Tag: cyber attacks

You Need a Cyber Team

By KIM BELLARD

Maybe you, like me, are an Olympics fan (in my case: Summer Games, track & field).  Most Americans look forward eagerly to the Super Bowl, while the rest of the world (and, increasingly, many in the U.S.) are waiting for the World Cup.  But too few of us are aware that next summer will be the inaugural International Cyber Security Challenge, an esports event that pits teams from multiple countries against each other in cybersecurity skills.  The U.S. is sending a 25 person team.  

So what, you might say?  Well, if you work in healthcare (or any industry, for that matter), or use any kind of digital device, you should care.  Ransomware attacks on healthcare organizations continue to proliferate. The Colonial Pipeline cyberattack this past spring illustrated the weakness of other parts of our critical infrastructure, and we’ve all almost certainly had some of our personal data exposed in data breaches.    

We’re in a war, but it’s not clear that we have the right army, with the right weapons, ready to fight it. Thus the U.S. Cyber Games.

It’s (Cyber)Criminal

By KIM BELLARD

One of the redeeming aspects of crises is that, amidst all the confusion, suffering, and loss, there are usually moments of grace, of humans showing their best nature.  With COVID-19, we’ve seen health care workers working long hours in dangerous conditions.  We’ve seen other essential workers — including not just first responders but also grocery workers, meatpackers, trash collectors, and countless others — putting their own safety at risk so that our lives can go on.  There are heroes all around.

Unfortunately, crises also tend to bring out the worst of our natures.  With the pandemic, those trillions of dollars in play have brought out not just those seeking to profit, but also those looking to profit by breaking the law.   We’ve seen people stealing or counterfeiting stimulus payments, defrauding COVID unemployment payments, getting fraudulent PPP loans, and stealing PPE.

And then there are the cyberattacks. 

Last week the federal Cybersecurity & Infrastructure Security Agency, the FBI, and HHS issued a joint alert Ransomware Activity Targeting the Healthcare and Public Health Sector, warning that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”  I’ll spare you the technical details of the expected attack strategies or suggested mitigation efforts, but I will note that they warned: “CISA, FBI, and HHS do not recommend paying ransom.”

Hospitals could ask Universal Health Services (UHS) about that.  UHS took some three weeks to resume “normal services” after a ransomware attack that hit their 250 U.S. hospitals in late September.  UHS claims that “While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods.”   E.g., paper records.

Or they could ask the family of the woman in Germany who died as the result of having to be diverted to another city for her medical emergency because the closer facility had suffered a ransomware attack.  One suspects there may have been other deaths, and other adverse outcomes, due to cyberattacks, and that we can expect there to be more.

What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It

Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.

You should care about patient matching, and you will.

It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be to your pocketbook, as it’s being used to fix prices and reduce competition in a high-deductible insurance system that exposes families to up to $12,700 of out-of-pocket expenses every year.

Patient matching is the healthcare cousin of NSA surveillance.

Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.

Health IT tries to be different from other IT sectors. There are many reasons for this, and few of them are good ones. Health IT practices are dictated by HIPAA, whereas the rest of IT falls under either the FTC or the Fair Credit Reporting Act. Healthcare is mostly paid for by third-party insurance, so the risks of fraud are different from those in traditional markets.

Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.

Health IT privacy and security are in tatters, and nowhere is it more evident than the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.

Why Healthcare Should Be Worried About the Target Cyber Attacks

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have an even more serious sit-down with them, complete with charts and graphs and arrows on flip charts.

Here’s why: Remember how in November it was revealed that the Target retail chain’s computer systems had been compromised? Some 70 million names, home addresses and phone numbers (pretty good raw material for identity theft) were stolen, along with 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman-Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers’ software sitting in the companies’ servers, credit card machines and cash registers, often for months before it was detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why, we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker: Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.
