
News 7/1/16

June 30, 2016 News 13 Comments

Top News


Massachusetts General Hospital (MA) notifies 4,300 patients that their information was exposed in a February 2016 breach of dental practice systems vendor Patterson Dental Supply. Dental system security guy Justin Shafer notified the company in February that all instances of its Eaglesoft software are insecure because the database uses a default username of “dba” and a password of “sql.”

The company expressed its thanks in May 2016 by filing a Computer Fraud and Abuse Act claim in which it notified the FBI that Shafer had illegally accessed its server, leading to a pre-dawn raid on his home by a dozen armed agents who hauled him away in handcuffs.


SRS commented on the screenshots I ran showing hacker TheDarkOverlord (who I’ll refer to as “he” even though he or she hasn’t divulged gender) sitting on an SRS EHR log-in screen as he apparently used Remote Desktop Protocol (RDP) to steal their client’s patient data:

Protecting our clients’ patients’ information is a top priority at SRS. Upon receiving notification that patient data from one of our clients may have been compromised, we immediately launched an investigation. While our investigation has concluded that the SRS system itself was not compromised, we are working in partnership with our client to assist in any way we can. At this time, the matter has been turned over to the appropriate authorities.

The hacker published several SRS screen shots showing full patient information. SRS is right, though – accessing a system by breaching RDP isn’t taking advantage of a vulnerability of any system other than RDP. It’s just logging in using someone else’s credentials. The real question is how he obtained the log-in information. RDP can store system usernames and passwords that can be displayed with readily available utilities. It would be interesting to know whether the clinic had set up RDP for its own users or whether a software vendor had configured it for remote support use.


Justin Shafer (see above) speculates that the SRS client is Athens Orthopedic Clinic (GA) based on partially readable information in the SRS screen shots. DataBreaches.net contacted the clinic and received this response from its CEO:

In the last 48 hours, we were made aware of a potential data breach relating to our online patient records. Today, we also received an email requesting that we comply with the hacker’s request (which has been published in various forms online.) We take the privacy of our patients very seriously, as well as the laws that guide patient privacy, and we are investigating what may have happened through the proper channels. When we have more information to share with you and your readers, we will be in touch. Kayo Elliott, CEO, Athens Orthopedic Center.

TheDarkOverlord also named the Midwest provider from whose system 98,000 records were stolen and then listed for sale: Midwest Orthopedic Pain & Spine in Farmington, MO.

The hacker says he contacted each provider and offered to destroy his copies of their records if they paid him, with the alternative being that he would offer their records for sale. All of the providers declined. Note that this is extortion rather than a ransomware attack since he didn’t lock the users out of their own databases – he just demanded money in return for not publishing the records. He also apparently accessed the systems using manual intrusion methods rather than automated malware.

I scoured the Web for how to secure RDP:

  • Use strong passwords.
  • Keep both client and server versions current, since older versions have many known vulnerabilities.
  • Enable network-level authentication.
  • Administrator-level users can run RDP by default, so either remove unneeded administrator access or remove the administrator account from RDP access and add a dedicated technical group instead.
  • Set a local security policy limiting the number of password attempts.
  • Change RDP’s listening port so it can’t be easily seen in hacker network scans.

Here’s a chillingly factual description of how to hack RDP to steal the sysadmin password. The hacker uses address resolution protocol scanning software to find device IP addresses; captures the data stream when an RDP client connects to the RDP server (such as when a vendor connects to provide technical support); and then looks for passwords in the sniffer file, visible as individual user keystrokes (or the hacker can use a brute force password cracker).
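As an added example (not from the original post, and not code from any of the vendors named in it), here is a read-only PowerShell audit that checks a Windows host against the checklist above and against the transport weakness behind the sniffing description: whether network-level authentication and a TLS-only security layer are enforced, whether a lockout threshold is set, whether the built-in Administrator account is still enabled, who is in Remote Desktop Users, whether any RDP credentials are saved in Credential Manager, and how many failed logons each source address produced in the last day. The registry paths, `net accounts`, `cmdkey` and the cmdlets used are standard Windows ones; the 24-hour window and the 20-failures-per-source threshold are arbitrary choices made for this example.

```powershell
# Added example: audit a Windows host's RDP posture. Read-only. Run in an
# elevated PowerShell session (the Security log is not readable otherwise).
# Get-LocalUser / Get-LocalGroupMember need Windows 10 / Server 2016 or later.

$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$termSrv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-RdpHardening {
    $findings = @()

    # If RDP is disabled there is nothing to harden; 1 means disabled.
    $deny = Get-RegValue $termSrv 'fDenyTSConnections'
    $findings += New-Finding 'RDP disabled (if not needed)' ($deny -eq 1) "fDenyTSConnections=$deny"

    # Network Level Authentication: credentials are verified via CredSSP
    # before any session or logon screen is created for the caller.
    $nla = Get-RegValue $rdpTcp 'UserAuthentication'
    $findings += New-Finding 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"

    # Transport: SecurityLayer 2 = TLS only (0 = legacy RDP, 1 = negotiate),
    # MinEncryptionLevel 3 = High. Negotiable or legacy security is what makes
    # the capture-the-stream approach described above viable.
    $sl  = Get-RegValue $rdpTcp 'SecurityLayer'
    $enc = Get-RegValue $rdpTcp 'MinEncryptionLevel'
    $findings += New-Finding 'TLS-only security layer' ($sl -eq 2) "SecurityLayer=$sl"
    $findings += New-Finding 'High encryption level' ($enc -ge 3) "MinEncryptionLevel=$enc"

    # Listening port. Moving off 3389 only reduces noise from scanners; it is
    # reported so the reader knows where the host actually listens.
    $port = Get-RegValue $rdpTcp 'PortNumber'
    $findings += New-Finding 'Non-default listening port' ($port -ne 3389) "PortNumber=$port"

    # Account lockout: 'net accounts' prints "Lockout threshold: Never" when unset.
    $lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $threshold = if ("$lockoutLine" -match ':\s*(\d+)') { [int]$Matches[1] } else { 0 }
    $findings += New-Finding 'Lockout threshold set' ($threshold -gt 0) ("$lockoutLine").Trim()

    # Accounts: the built-in Administrator (RID 500) should be disabled, and
    # Remote Desktop Users should hold a purpose-built group, not broad ones.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $findings += New-Finding 'Built-in Administrator disabled' (-not $builtinAdmin.Enabled) "Enabled=$($builtinAdmin.Enabled)"
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $broad = $rdpUsers.Name -match 'Everyone|Authenticated Users|Domain Users'
    $findings += New-Finding 'No broad groups in Remote Desktop Users' (-not $broad) (($rdpUsers.Name) -join ', ')

    # Saved credentials: mstsc stores them in Credential Manager as TERMSRV/<host>.
    # cmdkey only shows the current user's vault, so run this as each account
    # that a vendor or admin uses for remote support.
    $saved = (cmdkey /list) | Where-Object { $_ -match 'TERMSRV' }
    $findings += New-Finding 'No saved RDP credentials' (-not $saved) ("$saved").Trim()

    # Failed logons (event 4625) in the last 24h, grouped by source address.
    # With NLA on, failed RDP attempts are logged as LogonType 3, not 10, so
    # grouping by IpAddress is more reliable than filtering on logon type.
    $since  = (Get-Date).AddDays(-1)
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $bySource = $failed | ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object -First 5
    $detail = ($bySource | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    $noisy  = $bySource | Where-Object { $_.Count -ge 20 }   # 20 is an arbitrary threshold
    $findings += New-Finding 'Under 20 failed logons per source (24h)' (-not $noisy) $detail

    return $findings
}

Test-RdpHardening | Format-Table -AutoSize
```

Anything that shows `Pass = False` maps directly to one bullet in the list above; the saved-credentials and failed-logon rows are the two checks most worth repeating on any machine a support vendor connects to, since a stored vendor logon or a quiet trickle of failures from one address is exactly the scenario the post describes.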

Vendors, you might want to give your customers some emergency security guidance about configuring RDP, TeamViewer, LogMeIn, or any other remote support tool your support agreement requires.


Reader Comments


From Green Tomato: “Re: forcing consulting firm employees to sign Epic’s non-compete agreement. Here’s a copy of what my employer insists we sign. Interesting contents: (a) it completely restricts access to Epic code without ‘pursuant to a customer schedule’ language, so the company has already run into engagements that require review of Epic code; (b) it restricts access to the Chronicles database, again costing my company a couple of engagements because they needed to query Chronicles to support a customer; and (c) it includes the hugely overreaching and offensive clauses declaring that we can’t work for an Epic competitor for one year after leaving our current jobs. I’ve heard that other consulting companies have signed agreements without the non-compete clause. I am standing up to my employer in not signing the agreement and will likely lose my job in the next few weeks. Without getting a group together for a class action lawsuit, I’m essentially screwed, and even with a group it would be an uphill battle.” I don’t have the expertise to evaluate the legality of a company requiring its employees to sign another company’s non-compete agreement, but firing someone for declining to sign would seem to sit in wrongful termination territory. The fact that your employer even put this in front of you is indicative of just how scared companies are of getting on Epic’s bad side. I invite legal opinion, although I think you are correct that, right or wrong, you would need a lot of time and money to mount a challenge, and by the time you prevail, you will have moved on. You also have the document in Word, so you could add “not” in a key place (such as, “This restriction will not apply to you”), print it, and sign it hoping that nobody notices your edit.


From ThisChangeIsNotGood: “Re: McKesson and Emdeon. They fall short in integrating acquired products and their customer service lacks. Change Healthcare and Relay have KLAS scores that lag almost 10 points behind their competitors. Why will bringing two challenged organizations together be good for customers? The obvious answer is that it won’t – it’s just a very profitable transaction for Blackstone. They acquired Emdeon for $3 billion and used at least $1.5 billion in debt, so this deal gives them $1.75 billion in cash ($250 million in profit) plus they still own 30 percent of the resulting entity. The release mentions $150 million in cost reductions which has to be mostly employees – the companies are huge cash generators because their customer contracts are old and those customers are drastically overpaying. The question is how long hospital CFOs will tolerate out-of-market prices with mediocre solutions and customer satisfaction.” There’s also the question about the degree of alienation felt by McKesson Technology Solutions customers and whether they see that getting better or worse once they’ve been dealt off to NewCo since, most importantly to McKesson, they buy a lot of non-IT stuff that McKesson actually cares about.

From HIStalkFan: “Re: [vendor name omitted.] VP of operations is leaving after the international sales VP left in the past month as well. The company has fired 20 folks in the past few months and seems to be losing business fast.” I left out the name of the cardiovascular information systems vendor for now since the VP is still listed on the company’s executive page. 

From Luke: “Re: VistA. Says its 40-year-old code is hard to manage, unlike that of commercial products.” Maybe, but Epic has been around nearly that long and Cerner Millennium was built in the 1990s. All three products have been enhanced continuously since they were developed, so it’s not like running an un-updated copy of Windows 3.11. The problem with both the DoD and the VA is that they’re going to hand billions over to contractors no matter what product they use and will probably botch their implementations via poor planning and oversight.


HIStalk Announcements and Requests


Mr. H says his Texas after-school STEM class is “beyond excited” about the STEM kits we provided in funding his DonorsChoose grant request. The students have built a robot arm and analyzed pond water, with one student proudly exclaiming while experimenting with a marble roller coaster, “We are engineers in the making!”

Listening: Gary Clark, Jr., accurately characterized by the reader who recommended him as “born two generations too late, Jimi Hendrix crossed with Stevie Ray Vaughn.”

This week on HIStalk Practice: ManagementPlus launches revenue cycle solutions for eye care practices. Jonathan Bush waxes lyrical about his political plans. Allergy Partners develops app to help its patients track meds, triggers, symptoms. VillageMD partners with New Hampshire-based practices to assist with value-based care transitions. HHS selects 200 physician practices to participate in its Medicare Oncology Care Model. "Dr. Trump" promises perfect healthcare for all.


Webinars

July 13 (Wednesday) 1:00 ET. “Why Risk It? Readmissions Before They Happen.” Sponsored by Medicity. Presenter: Adam Bell, RN, senior clinical consultant, Medicity. Readmissions generate a staggering $41.3 billion in additional hospital costs each year, and many occur for reasons that could have been avoided. Without a clear way to proactively identify admitted patients with the highest risk of readmission, hospitals face major revenue losses and CMS penalties. Join this webinar to discover how to unlock the potential of patient data with intelligence to predict which admitted patients are at high risk for readmission.

Contact Lorre for webinar services. Past webinars are on our HIStalk webinars YouTube channel.


Acquisitions, Funding, Business, and Stock


Marketing intelligence vendor Definitive Healthcare acquires competitor Billian’s HealthData.


Teladoc will acquire telehealth consumer engagement platform vendor HealthiestYou for $155 million in cash and stock. Scottsdale, AZ-based HealthiestYou lost money on $10 million in FY2015 revenue, while Teladoc confirms that it will lose around $50 million in 2016. HealthiestYou offers price comparison and provider search. It seems like a ridiculous multiple for Teladoc to pay for an app that doesn’t seem all that interesting or related to its core telehealth business, but they must know what they’re doing.


Google Capital takes a $46 million position in publicly traded marketplace Care.com, which matches families with caregivers.


Allscripts sues its former chief marketing and strategy officer Dan Michelson – hired by competitor Strata Decision Technology as CEO in 2012 – as well as Strata, claiming that Michelson “has in his possession an external hard drive containing highly confidential and trade secret Allscripts documents and information.” Allscripts claims that Michelson has disclosed its information to Strata employees in violation of his Allscripts employment agreement. The lawsuit also notes that Strata hired several other Allscripts employees, several of whom worked in sales for EPSi, the Allscripts financial planning product that competes with Strata’s StrataJazz. Allscripts contends that it lost the #1 KLAS spot for Decision Support – Business in 2014 to StrataJazz because of the exposed information, causing EPSi to drop to fourth place in the 2015 report.


Sales

GoHealth Urgent Care chooses Orion Health’s Rhapsody integration engine to connect with its health system partners.


Government and Politics

Vice President Biden, questioned at a cancer summit about why medical institutions that receive government grants don’t always publish their research data, responds angrily, “I’m going to find out if it’s true. And if it’s true, I’m going to cut funding. That’s a promise.” NIH Director Francis Collins says the 2008 law requiring taxpayer-funded researchers to submit their clinical trials data to NIH-run ClinicalTrials.gov does not provide an enforcement mechanism, but he expects changes that will allow NIH to levy fines on those who don’t comply or the power to ban them from receiving further grants.


The Wall Street Journal says health insurance deductibles should become the next health policy debate now that 91 percent of the US population has coverage. Since 2004, co-pays have dropped, worker wages have increased modestly, and deductibles have jumped 256 percent to become the #1 health cost concern of consumers as well as the preferred tool for employers trying to rein in annual premium increases.

Congress works on a financial bailout of Puerto Rico, where 9 percent of its population has moved to the US, causing its hospitals to struggle with unfilled beds and an exodus of clinicians that may cause a further downward spiral in employment and business investment. Puerto Rico’s governor observes that its residents pay the same Medicare tax as mainland residents, but it gets less federal funding than the states. Lenders have cut off further loans as debt soars, with one surgeon noting that the hospital’s electricity was turned off for non-payment in the middle of a surgery he was performing.


Other

AMIA announces the eligibility requirements to take the exam for its Advanced Health Informatics Certification, an alternative to the physician-only clinical informatics subspecialty. Until the majority of graduate informatics programs are accredited (AMIA gives no date for that), the requirements are:

  • Employment in an operational health informatics role.
  • Attainment of a health professions graduate degree plus a master’s in health informatics (for which 36 months of informatics experience in the US or Canada can be substituted). Examples of acceptable degrees are MSN, MPH, NP, PA, DDS, DNP, PharmD, DO, and MD.
  • 18 months of informatics work experience.

AMIA’s next steps are to develop the exam’s core content, choose a certifying entity, and launch the accreditation of graduate health informatics programs.


Commonwealth Fund President and former National Coordinator David Blumenthal, MD, MPP says that instead of trying to convince providers to share their patient information, a better way to eliminate information blocking is to put patients in control of their own records as a “consumer-mediated health information exchange.” Patients or their paid vendors would manage and distribute their own information to parties they specify, which could include researchers or public health authorities. Blumenthal says the next steps would be to certify and/or regulate the organizations that will help patients share their information and to give those organizations access to provider EHRs.


Informaticist Harris Stutman, MD ended his “Jeopardy” run Wednesday, earning second place for the day but taking home three-day winnings of $63,500.

BMJ ponders whether it’s OK for conferences to ban live-tweeting of their educational sessions. Arguments for: (a) presentations may include unpublished results and preliminary conclusions; and (b) the presenters may have granted a copyright to the journal that is publishing their work. The author suggests that conferences make their tweeting policy clear and that speakers indicate on their title slide whether they are OK with having attendees tweet out photos of their other slides and handouts.


Sponsor Updates

  • Audacious Inquiry announces that its Encounter Notification Service is delivering 1 million ADT notifications per month.
  • Boston Software Systems launches an EHR migration and optimization podcast series.
  • Netsmart helps prepare health and human services providers for CARF and The Joint Commission accreditations.
  • Representatives from 30 healthcare organizations in Canada visited Toronto’s Humber River Hospital, which claims to be North America’s first full digital hospital, to learn about its Meditech 6.1 system.
  • CloudWave is named by Hewlett Packard Enterprise as Preferred Healthcare Network Partner.
  • Red Hat’s annual summit will take place May 2-5, 2017 in Boston.
  • Sagacious Consultants releases the June 2016 edition of its Sagacious Pulse newsletter.
  • SK&A publishes its annual pharmacy compliance report.
  • Sunquest Information Systems hosts a Cancer Moonshot Summit in Tucson, AZ.


13 comments on this article:

  1. I can confirm that Accenture (FKA Sagacious) Epic consultants have been told many many many many times that our ‘agreement’ with Epic precludes us from looking at ‘code’, creating custom code/one-liners, configuring report templates, and a number of other things that you’d think fall under the realm of “how to do your job”.

    Can’t we all agree that Judy and her army of lawyers are simply using legal threats in order to build up their own attempt at a consulting agency and keeping the revenue in house?

  2. Re: Epic’s non-compete. It is appalling that Epic (and Cerner) can get away with the kind of non-competes that they have, especially considering the fact that both (and indeed the entire HIT industry) have benefitted immensely from federal government largesse.

    Unfortunately, neither in Wisconsin, nor in Missouri, are we likely to see the state AG pursue any sort of legal remedy, something like what the NY AG did against Jimmy John’s recently (http://www.ag.ny.gov/press-release/ag-schneiderman-announces-settlement-jimmy-johns-stop-including-non-compete-agreements). Those two AGs are too busy suing the federal government for State rights to continue polluting the environment and continue restricting women’s access to control over their own bodies.

    One bright spot in HIT seems to be one of your sponsors though (Health Catalyst). They recently completely eliminated NDAs/non-compete. I hope they will continue to set a better example for the HIT industry.

  3. Epic and Cerner are taking advantage of their position in the HIT and Meditech can’t get its act together. Epic employees tell their clients not to hire consultants. What are they afraid of? It’s just a matter of time before another company steps into the fray.

    Epic and Cerner are not the wholesome answer to the HIT world. Someone beside KLAS has to get a better picture of their client satisfaction.

  4. I think it is important to keep in mind that just because you sign a Non-Compete doesn’t mean that it is going to be enforced either. I think most companies, especially those in software, have Non-Competes. The key is whether or not they enforce it.

    It seems to be that Epic is always enforcing their Non-Compete, regardless of the situation at hand. I have an issue with that because no one should have the right to dictate where one will work. On the other hand, I understand the Non-Compete because you don’t want people stealing your code and making money off it. It’s a slippery slope.

    On the Cerner side, I can say with confidence as a former associate, they rarely enforce the Non-Compete as long as you leave the “right” way. Give enough notice, be respectful and don’t try to take proprietary information with you. I believe I have only heard of them enforcing it on a few occasions, mostly when a key Sr. level Programmer has left to go to a competitor or start up a competing business.

    Again, I think it is more about how the company enforces the agreement.

  5. Two points:
    1. When I think of what I am looking for in a high priced consulting agency, I don’t think of “legally restricted from doing the work that needs to be done.” Accenture is insane to agree to this and clients should be wary of them as long as this agreement exists.

    2. Now that most of the Epic/Cerner installs are done and client IT departments are building up their own capability, how long will it be until everyone realizes that these companies are just vendors and their bizarre demands/restrictions can simply be ignored as a joke?

  6. Maybe Epic should add “Exploit our Position” to its motto since it seems to be doing that more than it’s doing good, having fun, or making money.

  7. “Accenture is insane to agree to this”

    But the problem, Ex-Epic, is that if Accenture (or Navigate, or Deloitte, or whomever) doesn’t agree to this, Epic cuts off system access for their company. So in this case, Accenture’s choices are to a) agree to this, or b) effectively have their consultants cut off from working on the system altogether.

    Is what Epic is doing legal? Maybe.
    Is what Epic is doing standard? No. They are much more aggressive than Cerner, Meditech, Allscripts, Athena, you name it.
    Is what Epic is doing ethical? Not in my opinion

  8. @addison the consulting company I work for doesn’t have any restrictions like this from Epic so if Accenture agreed to it they are being singularly screwed.

  9. RE: Ex-Epic

    As the letter published was to Huron employees, it is clear that Epic’s effort is not just directed at Accenture.

    If your current firm is immune from this type of act from Epic, please share the name of your employer. I am sure your recruiting team will appreciate it.

  10. About a year ago, before Accenture acquired Sagacious there was a legal scuffle over some silly things like advertising in Madison, keeping client lists published. Sagacious employees lost certain privileges until they agreed to Epic’s demands. Including UserWeb access, ability to go to Epic for training, etc. Actually it was only restored in early 2016 when the Accenture acquisition went through and we had to sign a million and one documents about compliance and non-competes. Other consulting firms were in the same position, from what I heard, but I don’t know how they resolved it.

    Just another example of how Epic can make life difficult for people who don’t fall in line, even if it’s neither legal nor ethical. It’s easier to just roll over and go along with it so we can do our jobs, and hope it won’t come back to bite.

  11. Seconding Addison, the things that occur at the individual employee level don’t matter. I have never heard of an individual being singled out by Epic for breaking one of these non-compete agreements. Epic is only serious about going after the companies that break their agreements, as it’s a much easier way for Epic to quickly crush annoying competitors who don’t fall in line.

    Interestingly, I know of an example where Epic allowed a current employee to leave the company and immediately begin working on a hospital’s newly-forming Epic project team because the employee had a parent sitting on the hospital’s board, or similar, and the hospital had not yet signed its agreement with Epic to begin the implementation. So, it’s clearly a two-way street if you can effectively threaten Epic back.

  12. Re: @Luke & “Re: VistA. Says its 40-year-old code is hard to manage, unlike that of commercial products.”

    I wonder if this comment is more about the “hard to manage” and less about the age of the code. You are correct that old doesn’t have to mean problematic. Sometimes though, the speaker is just trying to summarize the problems under an easy-to-understand tag line. “40 year old code” can be that tag line.

    Google MUMPS. There are lots of discussions from experienced MUMPS programmers about how their old code is undocumented and unreadable. The early MUMPS syntax used command abbreviations for everything. Furthermore, the early stuff predates all the Structured Coding style guides. I would go so far as to say that early MUMPS code is part of the very reason Structured Coding became a thing; nearly all the early languages had great masses of disorganized and unmaintainable code written.

    So, it was maintained though, right? Not so fast. If the existing code works but is difficult to maintain, then the typical organizational response is to avoid doing so. It is put into a “minimal maintenance” mode, with only the highest priority work being approved on it. Re-writing is expensive and slow, so complete re-writes are down-rated to the lowest possible priority. Basically the organization wants to squeeze the maximum value out of its investment.

    The code exists as many thousands of separate objects. They have different authors and different origin dates. Meaning, a typical large operational system consists of a diverse mix of old code and new code. Lots of the newer stuff will be much better organized in every respect.

    However if “enough” of the system is old spaghetti code, then it merits a broad description of “old and hard to maintain”.
