Healthcare Data and Security at Risk

Healthcare data at risk: why medical records are easy to hack, lucrative to sell

Stolen healthcare data can be worth 10 to 50 times more than payment card data in the cyber underground. Electronic health records fetch around $50 per record, according to the FBI. Some experts put that number as high as $500 for some type of medical records.
Credit and debit card numbers, by contrast, can sell for as little as $1 to $2 per account number.

“There’s an enormous online marketplace for these records,” says Kurt Stammberger, senior vice president of marketing at Norse, a security company that monitors malicious and criminal Internet traffic. “It’s like eBay — people bid, and there’s a ‘buy now’ price.’ ”

Costly exposures
Healthcare companies are taking major financial hits—and writing off this exposure as an extraordinary cost of doing business. Details on the pain level for breached companies are surfacing, thanks to data breach disclosure rules under the Healthcare Insurance Portability and Accountability Act (HIPAA.) For instance:
• WellPoint Inc., a managed-care company, settled a case with the U.S. Department of Health and Human Services for $1.7 million last year. WellPoint allegedly left electronic records of more than 600,000 people accessible over the internet due to a security weakness.
• New York and Presbyterian Hospital and Columbia University agreed to a $4.8 million settlement earlier this year after substandard security led to 6,800 patient records becoming accessible by search engines online.
Individual consumers are getting harmed financially, as well, to the tune of $12.3 billion last year. Ponemon’s 2013 Survey on Medical Identity Theft found that more than one third of victims paid an average of $18,660 out of pocket to recover from data theft. That included being compelled to reimburse healthcare providers for services supplied to an impersonator.

Prevention hurdles
Healthcare experts, privacy advocates and law enforcement officials acknowledge that the fundamental problem is mushrooming and won’t be easy to stabilize.
Part of the challenge is financial. The Affordable Care Act mandates that providers expend 80 to 85 percent of premiums on quality care—and that doesn’t include any provisions to prevent services from going to an identity thief.

According to Forrester research, only 18 percent of healthcare organizations’ tech spending budget goes to security, compared to 21 percent across all sectors. And most providers plan minimum or zero increase in budget.

Media reports concerning the Anthem breach have indicated that the compromised personal information wasn’t encrypted. Encryption – strong, modern algorithms properly implemented with tight key management – is the most effective way to protect data in 2015.

How do we know this? Edward Snowden, of course. He made it clear that the NSA is unable to break strong encryption. It’s likely no one else can, either. Many have expressed surprise that the Anthem data, clearly of a confidential nature and describing millions of people, was not encrypted. This may be because Anthem, like many companies operate strictly in their primary business – be it health care insurance, retail, banking or something else. Unfortunately, the reality of 2015 is that almost every business is an IT business, and part of IT is cybersecurity. It’s not an optional component. And when it comes to protecting data at rest or in motion, nothing works as well as encryption.

While encryption algorithms are relatively easy to implement in software, the ecosystem required to support them is much harder to put in place. Encryption systems are all about key management–making sure the proper key for the required operation can be found and used in a properly authorized manner. Some familiar (and older) forms of encryption, like S-MIME for e-mail and whole disk encryption like BitLocker, use a single key per system or user.

In the application space, large, sophisticated database vendors charge millions of dollars for bolt-on encryption modules. Organizations then have to alter their application software to take advantage of this technology, which is both expensive and time consuming.

To be effective and support the multiple applications needing access, multiple keys will have to be used. Distributing and managing the keys for these software modules adds friction to the system and makes it hard to keep everything in sync – raising maintenance and support costs. To further complicate use, glitches in the system could lead to lost data.

There is a better way: adding an encryption abstraction layer in between the application and the data storage and transport that’s invisible to the application and requires little change to either hardware or applications. Think of this as an encryption service or broker. It handles key management, authentication, and the actual encryption.

Such systems interface with existing LDAP-based identity management systems and are available today. While not without cost, such systems are more effective than an application rewrite. Organizations need to realize they are all in the IT business, and make 2015 the year of encryption.

Integra Systems, Inc., is working with enable the first ever point to point secure solution to directly target this requirement and need.

Nordic Semiconductor Demo

https://www.youtube.com/watch?v=dO3DDwAzn8E - Pretty interesting demo of how Nordic is changing the game for IOT.

Bluetooth LE and IOT

A good video by Laird that helps understand the importance of BTLE to the enterprise space.

http://www.lairdtech.com/support/learning-center/videos/iot-videos?utm_source=Incisor%20email&utm_medium=email%20&utm_content=video&utm_campaign=Incisor%20TV%20roundtable%20

Cyber Security Protection at the New Healthcare Point of Care

It seems that the face of healthcare is changing with the advent of the walk-in clinics..this area it seems is growing by leaps and bounds. It solves the supply chain security end to end versus the model of current our silo based healthcare system. When you make things easy for the consumer it just naturally creates a new business model.

http://www.walgreens.com/topic/pharmacy/healthcare-clinic/our-services.jsp

Not only are the integrated delivery networks in the business of the delivery of care; but also retail establishments like above mentioned are coming up everywhere. Hospital emergency rooms do not often support the efficiencies of care (unless it is real emergency) and how long do you have to wait these days to see your family doctor? At the end of the day..the consumer should be empowered to make his/her own decision.

The What If....
I would like to see the BluStor card being "The card" for not only your complete medical record that "you carry with you", but also the payment system. This one card would have your complete medical history, all medications, a past EKG, and also your eye prescription, dental records...everything. The size and thickness of a credit card.

For the first time..."you the patient" are in control of your personal and medical information. Why should not you be?

The strong multi-factor biometric finger print and facial authentication, prevents hackers to get to your medical data. The Cybergate platform.

Gone are the days of trying to get information from multiple different places with systems that are not maybe "secure enough" that "never" will be fully integrated...at least not in my lifetime.

2014 Year of Mega Security Breaches - It has only started

Starting out in 2015, welcome to a major, major health insurance compromise. This not going away anytime soon. Understand that North America has had the largest number of attacks. A lot of what we do is just not smart, like using antiquated magnetic strip credit cards...as well as just common sense in the corporate side of things. Integra Systems, Inc is working with several key technology players to develop an "end to end" point to point secure solution for both medical devices and healthcare. We also have provided presentations and subject matter expertise regarding to business and authorities.

Download Breach-Level-Index-Annual-Report-2014

Download Secure_the_breach_manifesto

www.breachlevelindex.com

Turnkey Wireless Solutions on the Rise

Adding low-power wireless connectivity to a product has become less of a challenge as chipmakers serve up proven silicon, reference designs, and development kits. But designing an RF link from scratch is still not a trivial exercise. Quick to spot opportunities, commercial vendors now offer pre-engineered wireless solutions in the form of modules. Such devices have been optimised by the manufacturer to provide maximum range and bandwidth while meeting the regulatory requirements for operation in the Industrial, Scientific, Medical (ISM) 2.4-GHz band. Some are even delivered with certification proving they comply with a particular wireless standard.

The market is rapidly expanding: According to analyst IHS, worldwide revenue for the low-power wireless modules market will reach $1.40 billion this year, up a robust 14 percent from $1.23 billion in 2013. The company says this is the third consecutive year of double-digit expansion for the market.

“Low-power wireless modules play an important role in the wireless ecosystem, providing a turnkey solution that includes a radio, microcontroller, nonvolatile memory, and antenna - all in a small, affordable package,” said Lee Ratliff, principal analyst for connectivity at IHS in a statement.

Modules are popular in low-volume applications because they eliminate the high non-recurring engineering costs associated with RF design, verification, and certification while cutting lengthy development times, notes Ratliff. But modules also find favor in devices that ship in millions of units because they simplify manufacturing and increase flexibility. A single module design, for example, can be reused across multiple products, easing the problem of supporting numerous unique wireless designs.

Applications that matter
IHS forecasts that the fastest-growing markets for low-power wireless modules in the immediate future will be sports and fitness monitoring, with a compound annual growth rate (CAGR) of 49 percent. Other important markets will be consumer electronics with a CAGR of 36 percent, automotive with 32 percent, and residential automation with 30 percent.

The underlying growth in the application of wireless technologies in these markets will be the primary reason for the increase in module shipments. However, a secondary reason for expansion is the high rate of adoption of Bluetooth Smart, ANT+, EnOcean, RF4CE, and Z-Wave.

While these multivendor solutions are enjoying growth, low-power wireless technology is moving away from proprietary protocols, according to IHS. Proprietary protocols made up 88 percent of module shipments in 2011, but will only account for about 50 percent by 2018. A key driver for this trend is that customers are looking for interoperable communications across diverse systems, and wanting devices to communicate with mobile platforms like smartphones, tablet computers and laptops without requiring dongles.

Nordic Semiconductor-powered products are at the forefront of the wireless module revolution. For example, Nordic’s long-term design partner, ANT Wireless, has announced a dual protocol ANT SoC module, the N548, based on the nRF51422 SoC. This 2.4-GHz solution enables ANT and Bluetooth Smart protocols to run concurrently. The N548 measures 14 by 9.8 by 2.0mm and is a turnkey solution targeted at wearable, home, and industrial applications.

In a second example, Stollmann, a Nordic design partner based in Hamburg, Germany, has recently added a small form factor Bluetooth Smart module based on Nordic’s nRF51822 multiprotocol System-on-Chip (SoC) to its Embedded Bluetooth Module family. The module measures just 17 by 10 by 2.6 mm and has a line-of-sight maximum range of 50 m.

And French multidie system-in-package (SiP) design specialist, Insight SiP, has developed a Nordic nRF51822 System-on-Chip (SoC)-based Bluetooth Smart module that requires no specialist RF engineering experience to employ. The chip measures 8 by 11 by 1.2 mm and is claimed to be a complete “drop-in” Bluetooth Smart module solution.

The Unique Medical Device Requirement for Healthcare

Integra Systems, Inc. will be releasing an authored white paper on the behalf of www.lairdtech.com in February.

Please see this link for signing up for the early download of the white paper of which will be released March 10, 2015.

http://www.summitdata.com/blog/requirements-unique-wireless-medical-devices/

border="0" />

Healthcare Recent Security Compromise - Major Insurance Provider

Much is in the news about this. What is interesting is that RSA provided an incident response of an emerging threat profile called Shell_Crew or Deep Panda in January of 2014. (This is provided as an attachment for review). This is a very detailed description of techniques, tools, mitigation and remediation schemas.
This should be read by all IT organizations to ensure a security plan of action. Integra Systems is working to develop an end to end solution that crosses multiple biometric front authentication to a revolutionary data base structure that will change the game.

Download H12756-wp-shell-crew

Medtronic and Covidien

If you look at the new Medtronic web site…it is pretty interesting now that Medtronic and Covidien are coming together. “Medtronic has advanced it’s position to become the world’s premier technology and services” company."

This is changing the landscape of how “technology companies” conduct business with integrated delivery networks. Starting next year, 30% of physicians pay will be tied to the quality of care they deliver seen through improving outcomes. If patients are re-admitted within 30 days of discharge with certain conditions, Medicare may penalize them. It seems that both these companies are embarking upon projects and managed services solutions to help healthcare systems improve operations to satisfy these requirements.

In the past many years there has not been a lot of concern about telemedicine in the United States, however that is shifting rapidly. Most recently we have witnessed several medical device companies have desired to develop solutions to ensure compliance; as well to gather all data upon discharge to form the complete “electronic medical record”. The EMR being defined as "inpatient", at home, and/or anywhere.. So “wireless connectivity” , “the cloud”, “data analytics”, is taking off on several converged fronts in a rapid fashion. It only makes sense as other vertical markets have moved quickly to a IOT (Internet of Things), business model to gather information on a real time basis to improve their bottom line.

As said in the past, no new monitoring of physiological parameter in my opinion has come out in the recent years that has demonstrated great quality improvements or decrease in risk.

Companies need to understand it is not about the “widget”, but the overall solution that impacts cost, risk, and complete the full circle of care of the patient. In addition care now needs to extend outside the “four walls of the facility”…as well within every square inch of the facility tied to demonstrated metrics for the improvement of care.

It will be interesting to see how “traditional medical device companies”, now move to a culture of “medical solution companies” in 2015.

Cisco Systems Annual Security Report 2015

This is the latest security report from Cisco. A very, very well done report.

Download AST-0137700_Cisco_ASR_FINAL_011715