medical

#cybersecurity | #hackerspace | Billions of Medical Images Leaked in Huge Privacy Puzzle

Source: National Cyber Security – Produced By Gregory Evans

Security researchers say healthcare providers are failing to secure highly sensitive patient medical data. Mind-boggling amounts of health info are just sitting on internet-connected servers, with only a well-known default password—or no password at all.

And it’s despite frequent warnings. The scale of the problem has only grown in recent months.

Imagine that. In today’s SB Blogwatch, we prescribe radical surgery.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nice pipes (giggity).


HIPAA PACS FAIL

What’s the craic, Zack? Mister Whittaker reports—“A billion medical images are exposed online, as doctors ignore warnings”:

 Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone … to access over 1 billion medical images of patients. … About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

The problem is well-documented. Greenbone found … more than 720 million medical images in September. … Two months later, [it doubled]. The problem shows little sign of abating.

Medical images … are typically stored in … a PACS server. … But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password. … Some of the largest hospitals and imaging centers in the United States are the biggest culprits.

Many patient scans include … the patient’s name, date of birth and sensitive information about their diagnoses. … Yet, patients are unaware that their data could be exposed on the internet for anyone to find.

HIPAA created the “security rule” … designed to protect electronic personal health information. … The law also holds healthcare providers accountable for any security lapses [which] can lead to severe penalties. … Experts who have warned about exposed servers for years say medical practices have few excuses.

And Renée Fabian adds—“Unsecured Medical Images Are an Underrated Threat”:

 Compromised medical data is life-altering — worse than having your financial information stolen — and in some cases, even life-threatening. … But the general public still has their eyes on financial identity theft as the bigger threat.

However, when your health-related information is used by someone else … it can have a much bigger impact than stolen financial data. … Here’s how:

Errors in your medical record constitute one of the biggest dangers. … A diagnosis you don’t have, medication you’re allergic to, the wrong blood type or treatments you never actually get [can] make it into your permanent health care file. [So] you may end up in a situation where you’re treated with something that’s harmful.

You could also fail a physical job exam because a medical condition you don’t have ends up in your medical record. … It puts you at greater risk of discrimination, especially at work.

Your legitimate [insurance] claims may be denied. The company may flag or cancel your policy because of a suspicious number of claims or another person’s information on your record. [Or] you may be denied health or life insurance in the future.

Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web. … Criminals get more bang for their buck out of your health data.

Are you sure we’re not hyping this up a bit? Mark Davis is horrified:

 Images, as actually used, usually do contain demographics. But they also often contain indications and sometimes diagnosis and treatments. Those are the absolute most sensitive of all information.

Indications are the reason for the image and would be something like “suspected pneumonia.” Diagnoses are official labels of sickness/illness/disease, like “AIDS.”

I can’t overstate how bad disclosing such information is, when it comes to protecting privacy.

Specifically, what are the legalities? Here’s Oliver Jones:

 It’s possible to see so-called “protected health information” (PHI) in these images. … HIPAA and ARRA 2009 (follow-on legislation) made it a federal crime to knowingly or negligently disclose PHI.

Natural persons can be tried and convicted, even if they were acting on behalf of corporations. … The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached.

It wouldn’t surprise me if the people involved in securing these sloppily configured … servers are in a state of panic. … I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah … it stinks to be them.

So doctors are to blame? prostheticvamp thinks that’s too simplistic:

 I have never, in all my years of working in healthcare, seen a hospital or physician’s office directly install and manage PACS. They pay a third-party—usually the vendor—to install, configure, and walk them through it.

Healthcare-related technology was largely pushed on the industry via legislation. … When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of **** that no one wants to invest more time and money into than absolutely needed.

When it comes to healthcare, everything is always the doctor’s fault. It’s convenient to have a single target to blame. … Never mind that most physicians are just employees … in massive organizations, with extremely heavy regulatory oversight.

If an organization that runs three hospitals can’t … secure their PACS system with a decent password, that’s the fault of the physician about as much as it’s the fault of the nurse, the janitor, the cafeteria chef, etc. … We’re just line workers. We try to do our best by patients, but we ain’t in charge of anything.

OK, but what can IT do about it? imidan’s suggestion is clouded by their gender presumption:

 The IT guy needs to talk to the lawyer and the insurance guy. The lawyer will **** his pants at the HIPAA violation, and the insurance guy will **** his pants at the likely cost of judgment for the inevitable prosecution.

The three of them can go to the person in charge and explain the problem in terms of the technical, legal, and financial. When it’s clear that the fallout of prosecution includes fines so big they make the practice uninsurable, jail time for personnel who wantonly violated, and the loss of license for doctors, I would hope they’d listen.

It gets worse. wswope has this head-meets-desk moment:

 Fun experiment: use Google Maps API to search a major US metro area for medical practices. Pick out any websites that don’t use TLS. Crawl them for HTML forms that include common PHI keywords. You’ll find a lot.

Meanwhile, what of our neighbors to the north? Here’s ceoyoyo:

 Here in Canada, hospitals are super paranoid about their PACS. As originally designed, PACS really couldn’t transmit images over the Internet at all, and most hospitals still have it configured that way.

And Finally:

Riccardo Bonci is going straight to Heck

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stephen Hampshire (cc:by)

The post #cybersecurity | #hackerspace | Billions of Medical Images Leaked in Huge Privacy Puzzle appeared first on National Cyber Security.

View full post on National Cyber Security

Connected Medical Device & IOT Security Summit

General Cybersecurity Conference

 January 25 – 26, 2018 | Baltimore, Maryland, United States

Cybersecurity Conference Description 

Healthcare providers and medical device companies are currently facing ever-growing financial, legal, operational, and patient safety challenges as a result of cybersecurity threats. Malware attacks are evolving and becoming more sophisticated, while preventable privacy breaches are becoming more common in all industries across the globe. The fall in the black market price of stolen data, along with improvements in “Black Hat” customer service, implies we are facing a mature, evolving, and resilient enemy.

The healthcare industry is moving to new revenue models, value-based care, shared risk, and precision medicine, creating a growing proliferation of distributed and connected medical devices and cloud-based IT systems that incorporate personal genetic, medical, and behavioral data. These systems must share with each other not only clinical data but also financial data, risk information, and vulnerability information.

As connections grow and devices move out of the hospital into patients’ homes and to geographically distributed providers, new threats, new vulnerabilities, attack surfaces, and hazards are created that go far beyond the typical concerns of stand-alone components. Stolen information is being combined with stolen financial and publicly disclosed personal data to create new black market “products”. Safeguarding our entire care delivery system requires meeting the daunting challenge of maintaining regulatory compliance, ensuring patient confidence, detecting insider threats, and maintaining the integrity of shared data, all without interfering with patient care.

Addressing these issues involves an ever-expanding body of stakeholders: regulated and unregulated manufacturers, public and private payers, both the healthcare financial and technology industries, regulators, standards bodies, as well as hospitals, providers, payers, the law enforcement community and – not least of all – patients.

We are at a critical juncture in Healthcare. As an industry, we must combat these threats in multiple dimensions and on many fronts. The Summit will bring together healthcare, medical device, and security experts to offer a unique complete end-to-end perspective on the cybersecurity environment – from the economics and motivations of ransomware authors to the needs of the patient. The Summit will offer practical solutions to many of the daunting security challenges facing medical device and connected health technology companies, healthcare providers, payers and patients.

The post Connected Medical Device & IOT Security Summit appeared first on National Cyber Security Ventures.

How the #FDA #Pushes #Medical Device #Cybersecurity

A phony myth might be fun on Halloween, but spooky is no good in the medical device industry. Still, quite a few legends surrounding the FDA’s role in promoting the cybersecurity of medical devices have bounced around the healthcare-technology sphere. Today, a higher-up in the agency made clear what exactly the regulator does to encourage strong digital defenses—and why that goal is crucial.

Suzanne B. Schwartz, MD, MBA, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, wrote a blog post championing a thorough approach to device security, from a project’s early days to long after it enters the market.

“With so many devices dependent on software and internet access today, having a plan in place to address cybersecurity risks is as essential to the device development process as coming up with a novel new product,” Schwartz wrote. “Working with the medical device industry and other federal agencies, FDA will continue its work to ensure the safety and effectiveness of medical devices at all stages of their lifecycles against potential cyber threats.”

For one, the regulator has published guidances encouraging device manufacturers to track cybersecurity risks throughout a product’s life, she noted. The agency “incentivizes industry” to update marketed and distributed devices to reduce cyberattack risks, she said.

The recommendations are meant to help companies navigate the complex nature of “critical safety systems,” requiring a “collaborative approach to finding solutions,” Schwartz wrote.

Released in late 2016, the guidance for post-market management is a 30-page document that lists specific vulnerabilities that companies should test, how they should go about doing that, threat reporting recommendations, and more. For instance, the document notes that changes to a medical device made solely to boost security—like a patch—are considered enhancements and don’t need to be reported.

The FDA also aims to work with manufacturers and the public to dispel myths. Some common bogus claims?

The FDA is the only federal body responsible for medical device cybersecurity. (It’s not.)
Cybersecurity for medical devices is optional. (Federal regulations require risks to be addressed.)
Medical manufacturers can’t update devices for security. (They always can.)
Healthcare organizations can’t patch devices to beef up their cyber defenses. (The FDA recommends they “work closely” with manufacturers.)
The FDA validates security software changes. (That’s up to the manufacturer.)
The FDA tests the cybersecurity of medical devices. (Again, that task falls on the company.)
Developers of off-the-shelf software used in medical devices must ensure the code is secure for healthcare uses. (Yet another responsibility of the device maker.)

The regulator considers cybersecurity efforts in this area important not just because of the potential loss or theft of patient medical data, but also because of the health implications, Schwartz wrote. “A breach that potentially impacts the safety and effectiveness of a medical device can threaten the health and safety of an individual or patients using the device,” she explained.

She pointed to cyberattacks, like WannaCry and Petya, which have exposed vulnerabilities in healthcare across the globe in 2017. If healthcare is to stay on top of these “constant” threats, hospitals, device makers, and other organizations must team up, Schwartz wrote.

How healthcare providers can curb medical identity theft

Medical records are valued at 20 to 50 times more than financial identities on the black market. Medical identity theft is on the rise. Medical records are a hot target for hackers because, according to the FBI, medical identities are valued at 20 to 50 times more than financial identities…

Siemens to update medical scanner software amid Homeland Security warning machines could be hacked

German industrial group Siemens expects to update software in some of its medical scanners by the end of the month to deal with vulnerabilities that could, in theory, allow some of this equipment to be hacked, a company spokesman said on Monday. Last week, the U.S. Department of Homeland Security…

CYBERSECURITY BILL TAKES AIM AT VULNERABILITIES IN MEDICAL DEVICES

On July 27, U.S. Senator Richard Blumenthal (D-CT) introduced the Medical Device Cybersecurity Act of 2017, a bill that CHIME supports. The legislation, S.1656, would make the cybersecurity capabilities of medical devices more transparent to providers, clarifies expectations concerning security enhancements and maintenance of medical devices and establishes a cybersecurity…

Stolen medical records uncovered in identity theft scheme

MARIETTA, Okla. (KXII)– Authorities confirmed Thursday that medical records were stolen in addition to mail, in two identity theft arrests made last month. “We’ve been violated as a hospital, the community’s been violated, and we suffered the theft of some records that was inappropriate, and will not happen again.” Mercy…

UA grads battle medical hacking

TUCSON (KGUN9-TV) – Two University of Arizona grads are working to educate healthcare providers to stop hackers from taking control of medical devices in peoples’ bodies. Dr. Christian Dameff and Dr. Jeff Tully recently participated in the first CyberMed Summit, which simulated what would happen if a hospital or a…

Mother accused of trying to smother child has medical background

CHARLOTTE, N.C. – A mother who is accused of trying to smother her 1-year-old son with her hands and a pillow while at Levine Children’s Hospital made her first appearance in …

The post Mother accused of trying to smother child has medical background appeared first on Become007.com.

NEET: Medical entrance server was hacked, two held, say cops

With the arrest of two people, Delhi Police have cracked a case wherein computer servers were allegedly hacked during the National Eligibility …
