Industry Watch – April/May 2016

March 29, 2016


A patient’s perspective on ransomware

By Sean Mason, Director of Threat Management, Cisco Security Advisory Services

In 2015, I had a crippling case of sciatica. This prompted me to undergo a series of tests, including an MRI and, ultimately, a very scary lumbar microdiscectomy surgery to fix a severely herniated disc. I mention this because, while I am an information security professional, I’m also a patient who requires medical care on occasion. I put my trust and confidence in both the hospitals and healthcare providers that help me.

This is why it’s very concerning and personal to me when I receive nearly weekly calls from hospitals and healthcare providers seeking assistance to respond to ransomware and other malware incidents taking place within their environment.

Upfront reality

By the time I receive those phone calls, considerable damage is usually already done. In a recent case, an entire wing was rendered inoperable, and the ability to service patients was severely impacted. When it comes to ransomware, there is no way to recover your data outside of taking the chance – and risk – of paying off the perpetrator and hoping they follow through with their end of the bargain.

While I usually advocate that prevention is not a panacea and can eventually be defeated, the reality is that the best way organizations can address ransomware is to be proactive and work to stay ahead of it.

The fundamentals

It is important to recognize that healthcare organizations are rather unique, given their mix of devices on the network. Many are running unsupported operating systems from a decade or more ago. As such, the cybersecurity fundamentals required to protect the network are slightly different.

For example, many of the newer and more effective cybersecurity technologies that reside on the endpoint are incompatible with older operating systems, so network-based defensive approaches should be considered.

Additionally, all organizations should:

  • Ensure a robust security program is in place;
  • Incorporate continuous patching, monitoring, and tuning of security tools;
  • Include a process to respond immediately to any issues to ensure that they don’t become exacerbated; and
  • Consider consulting with a trusted security advisor to develop your security strategy before disaster strikes.

Final thoughts

According to the 2016 Cisco Annual Security Report, one ransomware campaign alone was targeting up to 90,000 victims per day, for an estimated $30 million total annually. With numbers like these, criminals will continue to operate these campaigns. Organizations will continue to see ransomware and other variations of it for quite some time.

Taking the time and effort to be proactive and implement approaches to combat this threat is required not just now, but will be needed for years to come. Additionally, while it can be very easy to have a hyper-focused level of concern with ransomware, these techniques will also help you stay ahead of other malware issues that can cause considerable impact to your healthcare organization.

Always remember: While it may appear simpler to just pay a ransom, you are dealing with criminals. There is no guarantee that paying them off will work.

Healthcare organizations must be vigilant in protecting patients, instilling trust and confidence, with the assurance that their solutions are safe to use. This is paramount to any patient, including this one.

Mobile Apps

Accenture: Hospitals missing out on millions

Only 2 percent of patients in the largest U.S. hospitals are using hospital-provided mobile health apps, according to new research from Accenture, and it’s a costly situation. Accenture estimates that failure to align mobile apps to the services consumers demand could cost each of these hospitals, on average, more than $100 million annually in lost revenue.

The research, which assessed mobile app use among the 100 largest U.S. hospitals, found that two-thirds (66 percent) of them have mobile apps for consumers, and roughly two-fifths (38 percent) of that subset have developed proprietary apps for their patients. However, only 11 percent of health systems offer patients proprietary apps that operate with at least one of the three functions that consumers demand most: access to medical records; the ability to book, change, and cancel appointments; and the ability to request prescription refills electronically.

“Simply having a mobile app is not enough,” says Brian Kalis, Accenture’s Managing Director of Digital Health Strategy. “Hospital apps are failing to engage patients by not aligning their functionality and user experience with what consumers expect and need.” Those who become disillusioned with a provider’s mobile services (or a lack thereof) could go somewhere else.

According to Accenture, this is already happening: Approximately 7 percent of patients have switched healthcare providers due to a poor experience with online customer service channels, such as mobile apps or Web chat. Accenture estimates that this pattern could lead to a loss of tens of millions of dollars in annual revenue per hospital and suggests that as consumers bring their service expectations from other industries into healthcare, providers are likely to see higher switching rates on par with the mobile phone industry (9 percent), cable TV providers (11 percent), or even retail (30 percent).

The report suggests that one way for hospitals to improve the customer experience is to partner with digital disruptors such as Good Rx, ZocDoc, InstaMed Go, and WebMD to create mobile platforms tailored to their specific patient demands. For example, a large healthcare provider might partner with ZocDoc to improve appointment scheduling or with InstaMed Go to improve bill paying.

Source: Accenture

Infectious Agents

War on germs takes flight

Engineers at Boeing (Everett, WA) are casting a new light on airplane bathroom hygiene, and that light is deadly – for germs, that is.

The airline designers and builders have created a self-cleaning lavatory prototype that uses a special kind of ultraviolet (UV) light to kill 99.99 percent of germs when the bathroom is unoccupied. The Clean Lavatory system can disinfect all surfaces after every use in just three seconds, and can even help eliminate odors.

When combined with touchless features such as a hands-free faucet, soap dispenser, trash flap, automatic lifting toilet lid and seat, and hand dryer, the whole system aims to minimize the growth and potential transmission of micro-organisms.

The patent-pending cleaning system, which will require further study before it can be offered to airlines, lifts and closes the toilet seat by itself so that all surfaces are exposed to a flood of Far UV light during the cleaning cycle. The light bath is activated only when the lavatory is unoccupied. Far UV is different from the UVA or UVB light in tanning beds, and is not harmful to people.

Secure Messaging

Hidden costs of pager use revealed

A new study commissioned by TigerText shows hospitals pay 45 percent more for antiquated paging technology than they would for secure messaging. The HIMSS Analytics study, which surveyed 200 U.S. hospitals, revealed that 90 percent of these organizations still use pagers and each spends, on average, $180,000 per year.

“The Hidden Cost of Pagers in Healthcare” study included research from HIMSS Analytics and other market research. The HIMSS Analytics research found that the average paging service cost per device was $9.19 per month, compared to industry research showing the cost of secure messaging app alternatives to be less than $5 per month.

The HIMSS Analytics research also revealed significant “soft” costs from the continued use of pagers:

  • A lack of two-way communication was the most commonly cited disadvantage of using pagers among the executives interviewed;
  • One-way paging does not give recipients full context nor the option to provide feedback or ask questions, costing care teams precious time to manage patient care;
  • Pagers were seen in interviews as causing communication gaps by not allowing users to update contact directories and on-call schedules, which are critical to effectively reaching physicians;
  • Survey respondents noted the inconvenience of carrying and managing more than one device; and
  • The limitation of paging systems operating only on a single network was perceived as a significant disadvantage, unlike smartphones, which communicate across multiple networks (i.e., cellular, Wi-Fi).

The HIMSS Analytics research included a quantitative survey of more than 200 pager users at hospitals throughout the United States, with a bias toward large organizations with more than 100 patient beds, as larger hospitals tend to have a high correlation to pager use.

Source: TigerText

Mobile Tech

Doctors and patients at disconnect over health-tracking app data

So you’ve been using your fitness tracking band religiously for months, and you’re excited to show your doctor all the progress you’ve made logging extra steps and counting nearly every calorie. And look at that heart rate! But will your doctor even care, and is your data even usable on a professional level?

These are some of the main questions that University of Washington (UW) researchers tried to answer in a new study on healthcare activity trackers, apps, and self-reported data. The overall conclusion (brace yourself): Most healthcare providers don’t have the time or tools to review your data – and your data may not be scientifically valid anyway.

UW researchers surveyed 211 patients and interviewed 21 doctors, dietitians, and other healthcare providers about their expectations for how patients’ self-tracking data should be shared and used.

“We’ve heard doctors say more and more that people bring this data into the clinic, and they’re just overwhelmed by it,” says lead study author Christina Chung, a UW doctoral student in Human-Centered Design and Engineering. “When you’re managing chronic disease or symptoms, day-to-day lifestyle tracking data can be useful, but doctors don’t have a way to use these data efficiently and effectively.”

What kind of data does get attention? Providers who asked patients to keep paper diaries or suggested specific tracking tools often found the resulting information helpful in collaboratively diagnosing triggers or arriving at effective treatments. That was largely because those providers had designed and refined those processes over time to elicit useful information and track the most relevant patient behavior.

But patient-initiated tracking efforts – apps that were suggested by a friend or activity trackers received as birthday gifts, for example – were a different story. The study concluded that, on the whole, the ways that some activity trackers or calorie-counting apps present data are more suited to supporting healthy lifestyles than helping providers make clinical decisions.

“As a provider, you feel pressured because you want to help and interpret the data that people are bringing you, but every format is different and none of the data is validated,” says study paper co-author Jasmine Zia, an attending physician and Acting Assistant Professor in UW Medicine’s Division of Gastroenterology.

In ongoing work, the UW team is exploring ways to make self-tracking data more clinically useful and to help healthcare providers and patients collaborate and engage with it.

The study, “Boundary Negotiating Artifacts in Personal Informatics: Patient-Provider Collaboration with Patient-Generated Data,” won a best paper award and was presented in March at the Association for Computing Machinery’s conference on Computer-Supported Cooperative Work and Social Computing in San Francisco.

Source: UW
