US healthcare technology: Move to standardize APIs for patient data access receives mixed response

Source: National Cyber Security – Produced By Gregory Evans

Emma Woollacott

12 March 2020 at 15:38 UTC

Updated: 12 March 2020 at 15:42 UTC

Interoperability rules largely welcomed, but potential privacy and security issues must be addressed, experts warn

New rules giving patients better access to their medical data have been approved by the US Department of Health and Human Services (DHSS) – but experts warn that security may not be entirely sewn up.

Currently, many electronic health record contracts contain provisions that either prevent or are perceived to prevent the sharing of information related to the records in use, such as screenshots or video.

From the beginning of next year, though, health plans doing business in Medicare, Medicaid, CHIP, and federal exchanges will be required to share patients’ health data.

Meanwhile, a new API will allow developers to create apps allowing patients to access their own data, as well as integrating a health plan’s information with their electronic health record (EHR).

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel, and every other component of their lives,” says Don Rucker, national coordinator for health information technology.

“This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.”

Predatory apps and snake oil warning

The new rules are generally being welcomed – with reservations.

“I’m not sure diving in headfirst by giving patients apps to access their own healthcare records via mobile apps is a good idea,” says Paul Bischoff, privacy advocate for security research firm

“Patients might not know what they’re agreeing to when handing over permission to apps to access their health records. This could lead to predatory apps that leverage medical records to sell snake oil.”

Meanwhile, says Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, the nature of the US’ insurance-based healthcare system means that patients may need to be careful about the information they share.

“Given the sensitive nature of medical records, and the potential for a pre-existing condition to negatively influence future patient care, vetting of both app creators and medical data usage in care decisions are concerns,” he says.

“As consumers embrace apps as a proxy for physical identification and their mobile devices as a central store for their most sensitive data, both the security of those apps and the potential for compromise of a mobile device become increasing concerns.”

Much-needed security standard

According to the DHSS, similar apps already exist, in the form of Medicare Blue Button 2.0, which allows patients to securely connect their Medicare Part A, Part B and Part D claims and other data to apps and other tools.

More than 2,770 developers from over 1,100 organizations are working in the Medicare Blue Button 2.0 sandbox, it says, and 55 organizations have applications in production.

But, says David Jemmett, CEO and founder of security firm Cerberus Sentinel, it could be hard to implement a comprehensive security standard.

“As things stand currently, you don’t know if your portal has been checked for security standards unless there has been certification to meet a number of additional standards,” he says.

“Often the code itself goes unchecked and third-party companies can be building them for the interface, but there is no one to go line by line, ensuring security standards are met to certify the software.”


Fake Exec Tricks New York City Medical Center into Sharing Patient Info

An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility’s executives. 

The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff. 

VCRN were notified on or about Monday, December 30, that a cruel deception had taken place.

In a Notice of Data Privacy Incident statement published on VCRN’s website, the company stated: “The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”

Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients. 

VCRN said: “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”

The medical center said that they weren’t aware of any personal patient information having been misused as a result of this event.

Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.

The center said: “We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures.”

VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident. 

The data breach has been reported to law enforcement and to the relevant regulatory authorities. 

VCRN advised patients “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”  



FastMed Improves Urgent Care And Patient Privacy with Idaptive

For FastMed Urgent Care, speed and efficiency are about much more than creating operational excellence. It translates into prompt, personal, and high-quality medical care where and when patients need it. With a laser focus on providing best-in-class family and occupational healthcare, FastMed is constantly looking for […]

Google Slurps 150 Hospitals’ Patient Data With No Consent

The mysterious Project Nightingale has been revealed as a secret Google operation to store and manipulate the healthcare data of millions of patients. Nobody consented—nobody was asked.

Google claims it’s all legal. Perhaps it is, but is it ethical? And is it a good look to be found out?

It’s no wonder people don’t trust Google any longer. In today’s SB Blogwatch, we feel sick.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: diabetuhs.

Florence Looks Cross

What’s the craic? Rob Copeland reports—“‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans”:

 Google is engaged with one of the U.S.’s largest health-care systems on a project to collect and crunch the detailed personal-health information of millions of people across 21 states. [It] appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data.

Google began Project Nightingale in secret last year. … Neither patients nor doctors have been notified. … Privacy experts said it appeared to be permissible under federal law [HIPAA].

The data involved in the initiative … amounts to a complete health history, including patient names and dates of birth. [But] staffers across … Google’s parent have access to the patient information.

Google, like many of its Silicon Valley peers, has at times drawn criticism for not doing enough to protect user privacy. … Google co-founder Larry Page, in a 2014 interview, suggested that patients worried about the privacy of their medical records were too cautious.

Yikes, is that true? Natasha Singer, Daisuke Wakabayashi, Reed Abelson, and Aaron Krolik second-source the claims—“Google to Store and Analyze Millions of Health Records”:

 The partnership between Google and the medical system, Ascension, could have huge reach. Ascension operates 150 hospitals. … It is legal [but] many patients may not trust Google, which has paid multiple fines for violating privacy laws, with their personal medical details.

Google’s handling of health care data is a touchy subject. … Dozens of Google employees may have access to patient data like name, birth date, race, illnesses and treatments, according to … internal documents obtained by [us].

At least a few Ascension employees in the project have raised concerns that Google employees downloaded patient data, according to the internal documents. They have also raised concerns about whether all of the Google software involved in processing Ascension patient data complies with … HIPAA.

Busted! Google’s Tariq Shaukat quickly rushes out a PR blurb about, “Our partnership with Ascension”:

 Today, we’re proud to announce more details on our partnership with Ascension. … There’s been a good deal of speculation … so we want to make sure everyone has the facts.

Our work with Ascension is … a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers. … All of Google’s work with Ascension adheres to industry-wide regulations.

This is standard practice. … It’s understandable that people want to ask questions.

Standard business arrangement? Nothing to see here? Bogdan Petrovan concludes, “Google rushes to explain what it’s doing with all that medical data”:

 Yesterday, a bombshell report … revealed details about a partnership between Google and Ascension. … For privacy advocates, this revelation is understandably worrying.

Shaukat confirmed Google’s work with Ascension, but said there’s nothing unusual or shady about it. … Google said it merely provides Ascension with some services.

There is … little reason to doubt its claims. … That said, the fact that Google rushed out a blog post to “proudly announce” Project Nightingale speaks volumes.

Google is becoming synonymous with a disregard for privacy, perhaps not entirely unfairly. … The average consumer won’t care, and cannot be expected to know, that Google Cloud is HIPAA compliant or that hospitals have been routinely sharing data … for decades.

Fighting this perception of untrustworthiness is a huge challenge for Google, and it’s only going to get harder.

You can say that again. rnturn doesn’t buy Google’s claims of legality:

 It’s a massive violation of the protections set up under HIPAA. Or, at least, the vast majority of Americans have been led to believe it’s a violation of the law.

Most people think that HIPAA covers any and all disclosures but … employers, insurance companies, and others … aren’t covered by that aspect of the law. This is rarely, if ever, mentioned.

But Farzad Mostashari—@Farzad_MD—worries about culture (and not the sort in a petri dish):

 The perception of Google culture is that no-one curbs the curiosity of engineers. … They have to convince people that they actually have controls in place to ensure that the data is only being used for the purposes of the agreement.

The perception [is] Google’s culture makes it more likely (than at a claims clearinghouse) for an individual engineer to play around with data, not [realizing] they are breaking the terms of [an] agreement.

However, oakmad hopes privacy fears won’t trump actual healing:

 My start up is in the healthcare space. … There’s definitely a group here who think that [patients] just need to accept that their data is going be fed into models … as it will help outcomes and costs, etc.

Having seen some of the results that AI is catching out in the field I’m tending towards universal good over personal privacy – though I may regret that.

So merely a PR flub? Yasmeen Shorish—@yasmeen_azadi—says no:

 We’re out here chasing after ethics education in data science while AI applications are being deployed in secret and potentially problematic ways. The lack of disclosure to patients and doctors is completely inexcusable.

Another example of something legal, but not very ethical.

And QuietLagoon asks the obvious question:

 If the data are so useful to those who steal it from patients and beneficial to those patients, then why perform the collection surreptitiously and without the permission of … the patients?

Meanwhile, ufgrat wonders if—on paper—Google did get permission:

 If patients are being tricked into signing away their rights, the lawsuits could be… spectacular.

And Finally:

So you’ve got diabetes; but how to pronounce it?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U. Texas at Austin


Hackers access patient data at Oklahoma State facility

Hackers attacked Oklahoma State University Center for Health Sciences, and some 279,865 individuals have been notified that their protected health information may have been compromised.

The organization learned on Nov. 7, 2017, that an unauthorized party had gained access to data on the computer network that contained Medicaid billing information. The university removed the data from the network, terminated the unauthorized access, and called in forensic specialists to help determine the extent of the compromise.

The investigation could not determine with certainty whether patient information was accessed, the university told affected patients in a notification letter.

Compromised data included patient names, Medicaid numbers, healthcare provider names, dates of service and limited treatment information, along with one Social Security number. To date, there is no indication of inappropriate use of patient information, according to the university.

“At OSU Center for Health Sciences, we care deeply about our patients,” the notification letter states. “Patient confidentiality is a critical part of our commitment to care, and we work diligently to protect patient information. We apologize for any concern or inconvenience this incident may cause our patients.”

A dedicated call center has been established for patients to get more information, and patients are urged to be on alert for any healthcare services they incur that they did not actually receive from their providers, and immediately contact their providers and Medicaid.

The university is not offering credit monitoring services to affected individuals, since no financial information was exposed; the one individual whose Social Security number may have been compromised was given credit protection services.


Pacemakers and patient monitors can be hacked in seconds, San Diego experts discuss threat

 San Diego cyber security expert Ted Harrington with Independent Security Evaluators invited us to his Downtown office to see how quickly and easily he and his colleagues demonstrate successful hacks of modern medical devices. Medical devices like pacemakers and patient monitors are some of the newest vulnerabilities to cyber attack in the healthcare industry.

The threat hits home. According to the California Life Sciences Association, the state has more medical device jobs than anywhere in the nation, with 74,000 employees. A total of 7,700 of them are based in San Diego.

San Diego is a city that’s no stranger to malicious software or “malware” assaults on the medical sector. Last year, the 306-bed Alvarado Medical Center had its computer system affected by what it called a “malware disruption”. The hospital briefly considered doing an on-camera interview with us about the security changes that have been implemented since the incident, but then it backed out.

The hospital spokesperson cited in part, “A careless slip during an interview can reveal possible [vulnerabilities] in our ‘armor’ that a hacker can take advantage of.”

Also last year, nearby Hollywood Presbyterian Medical Center made headlines when it paid a $17,000 ransom to the hacker who froze its computer system for several days.

“Healthcare is attacked more than any other industry because that’s where the money is,” writes prominent cybersecurity company Sophos in its SophosLabs 2018 Malware Forecast report.

A records check on the U.S. Department of Health and Human Services’ Office of Civil Rights website shows a total of thirteen California healthcare facilities that are currently under investigation for reported hacks.

Now, the threat to patient privacy could be challenged by a threat to patient safety.

Harrington and his team connected my finger to a sensor that was attached to a patient monitor. My healthy vitals were displayed on the patient monitor screen and on the screen representing a nurse’s computer.

In a real-world setting, that nurse’s computer would be in a different room from the patient and his or her monitor. 10News Reporter Jennifer Kastner was asked to remove my finger from the sensor, to make it look like she was flat-lining, but Harrington and his team hacked the nurse’s computer in seconds to make the nurse’s computer show that she was still healthy.

He and his team also showed us they could hack a patient’s displayed blood type.

“If the physician thinks the patient is a certain blood type and orders a transfusion of a different blood type, that directly hurts the patient. It would most likely result in a fatality,” says Harrington.

In October, the FBI put out a warning about the growing concern over cyber criminals targeting unsecured “Internet of Things (IoT)” devices, including medical devices like wireless heart monitors and insulin dispensers.

Years ago, it was reported that former Vice President Dick Cheney had his pacemaker altered to prevent an assassination attempt.

“We can’t bury our heads in the sand anymore. These types of medical cybersecurity vulnerabilities are going to become commonplace,” says Dr. Christian Dameff with UC San Diego Emergency Medicine.

Dameff is also a self-described hacker. Despite the FDA’s claim that there aren’t any known cases of patients’ devices getting hacked, Dameff believes attacks have happened and they were likely accidental, but never got reported.

“These devices in our systems are not well equipped to even discover these types of attacks,” he said. “It’s essentially like asking a toaster to figure out if your house has been hacked. They’re just not designed to find out.”

The experts we spoke to want to make it clear that while there’s a threat of cyber attacks on medical devices, the likelihood of it happening to the average patient is low. They urge people to stay mindful of the risks and talk to their healthcare providers about solutions.


600 patient records breached at Trios Health


Trios Health has terminated an employee after finding out they accessed multiple patient records without permission. So far, an internal investigation shows electronic health records of about 600 patients have been accessed by that employee. This took place between October 2013 and March of this year. Elizabeth Rice, the director…


Patient info stolen in hacker attack


Hospital operator Community Health Systems says a cyber attack took information on more than 4 million patients from its computer network earlier this year. That may impact patients and families in the Eastern Carolinas. The Franklin, Tennessee, company says no […]


Federal agencies investigating how hacker gained access to patient data


The FBI and other federal agencies are continuing to investigate a cyberattack that hacked personal information from 4.5 million U.S. health patients, including those at Spartanburg-based Mary Black Health System. Authorities determined in July that Community Health Systems, Inc. was […]
