Tag Archives: healthcare

To your health – with the IoT

IoT and health - by Travis Witteveen

When will there be a healthy payout from my data? IoT is bringing a healthy change in our perspective on “personal information,” by enabling us to trade data for financial benefits. Are we ready? Collecting data about myself is benefiting my health – but can it help my wallet gain weight?

The post To your health – with the IoT appeared first on Avira Blog.

Hospitals and healthcare providers under cyberattack

Hospitals are vulnerable to cyberattacks

The recent ransomware attack on the Hollywood Presbyterian Medical Center in Los Angeles has spooked the healthcare community. Hackers installed *ransomware in the hospital computer system and held patient records hostage while demanding payment. The hospital eventually paid $17,000 to have their files unlocked.

Attacks on major insurance and healthcare systems last year including Excellus BlueCross BlueShield and Anthem Inc. resulted in 100 million individual records being stolen.

Electronic medical records are a treasure trove of data and fetch a price 20 times that of a stolen credit card number. The cost for the U.S. healthcare industry is $6 billion annually, with the average data breach costing a hospital $2.1 million.

According to a study by the Ponemon Institute, healthcare organizations average about one cyberattack per month with more than half of all organizations surveyed saying they experienced at least one cyberattack in the last 12 months.

Organizations' major concerns are system failures (legacy software and devices are common), unsecured wearable biomedical technology that puts patients at risk, and something that other industries face too – BYOD (bring your own device) – as employees are increasingly using their personal devices for work-related activities. One of the real threats is that hackers can compromise healthcare mobile apps and expose confidential medical records.

Stop by to visit the Avast Virtual Mobile Platform booth at HIMSS16

This week, cybersecurity in healthcare is a major discussion point at the Healthcare Information and Management Systems Society 2016 Conference in Las Vegas. Avast Virtual Mobile Platform (VMP) will demonstrate how hospitals, insurance companies, and others can use Avast VMP to ensure secure, HIPAA-compliant access to mobile apps such as instant messaging, EHR, document storage and more. Avast will also demonstrate how VMP uses virtualization to instantly secure healthcare mobile apps.

Follow HIMSS16 on Twitter.

*Ransomware commonly enters a computer system when a user is tricked into clicking an infected link in an email or an infected ad on a website. The ransomware then locks all the files in the system and demands money for a key that will unlock the files.

Homicide no longer requires proximity

Although computerized hospital pumps are widely known to be beneficial for mitigating dosage errors, news of hackable hospital pumps came to public attention a few months ago when security researcher Billy Rios discovered a pump that doesn’t use authentication for its drug library – thus enabling a hacker to load a different library into the device, which in theory could lead to a deadly dose being delivered. But new findings by Rios indicate that hackers may now themselves be able to remotely administer a deadly dose of a drug to a patient.

The Vulnerabilities

According to Rios’s findings, a hacker could alter – from within the hospital computer network or even over the Internet – the allowable upper dosage limit to give either too low or too high a dose. Doctors or nurses could then accidentally set the machine to give too high or low a dose without the machine issuing an alert.

When the story initially broke, this alteration of dosage limits was not considered as severe a vulnerability as one that would let the hacker set the dosage amount directly (and remotely). However, Rios has now found a new vulnerability that would allow hackers to remotely set the dosage amount by altering the firmware to gain total control of the device.

Coupling the previously known ability to change the drug library data with the newly found ability to remotely set the amount of the dose, a hacker can now potentially deliver a lethal dose of medication.

Pervasiveness of the Problem

How widespread the vulnerabilities are is not yet known, but even counting only the one manufacturer whose pumps Rios found these vulnerabilities in, close to half a million intravenous medicine pumps globally could be affected.

Naïvety or Denial?

When Rios initially notified the company making the pumps in question that its pumps could have their firmware changed by hackers, the company insisted that the pumps are safe because of partitioning between the communications module and the motherboard. Rios found that, while the physical partition does exist, a serial cable connects the two components “in a way that you can actually change the core software on the pump.”

As the company uses this same approach to deliver firmware updates remotely to its computerized pumps, it is unclear why any computerized-equipment maker would be so skeptical that its own update method could be used by hackers. Regardless, while the company works on a proof-of-concept that its devices have no vulnerabilities, Rios is working on his own proof-of-concept to the contrary, which he plans to share during the 2015 SummerCon security conference in Brooklyn.

“You can talk to that communication module over the network or over a wireless network,” Rios told Wired (read the full Wired report here).

The post Homicide no longer requires proximity appeared first on Avira Blog.

Impact of Healthcare Data Breaches Goes Beyond Financial

This past week, CareFirst, a U.S.-based BlueCross and BlueShield insurer with coverage in the Mid-Atlantic states, revealed that 1.1 million user accounts were compromised. CareFirst is the third U.S. health insurance company to publicly acknowledge a data breach recently, following Premera Blue Cross and Anthem. It seems relatively small potatoes compared to Premera (11 million people) and Anthem, which acknowledged that hackers broke into a database containing personal information for about 80 million of its customers and employees. But if you’re one of the 1.1 million, it isn’t small potatoes.

It can also hit very close to home. I just discovered friends of mine were among those caught up in the Anthem hack, which also led to them being part of the income tax fraud scheme that I and my fellow blogger, Tony Anscombe, have written about previously. My friends were tipped off when a new credit card arrived that they hadn’t ordered. Shortly after, they tried to file their income taxes and found they’d already been filed – and a substantial over-payment (not based on their calculations) had already been claimed by the perpetrator.

CareFirst said that the attackers gained limited, unauthorized access to a single CareFirst database. CareFirst said the attackers didn’t get access to Social Security numbers, employment info, financial data, medical data or consumer passwords – because those are encrypted and stored in a separate system.

However, attackers could potentially have acquired members’ names, birth dates, email addresses and subscriber identification numbers. (You can also see the full statement from CareFirst on its website.)

The attack occurred in June 2014, two months after the insurer detected an attack that the organization thought it had contained. But the hackers had left behind hidden back doors that let them re-enter later, undetected, according to reports by the Baltimore Sun and others.

According to CareFirst, it has run comprehensive internal security tests, and hired an outside security company for further assessment, as well. It is offering two years of free credit monitoring and identity theft protection services for those members affected. Finally, it is letting those customers know who might be compromised. (Anthem did this also, though my friend was not among those notified…)

IT security has to be a priority for all businesses, but particularly for healthcare, where the stakes are so high. The healthcare industry needs to conduct extensive ongoing internal IT evaluations and adopt stricter policies – especially around what data they need to keep and for how long.

According to new research by the Ponemon Institute sponsored by IBM, the “2015 Cost of Data Breaches Study”, data breaches in healthcare are the most expensive to remediate, and the cost is only going up. The study covered 350 companies in 11 countries across 16 industries.

Consider the case of the UK-based Cottage Healthcare Systems. Hackers swiped 32,500 patient records and its customers sued Cottage for $4.1 million. Its insurance company, Columbia Casualty Company, settled the claims. But now Columbia has come back to Cottage to recoup the settlement, because it claims Cottage did not provide adequate and secure IT systems, so it wants its money back.

As consumers, we have to do more too. We need to monitor the activity on all of our accounts – both financial accounts and those with our health care providers and insurance companies – and note anything that’s irregular or suspicious.

You can find some helpful information on the Federal Trade Commission (FTC) website to identify signs of medical identity theft, including these:

  • A bill for medical services you didn’t receive
  • A call from a debt collector about a medical debt you don’t owe
  • A notice from your insurer saying you reached your benefit limit or denial of insurance for a condition you don’t have.

The FTC encourages visiting IdentityTheft.gov to report incidents and get information on how to recover from identity theft.