The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to their C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effective

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

HIMSS AsiaPac19 Livestream

Richard Staynings HIMSS TV interview, HIMSS AsiaPac 2019
Livestream from HIMSS AsiaPac19
Offensive Artificial Intelligence (OAI) will radically change how healthcare needs to defend itself from cyber attack and will require a new approach to defense using Defensive AI tools. As an industry we need to start preparing for this. This and other warnings in a live-stream from HIMSS AsiaPac19.




See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also AI Will Radically Change Healthcare Security my keynote from HIMSS AsiaPac19


AI Will Radically Change Healthcare Security


The massive recent growth in cyber-attacks has become a huge concern for just about everyone all around the world. This includes individuals, business, industry, and governments. Most alarmingly this also seems to include a myriad of critical infrastructure services like healthcare which is firmly in the cross-hairs of perpetrators. Healthcare presents an easy and lucrative target for cyber-attackers for the value of PII, PHI and IP but also, for the extortion value of holding sick patients or their medical data to ransom.

The criminal underworld that is behind many of the current cyberattacks is not just highly organized and specialized, it's syndicated, heavily networked across geographic and political boundaries and now forms a giant cartel - a criminal underworld of cyber crime, where the buying and selling of exploits, stolen data, and the laundering of dirty money is as business-like as the 24/7 customer service these groups provide to victims.
 
Just as South American drug lords dominate the manufacture and supply of illegal narcotics sold in the United States, the Russian Mafia and its off-shoots dominate the cyber criminal theft and extortion racket that attacks the United States, Europe and Asia. Thanks to their location in the former USSR, which lacks extradition treaties with the rest of the world, most of these perpetrators are immune from prosecution in the countries where they inflict damage. Their locations also typically lack robust local or national law enforcement, and police officers can be easily paid off to look the other way. In other words, cyber criminals can act and ply their trade with impunity, unlikely ever to be brought to justice.
 
Then there are the nation-state actors, who have vast units of military intelligence cyber operatives used to attack and weaken other countries for political and economic advantage. They often push up against the boundaries of acceptability and cyber war, carefully calculating that their actions will not cause a kinetic, or major economic or diplomatic response from those attacked and injured. China leads the ranks with hundreds of thousands of PLA cyber warriors, while the Russian GRU, and FSB, are not far behind. Not without mention are also Iranian state actors or groups operating out of China on behalf of the Kim dynastic regime of North Korea.

Together, these nation states, their proxies and plain and simple opportunistic criminal cartels present a formidable foe for anyone defending a government, a nation's critical infrastructure services or any business. But cyber-attacks are increasingly becoming automated using AI to get past cyber defenses by removing the human constraint factor that causes an attacker to pause for consideration. ‘Offensive AI’ mutates itself as it learns about its environment to stealthily mimic humans to avoid detection. It is the new cyber offensive weapon of choice and will automate responses to defensive measures rather like playing chess with a computer – it learns as it goes! Anyone who has seen the movie 'War Games' a 1983 American Cold War science fiction techno-thriller, will soon realize that this assumed intelligence can be dangerous, as computers lack human reasoning, empathy or broader understanding and could easily take an attack too far.


The author presenting how AI will radically change healthcare security at the HIMSS AsiaPac19 Annual Conference in Bangkok, Thailand.

 

Deepfakes

We are all used to critically evaluating an image to look for the tell-tale signs of photoshopping or other image manipulation before believing what we see. The same is true for audio recordings – was that really the President saying that or was it an impersonator? What we are not used to is video manipulation – this is new territory for our brains to critically process and evaluate for truth and accuracy. AI is increasingly being used in sophisticated technology to create ‘deepfakes’ where a face is superimposed on someone else’s body or the entire video is computer generated.


Data Integrity

AI’s intent is not just to steal information but to change it in such a way that integrity checking will be difficult if not impossible. Did a physician really update a patient’s medical record or did ‘Offensive AI’? Can a doctor or nurse trust the validity of the electronic health information presented to them? Ransom of patient lives may not be too far away – especially at times of heightened global tensions.

Defensive AI

But AI is already being used very effectively for cyber defense across healthcare and other industries. Advanced malware protection that inoculates the LAN and responds in nano-seconds to anomalous behavior patterns. Biomedical security tools that use AI to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks. AI-powered attacks will outpace human response teams and outwit current legacy-based defenses. ‘Defensive AI’ is not merely a technological advantage in fighting cyber-attacks, but a vital ally on this new battlefield and the only way to protect patients from the cyber criminals of the future. 

More Resources

See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also my LiveStream TV Interview from HIMSS AsiaPac19


The impact of AI & HIoT related threats and recommended approaches

An interview with Richard Staynings, Chief Security Strategist at Cylera at the HIMSS AsiaPac 19 conference in Bangkok, Thailand.


The following article first appeared in the Show Daily of the HIMSS AsiaPac19 conference

Currently leading healthcare security strategy at Cylera, a biomedical HIoT security startup, Richard Staynings has more than two decades of experience in both cybersecurity leadership and client consulting in healthcare. Last year, he served on the Committee of Inquiry into the SingHealth breach as an expert witness in Singapore. He recently spoke to Healthcare IT News on some of the current developments in healthcare cybersecurity.

Sections:

  1. AI
  2. IoT
  3. Keeping Abreast
  4. Resources
 
 

 Q. Artificial Intelligence (AI) applications in healthcare are all the rage now, and so are cybersecurity threats, given the frequency and intensity of healthcare-related incidents. In particular, some of the cyber-attacks have become more sophisticated through the use of AI to get past cyber defenses. On the medical devices front, AI is also being used to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks. How do you think the application of AI in healthcare cybersecurity will be like in the next few years?


A. Healthcare is widely considered to be an easy and soft target because “who in their right mind would attack the weak and defenseless?” …. or so the thought goes! The fact is that healthcare presents a rich target for cyber criminals because of the value of the data hosted and processed. When you couple that with a chronic historic under-investment in the development of capable cybersecurity teams and tools across healthcare, you can see why perpetrators are so keen to break in. But it’s no longer the theft of medical records, or PII that concerns me, it’s the wholesale theft of intellectual property from research universities and pharmaceuticals by outlaw nation states, (one in particular) and the potential to hold both hospitals and their patients to ransom by just about anyone - that’s what really worries me most.

I believe we are on the cusp of an AI arms race. Attackers are busy designing new attack vectors and methods to get by cyber defenses that heavily leverage AI and ML (machine learning). Advanced persistent threats (APTs) that hide unnoticed on the network for years sometimes, while gathering vital information and gradually expanding their footprint till they own the entire network, just as the attack on SingHealth in 2017 demonstrated. AI that perfectly emulates the normal acceptable behavior of users and systems on the network and as such goes undetected by even the best cyber defenses. AI that knows when someone of significance is on vacation by their spouse’s Facebook or Instagram posts and can perfectly emulate the exact way that a CEO communicates, in order to seemingly instruct Finance to make payments to an overseas supplier from their yacht on the high seas, well out of cell phone range for any chance of voice verification.

‘Offensive AI’ mutates itself as it learns about its environment to stealthily mimic humans to avoid detection. It is the new cyber offensive weapon of choice and will automate responses to defensive measures rather like playing chess with a computer – it learns as it goes. But increasingly the intent of attacks is not just to steal information but to change it in such a way that integrity checking is impossible. Did a physician really update a patient’s medical record or did ‘Offensive AI’ do it? Can a doctor or nurse trust the validity of the electronic medical information presented to them? This is the new threat and it is best executed by AI.


Why would anyone do this? Well, I can think of at least three reasons: Cyber-war, monetary extortion, and as a distraction from even more nefarious attacks against military targets or defense secrets.

AI is already being used very effectively for cyber defense. Advanced malware protection that inoculates the LAN and responds in nano-seconds to anomalous behavior patterns. Biomedical security tools that use AI to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks, (just as my company, Cylera makes). AI-powered attacks will outpace human response teams and outwit current legacy-based defenses. ‘Defensive AI’ is not merely a technological advantage in fighting cyber-attacks, but a vital ally on this new battlefield and the only way to protect us all from the cyber criminals of the future.
 
 

Q. You will be conducting a cybersecurity workshop titled “The rising threat of Internet of Things - Everything from Medical Devices to Hospital Management Systems” at the upcoming HIMSS AsiaPac19 conference from October 7-10 held in Bangkok Thailand. Could you give us a primer on some of the common IoT-related cybersecurity threats in healthcare?


A. So unlike IT devices, by and large IoT devices can’t be centrally managed, patched, updated, or secured. IoT devices are simple and functional. They open and close a set of elevator doors, and move the elevator car to the desired floor. That’s all they do. They do it well and they do it millions and millions of times during their life spans.

The same is true with medical devices that administer drugs to a patient at a certain flow rate based upon the drug library, report on vital patient statistics like BP, heart rate and O2 saturation, and scan patients for broken bones, tumors, and other ailments. Most were designed at a time long before sophisticated and well-funded nation state cyber criminals, and a time when devices were by and large not connected to the Internet. Now these devices are managed remotely from hundreds of miles away by third party vendors who can do the job better, faster and cheaper than having a number of FTEs on staff locally. Thanks to digitization and inter-connectivity, devices now communicate directly with HIT applications and the EMR – something most older systems were never designed to do. And they certainly were never designed to connect securely. By network-connecting these highly insecure devices we have opened Pandora’s box, and the number of network-connected HIoT devices is growing at an exponential rate.

The big question is how do we understand what we have on our networks, assess and quantify their threats and vulnerabilities, and remediate those risks in such a way that patients are not placed at potential harm from attack by medical device. How do we identify when one of these devices is behaving abnormally so we can swap it out before attempting to treat a patient based upon inaccurate data or behaviour? How can we identify when a device has been compromised and is being used to attack the hospital? These are things that physicians, nurses, and biomedical technicians are not currently trained to look for!

The global WannaCry attack, attributed to North Korea, caused a large number of hospitals especially in the UK to have to turn away ambulances and cancel procedures. It was just the tip of the extortionist’s iceberg. Forget the decryption of medical records for a Bitcoin fee, just wait till patients in ICU or NICU are held to ransom - maybe by the medical devices attached to them and keeping them alive. Sound far-fetched? So did putting a man on the moon in the 1950s!
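The answer above asks how a hospital can know what is on its network, tell when a device is behaving abnormally, and spot one that has been compromised and is being used to attack the hospital. The following is an added example, not code from the article, from Cylera, or from Mr Staynings: a passive behaviour baseline for HIoT devices built from flow records. The asset inventory, addresses, flow-line format and thresholds are all constructed for illustration; a real deployment would learn the baseline from a longer known-good window and feed the findings into the SOC.

```python
"""Passive behaviour baselining for healthcare IoT (HIoT) devices.

Added example (hypothetical; not from the page or from any vendor product).
Learns what each clinical device normally talks to from flow records captured
during a known-good window, then flags three kinds of deviation that the
interview raises: devices missing from the inventory, devices whose traffic
pattern changes (new external destination, unusual outbound volume), and
devices that start contacting many internal hosts (a possible scan).
All device names, IP addresses and flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory: device IP -> (label, patient-facing?)
INVENTORY = {
    "10.20.1.11": ("infusion-pump-ICU-03", True),
    "10.20.1.12": ("patient-monitor-ICU-03", True),
    "10.20.2.40": ("ct-scanner-rad-1", True),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: 'src dst dport proto bytes_out'."""
    src, dst, dport, proto, nbytes = line.split()
    return Flow(src, dst, int(dport), proto, int(nbytes))


@dataclass
class Baseline:
    peers: set = field(default_factory=set)  # (dst, dport, proto) tuples seen
    max_bytes: int = 0                        # largest single outbound flow seen


def learn_baseline(lines):
    """Build a per-device baseline from flows captured during a known-good window."""
    baselines = defaultdict(Baseline)
    for line in lines:
        f = parse_flow(line)
        if f.src not in INVENTORY:
            continue  # only inventoried devices get a baseline
        b = baselines[f.src]
        b.peers.add((f.dst, f.dport, f.proto))
        b.max_bytes = max(b.max_bytes, f.bytes_out)
    return baselines


def is_internal(ip: str) -> bool:
    """Constructed assumption: the hospital LAN is 10.0.0.0/8."""
    return ip.startswith("10.")


def detect(lines, baselines, volume_factor=5, scan_threshold=5):
    """Return a list of (device, severity, reason) findings for a set of flows."""
    findings = []
    unknown_seen = set()
    new_internal_peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f.src not in INVENTORY:
            if f.src not in unknown_seen:
                unknown_seen.add(f.src)
                findings.append((f.src, "medium", "unknown device not in inventory"))
            continue
        label, patient_facing = INVENTORY[f.src]
        sev = "high" if patient_facing else "medium"   # patient-facing devices rank first
        b = baselines.get(f.src, Baseline())
        if (f.dst, f.dport, f.proto) not in b.peers:
            if not is_internal(f.dst):
                findings.append((label, sev, f"new external destination {f.dst}:{f.dport}"))
            else:
                new_internal_peers[label].add(f.dst)  # counted below, not flagged per flow
        if b.max_bytes and f.bytes_out > volume_factor * b.max_bytes:
            findings.append((label, sev, f"outbound volume {f.bytes_out}B exceeds {volume_factor}x baseline"))
    for label, peers in new_internal_peers.items():
        if len(peers) >= scan_threshold:
            findings.append((label, "high", f"contacted {len(peers)} new internal hosts (possible scan)"))
    return findings


# Constructed known-good window: pump -> drug library, monitor -> HL7 interface, CT -> PACS
LEARNING_FLOWS = [
    "10.20.1.11 10.20.0.5 443 tcp 1200",
    "10.20.1.11 10.20.0.5 443 tcp 900",
    "10.20.1.12 10.20.0.7 2575 tcp 4000",
    "10.20.2.40 10.20.0.9 104 tcp 800000",
]

# Constructed later window containing one example of each deviation
DETECTION_FLOWS = [
    "10.20.1.11 10.20.0.5 443 tcp 1000",        # normal
    "10.20.1.11 203.0.113.9 8443 tcp 3000",     # pump talks to an external host
    "10.20.1.12 10.20.0.7 2575 tcp 30000",      # monitor sends far more than usual
    "10.20.2.40 10.20.3.1 445 tcp 100",         # CT touches five new internal hosts
    "10.20.2.40 10.20.3.2 445 tcp 100",
    "10.20.2.40 10.20.3.3 445 tcp 100",
    "10.20.2.40 10.20.3.4 445 tcp 100",
    "10.20.2.40 10.20.3.5 445 tcp 100",
    "10.20.9.99 10.20.0.9 104 tcp 500",         # device nobody inventoried
]


def run_example():
    return detect(DETECTION_FLOWS, learn_baseline(LEARNING_FLOWS))


if __name__ == "__main__":
    for device, severity, reason in run_example():
        print(f"[{severity}] {device}: {reason}")
```

The point of the design is that nothing here depends on the device being patchable or agent-capable: the baseline is learned from traffic alone, which is the only vantage point most legacy HIoT devices offer. The severity field is where the asset inventory earns its keep, since a deviation on a patient-facing device should reach a biomedical engineer before a deviation on a building-management controller does.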


Q. Cybersecurity is a constantly evolving field these days with the rapid advancement of technologies as well as the increased sophistication of cyber-criminals. How do cybersecurity professionals learn to stay ahead of the curve and keep abreast of the latest developments & training?


A. Many people who remember the 'dot com' era of the late 90s will remember the term 'Internet Year' to describe the rapid pace of change affecting IT at the time. A time where a year’s worth of development would be crammed into a few months. Well in cybersecurity, things change by the week. That includes threats, vulnerabilities, threat-actors, attack-vectors, new offensive and defensive technologies, and even a few advances on the procedural front as we discover better more efficient ways of doing things.

I can’t talk for everyone in my line of work, but I spend a lot of time reading blogs, tweets and other social media posts from experts in the field, as well as a lot of articles from the cybersecurity and industry trade press like Healthcare IT News. I also read more than my share of white papers and academic journals along with the odd book or two. My reading includes developments not just in cybersecurity but also healthcare and other industries which allows me to consider the implications of new non-security technologies and how they might impact cybersecurity and risk one day.

One thing that really concerns me right now is the exponential growth in IoT – everything from network-connected home thermostats, to internet connected refrigerators, connected vehicles, to connected cities where traffic lights are optimized to allow the free passage of emergency vehicles through rush hour traffic and everything else. This is an area I spend a lot of time researching. IoT devices already outnumber the human population of the planet, and by next year there will be in excess of 20 billion network connected devices. Now consider that even a small percentage of these devices might be out to attack you and you can see the magnitude of the problem. The growth of botnets now far overshadows unpatched Windows machines that have been turned into zombie attack systems by their real owners – the hackers and nation state cyber forces that easily took advantage of weak security and now OWN their user’s online banking information and shady personal photographs. I sometimes think you should be required to pass some sort of driver's test before being allowed to purchase a home computer!

I also consider security and industry conferences to be a great source of vital information. I probably speak at 20+ conferences every year and attend quite a few more on top of that. I always learn something from the discoveries, war stories and experiences shared by other speakers and practitioners in the space. There’s also a lot to be learned by the way healthcare is delivered and secured in different countries even though I work in quite a few. HIMSS, CHIME, AEHIS, H-ISAC, RSA, BlackHat, and KiwiCon currently top my list, as do conferences and summits put on by various publications in the space. They are all good, and if you can spare the time and afford the admission then I find that I always come away with something new as a result.
 

Q. A constant challenge for healthcare organizations is the management of limited resources and budgets for cybersecurity measures, and cybersecurity can often become an afterthought. What advice would you give to them in their approach to cybersecurity, particularly in light of their resource constraints?


A. In one sentence? Treat Cybersecurity risk in the same way you treat Patient Safety because the two are inextricably linked in today’s connected digital healthcare environment. Many hospital CEOs, Boards of Directors and Ministers of Health haven’t realized this yet. The sooner they do the better for all of us.

Another piece of free advice for healthcare boards is that healthcare compliance does not equal security. The industry suffers from a myopic focus upon protecting the confidentiality of patient data, when in fact operational and reputational risks to data integrity and system availability are far more important and potentially damaging. No one is going to die because of a confidentiality breach; they could, however, easily die as the result of an integrity or availability cyber-attack. The healthcare industry needs to adopt a risk-based approach to security, based upon assets rather than controls or a compliance checklist. Only then will healthcare boards begin to understand their level of exposure, and feel inclined to do something about it.

In essence we have several giant gaps currently. A gap between the ease of a perpetrator attacking a victim, making lots of money from that attack, then walking away scot-free, versus making cyber-attacks difficult and very costly for the perpetrator – whether that perpetrator is an individual, a criminal group, or a nation state. It's rather akin to the school playground where a bully is beating up and intimidating other kids stealing their lunch money, but the school rules have yet to catch up to outlaw bullying or place CCTV or a teacher in the playground to grab any bullies by the ear and drag them to the Headmaster’s office for punishment and a corrective action plan!

The other gap we have is in resourcing. According to the Cisco Annual Cybersecurity Report, there is a 12x demand over supply for security professionals. We need to train tens of thousands of security analysts, architects, threat analysts and security operations staff for the world of tomorrow. We also need to allocate much greater budgets towards securing the future of our businesses, whether that business is a profit-making enterprise or a public service. This is a simple legal question of negligence in my opinion. If those ultimately responsible choose to ignore or accept a critical risk against the advice of their security and risk executives, then they should be held liable. Especially in healthcare where patient lives are at stake.

Everyone likes to talk about the next great level of interoperability in health IT but they haven’t figured out yet that to get there, you need to invest in cybersecurity to prevent your patients from being attacked by cyber criminals and their PII and PHI stolen or altered.

Cybersecurity and protecting patients should be viewed as a “business enabler” of new more efficient, more profitable, digital health services and should be an initial design consideration not a last-minute ‘strap-on’ where you are going to spend a lot more time and money for a less secure system. “Security by design” is where we need to be.


A true senior security executive is one that sits at the right hand of the CEO and frequently addresses the board on security matters. He or she directs a comprehensive holistic cybersecurity program staffed with a solid team of security professionals. Together, they facilitate a hospital expanding its range of services to patients for the delivery of more profitable services. Services like telehealth and telemedicine that improve patient satisfaction scores, and the adoption of new riskier technologies like artificial intelligence and machine learning that will ultimately improve patient outcomes by catching tumors earlier and reducing the high costs of intervention for patients with late-stage cancer or similar diseases.


Cybersecurity will also facilitate the advance of personalized medicine by protecting highly confidential information like someone’s genome sequence. A patient can change their name, their address, even their health number following a breach of information. They can’t even attempt to change their genetic sequence. Human cloning may sound rather SciFi but it’s not that far off. China has reportedly already accomplished this. In the fifteenth century, no one expected the Spanish Inquisition but it came about all the same. We need to think outside of the box to prepare for the challenges to our business model in healthcare and the threats and risks that we face.

Click for the original Show Daily PDF: http://pubs.cyberthoughts.org/AP19.HIMSS.Show.Daily.pdf

This blog was first published by HIMSS Media and Cylera


See also AI Will Radically Change Healthcare Security

See also my LiveStream TV Interview from AsiaPac HIMSS

Beverly Hills Healthcare Security Forum

California Healthcare Cybersecurity Forum in Beverly Hills. Photo: Pat Lambert.

An esteemed panel of biomedical and security leaders discussed "The Biomedical Elephant in the Room" at the California Healthcare Cybersecurity Forum today in Beverly Hills.

Healthcare IoT (HIoT) now extends from one side of healthcare delivery to the other and today that includes an increasing number of medical devices, robots, health automation systems and building management systems none of which hospitals can easily do without.

Most of these connected devices however are not traditionally managed by IT, many don’t appear in any asset management database, most are not patched against vulnerabilities regularly (if ever), and the vast majority are highly vulnerable to cyber-attack and extortion. Very few have effective compensating security controls like micro-segmentation to protect patients from being the subject of the attack rather than just the device attached to them.

A large number of network and implantable medical devices pose a significant patient safety risk if not secured and could cause patient harm or even fatalities.
Dick Cheney, former Vice President of the United States, had the wireless interface to his own pacemaker disabled because of fears that he might be hacked or assassinated by a political opponent or foreign government via manipulation of the cardiac defibrillator keeping him alive. This scenario was the basis of an episode in the TV series Homeland, in which the Vice President of the United States was hacked and killed.


Edited: Homeland, Se2Ep10

The panel, which discussed what can be done to mitigate security risks and protect patient safety, comprised the following experts:

Chad Wilson, CISO at Stanford Children's Health,
Dr. Benoit Desjardins MD, Ph.D. Associate Professor of Radiology at Penn Medicine,
Harb Singh Security Program Manager at Cedars-Sinai Medical Center,
Richard Staynings Chief Security Strategist at Cylera, and panel moderator


For those that missed this highly informative and educational session, Richard will be moderating a similar panel in Boston at the Healthcare Innovation, Healthcare Cybersecurity Forum, on Oct 4th.


Nation State Cyber Thieves Target Healthcare Research and Patient Data


State-sponsored cyberattacks against healthcare and the wide-scale theft of PHI, PII and IP are increasing, putting the whole sector at increased risk, a new report claims.

Not Petya (Nyetya), WannaCry, Stuxnet, Sony Pictures, Yahoo, US Office of Personnel Management (OPM), SingHealth, and Anthem breaches are all recent examples of nation state attacks. Some are indiscriminate, some target other nation states, and some are focused towards intelligence gathering of mass or targeted individuals. Some are thinly disguised criminal theft of intellectual property and trade secrets, or monetary theft and extortion to supplement what hackers get paid by their government puppet-masters for 'official business'. They all have one thing in common, a well-funded and well-trained team of cyber warriors with the patience of saints, and the tenacity to get the job done. These are the advanced persistent threats (APTs) that mark a nation state adversary. They are usually stealthy and stay hidden till the last moment, or go unnoticed entirely as Yahoo eventually discovered after a subsequent attack.

Although WannaCry took out a large number of healthcare systems around the world including a significant number of UK NHS hospitals and healthcare trusts, it was by and large a broadcast extortion attack to generate money for the highly sanctioned government of North Korea (DPRK). The SingHealth and Anthem breaches were however highly targeted at healthcare institutions, and these are just the tip of the iceberg. Like the OPM breach, these attacks are thought to have originated from Peoples Republic of China (PRC).

Chinese fingerprints are all over many recent healthcare attacks.



A recent report by FireEye has indicated that state-sponsored attackers from the PRC have for some time been targeting medical data from the healthcare industry. This includes not only PII, PHI and in some cases even the prescription information of patients, but a broader focus upon the theft of academic and clinical research, drug and clinical trial data, research studies, formulary and procedural data, as well as plans for medical devices. Pharmaceutical companies, universities, hospitals and biotech / biomedical engineering companies have all been targeted according to FireEye’s “Beyond Compliance: Cyber Threats and Healthcare” report. In particular there has been a strong focus on the theft of research data into cancer treatments and artificial intelligence, both of which are top priorities for Chinese manufacturers, the report adds.

FireEye has seen a “prevalence of multiple Chinese groups over the last several years, and continuing in what we see today, targeting medical researchers in particular," says Luke McNamara, a principal analyst at FireEye who worked on the research. The company says the Chinese-linked APT41, APT22, APT10 and APT18 have all been seen trying to obtain medical data in recent years. Additionally a group linked to Vietnam (APT32) and a group linked to Russia (APT28) also dabble in healthcare, the latter of which has so far targeted sports medicine providers responsible for anti-doping tests of Russian athletes.

“Targeting medical research and data from studies may enable Chinese corporations to [patent and] bring new drugs to market faster than Western competitors,” FireEye said. The country’s ‘Made in China 2025’ campaign intends to replace all imports from multi-nationals with locally produced products.

In particular, the report added, China has exhibited a “growing concern over increasing cancer treatment and mortality rates, and the accompanying national health care costs.” With massive levels of ground and water pollution in China that has poisoned the food supply with dangerous levels of cancer-causing heavy metals, and air pollution which in some cities is hundreds or thousands of times WHO safety limits, it’s no wonder that the costs of treating cancer is such a growing concern for a country which plans to have universal healthcare coverage for all of its 1.5bn citizens by 2025.

If things weren't bad enough already for hospitals and health systems outside of China, then they just got a whole lot worse!

Photo: Markus Spiske.


Nation State Attacks
Nation state sponsored cyberattacks have been on a sharp rise over recent years with North Korean attacks against Sony Pictures in 2014 in retribution for its movie “The Interview”, followed by the ‘WannaCry’ ransomware attacks of 2017, thought to have been designed to generate foreign currency for the hermit kingdom. Also of grave public concern were Iran’s DDoS attacks against the US banking sector between 2011 and 2013 and an attempted hijacking of the Bowman Ave. Dam in New York, thought to be in retaliation for the US Stuxnet attack against Iranian uranium enrichment centrifuges.

Russia too has been a major perpetrator in more direct cyber-warfare attacks going back as far as the first Chechnya War in 1996, to literally hundreds of attacks against its neighbors - from the cyber attack against the Turkish-Georgian-Kazakh BTC oil pipeline in 2008, to the most recent attack against the Ukrainian power grid. However, it is the ‘Not Petya’ wiperware attacks of 2017 attributed to the Russian GRU that currently take the prize as the most destructive and most expensive cyberattack in history. Not Petya targeted companies doing business with Ukraine and resulted in approximately $8bn in damages to multi-nationals from all over the world. Not Petya destroyed tens of thousands of computer systems and shut down hundreds of companies, including some in Russia. Not only did the GRU open Pandora's box but they accidentally let Pandora out to run amok! Russia is also responsible, via a network of proxy groups who engage in simple criminal theft, for many attacks against retail merchants and financial institutions, and of course for the Yahoo breach of a billion users – the largest attack to date.

But it is the People's Republic of China’s insatiable appetite for the theft of commercial intellectual property and trade secrets, combined with its wholesale theft of PII and PHI, that is most notorious when it comes to nation state cyberattacks. The OPM breach of 21.5 million federal employee records between 2013 and 2014, and the 2015 Anthem Health breach that resulted in the theft of PII of 79 million people – healthcare’s largest, are typical of PRC attacks. While cyber espionage against military-defense secrets appears to be common across all states today, what differentiates China is its cyberespionage activities that plainly target non-military-defense commercial organizations and research universities. In China everything of significance is owned by or beholden to the state, and after 70 years of communism and isolationism, the People's Republic has had a long way to catch up with the rest of the world. It is not only China's intention to catch up, but also to surpass the rest of the world by whatever means are necessary. In China, that ambition is abbreviated as 赶超 or ganchao in Chinese. What's more, China fully intends to surpass the west within the next five years under the central government’s ‘Made in China 2025’ initiative. Unfortunately, given the tight schedule, that may involve the theft of ideas and trade secrets from nearly every major company on the planet.

This blog was originally published here

Rocky Mountain Health IT Summit

Richard Staynings and Michael Archuleta address the Rocky Mountain Health IT Summit today.



Thanks to everyone who attended our presentation today at the Healthcare Informatics Rocky Mountain Health IT Summit in Denver, where Mike Archuleta, CIO of Mt San Rafael Hospital, and I greatly enjoyed sharing our thoughts and advice on how to secure Healthcare IT and IoT.

Unfortunately, today we live in an era of escalating cyber threats from bad actors and nefarious nation states intent on the disruption of our business and personal lives. Regrettably, this also includes life-sustaining healthcare technologies. If this weren't enough, the healthcare industry is also in the process of transforming to a near complete reliance upon information technology and Internet of Medical Things (IoMT) technologies. In fact, Healthcare IoT (HIoT) devices are growing at 20% per annum according to some sources, which means the problem is getting bigger and bigger each and every day! This includes a proliferation of medical devices, pharmacy and surgical robots, AI-augmented labs and diagnostic systems, and network-connected hospital building management systems like elevators and HVAC, without which the modern-day hospital cannot function for long. This provides hackers with a very large attack surface upon which to exploit a weakness or vulnerability and establish a beachhead for more nefarious purposes - perhaps the theft of medical records and personal identities, or the ransoming of hospital data or patients.

Effective cybersecurity has always been about the combination of people, process and technology, and that still holds true today. However, the perpetrators of cyber-crime are hell-bent on exploiting every weakness regardless of the patient safety consequences of their actions. As cyber defenders we need to employ the best processes, skilled security resources, and the best technologies in the defense of our diagnostic and clinical systems. It also means that old, out-of-date and end-of-life systems should be replaced, while all other systems are updated regularly with security patches, especially if your hospital still runs some version of Windows. The costs of upgrading may appear prohibitively expensive, but the reputational and financial costs of a breach or ransom attack could be life threatening - for the business and its patients!

56% of Health Providers Still Rely on Legacy Windows 7 Systems

As a first step hospital CEOs and their boards need to gain an accurate understanding of their risks and that means a full inventory of all of their IT, HIoT and data assets - something most smaller hospitals have little to no idea about. Remediation of identified risks then needs to be prioritized in order to reduce overall enterprise risk and the threat to patient safety. That will require discipline, established and documented processes, and quality resources whether people or tools, or a combination thereof. Above all it requires effective cybersecurity governance sponsored at the highest levels of the board and reinforced all the way throughout the organization. Sadly, too many hospital CEOs and their boards have yet to take this step.

Fortunately, however, many small facilities and critical access hospitals have prioritized security and are already reaping the benefits of their early investment in IT and cybersecurity. This allows them to offer more profitable and cost-efficient services to patients via, among other services, secure online portals, telehealth and telemedicine, proving that security does not need to be rocket science - just the combination of good people, process and technology to add value to a business.

For anyone interested, our deck can be downloaded here. Please feel free to leverage our content for your own CEO and Board presentation.

Singapore eHealth - Innovative Technologies and Security


The Author addresses the Singapore eHealth Summit. Photo: Dean Koh

Singapore faces many of the same problems affecting patient care in Europe and North America; an aging population, rising demand and increasing costs. The need to implement more value-driven initiatives to increase efficiency and improve patient outcomes will become critical here in Singapore just as it is in other countries with declining populations or unsustainable rising healthcare costs. This includes the need for wider mainstream adoption of new and disruptive technologies like data analytics, machine learning and artificial intelligence, combined with highly innovative procedures to accurately identify, diagnose and treat patients.

The recent Singapore eHealth and Health 2.0 summit was unique in that it brought together some of the best minds and best ideas from all over the world under one roof, to showcase a plethora of quality treatment ideas and disruptive emerging technologies which promise to revolutionize the healthcare industry.

As with the adoption of any new technologies, there are risks which must first be evaluated before a technology can be introduced, and in healthcare, increasingly these risks focus upon cybersecurity.

In Singapore, which suffered its largest ever breach last year with the theft of 1.5m SingHealth patient identities along with the prescription records of its Prime Minister and other V.I.P.s, security is of particular concern. Several smaller healthcare breaches this year, including publication of the personal details of over 800,000 blood donors and the exposure of 14,200 HIV patient records, have compounded the need for the industry to get security right.

Confidentiality, Integrity and Availability

The ASEAN region, according to CIO Magazine, with its dynamic position as one of the fastest growing digital economies in the world, has become a prime target for cyber-attacks, accounting for 35.9% of all cyber attacks globally in 2017. The targeted attack against SingHealth is perhaps a wake-up call for the region to do a better job of securing the Confidentiality, Integrity and Availability (CIA) of its healthcare and other critical services.

But the risks impacting healthcare are way more nefarious than just the disclosure of confidential patient information. Far more worrying is the threat to the INTEGRITY of health records and other clinical data, and the AVAILABILITY of HIT systems needed to treat patients.
  • What happens when a patient's blood type, allergies or past treatment records are altered by a hacker?
  • What happens when a ransomware attack locks up all Health IT systems as it did to many hospitals in the British NHS with the WannaCry attack? 

Patient Care suffers and Patient Safety is placed at risk

The growth of medical devices and other Healthcare IoT (HIoT) is prolific and already outnumbers traditional computing systems. Compound growth in medical devices has reached 20% per year by some estimates. Furthermore, most are connected now to hospital networks and talk directly to core HIT systems like the Electronic Health Record. Hackers know this and have used the fact that HIoT systems are by and large unprotected against cyber-attack to launch their infiltration campaigns.




Many legacy medical devices can only connect to hospital WiFi using insecure WEP encryption, which means any teenager with the right tools could gain access to core systems in most unsegmented healthcare networks with little more than a smartphone from a hospital waiting room.

Medical devices and other HIoT systems now pose the single greatest risk to patient safety, according to many in the industry, because of their lack of inherent security and their inability to be patched or secured with AV or a host firewall as even a Windows PC can be. What is more worrying is not that these devices are incredibly easy to hack or topple over, but the fact that they are most often connected to patients at the time, providing critical life-sustaining care or telemetry.

On-stage demonstrations at security conferences like DefCon, Black Hat, and KiwiCon often feature the hacking of some sort of medical device that, if connected to a real patient, would undoubtedly result in that patient's death. Yet the US FDA, Australia's TGA, the UK's MHRA, and the EU's EMA, along with device manufacturers and hospitals, all downplay the risks, knowing that devices have a 15 to 20 year lifespan and few, if any, are ever updated with security patches once sold.

The fact of the matter is that we have almost no idea if, and how many, patients have died as a result of a medical device being hacked. No one is currently required to forensically investigate a failed medical device. Instead, when a device is suspected of failing, all data is wiped to comply with HIPAA, GDPR, SPA, and other privacy rules, and the device is shipped back to the manufacturer to be re-imaged, tested and put back into circulation. This is a subject I have written about in the past and one perhaps best demonstrated by Doctors Christian Dameff, MD and Jeff Tully, MD from the University of California Health System, in their realistic yet alarming presentation at the RSA Conference last year.

The need to better understand and evaluate risk in this growing sector of healthcare has reached a tipping point, as OCR in the United States and the TGA in Australia start to ask questions about risk analysis of these devices, many of which are covered under the HIPAA Security Rule and the APA. However, healthcare IT and Security teams face several daunting challenges before they can mitigate security risks and chase compliance.

1. In most hospitals, medical devices are owned and managed by Bio-Medical or Clinical Engineering, while other groups also outside of IT, manage building management and other hospital IoT systems. Consequently, there is limited security visibility, if any at all!

2. An accurate inventory of what HIoT assets are connected to the network is almost impossible to accomplish manually as devices change all the time and manual spreadsheets and traditional IT asset management systems have proven inaccurate.

3. Evaluating the risks of medical devices is difficult since most are connected to patients and cannot be scanned with normal security tools. Larger equipment like X-Ray machines, MRI, CT and PET scanners are in use 24/7 and cannot usually be taken out of service for regular security scans.

4. Inherent weaknesses in some HIoT protocols like DICOM allow a malicious actor to embed weaponized malware into a legitimate image file without detection, as researchers at Cylera Labs discovered recently.

5. Lack of internal network security allows a hacker to intercept and change a PACS image with false information during transmission between a CT scanner and its PACS workstation, adding a tumor to an image or removing one as security researchers at Ben Gurion University recently discovered.
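The defender-side check implied by point 4, as an added example that is not code from this post, from Cylera, or from any other research cited here: a DICOM Part 10 file begins with a 128-byte free-form preamble (normally all zeros) followed by the 4-byte magic "DICM", and because image readers ignore the preamble, an executable header can be placed there so one file parses as both an image and a program. The inspector below assumes only that standard layout; the sample files, the verdict labels and the function names are constructed for illustration.

```python
"""Hypothetical DICOM preamble inspector (added example, not Cylera's code).

A DICOM Part 10 file starts with a 128-byte preamble that the standard leaves
free-form (commonly all zeros), followed by the 4-byte magic "DICM".  Readers
skip the preamble, so it is the natural place for a polyglot file to hide an
executable header.  This inspector flags files whose preamble does not look
like an ordinary, inert preamble.
"""
from __future__ import annotations

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"

# Executable-format signatures that have no business at the start of an image.
EXECUTABLE_MAGICS = {
    b"MZ": "PE/DOS executable header",
    b"\x7fELF": "ELF executable header",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit header",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit header",
}


def inspect_dicom(data: bytes) -> dict:
    """Classify one file's bytes.

    verdict is one of "not-dicom", "clean", "review" or "suspicious";
    reasons lists what was seen so an analyst can triage the result.
    """
    result = {"verdict": "not-dicom", "reasons": []}
    if len(data) < PREAMBLE_LEN + len(DICM_MAGIC):
        result["reasons"].append("file shorter than preamble + magic")
        return result
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICM_MAGIC:
        result["reasons"].append("missing DICM magic at offset 128")
        return result

    preamble = data[:PREAMBLE_LEN]
    for magic, label in EXECUTABLE_MAGICS.items():
        if preamble.startswith(magic):
            result["verdict"] = "suspicious"
            result["reasons"].append(f"preamble begins with {label}")
            return result

    if any(preamble):  # non-zero bytes are legal but deserve a human look
        result["verdict"] = "review"
        result["reasons"].append("non-zero preamble (application profile or unknown use)")
        return result

    result["verdict"] = "clean"
    return result


def make_sample(preamble: bytes) -> bytes:
    """Build a constructed, minimal DICOM-like file around the given preamble."""
    assert len(preamble) == PREAMBLE_LEN
    # One explicit-VR little-endian element: (0002,0010) Transfer Syntax UID,
    # padded with a NUL byte to an even length as the UI VR requires.
    uid = b"1.2.840.10008.1.2.1\x00"
    element = b"\x02\x00\x10\x00" + b"UI" + len(uid).to_bytes(2, "little") + uid
    return preamble + DICM_MAGIC + element


# Constructed samples (not real files from the page or from any research cited)
CLEAN_FILE = make_sample(bytes(PREAMBLE_LEN))
# A PE-style "MZ" stub in the first bytes of the preamble, remainder zero
POLYGLOT_FILE = make_sample(b"MZ\x90\x00" + bytes(PREAMBLE_LEN - 4))
TRUNCATED_FILE = b"\x00" * 50

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_FILE), ("polyglot", POLYGLOT_FILE),
                       ("truncated", TRUNCATED_FILE)]:
        print(name, inspect_dicom(blob))
```

In practice a check like this belongs at the ingestion points an imaging workflow already has (the PACS import gateway, the modality worklist receiver, or a file share scanner), and a "review" verdict should be correlated with the sending device's inventory record rather than blocked outright, since some vendors legitimately use the preamble.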





Fortunately, new AI security tools from Cylera, created especially with healthcare in mind, are able to automate the entire risk management process to identify, profile, assess, remediate and manage HIoT assets in line with NIST SP800-30 standards. Just as healthcare delivery is moving towards disruptive innovative technologies, so are the security risk management tools being used to support the adoption of new technologies and new procedures.

Cylera's 'MedCommand' solution empowers healthcare providers to protect the safety of their patients, assets, and clinical workflows from cyber-attacks. 'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment, including medical devices, enterprise IoT, and operational technology.



The 'MedCommand' solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop the most comprehensive and integrated HIoT security solution for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management or contact us to schedule a conversation.

This blog was originally published here.


When Cyber Attacks Go Too Far





News today that Israel has responded to a cyber-attack with a kinetic reply is perhaps a first but, in many ways, to be expected, given a rising tide of global cyber-attacks by those who cause increasing levels of damage, yet hide from attribution by use of proxies or through assumed anonymity.

According to Forbes:

The escalating global threat of cyber-attacks against nation-states took a turn yesterday when Israel's military announced that it had "thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work….HamasCyberHQ.exe has been removed," the tweet concluded.

Now that the precedent has been set, it should serve as a very real warning to cyber criminals everywhere that just because they reside in a state that turns a blind eye to international lawlessness, they are not immune from being brought to justice.

This may not be the first kinetic response to an act of cyber warfare, but it's certainly the first one mass-publicized. The US has reserved the right to retaliate against cyber-attacks with military force since 2011, and in 2015 it launched a Hellfire missile attack from a drone to assassinate British-born Islamic State hacker Junaid Hussain as he walked down a street in Raqqa, Syria.

Many people have been expecting a kinetic response to a cyber attack for some time and talking about the advent of hybrid warfare, but can either of these bombings be seen as the turning point?

The fact is that Hamas had recently launched over 600 missiles at Israel and Israel had conducted over 250 air strikes of Hamas targets in retaliation. In the case of Junaid Hussain, he was known to be actively planning terrorist attacks in the west. Both were thus legitimate targets in existing kinetic conflicts, and both appear to satisfy the UN Charter for 'National Collective Self Defense'. But will this latest attack be used to justify a kinetic response to a future cyber attack or the perceived threat of one by a credible adversary? Maybe!

The Israeli Defense Forces (IDF) certainly considered the threat real enough by Hamas hackers planning an attack on Israel to warrant dropping a very large bomb on top of their building, reportedly with them in it!

Iran should certainly watch its back, where, we are told, there has been a steady escalation in threats against the United States over recent months. The recently announced positioning of the USS Abraham Lincoln Strike Group in the Persian Gulf together with a Bomber Strike Group may be seen as a strong warning to Tehran. It may also be considered positioning for future retaliatory kinetic attacks for the recent wave of cyber and other attacks against the United States. This may mark the return of more aggressive US policies against terrorists and others who attack the west with assumed impunity. Just as Reagan's bombing of Libya in 1986 drew a line in the sand over Qaddafi's support of terrorism against United States citizens, with hawks like John Bolton and Mike Pompeo advising Trump, things could escalate very quickly.

But Iran is not alone on the 'Bad Boy' list of cyber-attacks going too far. According to the Center for Strategic and International Studies, most of the world's cyber-crime originates in four countries – the People's Republic of China, the Russian Federation, the Islamic Republic of Iran and the Democratic People's Republic of (north) Korea, as the chart below shows:









Russia has been using cyberwarfare, arguably against its own people, since the first Chechen war, but in 2008 the Russian military was credited with blowing up the Turkish Baku-Tbilisi-Ceyhan (BTC) oil pipeline at Refahiye in eastern Turkey after hacking CCTV cameras to gain access to pipeline valves, which were then used to super-pressurize the line until it blew up. The BTC pipeline, which links Baku in Azerbaijan to Ceyhan on the Mediterranean coast of Turkey, gives additional energy independence to oil-rich states on Russia's southern border at a time when Russia is seeking to reassert its control over former Soviet states.

In 2014 a massive cyber attack was launched against Sony Pictures Entertainment that involved the theft and release or destruction of a huge amount of data. It was the first destructive cyber attack conducted against the United States and the first time the US attributed a cyber attack to a foreign government. The attack was claimed by 'Guardians of Peace' and was eventually attributed to North Korea, specifically to a group of hackers known as 'Shadow Brokers'.

The 2017 'WannaCry' ransomware attack, which brought down hundreds of organizations worldwide, including the effective closure of a large number of British hospitals and other critical facilities, has also been attributed to the Shadow Brokers, an outfit that works in the PRC and the DPRK for the Kim regime of North Korea. According to an Op-Ed in the Wall Street Journal, Tom Bossert, then Homeland Security Advisor to President Donald Trump, firmly attributed the attacks to Kim Jong-Un, who, he claimed, gave the order to launch the malware attack. "We do not make this allegation lightly. It is based on evidence," Bossert stated. Canada, New Zealand, Japan, and the UK all independently agreed with the US attribution.

Right on the heels of WannaCry, the 'Not Petya' attacks of June 2017 were an act of cyber warfare instigated by the Russian GRU (ГРУ), according to a CIA analysis of the attack reported by the Washington Post. Not Petya, or Nyetya as it is also known, was disguised as a new variant of ransomware, but with no way to recover the information or the hard drives storing the data, it destroyed millions of dollars of computer equipment and cost businesses the world over somewhere between $4bn and $8bn according to Wired at the time, a figure now widely regarded to be closer to $12bn. Not Petya thus became known as a broadcast 'wiperware' and, to many, as a cyber weapon.

According to the CIA, Russia's GRU created NotPetya as an escalation of its existing kinetic and cyber war against Ukraine, ongoing since the popular revolution there ousted the pro-Russian former Ukrainian President and CCCP Communist Party Member Viktor Yanukovych. The attack, which initially targeted the Ukrainian accounting tax software company M.E.Doc, brought down virtually all of Ukraine's government along with Ukrainian hospitals, power companies, airports, and banks. Since then there has been a steady stream of cyber attacks directed by Moscow against Ukrainian critical infrastructure and power utilities, knocking them off-line, constant attacks against Ukrainian businesses, and various kinetic attacks including the military occupation and annexation of Crimea, the instigation of Russian nationalism and ethnic unrest, and military support of separatists in Eastern Ukraine. This direct support culminated in the July 2014 destruction of an airliner and the deaths of all 285 passengers and 15 crew aboard MH17 as it flew between Amsterdam and Kuala Lumpur, when it was hit by a Russian surface-to-air missile.

The impact of Not Petya spread far beyond the borders of Ukraine and caused massive damage across the world. First investigated by the Ukrainian security agency, known as the SBU, it was quickly attributed to Russian security services, a finding reflected in other countries' subsequent investigations into the cyber attack, including all of the Five Eyes nations of the United States, UK, Canada, Australia and New Zealand. This was reflected by a White House statement issued February 15, 2018:

"In June 2017, the Russian military launched the most destructive and costly cyberattack in history. NotPetya quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin's ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences."

Putin's Russia has continued to push the boundaries of acceptability with each new attack, from the hacking of the US Democratic Party and former US Secretary of State and presidential candidate Hillary Clinton, to influencing the US and German presidential elections and the Brexit referendum via its social media bots, to literally hundreds of attacks against think tanks and NGOs according to Microsoft, most of which have been attributed to a group called 'Strontium' - otherwise known as 'Fancy Bear' or 'APT28'.

Meanwhile in the east, the People's Republic of China has kept up a relentless attack against businesses the world over in its quest to steal the intellectual property and commercial business secrets of the leading global companies. Despite agreements between the US and Chinese presidents in 2015 to stop the wholesale cyber-theft of intellectual property, the attacks continue as China tries to surpass the rest of the world with its home-grown companies, using stolen patents and trade secrets invented by others.

The big question is, "how far is too far"? At what point does it become necessary to send a loud and clear message that cyber-attacks will be met with real consequences? Israel certainly deemed it necessary to deal with a group in Hamas that was responsible for cyber attacks against its country and citizens.

Countries may not readily invade one another today as they once did in the nineteenth and twentieth centuries leading to major global conflicts and massive loss of life. That is, perhaps with the recent exception of China's building of military islands off the coast of the Philippines and Vietnam in international waters - an apparent land grab of most of the South China Sea. But we know from history, that if you don't stand up to a bully at least once, then the bullying will continue. Hitler's military occupation of the Rhineland in 1936 is perhaps a good example of what happens when you ignore a problem for too long.

Sometimes we forget that cyber warfare is after all just another form of warfare!

Now that the precedent has been set, those involved in cyber espionage, wholesale theft of IP, extortion, and cyber attacks against businesses and critical infrastructure of countries might want to consider a new profession, or be on the lookout for things falling from the sky!


HIMSS TV Interview - C.I.A.


My recent interview with Bruce Steinberg MD, EVP of HIMSS International, at the Singapore eHealth and Health 2.0 Summit.

The Growth of Medical Tourism 3


This is a multi-part story over 3 days. Take me to the beginning.

Trends in Medical and Dental Tourism

Patients Beyond Borders, a publisher of guidebooks for "medical tourists" estimates that more than 20 million people will travel to another country for medical treatment this year, up 25% from 16 million last year. Meanwhile, a 2016 report by Visa estimated that the medical tourism industry was worth $50bn a year, and continuing to grow.

In fact according to Deloitte medical tourism has been growing at 10% per annum or greater for the past 15 years. BCC Research predicts that double digit growth is expected to continue for at least another five years with destinations like Mexico, Thailand, Malaysia, Taiwan, UAE, and Costa Rica leading the popularity charts.

But it's not just a migration of US medical consumers to these locations. It's a global trend of Americans and Europeans looking to cut costs and avoid wait times on one side, and the super wealthy in developing nations like Saudi Arabia, China and India in search of specialist treatments not available in their own countries going the other way. The migration for services is both global and regional. Many Californians and Arizonans head south to Mexico to visit the dentist or pick up prescriptions. The same is true in the northern US states with trips to Canadian pharmacies and healthcare providers. The growth in demand for medical tourism is fueling major investments in healthcare, not just in towns close to US borders, but across the world in cities like Dubai and Abu Dhabi, as I reported in 2017 from the UAE, which benefits from an influx of patients from Saudi Arabia and other Gulf states as well as from Europe and the United States.

Despite its free National Health Service, many UK residents are avoiding long wait lists for consults and procedures and traveling overseas for medical and dental treatment at less than half the cost of private treatment at home. This includes cosmetic surgery and other treatments not covered under the NHS.

Medigo, a German-based medical travel company, says that queries from UK residents jumped 53% last year. Official figures from the UK's Office for National Statistics also show that a rising number of people are going abroad for treatment.

The trend is similar in the US where the number of American health tourists goes up every year. About 422,000 traveled outside of the country for medical and dental procedures in 2017 according to the US National Travel and Tourism Office. That is up from 295,383 in 2000.

These figures exclude the massive and rising number of Americans who drive across both US borders each day to get their prescriptions filled rather than pay the unregulated and exorbitant prescription drug prices in the United States.

As the number of uninsured Americans continues to climb, it seems more than likely that high deductibles and reductions in insurance coverage are pushing more Americans to search elsewhere for affordable medical and dental care. With more attacks underway against the US Patient Protection and Affordable Care Act, otherwise known as 'Obamacare', and employers increasingly shifting healthcare costs to employees, medical tourism looks to become a key facet of most people's future healthcare and dental care.

Read the entire story:

See also my post on health tourism and cybersecurity in the United Arab Emirates
 
 
Read Other Articles on the Rising Tide of Medical Tourism

This article in the New York Times is about US companies that are paying their covered plan participants to travel to Mexico and Costa Rica for elective surgery - with American surgeons.

This NPR article covers why American Travelers Seek Cheaper Prescription Drugs In Mexico And Beyond and what an increasing number of them are doing about US prescription Drug costs.
 
Read how PEHP, a Utah health insurer, offers a program for public employees to travel to save money on prescription drugs and is sending an ever increasing number of state employees out of the country to fill their prescriptions in Mexico.
 
The Costa Rica Tourist Board now features Medical Tourism as one of the reasons for visiting the nation.  
 
Thailand is now offering medical services for foreigners recovering from Covid and Long Covid.

The Growth of Medical Tourism 2



This is a multi-part story that launched yesterday.

My employer-sponsored-health-plan provides me and my family with an annual physical with our primary care physician. This normally involves a 40 to 60-minute appointment where a nurse measures my height and weight, checks my vision, draws some blood and has me pee in a cup before my doctor gives me a physical examination. Thanks to Obamacare this little interaction is annual and free, meaning no co-pay, no-deductible or other disincentive to see someone. It also provides the opportunity to discuss with my primary care provider anything that concerns me but didn’t warrant me shelling out money to book a regular appointment with him or her. Finally, it also allows me to unlock and renew my prescriptions for the medications I am supposed to be on for another 12 months - even though I have been on the exact same stuff for more years than I can remember.

Sure, my free annual physical is valuable, but just how valuable is it to someone like me? Am I at early risk of coronary heart disease, a stroke, cancer or some ailment that will one day take me by surprise and whisk me off to an early death, or worse, a lingering and expensive demise that medically bankrupts my family when my employer-sponsored health insurance runs out? Welcome to US healthcare!

Would my 40 minute interaction with my doctor once a year actually discover such a risk?
Highly unlikely I suspect.

Would my health insurance pay for me to undergo a battery of tests to find out?
Also highly unlikely!

The current US Payer-Provider preventative care system is nowhere near as good as politicians would have us believe, and nowhere near as good as physicians would advise or recommend.


I guess my concerns are shared by many people over 40, and that may be why many of us receive direct mail flyers advertising advanced cholesterol or cancer screening – the "Plus Version" of an annual physical, if you like. One where you are made to run on a treadmill while connected to an ECG and put through a battery of other tests not covered by your "free annual physical". "Prevention is better and cheaper than cure," as the saying goes, and I'm sure all of us would agree.

So my wife and I looked into the costs of a comprehensive health check at home and abroad, including travel. We also looked into the costs of a dental checkup, cleaning and treatments, since we didn't elect dental insurance this year or last. We all look after our teeth and the costs of dental insurance just didn't make economic sense. What we found surprised us.



We could fly all the way to Bangkok, Thailand, stay in a luxury 5 star hotel, enjoy a highly comprehensive health check - including in my case a full workup, ultrasounds, chest X-Ray, etc. - get our teeth cleaned and fixed (and take a short vacation), all for significantly less than what it would cost us in the US. And do it all at top-notch hospitals and dental clinics.





Our Medical Health Check

We selected Bumrungrad International Hospital in the heart of Bangkok for our health check and City Dental Clinic, just down the road from the hospital, for our teeth cleaning and maintenance. Not only is Bumrungrad reportedly one of the top ten JCI (Joint Commission) accredited hospitals in the world, it has one of the best hospital workflows I have ever seen (and I work in US healthcare!). They have the health check workflow down to an art. You move seamlessly between one medical station and the next, taking your file with you as you go. Finish one test and a nurse is there to guide you to the next one, and so it goes on all day. It truly was a pleasure to witness and observe, and was in stark contrast to my experience as a patient in the US health system, where I am always kept waiting for long periods of time unless I have the first appointment of the day. Why western hospitals can't seem to institute effective scheduling combined with efficient patient workflow is anathema to me. Especially when you consider that THEY issued you the appointment in the first place!



From the pleasant greeting upon entry to the five-star service throughout including lunch catered by the nearby JW Marriott, everyone spoke excellent English as well as half a dozen other languages to cater to guests from Europe, Australasia, the Americas, the Middle East and Asia, including a number of local Thai and Burmese.

No "nickel and diming" either and no unexpected costs. You select exactly what you want in advance from a menu of different health check options when you book your appointment, so you know what you need to pay when you show up on the day. If you need to add extras after your health check, like a consult with a specialist, the hospital will do its best to schedule you in that evening or the following day - even over the weekend. And the costs of an additional specialist consult? About $22 in my wife’s case.

What makes it all the more convenient is that you can charge it to your US health savings account debit card and pay for your medical treatments with pre-tax US earnings. If you have an international health plan you can usually charge the lot to your insurer, who is happy to pay non-US healthcare rates for a service that would cost an order of magnitude more in the USA.

Need a procedure like a biopsy? $100 to $200, often on the same day and certainly while you are in town. Now if only US healthcare could be as efficient! For that reason, it's probably best to schedule your health check on day 2 or day 3 of a week-long stay so you have time for any additional follow-up before you hit the beach or need to head home.

What we like to do is to schedule the first couple of days in Bangkok for health, optical and dental checks, then head to the islands for a week, hit the beach and splash around in the sea, then return to Bangkok for our last 3 or 4 days to pick up glasses, undergo any minor surgeries, purchase pharmaceuticals, and do some tax-free shopping before heading home.

One thing to beware of is that some doctors will only schedule office hours at Bumrungrad on a couple of days per week, so if you want to see a certain named specialist, it's best to plan a little extra time. Of course you could always opt for someone else in the same specialty area, as we did, and still get excellent advice. All of the doctors at Bumrungrad are top notch and as good as, or better than, anyone you would see back home.
 
Many doctors, we found, will schedule office hours from 5pm onwards or on weekends only, which was a little unusual compared with our experience in the US. In practice this worked out well for us, as we were busy during normal business hours anyway with tourist stuff.

Bear in mind that hospital pharmacies are usually more expensive than pharmacies outside. That's generally the case everywhere, but you don't have to purchase your meds from the Bumrungrad hospital pharmacy if you don't want to. You can just ask your doctor to write them down and have the billing clerk remove them from your bill, if they were added, when it's time to pay for any extras. No need for official prescriptions in Thailand either for non-opioids.

Pharmacies abound on every street and in every mall in Bangkok, so you have plenty of choice. If you are going to other major towns, pharmaceutical drugs are even cheaper. I stocked up one year in Chiang Mai and it was about half the price of the pharmacies I usually go to in Bangkok. Just be sure to check the expiration date of drugs if you are buying a year's supply. Also, especially if you are on some less common drugs, leave time to pick these up back in Bangkok before flying home, just in case you can't get them in smaller towns and cities.

Pharmacies are licensed in Thailand, and I have never seen or heard of issues with tainted pharmaceutical drugs in the country. I have found drugs to be top quality, manufactured in Europe, Japan, or America by reputable, well-known companies. Compare that to the no-name generic prescription you usually pick up from your US pharmacist.

Most pharmacists speak excellent English and are very well trained and qualified. Don't have what you are looking for? The pharmacist will be able to recommend a different drug and dosage and discuss side effects or other concerns with you in perfect English. That being said, they are not MDs, so if in doubt, find another pharmacy with exactly what your doctor prescribed for you.


Our Vision Check


So while we were at Bumrungrad for a follow-up appointment, we thought, why not get our eyes checked? I had managed to sit on my reading glasses before flying to Bangkok, and while they were still functional they would never quite be the same again. So off we went up to the floor of the hospital that deals with vision and booked an appointment to have our eyes tested and our prescriptions checked.

Surprisingly, they were able to see us within 10 minutes, so we delayed our dinner plans and had a full vision check. My wife's prescription hadn't changed, but mine had slightly, so I concluded that it was a good excuse for a new pair of reading glasses since I spend so much time in front of a computer screen. It took me longer to decide on the frames than it took to complete the extensive test and choose lens features from the long list available to me. I ended up selecting a very nice pair of usually very expensive name-brand frames, paired with lenses with all the bells and whistles, for about 70% of what I would have paid in the US after all the sales incentives, gimmicks and discounts were applied. What's more, I was told they would be ready for pickup the next day, or the hospital could courier them to my hotel for free. I elected to pick them up in case any adjustments were needed. Now that I am home, I am using these computer reading glasses to write this article. In short, my new glasses are perfect and far better than what I would have been able to purchase in the US for what I paid.


Our Dental Checkup


Our dental checkups were equally pleasant at the City Dental Clinic across the street from the hospital. A young but very well qualified dentist checked my teeth and then sonically cleaned them all for about $20. My wife needed a couple of fillings for a chipped tooth and some depleted enamel. Her clean and procedure came to a mere $195 - way less than most people's dental insurance co-pay for a single filling, let alone 3, and not including the bi-weekly or monthly premiums most people waste on dental insurance.

[Since writing this article several years have elapsed and City Dental Clinic lost its building and has closed. On my last visit to Thailand I found a great but slightly more upmarket alternative in Truth Dental Clinic, not far from Bumrungrad Hospital. The prices were slightly higher, but scheduling an appointment in this larger, better-equipped dental clinic was a lot easier. Simply 'Line' or 'WhatsApp' their reception at +66 86-393-6231 before you leave home for an appointment, no matter what time zone you are in. Need 4 back-to-back or simultaneous appointments for the family? They will find a time slot for you!]

To Summarize

Why would anyone NOT take a trip to Thailand or other parts of the world for elective procedures and proactive health checks? It beats me - that's all I can say! In fact, we are already planning our checkups and dental cleanings for next year.

Concerns about the quality of medical and dental staff? Bumrungrad International Hospital achieved Joint Commission International (JCI) accreditation years ago and continues to be one of the top hospitals in the world. It serves over 400,000 medical tourists annually who, by all accounts, save between 50% and 75% on medical expenses they would have incurred for similar services in the US. The hospital's repeat international clientele is probably testament to its reputation and the quality of service patients receive.

Everyone we met was top notch - as good as you would find at home - just with lower hospital billing and insurance overheads, and significantly lower malpractice premiums to pay, thanks to the absence in Thailand of both ambulance-chasing lawyers and a US-style legal system written by lawyers to encourage the use of... lawyers for every little disagreement.
 
There are also no Pharmacy Benefit Managers (PBMs) or vertically integrated healthcare mega-corporations that deliberately raise prices to drive their profits and pay their CEOs tens of millions of dollars annually. Corruption exists in every country, but the unregulated US healthcare industry takes the prize!

Why the US is falling so far behind the developing world should be obvious to all of us who work in the industry, but no one seems interested in fixing a broken system, removing overheads and getting healthcare costs down. With so many vested interests and different parties all wanting to keep their cut, that may never happen in the US. And so medical tourism is likely to continue to expand as consumers vote with their feet.

Continue on to the final chapter of this story