Showing posts with label computer security. Show all posts
I have often written about my observations of the generally unimpressive qualifications and capabilities of IT personnel, up to and including the CIO's, in healthcare settings (e.g., baccalaureate-level education in a doctoral and post-doctoral setting, usually no clinical or biomedical experience, no computer science background, no medical informatics background, and sometimes not even a formal management information systems education) compared to other sectors such as pharma and academia.  I've written about this as an impediment to health IT progress and to healthcare IT safety.

Now, I increasingly believe the healthcare IT backwater is becoming a downright societal threat, for another reason.  Yet another in my "don't worry, your information's safe" series (http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy):

Community Health Systems says data stolen in cyber attack
http://www.foxbusiness.com/industries/2014/08/18/community-health-systems-says-data-stolen-in-cyber-attack/
Published August 18, 2014
Reuters

U.S. hospital operator Community Health Systems Inc said on Monday personal data, including patient names and addresses, of about 4.5 million people were stolen by hackers from its computer network, likely in April and June.

The company said the data, considered protected under the Health Insurance Portability and Accountability Act, included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, Community Health Systems said in a regulatory filing.

It said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years.

If you're a department store, or a McDonald's, such breaches might be more understandable.  When you're a life-critical industry such as healthcare, and under HIPAA regulations regarding privacy and confidentiality, these incidents are increasingly unforgivable.

The FBI warned healthcare providers in April that their cybersecurity systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions, Reuters previously reported.

Again, inexcusable.  Health IT amateurs (and, of course, the Management Recruiting Firms that hospitals retain to find them, who are equally clueless about what it takes to be a health IT expert) don't just endanger your health; they endanger your economic well being, even when you're not ill.

The company said it and its security contractor, FireEye Inc unit Mandiant, believed the attackers originated from China. They did not provide further information about why they believed this was the case. They said they used malware and other technology to copy and transfer this data and information from its system.

Just great.

Community Health, which is one of the largest hospital operators in the country with 206 hospitals in 29 states, said it was working with federal law enforcement authorities in connection with their investigation into the attack. It said federal authorities said these attacks are typically aimed at gathering intellectual property, such as medical device and equipment development data.

Oh, that's reassuring - our data's being stolen by honest thieves who would never, EVER think of selling the data to dishonest thieves who steal people's identities, and then money...

It said that prior to filing the regulatory document, it had eradicated the malware from its systems and finalized the implementation of remediation efforts. It is notifying patients and regulatory agencies as required by law, it said.

It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.

Oh, that's very nice.  Millions of people potentially put at risk, but insurance will cover for incompetence.

Perhaps the insurers should more critically evaluate the quality of work of the people they're insuring.

-- SS
9:56 AM
Besides the reasons I outlined in posts retrievable by these query links (link, link), there's this from ZDNet.com:

Microsoft warns of first critical Windows 8, RT security flaws

It's been less than a month since Windows 8 and Windows RT-powered Surface tablets were launched and went on sale, but Microsoft is already warning that the two next-generation operating systems contain critical security vulnerabilities that are due to be patched this coming Tuesday.

Among the various flaws, versions from Windows XP (Service Pack 3) all the way through to Windows 8 are affected, including versions of the Office suite, and versions of Windows Server. Released only in September, Windows Server 2012 requires patching to maintain maximum security.

The latest vulnerabilities include three critical security vulnerabilities for Windows 8, and one critical security vulnerability for the Surface-based Windows RT operating system. These flaws are considered "critical" and could allow remote code execution on vulnerable systems.

I note that Windows XP was released worldwide for retail sale on October 25, 2001, which was more than eleven years ago.  That security vulnerabilities are still being patched in 2012 is stunning.  Also, many enterprise information systems and most hospital clients (workstations) run on Windows-based servers and Windows installed local machines (UNIX, MacOS and other OS's are very rare on general-purpose hospital workstations).

From a Microsoft website here:


This partial list includes many very large HIT sellers.  There are many others as well.

By simple reckoning, it's likely we'll be seeing critical security vulnerabilities in Windows 8 - in 2023.

It goes without saying that these security problems will continue to be exploited by identity thieves, medical information merchants, and others with no rights to "protected" information.

In my opinion, the (still not yet realized) convenience of being able to have one doctor transmit your record to another, thus avoiding a FAX machine, the Postal Service or the telephone, and the trillion-dollar "solution" to the nearly non-existent problem of being found unconscious in some foreign land with no ID, no companions, and some hidden, critical medical condition not findable on physical exam and bloodwork, EKG, x-rays etc. that will cause death if not treated in minutes, is not worth the risk of having one's most private information spilled all over the Internet.

EHR's should not be accessible on networks beyond a physician's office or the robustly encrypted network of a hospital, and the information security personnel kept on very short leashes, for the foreseeable future.

I am unwilling to cede my own privacy to cybernetic utopians who ignore alarming evidence - plain to see at the aforementioned query links at the top of this post - nor can I in good faith recommend doing so to the public in 2012.

Considering the information in the many posts at the aforementioned query links (as here: link, link -- be aware you need to hit "older posts" at the bottom of each page to see all of them), that position is straightforward.

-- SS

11/9/2012 Addendum:

Also see my Oct. 2012 post "Computer Viruses Are 'Rampant' on Medical Devices in Hospitals."

-- SS
7:50 AM
As if there weren't enough problems with hospitals as computing backwaters, now there's this:

Computer Viruses Are "Rampant" on Medical Devices in Hospitals

A meeting of government officials reveals that medical equipment is becoming riddled with malware.

Technology Review
Published by MIT
David Talbot
Wednesday, October 17, 2012

Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.

While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.

I note the seemingly universal refrain "no injuries have been reported" once more (see this query link to similar statements regarding IT malfunctions), which is irrelevant since reporting mechanisms for medical errors are noted to be deficient.

Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals.  [I note that it should be impermissible to connect "alien" machines to a hospital's network without authorization, and that attaining that level of security protection is not difficult - ed.]  The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.

In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.

In other words, let's run at high risk if it avoids the time and expense of FDA reviews that would ensure the equipment is safe and operates as expected with the software updates.

As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.

It is unclear how the servers running the hospital information system, electronic health records systems, physician order entry systems etc. are immune to spread of the malware.

"I find this mind-boggling," Fu says. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."

The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security and Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.

On its face, that is potentially catastrophic depending on the degree of "slowdown" and whether data is lost.

"It's not unusual for those devices, for reasons we don't fully understand, to become compromised to the point where they can't record and track the data," Olson said during the meeting, referring to high-risk pregnancy monitors. "Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there's someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction."

The reasons seem obvious to anyone who's had a serious malware infection on their PC.  I've only had one - a computer I bought at a fleamarket for $7 was so severely infected it was unusable for even basic tasks, and was resistant to virus removal.  I solved that problem by installing a fresh copy of the OS, immediately followed by all patches and the latest anti-malware software.

The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.

This implies the older systems were running on Win 98 or earlier or an old version of Win NT.  Amazing.

At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.

Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed. "We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can't be used, or they become compromised to the point where their values are adjusted without the software knowing," he said. He explained that when a machine becomes clogged with malware, it could in theory "miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm."

I opine that harm could already have occurred; it just may not have been recognized as such nor reported.  Disappearing data and other EHR failure modes known to have caused harm and/or deaths could be related to malware, for example.

... Malware problems on hospital devices are rarely reported to state or federal regulators, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don't offer updates, Fu says. And such reporting is not required unless a patient is harmed. "Maybe that's a failing on our part, that we aren't trying to raise the visibility of the threat," Olson said. "But I think we all feel the threat gets higher and higher."

I note that health IT related problems are also rarely reported, with only one vendor being the exception (see my post on the FDA MAUDE voluntary reporting database here).  The reasons likely are not because "hospitals believe they have little recourse" - the real reasons may be fear, complacency and/or incompetence.

Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel's problems to be widely shared. "This is a very common profile," he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. "This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this," he said.

Changing the culture would be nice, considering we are now entering a national rollout of complex enterprise clinical resource and workflow control systems anachronistically known as "electronic medical records."

In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA's 2009 guidance, regulations make system changes difficult to accomplish: "In order to go back and update the OS, with updated software to run on the next version, it's an onerous regulatory process."

My comment is, if you can't take the heat of work in the real-world medical setting, if you cannot be part of the medical team, then get out of the clinic.  You're likely to do more harm than good.

John Halamka, Beth Israel's CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that "could not be patched due to [regulatory] restrictions." He said, "No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network."

He added: "Many CTOs [chief technology officers - ed.] are not aware of how to protect their own products with restrictive firewalls. All said they are working to improve security but have not yet produced the necessary enhancements."

Then why are they CTO's?  Is this the phenomenon of generic or underqualified managers rearing its head?


Fu says that medical devices need to stop using insecure, unsupported operating systems. "More hospitals and manufacturers need to speak up about the importance of medical-device security," he said after the meeting. "Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there."

One can only wonder if others have done a Ford Pinto cost-benefit analysis and decided the costs of settlement from injured and dead patients are less than the cost of remediation.

-- SS
10:15 AM
This from a hospital in Canberra, Australia using a common ED EHR in that part of the world, iSOFT:

Canberra Hospital embroiled in data scandal
SBI Magazine (Secure Business Intelligence)
Jul 5, 2012 

A Canberra Hospital executive has admitted to manipulating Emergency Department records to make wait times and stays appear shorter than they were.

The executive told the Director-General of the Health Directorate they had made "approximately 20 to 30 changes to hospital records" a day from "late 2010" onwards.

ABC [Australian Broadcasting Corp.] News reported that the matter has been referred to police, while the executive has been suspended without pay.

Though the data manipulation was initially said to be motivated by concerns over job security, changes in 2011 and early 2012 were said to have been made due to "managerial pressure" to improve publicly-reported performance statistics.

This raises the issue that data manipulation might have been performed not just to improve reported statistics, but to cover up medical error, computer related or not, and thus deny injured patients or their heirs the right to legal redress.

"The only thing that worked to achieve benchmark targets was to alter the data," the executive later told investigators at PricewaterhouseCoopers (PwC), which was engaged by Health to perform a forensics analysis. The analysis is detailed in a new Auditor-General report (pdf).

In total, PwC found 11,700 performance records - about six percent of all records stored in the hospital's iSOFT emergency department information solution (EDIS) - had been altered.

It is believed more staff at Canberra Hospital altered records than the executive that has so far admitted responsibility.  "While an executive has admitted to changing EDIS records, it is probable that EDIS records have also been manipulated by other persons with access to the system," the federal auditor-general noted overnight.

This is another area where electronic records make possible tasks that are probably impossible with paper.  Altering 11,000+ records would be hard in paper charts, as the alterations would likely stick out in a pronounced manner.

"The executive’s admission to Audit does not appear to account for all of the changes to EDIS records that have been made to improve timeliness performance."

For example, changes to EDIS records, albeit a much smaller number, appear to have been made on days when the executive was on leave (seven days in total in 2010-11 and early 2011-12). 

I am saddened to note, a proper term for this activity might indeed be "conspiracy":  a conspiracy is an agreement between two or more persons to break the law at some time in the future.

User access control, IT security failures

Poor controls such as generic logins and inadequate user and password security made it easy for insiders to game the data.

While EDIS was on approximately 259 workstations across the hospital and 253 users had permission to run the software, there were only 23 user accounts.

Of these user accounts, only eight were in regular use, including four named administrator accounts (specific to administrative staff) and four generic user accounts: CLERK, NURSE, DOCTOR and BEDMAN.

The generic accounts could be used by personnel across the hospital, not just within the Emergency Department.

Passwords for the four generic user accounts were "very poor" and had "never been changed". Password expiry was set at a default 999 days.

Audit logs were equally poor, not proactively checked and unreliable.

The proper term for these arrangements might be "gross mismanagement" of clinical information technology.

"A feature of the logging record is that it logs the changed field in EDIS and a number of other fields simultaneously, while not identifying which field was changed and what its original value was," auditors noted.

"Audit also notes that the logging record is also ineffective, because every entry in EDIS is logged from “Workstation 14”.  

"Although EDIS has been disseminated widely throughout the Canberra Hospital each of these users logs into EDIS using the common “Workstation 14”.

"This practice, combined with the use of generic user accounts, makes the EDIS logging information useless for investigations of unauthorised activity."

Furthermore, it was possible to edit EDIS records up to 72 hours after a patient’s treatment, providing a generous window for later unauthorised changes to the records.

These "features" sound like seller misdesign with regard to the metadata (logging records).
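
The logging gaps the auditors list (no record of which field changed or of its original value, generic accounts, every entry stamped "Workstation 14") are easier to see against a trail that does capture those things. The Python below is an added example, not code from EDIS or from the audit report; the field names, the users `jsmith` and `amiller`, and the sample edits are constructed for illustration.

```python
"""Field-level audit trail for ED timing edits, with an attribution review."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

GENERIC_ACCOUNTS = {"CLERK", "NURSE", "DOCTOR", "BEDMAN"}  # named in the audit
TIMING_FIELDS = {"seen_at", "departed_at"}                 # hypothetical names


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    workstation: str
    record_id: str
    field: str       # which field changed
    old: object      # value before the edit
    new: object      # value after the edit


def apply_edit(record, trail, field, new, user, workstation, when):
    """Change one field and append an event that keeps the replaced value."""
    trail.append(AuditEvent(when, user, workstation, record["id"],
                            field, record[field], new))
    record[field] = new


def original_value(trail, record_id, field, current):
    """Recover a field's first recorded value; `current` if never edited."""
    for ev in trail:                      # trail is in append (time) order
        if ev.record_id == record_id and ev.field == field:
            return ev.old
    return current


def dominant_workstation(trail):
    """Return (workstation id, share of events). A share near 1.0 across
    many users means the workstation field identifies nothing."""
    name, hits = Counter(ev.workstation for ev in trail).most_common(1)[0]
    return name, hits / len(trail)


def review(trail):
    """Return (event, reasons) for edits an investigator should examine."""
    findings = []
    for ev in trail:
        reasons = []
        if ev.user.upper() in GENERIC_ACCOUNTS:
            reasons.append("generic account")
        if ev.field in TIMING_FIELDS and ev.new < ev.old:
            reasons.append("timestamp moved earlier")
        if reasons:
            findings.append((ev, reasons))
    return findings


def constructed_case():
    """One constructed patient record and three edits (not real data)."""
    day = lambda h, m: datetime(2012, 1, 5, h, m)
    record = {"id": "R1", "arrived_at": day(10, 0), "seen_at": day(10, 52),
              "departed_at": day(15, 10), "note": "chest pain"}
    trail = []
    apply_edit(record, trail, "seen_at", day(10, 30),
               "NURSE", "Workstation 14", day(16, 0))
    apply_edit(record, trail, "departed_at", day(14, 0),
               "jsmith", "Workstation 14", day(16, 5))
    apply_edit(record, trail, "note", "chest pain, ECG done",
               "amiller", "Workstation 14", day(16, 9))
    return record, trail


if __name__ == "__main__":
    record, trail = constructed_case()
    for ev, reasons in review(trail):
        print(ev.record_id, ev.field, ev.old, "->", ev.new, ev.user, reasons)
    print("original seen_at:",
          original_value(trail, "R1", "seen_at", record["seen_at"]))
    print("dominant workstation:", dominant_workstation(trail))
```
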

Noticing anomalies

It was only in April this year that a full inquiry was commissioned after "anomalies" in performance figures were spotted by the Australian Institute of Health and Welfare (AIHW).

The AIHW found an unusually high number of emergency patients that were reported to have been seen at exactly within the required time for their illness category.

For example, there was an unusually high number of patients who were reported to have been seen at exactly 30 minutes or 60 minutes.

In addition, an unusually high number of people checked out of the Emergency Department precisely 240 minutes after their recorded arrival.

If you're going to engage in this type of activity, at least be competent at it...instead of setting up a red flag bigger than the flag that used to fly over the Kremlin.
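
The anomaly AIHW noticed, too many patients recorded at exactly 30, 60 or 240 minutes, can be tested by comparing the count at the benchmark minute with the minutes around it. The Python below is an added example, not AIHW's or the auditors' method; the data is constructed, and the distribution parameters and flagging cut-offs are assumptions.

```python
"""Heaping check: are ED timings piled up exactly on a benchmark minute?"""
import math
import random
from collections import Counter

RATIO_LIMIT = 3.0   # assumed cut-off: spike is 3x the surrounding minutes
P_LIMIT = 1e-6      # assumed cut-off: and far outside Poisson counting noise

# benchmark name -> (target minute, mean, sd); mean and sd are assumptions
BENCHMARKS = {
    "seen within 30 min": (30, 35, 15),
    "seen within 60 min": (60, 55, 25),
    "left ED within 240 min": (240, 200, 70),
}


def poisson_tail(k, lam):
    """Return P(X >= k) for X ~ Poisson(lam)."""
    if k <= 0:
        return 1.0
    term = cdf = math.exp(-lam)
    for i in range(1, k):
        term *= lam / i
        cdf += term
    return max(0.0, 1.0 - cdf)


def heaping(durations, target, window=5):
    """Compare the count at exactly `target` minutes with nearby minutes."""
    counts = Counter(durations)
    under = [counts[m] for m in range(target - window, target)]
    over = [counts[m] for m in range(target + 1, target + window + 1)]
    # Rewritten overruns raise the count at the target and thin out `over`;
    # the just_under / just_over pair exposes that cliff.
    expected = max((sum(under) + sum(over)) / (2 * window), 0.5)
    at_target = counts[target]
    ratio = at_target / expected
    p_value = poisson_tail(at_target, expected)
    return {
        "at_target": at_target,
        "expected": round(expected, 1),
        "ratio": round(ratio, 1),
        "p_value": p_value,
        "just_under": sum(under),
        "just_over": sum(over),
        "flagged": ratio >= RATIO_LIMIT and p_value < P_LIMIT,
    }


def constructed_sample(seed, target, mean, sd, share, n=4000):
    """Constructed minutes-per-patient data, not real hospital records.

    A `share` of the records that overran `target` by up to 30 minutes is
    rewritten to exactly `target`, imitating the edits the audit describes.
    """
    rng = random.Random(seed)
    minutes = []
    for _ in range(n):
        value = max(1, round(rng.gauss(mean, sd)))
        if target < value <= target + 30 and rng.random() < share:
            value = target
        minutes.append(value)
    return minutes


def build(share):
    """Return {benchmark: (target, minutes)} with the given rewrite share."""
    return {name: (target, constructed_sample(i, target, mean, sd, share))
            for i, (name, (target, mean, sd)) in enumerate(BENCHMARKS.items())}


def scan(datasets):
    """Return the benchmarks whose timings heap on the target minute."""
    return [name for name, (target, minutes) in datasets.items()
            if heaping(minutes, target)["flagged"]]


if __name__ == "__main__":
    for label, share in (("unedited", 0.0), ("half of overruns rewritten", 0.5)):
        print(label, "->", scan(build(share)) or "no heaping")
        for name, (target, minutes) in build(share).items():
            print("   ", name, heaping(minutes, target))
```

The same comparison works on real exports once timings are rounded to whole minutes; the window and cut-offs need tuning to the department's volume.
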

The records that were manipulated mean that publicly reported information relating to the timeliness of access to the Emergency Department and overall length of stay in the Emergency Department have been inaccurately reported.

The report could not ascertain the level of over‐estimation due to the lack of a clear audit trail identifying what were legitimate and what were fabricated entries in patients’ records.  

Timelines can be critical to proving medical negligence in court.  Further, if time data could have been manipulated, it seems clinical data could have been manipulated as well.

EHR data manipulation is of unknown magnitude worldwide, but I can imagine if it's easy to do and the benefits potentially substantial, electronic records could possibly be less trustworthy than paper records.

-- SS

Addendum:  while on the topic of clinical IT Down Under, there's also this:

Coast medical records system 'dangerous'
Stephanie Bedo
Goldcoast.com.au


Doctors have complained about the system, saying some patient documents are missing, it has log-in problems and 10-minute delays in accessing critical information.

Gold Coast Health was the first region in the state to move to electronic record-keeping, rolled out progressively from October last year.

Queensland Health spent about $200 million on the electronic medical record roll-out last year, which was delayed by 12 months because of problems with the software provider.

... Hospital cardiologist Dr Greg Aroney raised concerns about the system at a Griffith University forum on the future of health on the Gold Coast this week.

"Our system is totally inadequate and dangerous," Dr Aroney said.


Read the whole story at this link:   http://www.goldcoast.com.au/article/2012/07/06/429621_gold-coast-news.html

A similar story from the states where the doctors' complaints were actually ignored is at my Sept. 2011 post "Blake Medical Center (Bradenton, Fla.) Ignores Health IT Warning Letter From 100 Staff Physicians." 

Let's hope the Australian physicians' complaints are taken more seriously.

-- SS
1:12 PM
At past posts "Don't Worry, Your Electronic Medical Records Are Getting Safer With Every Passing Day", "Another Episode of "But Don't Worry, Your Records are Safe..." and "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure", "Don't Worry, Your Records are Safe - Part IV" and others, I wrote on the issue of medical record security.

Banking has been held up as the standard against which medicine is compared, with medicine being called archaic and behind the times for its reliance on paper.  Banking security is cited as a reason why electronic medical records can also be secured.

There's this:

Fraud Ring In Hacking Attack On 60 Banks 

June 27, 2012

Some 60m euro is stolen from bank accounts in a massive cyber raid, after fraudsters raid dozens of banks around the world.

By Pete Norman, Sky News Online


Sixty million euro has been stolen from bank accounts in a massive cyber bank raid after fraudsters raided dozens of financial institutions around the world.

According to a joint report by software security firm McAfee and Guardian Analytics, more than 60 firms have suffered from what it has called an "insider level of understanding".

"The fraudsters' objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research - Operation High Roller," the report said.

"If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as 2bn euro (£1.6bn)."

The automated malicious software programme was discovered to use servers to process thousands of attempted thefts from both commercial firms and private individuals.

The stolen money was then sent to so-called mule accounts in caches of a few hundreds and 100,000 euro (£80,000) at a time.

Credit unions, large multinational banks and regional banks have all been attacked.

Sky News defence and security editor Sam Kiley said: "It does include British financial institutions and has jumped over to North America and South America.

"What they have done differently from routine attacks is that they have got into the bank servers and constructed software that is automated.

"It can get around some of the mechanisms that alert the banking system to abnormal activity."

The details of the global fraud come just a day after the MI5 boss warned of the new cyber security threat to UK business.

McAfee researchers have been able to track the global fraud, which still continues, across countries and continents.

"They have identified 60 different servers, many of them in Russia, and they have identified one alone that has been used to steal 60m euro," Kiley said.

"There are dozens of servers still grinding away at this fraud – in effect stealing money."

That's all very reassuring.   Let's put all of our personal medical secrets online ASAP.  Don't worry, your information's safe and secure.

-- SS


10:39 AM