Sunday, November 15, 2020

Doctors an Easy Mark for Hospital Cyberattackers

As healthcare systems cope with a surge in COVID-19 patients, they're also dealing with an onslaught of ransomware attacks.

In late October, the FBI and the U.S. Department of Health and Human Services issued an alert that hackers using the "Ryuk" ransomware, which took in at least $61 million in the U.S. from 2018 to 2019, were targeting hospitals during the second COVID-19 surge.

While healthcare systems have worked to strengthen their defenses against such attacks, cybercriminals are still finding a way in, often via healthcare workers who fall for sophisticated spear phishing attacks. These aren't Nigerian prince scams; fraudulent emails are targeted, going so far as to spoof a boss' email address or pretend to share information about COVID-19.

"Both our strongest link and our weakest link are our people," said Rich Temple, chief information officer of the Deborah Heart and Lung Center in New Jersey, who added that phishing attacks their organization have "kicked up with a vengeance" since April.

Attacks Ramping Up in Healthcare

These kinds of strikes on healthcare systems aren't new for a simple reason: the potential payout for hackers if they get inside. Patient files often include information such as Social Security numbers that can be sold for big money on the dark web.

Hospitals have also typically trailed other sectors, like finance, in fortifying security measures. Healthcare systems spend 4% to 7% of their IT budget on security, compared to 15% in other sectors, according to research from the law firm Bass, Berry and Sims.

"It's the ease of getting to this information as well as the value of the data," said Chris Sherman, security and risk analyst at the consulting firm Forrester.

Ransomware is profitable, too. In a ransomware attack, hackers infect and shut down a hospital's IT system by doing things like making data impossible to read, stymieing communication between employees and shutting down email systems. They then demand a ransom to return things back to normal. Ransomware attacks have cost the U.S. healthcare system at least $160 million since 2016, according to a February study by research firm Comparitech.

These kinds of attacks have been on the rise since that report. According to NBC News, as many as 20 medical facilities were hit recently, a figure that includes multiple facilities within the same hospital chain.

Stakes Are Rising

Bad actors can cause more problems than just monetary losses. While concerns about attacking patients directly by doing things like hacking into their medical devices or altering test results are still only theoretical, shutting down hospitals is real and does real harm.

When University Health Services -- which has 400 facilities in the U.S. and U.K. -- was hit with a suspected Ryuk attack in September, they had to take their 250 U.S. facilities offline. Officials told the Wall Street Journal that no patients were harmed, but employees told the Associated Press that their ability to communicate about patients was severely hampered.

During the 2017 "WannaCry" attack on Britain's National Health Service, "emergency departments were shut down. Patients had to have surgeries stopped mid-procedure and ambulances had to rush these patients to other hospitals," said Ryan Witt, cybersecurity strategy director of healthcare at Proofpoint, a cybersecurity company.

An analysis from Digital Medicine found no mortality associated with that attack, but a German woman died during a September ransomware event at the Dusseldorf University Clinic. Emergency room patients had to be taken to other hospitals, which meant a 20-minute drive for this patient, delaying her care by an hour.

Caregivers Seen as a Way In

The switch to at least partial virtual care has created potential points of access for criminals, said Sherman. "Just using a personal device that may or may not have out-of-date security, or weak passwords" opens up possible attack vectors. Home Wi-Fi networks and routers may also be less secure than those within a physical healthcare setting, which means it's more likely that criminals can sneak into a healthcare organization's IT infrastructures through work devices attached to those environments.

However, phishing is still a preferred attack. According to the 2019 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, phishing was involved in 69% of security incidents at hospitals last year. It works, said Witt, because it relies on humans making mistakes, something that's exacerbated by pandemic-related exhaustion.

Today's phishing attacks also work because they're sophisticated. Hackers scrape information from hospital websites and social media platforms to make them personal. They'll often impersonate members of a hospital executive team, and direct their victims to do things they normally wouldn't do if a stranger asked, like clicking on a link that lets ransomware in, or giving up passwords and usernames, or even sending money to a criminal's bank account masquerading as a legitimate vendor or fund.

In a 2019 survey of email fraud attacks against 450 healthcare organizations, Proofpoint found that targeted healthcare companies received 43 imposter emails in the first quarter of 2019, up 300% over the same quarter in 2018. Within affected healthcare companies, 65 people were targeted by spoof email, and 95% of those companies saw emails spoofing their own domains.

Proofpoint found that subject lines of attack emails included "payment," "request," "urgent," and related terms in 55% of all imposter email attacks. In addition, 77% of attacks on healthcare companies used malicious URLs.

Those most likely to be attacked were people with access to critical data or systems, with a publicly available email. Popularity may hurt too, said Witt. "There's a correlation between your overall prowess and your area of specialty and if you're going to be a target," he said.

Hackers shifted during COVID, too. "As the news story evolved, the lures evolved," Witt said. At the outset of the pandemic, criminals pretended to be from groups like the World Health Organization, and asked doctors to click on links about COVID FAQs and protocols.

Attacks then moved to PPE, with hackers pretending to be vendors selling things like face masks and shields, and asking victims to approve purchase orders. Later, emails turned to being about stimulus funding. Fake vaccine trial emails have been constant throughout.

"We're seeing that attackers are getting more sophisticated and more devious," said Temple, regarding what his organization has seen in the last year. "That means impersonating leaders and sending orders to do this and do that."

He said their best line of defense is educating employees, which includes raising awareness about what bad emails look like but also running fake phishing campaigns, where they phish their own employees.

"You see if people click on things they shouldn't, and take it one step further to see if they reveal their username and password," he said. "We know who those people are and need a little extra attention."

This is a common practice. That same HIMSS Cybersecurity Survey found that 82% of healthcare organizations run fake phishing campaigns. They also found that 40% of organizations said they have click rates lower than 10%, which they call "a significant, positive achievement."

While Temple wouldn't share how many employees were tricked by fake phishes, he did say that "it's people in all different ranks in the organization who fall for it, not just entry-level people. Doctors have fallen for it multiple times."

They will let employees know they fell for the fake email, and contact their managers, too. He knows that sounds harsh, but "it's so dangerous. Our staff are our last line of defense from what can be a catastrophe."

https://www.medpagetoday.com/practicemanagement/informationtechnology/89629


Saturday, November 14, 2020

Walmart to limit people in stores nationwide to combat COVID-19 spread

Starting on Saturday, Walmarts nationwide will be “metering” in order to limit the number of customers inside a single store at one time.

The process of metering was put in place back in April for Walmart at all stores across the country. Starting this weekend, Walmart will be back to counting customers. When Walmart started regulating store entry back in April, they were allowing no more than five customers for each 1,000 square feet at a given time, or about 20 percent of a store’s capacity. The new mandate will remain the same, unless there is a lower capacity allowed as required by a local government.

Once a store reaches its capacity, customers will be admitted inside on a “1-out-1-in” basis.

“We know from months of metering data in our stores that the vast majority of the time our stores didn’t reach our self-imposed 20% metering capacity,” Senior Director of Global Communications for Corporate Affairs at Walmart Kory Lundberg wrote to 11 News Friday night.

https://www.kktv.com/2020/11/14/walmart-will-start-limiting-the-number-of-people-in-stores-nationwide-on-saturday-to-combat-the-spread-of-covid-19/

Trial Finds Semaglutide Resolves NASH in Many Obese Adults

More patients who received subcutaneous semaglutide (Ozempic), the glucagon-like peptide-1 (GLP-1) receptor agonist, saw resolution of their nonalcoholic steatohepatitis (NASH), with no worsening of fibrosis, versus patients who received placebo in a randomized trial.

While the proportion of patients with NASH resolution was higher among those who received semaglutide at several dose levels versus placebo, the highest dose (0.4 mg) showed the greatest difference (59% vs 17%, P<0.001), reported Philip Newsome, PhD, of the University of Birmingham in England, and colleagues.

However, there was no difference in improvement in fibrosis stage between the two groups (43% in the 0.4-mg group vs 33% in placebo group, P=0.48).

Findings from this phase II trial were presented at TLMdX, the virtual American Association for the Study of Liver Diseases (AASLD) meeting, and published in the New England Journal of Medicine.

Semaglutide is approved to treat type 2 diabetes, as it increases insulin secretion, which boosts sugar metabolism. The researchers noted it is being studied for use in weight management, and that it has a mechanism of action similar to liraglutide, another GLP-1 receptor agonist, but with "more pronounced metabolic effects."

Prior research found that semaglutide induced weight loss and improved glycemic control in patients with obesity and type 2 diabetes, in addition to reducing cardiovascular risks among patients with type 2 diabetes at high risk. In addition, semaglutide reduced markers of inflammation and levels of alanine aminotransferase, said the study authors.

Newsome and colleagues conducted the phase II trial from January 2017 to September 2018, with a 7 week follow-up period, at 143 centers in 16 countries. Patients were mostly adults 18-75, with or without type 2 diabetes, and a BMI of greater than 25. They had biopsy-confirmed NASH and liver fibrosis of stage F1, F2, or F3. The primary endpoint was resolution of NASH, defined as no more than mild residual inflammatory cells, no hepatocyte ballooning, and no worsening of liver fibrosis after 72 weeks.

Patients were randomized to receive either 0.1, 0.2, or 0.4 mg of subcutaneous semaglutide or corresponding placebo daily.

Overall, 320 patients were randomized -- 80 to the 0.1-mg semaglutide group, 78 to the 0.2-mg group, 82 to the 0.4-mg group, and 80 to placebo. Patients' mean age was 55, 61% were women, 78% were white, and 62% had type 2 diabetes. Mean BMI was about 36, and about half had stage F3 fibrosis. Mean activity score for nonalcoholic fatty liver disease was about 5.

The researchers noted the lack of significant difference between groups with respect to improvement of at least one fibrosis stage, characterizing it as "unexpected," but added that the temporal association between NASH resolution, weight loss, and improvement in fibrosis stage "is not fully understood."

"It is possible that the current trial was not of sufficient duration for improvements in fibrosis stage to become apparent, especially since most patients had advanced fibrosis," they wrote, further speculating about a lack of statistical power for this secondary endpoint.

Examining safety, gastrointestinal disorders were the most common adverse events, with substantially higher proportions of patients in the 0.4-mg semaglutide group versus patients in the placebo group reporting nausea (42% vs 11%, respectively), constipation (22% vs 12%), decreased appetite (22% vs 5%), and vomiting (15% vs 2%). More serious adverse events were reported across semaglutide groups (15-19%) compared with placebo (10%), but the authors noted no apparent dose-dependent relationship.

Hepatic events were similar across groups, with gallbladder disorders occurring in a higher percentage of semaglutide patients. There were no cases of acute pancreatitis, and severe hypoglycemic episodes were rare. Malignant neoplasms were reported in three patients in the semaglutide groups (vs none in the placebo group), though observed events of benign, malignant, and unspecified neoplasms (which were not adjudicated) were 15% in the semaglutide groups and 8% in the placebo group. However, "no pattern of occurrence in specific organs was observed," the authors wrote.

They also said cardiovascular events were adjudicated, and occurred in three patients in the semaglutide groups, but no conclusions can be drawn, since the trial was not powered to evaluate cardiovascular outcomes.

One possible limitation to the trial was the lack of long-term clinical outcomes.

Disclosures

This study was supported by Novo Nordisk.

Newsome disclosed support from Novo Nordisk, Pharmaxis, Boehringer Ingelheim, Echosens, BMS, Gilead, Pfizer, and Poxel.

Other co-authors disclosed support from a variety of pharmaceutical and industry entities.

One co-author disclosed a patent for semaglutide use in medicine.

https://www.medpagetoday.com/meetingcoverage/aasld/89674

What's Wrong With COVID-19 Case Counts

There's certainly no denying the severity of COVID-19 in the U.S., but the numbers of positive tests reported can lead to confusion – especially for those of us in university towns.

Most of us in healthcare have a fairly good understanding of math but are not nuanced in the field of statistics. Unfortunately, the lack of understanding of the statistical principle of base rate fallacy/false positive paradox has led to some confusing numbers.

A classic 1978 article in the New England Journal of Medicine reveals this problem. The researchers asked 60 Harvard physicians and medical students a seemingly simple question: If a test to detect a disease with a prevalence of 1/1,000 has a false positive rate of 5%, what is the chance that a person found to have a positive result actually has the disease?

Only 14% gave the correct answer of 2% with most answering 95%.

Base rate fallacy/false positive paradox is derived from Bayes theorem. When the incidence of a disease in a population is low, unless the test used has very high specificity, more false positives will be determined than true positives. The difference in the numbers can be quite striking and certainly not inherently understandable.

We have learned in the past from routine PSA testing and mammograms that a positive test in a screening situation needs to be taken in context. The incidence of a disease in the population that you are testing is extremely important for accuracy.

Purdue University made the decision in late spring to resume in-person classes for its fall session. Purdue is a major research university with a strong emphasis on STEM education. Many of these classes include practicums, laboratory sessions, and group projects that require some in-person attendance.

An elaborate plan was implemented, including a signed pledge from all students to behave properly, wear masks, maintain social distancing. A decision was made to perform random testing on 10% of the students and staff each week. Since staff and students combined are 50,000 at Purdue University, 5,000 tests are done every week. The purpose of the random testing was surveillance to encourage students and staff to maintain proper behavior.

The Indiana State Department of Health advised against a random testing program, as it felt overall data accuracy would be difficult. Commingling of data in our county from the people tested WITH symptoms together with the randomly tested Purdue students WITHOUT symptoms has occurred. Base rate fallacy/false positive paradox unfortunately becomes ignored when one does this.

Up to this point, Purdue has done random testing on about 1,000 students per weekday. Of those, about 35 are positive each day, according to the university's dashboard. Students who test positive have to isolate in an old dormitory or go home. Those who choose to go home will often have another test by their personal physician. When these tests return negative, significant confusion occurs.

So far, 90% of the students who test positive do not develop symptoms. Only one has been hospitalized and none have died. Had Purdue chosen to test all 50,000 students and staff every week, 10 times the number would have reported as testing positive weekly. Had this data been commingled with testing of symptomatic individuals, there certainly would have been an outcry by the casual observer to close everything down again. Yet those numbers would be only representative of the positivity of mass testing, not the prevalence of infective patients.

Those 35 students who test positive daily are added to our county totals (many of those county positive tests are done on people with COVID-19 symptoms). Thus, it makes it look like our county's number of positive tests has doubled since Purdue started in-person classes in August.

The numbers have caused our county health department to move cautiously. Restaurant occupancy, sporting events and other large gatherings are again limited at a greater level than state requirements.

Without knowing the specificity of the test, the number of these positives that are false positives is unknown.

By base rate fallacy/false positive paradox, if the specificity of a test is 95%, when used in a population with a 2% incidence of disease -- such as healthy college students and staff -- there will be 5 false positives for every 2 true positives. (The actual incidence of active COVID-19 in college age students is not known but estimated to be less than 0.6% by Indiana University/Fairbanks data.) Even using a test with 99% specificity with a 1% population incidence generates 10 false positives for every 9 true positives.

Using the same test on patients with COVID-19 symptoms, because their incidence of disease is 50% or greater, the test does not have to be perfect. Even using a test with only 90% specificity, the number of false positives will be much less significant.

The actual sensitivity and specificity of COVID-19 tests are unknown as these tests were okayed by the FDA under Emergency Use Authorization. Manufacturers' data have not yet been corroborated by the agency.

The tests are "good enough" for diagnosing patients with symptoms but not nearly as effective when used for a random testing program.

By not reporting these groups separately, we really have no idea what's going on in our town. Luckily, Purdue keeps their own dashboard and with some calculations their data can be extracted from the county data to give us a ballpark guess. Also because of additional testing being available, Indiana is now performing at times 40,000 COVID tests per day. Eight weeks ago, Indiana was performing 20,000 tests per day. Our state has a population of 6.5 million. By those increased numbers of testing, 4% of our Indiana population is now being tested for COVID-19 every week.

Purdue has discussed using a serial testing protocol. Antigen tests will be used on the random population with subsequent confirmatory PCR tests used for anyone who initially tests positive. This should decrease the number of overall false positives and hopefully will prevent so many from being quarantined.

Certainly positivity rates are going up here. Contact tracers are telling positive testers who have nowhere to isolate to be evaluated at their hospital emergency room. Could this be the reason for increased hospitalizations? As of a week ago, our two local hospitals with a combined 350 beds had 18 patients admitted with a COVID diagnosis. COVID deaths in Indiana average about 23 per day, but that too is going up.

So it's all very confusing. Ideally, testing those WITH symptoms would be reported separately from those randomly being tested WITHOUT symptoms.

Contact traced people identified as being close to a COVID patient WITH symptoms (>10% incidence of testing positive for COVID) would also be another category and those identified by contact tracing who were near a person who tested positive WITHOUT symptoms (>1% incidence of having COVID) would be a fourth.

Throw all those four groups in together if you want, but just understand you are not getting a true picture of what is going on. We must compare apples to apples and oranges to oranges rather than just making fruit salad out of the whole thing. Bad decisions can be made because of a misunderstanding of statistics.

Robert Hagen, MD, is recently retired from Lafayette Orthopaedic Clinic in Indiana. He's an adjunct professor at Indiana University, a past president and board member of the Indiana Orthopaedic Society, and a past member of the Board of Councilors for the American Academy of Orthopaedic Surgeons.

https://www.medpagetoday.com/infectiousdisease/covid19/89522

Goldman 'Pinpoints Temperature Below Which COVID-19 Outbreaks Start To Accelerate'

In a recent note to clients, a team of researchers at Goldman Sachs took a close look at temperatures and studied whether they correlated with confirmed COVID-19 cases. Perhaps unsurprisingly, the team found a strong negative correlation between confirmed cases and temperature, with the number of the former going up while the number for the latter goes down.

As the regression modeled by Goldman shows, the further temperatures drop with a modest lag between the summer and the winter, the more extreme the surge in COVID-19 cases. This applies in both the US and Europe.

Using fixed effects modeling, the Goldman team then tried to strip out other factors to try and isolate and expose the influence of temperature on case growth.

Interestingly enough, the analysts' analysis found that no matter the difference in statewide policies and enforcement, cases appeared to wax and wane along with changes in temperature, appearing to resist most efforts to control the virus.

This notion isn't all that surprising. Most other coronaviruses (i.e., the common cold), along with various influenza strains, are heavily influenced by temperature and seasonal effects (hence "flu season").

Medical literature cited by Goldman explains the seasonality trend in two key ways: increased indoor social activity for "hosts", which increases exposure, along with the cold weather's impact on the immune system and general health (making individuals more vulnerable).

Armed with these models, Goldman's team of analysts produced a set of projections showing that the economies of the US and Europe will likely slow significantly during Q1 and Q4, followed by a springtime thaw as new case numbers start to recede.