Anatomy of Medical Device Cyber Attacks

On Cyber Attacks

[By Bertran Mesko, MD PhD]

According to studies by PWC and the SANS Institute, 94% of healthcare organizations have been victims of a cyber-attack.

As we use more and more devices, from smartphones to wearable sensors, our online privacy can have a very real impact on our health and well-being. When hacked, even simple wearables can yield private information about our vital signs and reveal personal health problems and insight into our habits (like when we regularly go running) that’s best kept from the public eye.

More threatening are the findings of security researchers who managed to prove that a deadly overdose of medication could be administered remotely via a vulnerability in certain insulin pumps.

HIT Dangers

Let’s see the dangers facing our health information, and a few easy tips you can use to boost your privacy levels quickly.

***

The dangers facing healthcare privacy

Assessment

Arxan recently surveyed trends and dangers threatening the privacy of healthcare data.

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

***

3 Responses

  1. TheDarkOverlord’s extortion, which I discovered on Twitter three days ago, was no hoax after all.

    “Cyber extortion gang hits again, striking ABC, clinics across U.S. – The cybercrime gang known as The Dark Overlord appears to operate from an English-speaking country, although details are murky.” By Tim Johnson for McClatchy News, June 12, 2017.

    http://www.mcclatchydc.com/news/nation-world/national/article155732029.html

    thedarkoverlord @tdohack3r: “La Quinta Center for Cosmetic Dentistry refused our kind offer, so here’s their 6.300 records”

    The reporting of the tweet was intentionally delayed, I assume, to properly warn over 12,000 patients whose identities were posted on the internet. Perhaps the delay of reporting on publicly-available identities was prudent. If I were one of the thousands of dental patients whose identities are available I would certainly want to know about it before the word gets out.

    But then again, immediately is probably not soon enough: “FTC finds thieves attempt to use stolen data within 9 min of breach” By Robert Abel for SC Media, May 26, 2017.

    https://www.scmagazine.com/ftc-finds-data-breach-info-exploited-in-under-9-minutes/article/664540/

    Neither is the 60 days HIPAA allows before providers must notify patients of a breach. Crime moves faster than HIPAA, and digital dental records have always been soft targets with huge payoff. Anyone interested in de-identification yet?

    Damn, I miss Justin Shafer. The security expert who has been publicly thanked by Homeland Security on 8 occasions for reporting software vulnerabilities affecting hundreds of thousands of patients sits in jail. The world misses you, Justin.

    D. Kellus Pruitt DDS


  2. Cloud-based EHRs have become increasingly available as huge, rich targets for identity thieves.

    “Microsoft Sounds Alarm on Weaponized Virtual Machines on the Cloud – Attackers are targeting cloud accounts, hoping to weaponize virtual machines and gain access to valuable information.” By Pedro Hernandez for eWeek, August 22, 2017

    http://www.eweek.com/security/microsoft-sounds-alarm-on-weaponized-virtual-machines-on-the-cloud

    Hernandez: “Microsoft has some bad news for businesses hoping to find a safe haven from cyber-attackers in the cloud. IT departments can now add weaponized virtual machines on the cloud to their ever-expanding list of cybersecurity concerns.”

    Salespeople for Dentrix Ascend, Curve Dental and other cloud-based dental EHRs should probably stop promising better security than office-based software… which is also far less secure than paper dental records.

    D. Kellus Pruitt DDS


  3. Cybersecurity need not be expensive, or complicated
     
    “Myth busted: A wait-and-see approach to cybersecurity is a terrible idea – While the costs tied to protection can be daunting, especially for small organizations, the costs only increase after an attack.” By Jessica Davis for Healthcare IT News, September 26, 2017.
    http://www.healthcareitnews.com/news/myth-busted-wait-and-see-approach-cybersecurity-terrible-idea
     
    Davis: “It should come as no shock that hackers have spent the last two years pummeling the healthcare industry with cyberattacks. In 2017, the healthcare sector has already reported 233 breaches and is on pace to exceed last year’s rate of one healthcare breach per day. For healthcare organizations that are already struggling with staffing shortages and tight budgets, there’s just too much to be done. And so they often undertake minimum requirements to reach HIPAA compliance and wait for an incident to react.”
     
    De-identification anyone? Still too early?
     
    De-identified health records have been the source of safe data for medical research even before computers, and unlike EHRs, the security of de-identification is improving daily. For example:
     
    “New guide for de-identifying data – The Office of the Australian Information Commissioner (OAIC) has linked with the CSIRO’s Data61 to release a new guide to assist organisations dealing with private personal information to de-identify their data effectively.” PSN news.com (Australia), September 26, 2017.
    http://www.psnews.com.au/aps/570/news/new-guide-for-de-identifying-data
     
    If dental patients’ identities are unavailable, they simply cannot be stolen. What’s more, cybercriminals have no interest in stolen dental histories which cannot be re-identified – even if they wanted to.
     
    Somebody go wake up the American Dental Association. Our hidden, secretive leadership is heading in the wrong direction. Full disk encryption is not happening as they promised, and at least one dental technology consultant has stopped promoting dental EHRs. (See: “9 questions to ask about EHR” By Lauren Krzyzostaniak for Dental Products Report, June 9, 2017)
    http://www.dentalproductsreport.com/dental/article/9-questions-ask-about-ehr-0
     
    D. Kellus Pruitt DDS

