All Posts in Category: Case Study


Save Medical Devices From Hackers: One Doctor’s Quest

The Internet of Things has introduced security issues to hundreds of devices that previously were off-limits to hackers, turning innocuous appliances like refrigerators and toasters into gateways for data theft and spying. But most alarmingly, the Internet of Things has created a whole new set of security vulnerabilities with life-threatening risks. We’re talking about the cars and, particularly, medical devices that are now in the sights of hackers—including drug infusion pumps, pacemakers, and other critical hospital equipment.

Now a California medical doctor is teaming up with technologists and patients to develop a new technical standard to secure insulin pumps used by diabetics. The standard, expected to be completed by July, could become a model to help secure other medical equipment in the future—especially because, in an unconventional move, the doctor is collaborating with patients who tinker with their own medical devices.

Dr. David Klonoff, an endocrinologist and medical director of the Diabetes Research Institute at the Mills-Peninsula Health Services facility, became concerned for the safety of his patients after reading stories about security researchers like Jay Radcliffe, who found vulnerabilities in his own insulin pump in 2012. The vulnerabilities would allow a hacker to manipulate the dosage and deliver too much insulin, causing a patient’s blood sugar to plummet and potentially sending him into a diabetic coma or killing him. “Right now there is no [security] standard for any medical device,” Klonoff notes. “As health-care professionals, we all want to see our patients have safe equipment and not be at risk.”

Creating a security standard for insulin pumps, however, comes with a caveat: it has to consider the needs of a special group of do-it-yourself patients and technologists who use an existing vulnerability in current insulin pumps to hack their devices and produce better, personalized results.

The diabetes community has a heightened interest in their medical equipment that exceeds that of other patient communities. Klonoff says his committee wants to embrace that rather than discount it. “We have to keep in mind the tradeoff between wanting security and maintaining usability … and make it possible that a do-it-yourselfer can still do some things with their device,” he says. “If we make the standard too tight … a lot of patients will complain, ‘Now I can’t use my device.’ There is always going to be this tradeoff.”

Klonoff doesn’t have any technical training, so he’s an unusual choice to lead the drive for a technology security standard. But he created a previous technical standard for the FDA, for the performance of continuous glucose monitors, so when he approached the federal agency earlier this year about the need for security in insulin pumps, they asked him to assemble a committee of experts.

Dr. David Klonoff.

Klonoff’s committee has nearly four dozen members, including representatives from the National Institute of Standards and Technology, the Department of Homeland Security, and the FDA, as well as companies and individuals with expertise in diabetes systems or in IT. Some do-it-yourself diabetic patients have also consulted with Klonoff about their wish list for the standard.

The backgrounds of the committee members make them much more invested in the effort and bring a “double, extra-level of understanding and perspective” to the problem, says Suzanne Schwartz, director of Emergency Preparedness/Operations & Medical Countermeasures at the FDA’s Center for Devices and Radiological Health. The FDA initially considered launching a similar project simultaneously for other medical devices, but ultimately concluded it should get it right with one device first.

The insulin pump technology most patients currently use is a manual system that requires the patient to determine when he or she needs a dose of insulin and how much. A continuous glucose monitor uses a sensor implanted beneath the patient’s skin to take a glucose reading of fluids and send it wirelessly to a pager-like device, an iPhone, or to the cloud, where a physician or parent can also read it. The patient or caregiver uses this and other data to help determine how much insulin to administer and instructs the pump to deliver it via a tiny catheter implanted beneath the skin. The downside to this system is that it requires constant vigilance and quick response. Food can affect blood glucose levels for six to 12 hours after consumption, requiring frequent readings. This can cause patients to miss readings or ignore data that calls for frequent adjustments.

A new technology in the late stages of development would automate this process. But fully functional products won’t be on the market for more than a year, as they wend their way through the FDA approval process. The new system, known as an artificial pancreas, uses a continuous glucose monitor, insulin pump, and smart algorithms to measure a patient’s glucose levels and automatically deliver insulin based on the algorithms’ calculations. This closed-loop system would make slight adjustments to increase or decrease insulin as needed, making it particularly useful at night when patients are sleeping and can’t make manual adjustments.

Both pump systems, the manual ones and new automated ones, have wireless capability. But they currently don’t encrypt the communication that passes from the glucose monitor to the handheld device or encrypt the commands that go to the pump. They also don’t authenticate that data to ensure that only an authorized device or person can send it commands. Anyone in the vicinity of a patient can intercept glucose readings and alter them or inject their own commands into the data going to the pump. “If the information is corrupted, that would be bad—or even if it’s not available, that would lead to an incorrect decision,” Klonoff says.

The only thing that’s needed to pull data from an insulin pump or send a dose to a patient is the pump’s six-digit serial number, which operates like an address or phone number to identify the device. But this number is printed on the outside of each pump and also gets transmitted in the clear with any communication the device sends, making it easily accessible to hackers who are sniffing the wireless traffic.

The security standard will not only require vendors to build assurance into their devices so that data is authenticated and not corrupted; they’ll have to prove assurance through testing. The committee intends to create a protocol to certify labs capable of testing devices against the standard. “We’ll have a certain small number of labs that will demonstrate to our committee that they understand [penetration testing] and are qualified to look at a product and see whether it does what it’s supposed to do,” Klonoff says.

Ben West.

Although security standards can help secure new medical devices coming on the market, they don’t address current devices and equipment that won’t get replaced. The FDA’s Schwartz says the agency hasn’t ruled out the possibility of establishing a vulnerability assessment program for medical devices, which would have a government lab examine and test them for security vulnerabilities and work with makers of the devices to get them patched in a timely manner or find ways to mitigate the risk of someone attacking them. The current process for fixing vulnerabilities in medical devices is not very organized and can take a year or longer to get a vendor to even acknowledge an issue, let alone get it fixed.

In the meantime, Schwartz says the FDA plans to publish a draft guidance “that speaks to what our expectations are of the industry with regard to the post-market management of medical device security. A lot of this is about educating manufacturers [and] shifting attitudes that the environment is not the same environment today as it was five or ten years ago.”

Now is the time for a standard, before more wireless insulin pumps come on the market. “It’s very difficult for the FDA to take a product off the market once it’s already there,” Klonoff says. With a standard in place, he expects that market demand will drive vendors to replace existing products with more secure ones, in part because the FDA and insurance companies will be able to insist that products meet the standard for security.

There are challenges to creating a security standard for insulin pumps, however. Adding fingerprint biometrics or passwords to devices to authenticate access might lock a patient out of his own device if his finger is sweaty or he is unable to remember a passcode in the throes of a medical emergency. There are also concerns about giving paramedics and other caregivers the access they need to read data quickly from a pump or alter its dosage for a patient who is delirious or unconscious.

And there’s the issue of the DIYers. Klonoff says the committee wants to find a way to secure insulin pumps to shut out nefarious hackers while still letting patients hack their own pumps for better performance.

Some diabetic systems currently on the market have a vulnerability—a debugging feature left in the firmware by the vendor—that patients have been exploiting to create their own closed-loop system. Their home-brewed system uses complex algorithms to assess readings from their glucose monitors, automatically determine proper insulin doses, and instruct their pumps to deliver it. The algorithms can even anticipate insulin needs based on planned activities and lifestyle.

Ben West is a computer engineer and the primary architect of the hacked system. He spent years studying the software of his own pump to figure out how he might pull automatic readings from his glucose monitor and use them to calculate and transmit commands to his pump, a process he chronicled in a GitHub post. In the course of his research, he decompiled core code used in pump systems and posted it online, which allowed Bryan Mazlish, a father and husband to two diabetics, to design a closed-loop system and launch a company, Bigfoot BioMedical, around it. That commercial system won’t be on the market for a while, however, so West and a couple in Seattle created a toolkit called OpenAPS, which weaves together different data sets from various diabetes monitoring and pump components so they can communicate. It takes some finessing for a user to assemble, but it works with multiple glucose monitoring systems.

Chris Hannemann.

“We’re providing the building blocks,” he says. “All of those [devices] look and feel very different, so I’ve concentrated on making those look and feel the exact same under OpenAPS. That allows people to put their loop together themselves and customize it for exactly what they want to do.”

The hack has made a huge difference in the quality of life for patients like Chris Hannemann, a 31-year-old mechanical engineer in Berkeley, California, who was diagnosed with Type I diabetes at the age of eight. Hannemann’s sister also has Type I diabetes and his father has Type II.

Using the tools West developed, Hannemann hacked his Medtronic MiniMed Paradigm 723 insulin system so that it will automatically adjust to his body’s insulin needs using data from his continuous glucose monitor. “[W]henever you eat or want to do a correction if your blood sugar is too high, you can tell the pump to [automatically] give a larger dose instantaneously or over time,” he says. “That’s something you wouldn’t be able to find in any [current] commercial system…. I can pull data that I wouldn’t otherwise be able to get from my device and slightly tweak things that work and don’t work until I get a piece of equipment that’s best tailored to my own treatment…. I’ve seen decidedly better outcomes in my own health as a result of using this.”

Although automated systems will be on the market eventually, Hannemann and others aren’t willing to wait. “This is our way of short-circuiting that and taking control with devices that are on the market now,” he says.

Hannemann says a security standard for pumps is “definitely overdue.” He and West connected with Klonoff about two months ago to offer their input. “As patients we have a unique perspective—we’re patients but we’re probably edge-case patients as well,” he says.

He says the challenge for the standard is not equating security with “closed off.”

“What you really like to have is a system where all the transmissions are secure—you want there to be a [digital] handshake between whatever device is talking to the insulin pump and the insulin pump itself [to authenticate themselves to each other]—and [you want] different authentication levels as well, so a third-party device could read from the insulin pump but not send commands to the pump,” he says. “I want it so that only my device can talk to the pump and it’s encrypted communication. I don’t want someone else to be able to walk up and… just be able to communicate with my pump.”

Klonoff agrees and says that any standard they develop should take the DIY movement of West, Hannemann, and others into consideration, since their tinkering has already made major contributions to the innovation of automated insulin pumps and will likely lead to more innovations that benefit patients in the future.
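The two designs the article contrasts can be modelled in a few dozen lines: a pump that checks only the plaintext six-digit serial (the situation described above), and a pump with a per-device key, a separate read-level and command-level key as Hannemann proposes, and a message counter so a captured command cannot be re-sent. This is an added illustration, not code from the article, from any pump vendor, or from OpenAPS; the wire format, field names, keys and the `LegacyPump`/`AuthenticatedPump` classes are all constructed here, and no real pump speaks this protocol.

```python
"""Toy model of an unauthenticated pump versus an authenticated one.

Constructed example: the message format, role keys and both Pump classes
are illustrative and do not correspond to any real device protocol.
"""
import hashlib
import hmac
import json

# Constructed split: what a third-party reader may do versus what only the
# patient's own controller may do (the two "authentication levels").
READ_OPS = {"get_glucose", "get_history"}
COMMAND_OPS = {"bolus", "set_basal"}


def canonical(msg: dict) -> bytes:
    """Serialise every field except the tag in a fixed order, so sender and
    pump compute the MAC over identical bytes."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed under the given role key."""
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "tag": tag}


class LegacyPump:
    """The behaviour the article describes: the serial number, printed on
    the case and sent in the clear, is the only thing that is checked."""

    def __init__(self, serial: str):
        self.serial = serial

    def handle(self, msg: dict) -> str:
        if msg.get("serial") != self.serial:
            return "ignored: wrong serial"
        return f"accepted: {msg['op']}"


class AuthenticatedPump:
    """Hardened model: a read key and a separate command key, a constant-time
    tag check, and a strictly increasing counter to reject replays."""

    def __init__(self, serial: str, read_key: bytes, command_key: bytes):
        self.serial = serial
        self.keys = {"read": read_key, "command": command_key}
        self.last_counter = 0

    def handle(self, msg: dict) -> str:
        if msg.get("serial") != self.serial:
            return "ignored: wrong serial"
        key = self.keys.get(msg.get("role"))
        if key is None or "tag" not in msg:
            return "rejected: unauthenticated"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"          # forged or altered in transit
        if msg.get("counter", 0) <= self.last_counter:
            return "rejected: replay"           # stale or re-sent message
        if msg["op"] in COMMAND_OPS and msg["role"] != "command":
            return "rejected: insufficient level"  # reader may not dose
        if msg["op"] not in READ_OPS | COMMAND_OPS:
            return "rejected: unknown op"
        self.last_counter = msg["counter"]
        return f"accepted: {msg['op']}"


def demo() -> dict:
    """Run both models on the same constructed messages; return the verdicts."""
    serial = "123456"                                   # constructed serial
    read_key = b"constructed-read-key-for-demo-only"    # constructed keys
    command_key = b"constructed-command-key-for-demo"
    legacy, pump = LegacyPump(serial), AuthenticatedPump(serial, read_key, command_key)
    r = {}
    # Serial-only dose request: legacy accepts, hardened pump does not.
    plain = {"serial": serial, "op": "bolus", "units": 2.0}
    r["legacy_plain_bolus"] = legacy.handle(plain)
    r["auth_plain_bolus"] = pump.handle(plain)
    # Correctly signed command from the patient's own controller.
    cmd = sign({"serial": serial, "counter": 1, "role": "command",
                "op": "bolus", "units": 2.0}, command_key)
    r["auth_signed_bolus"] = pump.handle(cmd)
    r["auth_replayed_bolus"] = pump.handle(cmd)          # same bytes again
    r["auth_tampered_bolus"] = pump.handle({**cmd, "units": 20.0})
    # Third-party reader: may read, may not dose.
    rd = sign({"serial": serial, "counter": 2, "role": "read",
               "op": "get_glucose"}, read_key)
    r["auth_read_ok"] = pump.handle(rd)
    rd_bolus = sign({"serial": serial, "counter": 3, "role": "read",
                     "op": "bolus", "units": 2.0}, read_key)
    r["auth_read_bolus"] = pump.handle(rd_bolus)
    return r


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:22} {verdict}")
```

The point of the two keys is the one Hannemann makes: a caregiver's or third-party reader can hold the read key and pull glucose data, while only the patient's controller holds the command key that authorises a dose. A real standard would also need key provisioning, a pairing step to replace the printed serial, and a recovery path for paramedics, none of which this toy covers.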


What is Windows Azure?

Jeremy Howard sees Silicon Valley as an echo chamber. He recently moved to Northern California from Australia, looking to improve the fortunes of his startup, an ingenious operation known as Kaggle, and he soon found that most Silicon Valley software developers behaved like other Silicon Valley software developers.

“In this echo chamber which is the [San Francisco] Bay Area, unless you follow what everyone else does, then there’s an assumption that you don’t know what you’re doing,” Howard says.


November HIPAA Breaches 2015

If you still think HIPAA doesn’t apply to you, please take a look at this and think again. These are all current breaches that were submitted to the OCR within the month of November.

Table items highlighted in blue show how many of the breaches involve healthcare IT. Most of the highlighted items could have been prevented with the proper setup, which would have kept these companies in the clear and out of violation fines.

November HIPAA Breaches 2015

Covered Entity | State | Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breach
Rush University Medical Center | IL | Healthcare Provider | 1,529 | 11/6/2015 | Unauthorized Access/Disclosure | Paper/Films
Dean Health Plan | WI | Health Plan | 960 | 11/11/2015 | Loss | Paper/Films
Good Care Pediatric, LLP | NY | Healthcare Provider | 2,300 | 11/12/2015 | Hacking/IT Incident | Desktop Computer
OH Muhlenberg, LLC | KY | Healthcare Provider | 84,681 | 11/13/2015 | Hacking/IT Incident | Desktop Computer, Email, Laptop, Network Server
HealthPoint | WA | Healthcare Provider | 1,300 | 11/13/2015 | Theft | Laptop
Midlands Orthopaedics, P.A. | SC | Healthcare Provider | 3,902 | 11/13/2015 | Hacking/IT Incident | Network Server
UC Health, LLC | OH | Healthcare Provider | 1,064 | 11/14/2015 | Unauthorized Access/Disclosure | Email

To view a full list of all reported breaches, visit the OCR Portal.


Triple-S HIPAA Settlement: $3.5 Million HIPAA Settlement

Triple-S Management Corporation (“TRIPLE-S”), on behalf of its wholly owned subsidiaries Triple-S Salud Inc., Triple-C Inc. and Triple-S Advantage Inc., formerly known as American Health Medicare Inc., has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). TRIPLE-S will pay $3.5 million and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program, an effort it has already begun.

“OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

TRIPLE-S is an insurance holding company based in San Juan, Puerto Rico, which offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries. TRIPLE-S has fully cooperated with HHS in investigating this case and has agreed to put in place a comprehensive HIPAA compliance program as a condition for settlement.

After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
  • Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  • Use or disclosure of more PHI than was necessary to carry out mailings;
  • Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:

  • A risk analysis and a risk management plan;
  • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
  • Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
  • A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.

Triple-S, with the help of OCR through its technical assistance, had already begun to take extensive corrective action, as required by the Corrective Action Plan, and will continue to work with OCR to come into compliance with HIPAA.

“Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the Corrective Action Plan entered into with OCR,” said President and CEO of Triple-S Management Corporation, Ramon M. Ruiz. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”

The Resolution Agreement and Corrective Action Plan can be found on the OCR website.

HHS offers guidance on how your organization can conduct a HIPAA Risk Analysis.

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit H.H.S. at


November HIPAA Settlement: Reminder for Users of Medical Devices

Lahey Hospital and Medical Center (Lahey) has agreed, in its November HIPAA settlement, to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Lahey is a nonprofit teaching hospital affiliated with Tufts Medical School, providing primary and specialty care in Burlington, Massachusetts.
