Joe Hage
🔥 Find me at MedicalDevicesGroup.net 🔥
February 2015
Which MedDev Company Will Implode First?
3 min reading time

Any bets on which group member will “pull an Anthem?”

Anthem Blue Cross, America’s second-biggest health insurer, did not encrypt the 80-million customer and patient records now in the hands of hackers.

Encryption would have rendered the stolen data useless.

The Wall Street Journal understates the damage and impact:

“Anthem didn’t encrypt the data taken in the theft as a short-term cost savings measure, that will likely cost them dearly in the long run.”

Your security is only as strong as your weakest link. In this case, the hackers tricked five Anthem employees into downloading malicious software, thereby revealing their passwords.

Marc Goodman, author of http://medgroup.biz/Future-Crimes, February’s #1 recommended nonfiction book in Apple’s iBook store, said, “Here are three ways Anthem’s cautionary tale is immediately relevant to medical device players:

First, a data breach (where customer, financial, or health information is leaked) is enough to seriously compromise a company’s long-term viability.

Second, devices can be compromised – for example, hacker devices like the Bluetooth cannon can subvert diabetic pumps and dump too much insulin into a patient’s body.

Third, most wearables sync with a user’s mobile phone, via either Bluetooth or Wi-Fi connectivity. When they do, personal health information joins the Internet of Things, and can be hacked just like other IoT objects.

52 percent of fitness apps have no available privacy policies. How is that data being secured? How can it be shared with third parties? What are the liabilities and risks?”

Marc added, “Joe, some readers may consider your post alarmist, but if they saw what I’ve seen, they might revisit their data security policies and techniques right away. It’s not a matter of ‘if’ a medical device company will implode over data, it’s a matter of ‘when.’”

So what do you think, Group?

Alarmist or a needed wake-up call?

++++++++++

REMEMBER SONY?

That was just seven weeks ago.

Target? Home Depot?

I wonder if some of us think we’re safe because we’re small and Anthem, Sony, Target, and Home Depot are huge (and worthwhile?) targets.

Medical device cybersecurity is a major initiative at CDRH/FDA.

See http://medgroup.biz/CDRH-security. We invited FDA to cover this topic at the 10x Medical Device Conference in May.

++++++++++

DISCUSSIONS

Will Sony finally scare you into action?

Siemens, Pfizer, Hospira, and You (89 comments)

Is it Time for the Management Review Already?

How is 3D printing impacting the design and manufacture of medical devices?

Have you received a FOIA request for de novo reclassification order and/or decision summaries? How long did it take?

++++++++++

Make it a great week.

Joe Hage
Medical Devices Group Leader


Lisa Weeks
Content Marketing Professional ✺ Driving Lead Generation Through Strategic Content Marketing
Joe, Imagine my surprise when, only three days after we discussed the need for device companies to pay more attention to cyber security in 2015, I received an email from my insurance provider (you guessed it, Anthem) alerting me to the data breach. You were spot on with this prediction! Needless to say, cyber security will be making it into my white paper as a top 5 trend.

Karl Schulmeisters
Principal and Founder at ExStreamVR
Ruben’s points about the value of healthcare data are well made. It is precisely why the more optimistic/hype-based assertions about the significance of Stanford’s use of Apple’s HealthKit and the advent of the iWatch and other mHealth wearables are not realistic.

In building out the content for our http://ClearRoadmap.com mHealth guidance solution I got to dive into some of the standards that apply here. It’s not true that

>>Expecting every company to take the time to develop a rocksolid secure system, is probably doomed to failure.<<

21 CFR 11, HIPAA and other regulations do require that companies pay close attention to such security. Perversely, it is the competitiveness of the marketplace that undermines this. The competitiveness often drives companies to ship products before they have been fully tested – this is particularly true of startups, which means more opportunities for “’sploits” (security vulnerabilities). But the real issue is not so much new systems as it is integration with older systems (which is why a modular backbone-based system is probably not a good idea). A great example is the now somewhat infamous “Heartbleed Bug” (http://heartbleed.com/) in the open source SSL libraries. For non-techies, this is the code that implements the encryption that is part of HTTPS connections. And this bug has been in the code since the late 1980s.

So this is code that has been looked at by very many folks, used by millions and still roughly 1% of all software systems on the internet have not fixed the bug. One reason in some cases is that the ability to recompile and redeploy the existing solution is not possible: the tools no longer are 100% available, the developers are gone or it was integrated into your system via a component from a company that is no longer in business.

This argues strongly for a return to the somewhat discredited SOA (Service Oriented Architecture) approach of building healthcare systems. To some extent Apple’s Healthkit and Microsoft’s HealthVault do take this approach. They are both “secure” services that your component applications can connect to. And similarly by building your components as services (though not the “legos plugging into a backbone” approach) that then are explicitly interconnected to other services you have validated as trustworthy – you enable the ability to swap out the components at minimal cost if they cease to be functional.

Rob Koch
Security and Privacy awareness, AVG/GDPR implementations, IT-Security advice, enthusiastic speaker
In order to increase the cyber-resilience of a company, you need to address three main pillars: People, Processes and Technique.

The “Technical” pillar is clear. This includes the technical security solutions (virus scanners, firewalls, Identity & Access Management, etc.) that are implemented in the network and on the workstations to prevent unwanted access to the systems from the “evil” outside.

The “People” pillar is also a very important one. Even if you have implemented the best technical solutions, if the employees are susceptible to social engineering methods (e.g. phishing emails) your company will remain vulnerable. Employees of organisations need to be aware of the threats and dangers of cybercrime. They need to be aware of the high value of the “crown jewels” and understand that they also bear a responsibility with regard to information security.

The “Processes” pillar is about to what extent the topic of security is embedded into the business processes. Put security on the agenda of the whole organisation. Talk about it during team meetings. Report security incidents to a central person. Senior management should make clear to the organisation that they are serious about information security.

The key point is that you need to address ALL three pillars in order to reduce risks. Hackers do not attack your network. They attack your people! Make them resilient. Security awareness is about changing the behaviour of people. Good security awareness training as part of a security awareness program will reduce the number of security incidents.

Best regards, Rob Koch

Yehuda Zicherman D.Sc.
Medical Device Supervisor
On top of the previous commenters, with whose perspective I agree, I would like to add another layer of rationale.
I am told by experts that complete security cannot be achieved, even when the top technology is acquired and updated.
Why? Because in a lot of cases, a security breach is based on an incidental human mistake that can merely be prevented. Yesterday I was at a demonstration where a top-level security system (superb anti-virus and firewall, no direct access to the web, access denied to USB connections, etc., etc.) was compromised within 60 seconds by taking advantage of the fact that only one employee in a big organization left his computer open while he prepared his cup of coffee.
The conclusion of the cyber experts who demonstrated this breach was that any system can be compromised. The question becomes: how to limit the unavoidable damage.
A monitoring capability that shortens the time until the breach is detected, and internal barriers within the organization’s IT system that help detect this breach before the core and the most delicate information is compromised, might be the “real life” answer. That could be valid for the Anthem case, too.

Karen Boyd
Owner / Operator at QMS Consulting LLC
Anthem ignored the cost of quality (in this case, security). Ignorance is not always bliss…

Joe Hage
🔥 Find me at MedicalDevicesGroup.net 🔥
Thank you, Ruben.

Here’s the link to that prior discussion:
Will allowing patients access to EHRs pose a security risk? | LinkedIn (http://ow.ly/IQkk9)

Karen Eason
Owner at BizSplice, LLC
EXCELLENT Ruben! It’s horrible when you can see the train coming but no one hears you scream. I have been in this situation many times. May I add that in order to get a job these days, you are required to put it all “out there”, and some companies give points for social media participation and favor those that are more active. If I were doing the hiring, I would realize that those who DO NOT post on Facebook are actually the experts, because they are informed enough to know what is actually taking place.

Ruben Gomez
Area Manager – NOLA/SOLA at TRUMPF Medizin Systeme GmbH + Co. KG.
Dear all;

About 5 months ago there was a good discussion here titled “Will allowing patients access to EHRs pose a security risk?”, and after those high level discussions, all the different opinions, we saw the domino effect of these corporations in the “hacking block”, where these cyber-punks were successful in gaining control of their data for the misuse of their cyber-punk-peers.

Now (unfortunately for the 80+ million that trusted their most intimate data to Anthem) the hacking block chopped ever so closely to that discussion (should I rub it in with an “I told you so”?), showing once more that if these large mammals are falling prey to these minute organisms, imagine how any sane human would pretend to take care of the security of their own health data, let alone create another “entity” in which to store, manage, view and edit the data. One entity that needs to come from the ground up solely based on “better than bank or NYSE” grade security (notice I left the DoD and NSA out), then think how the service will be deployed.

By the way, a health data set is more lucrative than stealing a little credit card or SSN/BD/Address combo. More lucrative, you ask? The answer is yes! Because now, instead of making a little charge for porn here and a little charge for 4 tires there, the cyber-punks and their peers can bill and get paid in larger sums, where they will float and get paid way before someone figures it out.

Wake up all, everyone holding large amounts of profitable data will be and is, as we speak, under attack. Do not wake up, do not heed the word “security” and what it implies in your daily cyber-connected life, do not create a long complicated password for each of your online accounts, continue using the same password for all your online accounts, do not use backups, click on every ad or attachment you see, do not even think to read/learn/act about what encryption is, continue feeding your immature narcissism posting your life for everyone to see and read, so everyone (friend and/or foe) know where you are, where you are going, when you will be back, how many bathroom stops you made along the way, continue shedding little by little small pieces of information that will enable someone out there with ill intent to attack you directly, and continue feeding the ones that exploit Social Engineering, the classical method used to gain entry to Anthem’s servers, as Joe said: “the weakest links”, to which I add: times 5.

Social Engineering is only a small part of that dark business; there are countless other ways these cyber-punks can gain entry to a large system (imagine how easy it would be to hack yours), which is the reason why those holding my data, your data, everyone’s data, need to be held accountable for more than what Anthem will suffer. Simple free credit monitoring and alerts for a year is not enough to stop a breach of my data. If you all do not demand more accountability and satisfaction then we all will be served with a lollipop after being told “oopppss!, we did it again, this time even your Fruit-of-the-Looms were exposed to a breach, but anyway, what flavor do you wish your lollipop to be?”

This is and will continue to be a very expensive mistake for all those companies and every single individual affected by these attacks; many will continue to fall. The question is: what is every single one of you doing now, today, to protect your own data and control your access and privileges to the systems you most access? As long as the weakest links are not hardened, these attacks will continue and will get bigger. Do not say “it will not happen to me”, as I might have to title you as delusional, not an alarmist.

Now, I will go back to work because someone has to, have a great one.

Nahum Kovalski
Medical Futurist at MTC – Medical Technology Consulting
Whenever an EMR company begins development of a feature, it is most likely consciously ignoring previous developments in the same area. When one EMR develops their version of a prescription writer, they tend not to copy the code from other sources [unless they are implementing an open source solution]. Expecting every company to take the time to develop a rock-solid secure system is probably doomed to failure. There is no question that competition yields a best-of-brand product. But certain things should be reusable to eliminate wasted time on reinventing the wheel.

In a recent blog post, I spoke about treating EMRs as Lego projects. A central medical authority could decide on all of the components that belong in an EMR, and then open up the system to module developers. These module developers could develop anywhere from one to hundreds of modules that would be plugged into the EMR backbone. Competition would exist at the level of the modules.

Basic features like storing and retrieving personal patient information could be part of the backbone, and be implemented with all of the necessary security. All EMR module developers would use this backbone API for security sensitive activities. For example, if you wish to transfer a chart to another EMR, a backbone utility would handle the anonymization and securing of the data before transfer. Of course, companies could compete over the development of these backbone facilities. The point is that there would tend to be much less duplication of work. Also, the basics like security would be included as part of the basic package of the EMR backbone.

I personally think that designing monolithic systems that are so huge that they are hard to control, has proven itself to be far too problematic. It also denies users the opportunity to use best of breed options for each component of an EMR. Perhaps one company has a top-of-the-line OB/GYN module and another company has a top-of-the-line ER module. EMR designers would no longer have to choose a single system that might or might not excel in both of these areas.

Michael Kotowski
Seeking New Opportunity! Strategy/Innovation/EmergingTech-AI|Blockchain|Cloud|CyberSecurity|Digital|IoT|RPA|3D Print
Great topic and timing – although to many of the points above, the time to think Security should have been before opening up all of these avenues for unwanted hacks and access. That said, it’s not too late, so sounding the alarms as a call to action is critical.

There’s no doubt that EMR would add value. The risks and exposure need to be addressed before this can truly happen. In the IoT world, and with all of the insecure BYOD devices out there, there’s huge exposure right now.

I’m looking forward to grabbing that bull by the horns and shutting down those not authorized to the extent that’s possible. It can be done.

Andrew Kyle
Medical Device Expert; BOD, Startups; Cannabis Devices
The rush to hit a deadline for EMR seems to me to be counterproductive if the end result is a hacker’s dream. I think I would value my privacy more than having my health records available across the “globe”. What is the case for privacy and the right to be “forgotten” in this discussion? This is OUR information – and we should have the right to “opt out” once we have left a medical facility.

Karen Eason
Owner at BizSplice, LLC
Yes Hamza, they do indeed! The solutions presented will eventually solve a lot of problems with proper blood sugar management as it relates to “real world” living with diabetes versus what the text books and often clueless medical establishment purports it to be. If you know of anyone interested in donating their time, please let me know and I will make an introduction 😉 The more the merrier!

Hamza Sajjad
MBA | Healthcare | Marketing | Competitive Strategy
Karen, I definitely see how that would be a concern. The second we make a shift towards taking data online, we are moving towards a space of less safety, privacy, and control. Of course this space comes with enormous benefits as well, and I too see the need for open source projects for certain markets, taking advantage of the creativity of everyone, as opposed to brushing off third party ideas. Also, I was not aware of Tidepool, but it looks like they have some very interesting projects underway!

Vince Navarre
Diabetes Business Specialist at Boehringer Ingelheim
Thanks for the heads up. No need to panic, but as with anything, being vigilant and aware regarding your personal interests, especially your health, is prudent. Considering a backup plan is important in all categories of personal safety. Complete dependency on technology can make a person vulnerable. A simple illustration of this is calculators… How many of us are great with multiplying in our heads anymore? I used to be… I feel the industry will do what it can to protect its financial interests. What’s your plan B?

Karen Eason
Owner at BizSplice, LLC
I won’t disagree, Hamza; however, for the diabetes space, the future will be in transferring all medical device data via Bluetooth to a cloud, and I can’t help but wonder how secure this is going to be, regardless of the measures taken. It seems for every measure taken, there is a loophole to be exploited. For my industry the answer will definitely not be in protected projects with intellectual property concerns, but rather via rapidly expanding open source projects, as they are the only platforms worthy of demanding large-scale patient adoption. Projects like Tidepooldotorg, if able to be funded correctly, will provide the solutions persons with diabetes are actually seeking.

Hamza Sajjad
MBA | Healthcare | Marketing | Competitive Strategy
The FDA has recently released guidelines on medical device cybersecurity, and I really don’t see companies investing heavily in cybersecurity for implantable devices such as pacemakers and infusion pumps. I do, however, believe that we will see a whole lot of third party IT companies come in and take the medical device industry by storm, building the most complex security systems into each player in this market, as a leak of intellectual property, let alone patient information, could severely damage a company in this rapidly developing space.

Jan Robran
Business Development at AcceleVentures, Inc.
All I know is, if government regulators are going to run internet or cyber anything, beware.. we are doomed….
They have proven this administration uses every department to serve its own desires, well below anyone trusting privacy to be honored.

Chris Clark
Head of Informatics | North America
Very scary indeed… Cutting corners in today’s IT world is a short-cut to disaster.

Sabrina De Marzi
Director, Marketing & Digital Client Services at Falcon Retail – A Division of Solution Associates Inc.
It is very scary to think how quickly something you think is so innovative and convenient for your lifestyle can turn out to be a bad investment. I agree with Karen: the severe pitfalls of these products are the results of poor judgment calls on behalf of the corporations and the lack of processes and procedures for mitigating risks, for the short windfall of greed.

Posted by Joe Hage
Asked on February 10, 2015 1:33 am