Healthcare Technology Vendor News

Tristar Medical Group Discovers Solution That Reduced its AWS Costs by 60%

Healthcare organizations are increasingly turning to the cloud to meet their IT needs, but while there are many advantages to be gained from migrating applications, infrastructure, and datacenter operations to the cloud, managing cloud costs remains a major challenge.

Many healthcare organizations choose AWS EC2 instances for their servers. While the platform meets their needs, the high cost of running AWS EC2 instances – or equivalent instances from other providers – is forcing many healthcare organizations to scale back their cloud migration plans.

The cost of running AWS EC2 instances can be considerable. Tristar Medical Group, the largest privately-owned healthcare provider in Australia, runs facilities across the country, spread across multiple time zones. Its clinics need access to servers around the clock and cloud instances were left running 24/7.

Tristar soon discovered its strategy was proving prohibitively expensive. While the needs of its clinics were being met, the cost of its virtual desktop infrastructure (VDI) solution was unsustainable.

The rising OpEx costs meant Tristar had to scale down its instances and servers. “This led us to two conclusions. Either spend a large amount of capital upfront to increase the efficiency of our VDI solution, or automate and fine-tune our AWS servers to maximize output,” said Tristar CTO Dewald Botha.

Most organizations overprovision cloud resources and do not rightsize resources for their needs. Cloud instances are run 24/7 at a significant cost, when a large percentage of the time those resources are not in use.

The simplest solution is to schedule resources and switch off instances when they are not required and turn them back on when they are needed. Scheduling alone allows cloud users to make significant savings and dramatically reduce their monthly cloud bills, although complex hybrid cloud environments require an automated scheduling solution.
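One way to express the scheduling idea above as code, added here as an illustration and not ParkMyCloud's, Tristar's or AWS's own implementation: each instance carries a hypothetical `Schedule` tag in the form `<days> <HH:MM>-<HH:MM> <IANA time zone>` (for example `Mon-Fri 07:00-19:00 Australia/Perth`), and the scheduler decides per instance whether it should be started, stopped or left alone at a given UTC instant. Evaluating the window in the clinic's own time zone is what makes the approach work for a fleet spread across several time zones. The instance inventory is constructed inline; in a real deployment it would come from the cloud provider's API.

```python
"""Tag-driven start/stop decisions for cloud instances across time zones.

Added example, not vendor code. The tag format, instance IDs and inventory
below are assumptions chosen for the illustration.
"""
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def parse_schedule(tag):
    """Parse 'Mon-Fri 07:00-19:00 Australia/Perth' into (days, start, end, tz)."""
    day_spec, window, tz_name = tag.split()
    if "-" in day_spec:
        first, last = day_spec.split("-")
        lo, hi = DAYS.index(first), DAYS.index(last)
        # A range such as Sat-Mon wraps around the end of the week.
        days = set(range(lo, hi + 1)) if lo <= hi else set(range(lo, 7)) | set(range(0, hi + 1))
    else:
        days = {DAYS.index(day_spec)}
    start_s, end_s = window.split("-")
    return days, time.fromisoformat(start_s), time.fromisoformat(end_s), ZoneInfo(tz_name)


def should_run(tag, now_utc):
    """True if an instance with this schedule tag should be running at now_utc (aware datetime)."""
    days, start, end, tz = parse_schedule(tag)
    local = now_utc.astimezone(tz)
    if start <= end:
        # Window lies within one calendar day.
        return local.weekday() in days and start <= local.time() < end
    # Window crosses midnight (e.g. 22:00-06:00): the evening half belongs to the
    # listed day, the early-morning half to the day that follows it.
    if local.time() >= start:
        return local.weekday() in days
    return (local.weekday() - 1) % 7 in days and local.time() < end


def plan_actions(instances, now_utc):
    """Return {instance_id: 'start' | 'stop' | 'keep'} for the inventory."""
    actions = {}
    for inst in instances:
        tag = inst.get("tags", {}).get("Schedule")
        if tag is None:
            actions[inst["id"]] = "keep"  # untagged instances are never touched
            continue
        desired = "running" if should_run(tag, now_utc) else "stopped"
        if desired == inst["state"]:
            actions[inst["id"]] = "keep"
        else:
            actions[inst["id"]] = "start" if desired == "running" else "stop"
    return actions


def at_utc(year, month, day, hour, minute):
    """Helper to build an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample inventory (not real instance IDs or Tristar's environment).
SAMPLE_INSTANCES = [
    {"id": "i-perth-vdi", "state": "running",
     "tags": {"Schedule": "Mon-Fri 07:00-19:00 Australia/Perth"}},
    {"id": "i-sydney-vdi", "state": "stopped",
     "tags": {"Schedule": "Mon-Fri 07:00-19:00 Australia/Sydney"}},
    {"id": "i-db-primary", "state": "running", "tags": {}},
]

if __name__ == "__main__":
    # Monday 2018-03-05 22:30 UTC: Tuesday 06:30 in Perth (before opening),
    # Tuesday 09:30 in Sydney (daylight time, clinic open).
    print(plan_actions(SAMPLE_INSTANCES, at_utc(2018, 3, 5, 22, 30)))
```

Whatever account runs a scheduler like this should hold only the start/stop and describe permissions on the tagged instances; it does not need, and should not be given, rights to terminate instances or to touch untagged ones.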

Tristar determined the easiest solution was to find an application that could be used to schedule instances and optimize cloud costs and searched for a suitable cloud cost management solution.

Various solutions were trialed, and while all offered the opportunity to eliminate inefficiencies and schedule resources, the most flexible and easy to use solution that achieved the greatest savings was provided by ParkMyCloud. After signing up for the free trial, Tristar found it was able to reduce its AWS costs almost immediately by 40% to 60%, depending on its operational needs.

With costs reduced and spending optimized, Tristar has been able to accelerate cloud migration and has now moved many of its current datacenter instances to AWS. By the time that process is completed, Tristar expects to be able to save around $20,000 a month on cloud costs – $240,000 a year.

The post Tristar Medical Group Discovers Solution That Reduced its AWS Costs by 60% appeared first on HIPAA Journal.

TitanHQ’s WebTitan Now Available Through Kaseya IT Complete Suite

TitanHQ has announced its DNS-based web filtering solution, WebTitan, has now been integrated into Kaseya’s IT Complete platform. The integration allows MSPs serving the healthcare industry to offer their clients an additional layer of protection against web-based threats such as phishing, malware, and ransomware.

Via Kaseya, managed service providers can access cybersecurity solutions from some of the biggest names in the industry, including Cisco, Dell, and Bitdefender. While the platform provides MSPs with a wide range of easy-to-deploy cybersecurity solutions, one notable absence was an MSP-friendly content filtering solution.

“Security is a critical service that all MSPs must deliver. Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business,” said Frank Tisellano, Jr., Kaseya vice president product management and design. “With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection.”

A web filtering solution allows healthcare organizations to block attempts by employees to visit malicious websites, whether by clicking hyperlinks in phishing emails, through general web browsing, or via redirects to malicious sites from malvertising. A web filter is an important additional control that helps to ensure the confidentiality, integrity, and availability of protected health information by blocking phishing sites and malware and ransomware downloads.

In the past month alone 10 email-based hacking incidents have been reported to OCR, with each incident resulting in the exposure of more than 500 healthcare records. The high volume of successful phishing attacks on healthcare employees highlights the need for advanced technological controls to prevent healthcare employees from visiting malicious websites and disclosing their account credentials.

Managed service providers can now access the multi-award-winning web filtering solution through Kaseya VSA and the Kaseya IT Complete Suite and deploy network-wide DNS-based web filtering in a matter of minutes, giving their healthcare clients even greater protection against malware, ransomware and phishing attacks.


FDA Issues Alert Over Vulnerabilities in Abbott Laboratories Defibrillators

The U.S. Food and Drug Administration has issued an alert about certain Abbott Laboratories implantable cardiac devices over cybersecurity vulnerabilities that could potentially be exploited to alter the functioning of the devices.

Certain implantable cardiac defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds) are affected, including the Current, Promote, Fortify, Quadra, Unify, and Ellipse families of products. The flaws do not exist on pacemakers or cardiac resynchronization pacemakers (CRT-Ps).

Exploitation of the vulnerabilities is possible using commercially available equipment that could be used to send commands to the devices via radio frequencies. For the vulnerabilities to be exploited, an attacker would need to be in relatively close proximity to the device.

Were an attack to happen, it would be possible to alter the function of the devices and cause them to deliver inappropriate pacing and shocks, or cause the batteries to deplete prematurely. Exploitation of the vulnerabilities therefore has the potential to cause harm to patients.

The vulnerabilities are being addressed with a firmware update. The FDA has assessed the update and confirmed that it mitigates the vulnerabilities and reduces the potential for harm to a reasonable level. After receiving the update, any device that attempts to connect to the ICD or CRT-D would need to provide authentication before any changes could be made.
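The alert describes the mitigation only at the level of "authentication before any changes could be made". The following is an added illustration of what that class of control looks like in code; it is not Abbott's protocol, firmware or key material, and the frame layout, opcodes, key, counter scheme and device model are all assumptions chosen for the example. The device accepts a command only if its message authentication code verifies under a device-specific key, and it additionally rejects replayed frames via a strictly increasing counter, so that capturing one legitimate programmer session does not let an attacker resend it.

```python
"""Authenticated programmer-to-implant commands (added illustration, not
Abbott's protocol). Frame layout: counter(4) || opcode(1) || payload || tag(16),
with tag = truncated HMAC-SHA256 over everything before it. All constants
below are assumptions for the example.
"""
import hashlib
import hmac
import struct

# Hypothetical device-unique key provisioned at manufacture or during the update.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
OPCODES = {0x01: "set_pacing_rate", 0x02: "disable_hv_therapy", 0x7F: "query_status"}
HEADER_LEN = 5   # 4-byte counter + 1-byte opcode
MAC_LEN = 16     # truncated HMAC-SHA256 tag


def build_command(key, counter, opcode, payload):
    """Programmer side: produce an authenticated frame."""
    header = struct.pack(">IB", counter, opcode)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


class Implant:
    """Device side: refuses any state change that is unauthenticated or replayed."""

    def __init__(self, key):
        self._key = key
        self.last_counter = 0
        self.pacing_rate = 60
        self.hv_enabled = True
        self.log = []

    def handle(self, frame):
        """Return True if the command was accepted and applied, False otherwise."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            self.log.append("reject: short frame")
            return False
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison; verify the tag before parsing anything else.
        if not hmac.compare_digest(tag, expected):
            self.log.append("reject: bad tag")
            return False
        counter, opcode = struct.unpack(">IB", body[:HEADER_LEN])
        payload = body[HEADER_LEN:]
        if counter <= self.last_counter:
            self.log.append("reject: replay")
            return False
        if opcode not in OPCODES:
            self.log.append("reject: unknown opcode")
            return False
        self.last_counter = counter
        name = OPCODES[opcode]
        if name == "set_pacing_rate":
            self.pacing_rate = payload[0]
        elif name == "disable_hv_therapy":
            self.hv_enabled = False
        self.log.append("accept: " + name)
        return True


def demo():
    """A legitimate command, the same frame replayed, and a forged frame."""
    dev = Implant(DEVICE_KEY)
    good = build_command(DEVICE_KEY, 1, 0x01, bytes([70]))
    forged = build_command(b"attacker-guess", 2, 0x02, b"")
    results = [dev.handle(good), dev.handle(good), dev.handle(forged)]
    return results, dev.pacing_rate, dev.hv_enabled, dev.log


if __name__ == "__main__":
    print(demo())
```

The counter also gives the physician's office an audit trail: every accepted command has a unique sequence number, and a burst of rejected frames logged by the device is itself a signal worth raising at the next interrogation.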

Abbott Laboratories notes in a recent press release that there have been no reports of the vulnerabilities actually being exploited, and that the update is not an emergency measure but part of a series of planned updates to improve cybersecurity.

The firmware update also corrects an unrelated issue with the lithium ion batteries which can cause them to deplete rapidly, in some cases within a day. This is not caused by malicious actors, instead it is a problem with the batteries, which can form lithium deposits that create abnormal electrical connections. The update includes a new battery depletion alert that will be triggered if rapid battery depletion is detected, informing the patient that they must arrange to visit their physician as soon as possible.

The firmware update cannot be applied remotely. Patients must visit their provider to have their ICD or CRT-D updated.

The update will take approximately 3 minutes during which time the device will operate in backup VVI mode. High voltage therapy will be temporarily disabled and there is potential for the device to deliver no pacing for up to three seconds during the update.

Any firmware or software update has potential to cause a device to malfunction, although the risk is very low and a previous firmware update in August 2017 resulted in no serious malfunctions. In 0.62% of cases, the update was not applied in full. In such cases the issue was rapidly resolved with Technical Services. To reduce the risk of problems, a programmer update has been incorporated which should keep update errors to a minimal level.

Certain devices cannot accept the update due to technical limitations. A fix has been offered by Abbott Laboratories that involves switching off RF functionality via the Merlin@home programmer. While this fix will prevent any exploitation of the vulnerabilities, it would also prevent the device from sending data directly to the physician’s office. Consequently, the FDA recommends that RF functionality is not disabled.


Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, healthcare is unique in that the biggest security threat comes from within. Insiders were responsible for around 58% of all incidents, with external actors responsible for around 42%.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data breaches. The most common category was error, behind 33.5% of all incidents; it covers misdelivery of emails and mailings, mistakes made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The largest single cause was misdelivery of documents, which accounted for 20% of the incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of the incidents within it. The theft of laptops was the main incident type, and almost half (47%) of laptop thefts involved devices taken from employees' vehicles. Full disk encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks, meaning attacks that target employees rather than systems, accounted for 8% of all incidents. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%) and bribery (7.8%). Verizon treats pretexting as the stage beyond phishing: once an email account has been compromised, it is used to send further convincing emails, business email compromise (BEC) attacks being the typical example.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.
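Monitoring is only useful if someone, or something, reviews the audit trail. As an added example that is not part of the Verizon report, the script below runs two simple checks over a constructed EHR access log aimed squarely at the privilege abuse pattern the report describes: accesses to patients the user has no active treatment relationship with, and days on which a user touched far more distinct patient records than their own typical day. The log format, the relationship table, the role list and the thresholds are all assumptions; a real deployment would pull the same fields from the EHR audit log and the scheduling or encounter system.

```python
"""Detection over an EHR access audit trail (added example, not from the
Verizon report). Input format, relationships, roles and thresholds are
assumptions chosen for the illustration.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit trail: timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2018-03-01T08:02:11,jdoe,nurse,P1001,view
2018-03-01T08:05:40,jdoe,nurse,P1002,view
2018-03-01T09:10:03,jdoe,nurse,P1003,view
2018-03-02T08:00:12,jdoe,nurse,P1001,view
2018-03-02T08:20:12,jdoe,nurse,P1002,update
2018-03-03T13:00:00,jdoe,nurse,P1001,view
2018-03-04T22:41:19,jdoe,nurse,P2001,view
2018-03-04T22:42:05,jdoe,nurse,P2002,view
2018-03-04T22:42:50,jdoe,nurse,P2003,view
2018-03-04T22:43:31,jdoe,nurse,P2004,view
2018-03-04T22:44:08,jdoe,nurse,P2005,view
2018-03-04T22:44:52,jdoe,nurse,P2006,view
2018-03-04T22:45:30,jdoe,nurse,P2007,view
2018-03-04T22:46:17,jdoe,nurse,P2008,view
2018-03-01T10:00:00,asmith,billing,P1001,view
2018-03-01T10:01:00,asmith,billing,P3001,view
"""

# Constructed treatment relationships: user -> patients with an active encounter.
TREATING = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "asmith": set(),
}
# Roles whose access is justified by role rather than by a treating relationship
# (such as billing); they are excluded from the relationship check, not from monitoring.
ROLE_BASED = {"billing"}


def parse_log(text):
    """Parse the CSV audit trail into a list of event dicts."""
    reader = csv.DictReader(io.StringIO(text),
                            fieldnames=["ts", "user", "role", "patient", "action"])
    return list(reader)


def no_relationship(events, treating, role_based):
    """Flag each access by a clinical user to a patient they are not treating."""
    findings = []
    for e in events:
        if e["role"] in role_based:
            continue
        if e["patient"] not in treating.get(e["user"], set()):
            findings.append((e["ts"], e["user"], e["patient"], "no treating relationship"))
    return findings


def volume_spikes(events, factor=3.0, minimum=5):
    """Flag days where a user touched far more distinct patients than their own baseline."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["ts"][:10]].add(e["patient"])
    findings = []
    for user, days in per_day.items():
        for day, patients in days.items():
            others = [len(p) for d, p in days.items() if d != day]
            baseline = median(others) if others else 0
            if len(patients) >= minimum and len(patients) > factor * baseline:
                findings.append((day, user, len(patients),
                                 f"{len(patients)} distinct patients vs baseline {baseline}"))
    return sorted(findings)


def review(text=AUDIT_LOG):
    """Run both checks and return the findings grouped by check."""
    events = parse_log(text)
    return {
        "no_relationship": no_relationship(events, TREATING, ROLE_BASED),
        "volume_spikes": volume_spikes(events),
    }


if __name__ == "__main__":
    for check, items in review().items():
        print(check)
        for item in items:
            print("  ", item)
```

Both checks are deliberately explainable: each finding names the user, the record and the reason, which is what a privacy officer needs in order to follow up, and what a workforce needs to know exists for the deterrent effect described above to apply.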

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.


Is Liquid Web HIPAA Compliant?

Healthcare organizations searching for a hosting solution may identify Liquid Web as a potential vendor, but is Liquid Web HIPAA compliant? Can its cloud services be used by HIPAA-covered entities for hosting applications and projects that include electronic protected health information?

Any healthcare organization that wants to use the cloud to host applications that use the protected health information (PHI) of patients must select a vendor whose service includes safeguards to ensure the confidentiality, integrity, and availability of ePHI that meet the requirements of the HIPAA Security Rule.

Cloud service providers, including hosting companies, are classed as business associates since they potentially have access to their clients’ data. While many cloud service providers claim they do not access customers’ data, they are still classed as business associates. HIPAA-covered entities and their business associates must therefore enter into a business associate agreement with the service provider before any ePHI is uploaded to the cloud.

Liquid Web Business Associate Agreements

Liquid Web has been providing hosting solutions to SMBs for 20 years. Last year, the company underwent an independent audit of its hosting services to assess compliance with HIPAA/HITECH regulations. While there is no official HIPAA compliance certification, the accounting firm UHY LLP attested that the company has implemented appropriate administrative, physical, and technical safeguards to satisfy HIPAA Rules. Liquid Web has also passed EU-US and Swiss-US Privacy Shield audits, SOC 1, 2, and 3 attestations, and PCI Service Provider recertification.

Liquid Web is prepared to enter into business associate agreements with HIPAA covered entities that require hosting services for web content and applications that include PHI. The BAA covers its single server and multiple server hosting services.

Is Liquid Web HIPAA Compliant?

The privacy and security controls implemented by Liquid Web allow HIPAA covered entities to ensure their data is secure and always available. Liquid Web can be a HIPAA compliant hosting service, provided access, security, and audit controls are set appropriately and a signed business associate agreement is obtained prior to use of the hosting services in connection with any ePHI.


NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare

Anomali has partnered with the National Health Information Sharing and Analysis Center (NH-ISAC) and will be providing threat intelligence to healthcare organizations through NH-ISAC. Anomali will be providing NH-ISAC with the required tools and infrastructure to allow its members to collaborate and share threat intelligence with other members.

Anomali will be providing up to date threat intelligence on new and current external threats specific to the healthcare industry allowing NH-ISAC members to take proactive steps to minimize risk. Anomali’s early warning system helps healthcare organizations respond to threats quickly when suspicious activity is detected on a network.

NH-ISAC members include hospitals, health insurers, medical research institutions, pharma companies, ambulatory providers, medical device manufacturers and other healthcare stakeholders. NH-ISAC community members help each other use physical and cyber threat intelligence to inform security decisions and mitigate threats.

The new collaboration between NH-ISAC and Anomali will help empower the healthcare community to identify and respond to cyber threats. Anomali provides actionable threat intelligence that can be consumed by healthcare organizations and used to complement internal security monitoring programs.

The Anomali platform automates collection, normalization, and integration of threat intelligence from a wide range of different sources. The platform allows seamless collaboration with peers in other organizations through Anomali Trusted Circles and gives healthcare organizations complete visibility into attacks that threaten the confidentiality of protected health information and the security of the networks on which the information is stored. A threat detection by one member helps other organizations take preventative steps to block attacks before they occur.

“Sharing threat intelligence among member firms is one of the most essential services of any ISAC. The NH-ISAC Board is pleased with the opportunity to work with the Threatstream platform to enhance threat intelligence sharing for the healthcare sector,” said Jim Routh, NH-ISAC board member.


Is Google Calendar HIPAA Compliant?

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.

Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.

Uploading any protected health information to the cloud is not permitted under the HIPAA Privacy and Security Rules unless certain HIPAA requirements have first been satisfied.

A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.

Google’s Business Associate Agreement

Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.

HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.

Is Google Calendar HIPAA Compliant?

So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.


SpamTitan v7.00 Release Sees Bitdefender Used as Primary AV Engine

TitanHQ has announced the release of a new version of its leading spam filtering solution SpamTitan. SpamTitan v7.00 includes several important updates to better protect users from malicious emails and known threats, including patches for recently discovered vulnerabilities in the ClamAV anti-virus engine.

One of the notable changes in the new version is a change to the primary anti-virus engine. SpamTitan v7.00 now offers award-winning anti-malware and ransomware protection through Bitdefender.

The change to the Romanian-based antivirus company is part of a growing strategic relationship with the firm that will see further collaboration over the coming weeks and months. The secondary AV engine will continue to be provided by ClamAV. TitanHQ has confirmed that support for Kaspersky AV – the primary AV engine on previous releases of SpamTitan – will stop from May 1, 2018.

TitanHQ said its mission is “to provide secure, reliable and affordable security solutions to our partners and customers. Our team continually develops our product suite, implementing customer feedback and feature requests into new product releases.”

All new customers signing up for spam and phishing protection with SpamTitan will be protected by SpamTitan v7.00. The updated version has also been pushed out to existing customers that have prefetch of system updates enabled. The new version will appear in the list of available updates. If the prefetch option is disabled, users must manually check for available updates via their user interface.

TitanHQ has also announced that support for versions 4 and 5 of SpamTitan will stop on May 1, 2018, giving users of those versions less than two months to upgrade. All users should in any case update to the latest version as soon as possible for the best level of protection.

The latest version addresses 7 known vulnerabilities in ClamAV (CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, and CVE-2017-12380) and also includes security updates for packages including openssl, openssh, php, and wget. ClamAV has been updated to version 0.99.3, which resolves denial-of-service issues.

Existing customers should read all release notes that apply to versions of SpamTitan later than their current installation before upgrading. TitanHQ notes that prior to upgrading to v7.00 users must first upgrade to SpamTitan v6.15. Cluster installations require the update to be applied to all nodes in the cluster.

The update will take approximately 10-20 minutes to complete during which time appliances should not be rebooted.


PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate

PhishMe, the leading provider of human phishing defense solutions, has announced that from February 26, 2018, the firm will be known as Cofense. Along with the name change, the firm has announced it has been acquired by a private equity syndicate, which valued the firm at $400 million.

PhishMe was formed in 2007 with the aim of developing products and services to tackle the growing threat from phishing. Employees have long been viewed as the weakest link in security, yet the human element of security defenses was often neglected. Over the years, PhishMe developed its products and services to help companies improve their last line of defense and turn security liabilities into security assets.

PhishMe has helped thousands of organizations improve their defenses against phishing through training and phishing simulations. The firm has also developed a range of associated products and services including a reporting platform that has now been adopted by more than 2 million users, as well as incident response and threat intelligence services.

While phishing defense is still at the heart of the business, the name change reflects the more comprehensive range of products and services now being offered and future plans for expansion of its enterprise-wide attack detection, response, and orchestration solutions.

The acquisition will help in that regard. With the backing of the private equity syndicate, the company’s finances have been secured and the firm is planning to expand and enhance its products and services and increase its global reach.

“This acquisition further strengthens the alignment between our management team, employees, and investors as we focus on building an enduring company,” explained Cofense co-founder and CEO Rohyt Belani. “With cybersecurity a top priority for organizations everywhere, our goal is to continue bringing innovative products to markets around the globe to help stop active attacks faster than ever.”
