Posts Tagged ‘HIPAA’

Health Canada breaches Indigenous patients’ privacy, MDs say

October 11, 2016

Northern Ontario doctors say there is double standard in privacy protection for First Nations people
By Jody Porter, CBC News Posted: Oct 10, 2016 7:00 AM ET Last Updated: Oct 10, 2016 9:57 AM ET

‘What are they doing with the data?’ Dr. Mike Kirlew spoke to a Parliamentary committee earlier this year about his concern over the detailed diagnostic information Health Canada collects about First Nations patients. (CBC)

More than 20 doctors in northwestern Ontario say they will stop following Health Canada policy starting Tuesday, because of concerns over their patients’ privacy.

For years doctors who provide care for First Nations people in remote reserves have been required to provide Health Canada clerks with detailed diagnostic information about their patients for the patients to access medical travel grants.

The doctors say that is an invasion of privacy and leads to a situation where an anonymous clerk at Health Canada can deny access to care.

“I don’t like the fact there could be a list somewhere in Ottawa of all the First Nations people who are medically incapacitated,” said Dr. Mike Kirlew of Sioux Lookout.

Health Canada demands details

Health Canada requires the detailed diagnostic information under the federal non-insured health benefits program that covers First Nations people for drugs, dental and vision care and other benefits not covered by provincial health insurance. Health Canada clerks regularly ask for a patient’s condition when Dr. Kirlew has requested travel for a patient to see a specialist or undergo a diagnostic procedure, he said.
“They’re not part of the circle of care,” Kirlew said. “What are they doing with that data?”

The patients Kirlew and the other doctors serve live in isolated First Nations where there are no hospitals and no resident doctors. Denying travel for them is denying access to health care, Kirlew said.

The Northern Physicians group wrote a letter to Health Minister Jane Philpott on Sept. 30, outlining their concerns and signalling their intention to stop following Health Canada policies as of Oct. 11.

Health Canada is responsible for the health needs of First Nations people living on reserve in Ontario.

Provincial health travel grants in Ontario require only a doctor’s signature with no further requirement to reveal private medical information, Dr. Kirlew said. But provincial travel grants would not cover the cost of flights from remote First Nations communities.

Double standard

There is also a double standard when it comes to assistance to pay for prescription drugs — Health Canada requires more private information than the provincial drug benefit system, he said.

The root of the problem, according to the northern doctors, is that First Nations people have fewer protections under the Federal Privacy Act than people covered by the provincial Personal Health Information Protection Act, which has much tighter controls on patient information.

NDP MP Charlie Angus, whose Timmins-James Bay riding includes several First Nations, wrote to the federal privacy commissioner about the doctors’ concerns on Thursday.

“It’s absolutely unbelievable that we could have a situation where the relationship between a doctor and a patient could be interfered with and undermined and overridden by some bureaucrat in Ottawa who decides they’ll save money by just denying treatment,” Angus said in an interview with CBC News.

For both Dr. Kirlew and Angus, the privacy issue is just one example of discrimination against Indigenous people within the Canadian health care system.

“How many other provincial safeguards are missing on reserve?” Kirlew asks. “There is so much jurisdictional ambiguity.”

A spokesperson for the Health Minister says she is aware of the doctors’ concerns and working to address them.

Hackers Split On ‘Ethics’ Of Ransomware Attacks On Hospitals

September 14, 2016

Ransomware might be lucrative for some cybercriminals, but there are those who condemn holding hospitals to ransom.

Ransomware attacks against hospitals represent a growing threat which is becoming increasingly lucrative for some cybercriminals — even while other hackers are openly condemning extortion attempts against healthcare providers.
A combination of hospitals’ reliance on equipment powered by older operating systems and their often very urgent need to access medical data means that some hackers have looked at the institutions as a potentially rich target.
That was demonstrated when a Los Angeles hospital paid a $17,000 Bitcoin ransom after a Locky infection took down its network. But that wasn’t a one-off attack: there’s been a surge in ransomware-based cyberattacks against hospital networks across the globe, but particularly in the US.
Cybersecurity researchers from Intel Security analysed ransomware code from attacks against hospitals made during the first quarter of the year and discovered numerous Bitcoin wallets used to transfer ransom payments — Bitcoin having become the preferred currency of the cybercriminal — which showed that the hackers behind these hospital attacks had amassed $100,000 from ransoms alone.
Researchers have described the ransomware attack methods used by such attackers as “effective but not very sophisticated”. While they don’t specify which variants of ransomware are being used, the description could point to the culprits using something like Cerber, which has been seen being made available as a ransomware-as-a-service scheme for use by even the most technically-illiterate wannabe cybercriminal.
Researchers also suggest the hospital attacks weren’t carried out by the sort of “malicious actors we normally face in ransomware attacks or breaches”.
Indeed, they found evidence that suggests that cyberattacks against hospitals are being carried out by those viewed as renegades even within the cybercriminal fraternity, judged negatively for their decision to carry out attacks against those which provision healthcare. In the Russian underground in particular, there’s an ‘ethical’ code of conduct which places hospitals off-limits — even in countries usually targeted by Russian-speaking hackers.
In one forum, criminals discussed the ethics of attacking hospitals at length: “Yes, this is pretty sad and a new low. These ransom attacks are bad enough, but if someone were to die or be injured because of this it is just plain wrong,” one user said, while another labelled hospital attackers as “dumbest hackers ever”.
While hospitals currently only account for a small percentage of ransomware victims, it’s feared that as ransomware becomes an increasingly appealing method of attack for hackers, more and more of them will attack the healthcare sector.
“With cybersecurity threats including ransomware rising at such a rapid rate, organisations are having to come to terms with the fact that it’s fast becoming a question of ‘when’, not ‘if’, they suffer a breach,” says Raj Samani, CTO at EMEA Intel Security. “It’s crucial that the likes of healthcare pick up the pace with cybersecurity. Vulnerabilities in these sectors provide hackers with access to extremely personal, valuable and often irreplaceable data and IP.”
Despite a few high profile cases, Intel Security researchers found that, in most instances, hospitals that became victims of ransomware didn’t pay hackers a ransom. In these cases, it’s likely that organisations found another way to decrypt the files — or they simply deemed the encrypted files to not be important enough to pay to get back.
Cybersecurity researchers and the authorities have both warned about the increasing threat of ransomware to corporate and public sector networks.

NHS Hospitals Told To Swallow Stronger Anti-Ransomware Medication

September 13, 2016

NHS Digital is set to start expanding the range of cybersecurity services available to UK hospitals and clinics.
CareCERT (Care Computer Emergency Response Team) launched in November 2015, offering a national service that helps health and care organisations to improve their cybersecurity defences by providing proactive advice and guidance about the latest threats and security best practices.
A service that initially focused on pushing out alerts about threats will be expanded to include three new services, each of which begins testing this month:
• CareCERT Knowledge – a new e-learning portal to help all health and care organisations train their staff in cybersecurity basics.
• CareCERT Assure – a service to help organisations assess their local cybersecurity measures against industry standards, including recommendations on how to reduce vulnerabilities.
• CareCERT React – advice on reducing the impact of a data security incident.
Public health and innovation minister Nicola Blackwood announced the expansion at the Health and Care Innovation Expo on Thursday. The rollouts come at a time of increasing security threats to UK hospitals and clinics, particularly from file-encrypting ransomware.
Almost half (47 per cent) of NHS trusts have been subject to a ransomware attack in the past year, according to figures from a freedom of information (FOI) request published last month. NCC Group’s FOI is based on requests to 60 trusts, 28 of which confirmed they had been victims of ransomware.
Independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg that the increase in security services ought to be considered as a move to drive security improvements in UK hospitals in general, rather than a specific response to the ransomware threat.
“I do not see this as a reaction to ransomware as a recent FOI request submitted by Channel 4 showed that out of 152 NHS Trusts 39 were affected by ransomware,” Honan explained. “However, with the rising number of threats against computer systems this is a welcome and prudent move to enhance the security of the data, computers, systems, and networks the NHS increasingly relies on to provide its services.”

Are Unsecure Medical Devices Opening the Backdoor for Hackers?

August 17, 2016

The increased adoption of connected devices into medical services and processes is streamlining and improving the manner in which medicine can be tracked, developed, sourced and distributed.
On-call and off-site medical staff are also able to access information and source medicine on site, improving service levels and productivity. However, the exponential advantages of integrating connected devices into this industry can potentially open up points of vulnerability, which should increase security fears for decision makers.
The biggest threat to any organization, large or small, is understanding who actually has access to information and at what levels they can access the network. With the Internet of Things (IoT), access can come in many shapes and sizes, from an off-site doctor accessing medical history and prescription requirements to ambulance and emergency staff needing to log cases.
Medical/health institutions must prioritize the management of user access if they want to ensure they have adequate security levels around these access points. The variety of job roles that need to access a vast array of files from a connected network will also require different levels of access. For example, a doctor on call will need access to all previous medical history and prescription requirements, whereas an on-call care worker may only need medical history and is not qualified to distribute or access prescriptive files.
Therefore organizations must ensure that the right person is accessing the network or device each time a request takes place, with the correct level of attributed trust. However, individual access identification may no longer be sufficient to fully eliminate security and safety fears in this area.
Although the correct person may have access to a network from a specific place and use the correct logins, there is no guarantee that a rogue infiltrator hasn’t “piggy backed” the connection, giving them the same level of access as the individual.
Through effectively moonlighting as the employee or third party, hackers can utilize the open connection to the network to gain the same level of access as the member of staff. This may encourage hackers to potentially target gateway devices such as medical distribution tools that require a network connection. The device in this instance doesn’t hold or contain sensitive information, however it does act as a gateway onto the network.
Now, it is here that access management solutions must be considered to allow damage limitation to take place if a hack does happen, providing granular access controls and monitoring for every access request.
We know hackers use a variety of methods to gain access, from rogue emails to downloadable PDFs that open access to personal and organizational data. However, security implications must also be considered on a more tangible level, in addition to digital and internet-driven attacks. The Barclays hack that took place in 2013 and cost the bank £1.3 million shows the simplicity, and the outright tenacity, of the methods some hackers will use in the hope of gaining access to data. This hack saw insiders pose as IT engineers and fit a device that gave remote access to the bank’s network and allowed them to transfer money into their own accounts.
There are two recommended strategies for organizations to protect themselves against hacks such as this. First, ensure all staff are trained on the variety of risks that are present when exchanging emails or other digital communications. Second, organizations need to protect their networks by securely supervising, auditing and controlling access to their assets, data and IP via a privileged access management solution.

Cyber Ransom Attacks Panic Hospitals, Alarm Congress

July 21, 2016

When the Obama administration pushed out a $35 billion incentive program to pay doctors and hospitals to convert to electronic records, the idea was to modernize the health care industry, not serve it up on a platter to cyber criminals.
But now, American hospitals face weekly ransom threats. If they don’t pay up, files get frozen, surgeries delayed and patients sent across town. One of these days, someone could die as a result. And no one in government has a clear plan to handle it.
Such are the unintended consequences of shovel-ready projects.
The incentive program, which started paying out cash in 2011, “thrust tens of thousands of health care providers into the digital age before they were ready,” says David Brailer, chief of health IT in the second Bush administration. “One area where they were woefully unprepared is security. It created thousands of vulnerabilities in hospitals and practices that lack the budget, staff or access to technical skills to deal with them.”
Desperate hospitals have asked the feds for new financial incentives to boost their security. But Congress seems in no mood to cough up the necessary billions. It created a task force to come up with a report on how an alphabet soup of federal agencies can establish a chain of command for health care security.
Meanwhile, cybercrime attacks are mounting so rapidly that they challenge the financial stability of some health systems, according to experts in information security. The intrusions are interfering with efforts to improve data sharing in health care — and could even threaten patient safety.
Just this week, a Kansas hospital said it paid a large ransom to unblock frozen records — then was told it had to pay more in order to free all the files.
“It’s only a matter of time before someone gets hurt,” Sen. Sheldon Whitehouse (D-R.I.) said during a hearing this month after well-publicized ransomware attacks hit hospitals in Kentucky, California and the nation’s capital.
Whitehouse and Sen. Lindsey Graham (R-S.C.) filed a bill this month to punish cyber criminals if their attacks result in health care system deaths or injuries. But first, they’d have to find perpetrators — in Russia, Eastern Europe or in hidden recesses of the Dark Web.
More rules won’t help, Brailer says. Hospital licensing requirements and medical privacy laws already include extensive security requirements, but providers rarely follow best practices, he said.
The FDA and the Office for Civil Rights in the Health and Human Services department use penalties and guidance documents to push providers and device makers to use better “cyber hygiene.”
Members of Congress also want hospitals to be more dutiful. “If you aren’t following good practices, the regulatory environment isn’t going to save you,” says Rep. Will Hurd (R-Texas), leader of the House Oversight cybersecurity subcommittee. While the FBI and other agencies can do better at sharing threat intelligence, “health care has to help itself.”
More federal inspections might increase readiness, but none of these measures attack the underlying problem — the massive gap between the industry’s needs and its resources, Brailer said.
Meanwhile, hackers are launching billions of health care-focused attacks. One major health system was bombarded with a million emails in March alone seeking to implant ransomware in its computers. A small Kentucky hospital had 3,500 attacks on Mother’s Day, according to Leslie Krigstein, vice president of CHIME.
Last year there were 54 “zero-day,” or brand new attacks; approximately once a week, in other words, hackers sent out an electronic bug so novel that no computer could recognize it.
Ransomware is of particular concern. In these attacks, hackers send out code that freezes computer files until the owner pays ransom in untraceable Bitcoins in exchange for a numeric decryption key to unfreeze them. The attacks allow hackers to cash in quickly, whereas stolen medical records may be more difficult to monetize. (More than 100 million records were stolen in 2015 — some for sale on the black market or use in Medicare fraud, some by state actors, apparently for intelligence purposes.)
Freakout in the C-Suite
For the first time, the threat of cyberattacks is grabbing the attention of senior health care executives, said Russell Branzell, CHIME’s CEO, who says the executives are “freaking out” as we “enter into a security war for health care.”
Cybersecurity legislation signed into law last year allows health care companies to share information about threats they’ve encountered without risk of being sued for any data breaches they reveal. Other privately run organizations also serve this purpose.
But complying with such recommendations can require major investments — millions to hire new security teams and consultants and to buy new software. Added security spending might mean forgoing a new MRI system, or delaying the hiring of new nurses.
“Cyberthreats are knocking on your door every time you open your laptop or your phone,” said Ty Faulkner, a cyber consultant. “If you aren’t monitoring and checking your data, I question whether you are following good business processes.”
But “many of our members can’t afford the technology and tools they need at this point,” said Branzell. “It’s moving so fast that you could update everything, spend way more than you’re budgeting for, then the next wave of bad guy stuff comes up and you’re already behind again.”
“If you peer into the dark minds of a lot of hospital executives, they are rolling the dice as to where they allocate their budgets,” said Clinton Mikel, an attorney with Health Law Partners.
Health care firms are spending vast sums to lure chief information security officers away from the financial and energy sector. The job description hardly existed in health care two years ago — now there are 500 just in Branzell’s organization.
Some companies are hiring security consultants on a semi-permanent basis, said Mac McMillan, co-founder and CEO of CynergisTek — one of those firms. If they don’t spend that big dough, many worry, a criminal breach of their information could result in bankruptcy levels of litigation.
Cyber insurance protects against some costs, but underwriters won’t write a policy unless the hospital system can demonstrate it is already spending plenty to defend itself.
Successful attacks are inevitable, security experts say. They talk of techniques such as compartmentalizing software, so hacks can be confined to a small area of the computer system, or programs that detect unusual computer activity within an organization, signs a bug has already penetrated the system.
“Most organizations can’t do that for themselves,” McMillan said. “More and more, people are saying to us, ‘I want a partner’ because cybercrime has become an industry.”
Medical devices: A ripe target?
The targets of attack within health care are practically limitless. “It’s hard to imagine a more complex and diverse environment than a hospital,” said Dave Palmer of Darktrace, a company whose technology searches for unusual behavior within networks.
“You have doctors and staff walking around with tablets, millions of dollars worth of scanners and sensitive machinery, all of it digitally integrated. You have visiting consultants there, maybe only a few days a week. Staff, porters, cleaning people.”
Users may not understand that bedside devices like monitors need to be secured, said Dennis Gallitano, a leading cyber attorney. Most cyber strategies are built around detecting and keeping out bugs, but “what about tunnels through the backdoor — a fax machine or pump?”
Device manufacturers are not required to meet the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA); security experts say their protection is often lax, offering an attractive target for hackers looking for new ways into health systems. The FDA has begun working with manufacturers to improve device cybersecurity.
Security conflicts with transparency
One of the main purposes of electronic health records is to encourage information sharing among doctors, so that patients can be looked after in a more holistic way. Cyberthreats, some worry, could lead to a clampdown, because health care companies are leery of sharing data with institutions that might not be secure.
“There is very much a conflict in health care,” Branzell acknowledged. “The traditional model is, ‘Lock the world down.’ That doesn’t work in a world where we’re being asked to become more and more transparent and engage with our patients … With more patient engagement you’ve got people working from home on their Wi-Fi networks.”
Security should not be used as an excuse to block transparency, says Fred Trotter, a hacker and data journalist who serves on HHS’ Cybersecurity Task Force. In Trotter’s view, the solution is to make a distinction between ordinary cybertheft and hacking that has patient safety implications.
Cyberattacks that might, say, cripple an MRI machine until a ransom is paid, he believes, should be classed with other health IT safety issues, such as poor usability or bad software design that could lead to medical errors.
An evil genius and a wayward duck (or chicken, or pig) are equally capable of starting a lethal viral epidemic. By the same token, it shouldn’t matter whether a hacker or a stuck mouse button creates a clinical safety problem, he said.
HHS’ Office of the National Coordinator for Health IT has tried for years to create a safety center where threats and problems with software can be shared, discussed and remedied.
Congress has refused to provide the budget.
