Which is scarier to you, Scripps shutdown hits two-week mark, Finnish mental health patients being ransomed with their private conversations that were hacked, or the fact a a major US pipeline could only be turned back on after paying the ransom?
Scripps FTA
Two independent individuals privy to the current situation inside Scripps said that a decision was made Friday to once again divert stroke, trauma and heart attack cases from Scripps Memorial Hospital La Jolla due to concerns over a recent influx of emergency patients at the facility, one of the largest in San Diego
Finnish mental health hack FTA
At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it.
A few days earlier, Vastaamo had announced a catastrophic data breach. A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken.
----
Health System Executive - Is this a top five priority at your health system yet?
https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/
This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.
Today in health it a ransomware pandemic has hit our world today. What you need to know, my name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of this week in Health IT at channel dedicated to keeping health IT staff current and engaged. VMware was our first sponsor for this week in Health it, and now they're the first sponsor of Today in Health.
It. They have been committed to our mission of providing relevant content to health IT professionals since the start. They recently completed an executive study with MIT on the top Healthcare trends, shaping IT, resilience, covering how the pandemic drove unique transformation in healthcare. This is just one of the many resources they have for healthcare professionals.
For this and several other great content pieces, check out vmware.com/go/healthcare. All right. Here's today's story. A bunch of stories. Really just want to give you the stories you need to put together for your presentation to senior leadership on the off chance that your health system is still not giving cybersecurity a top priority.
This may be a little longer than normal. Two main stories and a bunch of highlights of other stories. It's either that or do five episodes this week on cyber attacks and healthcare, which of course would be easy to do. In fact, it would be easy to turn this entire show into a security show based on just the amount of news that's happening in this space.
I. The first story has to be the script story, right? So Scripts, ransomware shut down, hits the two week mark. This according to the San Diego Union Tribune. Let me just give you some excerpts here. As Scripps Health reaches the two week mark in its ongoing ransomware outage. The will be back soon. Message posted on its website is beginning to look more.
Than a little optimistic, though a company spokesman said the health system had nothing new to report on the situation Friday. Employees who said they wish to remain anonymous to avoid losing their jobs confirmed that critical electronic medical record system remained offline. Continuing to force paper documentation and slowing down the pace of care, especially in the emergency department.
Two independent individuals privy to the current situation. Inside Scripps said the decision was made Friday to once again diverge stroke, trauma, and heart attack cases from Scripps Memorial Hospital in La Jolla due to concerns over a recent influx of emergency patients at the facility, one of the largest in San Diego.
Quote from a nurse. I cannot stress this enough. Every minute we are there, we feel like we are playing with our license. Adding that many have been advising their own family members to stay away. I. We are all buying malpractice insurance at this time. Regulators so far have not expressed similar concerns.
In an email sent Friday afternoon, the California Department of Public Health said it continues to monitor Scripps facilities adding that they are operational and caring for patients using appropriate contingency protocols. Alright, so that's the first story that you need to be aware of and if that were not scary enough, we'll go on to the next one, which is I think one of the most scary stories.
In all of cybersecurity breaches that I've read, and this comes from Wired Magazine, they told their therapists everything. Hackers leaked it all. A mental health startup built its business on easy to use technology. Patients joined in droves, then came a catastrophic data breach. And I like the way this story is written.
Gary woke up on the morning of October 24th, 2020, expecting what finished college students called Normy Pavi. I'm sure that's mispronounced an ordinary day. It was Saturday and he slept in the night before. He'd gone drinking by the beach with some friends. They'd sipped cheap. Apple Lur listened to Billy Eilish on this boombox.
Now Yi needed to clear his head. He was supposed to spend the gray fall day on campus finishing a group physics project about solar energy. The 22-year-old took a walk around the lake, near his apartment outside Helsinki. Then feeling somewhat refreshed, he jumped on the bus. The day went quickly. Yi caught up with his friends, many of whom he hadn't seen since the pandemic began.
They chatted about the Christmas plans, ordered pizzas from their favorite local spot and knuckled down on the work in the cafeteria. I. At around 4:00 PM Yari checked Snapchat, an email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he'd gotten mental health treatment as a teenager.
Vati Mo, he didn't recognize the sender, but he knew what the email said before he opened it. A few days earlier, Vamo had announced a catastrophic data breach, a security flaw in the company's IT system had exposed its entire patient database. To the open internet, not just email addresses and social security numbers, but the actual written notes that therapists had taken a group of hackers or one masquerading as many had gotten hold of the data.
The message in Yi's inbox was a ransom demand. If we received 200 euro worth of Bitcoin within 24 hours, your information will be permanently deleted from our servers. The email said in finish. If Yuri missed the first deadline, he'd have another 48 hours to fork over 500 euro or about $600. After that, your information will be published for all to see.
Yuri had first gone to Vamo when he was 16. He had dropped out of school and began to self-harm, he says, and was consuming extreme amounts of Jagermeister each week. His girlfriend at the time insisted. He get help. She believed it was the only way that Yi would see his 18th birthday. During his therapist sessions, Yi spoke about his abusive parents, how they forced him when he was a young kid, to walk the nearly four miles home from school and made him sleep out in the garden if he was being a disappointment.
He talked about using marijuana, L-S-D-D-M-T. He said he'd organized an illegal rave and was selling drugs. He said he thought about killing himself. After each session, Yi's therapist typed out his notes and uploaded them to fast tomo servers. I was just being honest. Yi says he had no idea that they were backing the information up digitally.
I. I think that's one of the scariest stories in all of healthcare. That's the second story. So you have scripts is down for hitting the two week mark. You have this one where all the records are being released, but I think the thing that makes this one distinct is they're actually ransoming the patients and that is scary stuff.
If you need more stories, here you go. Colonial pipeline pays ransomware to restore service. We're all aware of that one. This one is relatively recent. The Avedon group has hit AXA insurance, actually AXA Asia. Only a week after the firm decided to stop paying ransomware actors. The hackers claim to have stolen three terabytes of sensitive documents from the firm and already leaked several xis threat is to create a precedent in the field, closing the tab for crooks who targeted insurance covered firms.
And it goes on to talk about, let me see, uh, here's some information on this. Some of the stuff that was leaked. Customer medical reports including HIV, hepatitis STD, and other illness reports, customer claims, payments to customers, all customer IDs, all customer bank accounts, scanned papers, hospital and doctor reserved materials.
Private investigations for fraud. Reserved agreements, denied reimbursements, contracts, report ID cards, et cetera. All right, so fair amount of information. Three terabytes worth of that information is out there. And this is the next story. Ireland's Health Service has closed down its computer systems after what it describes as a significant ransomware attack.
The Republic's Health Services executive HSE said it had shut down its entire IT network as a precaution. Let's go on. Hey, the stories just keep on coming. Texas-based Health IT Company Capture RX has notified a growing list of hospitals and healthcare organizations that their patient data has been exposed by a ransomware attack on its IT systems.
The company that helps hospitals manage their three 40 B drug programs said it discovered unusual activity. In some of its files in February, compromised files contain patient records with protected health information, including names, birth dates, and prescription details. A list of hospitals faxed in St.
Luke's Health in New York, Lords Hospital in New York. Gifford Healthcare in Vermont, UPMC. Coal in Wellsboro, Pennsylvania, bay Health in Dover, Delaware, and Walmart in unknown locations. And, let's see. This is probably the last one. The University of California system announced last month that it had been hit with a massive data breach.
The locale was a third party file transfer application called Axelon. uc was just one of the victims of the international cyber attack. Which may have affected roughly a hundred institutions, also, including Stanford Medical School and the University of Maryland, Colorado, and Miami and Yeshiva University in New York.
How much data was stolen? Remains to be unseen. You get the picture, it goes on and on. Uh, I wanted to touch on President Biden signed an executive order. The executive order will address cybersecurity in four ways. This comes from Becker's Healthcare. Number one, protect federal networks. The SolarWinds data breach demonstrated that the most basic cybersecurity prevention and response measures were not systemically rolled out across federal agencies.
The executive order will roll out a set of high impacts cyber defenses that make it harder for malicious actors to compromise and operate on a hacked. Network number two, and I think this is one of the most impactful things in this executive order, improve the security of commercial software.
Commercial software will be modernized in three ways. First, baseline security requirements will be established. Second, federal money will be used to jumpstart the market for secure software by requiring that all software meet these standards in nine months. Third, a response outline will be developed so that the federal government is in a position to respond quickly.
Number three, address barriers to information sharing. Federal agencies cannot defend what they cannot see. The officials said it. Providers who sell the government are required to report breaches rapidly and share cyber threat information, which the government will share with the . Americans, I guess that's us.
Number four, establish a cyber incident review board. The board will convene following a significant cyber incident and make concrete recommendations for improving cybersecurity. Moving forward, the board will have a private sector co-chair, referencing the administration's focus on partnering with the private sector.
On cybersecurity. Alright, so that's the presidential executive order and the response, here's my so what for this story, I actually like the presidential order. From this perspective, your health system is only as secure as the software you purchase or create. I. Your health system is only as secure as the least secure employee practices at your health system, and your health system is only as secure as the posture you choose to take as a health system.
I believe every president and CEO of every health system should sign an executive order with these elements in it, probably today or this week. I would mirror the second item in the President's executive order. A baseline security requirement will be established for all software used at the health system and will be compliant within nine months.
Second thing, all health system vendor contracts will be amended to require business associates and software vendors to report breaches in a certain amount of time and clarity. I would just check all your contracts. You probably think, oh, that has to be in all the contracts. I would check them today, and I would guarantee you they don't all have that language in them.
Number three, a cyber incident review board will be established to review incidents. That makes perfect sense, but you also have to have this review board in place prior to incidents who is looking at your posture and those kind of things. Now, a lot of boards have these already, but some of the smaller health systems may not have this as a subcommittee of the board.
And I'm not even sure if subcommittee of the board is enough. You need an operational board, and I think you should have physicians on this, nurses top leadership, and it should be run by top leadership. The Cyber Incident Review Board should also review your cyber incident response plan within the next 90 days, probably within the next 30 days to look at it for preparedness.
This will include your position on ransomware as an organization and your response to cyber terrorist. I'm sure I could come up with more if I just sat here for a little bit, but that's enough really to get you started. This is a pandemic. This is a war on a global scale, and we need to be mobilized in a way to address this level of threat.
That's all for today. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website this week, health.com, or wherever you listen to Podcast Apple, Google Overcast, Spotify, Stitcher. You get the picture. We are everywhere. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, VMware Hillrom, Starbridge Advisors, McAfee and Aruba Networks.
Thanks for listening. That's all for now.