Category: Cybersecurity News

Before the recent ransomware attack on MyEyeDr. Optometry in Colorado P.C, which is a network of offices offering vision care, some protected health information (PHI) of 1,475 Colorado residents were potentially compromised.

The attacker accessed part of the MyEyeDr. systems on December 11, 2019 then downloaded and deployed the ransomware. MyEyeDr. immediately took action to block further unauthorized access and regain all impacted patient records. The network did not pay the ransom demand.

Although most of the encrypted data can be restored, certain files were not recovered and stayed encrypted. An independent computer forensics company investigated the attack to know if the attackers stole any information before file encryption. The forensics company did not find any evidence that indicates the exfiltration of data and believed that the attackers only encrypted files with the intent to extort money from MyEyeDr.

The patient information contained in the affected systems included names, birth dates, diagnoses, clinical data, and treatment details. The attack only affected the patients who received services at Colorado MyEyeDr. locations from December 1 to December 10, 2019.

7,983 Today’s Vision Willowbrook Patients Affected by Improper Disposal Incident

MyEyeDr. also encountered another breach that resulted in the compromise of the PHI of 7,983 patients from Today’s Vision Willowbrook. Capital Vision Services, dba MyEyeDr. acquired Today’s Vision Willowbrook in February 2019.

Some time in May 21, 2019, MyEyeDr. found out that Today’s Vision Willowbrook patients’ historic records were disposed of in an inappropriate manner. The patient records should have been securely destroyed. Instead, they were discarded in a dumpster within Tomball, Texas.

The compromised records included the following patients’ data: names, addresses, birth dates, Social Security numbers, clinical data, and billing data. The information belonged to patients who went to Today’s Vision Willowbrook from 1997 t 2003.

The media reported about the improper disposal and local law enforcement officials went to the dumpster and gathered the patient records. According to MrEyeDr., because of the quick action of Tomball’s police in getting the records, it is believed that unauthorized third parties did not have any opportunity to misuse any of the information included in the patient records.

MyEyeDr. stated that no MyEyeDr. employee had possession of the records and that employees of Today’s Vision Willowbrook did not appear to have dumped the patient records.

A new Comparitech study has revealed the degree of ransomware attacks on healthcare organizations and their real cost on the healthcare industry.

The study showed that healthcare organizations in the United States have encountered at least 172 ransomware attacks in the past three years. The attacks had affected 1,446 hospitals, clinics, and other medical facilities and at least $6,649,713 patients.

The number of attacks decreased from 53 incidents in 2017 to 31 incidents in 2018. But the attacks in 2019 had the same level as in 2017 with 50 reported attacks on healthcare companies.

Since 2016, the target of 74% of healthcare ransomware attacks were the hospitals and health clinics. The 26% of ransomware attacks were on healthcare establishments such as nursing homes, dental practices, medical testing laboratories, health insurance companies, plastic surgeons, optometry practices, medical supply firms, government healthcare organizations, and managed service providers.

Ransom demands vary substantially ranging from around $1,600 to $14 million. Some attacks on healthcare organizations had ransom demands of $16.48 million since 2016. Comparitech stated that healthcare companies have spent about $640,000 to attackers to get the keys to unlock encrypted files, nevertheless, the real cost is probably to be substantially greater as a lot of victims choose not to publicize that information.

Because of attacks, appointments are usually canceled and data could be permanently lost. The time, effort, and cost of remediating attacks can be too much for a number of smaller healthcare organizations. Two healthcare clinics have discontinued their practices because of ransomware attacks in 2019.

Ransom payments are only a small percentage of the total cost of an attack. Fixing systems from backups, or even utilizing the decryption keys from the attackers, can take a substantial amount of time. Repairing systems and data could take several hours to a number of weeks or months. The downtime as a result of ransomware attacks also adds to the total costs.

Comparitech chose several diverse data breach reports, IT news sources,, healthcare resources, and HHS’ Office for Civil Rights data, together with information from studies on the cost of downtime resulting from ransomware attacks. The researchers produced a low and high estimation of the downtime cost for all 172 verified attacks since 2016 based on that data. The low and high estimate for the downtime cost were $157,896,000 and $240,800,000, respectively.

Considering that hospitals and other health providers are often easy targets for hackers, ransomware will continue to be a rising issue for both organizations and patients. Most ransomware attacks thus far have targeted patient data and hospital systems, but the potential is a lot worse without implementing the right safety measures. Ransomware attacks may target life-saving equipment and crucial patient data and systems.

Medtronic, a manufacturer of medical device, issued patches for fixing vulnerabilities in the following devices:

• implantable cardioverter defibrillators (ICDs)
• CareLink 2090 and CareLink Encore 29901 programmers
• cardiac resynchronization therapy defibrillators (CRT-Ds)

Security researchers first identified the vulnerabilities in 2018 and 2019 and informed Medtronic about it. Immediately, Medtronic published mitigations to minimize the risk of attackers exploiting the vulnerabilities and to make it possible for customers to keep on using the impacted products safely. It took a long time to develop and release the patches for the complicated and safety-critical devices because of the necessary regulatory approval process. Medtronic developed security remediations immediately at the same time ensured that the patches would sustain the products’ comprehensive security and functionality.

In 2018, Security researchers Jonathan Butts and Billy Rios discovered three flaws in Medtronic’s devices used for programming and managing implanted cardiac devices, particularly CareLink 2090 and CareLink Encore 29901. Because of the vulnerabilities, an advisory was issued in February 2018. An attacker could exploit the vulnerabilities and change the firmware through a man-in-the-middle attack, gain access to files stored in the system, get device usernames and passwords, and manipulate implanted Medtronic devices remotely.

A number of researchers also identified two more vulnerabilities in the Medtronic Conexus telemetry protocol in 2019. Thus, a second Medtronic advisory was issued in March 2019. The vulnerabilities exist because of the insufficiency of encryption, authorization, and authentication. An attacker could exploit the vulnerabilities and intercept, replay, and alter data, and modify the settings of programmers, implanted devices, and home monitors. One rated critical vulnerability, CVE-2019-6538, was designated a CVSS v3 base rating of 9.3 out of 10.

The most recent patches fix the vulnerabilities found in MyCareLink monitors aad nCareLink monitors and programmers. Patches were issued for roughly 50% of the impacted Medtronic implantable devices affected by the Conexus vulnerabilities. See the list of all the products below:

• Brava™ CRT-D, all models
• Evera™ ICD, all models
• Evera MRI™ ICD, all models
• Mirro MRI™ ICD, all models
• Viva™ CRT-D, all models
• Primo MRI™ ICD, all models

Patches for the other vulnerable products will be available later this year.

To protect against exploitation of the vulnerabilities, Medtronic deactivated the software development network (SDN) used for delivering device updates. Therefore, software updates should be done manually by using a secured USB. Since the patches are already available, Medtronic reactivated the SDN and customers can use it now to update their devices.

Medtronic is monitoring possible exploitation of the vulnerabilities. It’s good that no cyberattack or privacy breach has been reported resulting from the vulnerabilities and there is no report of patients being harmed.

The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert to Pulse Secure customers instructing them to apply the patch for the 2019 Pulse Secure VPN vulnerability, labeled as CVE-2019-11510.

Cybercriminals are continually attacking unpatched Pulse Secure VPN servers. The threat actors install the Sodinokibi (REvil) ransomware in the unpatched Pulse Secure VPN servers they target when exploiting CVE-2019-11510. A number of attacks were already reported in January 2020. Aside from encrypting data, the threat actors steal the data and threaten the victims that they will publish the sensitive data. Last week, there was information owned by Artech Information Systems that was published because of the non-payment of the ransom.

CISA still see extensive exploitation of vulnerability CVE-2019-11510 by various threat actors. Some are country-state sponsored advanced persistent attackers exploiting the vulnerability with the intention to steal data, passwords, and install malware.

Exploiting vulnerability CVE-2019-11510 could make it possible for a remote, unauthorized attacker to access all active VPN users and get their plain-text passwords. CISA explains that an attacker could also execute arbitrary code on VPN clients in case they are able to connect to an unpatched Pulse Secure VPN server.

Pulse Secure published an advisory regarding the vulnerability on April 24, 2019 and released patches to fix the vulnerability on all Pulse Connect Secure and Pulse Policy Secure versions affected. However, lots of organizations are slow in applying the patches. Because there are no mitigations or alternative fixes that may be used to avoid vulnerability exploitation, the only option is to use the patches from Pulse Secure.

CISA has advised all institutions to use the patches without delay to avoid vulnerability exploitation. There are approximately 10% of Pulse Secure customers vulnerable to the attack because they have not applied the patch.

Data breaches in the healthcare industry are happening more often than before. In 2019, the HHS’ Office for Civil Rights received 494 data breaches involving over 500 records so far and there were over 41.11 million healthcare records exposed, impermissibly disclosed or stolen. That figure makes 2019 the worst year ever with regards to healthcare data breaches and the second-worst when it comes to the volume of breached healthcare records.

About four of five data breaches involve the healthcare industry in 2019. The healthcare industry cost as a result of those breaches is estimated to go up to $4 billion in 2020.

The poor condition of healthcare cybersecurity was pointed out by a late 2019 Black Book Market Research survey of 2,876 healthcare security professionals from 733 provider organizations. The survey looked at the condition of vulnerabilities, cybersecurity gaps, and inadequacies in the healthcare industry.

The survey showed that over 93% of healthcare companies encountered a data breach since Q3 of 2016. 57% of surveyed healthcare workers encountered over 5 breaches during that period. Though there’s noticeably a high risk of a data breach, companies do not invest in cybersecurity at a level that is needed. As per 90% of hospital officials surveyed, the level of IT security budgets stayed the same since 2016.

The survey showed that hospital systems have spent 6% more on their cybersecurity budgets. However, physician organizations spend a lesser amount on cybersecurity since 2018 and currently their allocation is under 1% of their IT budget.

When spending money on cybersecurity, organizations often buy solutions blindly or with minimal idea or discernment. The survey revealed that from 2016 to 2018, 92% of data security buying decisions made by the C-suite did not involve any users or concerned department managers.

Despite the fact of attack threats, 92% of healthcare organizations do not have enough full-time cybersecurity experts and just 21% of hospitals claimed having a security executive. Just 6% of the survey participants said there was a person who is the Chief Information Security Officer (CISO). Just 1.5% of physician organizations with over 10 clinicians claimed to have a dedicated CISO.

The healthcare industry needs more CISOs and cybersecurity specialists. However, it is uncertain where those people will be from because of a national deficiency of skilled cybersecurity specialists. Meanwhile, cybersecurity is being outsourced to managed service providers.

The survey also observed these things:

• 96% of IT experts say threat actors are moving faster than medical companies
• Providers are spending more money on marketing to fix ruined reputations following a breach than on dealing with the effects of data breaches.
• 35% of healthcare establishments have not scanned for vulnerabilities prior to an attack
• 87% of healthcare organizations did not have a cybersecurity drill and an incident response procedure
• 40% of companies surveyed don’t assess their cybersecurity status
• 26% of hospital survey participants and 93% of physician groups reported they have no sufficient solution to quickly identify and respond to a cyberattack.

The Georgia Supreme Court revived a lawsuit filed against Athens Orthopedic Clinic regarding a cyberattack by TheDarkOverlord in June 2016.

The cyberattack involved patient data theft from Athens Orthopedic clinic. The hacking group issued a ransom demand and said that they would restore the data after paying the ransom. The clinic declined to pay off the ransom and the hacking group replied by saying that it sold some of the stolen information. Later on, the hacking group posted certain stolen information on Pastebin, where other people could download it.

According to three victims of the data breach, namely, Paulette Moreland, Christine Collins, and Kathryn Strickland, they faced risks of identity theft and fraud from the time the cybercriminals got hold of their personal data, posted them for sale on the darknet, and some people downloaded them.

Christine Collins, one of the plaintiffs, claimed her credit card had fraudulent charges soon after the cyberattack. Those charges were reversed but she needed to spend time working on it. She also put her credit card on fraud alerts to avoid further problems.

The plaintiffs want damages covering the fees they had to pay for credit monitoring and identity theft protection services as the clinic did not offer such services plus attorneys fees, and they also want injunctive relief according to the Georgia Uniform Deceptive Trade Practices Act.

The lower court granted standing to the lawsuit, however, Athens Orthopedic clinic submitted a motion to dismiss that the Court of Appeals granted. The Court of Appeals decided that the alleged negligence was invalid, seeing that the plaintiffs were trying to get damages for a heightened risk of harm. Under the Georgia tort law, this was regarded as speculative harm and wouldn’t be tantamount to a cognizable injury.

Now, that decision was overturned by the Supreme Court stating that the plaintiffs had claimed adequate harm so that the case survived the motion to dismiss.

The Supreme Court in its ruling stated that the plaintiffs claim the cybercriminals could steal their identities for fraudulent acts and there is an “imminent and substantial” risk of identity theft. This equates to a legitimate allegation with regard to the possibility of identity theft of any class member because of the data breach. Since this lawsuit is presented with a motion to dismiss, we should acknowledge this factual allegation as true.

The Supreme Court determined that the Court Of Appeals’ ruling was based on two cases that were not the same as the cyberattack on Athens Orthopedic Clinic. In the two cases, there was no proof that indicates the cybercriminals stole information, consequently, there’s no imminent and substantial risk of identity theft and fraud.

In the incident of Athens Orthopedic Clinic’s cyberattack, a cybercriminal stole the plaintiffs’ information and threatened to peddle the information, tried to do so, and other people downloaded the information. At this point, we should presume that the plaintiffs’ data was maliciously accessed by a criminal actor and there was an attempt to sell some of the information to other wrongdoers. Therefore, the “imminent and substantial risk” of identity theft and fraud is real. The Supreme Court decided that the plaintiffs’ negligence claims are adequate to survive the motion to dismiss.

Security researchers at Blackberry Cylance warn managed service providers, technology, and medical care companies about a new ransomware variant used for targeted attacks.

Attacks using a new VegaLocker/Buran ransomware variant called Zeppelin are executed on carefully picked, high profile targets. Since early 2019, attackers use VegaLocker and variants from this ransomware family were used to strike businesses located in Russian speaking nations.

The campaigns were extensive and employed malvertising to direct users to sites holding the ransomware. The most recent variant is being employed in a remarkably different campaign that’s a lot more focused. So far, attacks were only identified in European, Canadian and United States companies. In case a gadget in the Russian Federation, Belorussia, Ukraine or Kazakhstan downloads the ransomware, the ransomware simply leaves and doesn’t do file encryption.

The VegaLocker family ransomware variants were all offered as ransomware-as-a-service. The Zeppelin ransomware seems to be the same, though Blackberry Cylance researchers think that the threat actors behind the attacks are different. There were just a few attacks to date, thus this can mean a few people are executing the attacks on carefully selected targets.

Zeppelin ransomware is very easy to customize and may be used as an EXE or DLL file. Some were also found wrapped in PowerShell loaders. Attackers additionally personalize the ransom notes and modify them to match various campaigns. Some found the name of the firm attacked being used, further showing how the campaigns are highly targeted.

When attacking managed service providers, MSP files are encrypted, and by means of their remote admin tools, the ransomware is installed on their clients’ systems. It is more common for service providers to be attacked and a number of threat actors have used this tactic, which includes those responsible for the Ryuk and Sodinokibi ransomware.

Zeppelin ransomware uses a number of obfuscation layers to avert security solutions, which include using encrypted strings, code of various sizes and pseudo-random keys. The encryption schedule could likewise be slowed down to evade detection by heuristic analyses and trick sandboxes. The ransomware could even eliminate backup services and remove backup files and shadow copies to hinder repair without a ransom payment.

The original file is encrypted retaining the extension. The files are tagged using the word Zeppelin. The encryption routine employs symmetric file encryption with randomly created keys for every file, (AES-256 in CBC mode) together with asymmetric encryption for the session key, utilizing a personalized RSA implementation.

Blackberry Cylance researchers obtained a number of ransomware samples where only the file’s first 1000 bytes are encrypted. This is enough to make the files unusable and accelerates the file encryption process at the same time, hence it is less likely to detect the attack and stop it before the completion of file encryption.

In these targeted attacks, the attackers drop a ransom note that includes email addresses so that the victims could contact them. This makes it possible for the attackers to specify ransom payments based on the victim’s perceived capability to pay.

It is not known what strategies the attackers use to spread the Zeppelin ransomware. The researchers located a sample on water-holed sites, with Pastebin hosting the ransomware payload. However, a number of distribution methods could be employed.

Protecting against attacks calls for combining security solutions and adopting best practices in cybersecurity, which include:

• Blocking open ports
• Changing all default passwords
• Disabling RDP when possible
• Using an enhanced spam filtering solution
• Applying patches immediately
• Keeping operating systems and software program updated

Make sure to train staff and follow security best practices. Be sure to create backups regularly and test them to ensure file recovery. It is additionally necessary to store one backup copy securely on a device that isn’t linked to the network.

An IT company in Colorado that offers managed IT services to dental offices experienced a ransomware attack. Using the company’s systems, over 100 dental practices were likewise attacked by ransomware.

The ransomware attack on Complete Technology Solutions (CTS) based in Englewood, CO started on November 25, 2019. A KrebsonSecurity report stated that CTS received a ransom demand of $700,000 in exchange for the keys to disable the encryption. The company decided not to pay the ransom.

When providing dental practices with IT services, access to their systems is given to CTS using a remote access tool. Hackers seem to have used that tool to access the systems of CTS clients and attack it using Sodinokibi ransomware.

A few of the dental practices hit by the attack were able to recover their data using backups, specifically those that had stored a copy of their data offsite. A lot of dental practices continue to have no access to their data or systems and are turning down patients because of continuing system failures.

KrebsonSecurity reports that a few of those practices are attempting to make a deal with the attackers to get the keys to unlock their data.

Due to several ransom notes and file extensions, data recovery has been challenging. And so, recovery of some encrypted data has been possible after paying the ransom demand. To unlock other encrypted files, it required paying an additional ransom. Black Talon Security mentioned to KrebsonSecurity the condition of one dental practice that had 50 encrypted devices and got over 20 ransom notes. There were several payments made to recover data.

There was a similar attack on the Wisconsin company PerCSoft, which resulted in the ransomware attack of about 400 dental offices in August 2019. PerCSoft is a company providing dental offices with digital data backup services. The hackers used the Sodinokibi ransomware.

Ransomware gangs are increasingly targeting managed service providers. Through one attack on a managed service provider, the attackers could strike many other firms, so that the returns are much higher.

A Kaspersky Lab recent report stated that ransomware attackers are focusing on backups and Network Attached Storage (NAS) tools to make it tougher for victims to get back their files for free and not pay the ransom.

The most recent attack demonstrates the importance of creating backups of all critical information. So make sure to at least have one backup copy of files to be stored securely off-site, on a non-networked device that is not accessible online.

Healthcare companies that still use Windows 7 and Windows 2008 must upgrade their operating systems because Microsoft will stop giving support starting on January 14, 2019.

On January 14, 2019, Microsoft will not release patches and updates anymore making the operating system vulnerable to attackers. There probably won’t be any cyberattack the moment support stops, however any operating system vulnerabilities identified after January 14 will not be addressed. Attackers could exploit the Windows 7 vulnerabilities in compromised devices and launch attacks on all devices linked to the network. The risk of cyberattacks will grow in proportion to the number of vulnerabilities found.

As per Forescout, the industry that uses the most number of Windows 7 devices is the healthcare industry. A report at the start of this year showed that 56% of healthcare companies still use devices running on Windows 7. Moreover, 10% of the devices used by healthcare companies still use Windows 7 or its identical versions. It is expected that by January 14, 2020, around 70% of all IoT and healthcare devices will continue to use Windows 7 or other operating systems that are not supported.

Using unsupported operating systems violates the HIPAA. In case of a Windows 7 vulnerability exploitation after January 14, healthcare companies will face a regulatory penalty if protected health information (PHI) is exposed.

Healthcare companies that cannot upgrade prior to January 14 have another option. Microsoft will still provide extended security updates for users of enterprise Windows 7 but they will pay an annual fee per device. The cost of Microsoft’s extended support will be high and will only be available until January 2023.

• $25 per device in 2020
• $50 per device in 2021
• $100 per device in 2022

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) reported a ransomware attack that resulted in the potential compromise of the protected health information (PHI) of approximately 80,000 patients.

The attack was discovered on September 23, 2019. The IT staff responded and singled out the affected server and took steps to recover the encrypted data. It is uncertain whether SEMOMS paid the ransom or if the IT crew had restored the server from backups.

With the help of computer forensics specialists, SEMOMS established that the affected server included names and X-ray pictures and that an unauthorized individual accessed the server. No proof was found to show the attackers accessed or exfiltrated patient information, but it cannot be ruled out that there was unauthorized ePHI access and theft of data. As a result, notification letters were sent to all individuals whose protected health information was possibly compromised.

Phishing Attack on Healthcare Administrative Partners Affected 17,693 Patients

Healthcare Administrative Partners (HAP), a company offering medical billing and coding services to healthcare organizations in Media, PA, reported that an unauthorized person accessed the email account of an employee after responding to a phishing email.

HAP became aware of the phishing attack on June 26, 2019 upon noticing suspicious activity in the email account of an employee. It was confirmed on September 26, 2019 that the email account contained the PHI of some clients.

A third-party computer forensics company investigated the breach, but found no clear information yet if the email messages and attachments with ePHI had been accessed. Its probability cannot be eliminated.

The account comprised patient information such as names, addresses, birth dates, medical record numbers, doctors’ names, prescription medications, health diagnoses, and limited treatment data. HAP sent notification letters to all impacted companies on October 4, 2019.

HAP also took the necessary steps to enhance email security including the resetting of email passwords, labeling of all external emails as external, training of employees on extra security awareness, and implementing mailbox size limitations and email archiving to minimize the exposure of data in case of more attack. HAP is additionally examining multi-factor authentication alternatives.

TigerConnect’s 2019 State of Healthcare Communications Report showed that dependence on decades-old, ineffective communications technology is adversely affecting patients and is further increasing healthcare costs.

TigerConnect’s report involved the participation of over 2,000 patients and 200 healthcare workers in a survey to evaluate the present condition of communications in healthcare and obtain information on areas with inefficient communication.

The results undoubtedly indicate the brokenness of communication in healthcare. 52% of healthcare companies are have disconnected communication that affects patients every day or a few times per week.

The report shows the majority of hospitals still heavily rely on 70s communications technology. 89% of hospitals continue to utilize faxes and 39% still use pagers in certain divisions, jobs, or even throughout the entire business. The world probably has advanced, yet healthcare has not, though healthcare is the sector that benefits the most from using mobile technology.

The HHS’ Centers for Medicaid and Medicare Services (CMS) is lobbying for the elimination of fax machines at the close of 2020 and want healthcare organizations to use safer, dependable, and effective communications techniques. Considering the numerous application of fax machines, that goal may be hard to accomplish.

There is considerable cost brought about by communication problems in healthcare. As per NCBI, over $4 million is lost each year by a 500-bed hospital because 70% of all medical error fatalities are due to inefficient communication and errors.

Healthcare employees definitely feel the communication problems when valuable time is wasted on combating inefficient communications systems. According to the report, 55% of healthcare companies think the healthcare industry is not up-to-date when it comes to communications technology, in contrast to other consumer sectors.

One of the major problems confronting healthcare professionals is the inability to contact members of the care team when needed. 39% of healthcare specialists said that communicating with more than one care group team members is hard. The problems in communicating immediately and effectively are creating work problems all through the care system. Quick communication is crucial for offering premium quality patient care and enhancements are done, although slowly. Secure messaging is currently the main method of communication in general for nurses (45%) and doctors (39%). Landlines are the primary way of communication for personnel outside hospitals (37%) and allied health experts (32%), though secure messaging platforms may be used by all groups anywhere.

Although there is a growing mobile labor force in healthcare, healthcare companies still rely heavily on landlines. People use landlines when there is no secure messaging available. Organizations likewise use landlines 25% of the time where secure messaging is available.

A lot of healthcare companies that have implemented secure messaging platforms to improve communication are unable to enjoy all of its benefits. Too often, secure messaging technology is applied in silos, with diverse groups utilizing varied techniques and tools to converse with one another. When not using secure messaging, for example when using the platform only by particular persons, communication is very problematic.

Patients feel communications problems. About 3/4 (74%) of surveyed patients who’d been in the hospital for two years, either getting treatment or seeing an immediate family, said the inefficient processes are frustrating.

The most typical complaints were

• slow-moving discharge/transfer times (31%)
• ED time with physicians (22%)
• lengthy waiting room times (22%)
• the capability to communicate with a physician (22%)
• the amount of time required to get laboratory test results (15%).

A lot of these issues can be resolved by improving care team members’ communication.

The survey likewise showed that hospital employees have a tendency to underrate the degree of frustration felt by patients. The survey additionally revealed that clinical and non-clinical personnel are not in-line. Non-clinical employees underrate communication problems, and 68% of non-clinical employees probably won’t say communication disconnects are adversely affecting patients every day.

Communication issues were reported as causing

• late discharges (50%)
• delays in consultation (40%)
• lengthy ED wait times (38%)
• transport delays (33%)
• slow inter-facility transfers (30%).

There is a 50% better chance of everyday communication disconnects adversely affecting patients when not using secure messaging.

TigerConnect has a number of recommendations regarding how to improve communication in healthcare:

• Prioritize communication as a method
• Concentrate on enhancing communication to relieve major bottlenecks
• Incorporate communication platforms with EHRs to achieve the best value
• Standardize communication throughout the organization
• Clinical leadership must be included in designing a solution
• Quit using patient websites to connect with patients and begin using patient messaging as an all-around communication strategy.

The survey gives important information about the status of communication in healthcare and evidently shows what needs to be improved. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge on this link (registration required).

The Internet of Things Improvement Act has been introduced by co-chairs of the Senate Cybersecurity Caucus, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT). This act requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has also been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

It has been predicted by Ericcson that there will be 18 billion IoT devices in use by 2022. What’s more, IDC predicts IoT spending will hit$1.2 trillion in the same year. With growing numbers of IoT devices, the concern about the security risk posed by the devices also grows.

Sen. Warner wants to ensure that a basic standard for security is achieved before any IoT device is allowed to connect to a government network. He also wants to make use of the purchasing power of the U.S. government in order to help establish minimum standards of security for IoT devices.

IoT devices are currently entering the market with scant cybersecurity protections. Often when cybersecurity measures are integrated into IoT devices it is as an afterthought. The majority of IoT devices have not been designed with security as a priority. This is largely as a result of the market encouraging device manufacturers to prioritize convenience and cost over security.

NIST are called by the bill to issue recommendations for IoT device manufacturers on secure development, configuration management, identity management and patching throughout the life-cycle of the devices. It will also be required for NIST to work alongside cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to make sure flaws are ironed-out when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to make guidelines available for every agency that is consistent with NIST recommendations and for policies to be reviewed at least every five years.

It will also be required for any IoT device used by the federal government to meet the security standards set by NIST. Additionally, contractors and vendors that provide IoT devices to the government will be asked to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is vital that IoT devices do not give hackers an opportunity to break into government networks. Without these minimum security standards, the government will be open to attack and critical national security information will be in a vulnerable state.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.