your own facility and maintaining your own on-site dedicated servers. Properties feature full perimeter fencing with an electric gate requiring keycard access and audio/video check-in.

Our hashtag is #KnowYourCloud. We stand ready 24/7, with years of experience, integrity and legal know-how, to protect data and securely manage your cloud strategy. In the event of a disaster or incident the Fogo team can have your facility back-up and running within hours. Call us today or take a look at our facility page to learn more.

Here’s a look at the upcoming #HITsm chat schedule:

2/3 – Healthcare Robots!
Hosted by Mr RIMP (@MrRimp, Robot-In-My-Pocket), mascot of the first ever #HIMSS17 Innovation Makerspace! (Booth 7785) (with assistance from @wareflo)

2/10 – Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually
Hosted by Steve Sisko (@HITConfGuy and @shimcode)

2/17 – Enough talk, lets #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Attackers Try To Sell 600K Patient Records

Posted on July 22, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

New research has concluded that attackers recently infiltrated U.S. healthcare institutions and stole at least 600,000 patient records, then attempted to sell more than 3 TB of associated data. The attacks, which were discovered by security firm InfoArmor, targeted not only hospitals, but also private clinics and vendors of medical equipment and supplies such as orthopedics, eWeek reports.

According to InfoArmor, the attacker gained access to the patient data by exploiting weak user credentials, and hacked Remote Desktop Protocol connections on some servers with static external IP addresses. The data thief also used a local privilege escalation exploit to access system files for added patching and backdooring, InfoArmor chief intelligence officer Andrew Komarov told eWeek.

And sadly, some healthcare institutions made it pretty easy for intruders. In some cases, data thieves were able to exfiltrate data stored in Microsoft Access desktop databases without any special user access segregation or rights control in place, Komarov told the magazine.

Future exploits may emerge through medical device connections, as many institutions aren’t paying enough attention to device security, he warns.”[Providers] think that the medical device is just a device for their specific function and sometimes they don’t [have] knowledge of misconfigured devices in their networks,” Komarov said.

So what will become of the data?  Many things, and none of them good. Some cyber criminals will sell Social Security numbers and other scammers will use to sell fraudulent healthcare services,. Cyber-grifters who steal a patient’s history of illness and their biography can use them to take advantage of consumers, he pointed out. And to sharpen their con, such criminals can even buy select data focused on geographic regions, Komarov noted in a follow-up chat with me.

To address exploits engineered by remote access sessions, one consulting firm is pitching technology allowing administrators to go over remote sessions with a fine-toothed comb.

Balazs Scheidler, CTO of security vendor BalaBit, notes that while remote access to internal IT resources is common, using protocols such as Microsoft Remote Desktop or Citrix ICA, IT managers don’t always have enough visibility into who’s accessing systems, when they are logging in and from where systems are being accessed. BalaBit is pitching a system which offers “CCTV-like” recording of user sessions, including screen contents, mouse movements, clicks and keystrokes.

But the truth is, regardless of what approach providers take, they simply have to step up security measures across the board. If attackers can access your data through a vulnerable Microsoft Access database, clearly something is out of order. And in fact many cases, it’s just that easy for attackers to get into your network.

The Downside of Interoperability

Posted on May 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board – nor has it defined “widespread” interoperability to my knowledge — but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good is the weakest link in the chain, and data sharing increases the length of the chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it’s not a matter of requiring participants to comply with some network security standard, or meet some certification criteria. Given the massive incentives these have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.