
No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic: all transmissions are in clear text, and usernames, passwords, commands and data are readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, these facilities don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.
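As an added example (not part of the original article or the FBI report), here is one way an IT team could run the recommended check against hosts in its own inventory, using Python's standard `ftplib`. The inventory addresses and function names are assumptions made for illustration; the script reports whether each host accepts an anonymous login and whether the server advertises TLS in its FEAT reply.

```python
import ftplib

# Hypothetical inventory of hosts you administer (constructed, TEST-NET-1 range).
INVENTORY = [("192.0.2.10", 21), ("192.0.2.11", 2121)]


def _advertises_tls(ftp):
    """True if the server's FEAT reply lists AUTH TLS (explicit FTPS, RFC 4217)."""
    try:
        reply = ftp.sendcmd("FEAT")
    except ftplib.Error:
        return False  # FEAT refused or unsupported: no TLS advertised
    return any(line.strip().upper().startswith("AUTH TLS")
               for line in reply.splitlines())


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Probe one host and return a finding dict for the audit report."""
    finding = {"host": host, "port": port, "ftp_reachable": False,
               "anonymous_login": False, "tls_advertised": False,
               "banner": "", "detail": ""}
    ftp = ftplib.FTP()
    try:
        # connect() returns the server's welcome banner (the 220 reply).
        finding["banner"] = ftp.connect(host, port, timeout=timeout)
    except (OSError, EOFError, ftplib.Error) as exc:
        finding["detail"] = f"no FTP service reached: {exc}"
        ftp.close()
        return finding
    finding["ftp_reachable"] = True
    try:
        finding["tls_advertised"] = _advertises_tls(ftp)
        # login() with no arguments sends USER anonymous / PASS anonymous@
        ftp.login()
        finding["anonymous_login"] = True
        finding["detail"] = "anonymous login accepted"
    except ftplib.error_perm as exc:
        finding["detail"] = f"anonymous login refused: {exc}"
    except (OSError, EOFError, ftplib.Error) as exc:
        finding["detail"] = f"check incomplete: {exc}"
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError, ftplib.Error):
            ftp.close()
    return finding


def audit(inventory, timeout=5.0):
    """Return only the findings that need follow-up: anonymous login accepted."""
    findings = [check_anonymous_ftp(h, p, timeout) for h, p in inventory]
    return [f for f in findings if f["anonymous_login"]]


if __name__ == "__main__":
    for f in audit(INVENTORY):
        tls = "TLS advertised" if f["tls_advertised"] else "cleartext only"
        print(f'{f["host"]}:{f["port"]} accepts anonymous FTP ({tls})')
```

Any host this flags should then be reviewed by hand for stored PHI or PII, which is the follow-up the FBI recommendation asks for.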

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

Medical Device Security At A Crossroads

Posted on April 28, 2016 | Written By

Anne Zieger

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.”

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.”

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway is the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to study the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

Consumer Health Devices versus Medical Devices

Posted on January 20, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I think there’s a major confusion in the current health app and device marketplace right now. The problem stems from consumers who draw conclusions even though claims aren’t really being made. I’ll use an example from my Healthcare Scene blog network.

I get asked all the time what I do for a job (like I’m sure most of you). I usually say that I’m a blogger and people then ask me what I blog about. I usually answer that I blog about healthcare IT. While people’s minds are blown by the fact that I’m a professional blogger, I can see in their eyes and often hear in their response that they didn’t really understand what it meant to blog about healthcare IT.

The most common interpretation is that I blog about health and wellness. I guess in some ways I tangentially blog about health and wellness, but no doubt in these people’s minds they’re picturing me writing about nutritional supplements, diet, fitness, and other health and wellness topics that they read in their magazines or favorite blogs online.

I never told them that I blogged about health and wellness, but they often interpret it that way since they don’t know the term healthcare IT to know what I really mean. When I try to clarify it for them, I often say that I write about how doctors use technology. That usually gets them closer.

I’ve found the same thing is happening with many consumer health devices. When you say that something is a consumer health device, they immediately draw their own conclusion that it must be a medical device that can be used by consumers. Unfortunately, the reality today is that consumer health devices are very different from medical devices.

As I’ve thought about the differences, I’ve come to realize that there’s one major difference that causes a lot of problems for those that misinterpret what they’re using. A medical device produces clinically relevant data that would be accepted and trusted by a medical professional. A consumer health device might or might not. We don’t know and therefore many medical professionals won’t use that data.

I don’t think it’s a problem that these consumer health devices don’t put out clinically relevant data. There seems to be a great business model for consumers to take a peek at their health data (regardless of how accurate it is). Plus, there are plenty of anecdotal stories about how this has helped individuals. That’s great.

The problem, however, comes in when we try to say that a consumer health device is something that it’s not. I think we’ll see this come into sharp focus over the next few years. Consumers will finally start to understand that not all devices are created equal. They’ll realize that some devices are clinically relevant (i.e., their doctor will want and care about the data) and other devices are more for fun and intrigue than they are actually improving their health. Unfortunately, it’s just going to take us a while to get there.

Medical Device Security and Vulnerabilities with Tony Giandomenico from Fortinet

Posted on December 17, 2015 | Written By

John Lynn

This is one of the most interesting and scary interviews we’ve ever done. Tony Giandomenico is a security expert at Fortinet. In this interview we cover a lot of ground with Tony around healthcare IT security and medical device security. We talk about the impact of breaches, places where healthcare organizations are vulnerable, and offer some ideas on how hospitals and healthcare organizations can be more secure.

In what we’re officially calling our Q&A after party we talk about things like the national patient identifier and its impact on security. We discuss block chain and its potential in healthcare and the security of block chain. We also have a patient advocate join us to put a great patient perspective on the need for security.

Medical Device Security – Where Is the Finger Pointing?

Posted on October 23, 2014 | Written By

John Lynn

If a picture is worth a thousand words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet, there are a lot of challenges when it comes to medical device security. Definitely no antivirus and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.

Stay Hydrated With The Jomi Band

Posted on May 8, 2013 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Drinking water can be the solution to a lot of health problems — it aids in weight loss, it helps the major organs of the body function better, and well, it’s just not good to be dehydrated! But many people, myself included, don’t drink enough water on a regular basis! I know for me personally, I just get so distracted throughout the day, it doesn’t even dawn on me that I didn’t drink water until 6 PM hits, and I’m totally out of it. At that point, my husband asks if I drank anything, and as I think about it…I realize I didn’t! Sometimes I think it would be nice to have a reminder.

If you follow CNN on Facebook, you may have recently read this article. It talks about an Estonian start-up called Jomi Interactive. Several of their prototypes were released last week, and one of the most interesting is the Jomi Band and Sleeve. It’s basically a device that you can attach to your water bottle, and it tracks how much you drink. If it feels that you haven’t had enough fluids, it will let you know with flashing LED lights. The device will be created to link up to a mobile device, if that’s appealing to you for some reason. 

There’s another product already on the market called Hydracoach. It’s a water bottle that has the tracking device built in. So the only main difference I can find is that the Jomi Band can be used on multiple water bottles.

It seems like an interesting idea, especially for anyone who isn’t particularly good at keeping track of how much (or little) they drink. It may seem like an easy thing to do, but sometimes…life gets busy. This could be very helpful for anyone that needs, or even just wants, to make sure they are drinking enough water. Granted, if the bottle is filled with something other than water, it may not be as helpful.

The Jomi Band is only in the developmental stages, but if you want to be informed of it making its big debut, go sign up over here. If it’s not too expensive, I might just get one myself.

What Consumer Medical Device is The Best Form Factor?

Posted on March 27, 2013 | Written By

John Lynn

I’ve been thinking a lot about the various form factors that are being used by consumer medical device companies lately. I think this interest was sparked when I heard a couple of the following statements:

“We’re about to enter a real battle for the wrist.”

“One of the keys to broad adoption is to build a product on top of an existing habit.”

The first statement really highlights the number of wrist-based monitoring devices that are on the market. I agree that there’s going to be a real battle for the wrist. Interestingly enough, the second statement highlights why there’s going to be a real battle for the wrist. Many people are used to having a watch on their wrist. So, a product that is on the wrist is building on people’s habit of wearing a wrist watch.

What are your thoughts on the various form factors that are being used for medical devices:
-Wrist Bands
-Chest Straps
-Pant Clips
-Shoe Clips
-Arm Straps
-Head Straps
-Hand Held
-Pocket Stored
-Full Shirt
-Full Shorts

Are there any other form factors I’m missing? I’d love to start a real deep discussion on the various form factors and the pros and cons of each.

FilmArray Delivers Test Results in An Hour

Posted on February 18, 2013 | Written By

Katie Clark

Maybe it’s because I live in Utah, so it’s easier for me to recognize the technology being created here, but it seems as if lately, I’ve been noticing a lot of medical devices created here. Last night I was reading KSL.com about a device that was recently designed that can apparently detect certain diseases — and, most impressively, in under an hour.

Waiting for lab results can be excruciating. Although I have access to the patient portal for Intermountain Healthcare, and can see results as soon as they are done (which is, most of the time, much faster than waiting for the doctor to call), it still takes longer than I would like. FilmArray is a test that can detect around 20 diseases in less than an hour.

The diseases that can be detected can be viral or bacterial, and are related to upper respiratory infections. This could be pretty helpful, especially when you or your child goes to the doctor, and they can’t really tell what’s wrong just by looking at them or listening to their lungs. It can help to get treatment started quicker, and hopefully shorten the length of the symptoms.

FilmArray also eliminates the need for someone to spend a ton of time in the lab working the results, as it takes less than about five minutes of a tech’s time. It’s a machine that is easy to learn how to use, so staff can be trained fairly easily, without much disruption in the regular schedule.

This graphic from the FilmArray website shows how easily it works, from start to finish:

filmarray_setup

The device has been available since 2011, though I don’t get the impression that it’s very mainstream yet. I think this could be a great thing for doctor’s offices and hospitals to invest in, because of its quickly produced results, and the ease of use involved. Even with an initial investment, it seems as if the time saved will pay it off in the end.

25 Percent of Americans Trust Apps as Much as Doctors

Posted on January 4, 2013 | Written By

Katie Clark

A survey done by Royal Philips Electronics revealed that about one-quarter of Americans trust mHealth apps as much as they would trust their doctor. 

This survey also showed that about 27 percent of those surveyed use mobile apps instead of going to the doctor. Even more interesting is that 1 in 10 of those surveyed felt that “if it were not for web-based health information, ‘they might already be dead or severely incapacitated.’”

I thought this was a very interesting study. The sample size was 1,003 people, with 503 men and 500 men over the age of 18, so I feel like it’s pretty legitimate. At first, I thought it was kind of strange that people trust mHealth apps as much as their doctors, but then I realized…I’m probably in that 25 percent as well. To be honest, I think I sometimes trust the Internet and mHealth apps more than our doctors.

Concerning the study, Dr. Eric Silfen, the Chief Medical Officer of Philips Healthcare, had some interesting thoughts:

We are in the early stages of the web-enabled, mHealth, mobile app world of healthcare delivery. Near-future apps will focus on tying together health information technologies, connecting with doctors, nurses, healthcare professionals and patients, all within a social context that facilitates shared medical decision-making. This evolution will harken the new vital signs of the clinical times with technologies that help prevent medical errors, lower the financial and social cost of care, sustain a higher quality of medical practice and support an evidence-based standard for medicine in general. Ultimately, the technological undercurrents of the post-PC world – the power of many, designer gadgets, cloud ecosystems, and mobile app computing – will hasten the personalization and partnerships that will transform sustainable medical care to the highest quality.

I think in the future, even more people will be trusting their mHealth apps just as much (or even more!) than their doctors. There are so many apps and technologies that are coming out, on what seems like a daily basis, and they are only going to get better. Sometimes, a doctor appointment can be rushed and a patient can leave feeling discouraged about the information they got — having access to so much health information, as well as gadgets that can diagnose illness, might become more popular. Definitely an interesting study though, and encouraging for mHealth app creators.

UK Company Developing a Biosensor Device to Detect Flu and RSV

Posted on December 26, 2012 | Written By

Katie Clark

‘Tis the season for the flu, colds, and other respiratory diseases. Not exactly something to put a person in the holiday spirit, right? Well, a company in the United Kingdom is currently working on some pretty cool technology, that supposedly will help detect these illnesses in their early stages — during the time when treatments are most effective.

OJ-Bio, the company that has been developing the new biosensor device, recently received government backing for the device. According to OJ-Bio, the device “is intended to provide rapid, simple and low-cost diagnoses of flu and respiratory conditions.”  Below is a picture of the device, hooked up to a smart phone:

Point of care diagnosis[2]

The device can be used just about anywhere — at home, work, school. The results are available almost immediately — which is much better than having to wait for lab results, which can sometimes take hours or even days. According to the article, OJ Bio has been working with the U.K.’s Health Protection Agency for the past few years on this project, and the device accurately detected respiratory illnesses even quicker than other methods. Some of the viruses that were in the test protocol included Influenza A and B as well as Respiratory Syncytial Virus.

In the press release, chief executive of OJ-Bio said:

Flu viruses cause misery for millions of people each year and early diagnosis is vital. Drugs are only effective in the first few days after symptoms appear and current tests, which involve laboratory analysis of samples, simply aren’t fast enough.

I’ve mentioned before that my son had RSV when he was just two weeks old. During the experience, I came to appreciate the importance of diagnosing illnesses like that very quickly and early on. We were very lucky and caught it just when he started to get it, so he was able to receive treatment and it didn’t get as bad as it could have. However, not everyone is so lucky, and aren’t diagnosed with the flu or other respiratory illnesses until they get to the point where treatments aren’t super effective. In the winter, it is sometimes hard to go to the doctor, especially since there’s the risk of picking up other illnesses while there. Having a device like this could be so helpful in helping people know if their cold or stomachache is more than just something passing by. I’ve read a lot lately about people who have been hospitalized by the flu, and I wonder how many of those could have avoided hospitalization if something like this had been available.

I’m not sure if this will be available in the United States as well, but I sure hope it will be. Definitely another item I’d want to add to my home-health kit!