Hacker The Dark Overlord, who has breached at least three healthcare organizations and then listed their patient data for sale when they refused to pay him, advertises for sale the digital assets of a healthcare IT vendor that appears to be PilotFish Technology, which offers integration tools and middleware to several industries that include healthcare. He’s asking $500,000 for HL7 source code, signing keys, and a licensing database. He says he stole the information by gaining full root-level access to the company’s servers. The Dark Overlord listed the information for sale after the company declined to pay him the $500,000 to keep quiet.
The hacker says he has inserted a backdoor in PilotFish’s software that was pushed out in its most recent update and has since stolen the EHR records of all of the company’s customers.
Not only is PilotFish’s business at great risk, so is the information of its customers, among them Utah Health Information Network and the State of Connecticut. PilotFish launched its healthcare business in February 2014.
The Dark Overlord breaches systems using Remote Desktop Protocol exploits, so I’ll recommend again that everybody either secure it or shut it down. He also seems to prefer targeting SRS EHR clients. His latest round of tweets suggests that at least one of the providers he hacked paid him to keep quiet last week.
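One way to act on that recommendation on your own Windows servers, as an added example that is not from this post: a PowerShell audit of the settings that govern RDP exposure, with optional switches to harden it (require Network Level Authentication and TLS) or to shut it off entirely. The registry locations and the "Remote Desktop" firewall rule group are standard Windows names; the script itself is mine and should be run elevated, host by host, in report-only mode first.

```powershell
# Added example (not from the HIStalk post): report a Windows host's RDP exposure,
# and optionally harden or disable it. Default is report-only; nothing changes
# unless -Harden or -Disable is given. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Harden,   # keep RDP but require NLA and the TLS security layer
    [switch]$Disable   # turn RDP off and block its inbound firewall rules
)

# Standard Windows locations for the Terminal Services / RDP settings.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# Read the current state.
$denyConnections = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nla             = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
$securityLayer   = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer
$listener        = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$fwRules         = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' }

# Collect findings a defender would want to see before deciding "secure it or shut it down".
$findings = @()
if ($denyConnections -eq 0) { $findings += 'RDP connections are allowed (fDenyTSConnections = 0)' }
if ($listener)              { $findings += 'A listener is bound to TCP/3389' }
if ($nla -ne 1)             { $findings += 'Network Level Authentication is not required (UserAuthentication <> 1)' }
if ($securityLayer -ne 2)   { $findings += 'Security layer is not TLS (SecurityLayer <> 2)' }
if ($fwRules)               { $findings += "Inbound firewall rules for Remote Desktop are enabled on profiles: $(($fwRules.Profile | Select-Object -Unique) -join ', ')" }

Write-Host "RDP exposure report for $env:COMPUTERNAME"
if ($findings.Count -eq 0) {
    Write-Host '  RDP is disabled and no exposure was found.'
} else {
    $findings | ForEach-Object { Write-Host "  - $_" }
}

if ($Disable) {
    # "Shut it down": refuse connections and close the door in the host firewall.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled and its inbound firewall rules turned off.'
} elseif ($Harden) {
    # "Secure it": NLA forces authentication before a session is created,
    # and SecurityLayer 2 requires TLS for the transport.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2
    Write-Host 'RDP hardened: NLA required, TLS security layer enforced.'
}
```

Hardening the listener does not change whether TCP/3389 is reachable from the Internet; pair this host-level check with a perimeter review, and prefer VPN or gateway-only access over direct exposure.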
From Sharon M: “Re: LabCorp. I’m surprised HIStalk did not cover the IT crash that affected five states. Are you so biased that you only print the favorable reports about HIT?” This comment comes from a frequent anti-EHR troll who assumes multiple identities in unsuccessfully trying to avoid being called out, which even without the technical clues would be obvious since 99 percent of readers complain that I’m too critical of health IT instead of accusing me of being a cheerleader for it. I haven’t seen any mention of LabCorp problems anywhere, so given that I did not personally have tests performed recently in those five states, I have zero information about any downtime and have received nothing from users (including the phony Sharon M). In other anti-technology news, a traffic light went out for an hour recently, so it’s time to replace all of those unreliable devices with stop signs.
From Lysander: “Re: redirects. Why do you redirect the link from HIStalk.com to HIStalk2.com? I know it was originally related to a hosting switch, although if I know your style, that inside joke might be part of the fun.” It’s been nearly 10 years since I switched from a proprietary-technology web host while temporarily running both sites to prevent readers from getting lost. That change isn’t easy to undo, I’ve learned. I had my web host look into it yet again Friday night after your inquiry and they messed things up a bit temporarily, plus the change would probably screw up links to years’ worth of articles. I’ll add that to my inside joke collection (along with smoking doctor logos) and the list of things I’m too lazy to worry about.
From Little Bit: “Re: mission and vision statements. I remember an academic medical center whose mission didn’t have one word about patients in it. There’s also an EHR vendor who talked a lot about their ‘Do Right’ principle, although I think they veered away from that one.” I’ve worked for executives who turfed off creation of mission and vision statements (they didn’t even understand the difference) to their underlings and it was a disaster. The back-stabbing, suck-up directors fought for attention in trying to distill a large, complex operation into a single overinflated, pithy sentence (it ended up with a lot of commas). My takeaway: leaders without vision and character might as well have a crappy, eye-rolling vision statement that will be forgotten immediately because it’s not going to help anyway. My other takeaway is that committees are a poor substitute for leadership since they suck the life out of everything they do, and as such, should be limited to an advisory role to a clearly defined leader rather than having actual power themselves. Give the buck a place to stop.
HIStalk Announcements and Requests
Three-quarters of poll respondents don’t think levying HIPAA fines improves privacy or security. New poll to your right or here: what is your overall opinion of the Affordable Care Act? You can’t just leave us hanging by voting without explaining, so click the poll’s Comments link afterward to elucidate.
Welcome to new HIStalk Platinum Sponsor Evariant. The Farmington, CT company offers enterprise-class CRM platforms for patients, consumers, and physicians that empower the marketing and physician relations teams of leading hospital networks. Evariant’s patient and consumer marketing CRM system drives targeted service line growth with attributable ROI, while its patient acquisition and engagement platform allows hospitals to target appropriate audiences for marketing as well as for education and wellness programs. Hospitals use its physician engagement technology to track referral patterns and physician loyalty in designing effective physician outreach activities. The company offers a free e-book titled “Creating Extended 360° Patient and Physician Views with Big Data Analytics.” Client success stories include Orlando Health, Wake Forest Baptist Health, University of Chicago Medicine, and Dignity Health. Thanks to Evariant for supporting HIStalk.
I found this Evariant client testimonial from University of Chicago Medicine on YouTube.
Mrs. Roepke in Missouri had never had a DonorsChoose grant request fully funded until we provided her elementary school class with interactive math stations. She says her students cheered when they opened the box and saw the electronic flashcards and are using the many tools that were included in their small group work, to the point that they even refer to the game while working in other groups, which she calls “a proud teacher moment.”
I’ve realized what I hate about the phrase “pop health,” other than the fact that it’s an annoying shorthand for “population health,” which in this industry is invariably misused in describing “population health management” or “population health management technology,” which are entirely different things. Reporters and bloggers who bandy the term about from their cheap seats in their unwillingness to enunciate the daunting four syllables of “population” haven’t earned the right to lapse into jargon. Just like it’s insulting to Marines when people who have never served in the military shout out “Semper Fi.”
Listening: the almost-new album of one of my favorite bands, the highly listenable and brilliant Nada Surf, whose stock in trade is thoughtful lyrics, sweet harmonies, and ragged independence. Their catchy, sometimes jangly power-pop is hard to beat and they exhibit the maturity of a band whose lineup hasn’t changed in nearly 25 years. I’m offsetting that with the hard-rocking operatic Finnish metal of Nightwish, who I didn’t realize has commendably added the incomparable Floor Jansen (After Forever) as lead singer.
Last Week’s Most Interesting News
- The VA takes more Congressional heat for lack of DoD interoperability and hints harder at replacing VistA with commercially available software in a Senate Appropriations Committee hearing.
- A survey finds that most doctors haven’t heard of MACRA and hate the idea of tying their income to their quality.
- OHSU pays $2.7 million to settle two HIPAA charges involving only 7,000 patients in incidents involving a stolen laptop and residents using Google Docs to store patient information.
- Imprivata and Valence Health are acquired.
- HHS issues ransomware guidance in declaring that a reportable HIPAA breach has occurred any time PHI is encrypted by malware.
- CMS levies a death sentence on lab processor Theranos, banning Elizabeth Holmes from clinical laboratory ownership for two years and halting Medicare and Medicaid payments to the company.
Acquisitions, Funding, Business, and Stock
GE Healthcare’s management consulting group signs a five-year collaboration agreement with ThoughtWire, which offers machine intelligence software that GE Healthcare will roll out as real-time process alerting and decision support.
University of Virginia Health System selects Evariant’s Physician Relationship Management and Physician Market Solver solutions for physician alignment.
The Medical Information Network – North Sound (WA) HIE adds Jiva Population Health Management to its ZeOmega rollout.
Commonwealth Health (PA) names Denis Tucker (Main Line Health) as CIO.
Government and Politics
England’s Secretary of State for Health and digital health supporter Jeremy Hunt is reappointed under new Prime Minister Theresa May.
The Defense Health Agency awards a five-year, $70 million contract to EHR Total Solutions. I found next to nothing about the company, which seems to exist purely to get military contracts. It previously reported $9 million in annual MHS contracts, so this will raise its total a lot.
A US District Court orders MedSignals CEO Vesta Brue to pay $4.5 million for grant fraud. Her Lexington, KY companies received five NIH grants to develop electronic pillboxes, but she spent the money on plastic surgery, jewelry, and massages. She will also pay restitution and serve jail time for grant fraud related to Telehealth Holdings, Inc., a company operated by her partner Jerome Hahn.
GE Healthcare sues 23-bed West Feliciana Parish Hospital (LA), complaining that it unfairly chose Hitachi Medical Systems to provide imaging equipment at a price below GEHC’s bid.
I’m tiring of the Pokemon Go phenomenon as quickly as I did other pointless, imitative fads like the Ice Bucket Challenge and the phrase “threw up in my mouth a little bit,” but this is cool: C.S. Mott Children’s Hospital (MI) is using the game to get hospitalized children to leave their beds and interact with employees and other patients. That won’t be offset by the hospital influx of dolts who are hurting themselves in their rare interactions with their actual physical surroundings while staring at their phones, but it’s a small plus. Speaking of which, as I predicted last week, game developer Niantic announces monetization plans in which it will offer retailers the ability to sponsor locations on a cost-per-visit basis in hopes of boosting their foot traffic. I predict the game will be a cringingly-recalled embarrassment in six months, just like Second Life and Google Glass.
The former IT administrator of an Alaska health system faces 99 years in prison after pleading guilty to possessing and distributing 2 million images and 13,000 videos of child pornography that he obtained using the hospital’s network. He was not charged for distributing another disturbing image, the photo above from his LinkedIn profile.
The Houston paper covers the “cost versus choice” out-of-network conundrum in describing a 175-bed, oncologist-owned hospital that brings in annual revenue of $1.5 billion despite not accepting any form of insurance. Aetna sued after finding that the hospital was reducing the patient responsibility portion of its bills to in-network levels by applying a “prompt pay discount,” but was sticking Aetna for their full part of the out-of-network charges (such as $200,000 to treat an abscess). Aetna claimed racketeering, while the hospital counter-sued for being blacklisted. The judge denied Aetna’s demand for $225 million in refunds, saying it’s up to Aetna to decide what part of medical costs it pays in applying usual and customary limits.
Bizarre: several doctors in India, one of them a government official, are arrested for running a child trafficking ring from their hospital, caught as they tried to sell a four-month-old. Police are also investigating whether the doctors are running their hospital legally and whether they have actual medical degrees.
- T-System will exhibit at the FHIMA Annual Meeting July 18-21 in Orlando.
- Stella Technology is sponsoring and exhibiting at the Redwood Mednet conference in Santa Rosa, CA this week.
- Datanami.com profiles TransUnion’s management and use of big data.
- Valence Health will host its value-based industry conference, Further 2016, September 14-16 in Chicago.
- Swedish Medical Group Clinics Optimize Care Delivery with Versus Advantages Clinic (Versus Technology)
- EHRs, Interoperability, and Workflow (TeleTracking)
- OCR is doing a good thing by making us “Eat our Vegetables” (Iatric Systems)
- Hurricane Warning: Is Your Business Ready? (Tierpoint)
- Taking Action on Maternity Care Viability (Verisk Health)
- First-class calling. (Voalte)
- Report from AHIP16 – The Expanding Role of Pharmacy in Patient Care (First Databank)