Healthcare Cybersecurity

NIST Releases New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has released a new guide for manufacturers of Internet of Things (IoT) devices to help them incorporate appropriate cybersecurity controls to ensure the devices are protected against threats when users connect them to the Internet.

The guide is the second in a series of publications on the security of IoT devices. The first document outlined the risks posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – is intended to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and severity of IoT device compromises.  

The draft document defines a core baseline of cybersecurity features which should be incorporated into all IoT devices, along with additional features that should be considered to provide a level of protection over and above the baseline that is appropriate for most customers.

The manufacturers of IoT devices have a responsibility to ensure that their devices have at least a basic level of security and for software updates to be released to address vulnerabilities discovered during the lifespan of the products. It is also the responsibility of users of IoT devices to make sure those security controls are activated and software updates are downloaded and applied promptly.

The guidance is aimed at a technical audience, although it is hoped that it will be used by consumers as well as IoT device manufacturers. It includes six security recommendations for IoT device manufacturers to incorporate into their devices. Those recommendations can also be used as a checklist for organizations to make sure a device can be secured before a purchase is made.

Those features are:

  • A device identification feature to allow an individual device to be identified or for a unique address to be used to connect to the network
  • The ability for an authenticated user to perform a software or firmware upgrade
  • A clear demonstration of how the device stores and transmits data
  • The ability to limit access to local and network interfaces
  • A secure and configurable method for updating software and firmware
  • A log feature that records all cybersecurity events

IoT devices connect to and are visible on network, yet they may not have an interface through which security settings can be applied and software updated. If appropriate security controls are not incorporated by manufacturers and activated by users, the devices will remain a security risk and vulnerabilities could be exploited by unauthorized individual to gain access to home and business networks

NIST is accepting comments on the draft guidance until September 30, 2019.

The post NIST Releases New Guidance on Securing IoT Devices appeared first on HIPAA Journal.

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures.

Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies.

The study revealed all but one (22) federal agency had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the study.

There were deficiencies in the development of a cybersecurity risk management plan. 16 agencies had not fully established a cybersecurity risk management strategy which delineated the boundaries for risk-based decisions. 17 agencies had not fully established an agency-wide and system-level plan for assessing, monitoring, and responding to cybersecurity risks. A process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks had not been established at 11 agencies. 13 agencies had not established a process for coordinating between cybersecurity and ERM programs for managing all major risks.

Until policies and procedures are changed and the security failures are addressed, federal agencies will face an elevated risk of experiencing cyberattacks that threaten the national security of the United States and personal privacy.

GAO made 58 recommendations that all agencies should incorporate into their risk management processes, including specific recommendations for certain agencies.

Federal agencies have faced several challenges assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which was cited as a problem by all 23 agencies.

Managing competing priorities between operations and cybersecurity, establishing and implementing consistent policies and procedures, establishing and implementing standardized technology capabilities, and receiving quality risk data were also common problems.

GAO has recommended that the DHS and OMB develop methods for sharing best practices and successful methods for addressing some of the common challenges faced when implementing consistent cybersecurity risk management practices to ensure those challenges can be overcome quickly and security posture at all of the federal agencies is rapidly improved.

The post GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies appeared first on HIPAA Journal.

VA OIG Report Highlights Risk of Medical Device Workarounds

A recent inspection of a California VA medical center by the Department of Veteran Affairs Office of Inspector General (VA OIG) has revealed security vulnerabilities related to medical device workarounds and multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies.

Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation.

The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection.

The medical center did not have an interface between VHA medical devices and its EHR system, which forced staff to use inappropriate workarounds. Biomedical engineering and IT assistance had not fully resolved software interface issues between VHA medical devices and the EHR, and facility staff were using unapproved communication modes which risked the accidental disclosure of sensitive patient information.

Inspectors discovered 9 out of 12 medical devices lacked an interface with the EHR system, including a high-resolution esophageal manometry (HRM) medical device. The interface with the VHA EHR stopped functioning when the medical center upgraded to Windows 7 from Windows XP in 2013. Biomed and IT had provided assistance initially when problems were first experienced, but additional software interface issues remained unaddressed.

The gastroenterology (GI) provider told the inspectors that the facility’s biomedical engineering and IT departments were involved in the decision to continue using the equipment even though there was no working interface. The GI provider developed two workarounds that were not in line with VHA and VA policies covering sensitive personal information. Those workarounds placed patient information at risk of exposure.

Those methods involved the use of the GI provider’s personal computer and the transfer of sensitive information via unencrypted email, the cloud, and a non-VA-issued unencrypted flash drive. Staff in the GI laboratory, pulmonary/sleep laboratory, and neurology departments had also developed workarounds as a result of interface issues following the operating system upgrade.

Staff were aware of the importance of patient privacy and securing patient information, and one staff member ensured information was only sent via secure, encrypted email. However, other staff members sent email using personal email accounts, unsecured devices, and via SMS text messages.

VA OIG found 99% of the emails sent from the GI provider’s email account contained sensitive patient information as did 91.7% of SMS text messages sent to staff. Inpatient and nursing staff were also discovered to be using non-secure methods of communicating patient information. The medical center was also discovered to still be using logbooks to record equipment taken home by staff, which is against VHA policy.

The report involved one VA medical center, but the findings are not surprising. Similar problems are experienced by many healthcare providers, which also use workarounds to solve software compatibility issues, even though those workarounds can introduce considerable risk.

The VA OIG has made several recommendations on how the medical center can correct the violations and improve security. Those recommendations include taking steps to ensure staff members only use secure methods to communicate patient information, and for the medical center director to conduct a review of communications processes between staff and IT/biomedical engineering and to take action to address interface issues and improve communication.  The medical center is currently in the process of implementing those recommendations.

The post VA OIG Report Highlights Risk of Medical Device Workarounds appeared first on HIPAA Journal.

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.

The post Judge Approves $74 Million Premera Blue Cross Data Breach Settlement appeared first on HIPAA Journal.

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. There were 24 theft incidents were reported involving at least 184,932 records and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,”  wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

DHS Issues Best Practices to Safeguard Against Ransomware Attacks

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1, 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse.

States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors.

In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks.

The statement was issued primarily to state, local, territorial and tribal governments, although the recommendations are equally relevant to the healthcare industry and businesses in other industry sectors.

Taking the three steps detailed in the statement (and outlined below) will improve defenses against ransomware and will help to ensure that in the event of an attack, recovery can be made in the shortest possible time frame.

Ransomware Recommendations

  • Backup systems now (and daily)
  • Reinforce cybersecurity awareness training
  • Revise and refine cyber incident response plans

Without valid data backups, ransomware victims will be at the mercy of their attackers. As has already been seen on several occasions this year, payment of the ransom does not guarantee file recovery. Even when keys are supplied to unlock encrypted data, some data loss can be expected.

It is therefore essential to ensure that all critical data, agency and system information is backed up daily, with the backups stored on a separate, non-networked, offline device. Backups and the restoration process must be tested to ensure file recovery is possible. The joint statement instructs all partners to backup systems immediately and daily.

Ransomware is most commonly installed inadvertently by employees as a result of responding to a phishing email or visiting a malicious website. It is therefore important to ensure that the workforce is made aware of the threat and is taught how to recognize suspicious emails, links, and other threats.

Even if training has already been given to staff, refresher training sessions are recommended. The staff should also be made aware of the actions to take if a potential threat is received or if an attack is believed to be in progress, including being advised of out-of-band communication paths.

It may not be possible to prevent all attacks, so it is essential for a ransomware response plan to be developed that can be immediately implemented in the event of an attack. The response plan should include plans that can be implemented if internal capabilities become overwhelmed and instructions and contact information for external cyber first responders, state agencies, and other parties that may be required to assist in the wake of an attack.

The guidance document can be viewed/downloaded on this link (PDF).

The post DHS Issues Best Practices to Safeguard Against Ransomware Attacks appeared first on HIPAA Journal.

Critical VxWorks Vulnerabilities Impact 2 Billion Devices

Security researchers at Armin have identified 11 vulnerabilities in the VxWorks real-time operating system that is used in around 2 billion IoT devices, medical devices, and control systems.

Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11”

VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers.

Armin researchers alerted Wind River about the flaws and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The vulnerabilities are all in the transmission control protocol/Internet protocol (TCP/IP) stack of VxWorks, also known as IPnet.

The vulnerabilities are:

  • CVE-2019-12256 – Stack-based buffer overflow – CVSS v3: 9.8
  • CVE-2019-12257 – Heap-based buffer overflow – CVSS v3: 8.8
  • CVE-2019-12255 – Integer Underflow – CVSS v3: 9.8
  • CVE-2019-12260 – Improper restriction of operations in memory buffer – CVSS v3: 9.8
  • CVE-2019-12261 – Improper restriction of operations in memory buffer – CVSS v3: 8.8
  • CVE-2019-12263 – Concurrent execution using shared resource with improper synchronization – CVSS v3: 8.1
  • CVE-2019-12258 – Argument injection or modification – CVSS v3: 7.5
  • CVE-2019-12259 – Null pointer dereference – CVSS v3: 6.3
  • CVE-2019-12262 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12264 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12265 – Argument injection or modification – CVSS v3: 5.4

Some of the vulnerabilities affect VxWorks versions which are at or approaching end of life (Versions back to 6.5) and also the now discontinued product, Advanced Networking Technology (ANT). Wind River also reports that one of the vulnerabilities – CVE-2019-12256 – also affects the WvWorks bootrom network stack, as it leverages the same IPnet source as VxWorks.

The following VxWorks products are not affected:

  • VxWorks 5.3 to VxWorks 6.4 inclusive
  • VxWorks Cert versions
  • VxWorks 653 Versions 2.x and earlier.
  • VxWorks 653 MCE 3.x Cert Edition and later.

Patches for the affected VxWorks versions can be obtained by emailing Wind River- – and stating the which version needs to be patched. Xerox and Rockwell Automation have released their own security advisories about the vulnerabilities.

Affected individuals have been advised to apply the patches as soon as possible. Wind River said there have been no reported instances of the vulnerabilities being exploited in the wild.

The post Critical VxWorks Vulnerabilities Impact 2 Billion Devices appeared first on HIPAA Journal.

Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible.

The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis.

The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville.

This is not the first ransomware attack suffered by the health center this year.  A prior attack occurred on April 2, 2019, which similarly took its computer systems out of action. In that case, backups were used to restore data and its systems were rebuilt from scratch. The health center was able to recover data without paying a ransom, although its systems were offline for around three weeks while the attack was remediated.

The health center consulted with third-party IT specialists and the FBI after the latest attack and the decision was taken to pay the ransom for the keys to decrypt files. Park DuValle CEO Elizabeth Ann Hagan-Grigsby explained to WDRB reporters that it was not possible to rebuild its systems and recover data from backups after the latest attack.

The ransom was paid in two installments, the first was made two weeks ago and the final payment was made last week. The latest payment was for 6 Bitcoin. Approximately $70,000 was paid in total. The health center expects to have fully restored its systems by August 1, 2019.

The ransom payment is only a small part of the cost of a ransomware attack. Hagan-Grigsby said the attack has so far cost around $1 million.

While the ransomware prevented files from being accessed, Hagan-Grigsby does not believe there has been a data breach. She said the Department of Health and Human Services has been notified but was told there was no data breach. no evidence was found to suggest unencrypted patient information was viewed and its firewall logs show no data was exfiltrated from its systems.

The Park DuValle ransomware is one of several healthcare ransomware attacks to be reported in the past few days. Ransomware attacks have also recently been reported by Springhill Medical Center in Alabama, Harbor Community Hospital in Washington, and Dr. Carl Bilancione’s dental office in Maitland, Florida.

An attack was also reported by Bayamón Medical Center in Puerto Rico, which also affected its affiliated Puerto Rico Women and Children’s Hospital. The attack impacted more than 520,000 patients.

The post Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI appeared first on HIPAA Journal.

NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security.

Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data.

The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed.

Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious apps can be installed on devices that may be granted access to data. The devices are also small and portable, which increases the risk of loss or theft.

The new guidance – SP 1800-21 – explains the unique risks introduced by mobile devices and how those risks can be reduced to a low and acceptable through the use of privacy protections. By adopting a standards-based approach to mobile device security, and through the use of commercially available technology, organizations can address the privacy and security risks associated with mobile devices and greatly improve their security posture.

NCCoE created a reference architecture to illustrate how a variety of mobile security technologies can be integrated into an enterprise network along with recommended protections to implement to reduce the risk of the installation of malicious applications and personal and business data loss. The guidance also explains how to mitigate breaches when devices are compromised, lost, or stolen.

The guidance contains a series of How-to-Guides that contain step by step instructions for setup and configuration to allow security staff to quickly implement and test the new architecture in their own test environments.

NIST also included advice on reducing the cost of issuing COPE mobile devices through enterprise visibility models and suggests ways that system administrators can increase visibility into security incidents and set up automated alerts and notifications in the event that a device is compromised.

NIST is seeking comments on the new draft guidance until September 23, 2019.

The draft mobile device security guidance for COPE devices can be downloaded from NIST on this link.

The post NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices appeared first on HIPAA Journal.