Leveraging Technology and Data for COVID-19 Vaccine Distribution

Kevin Grauman, President and CEO, QLess

After months of uncertainty, hope is finally on the horizon as three viable COVID-19 vaccine candidates are moving closer towards approvals for public distribution. Getting to this stage was extremely labor-intensive, but unfortunately, it’s not the end of the hardships. The coronavirus vaccine will represent the largest vaccine distribution in U.S. history, and manufacturing and distributing the vaccines will have its own fair share of difficulties for healthcare systems. In order to optimize the distribution of vaccines, healthcare providers will need to employ technology and data collection to stay organized. Unfortunately, vaccine approvals are quickly looming, meaning that the necessary technology infrastructure needs to be implemented soon. Healthcare facilities need to understand what solutions can be deployed to facilitate a safe and efficient distribution plan — and how to implement them before it’s too late. 

Vaccine Organization and Distribution

With three potential vaccines, each with a different dosing schedule and side-effect profile, managing distribution will be a complicated effort. Patients will need to be matched to the appropriate vaccine, with consideration paid to their medical history. Once a patient is matched to a vaccine, healthcare providers need to track side effects and, for the Pfizer and Moderna products, when the patient is due for the second dose. This requires significant data collection, and every new registry, integration and device that holds that data widens the attack surface. Data breaches have increased by 171 percent this year due to the pandemic, meaning that cybersecurity and secure data storage need to be at the forefront of any healthcare IT strategy.

The CDC is working to implement a data use agreement to determine which information needs to be reported to various levels of government. This will include information on patient matching, which can help determine how much of each vaccine is being used, the remaining supply and what will need to be ordered. Once these guidelines are in place, healthcare facilities will need to start planning and implementing their cybersecurity strategy. Information sharing will be important over the next few months as the vaccines roll out, but this needs to be balanced with access management to reduce the risk of breaches. Ensure that all members of the team, as well as anyone else who has access to important personal data, understand the risks, as well as the protocols that are in place.

Once vaccines are administered, governments will need to monitor closely both patients and those who choose not to receive a vaccine. Shots are voluntary, which means that parts of the population may refuse to get vaccinated. Many governments and businesses are already discussing the implications of that, including restricting access to things like travel and communal spaces. This means that further data will need to be collected and shared to establish who is and is not vaccinated. In the U.K., there has been discussion of an app, similar to the contact tracing app, that discloses a person's vaccination status. Canada has discussed an immunity and vaccination passport. It remains to be seen what route the U.S. government will choose, but any of these technologies brings clear implications for data collection, retention and access.

Technology Implementation 

Vaccine distribution will also cause problems for healthcare providers due to the sheer volume of patients needing access to services. Currently, hospitals are overwhelmed with COVID-19 patients. It is also flu season, meaning that flu vaccine appointments are rising. In order to provide safe distribution of the flu vaccine, many governments have implemented an appointment-only system where all patients have to pre-register to receive their dose. Similar systems will be crucial for the distribution of COVID-19 vaccinations in order to support the observance of physical distancing requirements. With clinics and healthcare facilities already strained, adding more patients that require vaccinations could cause many issues. Appointments need to be closely managed to ensure that healthcare facilities will still be able to operate safely. Healthcare providers will also need to monitor the number of patients during each distribution phase to ensure that they can handle everyone who needs a vaccine. 

Vaccine distribution could begin any day, which means that the technology infrastructure to support the initiative needs to be implemented immediately. This doesn’t leave much time to create new solutions, so healthcare facilities will need to work with existing technology providers to create a secure infrastructure that supports distribution. When selecting a technology provider, careful consideration needs to be paid to both the services it provides and the security protocol that it has in place. Choose trusted vendors that have experience in the healthcare industry. With all healthcare providers going through the same experience, information sharing will also be important. Discuss with other healthcare IT departments what solutions and providers they are considering for vaccine distribution. 

Preparing for Distribution

There is no doubt that this vaccine distribution plan will be unlike anything the U.S. has ever experienced. With distribution broken down into phases to determine the priority of who receives the vaccines, healthcare providers will be forced to contend with sick patients at the same time that they are distributing vaccines. This will require extra effort to keep everyone safe and healthy. With the vaccines set to begin distribution at any moment, healthcare providers need to act quickly to ensure that the necessary technology and data collection infrastructure is in place to facilitate a safe and efficient distribution.


About Kevin Grauman
Kevin Grauman is the President and CEO of QLess, a line management system used by retail, education and government industries. He is no stranger to the world of startups, with a proven track record as a successful U.S.-based executive leader and entrepreneur. Kevin has been recognized as one of the “100 Superstars of HR Outsourcing in the USA” by HRO Today Magazine.


To Beat COVID-19, We Need A Modern Approach to Public Health Data

Ed Simcox, Chief Strategy Officer at LifeOmic

The COVID-19 pandemic, which has taken 270,000 American lives to date, has shined a light on another crisis — the U.S. currently has no standardized system for reporting public health data. Health departments all over the country resort to using paper, fax, phone, and email to transmit and receive critical information, and essential healthcare workers are spending precious time retyping data into systems from printed reports and PDFs.

At the heart of this lack of a centralized infrastructure for reporting public health data is the 10th Amendment of the U.S. Constitution, which says, “The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” Because of this amendment, the federal government — including the CDC — is not able to mandate that states, providers, or public health entities use a centralized reporting mechanism for managing all public health data. Further, the 10th Amendment also allows states to set up their own IT systems independently of other states and the federal government. The CDC then has to beg for data that sits in bespoke, disparate information systems in each state and territory.

Congress has tried three times in the last fourteen years to fix the issue. In 2006, it passed the Pandemic and All-Hazards Preparedness Act (PAHPA), which required the CDC to establish a near-real-time, electronic, nationwide public health data-sharing capability. Four years later, in 2010, the U.S. Government Accountability Office (GAO) reported that not even the most basic planning steps had been taken to establish the network. 

Then in 2013, Congress passed the Pandemic and All Hazards Preparedness Reauthorization Act (PAHPRA), which unsuccessfully called for a near real-time interoperable public health data exchange network. Finally, just months before the current pandemic, Congress passed the Pandemic and All-Hazards Preparedness and Advancing Innovation Act (PAHPAI), and our need for such a system is now greater than ever.

An Interoperable Public Health Data System

The U.S. Department of Health and Human Services (HHS) needs to lead the creation of a modern public health data approach on behalf of all public health agencies throughout the country, including the CDC. HHS was given $1 billion for public health data infrastructure modernization in the recently passed CARES Act.

A modern approach to public health data would cost a fraction of that and must consist of three things: the creation of a gateway to link and securely move data between public health entities, the adoption of and adherence to widely accepted health data standards, and the creation of a cloud-based data hub for transparent analysis and reporting of data.

Creation of a Data Gateway

Data must be complete, timely, and accurate. A single federal data gateway would allow for the secure, two-way flow of data between all of the components of the public health ecosystem. The idea is not to create new, custom systems as we have done in the past, but to create a single gateway system at the federal level that stitches all existing data systems together using modern application programming interfaces (APIs). Such a system would allow data to flow promptly between jurisdictions and up to the CDC so that we can collectively inform public health decision-making and public policy. Because the gateway is the one place every feed passes through, it is also the natural place to authenticate each sending system and to validate records before they are accepted. 

We should leverage recently adopted interoperability standards to connect data from existing Electronic Health Records (EHR) and insurance claims systems wherever possible to avoid duplicate entry of data by essential workers.

Adoption of a Standardized Data Model

We need to encourage state and local health organizations to use and promote a standardized approach to collecting data at the points of care, testing, and immunization. 

Fortunately, the public health data interoperability challenge can be solved by supporting the private sector’s move to a standardized data model for healthcare data. Congress spent billions of taxpayer dollars over the past several years incentivizing healthcare providers to adopt electronic health record systems and data interoperability standards, most recently as part of the 21st Century Cures Act, which just saw its regulations go into effect this year. Healthcare providers are busy preparing to accommodate the Cures Act’s updated standards and requirements. The federal government should eat its own dog food by adhering to the same standards when creating the new gateway.

The two main standards to pay attention to are Fast Healthcare Interoperability Resources (FHIR) and the United States Core Data for Interoperability (USCDI). Major IT and EHR companies like Google, Amazon, Microsoft, IBM, Oracle, Salesforce, and Cerner have pledged to support these standards meaning they can immediately begin supporting a new gateway and helping America’s public health system quickly modernize. 
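As an added example of what "adhering to the same standards at the gateway" means in practice (this is illustrative code, not code from the article or from any HHS system), the following normalizes a flat record from a hypothetical legacy state registry into a FHIR R4 Immunization resource carrying the fields USCDI expects, and validates each resource before it is forwarded. The flat record layout and the sample rows are constructed; the CVX code values in the sample are placeholders in CVX's numeric format and should be checked against CDC's CVX table.

```python
# Added example: gateway-side normalization and validation of immunization records.
# Not code from the article. The flat registry layout (patient_id, cvx, admin_date,
# lot, dose_number) is an assumption made for illustration.
import re
from datetime import datetime

CVX_SYSTEM = "http://hl7.org/fhir/sid/cvx"      # FHIR system URI for CDC's CVX vaccine codes
FHIR_ID = re.compile(r"^[A-Za-z0-9.\-]{1,64}$")  # FHIR's id grammar
IMMUNIZATION_STATUS = {"completed", "entered-in-error", "not-done"}  # FHIR R4 value set


def to_fhir_immunization(row):
    """Map one flat registry row (all strings) to a FHIR R4 Immunization resource."""
    return {
        "resourceType": "Immunization",
        "status": "completed",
        "vaccineCode": {"coding": [{"system": CVX_SYSTEM, "code": row["cvx"].strip()}]},
        "patient": {"reference": "Patient/" + row["patient_id"].strip()},
        "occurrenceDateTime": row["admin_date"].strip(),
        "lotNumber": row["lot"].strip(),
        "protocolApplied": [{"doseNumberPositiveInt": int(row["dose_number"])}],
    }


def _is_iso_date(s):
    try:
        datetime.strptime(s, "%Y-%m-%d")
        return True
    except ValueError:
        return False


def validate_immunization(res):
    """Return a list of problems; an empty list means the resource may be forwarded."""
    problems = []
    if res.get("resourceType") != "Immunization":
        return ["resourceType must be Immunization"]
    if res.get("status") not in IMMUNIZATION_STATUS:
        problems.append("status is not a valid Immunization status")
    codings = res.get("vaccineCode", {}).get("coding", [])
    if not any(c.get("system") == CVX_SYSTEM and re.fullmatch(r"\d{1,4}", str(c.get("code", "")))
               for c in codings):
        problems.append("vaccineCode must carry a numeric CVX code")
    ref = res.get("patient", {}).get("reference", "")
    if not (ref.startswith("Patient/") and FHIR_ID.match(ref[len("Patient/"):])):
        problems.append("patient reference is malformed")
    if not _is_iso_date(res.get("occurrenceDateTime", "")):
        problems.append("occurrenceDateTime must be an ISO date (YYYY-MM-DD)")
    if not re.fullmatch(r"[A-Za-z0-9\-]{1,50}", res.get("lotNumber", "")):
        problems.append("lotNumber is missing or malformed")
    doses = res.get("protocolApplied", [])
    dose = doses[0].get("doseNumberPositiveInt") if doses else None
    if not isinstance(dose, int) or dose < 1:
        problems.append("doseNumberPositiveInt must be an integer >= 1")
    return problems


def normalize_batch(rows):
    """Split a batch into resources ready to forward and rejected rows with their reasons."""
    accepted, rejected = [], []
    for row in rows:
        try:
            res = to_fhir_immunization(row)
        except (KeyError, ValueError) as exc:   # missing column or non-numeric dose number
            rejected.append((row, ["cannot map row: %r" % exc]))
            continue
        problems = validate_immunization(res)
        if problems:
            rejected.append((row, problems))
        else:
            accepted.append(res)
    return accepted, rejected


# Constructed registry export for illustration; not real patient data.
SAMPLE_ROWS = [
    {"patient_id": "p-42", "cvx": "207", "admin_date": "2020-12-21", "lot": "LOT-A1", "dose_number": "1"},
    {"patient_id": "p-43", "cvx": "",    "admin_date": "12/21/2020", "lot": "LOT A2", "dose_number": "1"},
    {"patient_id": "p-44", "cvx": "208", "admin_date": "2020-12-22", "lot": "LOT-B7", "dose_number": "two"},
]

if __name__ == "__main__":
    ok, bad = normalize_batch(SAMPLE_ROWS)
    print(len(ok), "accepted;", len(bad), "rejected")
    for row, why in bad:
        print(row["patient_id"], why)
```

Rejecting a row at the gateway with a reason the sender can act on is what keeps essential workers from retyping PDFs: the fix happens once, at the source system, instead of in every downstream spreadsheet.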

A Cloud-Based Data Hub

Once the data is available, flowing, and standardized, we need a national, cloud-based data hub to begin gaining insights from COVID infection rates, vaccinations, and many other key indicators important to recovering from the pandemic.

Led by HHS with support from OMB and the White House, this new system could be set up within months. There are well-known tools and virtual computing environments that could be put to use right away. A modern data hub would benefit not only the federal government but also the research community and academia, as these organizations play very important roles in helping us further understand and respond to the pandemic.

Most importantly, such a hub would provide transparency and accountability, giving confidence in the data being reported by providing independent reproducibility of conclusions from data analysis.


About Ed Simcox

Ed Simcox is the chief strategy officer of LifeOmic, the creator of LIFE mobile apps, JupiterOne cloud compliance and security operations software, and the Precision Health Cloud platform in use at major medical and cancer centers. Prior to joining LifeOmic, Ed served as the Chief Technology Officer (CTO) at the U.S. Department of Health and Human Services (HHS), the largest civilian government agency in the world. He led efforts at HHS to effectively leverage data, technology, and innovation to improve the lives of the American people and the performance of the Department's 29 agencies and offices. While CTO, he also served as Acting Chief Information Officer at HHS, where he oversaw the Department's IT modernization efforts, IT operations, and cybersecurity.


IoMT Is Improving Patient Access: We Must Avoid Creating New Barriers

The Internet of Medical Things (IoMT) is changing the face of healthcare and has the potential to significantly improve patient access as well as system efficiencies. The adoption of telemedicine, for example, spurred on by the Covid-19 pandemic, has spread rapidly.  Forrester revised its forecasts to predict that virtual care visits in the United States will soar to more than one billion this year—including 900 million visits related to Covid-19 specifically. Likewise, in the United Kingdom, 40% of doctor’s appointments now consist of phone or video calls.

Even before the pandemic, the adoption of IoMT was already growing rapidly, with the market valued at US$44.5 billion in 2018 and predicted to reach US$254 billion in 2026. There are more than 500,000 medical devices on the market, helping to diagnose, monitor, and treat patients, and more and more of these can be, and are being, connected, not to mention innovations yet to enter the market. The connected medical devices segment specifically is expected to exceed $52 billion by 2022.

The COVID-19 Effect

The COVID-19 pandemic has changed the healthcare landscape more than any other single event in recent memory. The urgent and widespread need for care, coupled with the challenge of physical distancing, has accelerated the creation and adoption of new digital technologies as well as new processes to support their adoption and implementation across healthcare. The MedTech industry is emerging as a key apparatus to combat the virus and provide urgent support.

A simple example demonstrating the potential benefits of IoMT can be seen even within a hospital setting, where monitoring COVID-19 patients is costly in terms of time and PPE (personal protective equipment) consumption, since simply walking into a patient’s room becomes a complex process. IoMT technologies enable medical devices to send data to medical practitioners who can monitor a patient’s condition without having to take readings at the bedside. The same technologies can enable patients who do not require hospitalization to be safely monitored while remaining at home or in a community setting. 

From the patients’ perspective, many are embracing virtual healthcare as an alternative to long waits or having to go to a clinic or hospital altogether. And given the growing number and scope of connected medical devices and services, such as remote patient monitoring, therapy, or even diagnosis, there will be even more options in the future.  

Catalyzed by the pandemic, the IoMT genie is fully out of the bottle, and it is unlikely to go back. 

Increasing Access

This is good news for healthcare and good news for patients and families. Patient access is improving as telehealth, supported by connected devices to enable the collection of health-related data remotely, is helping to lift barriers. This increase in accessibility has the potential to improve the convenience, timeliness, and even safety of access to healthcare services for more people in more places. 

IoMT is lifting geographic barriers that have impeded access to healthcare since its very inception. Individuals with transportation or mobility challenges will no longer need to travel to receive routine care if they can be safely monitored while at home. Historically underserved rural or remote communities can gain access to medical specialists without needing to fly or drive great distances, while services can be delivered more cost-effectively. 

Furthermore, with fewer clinic or hospital-based appointments required for routine monitoring of patients who are otherwise doing well, doctors would be able to concentrate their in-person time and clinic resources on those most in need of care. 

The capacity for specialized medicine enabled by IoMT could also have a dramatic impact. The vast quantities of health data becoming available (with the requisite permissions in place), can enable sophisticated AI-driven health applications that can, for example, predict complications before they occur, better understand the health needs of specific populations, or enable stronger patient engagement and self-care. These models can also equip healthcare practitioners with better sources of information, ultimately leading to better patient outcomes.

Navigating Barriers

That said, while technology capabilities expand, innovation must take into consideration the needs of all the stakeholders within healthcare – from patients and caregivers to healthcare practitioners to administrators and payors/funders. Internet access, infrastructure, and comfort with technology, for example, can pose significant barriers for patients and health practitioners alike. 

One approach is to minimize the technological burden facing end-users. Devices should be user friendly and "ready to go" right out of the box, taking into consideration the circumstances and abilities of the potential range of users (patients and practitioners alike). Relying on the patient's home Wi-Fi to provide connectivity is not ideal from either a usability or security perspective, not to mention availability and affordability. It is better for medical devices to have a cellular connection that can be immediately and securely connected to the network from any location, while also being remotely manageable to avoid burdening the user with network and setup requirements, or apps to download. Cellular connectivity removes the home network from the picture, but it does not remove the need for the device to carry its own identity and to encrypt end to end: the carrier network is a transport, not a trust boundary. 

Another barrier is the concern that both patients and healthcare providers have about security and data privacy risks. According to the 2016 edition of Philips’ Future Health Index, privacy/data security is second only to cost in the list of top barriers to the adoption of connected technology in healthcare across the countries surveyed.  

The Cybersecurity and Infrastructure Security Agency, FBI, and U.S. Department of Health and Human Services have warned of cybercrime threats against hospitals and healthcare providers. The WannaCry ransomware outbreak disrupted dozens of NHS trusts in England and Scotland, including connected medical equipment. The enthusiasm in rolling out new digital health solutions must not overlook security principles or create systems that rely on ad hoc patches.

One way of meeting the stringent security requirements of healthcare is to ensure that connected medical devices have security literally built into their hardware, following the most recent guidelines set out by the GSMA for IoT security, including the GSMA IoT SAFE specification. Under this globally applicable approach, the device's SIM (or eSIM) carries an applet that acts as a hardware root of trust: the device's private keys and credentials are generated and stored in the SIM's tamper-resistant element and used there for TLS authentication, so they are never exposed to the device's application software and cannot be copied off the device. This is what makes "only authorized communication" enforceable rather than aspirational, but it still has to be paired with a process for provisioning, rotating and revoking those credentials over the device's lifetime.

Similarly, new medical devices and software that are difficult to implement or cannot communicate with other systems such as electronic health/medical records risk being “orphaned” in the system or simply not used.  The latter is a matter of both developing the necessary integrations and ensuring the appropriate access and permissions are managed. More easily said than done, fully integrated systems take time, and some of the pieces may be added incrementally – the key is that the potential to do so is there from the beginning so future resources can be invested in enhancements rather than replacements. 

Early Collaboration is Key

Accessibility and usability must be designed right into IoMT solutions from the outset, and the best way of ensuring that is for developers and healthcare stakeholders to have plenty of interaction long before the product enters the market. Stakeholders are many and healthcare systems are complex, so innovators can look to startup accelerators and other thought leaders to help navigate the territory. The time and effort spent by innovators and healthcare stakeholders in collaborating is a sound investment in the future, ensuring that technology is designed and then applied in meaningful and equitable ways to address the most pressing issues. 

The telehealth genie, powered by IoMT, is indeed out of the bottle and is set to revolutionize healthcare. By ensuring that IoMT technologies are developed and implemented with security, accessibility, and ease of use for all stakeholders as priorities, we can make sure that the full benefits of this new dawn can be enjoyed by all. 


Heidi Sveistrup, Ph.D. Bio

As the current CEO of the Bruyère Research Institute and VP, Research and Academic Affairs at Bruyère Continuing Care, Heidi Sveistrup, Ph.D. is focusing on increasing the research and innovation supporting pivotal transitions in care; meaningful, enjoyable and doable ways to support people to live where they choose; and creating opportunities to discover and create new approaches to identify, diagnose, treat and support brain health with individuals with memory loss. Fostering new and supporting existing collaborations among researchers, policymakers, practitioners, civil society and industry continues to be a priority.


Elza Seregelyi Bio

Elza Seregelyi is the Director for the TELUS L-SPARK MedTech Accelerator program, which offers participants pre-commercial access to a secure telehealth platform. L-SPARK is currently working with its first cohort of MedTech companies. Elza has an engineering and entrepreneurship background with extensive experience driving collaborative initiatives.


Death by Ransomware: Poor Healthcare Cybersecurity

Babur Khan, Technical Marketing Engineer at A10 Networks

If hackers attack your organization and you’re in an industry such as financial services, engineering, or manufacturing your risks are mostly monetary. But when it comes to healthcare cybersecurity, not only is there significant financial jeopardy, people’s health and wellbeing are also at risk so the stakes are much, much higher.

According to the Department of Health and Human Services, healthcare data breaches increased by almost 50 percent between February and May 2020 compared with the same period in 2019. This is thought to be a result of the COVID-19 pandemic distracting the industry with the sweeping changes it required, putting extra pressure on already inadequate healthcare cybersecurity measures. 

Why Are Hackers Attacking Healthcare?

If there's one thing hackers like, it's a "soft" target, and large, complex organizations in industries that have been slow to adopt and then secure digital technologies are precisely that: soft targets. These organizations usually have broad and mostly poorly defended attack surfaces, which provide hackers with many routes in, through which they can not only exfiltrate data but also compromise services and hardware.

Healthcare, in general, is one of the most visible and softest targets. Successful hospital cyber-attacks usually cut off access to patient data and disrupt routine workflows such as scheduling patient medication, resource management, and other essential services. These hospital cyber-attacks can easily result in what healthcare euphemistically calls "bad outcomes," and those "bad outcomes" include injury and death.

How Does Healthcare Think About Cyber Risks?

A study by the security consulting firm Independent Security Evaluators concluded:

One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective … In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.

The report argues that protecting patient records has been most of the focus of healthcare cybersecurity planning, and organizations often view threat actors as being “unsophisticated adversaries” such as individual hackers and small hacker collaborations. ISE argues that this framework ignores the potential of far more sophisticated hospital cyber-attacks from political hacktivist groups, organized crime, terrorists, and nation-states who are all highly motivated and well-funded and “As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered.”

The Universal Health Service Hospital Cyber-attacks

In September 2020, Universal Health Services (UHS), a hospital and healthcare network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, found itself under attack by Ryuk ransomware, which is operated by a Russian-speaking criminal group. This wasn't the first hospital cyber-attack on UHS: the security firm Advanced Intelligence reported, from its Andariel intelligence platform, that trojan malware had infected UHS systems throughout 2020.

UHS has not officially confirmed the details of the attack, but reports by UHS employees indicate that it began with a successful phishing email. The attack disabled computers and phone systems and forced the hospitals to revert to paper-based systems to continue operations. Affected network hospitals also had to redirect ambulances and move surgical patients to other, unaffected facilities.

As is usually the case with large, complex organizations, cleaning up and restoring the systems was neither simple nor quick. A UHS press release on October 12, 2020, announced: "… we have had no indication that any patient or employee data was accessed, copied or misused." It also stated that operations were mostly back to normal after a total of 16 days. Given that downtime from an enterprise security breach can cost upwards of $1,000,000 per day, this attack will have dealt a serious blow to UHS' bottom line. Whether UHS paid the ransom is not known.

Cyber Attacks and Murder

When a cyberattack happens to any organization, there are always consequences, but when healthcare ransomware is involved there's a real risk of loss of life. In the case of UHS, there were unconfirmed rumors of four patients dying because doctors had to wait for lab results delivered by courier instead of electronically. While those, so far, appear to be just rumors, there is one widely reported case of a patient dying after a hospital ransomware attack.

The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in Citrix ADC (CVE-2019-19781) that had been public, with a fix available, since January; the hospital unfortunately had not yet applied it.

As a result of the attack, the hospital immediately announced that “The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made” and patients were routed to alternative medical facilities.

The demand note delivered by the hospital ransomware showed that the intended target was not in fact the University Hospital Düsseldorf but rather Heinrich Heine University. The German police contacted the hackers via the instructions in the ransom note dropped by the malware and explained the mistake after which the hackers withdrew their demand and provided the decryption key.

Unfortunately, one patient with a life-threatening illness was diverted to a distant hospital after UKD was deregistered as an emergency care facility. The additional hour's travel may have contributed to the patient's death. On September 18, 2020, German prosecutors launched an official negligent homicide investigation which, if a causal link were established, would make the patient's death the first known case of death by hacking.

Protect Critical Systems from Malware

The key to defending your systems from malware and phishing is monitoring and examining all network communications. Now that encryption is the norm for internet traffic, looking "inside" message streams means decrypting it at a controlled inspection point, which requires new approaches and technologies, and careful handling of the keys and of the clinical data that is briefly in the clear, so that embedded threats are caught and handled before they escalate into disasters. The two cases above also point to the two controls that would have changed their outcomes: timely patching of internet-facing systems, as at UKD, and phishing-resistant authentication for staff, as at UHS.


About Babur Nawaz Khan
Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks, a leading provider of secure application services and solutions. He primarily focuses on A10’s Enterprise Security and DDoS Protection solutions and holds a master’s degree in Computer Science from the University of Maryland, Baltimore County.


CIO: 3 Rules for Meeting ONC/CMS Interoperability, While Improving Cybersecurity

Healthcare data security has been a growing concern for CIOs for the last year or so, as hackers are increasingly targeting health information. Now, with a global pandemic forcing a shift to telemedicine and remote work, and new rules from the ONC and CMS introducing more regulatory burden, healthcare CIOs have more to manage than ever. Fortunately, it is possible to roll out new capabilities while simultaneously improving cybersecurity by following these three rules:

Rule 1: Think Like an Attacker

The coronavirus pandemic has forced healthcare providers everywhere to roll out new capabilities, processes, and workflows, such as telemedicine systems and new patient check-in procedures. These measures are being taken in addition to the necessary work being done to comply with the new mandates from ONC and CMS regarding patient data accessibility. Though these changes need to be implemented quickly, it’s important to follow cybersecurity best practices to avoid providing new openings for attackers. 

When a hacker sees new systems and processes being implemented, they are thinking about:

– What software is being introduced? Are there known vulnerabilities in it, or components that are frequently left unpatched?

– How are new endpoints being added and are they secure?

– Since the new ONC and CMS rules require publicly exposed FHIR APIs, how can those be attacked? Are there social engineering exploits that can provide a way around security?

– Are there ways to perpetrate identity fraud if a patient does not need to be physically present to receive healthcare?

This approach should lead to a cybersecurity plan that puts measures in place for each identified risk. By thinking like the adversary, it is possible to identify and lock down the possible attack vectors. 

Rule 2: Minimize the Attack Surface

Every way into an organization’s network needs to be secured, monitored, and maintained. The best way to make this process as efficient and fool-proof as possible is to minimize the number of ways into the network. 

This is especially difficult in light of the ONC and CMS rules, which require that clinical systems must share data through publicly available FHIR APIs. At first, this seems like a mandate to radically expand the organization’s attack surface. Indeed, this is precisely what happens if the straightforward approach of exposing every clinical system through public APIs is followed. 

A different approach, which provides the same capabilities and compliance with the rules, would be to route all API traffic through a central hub. Attaching all the clinical systems to a single point of API access provides a number of benefits:

– Most importantly, compliance is achieved while minimizing the new attack vectors.

– All traffic between clinical systems and the outside world can be monitored from a single place.

– The API hub can act as a façade that makes legacy systems compliant with the new rules, even if those systems lack native FHIR API capabilities.

The API hub need not be an expensive new component of the network architecture. Most healthcare organizations are already using a clinical integration engine to move HL7, XML, and DICOM traffic among their internal systems. The same technology can serve as an API hub. This is especially effective if a new instance of the integration engine is placed in an isolated part of the network without full access to other systems. 
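As an added illustration of the hub-as-façade pattern described above (example code written for this article, not Lyniate’s integration engine or any product’s API), the sketch below puts a single ingress in front of a legacy system that only speaks HL7 v2: it allowlists which FHIR resource types and interactions are exposed, converts the legacy PID segment to a FHIR Patient resource, and records every request in one audit trail. The legacy lookup, the record it returns, and the path layout are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# FHIR resource types and interactions the hub intentionally exposes; anything
# else is refused at the hub, so internal systems never see it.
ALLOWED = {"Patient": {"read"}}
PATH_RE = re.compile(r"^/fhir/(?P<rtype>[A-Za-z]+)(?:/(?P<rid>[A-Za-z0-9.-]{1,64}))?$")

# Central audit trail: one place to monitor all traffic between clinical
# systems and the outside world (a real hub would forward this to the SIEM).
AUDIT = []


def legacy_patient_lookup(patient_id):
    """Constructed stand-in for an internal system that only speaks HL7 v2."""
    records = {"123": "PID|1||123^^^HOSP^MR||DOE^JANE||19700101|F"}
    return records.get(patient_id)


def hl7_pid_to_fhir_patient(pid):
    """Facade translation: HL7 v2 PID segment -> minimal FHIR R4 Patient."""
    f = pid.split("|")
    family, given = (f[5].split("^") + [""])[:2]
    dob = f[7]
    return {
        "resourceType": "Patient",
        "id": f[3].split("^")[0],
        "name": [{"family": family, "given": [given]}],
        "birthDate": f"{dob[:4]}-{dob[4:6]}-{dob[6:8]}",
        "gender": {"F": "female", "M": "male"}.get(f[8], "unknown"),
    }


def handle(method, path, client):
    """Single choke point: validate the request, authorize it, route, audit.

    Returns (http_status, body) so callers and tests can check the decision.
    """
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "client": client,
             "method": method, "path": path}
    m = PATH_RE.match(path)
    if m is None:
        status, body = 404, {"error": "unknown path"}
    elif m["rtype"] not in ALLOWED:
        # Resource type is not part of the exposed surface: refuse at the hub.
        status, body = 403, {"error": "resource type not exposed"}
    else:
        interaction = "read" if m["rid"] else "search"
        if method != "GET" or interaction not in ALLOWED[m["rtype"]]:
            status, body = 405, {"error": "interaction not allowed"}
        else:
            record = legacy_patient_lookup(m["rid"])
            if record is None:
                status, body = 404, {"error": "not found"}
            else:
                status, body = 200, hl7_pid_to_fhir_patient(record)
    entry["status"] = status
    AUDIT.append(entry)
    return status, body


if __name__ == "__main__":
    for req in [("GET", "/fhir/Patient/123"), ("GET", "/fhir/Encounter/1"),
                ("DELETE", "/fhir/Patient/123"), ("GET", "/fhir/Patient/999")]:
        print(req, handle(*req, client="203.0.113.7"))
    print(AUDIT)
```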

Rule 3: Have an Expert Review the Defenses

Even for healthcare organizations with cybersecurity experts on staff, it can be worthwhile to bring in a cybersecurity consultant to cross-check new implementations. Novel threats are constantly shifting and emerging, making it nearly impossible for internal IT staff to keep up with the looming threats of ransomware hacks while also adequately carrying out the day-to-day responsibilities of their jobs. For that reason, it makes sense to bring in a professional who focuses exclusively on security. It is also often useful to have an independent review from someone who is looking at the implementation from an outsider’s perspective. Independent consultants can provide the necessary guidance, risk assessments, and other security support to set healthcare organizations up for success and help them operate more securely.

Expanding an organization’s IT capabilities often means more exposure to risk, especially when implementations are subject to time constraints. However, given the value and importance of the data that’s being generated, transmitted, and stored, it is imperative not to let cybersecurity fall out of focus. By following best practices around design, implementation, and testing, healthcare organizations can rise to meet the current challenges of the pandemic, address the mandates of the interoperability rules, and simultaneously improve data security measures.


About Scott Galbari, Chief Technology Officer

As Chief Technology Officer for Lyniate, Scott leads the development and delivery of all products and services. Scott has been in the healthcare IT domain for the past twenty years and has experience in developing and delivering imaging, workflow, nursing, interoperability, and patient flow solutions to customers in all geographies. He was most recently the General Manager for multiple businesses within McKesson and Change Healthcare and started his career as a software developer.

About Drew Ivan, Chief Product & Strategy Officer

Drew’s focus is on how to operationalize and productize integration technologies, patterns, and best practices. His experience includes over 20 years in health IT, working with a wide spectrum of customers, including public HIEs, IDNs, payers, life sciences companies, and software vendors, with the goal of improving outcomes and reducing costs by aggregating and analyzing clinical, claims, and cost data.


More Than 45 Million Medical Images Are Openly Accessible Online

What You Should Know:

– CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries including the US, UK, and Germany.

– The report highlights the security risks of publicly accessible images containing highly personal information including ransomware and blackmail.


In a new research report, the analyst team at CybelAngel, a global leader in digital risk protection, has discovered that more than 45 million medical imaging files – including X-rays and CT scans – are freely accessible on unprotected servers.

Medical Device Data Leaks

The report “Full Body Exposure” is the result of a six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data. The analysts discovered millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.

CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries including the US, UK, and Germany.

The analysts found that openly available medical images, including up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords.
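A defensive counterpart to what the analysts describe, written for this article rather than taken from CybelAngel’s tooling: a minimal parser for DICOM Part 10 files in explicit VR little endian that inventories the identifying header tags a file would expose and overwrites the direct identifiers in place before the file leaves a controlled system. The sample file, the tag selection and the `build_sample` helper are constructed for the example; the parser assumes explicit VR little endian and defined-length elements only.

```python
import struct

# Header tags that carry identifiers (PII) or health details (PHI). The
# selection is illustrative, not a complete de-identification profile.
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}
PHI_TAGS = {
    (0x0010, 0x1020): "PatientSize",
    (0x0010, 0x1030): "PatientWeight",
    (0x0008, 0x1030): "StudyDescription",
}
# VRs whose explicit-VR header has 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def parse_dicom(data):
    """Walk a Part 10 file (explicit VR little endian only).

    Returns {(group, element): (value_offset, raw_value_bytes)} so callers can
    both read values and overwrite them in place.
    """
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, elements = 132, {}
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements not handled here")
        elements[(group, elem)] = (pos, data[pos:pos + length])
        pos += length
    return elements


def find_exposed_identifiers(data):
    """Inventory: {tag name: decoded value} for every PII/PHI tag present."""
    found = {}
    for tag, (_, raw) in parse_dicom(data).items():
        name = PII_TAGS.get(tag) or PHI_TAGS.get(tag)
        if name:
            found[name] = raw.decode("ascii", errors="replace").strip(" \x00")
    return found


def redact_pii(data):
    """Return a copy with PII values blanked in place (lengths unchanged, so
    the file structure and pixel data stay intact)."""
    out = bytearray(data)
    for tag, (offset, raw) in parse_dicom(data).items():
        if tag in PII_TAGS:
            out[offset:offset + len(raw)] = b" " * len(raw)
    return bytes(out)


def _element(tag, vr, value):
    """Encode one explicit VR little-endian element (used to build the sample)."""
    if len(value) % 2:  # DICOM pads values to even length
        value += b"\x00" if vr in LONG_VRS or vr == b"UI" else b" "
    head = struct.pack("<HH", *tag) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample():
    """Constructed, fictional DICOM file: identifiers in the header, fake pixels."""
    meta = _element((0x0002, 0x0010), b"UI", b"1.2.840.10008.1.2.1")
    body = (
        _element((0x0008, 0x1030), b"LO", b"CT CHEST W CONTRAST")
        + _element((0x0010, 0x0010), b"PN", b"DOE^JANE")
        + _element((0x0010, 0x0020), b"LO", b"MRN-000001")
        + _element((0x0010, 0x0030), b"DA", b"19700101")
        + _element((0x0010, 0x1030), b"DS", b"72.5")
        + _element((0x7FE0, 0x0010), b"OB", bytes(16))
    )
    return bytes(128) + b"DICM" + meta + body


if __name__ == "__main__":
    sample = build_sample()
    print("exposed:", find_exposed_identifiers(sample))
    print("after redaction:", find_exposed_identifiers(redact_pii(sample)))
```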

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” says David Sygula, Senior Cybersecurity Analyst at CybelAngel and author of the report. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

3 Steps to Safeguard The Way Providers Share & Store Data

CybelAngel advises there are simple steps that healthcare facilities can take to safeguard the way they share and store data including:

– Determine if pandemic response exceeds your security policies: Ad hoc NAS devices, file-sharing apps, and contractors may take data beyond your ability to enforce access controls.

– Ensure proper network segmentation of connected medical imaging equipment: Minimize any exposure that critical diagnostic equipment and supporting systems have to wider business or public networks.

– Conduct a real-world audit of third-party partners: Assess which parties may be unmanaged or not in compliance with required policies and protocols.

– CybelAngel provides a complimentary, comprehensive 30-day data exposure assessment that healthcare and other organizations can use to measure their risk and uncover priority issues.

How Hackers Are Targeting COVID-19 Vaccine Distribution Chain – Q/A

COVID-19 Vaccine Cyber Attacks

With the US and other major countries poised to begin national distribution of multiple FDA-approved COVID-19 vaccines, cybersecurity threats to secure COVID-19 vaccine distribution are imminent. Earlier this month, IBM released a report on malicious cyber actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures.

Impersonating a biomedical company, cyber actors are sending phishing and spear-phishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails are posed as requests for quotations for participation in a vaccine program. In the report, IBM urges companies in the COVID-19 supply chain — from research of therapies and healthcare delivery to the distribution of a vaccine — to be vigilant and remain on high alert during this time.

We recently sat down with Nigel Thorpe, Technical Director at SecureAge, an enterprise data security and encryption company, to talk about the cybersecurity risks involved with COVID-19 vaccine distribution.

HITC: What type of information are hackers trying to seize to disrupt the vaccine distribution process?

Thorpe: Hackers will try to obtain all the data they can muster, but specifically, they are looking for data around the distribution logistics together with details of the vaccine and its packaging. Using this they could attempt to replicate and profit from a counterfeit vaccine. In addition, cybercriminals are looking for all sorts of personal information about people involved in the vaccine distribution process, plus members of the public, so they can attempt identity theft and phishing attacks.

HITC: What are the dangers and implications if foreign actors weaponize this information?

Thorpe: One of the biggest problems that already exists is an apprehensive public who is concerned with taking the vaccine because of fears that the approval process has been rushed and circumvented. These fears can be exploited by cybercriminals simply through the use of disinformation. In terms of cybersecurity, any attack on the distribution chain feeds into the fear of those already uncertain about the whole program.

In addition, bad actors could launch ransomware and spear-phishing attacks to get into the corporate network. Here, they can steal information concerning the “cold chain” and use this to build an illegal channel for counterfeit vaccine delivery. Not only would this result in unauthorized, unsafe vaccines being distributed but also reinforce fears of vaccines that many Americans already have. Any data, no matter how small or seemingly innocuous, could be used and exploited by cyber attackers.

HITC: How can health facilities remain protected?

Thorpe: The most important aspect is to ensure that data is encrypted at all times so even if it is stolen, hackers won’t be able to access this scrambled information. In addition, organizations should make sure that unauthorized processes don’t run. This can be done by blocking any application that attempts to execute, but which is not on an authorized list. These measures will stop the problems of both phishing messages and data theft – even by insiders.

HITC: What other information do you think hackers will target in the future as we head into 2021?

Thorpe: Outside of exploiting the vaccine distribution network, hackers will attempt to capitalize on the continued remote working situation that is likely to last for most of 2021. Cybercriminals will try to exploit a situation where workers are not all using secure devices, resulting in data being stolen and exploited by bad actors.

In addition, we can expect combination attacks, where something technical and something human will be combined in ways that the confines and physical security of office spaces would have prevented. Notices sent by mail to homes, phone calls, and possibly even personal visits by repair technicians will be facilitated through stolen information and credentials online, upping the ante of the scams and other illegal shenanigans.

Strategies for Successful Security Outcomes in Healthcare

Follow along with our blog series #HealthcareNow and #PublicSectorNow, where we’ll address healthcare innovation around the world and how to maintain business continuity in today’s health climate. 

This year has brought unprecedented challenge and opportunity for healthcare organizations as they look to secure their patients, clinicians, care teams, endpoints and data.

With the shift to remote work, heightened demand for telehealth and virtual care, and more devices and connections on the network, there has never been a more critical time to address the cybersecurity strategy within your healthcare organization.

Unfortunately, cybercrime hasn’t stopped or slowed because of the global pandemic. In fact, earlier this year the FBI reported a 400% increase in daily cybersecurity complaints since the pandemic began.

So, how do you build a strong defense to enhance patient safety and protect your healthcare organization from cybersecurity breaches?

To understand and identify security practices that drive successful outcomes, Cisco conducted a fully anonymous survey of over 4,800 active IT, security and privacy professionals from around the world. Of those participants, 281 represented healthcare organizations.

The result? A Security Outcomes Study and a mini report specifically on healthcare that empower security leaders around the world to protect against cyber attacks and drive business growth.

Key Takeaways 

Of the healthcare participants surveyed, 51.2% felt they were meeting compliance regulations, 49.1% said they are gaining executives’ confidence in the security program, 45.9% said they were successfully avoiding major incidents and 43.8% said they were managing top risks. See the figure below for how healthcare organizations reported success rates across various outcomes. Note that the mean rate of success is 42%.

Figure outlining security outcomes for healthcare organizations

When it came to defining the strategies that help enable successful security outcomes within healthcare organizations, the survey looked at three categories – enabling the business, managing risk and operating efficiently.

To enable the business, healthcare organizations noted that proactive tech refresh plays a significant role in success. Those who let their infrastructure degrade and only update when things break showed significantly reduced rates of success in enabling the business.

For managing risk, proactive tech refresh was again in the top three strategies. Other strategies for success include timely incident response and prompt disaster recovery.

Lastly, in the category of operating efficiently, the top success strategy was again proactive tech refresh, with well-integrated tech and effective use of automation as other top strategies.

So, what can we gather from this report? Organizations who take a proactive approach to defining their cybersecurity strategy and maintaining security posture with tech refresh have greater success than those who don’t.

To get more key insights from the healthcare study, please read the Security Outcomes Study for Healthcare.

To see how the healthcare industry compares to other industries and organizations, please read the Security Outcomes Study.

We’d love to hear what you think. Comment below and stay tuned for the next blog in our #HealthcareNow series. 

Virtual Engagement During COVID Pushes Paradigm Shift for Physician Training and Patient Care

Shalini Shah, MD is Vice-Chair and Associate Professor, Department of Anesthesiology & Perioperative Care, and Enterprise Director of Pain Services, UC Irvine Health

The dominant presence of COVID-19 has not meant the absence of cancer, ear infections, heart attacks, chronic pain, or other illnesses that need attention and care. Physicians have continued treatment for all types of maladies, and physician training has continued as well. But this treatment and this training look much different these days. Despite the challenges that came with major COVID shutdowns and changing requirements, the healthcare system and patients have been both creative and resilient in finding robust “temporary” solutions to these challenges. It is now looking like some of these COVID-era transitional steps will be preserved and play a lasting role in the future of medical education and telemedicine. What must be sacrificed to reap the benefits of these new protocols?

The rapid adoption of technology and virtual engagement tools has been both impressive and interesting to watch – Zoom meetings between medical association boards of directors, FaceTime calls between isolated patients and their family members at home, telehealth phone appointments with family practice physicians, or virtual medical conferences through Webex – the increasing reliance on these tools has pushed boundaries and exposed both opportunities and challenges with technology use for the future of healthcare.

As COVID-19 has significantly accelerated the feasibility and acceptance of telehealth care by physicians, patients, and payors, we now see healthcare systems navigating in real time the complex issues of cybersecurity and patient privacy. Due to waivers, everyday technologies can be utilized right now, including FaceTime, Skype, Facebook Messenger video chat, Google Hangouts, and Zoom, but new regulatory guidance may be needed to develop safe, secure, and patient-friendly telehealth applications for the future. Cybersecurity, already an important priority in the healthcare information space, is going to become that much more essential as doctor’s offices and clinics implement even more telehealth protocols faster than they ever would have normally planned or budgeted for.

These changes in practice and patient care have also impacted how controlled substances are prescribed. The Drug Enforcement Agency has modified policies to allow for the remote prescribing of controlled substances during the pandemic. Online counseling, informed consent, and follow-up with patients can be done in a virtual setting. Pill counts can be done in a video call and patients can still have their questions answered regarding their pain therapy, although it is likely that after the crisis, prescribing certain controlled substances may return to in-person visits. It is important that the regulatory climate continues to evolve at the pace needed to address the changing needs and realities of telehealth in the time of COVID.

While we have all become more comfortable on telehealth platforms, there continues to be an important role for in-person visits. Patients may appreciate the convenience of telemedicine; however, they must understand that it can limit a physician’s ability to perform a thorough examination and possibly reduce the chances of a physician detecting an unexpected complication or condition. 

Moving forward, I expect there will be much greater reliance on telehealth strategies even post-COVID, but it will always have to be balanced with old-fashioned office visits.

Residency training has also experienced a profound shift this year. Conventional teaching approaches have either been cut back or have been canceled due to COVID risks, and reduced access to personal protective equipment (PPE) has limited the amount of time spent with patients being cared for during residency and fellowship programs. But we can’t stop training for the next generation of physicians or providing quality Continuing Medical Education (CME) for practicing physicians. E-learning techniques, such as webinars and online skills training, certainly play a role – and these may offer ways to actually enhance cross-departmental or multidisciplinary collaborative educational sessions. E-learning may be more cost-effective and easier to participate in than traveling to conferences or symposia, but the hands-on learning and deep discussions that can occur in breakout sessions or clinical training modules will need to be replaced somehow. And there must be careful vetting of online content in order to avoid a proliferation of commercially biased information, plagiarized materials, or simply false information. As we all adjust to new settings and styles for learning, there must be purposeful strategies to ensure online lectures are still supported with opportunities for learning from direct patient contact and collegial support.

Despite these concerns and challenges, new models for CME activities actually pose a great opportunity for increased access, cost-effectiveness, and practicality for busy clinicians.

Even before the first case of COVID-19 was diagnosed, technological innovation had already begun to change education, healthcare, and even social relationships. The COVID-19 crisis has simply accelerated the drive and interest in these new tools. But while the technological tools and platforms to a large extent existed years before COVID-19, they have never been used as purposefully, as rapidly, or with such intentionality as they are being used now.

I am sure the shift toward technology and virtual engagement in medicine will not go away when we finally get past the COVID-19 crisis. There will likely be lasting changes with the reliance on distance-medicine techniques for both patient care and physician training. But we must keep a close eye on regulatory frameworks that need to be updated, and make extra efforts to build and maintain patient-physician relationships.


About Shalini Shah, MD

Shalini Shah, MD is Vice-Chair and Associate Professor, Department of Anesthesiology & Perioperative Care, and Enterprise Director of Pain Services, UC Irvine Health. Dr. Shah completed her residency in Anesthesiology from NYP-Cornell University and a combined fellowship in Adult and Pediatric Chronic Pain at Brigham and Women’s Hospital, Beth Israel Deaconess and Children’s Hospital of Boston, Harvard Medical School.

Healthcare M&A: DAS Health Acquires Randall Technology Services

DAS Health Acquires Health IT and Medical Billing Conglomerate

What You Should Know:

– DAS Health Ventures acquires healthcare and managed IT company Randall Technology Services (RandallTech).

– This acquisition adds Allscripts® PM and EHR solutions to the DAS portfolio of supported products, and DAS Health has now added additional staff in Texas that will create opportunities for greater regional support of its entire solutions portfolio.


DAS Health Ventures, Inc., an industry leader in health IT and management, announced today it completed the acquisition of Randall Technology Services, LLC (RandallTech), a healthcare and managed IT company based in Amarillo, TX. As part of DAS’ growth strategy, this most recent expansion further strengthens its position in the US healthcare technology space.

Acquisition Enhances DAS Health Market Reach

DAS Health actively serves more than 1,800 clients, and nearly 3,500 clinicians and 20,000 users nationwide, with offices in Florida, Nevada, New Hampshire and Texas, and a significant employee presence in 14 key states. This acquisition adds Allscripts® PM and EHR solutions to the DAS portfolio of supported products, and DAS Health has now added additional staff in Texas that will create opportunities for greater regional support of its entire solutions portfolio.

Increased Support for Existing RandallTech Clients

Randall Technology’s clients will gain an increased depth of support, and a substantially improved value proposition, as DAS Health’s award-winning offerings are robust, including managed IT / MSP services, practice management, and EHR software sales, training, support and hosting, revenue cycle management (RCM), security risk assessments (SRA), cybersecurity, MIPS/MACRA reporting & consulting, mental & behavioral health screenings, chronic care management, telemedicine, and other value-based and patient engagement solutions.

Financial details of the acquisition were not disclosed.

Recent Executive Hires: CVS Health New President, Cleveland Clinic/Amwell Joint Venture Leadership, Others

Neela Montgomery, EVP & President at CVS Pharmacy/Retail

CVS Health Corporation names Neela Montgomery Executive Vice President and President of CVS Pharmacy/Retail, effective November 30, 2020. Montgomery will oversee the company’s 10,000 pharmacies across the United States. Montgomery, currently a Board Partner at venture capital firm Greycroft, most recently served as chief executive officer of furniture retailer Crate & Barrel and has nearly 20 years of global retail experience.


The Cleveland Clinic and Amwell joint venture appoint Egbert van Acht as Executive Vice Chairman to the Board of Directors and Frank McGillin as CEO. Formed one year ago as a first-of-its-kind company to provide broad access to comprehensive, high-acuity care via telehealth, the company has made great progress scaling digital care through its MyConsult® offering. With an initial focus on clinical second opinions, the organization also offers health information and diagnosis on more than 2,000 different types of conditions including cancer, cardiac, and neuroscience issues.


Dana Gelb Safran, Sc.D., SVP at WELL Health

Healthcare industry veteran Dana Gelb Safran, Sc.D. has joined Well Health Inc. as Senior Vice President, Value-Based Care, and Population Health. In her new role, Dr. Safran will expand WELL’s uses to improve healthcare quality, outcomes, and affordability through partnerships with payers and Accountable Care Organization (ACO) providers.


Talkdesk®, Inc., the cloud contact center for innovative enterprises, appoints Cory Haynes to lead Talkdesk’s strategy for the financial service industry and Greg Miller to lead the strategy for healthcare and life sciences. Haynes and Miller are key members of the Talkdesk industries team led by Andrew Flynn, senior vice president of industries strategy for Talkdesk.


Mark McArdle, SVP Products & Design at Imprivata

Imprivata appoints Mark McArdle as Senior Vice President of Products and Design. Mr. McArdle has more than two decades of experience in software development, Software-as-a-Service (SaaS), cybersecurity, and advanced products for the enterprise, SMB, and consumer markets.


Jack Stoddard, Executive Chairman at Eden Health

Eden Health names Jack Stoddard as executive chairman of its board of directors. Formerly serving in COO roles for Accolade and Haven, Stoddard brings two decades of healthcare innovation and operating experience to the board position, providing leadership, wisdom, and counsel during a time of monumental growth and adoption for the company. 


Saurav Chatterjee, PhD., CTO at Augmedix

Augmedix names Saurav Chatterjee Chief Technology Officer. Prior to joining Augmedix, he most recently served as Vice President of Engineering at Lumiata, Inc., where he led the engineering team that built a leading AI platform, focusing specifically on transforming, cleaning, enriching, featurizing, and visualizing healthcare data, and on building, deploying and operationalizing machine learning and deep-learning models at scale.


Philip Vecchiolli, Chief Growth & Strategy Officer, Tridiuum

Tridiuum, the nation’s premier provider of digital behavioral health solutions, announces that Philip Vecchiolli has joined the company as Chief Growth and Strategy Officer. Vecchiolli, who brings over 30 years of experience to the new role, has a successful track record of leading business development for large and mid-size healthcare companies.


Janet Dillione, CEO of Connect America

Connect America appoints Janet Dillione as its new chief executive officer (CEO). Prior to joining Connect America, Dillione worked in the healthcare information services industry as CEO of Bernoulli Enterprise, Inc., GM of Nuance Healthcare, and CEO of Siemens Healthcare IT.


Health Catalyst, Inc. announces that current Chief Financial Officer Patrick Nelli has been named President, effective January 1, 2021. Following Nelli’s promotion to the President role, Health Catalyst has named Bryan Hunt, current Senior Vice President of Financial Planning & Analysis, Chief Financial Officer, also effective January 1, 2021.

Two additional promotions, also effective January 1, 2021, include Jason Alger, Senior Vice President of Finance, to Chief Accounting Officer, and Adam Brown, Senior Vice President of Investor Relations, to Senior Vice President of Investor Relations and Financial Planning & Analysis. 


Rick Howard, Chief Product Officer at Apervita

Apervita hires health IT veteran Rick Howard as Chief Product Officer. In his role, Rick will oversee product vision, innovation, design, and delivery of Apervita’s digital platform, which enables digital quality measurement, clinical intelligence, as well as value-based contract monitoring and performance measurement.

Roberto Simon

Conversion Labs, Inc. appoints Roberto Simon to its board of directors and as the chair of its audit committee. Following his appointment, the board now has eight members, with six serving as independent directors. Mr. Simon currently serves as CFO of WEX (NYSE: WEX), a $6+ billion fintech services provider.


Dr. Isaac Rodriguez-Chavez, Ph.D., MHS, MS.

PRA Health Sciences, Inc. appoints senior FDA official Isaac Rodriguez-Chavez, Ph.D., MHS, MS, as Senior Vice President, Scientific and Clinical Affairs. He will lead the company’s Global Center of Excellence for Decentralized Clinical Trial (DCT) Strategy. Dr. Rodriguez-Chavez’s responsibilities will involve the continued growth and development of PRA’s industry-leading decentralized clinical trial strategy, regulatory framework creation, and clinical trial modernization.


Proprio appoints three global thought leaders to its Medical Advisory Board. Dr. Sigurd Berven, Orthopedic Surgeon and Professor at the University of California, San Francisco, Dr. Charles Fisher, Professor and Head of the Combined Neurosurgical & Orthopedic Spine Program at Vancouver General Hospital and the University of British Columbia, and Dr. Ziya Gokaslan, Professor and Chair of the Department of Neurosurgery at Brown University and Neurosurgeon-in-Chief at Rhode Island Hospital and The Miriam Hospital will apply their globally respected surgical and research expertise to the development of the Proprio navigation platform.


Andrew Bindman, MD, EVP & Chief Medical Officer at Kaiser Permanente

Kaiser Permanente names Andrew Bindman, MD Executive Vice President and Chief Medical Officer. In this role, Dr. Bindman will collaborate with clinical and operational leaders throughout the enterprise to help lead the organization’s efforts to continue improving the high-quality care provided to members and patients throughout Kaiser Permanente. Dr. Bindman will report directly to Kaiser Permanente chairman and CEO Greg A. Adams.

Dr. Michael Blackman, Chief Medical Officer at Greenway

Greenway names Dr. Michael Blackman Chief Medical Officer. Dr. Blackman will further support the company’s ambulatory care customers, ensuring providers are equipped with the solutions and services they need to improve patient outcomes and succeed in value-based care.


Suki expands its leadership team with six key hires to support the company’s rapid commercial growth. Tracy Rentz, formerly Vice President of Implementation at Evolent Health, joins Suki as the Vice President of Customer Success and Operations to lead all customer operations, with a particular focus around deploying new Suki customers. Brian Duffy brings over 20 years of sales experience to Suki, joining the team as Director of Sales-East, after having most recently served as Regional Director at Qventus, Inc. Brent Jarkowski will also join Suki’s sales team this November as the Director of Sales-West, bringing over 15 years of experience in strategic relationship management. Brent joins Suki after serving as Senior Client Development Director at Kyyrus. Together, Brian and Brent will head the company’s efforts in building new partnerships across the country. And Josh Margulies, who previously served as the Director of Integrated Brand Marketing for the Jacksonville Jaguars, will serve as Suki’s new Senior Director of Field Marketing.

Phishing attacks most common cybersecurity incident at US healthcare organizations

A survey of healthcare cybersecurity professionals by HIMSS details the most common types of cyber attacks, their impact on patient care, and the solutions hospitals and health systems have implemented to prevent falling prey to this type of criminal activity.

7 Best Practices for Third-Party Risk Management in the Pharmaceutical Industry

7 Best Practices for Third-Party Risk Management in the Pharmaceutical Industry
Dr. Aleksandr Yampolskiy, CEO of SecurityScorecard

The globalization of the pharmaceutical industry has forced pharma companies to outsource, increasing their reliance on third-party vendors and suppliers. As this supply chain grows in complexity, companies find themselves grappling with a growing amount of cyber risk.

A data breach in the pharmaceutical industry can cost companies upwards of $5 million, and costs rise significantly when a third-party vendor or supplier is the cause of the breach. For this reason, organizations must ensure that the third parties in their supply chain remain secure.

Challenges in the Pharmaceutical Supply Chain

There are many logistical, compliance, and cost-related issues that organizations must consider as they add third parties and vendors to their supply chain.

From a logistics perspective, a growing number of touchpoints between production and consumers, shipments that require refrigeration, packaging coordination, and third-party shipment delays can all increase risk.

This risk is compounded by compliance-related issues. The highly regulated pharmaceutical industry must comply with a number of healthcare-related regulations, such as HIPAA, and must also ensure that its third-party suppliers abide by rules set by supply regulations such as Good Distribution Practice (GDP). If these companies or their third parties do not comply, the organization becomes subject to costly fines, which can range between $10 million and $1 billion depending on various factors.

Pharmaceutical businesses must protect themselves in this challenging risk environment by working to mitigate third-party cyber risk alongside their own.

Why Third-Party Risk Management is Critical for Pharma 

Because of the high value of the intellectual property they hold, pharmaceutical companies are subject to a high level of cybercrime. In fact, according to a study conducted by Deloitte, the pharmaceutical industry has become the number one target of cybercriminals globally, especially for IP theft.

For a pharma organization, data breaches can be devastating, costing companies lost or stolen data and large sums of money to remedy the business disruption caused by the breach. According to Ponemon’s Cost of a Data Breach report, data breaches cost pharmaceutical companies an average of $5.2 million. When a third-party supplier or vendor causes a breach, the average cost rises by $370,000.

To protect drug production and patient well-being, the industry must take care to minimize its cyber risk, specifically where third parties are concerned.

Best Practices for Third-Party Risk Management in the Pharmaceutical Industry

It is crucial that pharmaceutical organizations work to limit the third-party risk that may stem from vendors and suppliers. Use the following seven best practices for developing your third-party risk management (TPRM) strategy: 

1. Identify Your Suppliers

Pharmaceutical companies have a large, outsourced supply chain, and it is imperative to understand exactly who your suppliers are at every point on the chain. Cyber risk can stem from a vendor of any size or type, so list every third party you work with, from small vendors who may work with only one department to large vendors who develop drug labels and bottle caps.

2. Understand and Qualify Potential Cyber Risks

Each third party has the potential to introduce numerous risks, and these must be identified at the start of the business relationship. Make note of the types of software, networks, devices, and data that each of your third parties can access. Then develop a risk inventory, map each risk against a standardized risk taxonomy, estimate the likelihood and severity of each risk, and rank each third party in order of potential risk.

3. Determine a Risk Rating

Once each third party has been analyzed from a risk perspective, assign it a risk rating. Risk ratings generally range from low to high, so high-risk vendors receive the most attention when prioritizing risk-monitoring strategies and determining your risk appetite.

4. Define Controls

It’s important to make sure that third parties have the same level of risk tolerance as your organization. When developing a TPRM policy, define the types of controls your third parties should be using, such as encryption, regular security patching, and data segregation. Where possible, write these controls into your business contracts.

5. Measure Third-Party Compliance

After setting controls, you must set metrics to measure third-party compliance. These metrics may include time to risk detection, time to risk remediation, or time to risk recovery. Monitoring third-party compliance regularly requires reviewing the security questionnaires or self-audits the third party provides.

6. Align with a Risk Management Framework

To manage third-party risk properly, pharmaceutical organizations must develop a third-party risk management framework. Common frameworks such as those from NIST and ISO help identify which third-party vendors pose the greatest risk and require an immediate response.

7. Continuously Monitor Third Parties

To ensure security, pharmaceutical companies must continuously monitor their third-party business partners. Many organizations adopt platforms that monitor ecosystem risk, providing real-time visibility into the complex IT risks associated with the rapidly expanding pharmaceutical attack surface.
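The following Python script, an added example rather than SecurityScorecard’s tooling or anything from the article, walks steps 1 through 4 above over a constructed vendor inventory: each vendor’s inventoried risks are mapped to an assumed standardized taxonomy with severity weights, scored as likelihood times severity, ranked, given a Low/Medium/High rating, and checked for the contractual controls (encryption, patching, data segregation) the vendor has not evidenced. The vendor names, taxonomy, weights and rating thresholds are all assumptions.

```python
"""Third-party risk inventory, scoring and rating for a pharma supply chain.

Added example (not from the article or SecurityScorecard). The vendor
records, risk taxonomy, weights and thresholds below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed standardized risk taxonomy: category -> severity weight (1..5)
RISK_TAXONOMY = {
    "phi_exposure": 5,            # vendor handles protected health information
    "ip_exposure": 5,             # vendor sees formulations or trial data
    "network_access": 4,          # vendor has VPN or direct network connectivity
    "weak_encryption": 4,         # data at rest or in transit not encrypted
    "unpatched_software": 3,      # vendor runs software outside a patch SLA
    "cold_chain_dependency": 2,   # refrigeration or shipment delay risk
}

# Controls the TPRM policy expects every third party to evidence (step 4)
REQUIRED_CONTROLS = ("encryption", "patching", "data_segregation")


@dataclass
class Vendor:
    name: str
    department_scope: str
    risks: dict[str, float] = field(default_factory=dict)    # category -> likelihood 0..1
    controls: dict[str, bool] = field(default_factory=dict)  # questionnaire evidence


def risk_score(vendor: Vendor) -> float:
    """Sum of likelihood x severity over the vendor's inventoried risks (step 2).
    Categories outside the taxonomy are rejected so the inventory stays standardized."""
    total = 0.0
    for category, likelihood in vendor.risks.items():
        if category not in RISK_TAXONOMY:
            raise KeyError(f"{category!r} is not in the risk taxonomy")
        if not 0.0 <= likelihood <= 1.0:
            raise ValueError(f"likelihood for {category!r} must be between 0 and 1")
        total += likelihood * RISK_TAXONOMY[category]
    return round(total, 2)


def risk_rating(score: float) -> str:
    """Map a score onto Low / Medium / High (step 3). Thresholds are assumed."""
    if score >= 8.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def missing_controls(vendor: Vendor) -> list[str]:
    """Required controls the vendor has not evidenced (steps 4 and 5)."""
    return [c for c in REQUIRED_CONTROLS if not vendor.controls.get(c, False)]


def rank_vendors(vendors: list[Vendor]) -> list[tuple[str, float, str, list[str]]]:
    """Rank vendors by score, highest first, so High-risk ones get attention first."""
    rows = []
    for v in vendors:
        score = risk_score(v)
        rows.append((v.name, score, risk_rating(score), missing_controls(v)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed vendor inventory (step 1); the names are placeholders.
SAMPLE_VENDORS = [
    Vendor("Label & Cap Supplier", "packaging",
           risks={"network_access": 0.2, "cold_chain_dependency": 0.5},
           controls={"encryption": True, "patching": True, "data_segregation": True}),
    Vendor("Clinical Data CRO", "R&D",
           risks={"phi_exposure": 0.9, "ip_exposure": 0.8, "weak_encryption": 0.3},
           controls={"encryption": True, "patching": False, "data_segregation": True}),
    Vendor("Cold-Chain Courier", "logistics",
           risks={"cold_chain_dependency": 0.9, "unpatched_software": 0.8},
           controls={"encryption": False, "patching": False, "data_segregation": False}),
]

if __name__ == "__main__":
    for name, score, rating, gaps in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:22} score={score:5.2f} rating={rating:6} missing={gaps}")
```

Running the script lists the clinical data CRO first (High) and the packaging supplier last (Low); the courier lands in Medium with every required control missing, which is the combination that should trigger a contract review before the next order.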

Final Thoughts

The pharmaceutical supply chain is growing in regulatory complexity, logistics, and cost. Globalization has expanded the threat landscape, forcing many companies to upgrade their risk-management capabilities. Now is the time to adopt the best practices highlighted above to protect drug IP and patient lives.


About Dr. Aleksandr Yampolskiy, CEO of SecurityScorecard

Dr. Aleksandr Yampolskiy is a globally recognized cybersecurity innovator, leader, and expert. He is co-founder and chief executive officer of SecurityScorecard and strives to create a new language for cybersecurity by enabling people to work collaboratively across the enterprise and with external parties to build a more secure ecosystem.

COVID-19 Underscores Need for Identity Governance Administration

COVID-19 Underscores Need for Identity Governance Administration
Wes Wright, CTO at Imprivata

If you work in healthcare, chances are that the COVID-19 pandemic forced you to quickly scale up or move staff around to manage the onslaught of patients. The demand for clinicians and support staff grew alongside the spread of the virus, making organizations add clinicians or reassign employees to new or modified roles: ambulatory nurses went to work in the Emergency Department or isolation ward, revenue cycle staff started doing patient transport, and so on. In some cases, former staff or retired workers were called back to help with the surge.

In the midst of these time-compressed changes, organizations remained rightly focused on their number one priority: patient care delivery. In the background, IT professionals were struggling to manage the slew of new digital identities while ensuring fast access to new applications, workflows, and devices to accommodate remote work. Giving clinicians this access meant having to provision and deprovision access quickly during the staff ramp-up. Inevitably, access became a problem, whether to the systems or to the applications staff needed to do their jobs. In worst-case scenarios, organizations had to weigh security and compliance against the delivery of healthcare services to patients, and security protocols were compromised – a trade-off that should never have to happen.


Pandemic Spotlights Need for IGA
In response to the identity management challenges presented by the COVID-19 pandemic, healthcare IT organizations that already had Identity Governance Administration (IGA) systems in place found those systems came to the rescue. Those that didn’t, well… IGA systems provide a fast, reliable way to manage digital identities through provisioning, governance, risk and compliance, and de-provisioning for healthcare workers who need access to workstations and applications. This is even more the case in a crisis environment. A recent study conducted by Forrester Consulting found that an automated system helps organizations manage, streamline, and secure transactions across hypercomplex ecosystems of healthcare users, locations, and devices. What’s more, according to Forrester, automation also saves time and money and results in a higher-quality patient experience.

The fact is, even in normal times, healthcare organizations rarely excel at tracking personnel moves, especially additions and changes, because of the time and system constraints often involved. That leads to what I call a “stacked shares” situation. These typically involve a person with decades of experience in your organization who has worked in multiple administrative or clinical areas and has access to about 80 percent of your network shares because she or he was never deprovisioned from ANY of them. In these instances, the network shares just kept getting “stacked,” one on top of the other. That’s probably exactly what happened during the COVID-19 pandemic as people moved around to adapt to the ongoing crisis.

Another unexpected challenge created by the pandemic relates to furloughs. What is your healthcare organization doing with furloughed staff? Are you disabling and then re-enabling accounts? Re-provisioning when and if they come back? What if they come back in a new role? Again, the “stacked shares” situation arises. You will likely regret it if your organization doesn’t have an automated IGA system, integrated with a GRC system, to keep track of these movements.
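The “stacked shares” problem and the furlough questions above both come down to whether a role change revokes the old role’s entitlements. The Python model below is an added example (not Imprivata’s product or code from the article) that contrasts an ad-hoc move, which only grants, with a governed mover workflow that grants and revokes, and treats a furlough as a disable-and-clear followed by re-provisioning for the role the person actually returns to. The roles, share names and user accounts are constructed.

```python
"""Role-based provisioning model showing how an IGA-style workflow keeps
network-share access from "stacking" across role changes and furloughs.

Added example, not from the article or Imprivata. Roles, share names and
the accounts below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed role model: each role is entitled to exactly these network shares.
ROLE_SHARES = {
    "ambulatory_nurse": {"clinic-schedules", "ambulatory-charts"},
    "ed_nurse": {"ed-charts", "ed-protocols"},
    "revenue_cycle": {"billing", "claims"},
    "transport": {"transport-dispatch"},
}


@dataclass
class Account:
    user: str
    role: str | None
    enabled: bool = True
    shares: set[str] = field(default_factory=set)
    # audit trail of (action, share) so an access review can see how access accrued
    history: list[tuple[str, str]] = field(default_factory=list)


def provision(acct: Account, role: str) -> Account:
    """Joiner or re-hire: enable the account and grant the role's shares."""
    acct.role = role
    acct.enabled = True
    for share in sorted(ROLE_SHARES[role]):
        if share not in acct.shares:
            acct.shares.add(share)
            acct.history.append(("grant", share))
    return acct


def move(acct: Account, new_role: str) -> set[str]:
    """Governed mover: revoke what the old role granted, then grant the new role.
    Returns the set of shares revoked."""
    old = ROLE_SHARES.get(acct.role, set()) if acct.role else set()
    revoked = (old - ROLE_SHARES[new_role]) & acct.shares
    for share in sorted(revoked):
        acct.shares.discard(share)
        acct.history.append(("revoke", share))
    provision(acct, new_role)
    return revoked


def manual_move_without_deprovision(acct: Account, new_role: str) -> Account:
    """The failure mode the article describes: new shares granted, nothing revoked."""
    return provision(acct, new_role)


def stacked_shares(acct: Account) -> set[str]:
    """Shares the account holds beyond its current role's entitlement."""
    entitled = ROLE_SHARES.get(acct.role, set()) if acct.role else set()
    return acct.shares - entitled


def furlough(acct: Account) -> Account:
    """Leaver-style disable: keep the record, drop every live entitlement."""
    acct.enabled = False
    for share in sorted(acct.shares):
        acct.history.append(("revoke", share))
    acct.shares.clear()
    acct.role = None
    return acct


def return_from_furlough(acct: Account, role: str) -> Account:
    """Re-enable by provisioning for the role the person actually comes back to,
    not by restoring whatever the account held before."""
    return provision(acct, role)


if __name__ == "__main__":
    # Ad-hoc moves with no deprovisioning: entitlements accumulate
    a = provision(Account("nurse.a", None), "ambulatory_nurse")
    manual_move_without_deprovision(a, "ed_nurse")
    print("stacked without IGA:", sorted(stacked_shares(a)))
    # Governed moves: the old role's shares are revoked as part of the move
    b = provision(Account("nurse.b", None), "ambulatory_nurse")
    move(b, "ed_nurse")
    print("stacked with IGA:", sorted(stacked_shares(b)))
    furlough(b)
    return_from_furlough(b, "transport")
    print("after furlough and return:", sorted(b.shares), "enabled =", b.enabled)
```

The `stacked_shares` check is the same query an access-certification campaign would run against a real directory: anything an account holds that its current role does not explain is a candidate for revocation, and the `history` list is what a reviewer would want when asking how the extra access got there.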


Moving to a Remote Workforce
COVID-19 forced many healthcare organizations to rapidly accommodate a remote workforce. Only a few departments worked remotely before the pandemic, so routers, network architecture, and bandwidth all had to be upgraded. Most health systems also required additional licensing to ramp up services successfully. Above all, the priority was to prevent any serious disruptions for clinicians.

Here again, health systems faced the challenge of balancing usability with security concerns. Tools like Zoom and Microsoft Teams proved useful, but they created additional risks, including diminished safety for healthcare workers, cybersecurity intrusions, and hacks such as theft of PHI, ransomware, and more. IT staff had to ensure the security of both the devices and the platforms being used, which is also easily managed by solid IGA systems.

In these cases, IGA systems analyze login data in real time via login activity reports. They weave digital identity and access management, single sign-on capabilities, and governance into workflows to strengthen security without compromising care delivery. This includes remote identity proofing to enable electronic prescribing of controlled substances (EPCS) and to ensure compliance with DEA regulations while avoiding in-person interactions.

We will no doubt be living in a world of both in-person and remote healthcare for some time, given the COVID-19 crisis. One lesson we have already learned from the big experiment we just completed is that healthcare organizations benefit from having an IGA system in place to help balance healthcare delivery, efficiency, and safety with security and compliance. Implementing an IGA strategy makes it easy for clinicians to transition securely and seamlessly between workstations and applications and have their identity follow them.


About Wes Wright

Wes Wright is the Chief Technology Officer at Imprivata and has more than 20 years of experience with healthcare providers, IT leadership, and security. Prior to joining Imprivata, Wes was the CTO at Sutter Health, where he was responsible for technical services strategies and operational activities for the 26-hospital system. Wes has been the CIO at Seattle Children’s Hospital and has served as the Chief of Staff for a three-star general in the US Air Force.


3 Telemedicine Security and Compliance Best Practices

3 Telemedicine Security and Compliance Best Practices
Gerry Miller, Founder & CEO at Cloudticity

The coronavirus pandemic accelerated telemedicine exponentially as patients and doctors switched from in-person visits to remote consultations. Health providers rapidly scaled virtual offerings in March and April and traffic volumes soared to unprecedented levels, with practices “seeing 50 to 175 times the number of patients by telehealth than before the outbreak,” according to McKinsey. By early August, the U.S. Department of Health and Human Services expanded the list of allowable telehealth services in Medicare and there was an executive order supporting permanent telehealth provisions for rural areas.

But the surge in telemedicine adoption comes with a host of cybersecurity risks and regulatory compliance requirements unique to the healthcare sector.

As telemedicine traffic increases, so does the volume of hacking attempts. Recent cybersecurity news indicates healthcare organizations are top targets for cyberattacks and “providers remain the most compromised segment of the healthcare sector, accounting for nearly 75 percent of reported breaches.” The consequences are chilling: “The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States.”

Further, whenever patient information is involved, HIPAA compliance is required. While HHS temporarily suspended pursuing HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency,” such permissiveness will not last.

Luckily, most telemedicine providers can utilize managed services and cloud infrastructure to keep pace. Here are some best practices to meet IT compliance and cybersecurity demands for telemedicine.

Telemedicine Compliance Best Practices

Compliance should be viewed as a real-time process that drives security. Telemedicine tools and technology should therefore reflect significant expertise with all healthcare regulations (HIPAA, HITRUST, HITECH), with compliance functions permeating processes. Recommended compliance best practices include:

1. Automate Remediation

Healthcare applications cannot offer high reliability if every potential compliance problem is remediated manually; there’s just too much that can go wrong and never enough staff to address it when needed. The solution is to automate everything that can be automated and rely on people to handle exceptions or potential violations that don’t impact reliability. Cloud-based services can integrate AI and operational intelligence to remediate anomalies automatically when possible, present recommendations to operations staff for cases that cannot be resolved automatically, and present clear choices such as:

· Do Nothing: Take no action, delete ticket after [x number of days]

· Fix Now: Implement the recommended actions immediately

· Schedule: Perform the recommended actions during the next maintenance window

This approach speeds resolution, decreases service disruptions, and improves the reliability of telemedicine delivery. The automated response also plays a critical role in security (discussed shortly).

2. Perform Formal Risk Assessments

Understanding the risk level and the specific risk issues is a critical component of an effective compliance plan. Many providers of healthcare services underestimate their level of risk, in part because it is difficult to quantify. HHS has published guidance in its Quantitative Risk Management for Healthcare Cybersecurity, which offers insight. There are also cloud solutions that can aid the process. Cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud offer automated security assessment services that help improve the security and compliance of applications deployed on their cloud hosting platforms. They can generally assess applications for exposure, vulnerabilities, and deviations from best practices. A good inspection service should highlight network configurations that allow potentially malicious access and produce a detailed list of findings prioritized by severity.

3. Reduce Attack Surface

To provide secure access to sensitive information, hybrid architectures supporting telemedicine applications need a virtual private network (VPN) gateway between on-premises and cloud resources. However, developers, test engineers, remote employees, and others who need access to cloud-based protected health information (PHI) may bypass a VPN gateway by either cracking open the cloud firewall to allow direct unencrypted internet traffic or using peering connections. To prevent such potential exposures, secure desktop-as-a-service (DaaS) solutions provide an elegant way to allow cloud-based access to PHI without exposing connections or records. A DaaS is generally deployed within a VPC providing each user with access to persistent, encrypted cloud storage volumes using an encryption key management service. No user data is stored on the local device, which reduces overall risk surface area without impeding development capability.

Telemedicine Security Best Practices

While a full treatment of cybersecurity strategy is beyond the scope of this article, here are three best practices that telemedicine providers can use to bolster their security posture:

1. Deploy Proactive Network Security

Modern cyber threats have become steadily more sophisticated in evading traditional security measures and more devastating once they penetrate network perimeters. For that reason, telemedicine providers need a highly proactive, multilayered approach to prevent malware-based outages, theft of intellectual property, and exfiltration of protected health information (PHI).

A combination of network anti-malware, application control, and intrusion prevention systems (IPS) is recommended. Such proactive solutions are generally bundled in managed cloud services that should automatically detect suspicious system changes in real-time, isolate and quarantine affected resources, and prevent the spread of exploits by locking down any server whose configuration differs from the installed settings.

2. Encrypt Data Storage

Data encryption is the last line of cyber-defense for PHI and other critical information. Even if an attacker can penetrate the perimeter and proactive network security and exfiltrate data from the provider, those data are useless to the hacker if encrypted. It’s good practice to encrypt all web and application servers running on cloud instances using a unique master key from a key management service when creating volumes.

Encryption operations generally occur on the servers that host cloud database (DB) instances, ensuring the security of both data at rest and data in transit between an instance and its block storage. For additional protection, you can also opt to encrypt DB instances at rest, the underlying storage for DB instances, their automated backups, and their read replicas.
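The checklist in this section (instance storage, backups, read replicas and volumes each encrypted, each under a unique master key from the key management service) can be audited from the cloud provider’s inventory APIs. Below is an added Python example, not Cloudticity’s code, that runs such an audit over constructed records shaped like the output of boto3’s `rds.describe_db_instances`, `rds.describe_db_snapshots`, `ec2.describe_volumes` and `kms.describe_key` calls; in production the records would come from those calls, and the key ARNs here are placeholders. It flags anything unencrypted as high and anything encrypted only under the AWS-managed default key, rather than a customer-managed master key, as medium.

```python
"""Audit of at-rest encryption for cloud DB instances, their backups
(snapshots), read replicas and block-storage volumes.

Added example (not from the article or Cloudticity). The records are
constructed to match the shape of boto3 describe_* responses; in production
they would be fetched from those APIs. All ARNs are placeholders.
"""
from __future__ import annotations

CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-placeholder"
AWS_MANAGED = "arn:aws:kms:us-east-1:111122223333:key/aws-rds-placeholder"

# kms.describe_key()["KeyMetadata"]["KeyManager"] is "CUSTOMER" for a key you
# created and "AWS" for the service default key.
KEYS = {CMK: {"KeyManager": "CUSTOMER"}, AWS_MANAGED: {"KeyManager": "AWS"}}

# rds.describe_db_instances()["DBInstances"] (constructed)
DB_INSTANCES = [
    {"DBInstanceIdentifier": "ehr-primary", "StorageEncrypted": True,
     "KmsKeyId": CMK, "ReadReplicaDBInstanceIdentifiers": ["ehr-replica"]},
    {"DBInstanceIdentifier": "ehr-replica", "StorageEncrypted": True,
     "KmsKeyId": AWS_MANAGED, "ReadReplicaDBInstanceIdentifiers": []},
    {"DBInstanceIdentifier": "telehealth-sessions", "StorageEncrypted": False,
     "ReadReplicaDBInstanceIdentifiers": []},
]
# rds.describe_db_snapshots()["DBSnapshots"] (constructed)
DB_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:ehr-primary-2020-11-01",
     "DBInstanceIdentifier": "ehr-primary", "SnapshotType": "automated",
     "Encrypted": True, "KmsKeyId": CMK},
    {"DBSnapshotIdentifier": "telehealth-manual-1",
     "DBInstanceIdentifier": "telehealth-sessions", "SnapshotType": "manual",
     "Encrypted": False},
]
# ec2.describe_volumes()["Volumes"] (constructed)
VOLUMES = [
    {"VolumeId": "vol-app01", "Encrypted": True, "KmsKeyId": CMK},
    {"VolumeId": "vol-web01", "Encrypted": False},
]

Finding = tuple[str, str, str]  # (severity, resource, issue)


def key_issue(resource: str, key_id: str | None, keys: dict) -> list[Finding]:
    """For an encrypted resource, check that its key is a customer-managed master key."""
    if key_id is None:
        return [("high", resource, "encrypted flag set but no KMS key recorded")]
    if keys.get(key_id, {}).get("KeyManager") != "CUSTOMER":
        return [("medium", resource, "uses the AWS-managed default key, not a unique master key")]
    return []


def audit_encryption(instances, snapshots, volumes, keys) -> list[Finding]:
    """Return findings ordered by severity (high first), then resource name."""
    findings: list[Finding] = []
    by_id = {i["DBInstanceIdentifier"]: i for i in instances}
    for inst in instances:
        name = f"db/{inst['DBInstanceIdentifier']}"
        if not inst.get("StorageEncrypted"):
            findings.append(("high", name, "DB instance storage is not encrypted at rest"))
        else:
            findings += key_issue(name, inst.get("KmsKeyId"), keys)
        # A read replica is its own instance; check it is encrypted too.
        for replica_id in inst.get("ReadReplicaDBInstanceIdentifiers", []):
            replica = by_id.get(replica_id)
            if replica is None or not replica.get("StorageEncrypted"):
                findings.append(("high", f"db/{replica_id}",
                                 f"read replica of {inst['DBInstanceIdentifier']} is not encrypted"))
    for snap in snapshots:
        name = f"snapshot/{snap['DBSnapshotIdentifier']}"
        if not snap.get("Encrypted"):
            findings.append(("high", name,
                             f"{snap.get('SnapshotType', 'unknown')} backup is not encrypted"))
        else:
            findings += key_issue(name, snap.get("KmsKeyId"), keys)
    for vol in volumes:
        name = f"volume/{vol['VolumeId']}"
        if not vol.get("Encrypted"):
            findings.append(("high", name, "block storage volume is not encrypted"))
        else:
            findings += key_issue(name, vol.get("KmsKeyId"), keys)
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, resource, issue in audit_encryption(DB_INSTANCES, DB_SNAPSHOTS, VOLUMES, KEYS):
        print(f"[{severity:6}] {resource}: {issue}")
```

On the constructed inventory the audit reports three high findings (an unencrypted DB instance, its unencrypted manual snapshot, and an unencrypted volume) and one medium finding for the replica that is encrypted but only under the service default key. The snapshot check matters because an unencrypted manual snapshot of an unencrypted instance is exactly the backup copy that leaves the account when someone shares it.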

3. Harden Operating Systems

Both Microsoft Windows Server and Linux are ubiquitous operating systems in telemedicine. They are also both attractive targets for cybercriminals because they provide complex capabilities, frequently remediate vulnerabilities, and are so common (increasing attackers’ chances of finding an unpatched system). Hackers use OS-based techniques such as remote code execution and elevation of privilege to take advantage of unpatched operating system vulnerabilities. Hardened images of Windows Server and Linux virtual machines (VMs) should be used, employing the default configurations recommended by the Center for Internet Security (CIS). Such hardened images make gaining OS administrative privileges extremely difficult, and they coordinate well with the proactive security bundles described earlier.

Additional resources for telemedicine compliance and security are available from the American Medical Association (AMA), the US Department of Homeland Security, the U.S. Department of Health and Human Services, and HITRUST.

While these best practices are targeted primarily at telemedicine companies, they can also be applied to a wide range of healthcare providers and organizations delivering vital services in the face of 2020’s dramatic swings in demand.


About Gerry Miller

Gerry Miller is the founder and chief executive officer at Cloudticity. He is a successful serial entrepreneur and healthcare fanatic. From starting his first company in elementary school to selling his successful technology consulting firm in 1998, Gerry has always marched to his own drummer, producing a series of successes. Gerry’s first major company was The Clarity Group, a Boston-based Internet technology firm he founded in 1992. Gerry presided over seven years of 100% aggregate annual growth and sold the company in 1998 when it had reached $10MM in revenue.

He was recruited by Microsoft to become their Central US Chief Technology Officer, eventually taking over a global business unit and growing its revenue from $20MM to over $100MM in less than three years. Gerry then joined ePrize as Chief Operating Officer, where he grew sales 38% to nearly $70MM while improving operating efficiency, quality, and both client and employee satisfaction. Gerry founded Cloudticity in 2011 with a passion for helping healthcare organizations radically reshape the industry by unlocking the full potential of the cloud.

To Combat COVID-19, Philips Launches Rapid Equipment Deployment Kits

To Combat COVID-19, Philips Launches Rapid Equipment Deployment Kits

What You Should Know:

– Philips today announced the launch of its Rapid Equipment Deployment Kits, which provide doctors with critical care patient monitoring solutions they can quickly implement in the ICU. The Rapid Equipment Deployment Kits use advanced patient monitoring technology to enable care teams to swiftly scale up critical care capabilities within just a few hours, and help hospitals meet on-demand access during these pressing times of COVID-19.

– Arriving at hospitals fully configured and ready to deploy, the kits are pre-built and pre-packed into sturdy cases and can be transferred from hospital to hospital as needed. After a crisis or surge has passed, the kits are disinfected and stored so they are available for future emergencies.


Royal Philips today introduced its Rapid Equipment Deployment Kit for ICU ramp-ups, allowing doctors, nurses, technicians, and hospital staff to quickly support critical care patient monitoring capabilities during the COVID-19 pandemic. Currently in successful use at the first health systems across the US, the Rapid Equipment Deployment Kit combines Philips advanced patient monitoring technology with predictive patient-centric algorithms, enabling care teams to quickly scale up critical care patient monitoring capabilities within a few hours. As health systems in the U.S. continue to experience surges in critical care and emergency care demand related to the COVID-19 crisis, the kit provides hospitals a way to quickly and easily expand their critical care capacity.

The Rapid Equipment Deployment Initiative for COVID-19 Response


The Philips Rapid Equipment Deployment Kit is a fully configured and ready-to-deploy ICU patient monitoring solution, which includes 20 ICU monitors, 20 measurement servers and one central management monitoring station. The kits are pre-built, pre-configured and pre-packed into sturdy cases that can elevate a hospital’s general care area to a critical care level in a matter of hours. Kits are complete with step-by-step instructions allowing the pre-configured system to be deployed by hospital staff, with remote technical and clinical support from Philips. Kits can be transferred from hospital to hospital as needed. Once a crisis/surge passes, the kits are disinfected, packed up and stored to have available in preparation for future emergencies.

Why It Matters

“The current health crisis has demonstrated a clear need for us to deliver innovative solutions to our customers that provide a complete critical care monitoring solution with all of the equipment they require on demand. This eliminates the need to source and configure individual pieces of high-demand equipment during a crisis,” said Peter Ziese, General Manager of Monitoring Analytics at Philips. “To help ensure economical and more efficient use of hospital resources, the Rapid Equipment Deployment Kits provide the speed, flexibility and ease of implementation for advanced critical care patient monitoring that many of our customers must have during this most pressing time.”

In June, Philips announced it had received Emergency Use Authorization from the FDA for Philips’ IntelliVue Patient Monitors MX750/MX850 and its IntelliVue Active Displays AD75/AD85, for use in the US during the COVID-19 health emergency. These patient monitoring solutions support infection-control protocols and remotely provide critical patient information when caring for hospitalized COVID-19 patients. The MX750 and MX850 monitors are the latest additions to Philips’ portfolio of integrated patient monitoring solutions to help support improved clinical and operational workflows. Updated features include enhancements to monitor and assess clinical and network device performance, and additional functionality to strengthen cybersecurity.