Healthcare Cybersecurity

PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks

Organizations are struggling to prevent phishing attacks, according to a recently published survey by PhishMe.

The survey, conducted on 200 IT executives from a wide range of industries, revealed 90% of IT executives are most concerned about email-related threats, which is not surprising given the frequency and sophisticated nature of attacks. When attacks do occur, many organizations struggle to identify phishing emails promptly and are hampered by an inefficient phishing response.

When asked about how good their organization’s phishing response is, 43% of respondents rated it between totally ineffective and mediocre. Two thirds of respondents said they have had to deal with a security incident resulting from a deceptive email.

The survey highlighted several areas where organizations are struggling to prevent phishing attacks and respond quickly when phishing emails make it past their defenses.

PhishMe also notes that many first line IT support staff have not received insufficient training or lack the skills to identify phishing emails. Consequently, many fail to escalate threats or block access to malicious links through the firewall or web filter.

The biggest challenge was too many threats and too few responders, according to 50% of respondents. Approximately one third of respondents said they have to deal with more than 500 suspicious emails a week. 21% said they have more than 1,000 emails reported as suspicious each week.

Dealing with those emails and finding the real threats among the spam takes a considerable amount of time. When asked how the phishing response could be improved, number one on the wish list was a solution that could automatically analyze phishing emails to sort the real threats from spam.

Due to time pressures and a lack of human resources, potential phishing attacks are often not dealt with rapidly. Many organizations have an inefficient and ineffective phishing response which makes rapid mitigation difficult.

Part of the problem is how suspicious emails are reported. 55% of organizations have potentially suspicious emails routed to the helpdesk and do not have a dedicated inbox for phishing emails. Mixing reports of potential phishing attacks with other IT issues increases the probability of serious threats being overlooked and invariably leads to delays in implementing the phishing response.

The survey showed companies are heavily reliant on technology to prevent phishing attacks, although most have correctly chosen to implement layered defenses. That said, 42% of respondents said multiple layers of security solutions was a problem when managing phishing attempts.

The most common defense against phishing attacks is email gateway filtering, although 15% of organizations still do not use email filtering technology and 20% do not use an anti-malware solution. There are also clear gaps in employee training. 34% of organizations do not provide computer-based training for employees to improve awareness of phishing and teach employees how to identify phishing emails.

Technology can only go so far. Email gateway solutions are effective at blocking phishing threats, although they are not 100% effective. Malicious emails will make it past email filters so it is essential that staff are trained to identify threats.

PhishMe accepts there are limits to training. “Are all employees going to “get it?” every time? Probably not. But they don’t have to if the rest of the organization is ready to recognize and report suspicious emails. It only takes one to report it so the incident response team can substantially reduce the impact of phishing attacks.”

The post PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks appeared first on HIPAA Journal.

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health, Bakul Patel, Patel explained in a recent blog post that the guidelines focus on three key areas: Ensuring interoperability is at the core of the design of their devices, that verification, validation and risk management activities are performed, and that the functional, performance, and interface characteristics of the devices are clearly specified to ensure users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained, the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure those using the devices with systems and devices can do so safely. If it is not clearly explained to users how the devices function and interface, this could potentially lead to devices malfunctioning, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.

The post FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange appeared first on HIPAA Journal.

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health, Bakul Patel, Patel explained in a recent blog post that the guidelines focus on three key areas: Ensuring interoperability is at the core of the design of their devices, that verification, validation and risk management activities are performed, and that the functional, performance, and interface characteristics of the devices are clearly specified to ensure users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained, the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure those using the devices with systems and devices can do so safely. If it is not clearly explained to users how the devices function and interface, this could potentially lead to devices malfunctioning, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.

The post FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange appeared first on HIPAA Journal.

Warning Issued About Vulnerabilities in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices.

Smiths Medical Medfusion 4000 devices are used to deliver small doses of medication and are used throughout the United States and around the world in acute care settings. Eight vulnerabilities have been identified in three versions of the wireless syringe infusion pumps (V1.1, v1.5 and v1.6), with CVSS v3 scores ranging from 3.7 to 8.1. The vulnerabilities could be exploited remotely, potentially causing harm to patients. Hackers could also exploit the vulnerabilities to gain access to other healthcare IT systems if the devices are not segmented on the network.

DHS says the impact to organizations depends on several factors, based on specific clinical usage and hospital’s operational environments. Six of the vulnerabilities relate to hard-coded passwords/credentials, certificate validation issues, and authentication gaps which could allow hackers to gain access to the devices. The other two vulnerabilities involve third-party components, although those vulnerabilities would be much harder to exploit.

Smiths Medical has reassured healthcare organizations that while the vulnerabilities could potentially be exploited, in a clinical setting this would be highly unlikely, explaining the exploit “requires a complex and an unlikely series of conditions.” Attackers would also require a high skill level to exploit the vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. ICS-CERT says there are no publicly known exploits targeting the vulnerabilities.

Smiths Medical has been working closely with DHS and will resolve the flaws, although the Plymouth, MN-based medical device manufacturer will not do so until the release of Medfusion 4000 v1.6.1 in January 2018.

In the meantime, healthcare organizations using vulnerable versions of the devices have been advised by Smiths Medical to take steps to reduce risk. Those steps include:

  • Assigning static IP addresses to the infusing pumps
  • Monitoring network activity for rogue DNS and DHCP servers
  • Ensuring network segments are installed and the devices are segregated from other parts of hospital networks. Hospitals have been advised to consider network micro segregation
  • Using network virtual local area networks (VLANs) for the segmentation
  • Adopting password best practices, such as setting strong passwords and not re-using passwords
  • Performing routine backups and evaluations.

ICS-CERT recommends disconnecting the devices from the network until the product fix is applied, although this would require the drug library to be updated manually on all devices.

ICS-CERT also recommends:

  • Closing Port 20/FTP, Port 21/FTP, and Port 23/Telnet if the devices need to be networked
  • Disabling the FTP server on the pumps
  • Closing all unused ports
  • Monitoring and logging all network traffic attempting to reach the affected products, including attempts on closed ports
  • Locating the devices behind firewalls
  • Using VPNs to connect to the devices if remote access is required, and to ensure the latest version of VPNs are installed.

The post Warning Issued About Vulnerabilities in Smiths Medical Medfusion 4000 Devices appeared first on HIPAA Journal.

NCCoE/NIST Release Draft Guidelines for Ransomware Recovery

Draft guidelines for ransomware recovery have been issued by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST). The guidelines – NIST Special Publication 1800-11 – apply to all forms of data integrity attacks.

SP 1800-11 is a detailed, standards-based guide that can be used by organizations of all sizes to develop recovery strategies to deal with data integrity attacks and establish best practices to minimize the damage caused and ensure a speedy recovery.

NIST says, “When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware.”

NCCoE/NIST collaborated with cybersecurity vendors (GreenTec, HP, IBM, Tripwire, the MITRE Corporation and Veeam) to develop the guidelines, which will help organizations prepare for the worst and develop an effective strategy to recove from a cybersecurity event such as a ransomware attack. By adopting the best practices detailed in the guidelines, the recovery process should be smoother, critical business and revenue generating operations can be maintained, and enterprise risk can be effectively managed.

The NIST guidelines for ransomware recovery will help organizations prepare for an attack and develop strategies to allow them to restore data to the last known good configuration, identify the correct backup copies to use, and determine whether data have been altered or poisoned.

In the event of data alteration, organizations are shown how to identify the individual(s) who have altered data and determine the impact of data alteration on business processes. The guidelines also explain how businesses can ensure systems are free from malware during the recovery process.

The guidelines are split into three volumes: Volume A is an executive summary which is of particular relevance for business decision makers including CSOs and CISOs; Volume B outlines approach, architecture and security characteristics which will help technology and security program managers identify, understand, assess, and mitigate risk. Volume C includes how-to guides, including specific product installation, configuration, and integration instructions for a selection of software solutions and tools that can be used to help organizations recover from data integrity attacks.

The draft guidelines for ransomware recovery are open for comments and can be downloaded on this link.

The post NCCoE/NIST Release Draft Guidelines for Ransomware Recovery appeared first on HIPAA Journal.

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) is recommending all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbot Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and Merlin@home Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”.  During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbot Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

The post FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers appeared first on HIPAA Journal.

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) is recommending all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbot Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and Merlin@home Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”.  During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbot Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

The post FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers appeared first on HIPAA Journal.

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations and IRS, FBI and Hurricane Harvey themed phishing attacks.

Defray Ransomware

A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers.

The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists.

The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document will see Defray ransomware downloaded. There is currently no free decryptor to unlock the encryption. Recovery will depend on backups being available, otherwise a ransom of $5,000 per encrypted device must be paid for the decryption keys.

The scams were uncovered by researchers at Proofpoint who believe the actors behind the campaigns are likely to continue to conduct highly targeted attacks rather than use the spray and pay tactics more commonly associated with ransomware distribution.

As always, the advice is to ensure backups are regularly performed and end users are made aware of the risks of clicking links or opening attachments from unknown senders.

Hurricane Harvey Phishing Scams

Natural disasters draw out the scammers and Hurricane Harvey is no exception. US-CERT has recently issued a warning to consumers and businesses to be alert to Hurricane Harvey phishing scams. Scammers take advantage of interest in natural disasters to phish for sensitive information, install malware and ransomware, and fraudulently obtain charitable donations from the public.

Email and social media scams can be expected and users should be alert to the risk of malicious cyber activity. Emails relating to the relief efforts or updates on Hurricane Harvey should be treated as suspicious. Links in the emails should not be clicked and attachments not opened.

Email requests for charitable donations to help the victims of the disaster should be treated as suspicious. Rather than using links in the emails, US-CERT recommends obtaining trusted contact information for the charity via the Better Business Bureau National Charity Report Index and to independently verify the legitimacy of any email request for donations.

FBI and IRS-Themed Phishing Emails

An alert has been issued about a new phishing scam that uses both the FBI and IRS emblems to fool users into installing ransomware. The emails relate to an FBI questionnaire that needs to be downloaded, printed, completed, scanned and returned.

A link is included in the email to download the form, which the scammers suggest is related to changes to tax laws. Clicking the link will result in ransomware being downloaded. The IRS has reconfirmed it does not initiate communication via email, text message or social media posts.

IRS commissioner John Koskinen said, “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

The post New Ransomware and Phishing Warnings for Healthcare Organizations appeared first on HIPAA Journal.

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations and IRS, FBI and Hurricane Harvey themed phishing attacks.

Defray Ransomware

A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers.

The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists.

The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document will see Defray ransomware downloaded. There is currently no free decryptor to unlock the encryption. Recovery will depend on backups being available, otherwise a ransom of $5,000 per encrypted device must be paid for the decryption keys.

The scams were uncovered by researchers at Proofpoint who believe the actors behind the campaigns are likely to continue to conduct highly targeted attacks rather than use the spray and pay tactics more commonly associated with ransomware distribution.

As always, the advice is to ensure backups are regularly performed and end users are made aware of the risks of clicking links or opening attachments from unknown senders.

Hurricane Harvey Phishing Scams

Natural disasters draw out the scammers and Hurricane Harvey is no exception. US-CERT has recently issued a warning to consumers and businesses to be alert to Hurricane Harvey phishing scams. Scammers take advantage of interest in natural disasters to phish for sensitive information, install malware and ransomware, and fraudulently obtain charitable donations from the public.

Email and social media scams can be expected and users should be alert to the risk of malicious cyber activity. Emails relating to the relief efforts or updates on Hurricane Harvey should be treated as suspicious. Links in the emails should not be clicked and attachments not opened.

Email requests for charitable donations to help the victims of the disaster should be treated as suspicious. Rather than using links in the emails, US-CERT recommends obtaining trusted contact information for the charity via the Better Business Bureau National Charity Report Index and to independently verify the legitimacy of any email request for donations.

FBI and IRS-Themed Phishing Emails

An alert has been issued about a new phishing scam that uses both the FBI and IRS emblems to fool users into installing ransomware. The emails relate to an FBI questionnaire that needs to be downloaded, printed, completed, scanned and returned.

A link is included in the email to download the form, which the scammers suggest is related to changes to tax laws. Clicking the link will result in ransomware being downloaded. The IRS has reconfirmed it does not initiate communication via email, text message or social media posts.

IRS commissioner John Koskinen said, “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

The post New Ransomware and Phishing Warnings for Healthcare Organizations appeared first on HIPAA Journal.