Archive for November, 2010

New spyware demands ransom

The anti-virus vendor Sophos has detailed a troubling new spyware attack.  The spyware, named Troj/Ransom-U, encrypts a user’s media and Microsoft Office files and then demands $120 to decrypt the files and restore access to them.  It also changes the user’s Windows desktop background to display the ransom note, which reads as follows:

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

This type of spyware has major implications for both home and workforce users.  For home users, imagine that all the pictures, music and MS Office documents stored on your hard drive are encrypted and can no longer be opened.  Unless you have backups, those files are gone; that could be years of photos and other media.  And my guess is that paying the $120 is not going to get your files back.

For home users there are a few things you can do to protect yourself against this type of spyware.

  1. Run an up to date anti-virus / anti-spyware product.
  2. Make sure its definitions are updated at least once a day.
  3. Back up your files automatically, to a USB drive or to an online backup service such as Mozy, Dropbox, or Windows Live Sync / Mesh.  One caveat: a sync service that simply mirrors a folder will sync the encrypted copies over the originals just as happily, so pick a service that keeps previous versions of files, or rotate a backup drive that is not left plugged in all the time.
  4. Keep up with vendor software updates such as Microsoft OS security updates, Adobe Flash, Adobe Acrobat, etc.

Ransom Implications

For workforce / office users this type of spyware has even more far reaching implications.  I don’t know the exact details of how this spyware works, but it is well within the realm of possibility that this version or a future one could encrypt not only the files on a user’s computer but also the files on every network share that user has access to.  Imagine that an organization’s Word and Excel files are all encrypted and inaccessible.  That could be years of data, now locked away and virtually useless.

But let’s take it a step further and imagine that the spyware also copies those files to a server the spyware author controls.  If you are a health organization or a financial services organization, those files may contain patient or customer information such as SSNs, credit card numbers, etc.  Now imagine you get an email or letter threatening to expose your patients’ or customers’ information unless you pay an even higher ransom.  As you can see, the implications become far more serious.

Some of the steps you can take to protect an organization are:

  1. Run multiple layers of anti-virus / anti-spyware (for example at the mail gateway, on the file servers and on the desktops).
  2. Keep the anti-virus / anti-spyware up to date, with definitions updated automatically.
  3. Limit employees’ access to network shares to what their job function requires, and remove access where it is not needed.  In other words, enforce least privilege on file shares: spyware running as a logged-in user can only encrypt what that user can write to.
  4. Give users home drives so they store their files on a network server rather than on their local computer.  That puts the files where they can be backed up automatically.
  5. Back up the data on all servers at least daily, and keep copies that an infected workstation cannot overwrite (offline media or server-side snapshots); a home drive that is encrypted and then faithfully backed up is no help.
  6. Patch your Windows servers and third-party software automatically.
  7. Educate your employees on the implications of spyware and how to avoid becoming a victim.
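The network-share scenario above is also something you can watch for, not just guard against: one account that deletes and rewrites dozens of documents on a share within a minute looks nothing like normal editing.  As an added example (not code from Sophos or from this post), here is a small Python heuristic that runs over file-server audit events and flags that pattern.  The one-event-per-line log format, the account names, the `.enc` extension and the thresholds are all constructed for illustration; a real audit export will need its own parser.

```python
"""Flag burst file activity on a network share.

Added example for this post, not code from Sophos or the original author.
The event format is constructed: one event per line,
"<epoch seconds> <user> <action> <path>", the kind of thing a file-server
audit log can be exported to.  Thresholds are assumptions; tune per site.
"""
from collections import defaultdict, deque
import ntpath

# Assumed thresholds: more than MAX_FILES distinct paths written, created or
# deleted by one account inside WINDOW_SECONDS is treated as suspicious.
WINDOW_SECONDS = 60
MAX_FILES = 20
# Extensions we care about losing; "encrypt, then delete the original"
# shows up as a burst of DELETEs on files like these.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                  ".pdf", ".jpg", ".mp3"}
WATCHED_ACTIONS = {"WRITE", "CREATE", "DELETE"}


def parse_event(line):
    """Parse one audit line into (ts, user, action, path); None if malformed."""
    parts = line.strip().split(" ", 3)   # path may itself contain spaces
    if len(parts) != 4:
        return None
    ts, user, action, path = parts
    try:
        return int(ts), user, action.upper(), path
    except ValueError:
        return None


def extension(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    return ntpath.splitext(path)[1].lower()


def find_bursts(lines, window=WINDOW_SECONDS, max_files=MAX_FILES):
    """Return {user: info} for each account that touches more than max_files
    distinct paths within any sliding window of `window` seconds.

    info = {"start": window start time, "files": distinct paths touched,
            "docs_deleted": distinct document files deleted in that window}
    Only the first burst per user is reported.  Lines are assumed to be in
    time order per user, as an exported audit log would be.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, action, path)
    alerts = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, user, action, path = event
        if action not in WATCHED_ACTIONS:
            continue
        window_events = recent[user]
        window_events.append((ts, action, path))
        # Drop events that have fallen out of the sliding window.
        while window_events and ts - window_events[0][0] > window:
            window_events.popleft()
        touched = {p for _, _, p in window_events}
        if len(touched) > max_files and user not in alerts:
            docs_deleted = {p for _, a, p in window_events
                            if a == "DELETE" and extension(p) in DOC_EXTENSIONS}
            alerts[user] = {"start": window_events[0][0],
                            "files": len(touched),
                            "docs_deleted": len(docs_deleted)}
    return alerts


def sample_log():
    """Constructed audit lines: alice edits five spreadsheets over ten minutes;
    bob deletes 25 documents and creates 25 '.enc' files (assumed name) in
    under 30 seconds, the pattern a share-encrypting infection would leave."""
    lines = [f"{1000 + i * 120} alice WRITE \\\\fs01\\shared\\budget{i}.xlsx"
             for i in range(5)]
    for i in range(25):
        lines.append(f"{2000 + i} bob DELETE \\\\fs01\\shared\\report{i}.docx")
        lines.append(f"{2000 + i} bob CREATE \\\\fs01\\shared\\report{i}.docx.enc")
    return lines


if __name__ == "__main__":
    for user, info in find_bursts(sample_log()).items():
        print(f"ALERT {user}: {info['files']} files touched starting at "
              f"t={info['start']}, {info['docs_deleted']} documents deleted")
```

Against the constructed log, alice never trips the threshold (her writes are two minutes apart, so the window never holds more than one), while bob is flagged eleven seconds into his burst with 21 distinct paths touched and 11 documents deleted.  The threshold is deliberately a count of distinct paths rather than raw events, so a user saving the same document repeatedly does not look like an outbreak; the `docs_deleted` count is there so an analyst can tell a bulk rename or cleanup job from a deletion of originals.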

Unfortunately this will not be the last we hear of this type of spyware.  The days of spyware merely slowing a computer down or popping up random shopping sites are over.  Today’s and tomorrow’s versions are much more menacing and have the potential to cause serious harm to users and organizations.  Practicing safe computing is more important than ever.


Quest Diagnostics launches the Care360 HD EHR for iPad

Quest Diagnostics released a native EHR for the iPad.  The demo video that they have makes it look very user friendly. Here are some facts that they have on their website:

  • Care360, the leading web-based electronic health record (EHR), accessible on desktops, laptops and the iPhone™, now comes with a native app for the iPad.
  • The app, developed by MedPlus, the healthcare IT subsidiary of Quest Diagnostics, is garnering praise for its intuitive interface, remarkable navigation ease, and support of patient engagement.
  • Designed with physician needs and workflow in mind, the Care360 HD interface helps physicians navigate easily while focusing on the patient.
  • Physicians are using the app throughout the day — on the go — to review a patient’s medication history, respond to medication renewal requests, write prescriptions and handle other clinical tasks. The longer battery life also minimizes time spent recharging or changing batteries.
  • Managing medications, reviewing and annotating lab results, and viewing trends through historical lab results is all easy through Care360’s native iPad app. Physicians are also viewing encounter notes, patient problems, comments and allergies, and accessing, adding or editing patient demographics.
  • Physicians had already embraced Care360 Mobile for the iPhone. Now, they have the flexibility to use Care360 with that same functionality on the iPad, with a thoughtfully designed iPad-native app.

I know the more I use my iPad the more impressed I am with it.  I can see this being a very interesting application.  And the nice thing would be to put a keyboard/dock in an exam room and easily enter information and use the touch screen at the same time.

What is even more interesting is that the Care360 EHR is a SaaS / hosted model accessed over the Internet.  So with a 3G iPad you can reach the EHR from anywhere, or load the app on your iPhone and always have access to your EHR no matter where you are.  The flip side is that patient information is then reachable from any lost or stolen device, so a device passcode, remote wipe and an application session timeout matter as much as the controls inside the hosted EHR itself.

This sounds like it has the potential to be a game changer.  If anyone has feedback or experience with the Care360 EHR or the iPhone or iPad app leave a comment and give your thoughts.


USB thumb drives should be viewed as a liability

USB thumb drives or flash drives should be viewed as a real liability.  Yes, they are convenient, yes, they make transferring data extremely easy, and yes, they are cheap.  But hidden under all those benefits is the reality that because they are so convenient and cheap it is too easy to put sensitive information on them, too easy to lose them, and too easy to end up with a reportable patient information breach when the lost drive was not encrypted.

In two recent cases the real liability of these flash drives surfaced.  The Department of Veterans Affairs announced that an employee brought in a personal USB thumb drive and copied information on 240 veterans and beneficiaries.  The drive was not encrypted and it was misplaced.

A VA employee had been using the personal thumb drive to store information on 240 veterans and beneficiaries in violation of VA policy, Baker says. The information included names, Social Security numbers, addresses and health data. Affected veterans are being offered free credit protection because the drive was inappropriately removed from the VA facility, Baker explains.

In another incident involving an unencrypted flash drive:

A psychiatric hospital in Louisville is notifying 24,600 patients about a breach involving the loss of an unencrypted flash drive.

So it is pretty easy to see how these drives can be a liability.  Here are a few thoughts on how to limit your exposure to it.

  1. Write a policy that employees are not to use personal USB flash drives.  State that only USB drives purchased by the organization may be used, and only with prior authorization (and say who has to authorize the use).  Put the policy in an email or a Word document, send it to everyone, and have them sign it and send it back to you.
  2. Purchase encrypted USB drives for employee use.  Encrypted drives cost more than unencrypted ones but are worth it, and they are easy to use: the user enters a password to unlock the drive before reading or writing data.  Choose drives that use hardware encryption, require the password every time the drive is plugged in, and lock or wipe after repeated failed attempts; the protection is only as strong as the password, so set a minimum length in the policy.  Encrypted drives can be bought at Amazon, Buy.com or other retailers.  I personally use an encrypted drive from Kanguru Solutions which works great.
  3. Use staff meetings to discuss the liability associated with flash drives.  Remind employees about the policy they signed, and keep educating and reminding them until being careful with these drives is ingrained.

If you take the above steps your liability will not go away but it is likely to be reduced significantly.  And once the liability is reduced you can go back to thinking how incredible these little drives are compared to floppy drives that were used in the past.


No one cares about HIPAA

There are a lot of people talking about HIPAA and patient information security.  There are a lot of companies that are selling products and services to help organizations comply with HIPAA and protect patient records.  But when it comes down to it, most medical practices just don’t care about HIPAA.  Now don’t get me wrong, it is not like they don’t care about patients and want to deliberately expose patient information.  That is clearly not the case.

The reality is that medical practices are overwhelmed.  They are either struggling to implement their EMR, trying to use their EMR in a meaningful way or just stuck in the decision process of purchasing an EMR.  On top of that they face declining revenues due to a struggling economy, looming Medicare cuts that will significantly impact their revenue and the uncertainty of healthcare reform.

When you add the cost and aggravation of trying to comply with the HIPAA Security Rule and implement the needed safeguards to protect patient information, it becomes too much.  On top of that, the technical detail of patient information security is beyond most people who are not security professionals.  Factor in that enforcement of the HIPAA regulations has been minimal and you come up with one thing:  no one cares about HIPAA.

We will sit back and watch as the HHS breach notification website continues to post the latest patient information breaches.  We will watch as more and more patients have their information exposed and privacy violated.  Maybe then the government will start to enforce the regulations that were put in place to protect patients.  And maybe then people will care about HIPAA but right now, they just don’t.


Ponemon study is eye opening

A study by the Ponemon Institute (registration required) shed some much needed light on the current state of patient information security.  There is so much valuable information in it that I urge you to read the full report.  I will pull out some of the most interesting pieces and summarize them here.

Protecting patient data is not a priority. Seventy percent of hospitals say that protecting patient data is not a top priority. The majority of responding organizations have less than two staff dedicated to data protection management (67 percent). Most at risk is patient billing information and medical records, which is not being protected. In addition, patients are typically first to detect a significant number of breaches at healthcare organizations (41 percent). This finding suggests that patient data is being unknowingly exposed until the patients themselves detect the breach. Healthcare organizations’ inability to prevent or detect patient data loss is putting patients at greater risk of medical identity theft, financial identity theft and having their personal health facts disclosed.
The number that caught my attention is that in 41% of breaches the patient was the first to detect it.  This tells me that the organizations don’t know they have had a breach and are not actively monitoring for one.
Federal regulations have not improved the safety of patient records. The passage of the HITECH Act widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data. Despite the intent of these rules, the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.
I don’t think this statement is shocking to anyone.  Not until there is real enforcement of the current HIPAA and HITECH regulations will there be a change in how patient records are managed.  Without the threat of enforcement, health organizations are just not that concerned with protecting patient data.
The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations either did not notify any patients (38 percent) or notified everyone (34 percent) that their information was lost or stolen.
38% did not notify a single patient.  Again, if there were real enforcement, with the threat of a “willful neglect” finding and the steep fines that go with it, I am not sure breaches would be ignored like this.
Very few respondents (15 percent) believe the breach had no negative impact on their organizations. Most respondents believe they have suffered brand or reputation diminishment (81 percent) followed by time and productivity loss (80 percent) and loss of patient goodwill (77 percent). The least negative results are lawsuits (23 percent) and poor employee morale (18 percent).
When I talk to health organizations, most think about the HIPAA fines for non-compliance but few think about the other negative impacts of a data breach.  Data breaches have huge financial impacts, not from government fines but from the loss of patients and the associated revenue.  81% of the respondents said they suffered brand or reputation damage, and 77% reported a loss of patient goodwill.  Take those two numbers together and you have a significant loss of revenue.  The report goes on to put some financial numbers around this concept:
As mentioned above, the most negative result of a data breach is brand or reputation diminishment; related to this is the loss of patient goodwill. The potential result is patient churn. According to Bar Chart 16, 29 percent of respondents see the lifetime value between $10,001 and $50,000. The extrapolated average lifetime value of one lost patient (customer) is $107,580.
Ponemon Institute’s 2009 Annual Study: Cost of a Data Breach calculates the abnormal customer/patient churn rate for the healthcare industry as six percent. When this churn rate is applied to the average number of data breach incidents experienced by survey participants over two years (2.4), the average number of lost or stolen records per breach (1,769) and percent that were fully notified (34 percent), the result is 87 patients lost to churn. The loss of 87 patients implies that organizations lose over $9 million to patient churn just from data breach incidents experienced over a two-year period.
The estimated revenue loss is pretty shocking.  And the reality is that a lot of these breaches can be avoided with basic security measures that don’t require a large budget.
The following table shows some very interesting statistics:
Table 1: Attributes that describe the information security environment in healthcare organizations in descending order of confidence. Very confident & Confident response*
Comply with legal requirements and policies including privacy laws and statutes (i.e., HIPAA) 85%
Enforce corporate policies, including the termination of employees or contractors who pose a serious insider threat 72%
Training and awareness program for all system users 71%
Have standard agreements with business associates that clearly explain the requirements for data protection 66%
Ensure minimal downtime or disruptions to systems resulting from security problems 65%
Conform with leading self-regulatory requirements such as ISO, NIST, HITRUST and others 61%
Prevent or curtail viruses and malware infections 56%
Attract and retain high quality IT security personnel 55%
Perform timely updates for all major security patches 53%
Security program administration is consistently managed 52%
Secure endpoints to the network 51%
Secure patient data in motion 47%
Know where patient information is physically located 47%
Identify system end-users before granting access rights to patient information 45%
Conduct independent audits of the system 45%
Secure patient data at rest 42%
Control all live data used in systems development activities 39%
Prevent or curtail cyber attacks 39%
Prevent or curtail cyber attacks that attempt to acquire patient information 37%
Identify major data breaches involving patient information 32%
Prevent or curtail major data breaches involving patient information 31%
Determine the root causes of major data breaches involving patient information 30%
Protect patient information used by business associates 29%
Limit physical access to data storage devices containing patient information 23%
Demonstrate the economic value or other tangible benefits of the company’s security program 17%
Protect patient information used by outsourcers including cloud computing vendors 10%
Let’s look at just a few of the more concerning statistics (each is the share of respondents who were not confident in the corresponding attribute):
  • 53% are not confident they know where patient information is physically located.  How can you protect patient information if you don’t know where it even is!?
  • 29% are not confident they have a training and awareness program for all system users.
  • 68% are not confident they could identify a major data breach involving patient information.
  • 47% are not confident they apply major security patches on time.
  • 90% are not confident they can protect patient information used by outsourcers, including cloud computing vendors.

There is so much more in the report and I urge you to take a look at it.  But just from the information above you can tell that health organizations have to do MUCH more to protect patient information.

For an excellent slideshow that summarizes the results of the Ponemon study graphically click here.