Hi, I'm Mike.
Once upon a time, there was a theory that Macau would be playing host to fewer VIP billionaires and become a hub for meetings, incentives, conferences, and exhibitions (MICE). This was part of Macau’s overall strategy for diversification, a goal pushed by Beijing and shared by the local populace. These business tourists would augment the new middle class families coming for entertainment as much as baccarat. I bought into this theory for a few reasons.
Unfortunately, as the chart shows, visitors to exhibitions fell along with VIP revenue from 2014 to 2016. The Macau government database hasn’t been updated with any 2017 data yet, but we know that VIP revenue has finally posted a quarter of growth. It will be interesting to see whether the number of Macau exhibition visitors will grow as well.
How to Anticipate Cyber Surprises "Technology necessary for a robust cybersecurity program already exists in most organizations. The missing piece — strong governance — is the key to putting internal policies into practice and maximizing the effectiveness of existing technology." "The first step is to make sure off-site backups are kept up to date. Automatic notifications should alert the security team at preset intervals, reminding them to verify that data is fully backed up at an off-site location. It’s critical to use a risk-based approach to prioritize which data needs monitoring and testing." "Business continuity and disaster recovery (BC/DR) plans, much like data backups, must be tested (and optimized) at regular intervals."
SEC Picks Up the Pace of Cyber Attacks Enforcement "Citing an interview with the U.S. Securities and Exchange Commission (SEC), Steven Peikin, along with Stephanie Avakian, were appointed new co-directors of enforcement. Reuters reported the two are very concerned with cyberattacks on brokerage firms. “The greatest threat to our markets right now is the cyber threat,” said Peikin in the exclusive interview. “That crosses not just this building, but all over the country.”"
AI Takes a Seat in the Boardroom as Execs Turn to Automated Cyber Defences "Four in five (81%) executives report implementing automated security solutions" and "in Radware’s security industry survey, 98% of security professionals globally reported experiencing at least one attack in 2016." Executives identified negative customer experience (39%) as the biggest impact of a cyber-attack, with brand reputation loss (36%) and revenue loss (34%) close behind. Furthermore, 56% of European executives estimate that cyber-attacks cost their businesses between £500,000 and £10m (compared to 40% in the US). The number of UK executives who reported experiencing a ransom attack almost doubled, from 12% last year to 23% in 2017.
SOMEONE FAILED TO CONTAIN WANNACRY The theory is that the North Korean agency responsible for WannaCry was just testing it and then it started to spread. Security experts believe that, had it been an intentional attack, it would have been more sophisticated.
Stephanie Snyder, U.S. cyber sales lead, Aon, said more than 70 carriers now offer cyber coverage, but there are few consistencies among them regarding coverage triggers, definitions, exclusions . . . Wow, 70 carriers. That's a lot of options. I wonder if they have geographic restrictions on the companies they will offer to.
Database of Over 198 Million U.S. Voters Left Exposed On Unsecured Server This blunder was caused by Deep Root Analytics (DRA), a data analytics firm employed by the US Republican National Committee (RNC), who "mistakenly" left sensitive personal details of more than 198 million US voters exposed on an unsecured Amazon S3 server. Chris Vickery, a security researcher at UpGuard, who discovered the exposed database, said anyone could have downloaded more than a terabyte of files containing voters' data, without the need for any password, from the Amazon S3 server maintained by DRA.
Web Hosting Provider Pays $1 Million to Ransomware Attackers South Korean web hosting company Nayana agreed to pay $1 million in Bitcoin after a ransomware attack hit 153 Linux servers. The attack took place June 10 and resulted in over 3,400 business websites the company hosts being encrypted. According to Nayana’s initial announcement, the attacker demanded 550 Bitcoins (over $1.6 million) to decrypt the infected files. Following negotiations, they lowered the ransom demand to 397.6 Bitcoins (around $1.01 million). The company’s website also uses Apache version 1.3.36 and PHP version 5.1.4, both released in 2006 and known to include vulnerabilities. Most likely, the vulnerable Linux installation was used as an entry point to run the Erebus ransomware on Nayana’s systems. The Apache version that Nayana uses runs as the user nobody (uid=99), and “a local exploit may have also been used in the attack,” the researchers say. The malware was built specifically to target and encrypt web servers and the data stored in them.
Nigerian Hackers Lift Reams of Info from Global Industrial Targets There have been more than 500 attacked companies in more than 50 countries so far—and most are industrial enterprises and large transportation and logistics corporations. The emails used in such attacks are made to look as legitimate as possible so that the employees who receive them open the accompanying malicious attachments without giving them much thought. The emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached. “It is worth noting that a complete set of malware for carrying out this type of attack usually costs no more than $200.” The most common pathology for the attack results in criminals redirecting legitimate business transfers of money or payments into their own accounts. “They intercept the email with the seller’s invoice and forward it to the buyer after replacing the seller’s account details with the details of an account belonging to the attackers.” The company making a purchase not only loses money but also fails to receive the goods they need on time.
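The invoice swap described above, from the buyer's side, as an added defender's check that is not from the original post or the report it summarizes: the vendor record, invoice fields and domains are constructed, and the two signals tested are the ones the article names (payment details that differ from those on file, and a sender or Reply-To domain that merely resembles the supplier's).

```python
"""Check an incoming supplier invoice against the vendor record on file.

Added example, not from the original post. Everything below (vendor, invoice,
domains, account numbers) is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    domain: str   # domain the supplier legitimately mails from
    iban: str     # payment details held on file, agreed out of band


@dataclass
class Invoice:
    sender: str   # From: address of the invoice e-mail
    reply_to: str # Reply-To: address, empty string if the header is absent
    iban: str     # payment details printed on the attached invoice
    amount: float


def _domain(addr: str) -> str:
    """Part after the last '@', lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def _norm_iban(iban: str) -> str:
    """Ignore spacing and case so a reformatted but identical account matches."""
    return iban.replace(" ", "").upper()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one- or two-character change marks a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, reference: str) -> bool:
    """True when domain is not the reference but is within two edits of it."""
    return domain != reference and levenshtein(domain, reference) <= 2


def check_invoice(vendor: Vendor, inv: Invoice) -> list:
    """Return the findings for one invoice, in a fixed order."""
    findings = []
    # Signal 1: the account on the invoice differs from the account on file.
    if _norm_iban(inv.iban) != _norm_iban(vendor.iban):
        findings.append("ACCOUNT_CHANGED")
    # Signal 2: From or Reply-To points somewhere other than the supplier.
    for label, addr in (("FROM", inv.sender), ("REPLY_TO", inv.reply_to)):
        if not addr:
            continue
        d = _domain(addr)
        if d == vendor.domain:
            continue
        kind = "LOOKALIKE_DOMAIN" if lookalike(d, vendor.domain) else "FOREIGN_DOMAIN"
        findings.append(f"{label}_{kind}:{d}")
    return findings


def decision(findings: list) -> str:
    """Policy: any change of payment details is held until confirmed by phone
    with the contact already on file, never through the e-mail thread itself."""
    return "HOLD_FOR_CALLBACK" if "ACCOUNT_CHANGED" in findings else "RELEASE"


# Constructed sample data.
VENDOR = Vendor("Acme Bearings", "acme-bearings.example",
                "DE89 3704 0044 0532 0130 00")
# Genuine invoice: same domain, same account (only the spacing differs).
LEGIT_INVOICE = Invoice("billing@acme-bearings.example", "",
                        "DE89370400440532013000", 12400.00)
# Tampered invoice: From looks right, Reply-To swaps 'i' for 'l', account replaced.
SUSPECT_INVOICE = Invoice("billing@acme-bearings.example",
                          "billing@acme-bearlngs.example",
                          "LT12 1000 0111 0100 1000", 12400.00)

if __name__ == "__main__":
    for label, inv in (("legit", LEGIT_INVOICE), ("suspect", SUSPECT_INVOICE)):
        f = check_invoice(VENDOR, inv)
        print(label, f, decision(f))
```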
Minnesota Updates on Intrastate Crowdfunding In Minnesota, by meeting the requirements of the MNvest rules, companies may raise capital within Minnesota state borders after making a notice filing, paying a $300 fee, and waiting ten days before creating an offering. Both non-accredited and accredited investors may participate, with non-accreds capped at $10,000 per offering. Accreds have no such limit. Issuers may raise up to $2 million with reviewed financial statements. If you keep it under $1 million you may prepare financial statements internally, thus avoiding an additional cost. All offerings must be sold through a registered portal and are only available to Minnesota residents. Companies must generate 80% of gross revenue in the state to qualify. According to MNvest, this is the status of crowdfunding in the state after 6 months:
Three registered funding portals
7 campaigns, with 3 successfully funded
Over $300,000 raised for Minnesota-based companies
MNvest says there is more on the way.
These New Cyber-Weapons Could Topple Power Grids
Cybereason Gets $100M to Fend Off Cyber Attacks: and Competitors
"Cybereason’s approach stands out for its “offensive mindset,” as Div says, and its emphasis on understanding hackers’ intent and trying to “hunt them” inside a computer system. (The underlying technology includes statistical models of organizations and sophisticated efforts to detect and stop anomalous behavior by users or intruders.)
“Our promise is that we know how to… evolve faster than the hackers,” Div says."
Selling Your Data? Here’s What You Need To Know
"There are some limitations to what you can sell, however, particularly with GDPR going into effect next year and other regulatory constraints. “Privacy is a concern, and you might think twice about selling it if you’ve promised not to,” she says. “WhatsApp’s flip-flop on customer data left users feeling betrayed.”"
There are multiple ways to sell the data. “If you’re selling data you might sell through a data broker, a curated marketplace or a self-service marketplace,” Belissent says. “Companies like Exapik bring brokers data deals, and Quandl helps prepare the data and provide a marketplace. But selling data requires a data- and development-savvy target market and that means slower time to value.”
Does Machine Learning Have a Future Role in Cyber Security?
Former Symantec CTO Amit Mital has claimed that cybersecurity is “basically broken” and machine learning is one of the few ‘beacons of hope.’
“In recent months some major companies have acquired machine learning capabilities. For example, Sophos acquired Invincea, Radware bought Seculert and Hewlett Packard bought Niara. This may be a sign that at least some major organisations see ML and big data capability as an important asset for the future.”
“Some recent developments and improvements in cyber security machine learning include a joint effort by MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and an ML startup called PatternEx. The result of this effort is AI2, a system that delivers a detection rate of 85%, with a fivefold decrease in false positives.”
Security Awareness Programs Need Full-Time Staff
The number of full-time employees devoted to security awareness programs, and their ability to effectively communicate to and engage with employees, are the two main reasons why security awareness programs either thrive or fail, says a new report.
Digital organizations face a huge cybersecurity skills gap
First, the trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues.
Second, certain companies may not know what to look for in a professional.
Third, when skilled professionals are hired, they can often be overworked to the point where they don’t have the time to keep up with the latest developments in the field — and even in their own security tools.
According to the Information Audit and Control Association (IACA), about a quarter of all cybersecurity positions are left unfilled for about six months.
Canada’s CSE warns of cyber attacks against the 2019 election
The hackers targeted candidates and spread disinformation and propaganda in order to influence the vote. According to the CSE, the “low sophistication” attacks “did not impact the outcome of the election.”
U.S. Firms Issue Principles for Cyber Risk Ratings Used by Insurers "Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability." "The move comes in response to the emergence of such startups as BitSight Technologies, RiskRecon and SecurityScorecard that collect and analyze large swaths of data to rate companies on cyber security."
South Korea: Govt to promote cyber insurance "The Ministry is planning to link insurers with information security service providers and provide incentives to policyholders. Discounts on insurance premiums for those participating in an information security management system are being mentioned, although it is a matter to be determined by each insurance company."
Cyber Insurance Premium Volume Grew 35% to $1.3 Billion in 2016 "The largest cyber insurance writers are American International Group, XL Group and Chubb, according to the reports. These companies had a combined market share of approximately 40 percent at year-end 2016. The top 15 writers of cyber held approximately 83 percent of the market in 2016. Completing the top 10 writers of cyber ranked by direct premium written are: Travelers, Beazley, CNA, Liberty Mutual, BCS Insurance (owned by Blue Cross licensees), AXIS Insurance Group and Allied World. Two carriers made big gains in cyber in 2016: Markel Corp. went from #116 in 2015 to #16 and Starr International Group rose to #18 from #110 in 2015. These statements likely underestimate the industry’s cyber premium exposure due to challenges in breaking out cyber-related premium from other coverages in multi-line coverage products." "In its report, A.M. Best noted how the top cyber insurance writers have shifted their writings to standalone policies and away from packaged policies by nearly a 70-30 split on the $1.3 billion of total direct premiums written in 2016."
5.5 Million Devices Operating with WannaCry Port Open Last week, security firm Rapid7 issued its annual National Exposure Index report, the result of scans of over 3 billion IP-addressable, public internet devices, checking for exposed services on 30 different ports. It found 160 million devices with open ports that generally shouldn’t be exposed to the internet. For the file-sharing SMB port 445, the port associated with WannaCry, it found 5.5 million devices operating with the port exposed. About 800,000 of those were on Windows systems — meaning they’re directly vulnerable to the cryptoworm that targets Windows machines.
What Not to Do After a Data Breach "Unfortunately, if you hadn’t previously developed a strategy, then whatever hasty decisions you make after an attack could worsen the situation." "Key contacts should be mapped out ahead of time and stored digitally. It should also be available in hard copy in case of a catastrophic breach." "Isolate the affected system and eradicate the cause of the breach to ensure your system is out of danger." "If you determine that a breach has indeed occurred following your internal investigation, bring in third-party expertise to help handle and mitigate the fallout." "You may want to look into hiring a public relations team to help control the messaging behind your response." "You’ll want to be as accurate and honest as possible when addressing the public. This is beneficial to your brand, but it’s also beneficial to how much money you’ll recoup from your cyber-insurance policy." "When users hear about a breach from a third party, it immediately erodes hard-won trust." “Be sure to also interview anyone involved and carefully document their responses,” he continued. “Creating detailed reports with disk images, as well as details on who, what, where, and when the incident occurred, will help you implement any new or missing risk mitigation or data protection measures.”
Experts Debate: Is Big Data a Boon or Risk for Actuaries? "One of the biggest issues with big data is validation. Data is often aggregated from sources where it can be difficult to assess the reliability. A growing number of actuaries use data from social media, where it can be difficult to authenticate." "Banthorpe predicts that the FTC and other regulators are expected to roll out new regulations in the future. This is a risk for actuaries, because they may need to revise their models in the future if they lose access to certain data that has become instrumental to their models." "Many actuaries worry that the algorithms behind big data may not be properly set up."
FBI report: Minnesotans reported losing $12.6 million to cybercrime in 2016 "just 15 percent of victims report their cases to the authorities." Victims 60 or older were the most common and reported losing the most last year. The extradition to Minnesota this month of Peteris Sahurovs, a 28-year-old Latvian man, illustrates the far-flung nature of the frauds, making for long investigations. A grand jury in Minnesota indicted Sahurovs in 2011 for allegedly defrauding victims of more than $2 million in a "scareware" scheme that involved posing as a fictitious hotel chain and running ads on the Star Tribune's website. The scam infected consumers' devices with malware that required visitors to buy $50 antivirus software to regain control of their computers.
How the SEC uses machine learning to assess risk "Fraud, for example, is what social scientists call a latent variable. You don’t see it until it’s found. So, it is more challenging for machine learning algorithms to make accurate predictions of possible fraud than shopping decisions." "Topic modeling and other cluster analysis techniques are producing groups of “like” documents and disclosures that identify both common and outlier behaviors among market participants. These analyses can quickly and easily identify latent trends in large amounts of unstructured financial information, some of which may warrant further scrutiny by our enforcement or examination staff." "More broadly, we use unsupervised algorithms to detect patterns and anomalies in the data, using nothing but the data, and then use supervised learning algorithms that allow us to inject our knowledge into the process; that is, supervised learning “maps” the found patterns to specific, user-defined labels. From a fraud detection perspective, these successive algorithms can be applied to new data as it is generated, for example from new SEC filings. When new data arrives, the trained “machine” predicts the current likelihood of possible fraud on the basis of what it learned constituted possible fraud from past data." "The results are impressive. Back-testing analyses show that the algorithms are five times better than random at identifying language in investment adviser regulatory filings that could merit a referral to enforcement. But the results can also generate false positives or, more colloquially, false alarms." "But given the demonstrated ability of these machine learning algorithms to guide staff to high risk areas, they are becoming an increasingly important factor in the prioritization of examinations. This enables the deployment of limited resources to areas of the market that are most susceptible to possible violative conduct."
"market exchanges will begin reporting all of their transactions through the Consolidated Audit Trail system, also known as CAT, starting in November of this year. Broker-dealers will follow with their orders and transactions over the subsequent 2 years. This will result in data about market transactions on an unprecedented scale." "One example is the Option Pricing Reporting Authority data, or OPRA data. To help you grasp the size of the OPRA dataset, one day’s worth of OPRA data is roughly two terabytes. To illustrate the size of just one terabyte, think of 250 million, double-sided, single-spaced, printed pages. Hence, in this one dataset, we currently process the equivalent of 500 million documents each and every day. And we reduce this information into more usable pieces of information, including market quality and pricing statistics."
Ransomware Attack Affects 500,000 Patients In its statement, the company says the incident "was a highly sophisticated attack, which we believe may have been carried out from an offshore location." The company did not reveal in its statement how much of a ransom was demanded by the attackers or whether it had paid the extortionists.
Get Hacked and Your Cybersecurity Company May Pay "SentinelOne offers a warranty that puts the company on the hook for up to $1,000,000 if the customer falls victim to a ransomware attack, in which hackers break in and encrypt data before demanding a ransom to unlock it. Other cybersecurity startups, as well as big players like Symantec and McAfee, now similarly promise to pay up if their product or service fails." "In evaluating these risks, cybersecurity firms have an advantage over traditional insurance companies, because they have crucial data that can only come from analyzing real events like the data breaches they themselves have experienced."
http://www.databreachtoday.com/when-ransomware-strikes-twice-or-impacts-emergency-services-a-10093 Walnut Place, a Dallas-based provider of rehabilitation, skilled nursing and assisted living services, says that it was hit in May with a second ransomware attack while it was still investigating an earlier ransomware attack that was remediated in February.
Next global cyber attack could cost insurers $2.5 billion “It would only need a combination of WannaCry’s wide reach and Petya’s destructive force to cost cyber insurers something like $2.5 billion, or a full year of gross premium income in the market.” Those events didn’t result in meaningful insurance claims because they didn’t affect many companies in the U.S., where currently more than 90 percent of the cyber insurance market is located, Newman said. Reckitt Benckiser Group Plc cut its full-year sales forecast on Thursday after a global cyberattack last month disrupted manufacturing and distribution for the maker of Air Wick fresheners and Dettol cleaners. CFC underwrites approximately $100 million of cyber-insurance premiums, making it one of Europe’s biggest sellers of the product, and has sold the coverage since 2000. As a Lloyd’s of London-backed managing general agent, the company underwrites on behalf of other insurers. The global market for cyber insurance grew to about $3.4 billion in premiums last year and could rise to between $8.5 billion and $10 billion by 2020, reinsurer Munich Re estimates. CFC saw its premiums in the market climb by more than 60 percent last year and Newman expects to match that this year. Thomas Seidl, an analyst at Sanford C. Bernstein in London: “Everybody has exposure to cyber risks and the best precaution can’t eliminate that, so there is a strong demand for insurance making cyber coverage by far the biggest opportunity for non-life insurers for the next years.” Low claims, combined with more companies entering the market, mean that prices for cyber coverage have been falling globally. They are down about 10 percent in the U.S. and about 20 percent in the international market this year, according to CFC’s Newman. Link via businessinsurance.com
Australia: Reinsurance pool eyes cyber terrorism cover Cyber terrorism will be on the agenda of the government terrorism reinsurance agency, the Australian Reinsurance Pool Corporation (ARPC), as part of its tri-annual review. Dr Chris Wallace, CEO of ARPC, told The Australian that the next review, due in late 2018, should consider extending coverage to cyber terrorism.
The Bank of England's Prudential Regulation Authority has issued a supervisory statement on cyber insurance underwriting risk. This supervisory statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of firms regarding cyber insurance underwriting risk.
What mission control will look like at the hospital of the future "The 4,500-square-foot center will feature GE Analytic Tiles using artificial intelligence, predictive analytics and thoughtful design to target improved clinical, operational and patient outcomes..." There is a fixed bedside monitor at the head of every bed, which once the patient's vitals are taken and checked by the nurse, automatically sends them to the patient's electronic chart. If there are abnormal results or abnormal cardiac monitoring results and a certain level of concern, other members of the team including the physician can automatically see the results. Wearable technologies are going to allow providers to send patients home sooner and avoid ER visits. In the next year, we will look to increasing the use of wearable devices for patients who return home but need to continue care.
How hospitals can shore up cybersecurity on a 'skinny' budget Providers should look toward vendors with a healthcare focus that are able to provide the necessary security evaluations. “In healthcare specifically, there are certain things the systems need to be able to run properly: the EHR needs certain things to run and medical devices need to be certified, among others. Healthcare needs a security person who understands these unique needs.” All hospitals need to assign a group of people on site who are the security glue that holds the organization together. Lovejoy said these employees -- although not necessarily fully designated security staff -- can manage and implement security needs, while measuring outcomes.
eClinicalWorks Lawsuit Leads to EHR Replacement for Few Users A new KLAS report surveying customer reactions to the eClinicalWorks $155 million settlement with the Department of Justice (DOJ) found that only 4 percent of customers plan to find a replacement EHR as a result of the settlement. The lawsuit settled allegations that eClinicalWorks had made false claims regarding the certification of its EHR technology and paid some customers kickbacks in return for positive product promotion. Thirty-five percent are keeping eClinicalWorks and report being satisfied with the technology, while 24 percent said they intend to replace eClinicalWorks due to reasons other than the settlement. Some believe eClinicalWorks is just the first vendor to get caught.
How Electronic Health Records Degrade Care and Endanger Patients Many of the decisions about how to organize the medical record, how to format the document, and what data to include or exclude arise from the need to use the record as the support for and documentation of “billable events” during the hospital stay. "While clinicians each have their tailored checklists, there is a mind-numbing amount of repetition and overlap. This wastes time and results in a bloated, redundant record." "The most dangerous of the checklists are the order sets. These are a list of self-contained orders for all aspects of a patient’s care, from diet and activity to medications and invasive procedures. These expanded order sets can be initiated by the physician with a single click of the mouse." The surgeon, the internist, various consultants and the pain management physician are all likely to be using a “single click” order set. There are few safeguards to identify overlapping or inconsistent and incompatible orders, and this poses a real danger for the patient. More data equals more billing, pure and simple. The carry forward is a trivially technologically easy version of “cut and paste,” and it is used by clinicians for the same reason as auto-fill – easy documentation, less time spent, more billing available. There must now be documentation in the EHR about smoking cessation, potential for elder abuse, vaccination status, use of seat belts, use of child safety seats and a variety of other issues. Although the inclusion of these global safety and care concerns is laudable, the medical record has become bloated with repetitive, inappropriately placed mandatory documentation of these often peripheral and distracting subjects.
When I reviewed the emergency room record of the patient I had brought in for fainting and low blood pressure, I saw that the first two pages had no reference to the reason for her admission, but had entries about vaccination status, the name and phone number of her outpatient pharmacy, the use of seat belts, the query about abuse in the home, a smoking cessation notation, the placement of the IV, including a standard description of the sterile technique used, a description of her living arrangements and the names and phone numbers of her emergency contact and her physicians. The clinician is likely to lack the mental stamina to wade through the document. The much-touted “safety” features of the EHR are themselves often so ubiquitous and distracting that they lose their efficacy. Hospitals and physician practices select among and contract with competing EHR companies, and the patient finds himself in the center of a system of non-communicating silos. A large part of the increase in participants in the healthcare industry is due to the dramatic increase in federal, state, and local health care bureaucrats as well as the increases in hospital administrators, auditors, plan administrators and other non-clinical participants.
How to Fix the EHR Mess In 2011, the Obama administration attempted to rectify this situation. This proved to be an even bigger mistake. Government bureaucrats assumed that high cost and resistance to change were the problem. They rolled out the “Meaningful Use” (MU) program, which for two years was voluntary, but by 2013, carried penalties for those who did not participate. The program offered $44,000, spread over five years, for physicians who used EHRs certified according to MU standards, and who used those EHRs (and reported data to prove compliance) according to complicated MU criteria. The combination of monetary incentives and penalties pushed physicians to purchase EHRs in great numbers. And both EHR companies and users became obsessed with MU beyond almost anything else. That was because, number one, compliance was very difficult. Stage 1 of the MU program comprised 25 standards, which were a lot. And further, proving compliance, registering and reporting the data required by the MU program, created an entirely new layer of work. And number two, EHRs still didn’t work very well. They remained unusable, meaning that they made it harder to perform and document the basic work of caring for patients. So, today many physicians use unwieldy software, and spend an inordinate amount of time attempting to comply with an unwieldy MU program. And most physicians will tell you that Stage 2 of MU, which the government rolled out far too quickly, made things even worse.
This EHR Mess We’re In
Security concerns with current EHRs are based on the idea that a system containing more than one patient will create a “honey pot” of data. Imagine that you are a malicious hacker who wants to get data (social security numbers, demographics, medical diagnoses, etc.). The chance that the hacker can break into a system without having to do it multiple times and on multiple systems is much less when they are trying to hack a central server with multiple patient records. They only have to crack the code once to get maybe a million records. It’s like robbing a bank versus robbing a home. Imagine each patient having their own electronic data container that contains data for only one person (hence HIE of One) and that belongs to him or her and not to anyone else, unless they designate an individual to control it. Let’s also imagine that these data containers can talk to each other (this is called a distributed network, such as peer-to-peer) and to other entities (hospitals, government, corporations, FitBit, health device companies, you name it), but only at the behest of the patient. Imagine that approved physicians can access, add to, and update their patient’s data container (which is a single-patient EHR, NOSH ChartingSystem) at any time, regardless of whether the patient is physically there (so it’s not a physical device carried around by the patient, like a USB key, because, you know, sometimes people don’t carry things with them all the time, especially if they are seriously hurt, unconscious, etc.). Imagine this data container being similar to a health journal that a patient would carry around with them and have the physician jot down and update their medication list, allergies, problem lists, immunizations and medical history: a running list that is up to date, not in dispute, and that the patient can verify. What makes HIE of One coupled with NOSH ChartingSystem unique?
It addresses the issue of patient privacy and gives control back to the patient over the sharing of his or her protected health information with others. Insurance companies ... no longer have to be liable for security breaches each time a nefarious hacker or Big Brother goes after their data.
Healthcare executives are investing heavily in cybersecurity technology—analysts worry that approach is shortsighted
Although cybersecurity spending is a priority given the increasing percentage of organizations that experienced an attack in the last two years, most of that money is going toward new technology, including software, firewalls and encryption. Nearly 8 in 10 respondents said they plan to increase investments in technology and 82% said investments would go toward stronger policies around access to data. Staffing ranked dead last among planned investments. Just 24% indicated they were investing in hiring and training staff.
Cyber Insurance Rates to Rise – What Should I Do?
44% of respondents (insurance brokers) report that their clients are increasing their coverage, while none report any client decreasing coverage. The average policy covers about $6 million, up from $3 million in last fall’s survey. Growth is fastest among small-to-medium enterprises, as they become increasingly aware of the real cyber threat. Three brokers noted that they each had clients seeking $600 million limits. The largest reported last fall was $500 million. Once an organization decides to purchase cyber insurance, it can lower the premium significantly by having a strong information security program. Show how the organization uses active monitoring to detect and respond to cyber incursions rapidly. While accumulating logs and analyzing them will find problems, the sooner this happens the better. Demonstrate an effective, regularly tested business continuity program. Having backups can eliminate the problem of ransomware corrupting operational files. Having a working, effective disaster recovery plan can reduce the cost of business interruption insurance. Share regular audit results showing that the organization’s policy, procedures and technology work together within a context of employee awareness.
Wait! What? Amazon and Apple eye building EHRs
Amazon is reportedly considering developing an EHR platform as well as telemedicine and health apps for existing devices, such as its Echo. Apple, for its part, already has a big toe in the healthcare market with its HealthKit and ResearchKit apps, Apple Watch, and work with Health Gorilla to add diagnostic data to the iPhone, including measures such as blood work, by integrating with hospitals, lab test companies and imaging centers. The Cupertino, California giant has also recently hired people with top healthcare credentials who are savvy in the digital realm.
Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data
Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them. To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.
Hospitals Face Growing Cybersecurity Threats
The average breach costs $355 per stolen record for health care organizations. The average cost of a health care breach is estimated to be more than $2.2 million, not to mention the reputation damage. According to Burning Glass Technologies, the average advertised pay for health care cybersecurity positions is 25 percent lower than in finance.
Cerner sees record level of bookings in Q2
Bookings hit a record high, at $1.64 billion, with contributions from new, existing, and short- and long-term clients, said Cerner president Zane Burke. Though he acknowledged the EHR marketplace will inevitably slow down, that time hasn't come, he said.
Doctors frustrated that electronic records steal time from patients
Dr. Jeffrey Chi, a hospitalist and professor at Stanford University School of Medicine in Stanford, California, transitioned from paper charts to electronic records during his residency and sees advantages of EHRs. “We no longer have to hunt down charts, and we can access patient information and place orders from anywhere in the hospital,” he said in an email. “Notes can also be written in a fraction of the time. Remote access now allows us to follow patient care even after we've left the hospital.”
Why would someone hack an IV pump?
Why would someone hack an IV pump? There are several reasons, Regalado pointed out. If successful, an attacker could steal personally identifiable information (PII), hijack hospital devices and demand ransom, corrupt the device in a denial-of-service attack, or use the pump as an entryway into the broader corporate network. For his educational research, Regalado chose to break into the Alaris PC Unit and IV Pump module manufactured by Bectron. The pump is a market-leading brand used at several hospitals around the world, he said.
Wannacry Inspires Worm-like Module in Trickbot
News of the new worm-like module in Trickbot comes just days after Flashpoint warned that Trickbot, for the first time, was being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016, it had only targeted victims outside the U.S.
Cybersecurity of Medical Devices
There is no going back to non-networked medical devices. The benefits of integrated data flows to support patient care are just too great. Plus, software updates for fleets of equipment are more easily done via a wireless network, and remote device performance monitoring can head off equipment failure to keep operations going. Even with these known benefits and risks, a recent study by the Ponemon Institute, a leading IT security research organization, found that roughly 53 percent of healthcare providers did not test medical devices for security. Only 15 percent reported that they have taken significant steps to prevent attacks on medical devices in their hospitals. The clinical engineering department should know which devices are connected to the network, and which generate or store protected health information. It’s best to avoid risky devices rather than openly welcome them into clinical use. Suppliers should be required to submit their Manufacturer Disclosure Statement for Medical Device Security (MDS2).
Report: EHR Installs Carry Significant Financial Risks for Hospitals
Analyzing the 39 hospitals that have recently invested in major EMR and revenue cycle system conversions, the analysts found that increased expenses and slower patient volumes contributed to a median 10.1 percent decline in absolute operating cash flow and 6.1 percent reduction in days cash on hand in the install year. However, many hospitals returned to pre-install levels within a year as implementation costs dissipated and revenue cycle processes stabilized.
Cyber Attack on Ukrainian Medical Facilities Sets ‘Dangerous’ Precedent: Experts
Across Dobrobut, a CT scanner, a mammography machine and four X-ray machines were disabled after the worm crippled the Windows computers they were connected to.
XL Catlin launches cyber risk policy
CyberRiskConnect offers up to $15 million in limits, and coverage is available on a primary or excess basis, according to the insurer, which does business as XL Catlin.
Sullivan Brokers Enhances Healthcare Provider Program, Adds Cybersecurity Coverage
The enhanced Practice Shield program now includes an expanded list of eligible classes, a revised policy with a broadened definition of insured, available prior acts coverage, a separate per-physician limit for designated classes, a zero retention available on most risks, as well as competitive rates, experienced underwriting and claims staff, and short new business and renewal applications. In addition, cybersecurity coverage can be added to the policy with limits up to $1 million.
Start your week with data leaks: Italy's largest bank and several North American airlines are alerting customers of data leaks involving personally identifiable information.
"Spirit’s warning comes after a hacker contacted news websites, including SecurityWeek, claiming to have obtained information on 11.7 million Spirit accounts. The individual claimed to have alerted the airline of a vulnerability in its systems, and decided to put the data up for sale on the dark web after the company ignored him."
Telemedicine: Take a lesson from retail to improve patient adoption
Mercy Hospital’s Virtual Care Center provides remote consults and monitoring to 33 hospitals across four states, allowing highly specialized care to be delivered quickly and effectively without the danger of sending a patient to a centralized hospital when time matters. Market research firm Berg Insight estimates that the number of remotely monitored patients, let alone everyday consumers, will exceed 50 million in the next four years. Patients at CVS’ Minute Clinic who opted for a telehealth visit to avoid a wait to see a provider reported 94-99 percent satisfaction and a third of them reported a preference for telehealth over an in-person visit. IDNs are spending millions of dollars implementing telemedicine solutions for basic sick care in the hopes that the service will attract new patients and increase engagement and satisfaction among existing patients.
Hacker Leaks Data From Mandiant (FireEye) Senior Security Analyst
So far the hackers have mostly leaked the personal info of the senior analyst at Mandiant. Considering it's a Virginia-based cyber-security firm, we'd have to assume they had access to quite a few sensitive networks.
What is IT governance? A formal way to align IT & business strategy
Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organizations can produce measurable results toward achieving their strategies and goals. A formal program also takes stakeholders' interests into account, as well as the needs of staff and the processes they follow. Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from its investments. Where COBIT and COSO are used mainly for risk, ITIL helps to streamline service and operations. Although CMMI was originally intended for software engineering, it now involves processes in hardware development, service delivery and purchasing. As previously mentioned, FAIR is squarely for assessing operational and cyber security risks.
When purchasing a new ambulatory EHR, or replacing or upgrading an existing ambulatory EHR system, 51.4 percent of healthcare provider organizations are considering EHR vendor Epic, up from 45.1 percent in 2016, according to the new HIMSS Analytics 9th Annual Outpatient PM and EHR Study.
Information Security Expert Predicts that the “Enron of Data Breaches” is Coming
We do have small physician practices who are completely unaware of the requirements. In their minds HIPAA is still a privacy issue, so when you talk to them they think they are HIPAA-compliant because they have a form at the front of the medical office [for patients]. But what they don’t understand is that even after that form, you need to keep the information secure, too.
Microsoft unveils open source Coco blockchain framework for healthcare, other industries
Consultancy Deloitte, in fact, said this spring that healthcare is among the most proactive industries, with 35 percent intending to deploy blockchain this year. In addition to interoperability and security, healthcare and technology experts have suggested blockchain could be used for claims adjudication, clinical trials, master patient index and supply chain purposes.
Health Data Security Making Progress
The Healthcare Information and Management Systems Society's 2017 Cybersecurity Survey, based on feedback from 126 U.S. health information security professionals, found that only about 71 percent of respondents were able to even identify the percent of their organization's budget allocated for cybersecurity. Of those, 60 percent say cybersecurity represented 3 percent or more of the budget, while the rest say the percentage is lower.
Health Analytics
Another focus is real-time data analytics. EHRs are good at dumping out reporting data, he said, but often analytics executives are trying to change provider behavior with data that is months old. He said real-time data feeds have a more immediate impact. “When our providers treat a patient or enter a diagnosis code, they get feedback instantly,” he said. Emergency departments have dashboards with 55-inch TV screens. “Getting data out of the EHR in real time is a big challenge, but we are doing it.”
How AI Will Transform Insurance Claims
Companies that have already automated some aspects of their claims process have seen a significant reduction in processing times and quality. AI-powered claims could also fight against one of the most costly elements of the insurance industry: fraudulent claims, which cost the industry more than $40 billion a year. Instead of relying on humans to manually comb through reports to catch inaccurate claims, AI algorithms can identify patterns in the data and recognize when something is fraudulent. Instead of spending valuable time and money on the underwriting process, which typically includes invasive questions and surveys to dictate premiums, artificial intelligence could automate the entire process. Bots could potentially scan a customer’s social profile to gather information and find trends and patterns. For example, someone who has a healthy lifestyle and a steady job may be able to be connected to being a safer driver, which could lower insurance premiums. AI can analyze data better than humans to more accurately predict each customer’s risk, thereby providing customers with the right amount of insurance and companies with protection from risky customers. Telematics, or wireless communication of data back to an organization, is expected to be a huge area of growth for insurance. Many insurance companies already offer discounts to customers who transmit their driving data back to the company. Telematics and artificial intelligence can take this one step further by recognizing GPS patterns in the data, inferring road and traffic conditions and even predicting and helping avoid accidents, which could potentially lead to fewer claims to process and safer and more satisfied customers.