Privacy & Security
The laptop that was reported missing from Premier Healthcare on Jan. 4, has been returned via U.S. mail. According to a statement from the Bloomington, Indiana physician-led multispecialty healthcare provider, the laptop was returned on March 7.
Premier had reported the laptop stolen from the billing department in its locked and alarmed administrative office.
[Also: Premier Healthcare faces possible data breach]
Premier hired an information security consulting firm that specializes in digital forensics and incident response to conduct a comprehensive forensic analysis, which revealed the laptop had not been powered on since it went missing, Premier officials said in a statement.
Premier had feared a possible breach that could have affected nearly 206,000 patients. For 1,769 of those patients, Social Security numbers and financial information could also have been accessed.
Premier continues to investigate the case. It has reported the return of the laptop to the Bloomington Police Department for use in its continuing investigation.
Twitter: @HealthITNews
HIMSS16 provided countless hours of must-see video content for Healthcare IT News, from fascinating interviews with thought leaders and speakers at the conference to in-depth panel discussions and show floor highlights throughout the week. We have compiled the top 5 videos to date for you to watch in case you missed them.
The U.S. Department of Health and Human Services on Wednesday named a slate of healthcare professionals from top providers and tech firms to its Health Care Industry Cybersecurity Task Force.
The Cybersecurity Information Sharing Act of 2015 tasked HHS with the creation of the panel, which is expected to come up with recommendations for helping safeguard the industry.
HHS, the Department of Homeland Security and the National Institute of Standards and Technology selected the task force members based on recommendations from a panel of subject matter experts.
[Also: HHS seeks industry pros to join healthcare cybersecurity task force]
"While all industries continue to face a growing threat of attacks on their information systems, the size and scope of attacks on healthcare information systems have accelerated particularly rapidly in the past two years," HHS officials said in a statement.
The group will hold four in-person meetings and meet by teleconference until March 2017, when the task force will disband. It is expected to report its findings and recommendations before then.
The members are:
Theresa Meadows, RN, senior vice president and CIO, Cook Children's Health Care System
George DeCesare, a lawyer and senior vice president and chief technology risk officer, Kaiser Permanente Health Plan
Roy Mellinger, vice president of IT security and chief information security officer, Anthem
Mark Jarrett, MD, senior vice president and chief quality officer, Northwell Health, and professor of medicine, Hofstra Northwell School of Medicine
Jacki Monson, a lawyer and chief privacy and information security officer, Sutter Health
Ram Ramadoss, vice president, CRP privacy and information security and EHR compliance oversight, Catholic Health Initiatives
Fred Trotter, data journalist, CareSet Systems
David Ting, co-founder and chief technology officer, Imprivata
Christine Sublett, CISO and head of compliance, Augmedix
David Finn, health information technology officer, Symantec
Michael McNeil, global product security and services officer, Philips Healthcare
Terry Rice, vice president, IT risk management and CISO, Merck & Co.
Joshua Corman, co-founder, I Am The Cavalry
Alissa Johnson, CISO, Stryker Corp.
Vito Sardanopoli, director of cyber security services and governance, Quest Diagnostics
Dan McWhorter, vice president and chief intelligence strategist, FireEye
Anura Fernando, principal engineer, medical and software systems interoperability at UL, LLC
Emery Csulak, CISO, Centers for Medicare and Medicaid Services
Laura Laybourn, director of stakeholder engagement and cyber infrastructure resilience, Office of Cybersecurity and Communications, U.S. Department of Homeland Security
The task force will also include a representative from NIST and one from the Federal Health IT Advisory Council, but they have not yet been named.
Kevin Johnson, CEO and Security Consultant at Secure Ideas, explains why cybersecurity is considered a top priority in healthcare and why it should be thought of as an integral part of health IT and not a separate component.
Help HIMSS understand how your healthcare organization is mitigating risk.
(SPONSORED) As IT struggles to get out in front of enterprise security risks, mobile devices are adding another wrinkle to defense plans as they become an increasingly active attack vector.
Organized criminals set their sights on healthcare somewhere around 2012 and found that stealing patient data enabled them to monetize that information in a number of ways. Since then, tactics have grown increasingly sophisticated and attackers are launching more attempts now than ever.
Perhaps coincidentally, that’s also when the stream of lost unencrypted hardware began slowing down, said Kurt Long, CEO of application security specialist FairWarning.
“That’s not to say that laptops don’t still get lost, but the peak years for that were 2008-2012,” Long determined. “I don’t know that lost laptops were all that damaging. It could be in the bottom of the Hudson River. We don’t know where that data went.”
But since healthcare organizations have to publicly disclose those incidents, whether the information was actually exposed to criminals or not, the industry swallowed a steady diet of headlines about data breaches.
The era of targeted attacks, however, appears to be significantly more threatening — and it’s already upon us.
Healthcare organizations, in fact, have been hit by one hack per month during the last year, according to a Ponemon Institute study. Ponemon questioned 535 IT security professionals working at public, private and government healthcare organizations and found that the most common threat is attackers exploiting existing software vulnerabilities that are more than three months old. Newer vulnerabilities and spearphishing (sending targets an email designed to get them to click on an executable or other malicious code) ranked second and third, respectively.
[Also: Hollywood Presbyterian pays $17,000 to regain control over systems]
From the criminal’s perspective, the beauty of these attacks is that they are relatively low-risk with a big potential to make plenty of money using elegantly simple tactics, said Secure Ideas CEO Kevin Johnson.
“As much as I’d like to say it’s cool and magic, it’s really not. It’s basic IT cleanliness,” Johnson explained. “And IT cleanliness is not ingrained in healthcare.”
That fact paved the way for the period FairWarning’s Long described as an era in which organized crime squarely targeted healthcare, circa 2012-2015. By combing through public documents like court reports, reading indictments and interviewing Treasury Department officials, Long and colleagues showed that criminals are stealing patient records not only to commit medical ID theft but also to defraud the Internal Revenue Service by filing fake returns with the stolen information.
While those practices are not likely to vanish anytime soon, Long said the industry is already entering a new phase.
“The next wave is hacktivists and foreign nationals that want to expose some wrong they think needs to be righted as well as international crime syndicates with financial motivations,” Long said.
Long explained that typically the criminals seeking money are in Russia and eastern Europe, while the Chinese are after our state secrets or looking to blackmail U.S. ambassadors — and the hacktivists’ location is something we don’t even know because they could be anywhere.
Regardless of who perpetrates the attack, though, what’s on the line is trust.
“It’s the ultimate high stakes game because at some point if the trust breaks down between patients and clinicians such that people are afraid to share health information and withhold it instead because they don’t trust providers, that’s only going to escalate,” Long said. “This is a battle we have to win.”
Twitter: @SullyHIT
A recent report from the Department of Health and Human Services Office of the Inspector General claims that HHS could do better when it comes to protecting federal information.
The gaps range from monitoring to security training and contingency planning.
"Exploitation of these weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS," according to Ernst & Young, which conducted the independent audit for the OIG. "As a result, we believe the weaknesses could potentially compromise the confidentiality, integrity, and availability of HHS' sensitive information and information systems."
[Also: OIG identifies big HHS security shortfalls]
Assistant Inspector General for Audit Services Thomas M. Salmon detailed the findings in a March 2016 report by identifying the 10 areas the auditors found lacking. HHS responded to each finding, concurring with some, taking issue with others:
Continuous Monitoring Management. HHS has formalized its Information Security Continuous Monitoring program through development of ISCM policies, procedures, and strategies. However, HHS has not fully implemented a Department-wide continuous monitoring program that includes continuously monitoring, updating and finalizing the policies and procedures indicating how OPDIVs (operational divisions) address and implement strategies and report on DHS metrics. This includes vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management, and network management.
Configuration Management. Some OPDIVs did not consistently review and remediate or address the risk presented by vulnerabilities discovered in configuration baseline compliance and vulnerability scans performed through Security Content Automation Protocol tools.
Identity and Access Management. Some OPDIVs did not consistently implement account management procedures for shared accounts, new personnel, transferred personnel and terminated personnel.
Incident Response and Reporting. Oversight processes had not been implemented by HHS to enforce incident response and reporting procedures at the OPDIVs.
Risk Management. HHS did not implement procedures to oversee that system inventories are complete, accurate and effectively managed, including reconciling to the OPDIV-managed system inventory tools.
Security Training. Some OPDIVs did not monitor the completion of role-based training for significant security responsibilities and other security training for personnel using IT systems.
Plan of Action and Milestones. Plan of Action & Milestones were not consistently documented and tracked by the OPDIVs and HHS.
Remote Access Management. Some OPDIVs had not developed formal and finalized remote access policies and procedures.
Contingency Planning. Some OPDIVs did not complete required contingency planning documentation, including Business Impact Analysis, Continuity of Operation Plans, and Information System Contingency Plans.
Contractor Systems. Some OPDIVs did not have effective contractor oversight protocols.
The technology pioneer offered his thoughts on funding new projects and keeping up with change at his HIMSS16 keynote earlier this month. Here are seven takeaways.
The Justice Department had alleged that the major oncology firm billed for medically unnecessary radiation treatments.