Urgent Vulnerability: Adobe Flash

F-Secure Security Center has disclosed an Adobe Flash Player remote code execution vulnerability.

Report ID: SA200900917
Source: F-Secure
Date of Discovery: 25.02.2009
Criticality: Urgent
Affects:
Adobe Flash Player 10.x
Adobe Flash Player 9.x
Compromise From: From remote
Compromise Type: System access
Remote code execution

The solution is to upgrade to Flash Player 10.0.22.87 (10.0r22).

It is also a good idea to check the program directory (C:\WINDOWS\system32\Macromed\Flash) and remove all prior versions of Flash.
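One way to carry out that directory check on a Windows host, as an added example (not code from F-Secure or Adobe): it lists files in the directory above whose version resource is older than 10.0.22.87 and deletes nothing. The function name `Get-StaleFlashFile` is hypothetical, and treating every build below 10.0.22.87 as stale is an assumption based on the advisory naming that release as the fix.

```powershell
# Added example: report-only inventory of Flash Player binaries older than the fixed build.
$FlashDir     = 'C:\WINDOWS\system32\Macromed\Flash'  # directory named in the advisory
$FixedVersion = [version]'10.0.22.87'                 # fixed release named in the advisory

function Get-StaleFlashFile {
    # Hypothetical helper name; returns one object per file older than $Minimum.
    param(
        [string]  $Path    = $FlashDir,
        [version] $Minimum = $FixedVersion
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "Directory not found: $Path"
        return
    }

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $vi = $_.VersionInfo

        # Build the version from the numeric parts of the version resource.
        # The FileVersion string itself may use commas instead of dots,
        # so it is not parsed directly.
        $v = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)

        # Files without a version resource (logs, text files) report 0.0.0.0; skip them.
        if ($v -ne [version]'0.0.0.0' -and $v -lt $Minimum) {
            [pscustomobject]@{
                Name     = $_.Name
                Version  = $v
                Modified = $_.LastWriteTime
                Path     = $_.FullName
            }
        }
    }
}

# List what is left behind from earlier installs so it can be reviewed before removal.
$stale = @(Get-StaleFlashFile)
if ($stale.Count -eq 0) {
    Write-Output "No Flash files older than $FixedVersion found in $FlashDir"
} else {
    $stale | Sort-Object Version | Format-Table -AutoSize
}
```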

Eli Lilly fraud case settled

The US Department of Justice has settled with Eli Lilly for more than $1.4 billion over illegal “off-label” marketing practices for an antipsychotic drug.

Facing tens of thousands of claims and over a hundred lawsuits that involved Medicaid fraud investigations in more than 30 states, Lilly now has to pay civil penalties of $800 million, plead guilty to criminal charges and pay an additional $600 million in fines.

“Eli Lilly completely ignored the law” and made “hundreds of millions of dollars” from its illegal promotion of Zyprexa, [U.S. Attorney Laurie] Magid said at a press conference in Philadelphia today. “We’re holding a company responsible for putting thousands and thousands of patients at risk.”

Lilly had advertised, without clearance from regulators, that five milligrams at 5 pm would help dementia patients fall asleep. The drug represented almost a quarter of company revenues with $4.76 billion in sales for 2007 alone.

Six former sales representatives responsible for blowing the whistle under the federal False Claims Act are to receive $78.8 million in the civil settlement and a share from settlements in states that have whistleblower laws. The company now also must operate under federal monitoring for five years.

Healthcare IT security and the Stimulus Package

I have been getting a lot of questions about the American Recovery and Reinvestment Act of 2009 (ARRA) and how it will affect IT spending in health care. A WTN News article has an excellent executive summary:

The largest allocation of funding — approximately $17 billion — is for incentive payments through the Medicare and Medicaid reimbursement systems to encourage providers and hospitals to implement EHR technology systems. As described more fully below, the incentive payments are triggered when a provider or hospital demonstrates it has become a “meaningful EHR user.” Payments are paid over time, with larger payments in the early years and lower payments over time, totaling as much as $48,400 for eligible professionals and up to $11 million for hospitals. On the other hand, hospitals and eligible professionals suffer penalties through reduced Medicare reimbursement payments if they do not become meaningful users of EHR by 2015.

This says to me an entity has to purchase and install the technology before it can be reimbursed. Proof that electronic health records (EHR) are deployed securely will net payments and incentives out of the stimulus package. Here are the top five objectives, which should help prioritize projects related to the above reimbursements:

  • The electronic exchange of health information
  • Utilization of electronic health records for each person in the United States by 2014
  • Use of privacy and security protections (including encryption standards) for electronic exchange of identifiable health information
  • Improving quality of health care
  • Specifying plans for individuals with unique needs such as children

Security protections of IT can be reimbursed. A regulated entity should thus see the stimulus as an opportunity to invest in the security of its health information technology (HIT) and EHR systems. This should be taken as great news by the health care industry, especially with recent state laws that strengthen HIPAA security requirements, such as California AB211 and SB541, and Massachusetts 201 CMR 17.