Monday, June 24, 2013

Medical Device Vulnerability Alert from Department of Homeland Security (DHS)



Recently over 300 medical devices were found to have password vulnerabilities.  This prompted the DHS’ Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) to issue an advisory to all manufacturers, healthcare facilities and users.
 
One of the major concerns surrounding this vulnerability is the possibility of unauthorized users accessing critical settings and making changes that could be harmful to patients.  Firmware modifications were also a concern.  Typically only company technicians know this type of password, but researchers working for a security vendor were able to easily exploit the passwords and gain access.

These researchers are now advocating for a digital signature requirement for programming modifications to firmware to prevent hackers and other malicious technicians from tampering with device settings.  Because so many legacy devices still exist in the healthcare setting, the researchers are recommending this change be implemented in any device approved by the FDA beginning in 2014. 

Many agree this is a good idea, but believe this type of change will take years to make a difference.  Hospitals have been reluctant to install anti-viral software on medical devices for fear that something could go wrong, and manufacturers would have a difficult time keeping devices updated.

I too believe that it would take many, many years before this change would make any difference.  Healthcare organizations keep equipment an average of 10-15 years, and sometimes even 20.  Just finding devices can be a challenge, so ensuring they all have the latest software would create an almost impossible situation for both biomedical and IT departments.

That being said, hospitals need to start somewhere because I believe this will eventually become mandatory, much like the current “meaningful use” initiatives.

For heaven’s sake, people drive around cars that appear to be smarter than the devices keeping loved ones alive.

Article referenced:



Monday, June 17, 2013

Data Breach Insurance in Demand!




In light of “meaningful use” and the ever-increasing use of technology in the healthcare setting, hospitals are beginning to invest in data breach insurance.  According to Fierce Health IT, healthcare organizations are predicted to see this as one of many tactics used to protect themselves when data breaches occur.  This may be exactly what California-based Sutter Health System will need.  Just days ago they announced that nearly 5000 patients will be notified that their personally identifiable information has been stolen.  During a drug raid, police officers discovered a patient list containing social security numbers, dates of birth, addresses, employer names, work numbers and marital status.

Sutter Health is no stranger to the patient notification process.  In 2011 an unencrypted computer was stolen, making this one of the largest HIPAA breaches in the US.

On the opposite coast, another healthcare system called Bon Secours has recently reported another HIPAA breach affecting 5000 patients as well.  Apparently unauthorized employees accessed the same personal information exposed in the Sutter Health report.

Given the number of hospitals who are repeat offenders of HIPAA violations, it seems apparent that greater measures must be taken to ensure the safety of patient information.  While I realize that hospitals employ a large number of employees and that alone can pose significant challenges, I believe greater due diligence must be demanded of these organizations.  Entrusting one's health to a bunch of strangers can be stressful enough, but worrying about your personal information while you’re worrying about your health is just more than I think any patient should have to deal with!

Thursday, June 13, 2013

HIPAA Omnibus Rule - Increased PHI Security Requirements

Since the mandate for "meaningful use," healthcare organizations have struggled to comply with the numerous regulations surrounding patient information and keeping it secure.  The HIPAA Omnibus Rule is making things even more challenging, especially for those who work as subcontractors, consultants, and vendors for these organizations.  This new rule has increased accountability and compliance regulations for these groups, making organizations responsible for guaranteeing their compliance.  Previously vendors were only accountable to the terms outlined in their "business associate agreement."

So, what exactly does this mean for an organization?

  • They must ensure vendors understand responsibilities associated with patient data such as the requirements for how it's maintained and stored.
  • Contracts must now be very detailed and clearly delineate responsibilities associated with PHI.
  • System reporting capabilities must be robust and in compliance should an audit by Health and Human Services occur.
I believe protecting patient data should be top priority.  That being said, the number of requirements healthcare organizations have for vendors is mind boggling.  Between policies, vaccines, background checks and education, something may have to give.  Thankfully, it won't be patient privacy, as the Omnibus Rule is coming from the government, whereas most other rules are coming from third-party vendor management companies.  In some facilities, vendors are held to even higher standards than the full-time employees.

This rule became effective March 26, 2013, but organizations have until September 2013 to comply.  Working as one of these vendors, I'm waiting to hear about the requirements my customers will have.  I'll let you know!



Article Referenced:

http://www.healthcareitnews.com/blog/new-omnibus-rule-how-will-it-impact-healthcare-it-vendors?page=1




Tuesday, June 11, 2013

Apple's iOS Just Became More Secure

Everyone who knows me knows that I'm a huge Apple fan.  I began using Apple products before Apple was cool.  So...I'm always interested in any new announcements they make.  At today's Worldwide Developers Conference Apple announced a variety of changes, but what caught my eye were the security changes.

Activation Lock is a new feature that will prevent thieves from erasing the data and then reselling the device, because they'll need the password before the iPhone or iPad will start working again.  Not that I've ever lost a device, but it's nice to know that no one else could use it if I did.

Image caption: Lock screen message. Even after a remote erase, Find My iPhone can continue to display a message with your phone number on the Lock screen.

Image caption: Your iPhone made it home. If you get your iPhone back after you’ve already erased it, just enter your Apple ID and password to reactivate it.

Image: iOS 7 (Block This Caller)
Some additional features will be per-app VPN activation and message blocking.  I can't help but wonder where a blocked message will go.  Does it bounce back?  Will the sender know they've been blocked?  I guess we won't know until iOS 7 is released in the fall!


Article Referenced:
http://news.cnet.com/8301-1009_357588581-83/activation-lock-to-tighten-ios-security/
Photos courtesy of:
http://www.apple.com/ios/ios7/features/#control-center