Healthcare Informatics Magazine | Health IT | Information Technology

AHA Appoints Senior Advisor for Cybersecurity and Risk

February 22, 2018
by Rajiv Leventhal

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.

Riggi, who spent nearly 30 years with the FBI in a variety of assignments, will bring his practical and strategic cybersecurity and risk knowledge to the association’s more than 5,000 members, AHA officials said in the announcement.

After leaving the FBI, Riggi led the cybersecurity and financial crimes practice at Chicago-based accounting and consulting firm BDO USA, where he worked closely with the AHA to develop and lead AHA’s cybersecurity education and awareness initiatives.  

At the FBI cyber division, he led the national program to develop partnerships with healthcare and other infrastructure sectors for the investigation and exchange of information related to national security and criminal cyber threats. As such, Riggi played a national strategic role in the investigations of the largest cyber attacks targeting healthcare, government and other sectors. Riggi also served as a representative to the White House’s Cyber Response Group, Financial Services Steering Committee.

“Cybersecurity is on the top of every health leader’s mind,” AHA President and CEO Rick Pollack said in a statement. “And John is nationally recognized as one of the best experts out there on healthcare cybersecurity. His strong credentials and expertise will go a long way in helping the field strengthen their defenses against rampant cyber and physical threats.”


Phishing Attack on Healthcare Provider Impacts 128K Patient Records

November 21, 2018
by Heather Landi, Associate Editor

New York Oncology Hematology, based in Albany, New York, is notifying its patients and employees that an unauthorized user may have gained access to several employee email accounts, and, potentially, accessed employee or patient data as a result of a phishing attack back in April.

The healthcare provider posted a message on its website stating, “NYOH has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted phishing emails. While NYOH and its partners are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, we continue to take steps to protect our patients and employees’ information.”

Media coverage by The Daily Gazette puts the number of employees and patients at 128,400.

According to NYOH, the phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords. “These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated,” officials said.

On April 20, 2018, a phishing incident occurred through which an unauthorized user gained access to 14 employee email accounts, typically only for a few hours at most, the organization said. A second incident occurred between April 21, 2018 and April 27, 2018, when one additional email account became accessible. Immediately upon discovery of the incidents, NYOH’s IT vendor took steps to reset passwords, shutting down access to these accounts.

NYOH was subsequently notified of the suspected unauthorized access by its IT vendor. NYOH initiated its incident response protocol to determine the scope and severity of the phishing attacks. NYOH hired an outside forensic firm to conduct a review of the content of the accounts.

Following a thorough analysis, on October 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees, the organization said.

The organization said the following information may have been contained in the affected email accounts: names, dates of birth, home addresses, email addresses, insurance information, medical information such as test results, diagnostic codes, account numbers, and service dates. In very limited circumstances, the accounts also contained patient and employee Social Security and driver’s license numbers.

“While we are not aware of any access to or attempted misuse of patient or employee information related to this incident, out of an abundance of caution, NYOH mailed letters to all NYOH patients and employees on November 16, 2018. This letter includes directions for enrolling in 12 months (or longer as required by law) of free identity theft and credit monitoring services through Experian,” the organization stated.

Email hack at HealthEquity

HealthEquity, a health savings account provider with headquarters in Utah, reported to the U.S. Department of Health and Human Services (HHS) data breach portal that 165,800 patient records were impacted by an email hacking incident.

According to DataBreaches.net, HealthEquity notified the California Attorney General’s Office that on October 5, the company’s IT security team identified unauthorized logins to two HealthEquity employees’ email accounts.  

The investigation was unable to conclusively rule out – or rule in – whether the attacker accessed and viewed emails in those accounts that contained personal and/or protected health information, DataBreaches.net reported.

In a statement to DataBreaches.net, HealthEquity officials stated, “Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.”


Study: Internal Negligence, Not Hackers, Responsible for Half of Data Breaches

November 20, 2018
by Heather Landi, Associate Editor

While high-profile data breaches perpetrated by cyber criminals and hackers often make big headlines, a recent study found that more than half of healthcare data breaches are a result of internal issues, not external factors.

With regard to health data breaches, hospitals, doctors’ offices and even insurance companies are oftentimes the culprits, according to researchers from Michigan State University and Johns Hopkins University.

For the study, John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business, and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients. The study was published in JAMA Internal Medicine.

The new research follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.

The study found that more than half of the recent personal health information (PHI) data breaches were because of internal issues with medical providers – not because of hackers or external parties.

“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” Jiang said in a press release about the study.

“Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang said. “These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or ‘other.’”

After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in health care entities.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

Of the external breaches, theft accounted for 33 percent with hacking credited for just 12 percent.

Mobile devices were involved in 46 percent of cases, while paper records accounted for just 29 percent of breaches, the researchers report in the study. Employees taking data home or forwarding it to personal email accounts contributed to 74 breaches in the study, or about 6.5 percent of cases.

Mailing mistakes accounted for two-thirds of the data breaches involving communication errors by employees, the study also found.

Some data breaches might result in minor consequences, such as obtaining the phone numbers of patients, but others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so weren’t aware of the situation until they went to file their taxes only to discover that a third-party fraudulently filed them with the data they obtained from Anthem, the study authors wrote.

As a result of their research, Jiang and Bai suggest health care providers adopt internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a “copy vs. blind copy” protocol (bcc vs cc) as well as encryption of content, the study authors said in the press release.
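As an added illustration (not code from the study, its authors, or the article), the following Python sketch shows how the four communication protocols just listed could be enforced as automated pre-send checks on outbound mail: the "copy vs. blind copy" rule, verification of external recipients against a directory, a check for forwarding PHI to personal webmail accounts, and a requirement that PHI leaving the organization be encrypted. The mail domains, the verified-address directory, the webmail domain list and the sample messages are all constructed for the example; the `contains_phi` and `encrypted` flags are assumed to be set upstream, for instance by a DLP classifier.

```python
"""Pre-send policy checks for outbound mail (added example; constructed data)."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample data: the provider's own mail domains and a directory of
# external addresses already verified as belonging to patients or partners.
INTERNAL_DOMAINS = {"example-health.org"}
VERIFIED_EXTERNAL = {"pat.one@mail.example", "pat.two@mail.example", "lab@partner.example"}
# Constructed list of consumer webmail domains, used to spot PHI being
# forwarded to an employee's personal account.
CONSUMER_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass
class OutboundMessage:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    contains_phi: bool = False  # assumed to be set upstream (e.g. by a DLP classifier)
    encrypted: bool = False     # assumed: True when body and attachments are encrypted


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of a header-style address, or '' if malformed."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[1].lower() if "@" in email_addr else ""


def normalized(addr: str) -> str:
    return parseaddr(addr)[1].lower()


def is_external(addr: str) -> bool:
    return domain_of(addr) not in INTERNAL_DOMAINS


def check_message(msg: OutboundMessage) -> List[str]:
    """Apply the four protocols; return a list of findings (empty means compliant)."""
    findings: List[str] = []
    everyone = msg.to + msg.cc + msg.bcc
    external_visible = [a for a in msg.to + msg.cc if is_external(a)]

    # Rule 1 ("copy vs. blind copy"): more than one external recipient in To/Cc
    # discloses every recipient's address to all the others; they belong in Bcc.
    if len(external_visible) > 1:
        findings.append(f"BCC_REQUIRED: {len(external_visible)} external recipients visible in To/Cc")

    for addr in everyone:
        dom = domain_of(addr)
        # Rule 2 (mandatory recipient verification): malformed or unknown external addresses.
        if not dom:
            findings.append(f"INVALID_RECIPIENT: {addr}")
        elif is_external(addr) and normalized(addr) not in VERIFIED_EXTERNAL:
            findings.append(f"UNVERIFIED_RECIPIENT: {addr}")
        # Rule 3 (no PHI to personal accounts): consumer webmail recipient for PHI content.
        if msg.contains_phi and dom in CONSUMER_WEBMAIL:
            findings.append(f"PERSONAL_ACCOUNT: {addr}")

    # Rule 4 (encryption of content): PHI leaving the organization must be encrypted.
    if msg.contains_phi and not msg.encrypted and any(is_external(a) for a in everyone):
        findings.append("UNENCRYPTED_PHI: external delivery of PHI without encryption")
    return findings


# Constructed sample messages illustrating the breach categories in the study.
SAMPLES: Dict[str, OutboundMessage] = {
    # Appointment reminder mass-mailed with patients in Cc instead of Bcc.
    "cc_blast": OutboundMessage(
        sender="clinic@example-health.org",
        cc=["pat.one@mail.example", "pat.two@mail.example"],
        contains_phi=True, encrypted=True),
    # Employee forwards unencrypted test results to a personal webmail account.
    "take_home": OutboundMessage(
        sender="nurse@example-health.org",
        to=["nurse.home@gmail.com"],
        contains_phi=True, encrypted=False),
    # Compliant: a single verified partner recipient, encrypted content.
    "clean": OutboundMessage(
        sender="lab.liaison@example-health.org",
        to=["lab@partner.example"],
        contains_phi=True, encrypted=True),
}


def run_samples() -> Dict[str, List[str]]:
    return {name: check_message(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["OK"])
```

In a real deployment these checks would sit in a mail gateway or a client add-in and block or quarantine the message rather than just report; the point of the sketch is that each of the study's protocols maps to a mechanical rule that does not rely on the sender remembering it.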

“Not putting on the whole armor opened health care entities to enemy’s attacks,” Bai said. “The good news is that the armor is not hard to put on if simple protocols are followed.”

Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.


Cybersecurity, Telehealth and Interoperability “Top of Mind” for IT Execs in 2019

November 19, 2018
by Heather Landi, Associate Editor

As health system leaders look ahead to the challenges and opportunities of the coming year, they are increasing their spending to defend against cyberattacks, expressing optimism about reimbursement for telehealth services, and feeling anxiety about Apple, Amazon and Google entering the health care space, according to a new survey.

The second annual survey, conducted by the Pittsburgh-based Center for Connected Medicine (CCM) in partnership with the Health Management Academy, reflects the opinions of healthcare C-suite leaders from nearly 40 major U.S. health systems about their IT priorities for the year ahead. CCM is a collaborative health care executive briefing center jointly operated by GE Healthcare, Nokia and UPMC. The Alexandria, Va.-based Health Management Academy is a membership organization consisting of executives from the country’s top 100 health systems focused on sharing best practices.

Conducted in three parts, the research started with a survey of health system information officers (CIOs, chief medical informatics officers (CMIOs) and chief nursing informatics officers (CNIOs)) in May 2018 to determine the top areas of health IT for 2019. A quantitative survey was conducted in July 2018 with questions focused on cybersecurity, telehealth and interoperability. In September 2018, qualitative interviews were completed with 18 C-suite executives, including chief executive officers, chief operating officers, CIOs and CMIOs.

According to the survey report, “Top of Mind for Top Health Systems 2019,” health system executive leaders identified cybersecurity, telehealth and interoperability as the top three areas of health IT that will have the most impact in 2019. Cybersecurity remained at the top of the list from the previous year’s survey, and telehealth and interoperability climbed the ranking. The previous year’s Top of Mind report had identified cybersecurity, consumer-facing technology, and predictive analytics as the top three areas of focus for 2018.

“While consumerism and analytics remain hot topics in health care, it was not surprising to see telehealth and interoperability rise in the minds of health IT executives for 2019. Policymakers, in particular, have emphasized telehealth and interoperability in the past year, and the threats of cyberattacks and data breaches are constant in health care,” the report authors wrote.

While healthcare executive leaders cited those three topics as immediate, pressing concerns, when asked what health IT technologies they anticipated would have the most impact on health care five years from now, health system executive leaders identified artificial intelligence, consumer technology, and genomics. According to the report, one CNIO said: “The technology is moving so fast that it is hard to predict five years out. I would not have picked some of these for 2019 one year ago.”

Cybersecurity

Hackers and other cyber-criminals are stepping up their attacks on the health care industry, leading 87 percent of respondents to say they expect to increase spending on cybersecurity in 2019; no health system was expecting to decrease spending. Half of respondents expect a spending increase greater than five percent.

For 2019, health systems said they would invest cybersecurity resources to bolster current areas of investment, with many focusing on both staff and technology, such as firewalls, intrusion detection software, and two-factor authentication, that guard against breaches of protected health information (PHI).

Despite increasing financial investment and prioritization of cybersecurity at health systems, executives did not express robust confidence in their organization’s IT recovery and business continuity plans after an attack or breach. Seven out of 10 respondents reported being “somewhat confident” in their recovery and continuity plans; only 20 percent said they were “very confident.”

The most commonly cited challenge in cybersecurity was employee education: 62 percent of respondents named “staff” as the greatest point of cybersecurity weakness. What’s more, phishing and spear-phishing were cited as the most common types of cyberattacks in the previous 12 months.

According to the report, one CEO commented during an interview: “The people that are up to no good have far better tools than we do on our platforms. If they really target you, they will likely find a way in.… We are not trying to make it impenetrable, but we are trying to make it more difficult to break into our system than others in our market.”

Telehealth

Health information technology (IT) leaders overwhelmingly expect government and commercial reimbursement to provide the majority of funding for telehealth services by 2022; internal funding and patient payments are expected to provide the majority of funding for telehealth in 2019.

Government policy is driving some of this optimism, the report authors wrote. “For example, CMS [The Centers for Medicare & Medicaid Services] published a proposal in July 2018 that provided three new remote patient monitoring reimbursement medical codes. While some critics have said the proposal’s $14 reimbursement for virtual check-ins is too low, the move by CMS appears to cement telehealth reimbursement as a priority for the agency.”

All responding health systems report that telehealth accounts for 10 percent or less of their organization’s total care delivery; however, over the next three years, 45 percent of respondents expect use of telehealth to increase by 10 percent or more. Lack of reimbursement was cited as the most significant barrier to adopting greater telehealth services, named by 70 percent of respondents.

Most health system executives interviewed for the study said their health system had not yet calculated a specific return on investment (ROI) for telehealth. But systems are investing anyway as a hedge that future reimbursement will outweigh the potential losses of today, according to the survey report. “For the moment, reimbursement is widely thought of in terms of physician time, but as technologies evolve, the question will be whether reimbursement will expand to hardware. Investment can also be seen as a bellwether for provider sentiment toward transformation to value-based care,” the report authors wrote.

When considering a telehealth technology system, top features/priorities are “integration with the clinical workflow” and “ease of patient triage and virtual follow-up,” according to the survey.

Need for Innovation Drives Focus on Interoperability

Interoperability has emerged as a key challenge in health care as hospitals and health systems pursue value-based care, consumerism, and other initiatives that require broad sets of data from disparate IT systems, the report noted. As the health care industry continues to evolve, provider health systems are having to think more creatively about their strategies in order to remain successful.

A lack of interoperability has made it more difficult for health systems to address certain key priorities, most commonly improved efficiency and cost reduction, and advanced analytics, the report said. Additionally, executives report challenges addressing care gap closure, longitudinal patient data, and integration with non-owned partners.

More than half of respondents (61 percent) said the use of a major electronic health record (EHR) system was not stifling digital innovation at their health system. However, in qualitative interviews, several executives said an EHR was limiting their ability to innovate by locking them into a single vendor’s products, according to the report.

Seventy percent of informatics executives said they were “somewhat concerned” about big tech companies, such as Apple, Amazon and Google, disrupting the health care market; 10 percent were “very concerned,” the survey found.

The report quotes one CEO who said: “They are new competitors that look very different from traditional health care competitors. They are better in their space and can catch up quickly. Current stakeholders are resistant to change. If we’re slow and dodgy we’re going to get lapped.”

The survey also examined the role of the cloud in the future of health IT. The majority of health care data is expected to be stored in on-premises data centers (20 percent) or hybrid / private cloud (60 percent) in the next three years, according to the survey, and 10 percent said they anticipate storing health data in a public cloud.
