Categories

Tag: cyber attacks

It’s (Cyber)Criminal

By KIM BELLARD

One of the redeeming aspects of crises is that, amidst all the confusion, suffering, and loss, there are usually moments of grace, of humans showing their best nature.  With COVID-19, we’ve seen health care workers working long hours in dangerous conditions.  We’ve seen other essential workers — including not just first responders but also grocery workers, meatpackers, trash collectors, and countless others — putting their own safety at risk so that our lives can go on.  There are heroes all around.

Unfortunately, crises also tend to bring out the worst of our natures.  With the pandemic, those trillions of dollars in play have brought out not just those seeking to profit, but also those looking to profit by breaking the law.   We’ve seen people stealing or counterfeiting stimulus payments, defrauding COVID unemployment payments, getting fraudulent PPP loans, and stealing PPE

And then there are the cyberattacks. 

Last week the federal Cybersecurity & Infrastructure Security Agency, the FBI, and HHS issued a joint alert Ransomware Activity Targeting the Healthcare and Public Health Sector, warning that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”  I’ll spare you the technical details of the expected attack strategies or suggested mitigation efforts, but I will note that they warned: “CISA, FBI, and HHS do not recommend paying ransom.”

Hospitals could ask Universal Health Services (UHS) about that.  UHS took some three weeks to resume “normal services” after a ransomware attack that hit their 250 U.S. hospitals in late September.  UHS claims thatWhile our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods.”   E.g., paper records.

Or they could ask the family of the woman in Germany who died as the result of having to be diverted to another city for her medical emergency because the closer facility had suffered a ransomware attack.  One suspects there may have been other deaths, and other adverse outcomes, due to cyberattacks, and that we can expect there to be more.

Continue reading…

What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It

Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.

You should care about patient matching, and you will.

It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be to your pocketbook as it’s being used to fix prices and reduce competition in a high deductible insurance system that makes families subject up to $12,700 of out-of-pocket expenses every year.

Patient matching is the healthcare cousin of NSA surveillance.

Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.

Health IT tries to be different from other IT sectors. There are many reasons for this, few of them are good reasons. Health IT practices are dictated by HIPAA, where the rest of IT is either FTC or the Fair Credit Reporting Act. Healthcare is mostly paid by third-party insurance and so the risks of fraud are different than in traditional markets.

Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.

Health IT privacy and security are in tatters, and nowhere is it more evident than the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.

Continue reading…

Why Healthcare Should Be Worried About the Target Cyber Attacks

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have an more serious sit-down with them, complete with charts and graphs and arrows on fip charts.

Here’s why: Remember in November it was revealed that the Target retail chain’s computer systems were compromised? Some 70 million names, home addresses and phone numbers were stolen (pretty good raw material for identity theft) and 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman-Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers software sitting in the companies’ servers, credit card machines and cash registers often for months before they were detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker: Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.

Continue reading…

Registration

Forgotten Password?