Massachusetts General Hospital (MA) notifies 4,300 patients that their information was exposed in a February 2016 breach of dental practice systems vendor Patterson Dental Supply. Dental system security guy Justin Shafer notified the company in February that all instances of its Eaglesoft software are insecure because the database uses a default username of “dba” and a password of “sql.”
The company expressed its thanks in May 2016 by filing a Computer Fraud and Abuse Act claim in which it notified the FBI that Shafer had illegally accessed its server, leading to a pre-dawn raid on his home by a dozen armed agents who hauled him away in handcuffs.
SRS commented on the screenshots I ran showing hacker TheDarkOverlord (who I’ll refer to as “he” even though he or she hasn’t divulged gender) sitting on an SRS EHR log-in screen as he apparently used Remote Desktop Protocol (RDP) to steal their client’s patient data:
Protecting our clients’ patients’ information is a top priority at SRS. Upon receiving notification that patient data from one of our clients may have been compromised, we immediately launched an investigation. While our investigation has concluded that the SRS system itself was not compromised, we are working in partnership with our client to assist in any way we can. At this time, the matter has been turned over to the appropriate authorities.
The hacker published several SRS screen shots showing full patient information. SRS is right, though – accessing a system by breaching RDP isn’t taking advantage of a vulnerability of any system other than RDP. It’s just logging in using someone else’s credentials. The real question is how he obtained the log-in information. RDP can store system usernames and passwords that can be displayed with readily available utilities. It would be interesting to know whether the clinic had set up RDP for its own users or whether a software vendor had configured it for remote support use.
Justin Shafer (see above) speculates that the SRS client is Athens Orthopedic Clinic (GA) based on partially readable information in the SRS screen shots. DataBreaches.net contacted the clinic and received this response from its CEO:
In the last 48 hours, we were made aware of a potential data breach relating to our online patient records. Today, we also received an email requesting that we comply with the hacker’s request (which has been published in various forms online.) We take the privacy of our patients very seriously, as well as the laws that guide patient privacy, and we are investigating what may have happened through the proper channels. When we have more information to share with you and your readers, we will be in touch. Kayo Elliott, CEO, Athens Orthopedic Center.
TheDarkOverlord also named the Midwest provider from whose system 98,000 records were stolen and then listed for sale: Midwest Orthopedic Pain & Spine in Farmington, MO.
The hacker says he contacted each provider and offered to destroy his copies of their records if they paid him, with the alternative being that he would offer their records for sale. All of the providers declined. Note that this is extortion rather than a ransomware attack since he didn’t lock the users out of their own databases – he just demanded money in return for not publishing the records. He also apparently accessed the systems using manual intrusion methods rather than automated malware.
I scoured the Web for how to secure RDP:
- Use strong passwords.
- Keep both client and server versions current since older versions have many vulnerabilities.
- Enable network-level authentication.
- Administrator-level users can run RDP by default, so either remote unneeded administrator access or remove the administrator account from RDP access and add a technical group instead.
- Set a local security polity limiting the number of password attempts.
- Change RDP’s listening port so it can’t be easily seen in hacker network scans.
Here’s a chillingly factual description of how to hack RDP to steal the sysadmin password. The hacker uses address resolution protocol scanning software to find device IP addresses; captures the data stream when an RDP client connects to the RDP server (such as when a vendor connects to provide technical support); and then looks for passwords in the sniffer file, visible as individual user keystrokes (or the hacker can use a brute force password cracker).
Vendors, you might want to give your customers some emergency security guidance about configuring RDP, TeamViewer, LogMeIn, or any other remote support tool your support agreement requires.
From Green Tomato: “Re: forcing consulting firm employees to sign Epic’s non-compete agreement. Here’s a copy of what my employer insists we sign. Interesting contents: (a) it completely restricts access to Epic code without ‘pursuant to a customer schedule’ language, so the company has already run into engagements that require review of Epic code; (b) it restricts access to the Chronicles database, again costing my company a couple of engagements because they needed to query Chronicles to support a customer; and (c) it includes the hugely overreaching and offensive clauses declaring that we can’t work for an Epic competitor for one year after leaving our current jobs. I’ve heard that other consulting companies have signed agreements without the non-compete clause. I am standing up to my employer in not signing the agreement and will likely lose my job in the next few weeks. Without getting a group together for class action lawsuit, I’m essentially screwed, and even with a group it would be an uphill battle.”I don’t have the expertise to evaluate the legality of a company requiring its employees to sign another company’s non-compete agreement, but firing someone for declining to sign would seem to sit in wrongful termination territory. The fact that your employer even put this in front of you is indicative of just how scared companies are of getting on Epic’s bad side. I invite legal opinion, although I think you are correct that, right or wrong, you would need a lot of time and money to mount a challenge, and by the time you prevail, you will have moved on. You also have the document in Word, so you could add “not” in a key place (such as, “This restriction will not apply to you”), print it, and sign it hoping that nobody notices your edit.
From ThisChangeIsNotGood: “Re: McKesson and Emdeon. They fall short in integrating acquired products and their customer service lacks. Change Healthcare and Relay have KLAS scores that lag almost 10 points behind their competitors. Why will bringing two challenged organizations together be good for customers? The obvious answer is that it won’t – it’s just a very profitable transaction for Blackstone. They acquired Emdeon for $3 billion and used at least $1.5 billion in debt, so this deal gives them $1.75 billion in cash ($250 million in profit) plus they still own 30 percent of the resulting entity. The release mentions $150 million in cost reductions which has to be mostly employees – the companies are huge cash generators because their customer contracts are old and those customers are drastically overpaying. The question is how long hospital CFOs will tolerate out-of-market prices with mediocre solutions and customer satisfaction.” There’s also the question about the degree of alienation felt by McKesson Technology Solutions customers and whether they see that getting better or worse once they’ve been dealt off to NewCo since, most importantly to McKesson, they buy a lot of non-IT stuff that McKesson actually cares about.
From HIStalkFan: “Re: [vendor name omitted.] VP of operations is leaving after the international sales VP left in the past month as well. The company has fired 20 folks in the past few months and seems to be losing business fast.” I left out the name of the cardiovascular information systems vendor for now since the VP is still listed on the company’s executive page.
From Luke: “Re: VistA. Says its 40-year-old code is hard to manage, unlike that of commercial products.” Maybe, but Epic has been around nearly that long and Cerner Millennium was built in the 1990s. All three products have been enhanced continuously since they were developed, so it’s not like running an un-updated copy of Windows 3.11. The problem with both the DoD and the VA is that they’re going to hand billions over to contractors no matter what product they use and will probably botch their implementations via poor planning and oversight.
HIStalk Announcements and Requests
Mr. H says his Texas after-school STEM class is “beyond excited” about the STEM kits we provided in funding his DonorsChoose grant request. The students have built a robot arm and analyzed pond water, with one student proudly exclaiming while experimenting with a marble roller coaster, “We are engineers in the making!”
Listening: Gary Clark, Jr., accurately characterized by the reader who recommended him as “born two generations too late, Jimi Hendrix crossed with Stevie Ray Vaughn.”
This week on HIStalk Practice: ManagementPlus launches revenue cycle solutions for eye care practices. Jonathan Bush waxes lyrical about his political plans. Allergy Partners develops app to help its patients track meds, triggers, symptoms. VillageMD partners with New Hampshire-based practices to assist with value-based care transitions. HHS selects 200 physician practices to participate in its Medicare Oncology Care Model. "Dr. Trump" promises perfect healthcare for all.
July 13 (Wednesday) 1:00 ET. “Why Risk It? Readmissions Before They Happen.” Sponsored by Medicity. Presenter: Adam Bell, RN, senior clinical consultant, Medicity. Readmissions generate a staggering $41.3 billion in additional hospital costs each year, and many occur for reasons that could have been avoided. Without a clear way to proactively identify admitted patients with the highest risk of readmission, hospitals face major revenue losses and CMS penalties. Join this webinar to discover how to unlock the potential of patient data with intelligence to predict which admitted patients are at high risk for readmission.
Acquisitions, Funding, Business, and Stock
Marketing intelligence vendor Definitive Healthcare acquires competitor Billian’s HealthData.
Teladoc will acquire telehealth consumer engagement platform vendor HealthiestYou for $155 million in cash and stock. Scottsdale, AZ-based HealthiestYou lost money on $10 million in FY2015 revenue, while Teladoc confirms that it will lose around $50 million in 2016. HealthiestYou offers price comparison and provider search. It seems like a ridiculous multiple for Teladoc to pay for an app that doesn’t seem all that interesting or related to its core telehealth business, but they must know what they’re doing.
Google Capital takes a $46 million position in publicly traded marketplace Care.com, which matches families with caregivers.
Allscripts sues its former chief marketing and strategy officer Dan Michelson – hired by competitor Strata Decision Technology as CEO in 2012 – as well as Strata, claiming that Michelson “has in his possession an external hard drive containing highly confidential and trade secret Allscripts documents and information.” Allscripts claims that Michelson has disclosed its information to Strata employees in violation of his Allscripts employment agreement. The lawsuit also notes that Strata hired several other Allscripts employees, several of whom worked in sales for EPSi, the Allscripts financial planning product that competes with Strata’s StrataJazz. Allscripts contends that it lost the #1 KLAS spot for Decision Support – Business in 2014 to StrataJazz because of the exposed information, causing EPSi to drop to fourth place in the 2015 report.
GoHealth Urgent Care chooses Orion Health’s Rhapsody integration engine to connect with its health system partners.
Government and Politics
Vice President Biden, questioned at a cancer summit about why medical institutions that receive government grants don’t always publish their research data, responds angrily, “I’m going to find out of it’s true. And if it’s true, I’m going to cut funding. That’s a promise.” NIH Director Francis Collins says the 2008 law requiring taxpayer-funded researchers to submit their clinical trials data to NIH-run ClinicalTrials.gov does not provide an enforcement mechanism, but he expects changes that will allow NIH to levy fines on those who don’t comply or the power to ban them from receiving further grants.
The Wall Street Journal says health insurance deductibles should become the next health policy debate now that 91 percent of the US population has coverage. Since 2004, co-pays have dropped, worker wages have increased modestly, and deductibles have jumped 256 percent to become the #1 health cost concern of consumers as well as the preferred tool for employers trying to rein in annual premium increases.
Congress works on a financial bailout of Puerto Rico, where 9 percent of its population has moved to the US, causing its hospitals to struggle with unfilled beds and an exodus of clinicians that may cause a further downward spiral in employment and business investment. Puerto Rico’s governor observes that its residents pay the same Medicare tax as mainland residents, but it gets less federal funding than the states. Lenders have cut off further loans as debt soars, with one surgeon noting that the hospital’s electricity was turned off for non-payment in the middle of a surgery he was performing.
AMIA announces the eligibility requirements to take the exam for its Advanced Health Informatics Certification, an alternative to the physician-only clinical informatics subspecialty. Until an unspecified time until which the majority of graduate informatics programs are accredited, the requirements are:
- Employment in an operational health informatics role.
- Attainment of a health professions graduate degree plus a master’s in health informatics (for which 36 months of informatics experience in the US or Canada can be substituted). Examples of acceptable degrees are MSN, MPH, NP, PA, DDS, DNP, PharmD, DO, and MD.
- 18 months of informatics work experience.
AMIA’s next steps are to develop the exam’s core content, choose a certifying entity, and launch the accreditation of graduate health informatics programs.
Commonwealth Fund President and former National Coordinator David Blumenthal, MD, MPP says that instead of trying to convince providers to share their patient information, a better way to eliminate information blocking is to put patients in control of their own records as a “consumer-mediated health information exchange.” Patients or their paid vendors would manage and distribute their own information to parties they specify, which could include researchers or public health authorities. Blumenthal says the next steps would be to certify and/or regulate the organizations that will help patients share their information and to give those organizations access to provider EHRs.
Informaticist Harris Stutman, MD ended his “Jeopardy” run Wednesday, earning second place for the day but taking home three-day winnings of $63,500.
BMJ ponders whether it’s OK for conferences to ban live-tweeting of their educational sessions. Arguments for: (a) presentations may include unpublished results and preliminary conclusions; and (b) the presenters may have granted a copyright to journal that is publishing their work. The author suggests that conferences make their tweeting policy clear and that speakers indicate on their title slide whether they are OK with having attendees tweet out photos of their other slides and handouts.
- Audacious Inquiry announces that its Encounter Notification Service is delivering1 million ADT notifications per month.
- Boston Software Systems launches an EHR migration and optimization podcast series.
- Netsmart helps prepare health and human services providers for CARF and The Joint Commission accreditations.
- Representatives from 30 healthcare organizations in Canada visited Toronto’s Humber River Hospital, which claims to be North America’s first full digital hospital, to learn about its Meditech 6.1 system.
- CloudWave is named by Hewlett Packard Enterprise as Preferred Healthcare Network Partner.
- Red Hat will host its annual summit will take place May 2-5, 2017 in Boston.
- Sagacious Consultants releases the June 2016 edition of its Sagacious Pulse newsletter.
- SK&A publishes its annual pharmacy compliance report.
- Sunquest Information Systems hosts a Cancer Moonshot Summit in Tucson, AZ.
- How Long Should Organizations Take to Notify After a Breach? (ID Experts)
- Earned Media is the Best Media (Influence Health)
- Engineering Solutions to Improve Quality of Care (Ingenious Med)
- The Journey to EMR Adoption: Persistence Pays Off (InterSystems)
- Medical Image Exchange: Which Docs Use it Most? (LifeImage)
- 4 ways to set yourself up for effective data governance (The Advisory Board Company)
- The Biggest Risk of Social Media for Physicians? Not Using It! (Meditech)
- Preparing for the Health System of the Future: 3 Strategies You Should Know (Navicure)
- Managed Services: Your EHR challenges, our solutions (Nordic)
- A Different Kind of Patient Record (Orion Health)
- Re-imagining Healthcare IT (PatientKeeper)
- Is Your Old EMR and Open Door for Hackers? (Mica Health)
- Building an effective care team collaboration strategy: 4 focal points (PerfectServe)
- Addressing the Address Issue in the “Good Neighbor” Policy (Phynd Technologies)
- If You Value Health Data, Set it Free (PMD)
- Spotlight on the Heart of MUSE 2016 (Summit Healthcare)
- Finding Success in Health IT Adoption for LTPAC (Surescripts)