Archive for May, 2010

Parents welcome email access to doctors

A story over at FierceHealthcare discusses a survey where parents were asked if they used email regularly and if they would welcome being able to email their children’s doctors.

Out of the 229 parents surveyed, 75 percent (171) said they were “regular email users.” Ninety percent of those parents (154) indicated that they were open to using email to communicate with their child’s doctor, although African-American respondents and those making $30,000 or less annually were much less likely to agree.

Some doctors have concerns with opening email communication to patients.

Other doctors, like Scott Krugman, chairman of pediatrics at Franklin Square Hospital Center–which does not allow patients to email their doctors–have similar concerns. He worries that while some parents will try to email doctors about every little detail in their child’s life, others will try to send an email in an emergency situation. 

“If you send an email to someone who checks their email once a day, you could be in big trouble,” Krugman said. He also worries about doctors being uncompensated for their care. 

Whether doctors like it or not, I believe the push for email communication will only intensify. Almost every other service industry allows customer inquiries and communication via email. Doctors may be able to reject the push now, but I believe email communication with patients will eventually be the norm rather than the exception.

One issue that doctors will have to address is how to communicate with patients and not violate any HIPAA regulations.  Practices will have to start looking into email encryption such as ZixCorp, Voltage or the various other email encryption providers.  The good news is that email encryption is not overly expensive and is fairly easy to implement.

More unencrypted laptops stolen

A story over at FierceMobileHealthcare reports that two laptops were stolen from the Department of Veterans Affairs. Neither of the laptops had the hard drives encrypted.

Two recently disclosed potential breaches of health data in government health programs, potentially impacting more than 10,000 patients, were the result of stolen, unencrypted laptops belonging to contractors.     

The Department of Veterans Affairs said that a laptop stolen from an unspecified contractor’s car April 22 contained unencrypted, personally identifiable information of about 644 veterans. And New Mexico’s Health and Human Services Department reported last week that an employee of West Monroe Partners, a subcontractor that processes dental claims for Medicaid enrollees, had an unencrypted computer in the trunk of a car stolen in Chicago March 20. That computer may have contained data on 9,600 beneficiaries, Government Health IT reports.

Still, the news incensed Rep. Steve Buyer (R-Ind.), the ranking member of the House Veterans Affairs Committee, because a law passed in the wake of a major breach in 2006 that threatened the privacy of 26.5 million veterans and their spouses requires VA contractors to encrypt health data on laptops. The breach indicates that the “VA lacks focus on its primary responsibility of protecting veterans’ personal information,” Buyer writes in a May 12 letter to VA Secretary Eric Shinseki.

“We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use,” he adds.

It seems to me that if your medical practice is using laptops that are unencrypted, it is only a matter of time before you experience a security breach. Encrypting the hard drive of a laptop is neither very complicated nor expensive. My advice is to start looking into laptop encryption sooner rather than later.

Today’s outrage: Anti-virus vendors

One of the most important things you can do to protect your network is to ensure that each desktop, laptop and server is running anti-virus software.  To further clarify, it is not enough to just run anti-virus software but the solution should protect against viruses, spyware and malware.  For the rest of this article I will refer to the solution as anti-virus although I mean a solution that protects against viruses, spyware and malware.

Many of the anti-virus solutions sold today operate in a similar fashion.  The console or main program of the anti-virus software is installed on a server on a network.  From there each desktop, laptop and server has the anti-virus client installed on it.  The anti-virus console is responsible for checking for new virus definitions from the software vendor and then pushing the definitions out to each of the clients (desktops, laptops and servers).  Normally this process occurs several times a day without incident.  The process ensures that all of the computers running on a network have the latest virus definitions and are prepared to protect against all known threats.  Unfortunately, lately the process has failed and caused major problems.

On April 22, 2010 the McAfee anti-virus program experienced a bug that caused networks around the world to fail.  According to a story by InfoWorld:

The update distributed at 3 a.m. Eastern time Wednesday misclassified a critical Windows XP system file, called svchost.exe, as a malicious program. As a result, McAfee’s AV software was instructed to detect and remove the threat, sending affected PCs into fits of rebooting that made the machines useless.

Steve Shillingford, chief executive of tech forensics firm Solera Networks, told USA Today that one large U.S. multinational company saw 50,000 PCs go into a reboot frenzy as a result of the destructive update. Solera was in the process of helping the client clean up the mess, which could only be corrected manually by a technician at each PC.

The problem that McAfee experienced was that the latest virus definitions had a bug that mistakenly classified a Windows XP system file as a virus. The software then tried to remove the virus, which caused Windows XP machines to go into an endless loop of reboots. This made the machines unusable. What made the problem worse was the process that I previously described. The console program downloaded the buggy virus definition and then pushed that definition to each of the desktops, laptops and servers running on the network. You can see how the problem then begins to escalate.

To be honest, I was on the sidelines on April 22, 2010 as the McAfee fiasco occurred.  We had previously migrated all of our clients away from McAfee and Symantec anti-virus to Sunbelt’s VIPRE anti-virus.  So when McAfee had the problem I was smug knowing that my clients were not impacted.

Unfortunately, my smugness wore off yesterday. Starting around 8am our helpdesk started receiving a lot of support requests. The support requests were spread over almost all of our clients and each request had a similar theme – the client network was slow and unresponsive. From there the morning only got worse. The phones rang off the hook, the requests kept coming in and we were in full-scale firefighting mode.

Finally we received a series of emails from Sunbelt Software Support which explained why all of our clients were having the same problem. 

From: Sunbelt Software Support [support@sunbeltsoftware.com]
Subject: High CPU utilization with definitions 6272 – 6274

Product Notification:  VIPRE Enterprise, VIPRE Enterprise Premium, CounterSpy Enterprise

Date: May 7th, 2010

Notification Type: Support Issue

Product: VIPRE Enterprise, VIPRE Enterprise Premium, CounterSpy Enterprise

Version: All

Operating System:  All product-supported Operating Systems

Dear VIPRE/CounterSpy Enterprise customer,

Customers running a scan with definition versions 6272, 6273, or 6274 may experience extremely high CPU usage when running a scan.   

The issue started with definition 6272, released 5/6/2010 at 5:53:19 PM EDT.  The issue is caused by a virus detection (Virus.VBS.Redlof.f) that causes a loop condition on the system, resulting in high CPU usage.  

This problem has been fixed in definition version 6275.

If you are unable to abort a currently running scan on your agent machines, the solution to the 100% CPU usage is to do as follows:

  1. Ensure the Enterprise Server has received definition version 6275.
  2. Stop the following processes on any unresponsive agent machines:
    1. SBAMsvc.exe
    2. SBAMTray.exe (if tray icon is set to be visible)
    3. sbamui.exe (if agent interface is open)
    4. SBPIMSvc.exe (4.0 Agents only)
  3. Restart your enterprise agents.
  4. Update any outdated agents within your console to the latest definitions.

We are aggressively researching why this detection was able to release to the public and are putting in place additional quality assurance processes, so that we can ensure that this type of detection doesn’t occur again.

Thanks for choosing Sunbelt Software,

Sunbelt Software Support
Sunbelt Software
email: support@sunbeltsoftware.com
Voice: 1-877-673-1153 Ext 510
Fax: 1-727-562-5199
Web: http://www.sunbeltsoftware.com
Physical Address:
33 N Garden Ave
Suite 1200
Clearwater, FL  33755
United States

It turns out that Sunbelt pushed out a virus definition file that caused each desktop, laptop and server to spike to 100% CPU utilization. This spike made the computers basically unusable. The resolution was to download the newest definition, which corrects the issue. The problem was that each of the computers was unresponsive, so trying to deploy the latest definition was extremely difficult.
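
Step 2 of the Sunbelt notice, run against a list of machines instead of one at a time, as an added example that is not part of the original post or Sunbelt's tooling. It assumes PowerShell remoting (WinRM) is enabled on the agents and a hypothetical `agents.txt` with one hostname per line; steps 1, 3 and 4 of the notice still happen in the VIPRE console.

```powershell
# Added example: stops the agent processes named in the Sunbelt notice (step 2)
# on many machines. Not Sunbelt tooling. Assumes WinRM remoting is enabled and
# that agents.txt (hypothetical name) lists one hostname per line.
param(
    [string]$HostList = '.\agents.txt',
    [int]$TimeoutSeconds = 30
)

# Image names from the notice, without ".exe" (the form Get-Process expects).
$agentProcesses = 'SBAMsvc', 'SBAMTray', 'sbamui', 'SBPIMSvc'

# A machine pegged at 100% CPU answers slowly or not at all, so cap the wait
# per host instead of letting one dead agent stall the whole run.
$timeoutMs = $TimeoutSeconds * 1000
$sessionOption = New-PSSessionOption -OpenTimeout $timeoutMs -OperationTimeout $timeoutMs

# Runs on the remote machine: stop whichever of the named processes exist and
# report, per process, whether the stop succeeded.
$stopAgent = {
    param($names)
    foreach ($p in Get-Process -Name $names -ErrorAction SilentlyContinue) {
        try {
            Stop-Process -Id $p.Id -Force -ErrorAction Stop
            "$($p.ProcessName): stopped"
        }
        catch {
            "$($p.ProcessName): $($_.Exception.Message)"
        }
    }
}

$results = foreach ($computer in Get-Content -Path $HostList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }          # skip blank lines in the list

    $invokeArgs = @{
        ComputerName  = $computer
        SessionOption = $sessionOption
        ScriptBlock   = $stopAgent
        ArgumentList  = (, $agentProcesses)   # pass the array as one argument
        ErrorAction   = 'Stop'                # make connection failures catchable
    }
    try {
        $outcome = Invoke-Command @invokeArgs
        [pscustomobject]@{
            Computer = $computer
            Status   = if ($outcome) { 'ProcessesFound' } else { 'NothingRunning' }
            Detail   = ($outcome -join '; ')
        }
    }
    catch {
        [pscustomobject]@{
            Computer = $computer
            Status   = 'Unreachable'
            Detail   = $_.Exception.Message
        }
    }
}

# Summary for the help desk, plus a list of hosts to retry or visit in person.
$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap
$results | Where-Object { $_.Status -eq 'Unreachable' } |
    ForEach-Object { $_.Computer } | Set-Content -Path '.\retry.txt'
```

Run it only after the Enterprise Server shows definition version 6275 (step 1), so that restarted agents pick up the fixed definitions rather than the ones that caused the loop.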

I would like to give kudos to my staff who wrestled with VIPRE for most of the morning and were eventually able to push out the newest definition files and resolve the issue for all of our clients.

On the other hand, I push back on Sunbelt and McAfee to realize the impact of releasing updates that are buggy and cause major network problems. These vendors have a responsibility to their customers to ensure that what is released is fully tested and bug free. These problems are not just a pain for IT staffs but have a major impact on medical practices, hospitals, financial institutions, universities and corporations around the world. It is easy to say in an email or press release that you will take steps to ensure that these incidents don’t occur again. What your customers really want are concrete plans that show you are serious about your efforts and are doing everything you can to prevent widespread outages like those that happened over the past few weeks.

Minimize security risks by keeping software up to date

It seems pretty obvious that if you keep your software updated you decrease the chances of incurring a security breach. Software updates include Operating Systems (Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008, etc.), Adobe Acrobat, Microsoft Office, Internet Explorer, Microsoft SQL Server, etc. By security breach I am referring to a virus attack, spyware or malware, or theft of data from your network by an external entity.

Microsoft published Version 8 of its Security Intelligence Report (SIR), which is a 250-page report on security.

Wolfgang Kandek, the CTO of Qualys, a maker of vulnerability scanning products, does a nice job summarizing some of the key points of the Microsoft SIR:

  • Running updated software decreases the attack surface and increases general robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg.33). Statistics on the OS level reveal that the newer versions of Windows are less likely to be infected by malware — Windows XP SP3 is more than five times better than the original Windows XP, and Windows 7 is another three times better than XP SP3 (pg. 85). In addition, 64-bit implementations add another layer of robustness.
  • Application attacks continue to increase. Adobe Reader attacks were used in 44 percent of the investigated cases, followed by an attack on a recent Internet Explorer vulnerability with 16 percent. The remaining 40 percent are divided by attacks on the OS and a variety of different software packages, including RealPlayer, Apple QuickTime, and AOL software (pg.26).
  • Attacks against Microsoft Office make use of older vulnerabilities and can easily be avoided by keeping the software suite up to date. By applying the respective service packs, users can avoid the majority of Office file format attacks (pg. 43).
  • While Windows 7 (and Vista SP2) are clearly much better than the older versions of Windows, there has been an uptake in the infection rate. Attackers are starting to focus their attention on Windows 7 as it becomes more widely deployed and it will be interesting to see how its performance develops.

It is clear that Microsoft believes that the more you patch and update your products, the lower your chances of experiencing a security breach or attack. If you are cynical and say that of course Microsoft wants you to upgrade your products because it makes them more money, I won’t argue with you.

    A best practice, and one you should follow as you implement the HIPAA Security Rule, is to perform a Risk Assessment that includes a vulnerability scan. The vulnerability scan will identify all the holes and vulnerabilities in your current software (Operating System, application software, network equipment, etc.). Once you get the results of the vulnerability scan, you will want to apply the appropriate software patches and/or upgrades to eliminate or minimize the risk of the vulnerabilities. Moving forward, you will want to adopt a software patching process that applies the latest patches that software vendors release. Microsoft offers a few free ways of keeping your software up to date.

    Once again, the more you keep your software updated, the less likely you will experience a security breach / attack.

    Gmail Ditched By Major University

    InformationWeek is reporting that University of California-Davis has decided to stop using Google Gmail over privacy concerns.  The University was engaged in a trial of the paid Gmail program for 30,000 of its faculty and staff members. 

    Some interesting quotes from the story:

    • Many faculty “expressed concerns that our campus’s commitment to protecting the privacy of their communications is not demonstrated by Google and that the appropriate safeguards are neither in place at this time nor planned for in the near future,” the letter said.

    • “Though there are different interpretations of these sections, the mere emergence of significant disagreement on these points undermines confidence in whether adopting Google’s Gmail service would be consistent with the policy,” the letter states.

    • The UC Davis IT leaders’ letter additionally stated that “outsourcing e-mail may not be in compliance with the University of California Electronic Communications Policy.” The policy forbids the university from disclosing or examining the contents of e-mails without the account holder’s consent, and from distributing e-mails to third parties.

    This could have major ramifications for Google if other universities, medical practices, legal practices and other professional service companies reach the same conclusion regarding the lack of privacy with Gmail.

    Encryption password written on CD cover

    In a story that makes you scratch your head, a CD with over 300,000 names of New Yorkers with developmental and other health issues has been missing for almost a month.

    “We have not been able to locate within our Early Intervention program unit one disc out of two discs that we received from New York City,” DOH spokeswoman Claudia Hutton said. “At this point, we have no reason to believe they’ve left the building.”

    The contents of the disk were encrypted but unfortunately the encryption password may have been written on the outside of the disk.

    Adding to concern is the fear that the disc’s password may be written on the outside, although Hutton said the disc is encrypted and could not be read without advanced technical skill.

    Hutton conceded that putting the password on the disc was not a good idea and amounted to “sloppy housekeeping.”

    They have been searching for the missing disk all over the building but still have not found it.

    Workers at the DOH first discovered the disc was missing around March 20 when they realized it wasn’t where it was supposed to be: in a locked cabinet inside a locked room, said Hutton, in response to a reporter’s inquiry.

    The two CDs had been sent by overnight delivery service from New York City and were logged in at Corning Tower.

    Once the DOH realized one of the discs was missing, security experts began a search, even instructing workers to sift through piles of papers and desk drawers.

    Hutton said the disc may have been accidentally shredded or may still be somewhere in the building. She said the New York City DOH was notified last week.

    They say there is no need to notify the patients of the breach, but the details seem sketchy.

    She said the DOH won’t have to notify people whose names are on the disc because it doesn’t contain diagnoses or other medical information that would be covered by federal privacy laws.

    Along with the names and addresses, the disc contains codes that relate to the services the individuals received, Hutton said.

    The main point to consider in this case is that if you have a CD, USB drive or laptop that is encrypted, DO NOT write the encryption password on the cover of the CD or place a sticky note on the drive or laptop. Encryption of data is considered secure and no breach notifications need to occur if the data is lost. But if you write the password on or near the encrypted data, you basically make the encryption useless. The data should then be treated as though there is no encryption at all.

    You can implement all the technology and take all the precautions to protect data, but in the end you are still only as secure as your staff allows you to be. If your staff takes security seriously and makes a valid effort to perform their jobs in a way that protects patient data, you will have a very good chance of keeping patient data secure. On the other hand, if your staff does not take patient data security seriously and takes shortcuts with security (e.g. writing encryption passwords on CDs), there is a good chance you will face a patient data breach in the future.

    Data breach of over 5,000 patient records

    It seems like almost every week there is another report of a breach of personal health information.  A story over at HealthLeaders Media reports that The Medical Center at Bowling Green is notifying 5,418 patients of a theft of a computer drive.  The drive contained personal health information including:

    patient’s full name, date of birth, address, medical record number, and physician name. Some patients’ records also include Social Security numbers, weight, height, and menopause age.

    In a statement posted on its website, The Medical Center at Bowling Green said this about the data:

    The information on the hard drive was not encrypted; however, the hard drive was maintained in a locked, non-public, private area.

    Of course, if the data had been encrypted, there would have been no need to notify anyone of the hard drive theft.

    The take-away is that every medical practice and medical facility has to start looking into and implementing data encryption.

    PHRs likely used when doctors recommend them

    An article over at the American Medical Association (AMA) states that patients are more likely to use Personal Health Records (PHRs) if the patient’s doctor recommends them.

    The California HealthCare Foundation commissioned a study in which researchers talked to people who use PHRs as well as people who don’t. Nonusers made up 89% of the 1,864 respondents (the rest didn’t know or refused to answer). The report, “Consumers and Health Information Technology: A National Survey,” found that the biggest barrier to PHR use is privacy concerns, cited by 75% of non-PHR users. Many respondents expressed fears that their medical information could be used against them by insurers or employers, both of which are pushing for PHR adoption.

    Meanwhile, 58% said they might be interested in a PHR from a hospital or physician with whom they already have a relationship. Fifty-two percent said they might be persuaded to use a PHR if a doctor said it was safe, while 50% said they would use a PHR if a friend or family member said it was safe.

    Patients had a higher trust level for PHRs that came from their provider or their doctor.

    What is interesting is that PHRs were defined in light of patient portals from physicians’ EMRs.

    Although PHRs have been defined as electronic filing cabinets to store personal health information, they are evolving into larger patient portals tethered to a physician’s electronic medical record system and offering benefits beyond data storage. Integrated PHRs allow patients to look up lab and test results, communicate with physicians electronically and request prescription refills online, and offer other convenience features that patients increasingly are demanding.

    Of respondents who use PHRs, 26% said they were using one offered by a physician. Another 51% said they were using one owned by their health plan. Only 4% used an employer-issued PHR.

    There seems to be mistrust of PHRs that are offered by employers.

    Colin Evans, CEO of Dossia, a PHR offered by a large employer consortium whose members include Wal-Mart Stores Inc., said he was not surprised that employer-sponsored PHRs were at the bottom of the list. “I think the question that tends to lead in people’s minds is who do they trust with their data,” he said.

    With an adoption rate of only 7% of all users, PHRs have a long way to go. It will be interesting to see which PHRs do the best: physician patient portals, employer-sponsored PHRs, insurer-sponsored PHRs, or PHRs from Google, Microsoft, etc.
