Posts Tagged: HHS


7
Nov 19

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks

Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security — or the lack thereof — may be impacting patient outcomes.

Researchers at Vanderbilt University‘s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

Leo Scanlon, former deputy chief information security officer at the HHS, said the findings in this report practically beg for a similar study to be done in the United Kingdom, whose healthcare system was particularly disrupted by the Wannacry virus, a global contagion in May 2017 that spread through a Microsoft Windows vulnerability prevalent in older healthcare systems.

“The exploitation of cybersecurity vulnerabilities is killing people,” Scanlon told KrebsOnSecurity. “There is a lot of possible research that might be unleashed by this study. I believe that nothing less than a congressional investigation will give the subject the attention it deserves.”

A post-mortem on the impact of WannaCry found the outbreak cost U.K. hospitals almost $100 million pounds and caused significant disruption to patient care, such as the cancellation of some 19,000 appointments — including operations — and the disruption of IT systems for at least a third of all U.K. National Health Service (NHS) hospitals and eight percent of general practitioners. In several cases, hospitals in the U.K. were forced to divert emergency room visitors to other hospitals.

But what isn’t yet known is how Wannacry affected mortality rates among heart attack and stroke patients whose ambulances were diverted to other hospitals because of IT system outages related to the malware. Or how many hospitals and practices experienced delays in getting test results back needed to make critical healthcare decisions.

Scanlon said although he’s asked around quite a bit over the years to see if any researchers have taken up the challenge of finding out, and that so far he hasn’t found anyone doing that analysis.

“A colleague who is familiar with large scale healthcare data sets told me that unless you are associated with a research institution, it would be almost impossible to pry that kind of data out of the institutions that have it,” Scanlon said. “The problem is this data is hard to come by — nobody likes to admit that death can be attributable to a non-natural cause like this — and is otherwise considered sensitive at a very high and proprietary level by the institutions that have the facts.”

A study published in the April 2017 edition of The New England Journal of Medicine would seem to suggest applying the approach used by the Vanderbilt researchers to measuring patient outcomes at U.K. hospitals in the wake of Wannacry might be worth carrying out.

In the NEJM study, morbidity and mortality data was used to show that there is a measurable impact when ambulances and emergency response teams are removed from normal service and redirected to standby during public events like marathons and other potential targets of terrorism.

The study found that “medicare beneficiaries who were admitted to marathon-affected hospitals with acute myocardial infarction or cardiac arrest on marathon dates had longer ambulance transport times before noon (4.4 minutes longer) and higher 30-day mortality than beneficiaries who were hospitalized on nonmarathon dates.” Continue reading →


6
Jun 18

Further Down the Trello Rabbit Hole

Last month’s story about organizations exposing passwords and other sensitive data via collaborative online spaces at Trello.com only scratched the surface of the problem. A deeper dive suggests a large number of government agencies, marketing firms, healthcare organizations and IT support companies are publishing credentials via public Trello boards that quickly get indexed by the major search engines.

By default, Trello boards for both enterprise and personal use are set to either private (requires a password to view the content) or team-visible only (approved members of the collaboration team can view).

But individual users may be able to manually share personal boards that include personal or proprietary employer data, information that gets cataloged by Internet search engines and available to anyone with a Web browser.

David Shear is an analyst at Flashpoint, a New York City based threat intelligence company. Shear spent several weeks last month exploring the depths of sensitive data exposed on Trello. Amid his digging, Shear documented hundreds of public Trello boards that were exposing passwords and other sensitive information. KrebsOnSecurity worked with Shear to document and report these boards to Trello.

Shear said he’s amazed at the number of companies selling IT support services that are using Trello not only to store their own passwords, but even credentials to manage customer assets online.

“There’s a bunch of different IT shops using it to troubleshoot client requests, and to do updates to infrastructure,” Shear said. “We also found a Web development team that’s done a lot of work for various dental offices. You could see who all their clients were and see credentials for clients to log into their own sites. These are IT companies doing this. And they tracked it all via [public] Trello pages.”

One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.

Credentials shared on Trello by an employee of Seceon, a cybersecurity firm.

Shear also found that a senior software engineer working for Red Hat Linux in October 2017 posted administrative credentials to two different servers apparently used to test new builds.

Credentials posted by a senior software engineer at Red Hat.

The Maricopa County Department of Public Health (MCDPH) in Arizona used public Trello boards to document a host of internal resources that are typically found behind corporate intranets, such as this board that aggregated information for new hires (including information about how to navigate the MCDPH’s payroll system):

The (now defunct) Trello page for the Maricopa County Department of Public Health.

Even federal health regulators have made privacy missteps with Trello. Shear’s sleuthing uncovered a public Trello page maintained by HealthIT.gov — the official Web site of the National Coordinator for Health Information Technology, a component of the U.S. Department of Health and Human Services (HHS) — that was leaking credentials.

There appear to be a great many marketers and realtors who are using public Trello boards as their personal password notepads. One of my favorites is a Trello page maintained by a “virtual assistant” who specializes in helping realtors find new clients and sales leads. Apparently, this person re-used her Trello account password somewhere else (and/or perhaps re-used it from a list of passwords available on her Trello page), and as a result someone added a “You hacked” card to the assistant’s Trello board, urging her to change the password.

One realtor from Austin, Texas who posted numerous passwords to her public Trello board apparently had her Twitter profile hijacked and defaced with a photo featuring a giant Nazi flag and assorted Nazi memorabilia. It’s not clear how the hijacker obtained her password, but it appears to have been on Trello for some time.

Other entities that inadvertently shared passwords for private resources via public Trello boards included a Chinese aviation authority; the International AIDS Society; and the global technology consulting and research firm Analysis Mason, which also exposed its Twitter account credentials on Trello until very recently. Continue reading →