All Posts in Category: Health Basics

save medical devices from hackers

Save Medical Devices From Hackers: One Doctor’s Quest

THE INTERNET OF Things has introduced security issues to hundreds of devices that previously were off-limits to hackers, turning innocuous appliances like refrigerators and toasters into gateways for data theft and spying. But most alarmingly, the Internet of Things has created a whole new set of security vulnerabilities with life-threatening risks. We’re talking about the cars and, particularly, medical devices that are now in the sights of hackers—including drug infusion pumps, pacemakers, and other critical hospital equipment.

Now a California medical doctor is teaming up with technologists and patients to develop a new technical standard to secure insulin pumps used by diabetics. The standard, expected to be completed by July, could become a model to help secure other medical equipment in the future—especially because, in an unconventional move, the doctor is collaborating with patients who tinker with their own medical devices.

Dr. David Klonoff, an endocrinologist and medical director of the Diabetes Research Institute at the Mills-Peninsula Health Services facility, became concerned for the safety of his patients after reading stories about security researchers like Jay Radcliffe who found vulnerabilities in his own insulin pump in 2012. The vulnerabilities would allow a hacker to manipulate the dosage and deliver too much insulin, causing a patient’s blood sugar to plummet and lead him to potentially fall into a diabetic coma or die. “Right now there is no [security] standard for any medical device,” Klonoff notes. “As health-care professionals, we all want to see our patients have safe equipment and not be at risk.”

“Klonoff wants to find a way to secure insulin pumps to shut out nefarious hackers while still letting patients hack their own pumps for better performance.”

Creating a security standard for insulin pumps, however, comes with a caveat: it has to consider the needs of a special group of do-it-yourself patients and technologists who use an existing vulnerability in current insulin pumps to hack their devices and produce better, personalized results.

The diabetes community has a heightened interest in their medical equipment that exceeds that of other patient communities. Klonoff says his committee wants to embrace that rather than discount it. “We have to keep in mind the tradeoff between wanting security and maintaining usability … and make it possible that a do-it-yourselfer can still do some things with their device,” he says. “If we make the standard too tight … a lot of patients will complain, ‘Now I can’t use my device.’ There is always going to be this tradeoff.”

Klonoff doesn’t have any technical training, so he’s an unusual choice to lead the drive for a technology security standard. But he created a previous technical standard for the FDA, for the performance of continuous glucose monitors, so when he approached the federal agency earlier this year about the need for security in insulin pumps, they asked him to assemble a committee of experts.

Save Medical Devices from Hackers, Dr. David Klonoff.Dr. David Klonoff

Klonoff’s committee has nearly four-dozen members, including representatives from the National Institute of Standards and Technology, the Department of Homeland Security, and FDA, as well as companies and individuals with expertise in diabetes systems or in IT. Some do-it-yourself diabetic patients have also consulted with Klonoff about their wish list for the standard.

The backgrounds of the committee members makes them much more invested in the effort and bring a “double, extra-level of understanding and perspective” to the problem, says Suzanne Schwartz, director of Emergency Preparedness/Operations & Medical Countermeasures at the FDA’s Center for Devices and Radiological Health. The FDA initially considered launching a similar project simultaneously for other medical devices, but ultimately concluded they should get it right with one device first.

The insulin pump technology most patients currently use is a manual system that requires the patient to determine when he or she needs a dose of insulin and how much. A continuous glucose monitor uses a sensor implanted beneath the patient’s skin to take a glucose reading of fluids and send it wirelessly to a pager-like device, an iPhone, or to the cloud, where a physician or parent can also read it. The patient or caregiver uses this and other data to help determine how much insulin to administer and instructs the pump to deliver it via a tiny catheter implanted beneath the skin. The downside to this system is that it requires constant vigilance and quick response. Food can affect blood glucose levels for six to 12 hours after consumption, requiring frequent readings. This can cause patients to miss readings or ignore data that calls for frequent adjustments.

“The pumps don’t encrypt or authenticate their data, so anyone in the vicinity of a patient could intercept glucose readings and alter them or inject their own commands into the data going to the pump.”

A new technology in the late stages of development would automate this process. But fully functional products won’t be on the market for more than a year, as they wend their way through the FDA approval process. The new system, known as an artificial pancreas, uses a continuous glucose monitor, insulin pump, and smart algorithms to measure a patient’s glucose levels and automatically deliver insulin based on the algorithms’ calculations. This closed-loop system would make slight adjustments to increase or decrease insulin as needed, making it particularly useful at night when patients are sleeping and can’t make manual adjustments.

Both pump systems, the manual ones and new automated ones, have wireless capability. But they currently don’t encrypt the communication that passes from the glucose monitor to the handheld device or encrypt the commands that go to the pump. They also don’t authenticate that data to ensure that only an authorized device or person can send it commands. Anyone in the vicinity of a patient can intercept glucose readings and alter them or inject their own commands into the data going to the pump. “If the information is corrupted, that would be bad—or even if it’s not available, that would lead to an incorrect decision,” Klonoff says.

The only thing that’s needed to pull data from an insulin pump or send a dose to a patient is the pump’s six-digit serial number, which operates like an address or phone number to identify the device. But this number is printed on the outside of each pump and also gets transmitted in the clear with any communication the device sends, making it easily accessible to hackers who are sniffing the wireless traffic.

The security standard will not only require vendors to build assurance into their devices so that data is authenticated and not corrupted; they’ll have to prove assurance through testing. The committee intends to create a protocol to certify labs capable of testing devices against the standard. “We’ll have a certain small number of labs that will demonstrate to our committee that they understand [penetration testing] and are qualified to look at a product and see whether it does what it’s supposed to do,” Klonoff says.

Ben West.

Although security standards can help secure new medical devices coming on the market, they don’t address current devices and equipment that won’t get replaced. The FDA’s Schwartz says the agency hasn’t ruled out the possibility of establishing a vulnerability assessment program for medical devices, which would have a government lab examine and test them for security vulnerabilities and work with makers of the devices to get them patched in a timely manner or find ways to mitigate the risk of someone attacking them. The current process for fixing vulnerabilities in medical devices is not very organized and can take a year or longer to get a vendor to even acknowledge an issue, let alone get it fixed.

In the meantime, Schwartz says the FDA plans to publish a draft guidance “that speaks to what our expectations are of the industry with regard to the post-market management of medical device security. A lot of this is about educating manufacturers [and] shifting attitudes that the environment is not the same environment today as it was five or ten years ago.”

Now is the time for a standard, before more wireless insulin pumps come on the market. “It’s very difficult for the FDA to take a product off the market once it’s already there,” Klonoff says. With a standard in place, he expects that market demand will drive vendors to replace existing products with more secure ones, in part because the FDA and insurance companies will be able to insist that products meet the standard for security.

There are challenges to creating a security standard for insulin pumps, however. Adding fingerprint biometrics or passwords to devices to authenticate access might lock a patient out of his own device if his finger is sweaty or he is unable to remember a passcode in the throes of a medical emergency. There are also concerns about giving paramedics and other caregivers the access they need to read data quickly from a pump or alter its dosage for a patient who is delirious or unconscious.

And there’s the issue of the DIYers. Klonoff says the committee wants to find a way to secure insulin pumps to shut out nefarious hackers while still letting patients hack their own pumps for better performance.

“Chris Hannemann hacked his insulin system so that whenever he eats or wants to correct his blood sugar, he can tell the pump to give a larger dose instantaneously or over time.”

Some diabetic systems currently on the market have a vulnerability—a debugging feature left in the firmware by the vendor—that patients have been exploiting to create their own closed-loop system. Their home-brewed system uses complex algorithms to assess readings from their glucose monitors, automatically determine proper insulin doses, and instruct their pumps to deliver it. The algorithms can even anticipate insulin needs based on planned activities and lifestyle.

Ben West is a computer engineer and the primary architect of the hacked system. He spent years studying the software of his own pump to figure out how he might pull automatic readings from his glucose monitor and calculate it to transmit commands to his pump, a process he chronicled in a GitHub post. In the course of his research, he decompiled core code used in pump systems and posted it online, which allowed Bryan Mazlish, a father and husband to two diabetics, to design a closed-loop system and launch a company, Bigfoot BioMedical, around it. That commercial system won’t be on the market for a while, however, so West and a couple in Seattle created a toolkit called OpenAPS, which weaves together different data sets from various diabetes monitoring and pump components so they can communicate. It takes some finessing for a user to assemble, but it works with multiple glucose monitoring systems.

Chris Hannemann.

“We’re providing the building blocks,” he says. “All of those [devices] look and feel very different, so I’ve concentrated on making those look and feel the exact same under OpenAPS. That allows people to put their loop together themselves and be customized for exactly what they want to do.”

The hack has made a huge difference in the quality of life for patients like Chris Hannemann, a 31-year-old mechanical engineer in Berkeley, California, who was diagnosed with Type I diabetes at the age of eight. Hannemann’s sister also has Type I diabetes and his father has Type II.

Using the tools West developed, Hannemann hacked his Medtronic Mini Med Paradigm 723 insulin system so that it will automatically adjust to his body’s insulin needs using data from his continuous glucose monitor. “[W]henever you eat or want to do a correction if your blood sugar is too high, you can tell the pump to [automatically] give a larger dose instantaneously or over time,” he says. “That’s something you wouldn’t be able to find in any [current] commercial system…. I can pull data that I wouldn’t otherwise be able to get from my device and slightly tweak things that work and don’t work until I get a piece of equipment that’s best tailored to my own treatment….I’ve seen decidedly better outcomes in my own health as a result of using this.”

Although automated systems will be on the market eventually, Hannemann and others aren’t willing to wait. “This is our way of short-circuiting that and taking control with devices that are on the market now,” he says.

Hannemann says a security standard for pumps is “definitely overdue.” He and West connected with Klonoff about two months ago to offer their input. “As patients we have a unique perspective—we’re patients but we’re probably edge-case patients as well,” he says.

He says the challenge for the standard is not equating security with “closed off.”

“What you really like to have is a system where all the transmissions are secure—you want there to be a [digital] handshake between whatever device is talking to the insulin pump and the insulin pump itself [to authenticate themselves to each other]—and [you want] different authentication levels as well, so a third-party device could read from the insulin pump but not send commands to the pump,” he says. “I want it so that only my device can talk to the pump and it’s encrypted communication. I don’t want someone else to be able to walk up and… just be able to communicate with my pump.”

Klonoff agrees and says that any standard they develop should take the DIY movement of West, Hannemann, and others into consideration, since their tinkering has already made major contributions to the innovation of automated insulin pumps and will likely lead to more innovations that benefit patients in the future.

Read More
hipaa gaps

What Closing the HIPAA Gaps Means for the Future of Healthcare Privacy

By now, most people have felt the effects of the HIPAA Privacy Rule (from the Health Insurance Portability and Accountability Act). HIPAA has set the primary standard for the privacy of healthcare information in the United States since the rule went into effect in 2003. It’s an important rule that creates significant baseline privacy protections for healthcare information across the country.


Yet, from the beginning, important gaps have existed in HIPAA – the most significant involving its “scope.” The rule was driven by congressional decisions having little to do with privacy, but focused more on the portability of health insurance coverage and the transmission of standardized electronic transactions.

Because of the way the HIPAA law was crafted, the U.S. Department of Health and Human Services (HHS) could only write a privacy rule focused on HIPAA “covered entities” like healthcare providers and health insurers. This left certain segments of related industries that regularly use or create healthcare information—such as life insurers or workers compensation carriers— beyond the reach of the HIPAA rules. Therefore, the HIPAA has always had a limited scope that did not provide full protection for all medical privacy.

So why do we care about this now?

While the initial gaps in HIPAA were modest, in the past decade, we’ve seen a dramatic increase in the range of entities that create, use, and disclose healthcare information and an explosion in the creation of healthcare data that falls outside HIPAA.

For example, commercial websites like Web MD and patient support groups regularly gather and distribute healthcare information. We’ve also seen a significant expansion in mobile applications directed to healthcare data or offered in connection with health information. There’s a new range of “wearable” products that gather your health data. Virtually none of this information is covered by HIPAA.

At the same time, the growing popularity of Big Data is also spreading the potential impact from this unprotected healthcare data. A recent White House report found that Big Data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in many areas including healthcare. The report also stated that the privacy frameworks that currently cover healthcare information may not be well suited to address these developments. There is no indication that this explosion is slowing down.

We’ve reached (and passed) a tipping point on this issue, creating enormous concern over how the privacy interests of individuals are being protected (if at all) for this “non-HIPAA” healthcare data. So, what can be done to address this problem?

Debating the solutions

Healthcare leaders have called for broader controls to afford some level of privacy to all health information, regardless of its source. For example, FTC commissioner Julie Brill asks whether we should be “breaking down the legal silos to better protect that same health information when it is generated elsewhere.”

These risks also intersect with the goal of “patient engagement,” which has become an important theme of healthcare reform. There’s increased concern about how patients view this use of data, and whether there are meaningful ways for patients to understand how their data is being used. The complexity of the regulatory structure (where protections depend on sources of data rather than “kinds” of data), and the determining data sources (which is often difficult, if not impossible), has led to an increased call for broader but simplified regulation of healthcare data overall. This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.

Three options are being discussed on how to address non-HIPAA healthcare data:

  • Establishing a specific set of principles applicable only to “non-HIPAA healthcare data” (with an obvious ambiguity about what “healthcare data” would mean)
  • Developing a set of principles (through an amendment to the scope of HIPAA or otherwise) that would apply to all healthcare data
  • Creating a broader general privacy law that would apply to all personal data (with or without a carve-out for data currently covered by the HIPAA rules).

It’s clear that the debate and policymaking “noise” on this issue will be ongoing and extensive. Affected groups will make proposals, regulators will opine, and legislative hearings will be held. Industry groups may develop guidelines or standards to forestall federal legislation. We’re a long way from any agreement on defining new rules, despite the growing consensus that something must be done.

Therefore, companies that create, gather, use, or disclose any kind of healthcare data should evaluate how this debate might affect them and how their behavior might need to change in the future. The challenge for your company is to understand these issues, think carefully and strategically about your role in the debate, and anticipate how they could affect your business going forward.

Read More

The Exponential Future of Patient Engagement

FrankFortnerIn October of 2014, I attended the CHIME fall conference and had the privilege of listening to Dr. Peter Diamandis, CEO of the X PRIZE Foundation, and author of books such as “Abundance” and “Bold.” He brings an optimistic message about the value created through the exponential growth of certain technologies — that starts after they become “digitized,” yielding exponential leaps forward rather than small, linear steps. Examples include artificial intelligence, 3D printing, digital photography, and more. In short, once digitized, and after moving through the subsequent phases of: deception, disruption, demonetization, and dematerialization, a technology reaches the final stage of democratization — essentially it’s small, it’s cheap, and it’s everywhere! Just think about the computing power of your smartphone, its digital camera, and its instant access to more data than U.S. presidents had just 20 years ago!

Read More

5 things to know now about coming OCR HIPAA audits

Nothing sends a shock of fear through a hospital C-suite quite like the word audit. And the second phase of HIPAA audits is slated to being in early 2016.

Those CIOs, CISOs, CEOs, General Counsel and privacy officers unfortunate enough to receive notification of an impending HIPAA audit from the Health and Human Services Department’s Office for Civil Rights will invariably feel that pressure.

1. OCR is moving forward with HIPAA compliance audit program. The audit contract was awarded to FCiFederal, a government operations management and professional services provider. Audits will cover hospitals, healthcare providers, health plans and business associates.

2. Compliance audits expected to be in hundreds; not thousands. Both healthcare organizations and business associates can expect approximately 200-300 limited scope desk audits to create a sample base of covered entities to ensure HIPAA Privacy, Security & Breach Notification Rules compliance.

3. OCR has been transparent on topics it will target. From the way patients access and obtain their data to breach notification policies, the OCR will cover a wide range of functions that are listed in detail on its site.

4. Prepare now in case your organization is selected. Management should speak with individual staff members to review policies, procedures and guidelines that support HIPAA and HITECH standards. Collect data beforehand and designate an area to keep materials to provide to OCR if needed.

5. Educate staff and leadership on how your organization is preparing for an OCR audit. Keep staff abreast of information relevant to the OCR audit, including prompt attention to communication from OCR. Ensure your C-suite is prepared for the new OCR compliance measurement standards, as well.

OCR will look into security, privacy and breach notification rules to analyze risk, safeguards and implementations, especially those associated with electronic health information and device encryption.

Smart healthcare executives will use the waiting period before audits begin by assessing risk, preparing staff and reviewing policies. Let us help you prepare for an upcoming audit. We offer compliance checks, policy revisions, creation and management as a service, Healthcare IT consultations and support to help get you and your organization to where it needs to be.

Originally published by Jessica Davis of Healthcare IT News

Read More

HIPAA Compliance: One Size Does NOT Fit All

HIPAA  compliance and regulations have pulled the rug out from under healthcare organizations across the country, exposing some major cracks in the foundation of healthcare data security processes.

Protecting patient data in a world of electronic health records and mobile workers was never going to be a walk in the park. However, meeting the complex (and often vague) requirements of HIPAA can seem like an insurmountable challenge, with information flowing across numerous interrelated and interdependent healthcare institutions, service providers, insurers and patients. Every day data moves between doctors and nurses inside the hospital, outsourced diagnostic services, pharmacies, labs, billing services, insurers, business associates, community nurses, home healthcare providers, rehab centers, clinics … the list goes on. Electronic patient information is communicated via LAN, WAN and through all forms of wireless devices, from laptops to smartphones to specialized handheld medical information devices.

Read More
Fear Itself Speech 修改 文章 英文 click through the following web site | Advanced Trading Tools · Learn How to Trade opciones binarias demo click here now
Loan Canada go credit visit their website