For decades, healthcare medical devices functioned as freestanding tools. Glucometers, lasers, infusion pumps, pressure monitors, neonatal incubators, heart monitors – each serving its unique function independently of the others. With the widespread implementation of electronic health records (EHRs), however, and the push for increased digitization of health information, these devices have increasingly been networked into the patient information ecosystem.  They now transmit PHI between a myriad of systems including the EHR system, bed management, supply chain management, and billing systems.

The variety and use of these devices have proliferated. The HIMSS Medical Device Security Workgroup reports that hospitals and similar healthcare delivery organizations typically have “300% to 400% more medical equipment than IT devices.” In a study of US hospitals cited in Wired Magazine (3/02/17), ZingBox reported an average of 10-15 connected devices per bed. That translates into approximately 4500 connected medical devices for the average 300-bed community hospital – and up to 75,000 devices for a large metro medical center with 5,000 beds!

Are devices vulnerable to hacking?

To date, the number of medical device breaches and the number of patient records exposed by those breaches has been seemingly negligible when compared to the large-scale data losses due to hacks of healthcare organizations’ primary IT systems or losses of unencrypted mobile devices. But there have been hacks, and there are several reasons to expect medical devices to be increasingly exploited:

• As more medical device developers rely on off-the-shelf operating systems to speed development and/or facilitate integration with other systems, the vulnerabilities of the parent code are transferred to the devices, increasing their vulnerability.
• The increased networking of devices makes them a more attractive target for hackers because they provide additional points of entry to other systems.
• A Trend Micro study found a large number of devices to be discoverable on Shodan, a search engine routine for connected devices.

In fact, a study by Ponemon Institute found that 67% of medical device makers expect an attack on their devices in the next 12 months!

Didn’t the FDA pass regulations to fix this?

Yes – and no, depending on who you ask. The FDA is quoted in many news articles saying that medical device manufacturers are responsible for complying with “quality system regulations” (QSRs), which include requirements for addressing cybersecurity risks, but both law firms and industry executives say the compliance environment remains murky:

• Some devices have been downgraded from “Class III” – high risk and mandatory compliance – to “Class I” – low risk and “unregulated,” though they still could pose a cybersecurity risk.
• Once a device is in use, it’s not clear whether the device manufacturer or the healthcare delivery organization is responsible for continued patching as cyber threats evolve.
• The FDA doesn’t actually test medical devices for their compliance with the QSRs.
• Reporting of device malfunctions, including cybersecurity breaches, to the FDA is voluntary.

Know-how and budget are also factors.

Because cybersecurity of devices is still a relatively new concern in the medical device and healthcare delivery industries, lack of knowledge regarding both the threat and the appropriate risk management responses remains a problem. The ZingBox study also found that 70% of healthcare IT decision-makers believe that the same security solutions used for laptops and servers are sufficient for all their connected medical devices, a misconception that the report goes on to explain.

Despite two-thirds of medical device manufacturers anticipating an attack on their devices, only 15% of study respondents anticipate taking measures to mitigate the risk! Senior executives in the field say it usually comes down to budget and production deadlines. Because cybersecurity protections don’t improve device performance in terms of clinical care, it is often looked upon as a cost. Similarly, when cybersecurity flaws are discovered too far into the development process, decision makers often determine that the rework required to build in the cybersecurity protections is too costly. So devices go to market with known cybersecurity flaws.

So what to do?

As a healthcare delivery organization, you are the gatekeeper between the medical device vendors and patients. Regardless of who is technically at fault for a medical device breach, if a breach were to occur, it would be your patients’ information lost and your reputation damaged!  Thus it is up to you and your organization to set the standard for medical devices coming into your organization and to include medical devices in your annual security risk assessment.

Start by requesting information from your device vendors about each of the device types on your network using the Manufacturer Disclosure Statement for Medical Device Security ((MDS)²) which was collaboratively developed by the National Electrical Manufacturers Association (NEMA) and the Health Information and Management Systems Society (HIMSS).

Finally, if you have questions about assessing the risk of an Internet-connected device or need help completing a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com or 512.310.0020.

If you don’t read about cybersecurity and stolen data everyday then you probably don’t read much news.  But, if you scan the news headlines once in a while you’re aware of the following:

• 2014 – The Year of the Cyber Breach
• 2015 – The Year of the Healthcare Cyber Breach
• 2016 – The Year of the Cyber Attack (it’s common news)
• 2017 – The Year of Ransomware

So, what will 2018 be dubbed?  2018 – The Year of the Meltdown?  Wait, what meltdown?  Or the Year of the Spectre?  Is that a ghost or something else?  Well unfortunately, two major hardware vulnerabilities have been discovered in almost all computer processors (CPUs).

What’s the Problem?

Meltdown and Spectre are hardware vulnerabilities in most modern computer processors (CPUs).  These critical flaws in the processor designs allow applications (computer software programs) to steal data from other applications running on the same processor.  Normally applications are blocked from reading data from other applications unless they have been given “permissions.”  But Meltdown and Spectre are hardware design flaws that allow this to happen.  A malicious software program (malware) can read data from another legitimate application without providing appropriate permissions.  This data may include your emails, passwords from browsers or password managers, instant messengers, EMRs, EHRs, practice management systems, billing systems, credit card processing systems, the list goes on and on.

What to do?

There’s not much to do about the hardware flaw, it will take years for all the hardware to be replaced with new computers. However, it is important to have your IT department or support firm apply the patches as they become available.  It is also very important to ask all of your cloud providers to confirm that they have applied the patches to all of their affected hardware.

Linux and Windows patches are already available. Chromebooks updated to Chrome OS 63 are protected.

Android devices running the latest security update, are already protected, which includes the Google phones. Other vendor’s updates are expected to be delivered soon. Users of other devices will have to wait for the updates to be pushed out by third-party manufacturers, including Samsung, Huawei and OnePlus.  So, know which devices still need to be updated and watch for the patches to become available and apply them as soon as you can.

What’s the Impact?

The potential impact is stolen protected or sensitive data; a data breach.  But, even if you install the patches and prevent a breach there is the possibility the patches will degrade your computer CPU performance.  On new CPUs (computers) the performance degradation may only be 5% based on what the experts are predicting.  But on CPUs older than five years, experts are predicting much worse performance.  Unfortunately, we’ll have to wait and see.

More Info?

For more details on Meltdown and Spectre visit the Meltdown Attack site at https://meltdownattack.com/

The Medical Device Cybersecurity Act of 2017 was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT).  The new bill is intended to improve the security of medical devices and increase transparency. If passed, it would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.  Is this another law adding burden to a strained healthcare industry or a vital piece of legislation designed to protect the public?  Let’s see if this bill is really needed.

Recent global cyber-attacks established the vulnerability of several medical devices that could result in the theft of electronic Protected Healthcare Information (ePHI) or worse, the potential to cause patient injury or death.  The Wannacry virus infected both Siemens and Bayer medical devices.  You might think that isn’t such a big deal as Wannacry infected a wide range of companies and systems, including a considerable number of hospitals in England that were crippled as their IT systems were rendered useless with the ransomware.

But recent studies show that the medical device manufacturers are not investing in the cybersecurity of new medical devices.  Last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion when the drug cabinet system was found to have over 1,400 vulnerabilities.  This year researchers reviewed implantable cardiac devices and uncovered more than 8,000 security flaws in multiple devices.  It is interesting to note that a new form of MedJack malware, developed specifically to attack medical devices such as heart monitors and MRI machines, was discovered earlier this year.

The explosion of Internet of Things (IoT) devices has manufacturers rushing devices to market to beat the competition and claim market share.  Devices that are not cyber-hardened in the design process and fully tested prior to delivery to the customer (Provider) place the burden of patient protection on the care environment; on the nurses, doctors and their IT support organization who are already overburdened and underfunded. (See our previous post for caregivers Healthy Skepticism – Your Best Cyber Defense)

If we step back and look at the situation, the patients (all of us) are at risk. We are at risk of having our identities stolen and at risk of suffering harm or even death.  In summary, I hope Congress passes this legislation quickly!

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

It’s no longer news that most of us are uber-connected. We use phone apps for weather, meditation, mapping, games, travel, texting, and more.  Online management of home devices, including thermostats, coffee makers, and alarm systems make it possible for us to remotely control many aspects of our lives. These technologies offer previously unthinkable convenience – and a great deal of risk to their owner’s physical and information security.

Healthcare, too, is becoming more connected for all the same reasons you may use networked devices at home – speed, convenience, control, and situation transparency. For instance, in-room cameras are very helpful for preventing patient falls. They can also be used by nurses to determine if a patient’s telemetry alarm is due to a loose lead or a real cardiac event. All this convenience, however, comes with the same risks as an online thermostat at home – these devices are vulnerable to attack (Health Data Management, May/June 2017).

Many of the devices in use today were deployed before security standards for them had been developed. Even relatively new devices released while the FDA was working on the rules may not be up to snuff. For example, this spring an IT Director for a brand new hospital told me about receiving devices for the hospital, which he was responsible for installing and maintaining, and learning they did not adhere to some very basic security principles!

So what can members of the care team do? 

You – nurses, respiratory therapists, surgical technicians, medical technologists, radiology techs – can be the “Human Firewall.” The healthy skepticism that care team members are trained to bring to all aspects of their work can play an important role in cybersecurity as well.

Staff often assume that the “IT gurus” have carefully reviewed all devices or computer applications and deemed them “safe” – WRONG! Smart devices and applications are proliferating rapidly due to the advent of the Internet of Things.  This combination provides great opportunity to the cyber criminals! The obvious conclusion is it’s now everyone’s job to look out for the patient’s information safety.

So ask the hard questions – and protect your patients and yourself in the process.

1. Does this device transmit data?

If the answer is yes, ask more hard questions:

• Is the transmitted data encrypted during transmission?
• Does the device store data as well? If so, is the data encrypted when stored? Is the data backed up regularly?
• Where is the manufacturer’s proof that the device is cybersecure?
• Does the manufacturer’s cybersecurity claim state the standards against which they tested the device?       (Hint: You don’t have to know the standard – you only need to ask your IT and BioMed departments to validate them.)

2. Can this device or app access my Contacts? my Location?

If so, ask how to turn those “features” off – or for documentation explaining all the steps taken to ensure your phone, computer, or patient care devices won’t be hacked.

3. Can the password be changed?

For this question, the wrong answer is “No.”  Devices with hard-coded passwords – those with a single, manufacturer-issued password used by everyone on the team –  can be “weaponized” by a cyber criminal to penetrate the organization’s network and send malware to other computers. If the answer is “No,” contact management – “This device is unsafe to use.”

4. Would you feel safe if this device was being used on you or a family member, and the organization was hit with a virus or ransomware attack?

Healthcare is risky business – there are physical risks and electronic risks – and there’s no way to make it completely safe. But working together, we can certainly make it safer.

If you’re not sure your organization has taken all the proper steps to ensure patient information security, contact us to arrange for a comprehensive HIPAA security risk analysis to identify any gaps in your network security or operating procedures.

info@thirdrock.com | 512.310.0020

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

By now, most have heard or been affected by the WannaCry ransomware that has spread to over 150 countries at last count.

The WannaCry ransomware started taking over users’ files on Friday, demanding $300 to restore access.

Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call.

The first line of defense in this is always having a properly maintained firewall both on your network and on each individual computer system. However, as we all know, your network can and will be breached at some point, whether or not it is due to WannaCry or some other ransomware or virus; it will happen.

What is the best defense against ransomware and other malware?

A good backup!

It sounds simple, but amazingly most either are not doing backups or not verifying that the backup works. I worked with an organization that had been backing up for several years, but had never tested restoring the files. Well, they got hit with a bad virus, and it was determined that restoring the previous day’s backup would be the best way to recover. Unfortunately, the backup was corrupted and would not work. We went back to previous days and weeks, and none of their backups were good.

Having a backup is not good for anything if you can’t actually recover the data when you need it.

1.  To get started, investigate business level backup systems that will work in your environment. It truly is a case by case basis on which backup system is right for your organization; depending on size, speed, hours, etc.
2. Schedule restore tests on a regular basis to make sure that you have a valid backup that you can recover from in the case of an attack.
3. Maintain the backup system to ensure that it is considered “mission critical” as it is the last line of defense for your entire business.

Bottom line:  Stay ahead of ransomware by maintaining complete, working backups!

For questions about how to evaluate and improve your own backup practices or for a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com.

 

“To err is human”… a pretty obvious statement. So if we all know we are going to make mistakes, why not add an extra level of security to mitigate the effects of the mistake?

I am sure we have all been in the predicament of sending John C. an email, but when we clicked on our contacts list we accidentally sent it to John B. I have conversations constantly with clients and friends about encrypting their email to protect themselves and often get the same set of questions…

• “Isn’t that expensive?”
• “How does someone unlock the email I sent?”
• “Won’t that take a lot longer for me to encrypt it?”
• “Why should I take the extra time? The person who gets it will just delete it.”

There seems to be a lack of understanding in the market place of how simple it is to take this one extra step to protect yourself and private information.

This has become an increasingly obvious issue in the healthcare space. The amount of ePHI sent daily between providers, insurers, patients, labs, etc. is vast and sooner or later mistakes will be made. When one patient receives another patient’s records this typically worries the individual who receives it and angers the patient whose information was released – accidentally or not. There are numerous low cost encrypted email services and even most of your standard email platforms come with settings for encryption. Encrypting your email ultimately protects you, your patients, and your practice.

I recently ran across an article that gives a very simple explanation of how encryption works and the advantages. When we do make mistakes and the wrong person can’t open the information, we have ultimately protected everyone with a single, simple step. Let’s do all of mankind a favor and take one small step…ENCRYPT.

I hope you enjoy the article.

https://www.ltnow.com/how-does-email-encryption-work/

We all enjoy the convenience of being somewhere, like a coffee shop, airport, hotel room, or lobby of a building waiting, and hopping on the free WiFi to catch up on some work. Unfortunately, all healthcare workers should avoid free WiFi at all costs.  It is very important to realize that if you can access the free WiFi, so can anyone else. They can even leave devices behind that stay on the WiFi, breach other systems and transmit the data back to their “home” base.  If you share a local WiFi network, it is fairly easy for someone to access your device (laptop, tablet, phone) and copy data from your device to theirs without you ever knowing it.  It’s worth noting that criminals can infect your device with a virus or malware and later take control or steal data from your device.

 

There are several things you can do to prevent a breach …

1. Don’t connect to free WiFi networks.
2. Use your mobile phone hotspot or wait until you’re on a known secure network.
3. If you do use free WiFi or connect remotely to your EMR or other applications use a VPN (virtual private network).
4. Make sure you have a properly configured firewall on your device and select “public” network when you connect.
5. Encrypt the data on your device.
6. Did I say, “Don’t use free WiFi networks.”?
7. Don’t download, access, or store PHI on mobile devices.

Their are various ways to address the above list, contact your tech expert for assistance and make it a high priority.

Take away:  Make cyber security a top priority for 2017, take a step each week to improve your cyber security.

You may have experienced the first coordinated cyber attack using “Internet of Things”, IoT. I bet you are wondering how did it affect me? How did it happen?  Did you notice on October 21^st that Facebook and LinkedIn were not available?  Maybe you noticed that Amazon couldn’t take your order, and email was really slow? This was the result of a DDoS attack, Distributed Denial of Service, which have been going on for years, but this one was different.

Typically, DDoS attacks are the result of a virus or malware infecting many PCs, and then when instructed by the malware’s author, flooding the targeted victim’s web address with thousands of messages.  This creates an Internet traffic jam and stops the victim’s ability to communicate via the Internet.  This particular attack was on a key Internet asset which acts as the Internet’s address book, and the result was a major Internet disruption on the East Coast.  It eventually spread to the West Coast as well.

Where does the “IoT” fit into all this?  This DDoS focused on IoT devices to cause the traffic jam.  Now you’re wondering, just what is an IoT device?  According to the National Institute of Standards (NIST), an IoT device must have sensing, computing, communication, and actuation capabilities.  Thus, it has a computer with software programs which enables the other 3 required attributes.  It is connected to a network and ultimately the Internet to enable communications with other devices such as your smartphone, and thus the requested data is sent back to you, after sensing that you did close your garage door after leaving for work this morning.  Or you can actuate the door locks on your Buick while lying on the sunny tropical beach.

Surely my digital thermostat, baby monitor, VCR, vacuum cleaner, garage door opener, or refrigerator couldn’t be involved in such an evil deed as a DDoS attack?  Yes, they can, and maybe they were!  All these relatively inexpensive IoT devices have very basic or no Internet security capabilities at all.  Most are installed with default passwords which can readily be found via a quick Google search.  Thus, they can be readily hacked and re-purposed to do other things.  There are numerous instances where digital thermostats have been hacked to access home networks and steal personal information and financial data.  Could your thermostat be spying on you when you are logging into your bank account?

Let’s take this up to the next level.  What about your business?  The healthcare industry, like all others, is seeing a flood of new IoT devices addressing complex issues to reduce workloads and wait times.  Whenever you install an IoT device in your practice, take time to consider the potential downsides.  Each new device on your network, is another vulnerability.  You must evaluate its security capabilities before it is installed.  Plus, consider the ability to maintain proper security in the future.  Ask yourself,

• Is the password strong enough?
• Can your IT staff or managed services provider support the device?
• How does the company selling the device service it?
• What information is it transmitting?
• Is the data encrypted on the device and during transmission?

These are not easy questions, but essential to help protect your practice’s and your patient’s sensitive data.

While meeting all the HIPAA requirements for your technology (computer, network, etc.) requires some planning, there are some quick fixes that can greatly reduce the odds of your organization being breached while at the same time starting you on your path to compliance.

Below are some common issues that we see at all sizes of organizations. How you go about correcting some of them is determined by the size and resources of your organization.

Quick Fix #1

Issue: The operating system (i.e. Windows) on your organization’s computers / laptops is out of date.

Details: Hackers are constantly finding new ways into your computers. If you do not keep your computer up to date, it leaves these vulnerabilities open for attack.

Fix: For smaller organizations you will need to manually check each of your computers to make sure automatic updates are turned on and updating. Alternatively there are centralized patch management systems that can help, if you are running on a Windows domain.

Quick Fix #2

Issue: Weak password! Simple passwords DO NOT WORK!

Details: Hackers can download a tool off of the internet to crack passwords fairly easily. The weaker the password the more likely the hacker will be able to breach your computer and network.

Fix: Require that all users have unique accounts and passwords that are a minimum of 12 characters with a mix of UPPERCASE, lowercase, numbers, and at least one special character (i.e. !@#$%^&*). You should also have your users change their password every 90 days max. If you have a Windows domain you can enforce this with a domain policy.

Quick Fix #3

Issue: Outdated Antivirus

Details: Similar to #1, if your antivirus is out of date, your computers and networks are vulnerable to the latest virus’, malware, and ransomware.

Fix: Check all of your computer’s antivirus software to ensure that it still has an active subscription, is running, and is being updated. Most major antivirus companies have business versions of their product that allow you to centrally manage the antivirus and reduce the likelihood of something happening.

Quick Fix #4

Issue: Lack of trained staff

Details: Staff that has not been trained to watch out for malware in emails or on the web is generally the most likely way for your organization to become a victim of malware or ransomware.

Fix: Ensure the staff is properly trained in HIPAA. There are plenty of online training courses that are neither expensive nor time consuming. While the return on investment may be hidden, it is huge.

If you’re like me, sometimes you’re a slow learner or you just like things the way they were. Why change a good thing, right?  Windows 10 has some nice new features, but I thought Windows 7 was simple and easy to use, plus I know it.  Here are some tips on how to navigate Windows 10 a little easier.  Hope they help.

Right Mouse Click on Windows (Start) Icon	This will pop-up a list of applications like on Windows 7.
Windows Key – Alt – Esc	Toggle through all open windows (applications)
Ctrl – Shift – Esc	Open Task Manager (click on More Details in bottom left)
Esc	Escape from current pop-up from a shortcut.
Windows Key – D	Show the Desktop.
Windows Key – Tab	Show running tasks (applications).
Windows Key – Ctrl Key – D	Open new virtual desktop window.
Windows Key – Ctrl Key – Left or Right Arrow	Move left or right between virtual desktops.
Windows Key – Ctrl Key – F4	Closes the current virtual desktop
Windows Key – Up Arrow	Changes current window from normal to full screen or from minimized to normal.
Windows Key – Down Arrow	Changes current window from full screen to normal or from normal to minimized.
Windows Key – Left or Right Arrow	Moves current window to left half of screen or right half. Combine with Up or Down Arrow keys to move to top left quarter, etc.

The HowToGeek web site has a large listing of Windows 10 keyboard shortcuts.