US healthcare technology: Move to standardize APIs for patient data access receives mixed response
Source: National Cyber Security – Produced By Gregory Evans
Interoperability rules largely welcomed, but potential privacy and security issues must be addressed, experts warn
New rules giving patients better access to their medical data have been approved by the US Department of Health and Human Services (DHSS) – but experts warn that security may not be entirely sewn up.
Currently, many electronic health record contracts contain provisions that either prevent or are perceived to prevent the sharing of information related to the records in use, such as screenshots or video.
From the beginning of next year, though, health plans doing business in Medicare, Medicaid, CHIP, and federal exchanges will be required to share patients’ health data.
Meanwhile, a new API will allow developers to create apps allowing patients to access their own data, as well as integrating a health plan’s information with their electronic health record (EHR).
“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel, and every other component of their lives,” says Don Rucker, national coordinator for health information technology.
“This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.”
Predatory apps and snake oil warning
The new rules are generally being welcomed – with reservations.
“I’m not sure diving in headfirst by giving patients apps to access their own healthcare records via mobile apps is a good idea,” says Paul Bischoff, privacy advocate for security research firm Comparitech.com.
“Patients might not know what they’re agreeing to when handing over permission to apps to access their health records. This could lead to predatory apps that leverage medical records to sell snake oil.”
Meanwhile, says Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, the nature of the US’ insurance-based healthcare system means that patients may need to be careful about the information they share.
“Given the sensitive nature of medical records, and the potential for a pre-existing condition to negatively influence future patient care, vetting of both app creators and medical data usage in care decisions are concerns,” he says.
“As consumers embrace apps as a proxy for physical identification and their mobile devices as a central store for their most sensitive data, both the security of those apps and the potential for compromise of a mobile device become increasing concerns.”
Much-needed security standard
According to the DHSS, similar apps already exist, in the form of Medicare Blue Button 2.0, which allows patients to securely connect their Medicare Part A, Part B and Part D claims and other data to apps and other tools.
More than 2,770 developers from over 1,100 organizations are working in the Medicare Blue Button 2.0 sandbox, it says, and 55 organizations have applications in production.
But, says David Jemmett, CEO and founder of security firm Cerberus Sentinel, it could be hard to implement a comprehensive security standard.
“As things stand currently, you don’t know if your portal has been checked for security standards unless there has been certification to meet a number of additional standards,” he says.
“Often the code itself goes unchecked and third-party companies can be building them for the interface, but there is no one to go line by line, ensuring security standards are met to certify the software.”
Fake Exec Tricks New York City Medical Center into Sharing Patient Info
An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility’s executives.
The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff.
VCRN were notified on or about Monday, December 30, that a cruel deception had taken place.
In a Notice of Data Privacy Incident statement published on VCRN’s website, the company stated: “The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”
Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients.
VCRN said: “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”
The medical center said that they weren’t aware of any personal patient information having been misused as a result of this event.
Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.
The center said: “We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures.”
VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident.
The data breach has been reported to law enforcement and to the relevant regulatory authorities.
VCRN advised patients “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”
FastMed Improves Urgent Care And Patient Privacy with Idaptive
For FastMed Urgent Care, speed and efficiency are about much more than creating operational excellence. It translates into prompt, personal, and high-quality medical care where and when patients need it. With a laser focus on providing best-in-class family and occupational healthcare, FastMed is constantly looking for […]
Hackers access patient data at Oklahoma State facility
Hackers attacked Oklahoma State University Center for Health Sciences, and some 279,865 individuals have been notified that their protected health information may have been compromised.
The organization learned on Nov. 7, 2017, that an unauthorized party had gained access to data on the computer network that contained Medicaid billing information. The university removed the data from the network and the unauthorized access was terminated; and forensic specialists were called in to help determine the extent of compromise.
The investigation could not determine with certainty whether patient information was accessed, the university told affected patients in a notification letter.
Compromised data included patient names, Medicaid numbers, healthcare provider names, dates of service and limited treatment information, along with one Social Security number. To date, there is no indication of inappropriate use of patient information, according to the university.
“At OSU Center for Health Sciences, we care deeply about our patients,” the notification letter states. “Patient confidentiality is a critical part of our commitment to care, and we work diligently to protect patient information. We apologize for any concern or inconvenience this incident may cause our patients.”
A dedicated call center has been established for patients to get more information, and patients are urged to be on alert for any healthcare services they incur that they did not actually receive from their providers, and immediately contact their providers and Medicaid.
The university is not offering credit monitoring services to affected individuals, since no financial information was exposed; the one individual whose Social Security number may have been compromised was given credit protection services.
Pacemakers and patient monitors can be hacked in seconds, San Diego experts discuss threat
San Diego cyber security expert Ted Harrington with Independent Security Evaluators invited us to his Downtown office to see how quickly and easily he and his colleagues demonstrate successful hacks of modern medical devices. Medical devices like pacemakers and patient monitors are some of the newest vulnerabilities to cyber attack in the healthcare industry.
The threat hits home. According to the California Life Sciences Association, the state has more medical device jobs than anywhere in the nation, with 74,000 employees. A total of 7,700 of them are based in San Diego.
San Diego is a city that’s no stranger to malicious software or “malware” assaults on the medical sector. Last year, the 306-bed Alvarado Medical Center had its computer system affected by what it called a “malware disruption”. The hospital briefly considered doing an on-camera interview with us about the security changes that have been implemented since the incident, but then it backed out.
The hospital spokesperson cited in part, “A careless slip during an interview can reveal possible [vulnerabilities] in our ‘armor’ that a hacker can take advantage of.”
Also last year, nearby Hollywood Presbyterian Medical Center made headlines when it paid a $17,000 ransom to the hacker who froze its computer system for several days.
“Healthcare is attacked more than any other industry because that’s where the money is,” writes prominent cybersecurity company Sophos in its SophosLabs 2018 Malware Forecast report.
A records check on the U.S. Department of Health and Human Services’ Office of Civil Rights website shows a total of thirteen California healthcare facilities that are currently under investigation for reported hacks.
Now, the threat to patient privacy could be challenged by a threat to patient safety.
Harrington and his team connected my finger to a sensor that was attached to a patient monitor. My healthy vitals were displayed on the patient monitor screen and on the screen representing a nurse’s computer.
In a real-world setting, that nurse’s computer would be in a different room from the patient and his or her monitor. 10News Reporter Jennifer Kastner was asked to remove her finger from the sensor, to make it look like she was flat-lining, but Harrington and his team hacked the nurse’s computer in seconds to make the nurse’s computer show that she was still healthy.
He and his team also showed us they could hack a patient’s displayed blood type.
“If the physician thinks the patient is a certain blood type and orders a transfusion of a different blood type, that directly hurts the patient. It would most likely result in a fatality,” says Harrington.
In October, the FBI put out a warning about the growing concern over cyber criminals targeting unsecured “Internet of Things (IoT)” devices, including medical devices like wireless heart monitors and insulin dispensers.
Years ago, it was reported that former Vice President Dick Cheney had his pacemaker altered to prevent an assassination attempt.
“We can’t bury our heads in the sand anymore. These types of medical cybersecurity vulnerabilities are going to become commonplace,” says Dr. Christian Dameff with UC San Diego Emergency Medicine.
Dameff is also a self-described hacker. Despite the FDA’s claim that there aren’t any known cases of patients’ devices getting hacked, Dameff believes attacks have happened and they were likely accidental, but never got reported.
“These devices in our systems are not well equipped to even discover these types of attacks,” he said. “It’s essentially like asking a toaster to figure out if your house has been hacked. They’re just not designed to find out.”
The experts we spoke to want to make it clear that while there’s a threat of cyber attacks on medical devices, the likelihood of it happening to the average patient is low. They urge people to stay mindful of the risks and talk to their healthcare providers about solutions.
600 patient records breached at Trios Health
Trios Health has terminated an employee after finding out they accessed multiple patient records without permission. So far, an internal investigation shows electronic health records of about 600 patients have been accessed by that employee. This took place between October 2013 and March of this year. Elizabeth Rice, the director…
Patient info stolen in hacker attack
Hospital operator Community Health Systems says a cyber attack took information on more than 4 million patients from its computer network earlier this year. That may impact patients and families in the Eastern Carolinas. The Franklin, Tennessee, company says no […]
Federal agencies investigating how hacker gained access to patient data
The FBI and other federal agencies are continuing to investigate a cyberattack that hacked personal information from 4.5 million U.S. health patients, including those at Spartanburg-based Mary Black Health System. Authorities determined in July that Community Health Systems, Inc. was […]