Category Archives: Security

Urgent Vulnerability: Adobe Flash

F-Secure Security Center has disclosed an Adobe Flash Player remote code execution vulnerability.

Report ID: SA200900917
Source: F-Secure
Date of Discovery: 25.02.2009
Criticality: Urgent
Affects: Adobe Flash Player 10.x, Adobe Flash Player 9.x
Compromise From: Remote
Compromise Type: System access (remote code execution)

The fix is to upgrade to Flash Player 10.0.22.87 (10.0r22).

It is also a good idea to check the program directory (C:\WINDOWS\system32\Macromed\Flash) and remove all prior versions of Flash.
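A quick way to carry out that directory check, as an added example that is not part of the original post: list the Flash binaries in the directory above, read their embedded file version, and flag anything older than the fixed build. The directory path and the 10.0.22.87 version come from the post; the file extensions scanned are an assumption about how the player is packaged.

```powershell
# Added example (not from the original post). Flags Flash Player binaries in the
# program directory whose file version is older than the fixed build 10.0.22.87.
# Assumptions: the path and fixed version are the ones named in the post; the
# .ocx/.dll/.exe extensions are the usual Flash Player binary types.
$FlashDir   = 'C:\WINDOWS\system32\Macromed\Flash'
$FixedBuild = [version]'10.0.22.87'

function Get-FlashBinaryStatus {
    param(
        [string]$Path = $FlashDir,
        [version]$Minimum = $FixedBuild
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Flash directory not found: $Path"
        return
    }

    Get-ChildItem -LiteralPath $Path |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(ocx|dll|exe)$' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Flash stamps FileVersion as a comma-separated string ("10,0,22,87"),
            # so build a comparable [version] from the integer parts instead.
            $ver = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                   $vi.FileBuildPart, $vi.FilePrivatePart)
            New-Object PSObject -Property @{
                File       = $_.Name
                Version    = $ver
                Vulnerable = ($ver -lt $Minimum)   # $true means remove or upgrade this file
            }
        }
}

# Oldest binaries first; any row marked Vulnerable is a leftover pre-fix version.
Get-FlashBinaryStatus | Sort-Object Version | Format-Table File, Version, Vulnerable -AutoSize
```

On 64-bit Windows the 32-bit player installs under SysWOW64 instead of system32, so run the function a second time with that path.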

Eli Lilly fraud case settled

The US Department of Justice has settled with Eli Lilly for more than $1.4 billion over illegal “off-label” marketing practices for an antipsychotic drug.

Facing tens of thousands of claims and over a hundred lawsuits that involved Medicaid fraud investigations in more than 30 states, Lilly now has to pay civil penalties of $800 million, plead guilty to criminal charges and pay an additional $600 million in fines.

“Eli Lilly completely ignored the law” and made “hundreds of millions of dollars” from its illegal promotion of Zyprexa, [U.S. Attorney Laurie] Magid said at a press conference in Philadelphia today. “We’re holding a company responsible for putting thousands and thousands of patients at risk.”

Lilly had advertised, without clearance from regulators, that five milligrams at 5 pm would help dementia patients fall asleep. The drug represented almost a quarter of company revenues with $4.76 billion in sales for 2007 alone.

Six former sales representatives responsible for blowing the whistle under the federal False Claims Act are to receive $78.8 million in the civil settlement and a share from settlements in states that have whistleblower laws. The company now also must operate under federal monitoring for five years.

Healthcare IT security and the Stimulus Package

I have been getting a lot of questions about the American Recovery and Reinvestment Act of 2009 (ARRA) and how it will affect IT spending in health care. A WTN News article has an excellent executive summary:

The largest allocation of funding — approximately $17 billion — is for incentive payments through the Medicare and Medicaid reimbursement systems to encourage providers and hospitals to implement EHR technology systems. As described more fully below, the incentive payments are triggered when a provider or hospital demonstrates it has become a “meaningful EHR user.” Payments are paid over time, with larger payments in the early years and lower payments over time, totaling as much as $48,400 for eligible professionals and up to $11 million for hospitals. On the other hand, hospitals and eligible professionals suffer penalties through reduced Medicare reimbursement payments if they do not become meaningful users of EHR by 2015.

This says to me an entity has to purchase and install the technology before it can be reimbursed. Proof that electronic health records (EHR) are deployed securely will net payments and incentives out of the stimulus package. Here are the top five objectives, which should help prioritize projects related to the above reimbursements:

  • The electronic exchange of health information
  • Utilization of electronic health records for each person in the United States by 2014
  • Use of privacy and security protections (including encryption standards) for electronic exchange of identifiable health information
  • Improving quality of health care
  • Specifying plans for individuals with unique needs such as children

Security protections of IT can be reimbursed. A regulated entity thus should see the stimulus as an opportunity to invest in the security of its health information technology (HIT) and EHR systems. This should be taken as great news by the health care industry, especially with recent state laws that strengthen HIPAA security requirements, such as California AB211 and SB541, and Massachusetts 201 CMR 17.

US back with Uzbekistan

A couple of weeks ago I mentioned the Kyrgyz base closure would end the last remaining US base in Central Asia, which complicates the supply chain for American operations in Afghanistan. The AP seems to have just picked this up as newsworthy today. I suspect they mention it because there is a positive development for the US to announce, as well as a human-rights angle:

…the tentative pact with Uzbekistan was particularly important. It represented a warming of relations between U.S. officials and Uzbekistan’s authoritarian president.

Karimov ordered a major U.S. air base in Uzbekistan closed in the wake of Washington’s criticism of his government’s deadly crackdown on anti-government protesters in the city of Andijan in 2005.

This will be an interesting twist for the new American President’s foreign policy. The test is whether Obama can extend US influence into the region more sensibly than his predecessor. Bush’s interaction with Georgia was not only short-sighted, but arguably stoked and then failed to avert war with Russia. In the case of Uzbekistan’s leader Karimov, Bush’s Pentagon funded him as part of the “war on terror” until around 2005, when it had to admit he was a ruthless dictator using US-trained and armed soldiers to kill large numbers of civilian protesters. Some even acknowledged this could be seen as counter-productive to reducing terror. Radio Free Europe tried to explain the situation in 2005, quoting William Kristol and Stephen Schwartz from The Weekly Standard.

“I frankly think that with the war in Afghanistan essentially over, there’s no reason to maintain any base in Uzbekistan and they [the United States] should remove the base. I think they [the United States] should cut off any military or police training to Uzbek troops since we now have to face the scandalous fact that the troops in the Andijon incident apparently were trained in the United States.”

Yes, you read that right, the periodical that “often reflects the thinking of the Bush administration” said “with the war in Afghanistan essentially over” in 2005…and here we are today facing Taliban control expanding, demand for more troop enlargements in Afghanistan, and a crisis of supply routes.

With signs of encroaching Russian influence over its neighbor, the US has moved back towards alliance with Karimov in order to access the Uzbek base and Afghanistan. Will Obama’s administration also be able to continue its rhetoric on human rights? This brings me back to the question of cyberwarfare. Russia may continue to stoke fear through its use of non-state agents on the network. This would be good as it perhaps allows the US to build on counter-cyberwarfare aid as part of the deal to win access rights, rather than supply of guns and military training, and still have enough leverage to stand tall on human rights policy. In other words, I suspect cyberwarfare aid (e.g. network infrastructure and monitoring) has far less lethal and reprehensible side-effects.