Healthcare Cybersecurity

Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern

Through compliance with HIPAA, healthcare organizations have achieved a baseline standard of security, but there is still plenty of room for improvement and healthcare cybersecurity is at best mediocre.

The 2019 Healthcare Cybersecurity Report from Security Scorecard revealed the healthcare industry ranks 8th for cybersecurity out of the 18 industry sectors that were studied for the report.

The worst aspects of security for the healthcare industry were DNS health and endpoint security, where the industry ranked 13th and 12th respectively.

Without proper DNS security measures in place, attacks could take place in which DNS records are changed. Such an attack would allow cybercriminals to route web traffic to fraudulent websites where credentials could be harvested. The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued a warning about this attack method in January 2019.

Endpoint security is another big concern. In healthcare, employees use a wide range of different types of devices to gain access to healthcare networks, which introduces risks, and many healthcare organizations are struggling to address those risks effectively. Security Scorecard cites the 2018 HIMSS Cybersecurity Report, which revealed that 27.5% of healthcare employees surveyed thought there were too many endpoints in use; this was seen as one of the biggest barriers to remediating and mitigating cybersecurity incidents.

The one area of apparent strength is network security, where the healthcare industry ranked 5th out of 18. The relatively high score in this area is not necessarily as good as it first appears. The high position means healthcare organizations are protecting the network perimeter through the use of firewalls and are segmenting their networks to limit access to devices and data in the event of a perimeter breach.

Security Scorecard notes that the network security and endpoint security scores suggest the healthcare industry is adopting an “eggshell security model” which means the perimeter controls are strong, but they are being used to defend a particularly soft and vulnerable internal network. If the perimeter is breached, insufficient controls are present to limit the harm that can be caused.

The other areas assessed for the report were application security and patching cadence, where healthcare was deemed mediocre with scores of 8/18 and 10/18 respectively. The application security score was relatively good, but Security Scorecard warned that the high number of applications used in healthcare creates multiple exploitable vectors to attack and the increasing use of networked medical devices could be placing data at risk.

Patching of known vulnerabilities is relatively slow. Patches are delayed to avoid system and application downtime and because applying them places a significant load on system resources. However, delays in patching leave organizations vulnerable. Many attacks occur within a few days of patches being released.

“The risk of ePHI exposure and unauthorized access is an increasing trend year after year,” said Fouad Khalil, VP of Compliance at Security Scorecard. “Healthcare organizations must adopt continuous assurance practices to maintain compliance and adequately protect data… Poor cybersecurity practices cannot be taken lightly.”

The post Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern appeared first on HIPAA Journal.

Concerns Raised with FDA over Medical Device Security Guidance

The U.S. Food and Drug Administration (FDA) is reviewing feedback on the guidance for medical device manufacturers issued in October 2018.

Comments have been submitted on the guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, by more than 40 groups and healthcare companies before the commenting period closed on March 18. Feedback will be taken on board and the guidance will be updated accordingly. The final version of the guidance is expected to be released later this year.

The requirement for medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ to the FDA as part of the premarket review has been broadly praised. The CBOM needs to include a list of software and hardware components which have vulnerabilities or are susceptible to vulnerabilities. The CBOM will help healthcare organizations assess and manage risk.

However, concerns have been raised by several groups about having to include all hardware components, as it may not even be possible for device manufacturers to provide that information. If hardware components and subcomponents are included, the list could be extensive and contain hundreds of different components. Requests have been made to limit the CBOM to software, and to change the language to Software Bill of Materials, as hardware may be outside the control of the device manufacturer.

The FDA has proposed a two-tier classification of medical devices based on cybersecurity risk. The first tier includes devices that have a high cybersecurity risk, which includes devices that connect to healthcare networks and devices that could potentially result in multiple patients coming to harm if a cybersecurity incident occurs. The second tier includes devices with a standard level of risk.

Several groups have submitted comments requesting changes to this tiered system, including dropping both tiers and adopting a single risk-based approach or the addition of a third tier for devices with low cybersecurity risk. It has also been suggested that the definition of the tiers be changed to include indirect harm to patients or an organization so as to include privacy risks from the exposure of sensitive data.

CHIME suggests the FDA should change its definition of medical device risk to include all risks associated with medical devices. Medical devices could be used as a platform to conduct further attacks on an organization and risks extend far beyond medical devices. CHIME suggested the FDA should expand the definition of risk to include risks to the entire health IT ecosystem.

CHIME also explained that some device manufacturers are not doing enough to address known risks. For example, the patch released to address the vulnerability that was exploited in the WannaCry ransomware attacks in 2017 still hasn’t been applied to many medical devices as manufacturers class the vulnerability as a controlled risk. In other cases, no action is being taken to address known vulnerabilities until the FDA decides a device recall is required. CHIME suggests it should not be up to the device manufacturer to decide whether a risk is controlled or uncontrolled.

CHIME also suggests that the FDA needs to be much clearer about the steps that medical device manufacturers are expected to take to address known vulnerabilities to ensure patient safety is not put at risk, and that there should be a requirement to meet a certification standard as there is for electronic medical records.


Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCareLink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability.

The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on.

An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device.

The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3.

A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use encryption, an attacker with adjacent short-range access to a vulnerable product could intercept communications and obtain sensitive patient data.

The vulnerability is being tracked as CVE-2019-6540 and has been assigned a CVSS v3 base score of 6.5.

The vulnerabilities affect the following Medtronic devices:

  • Versions 24950 and 24952 of MyCareLink Monitor
  • Version 2490C of CareLink Monitor
  • CareLink 2090 Programmer

All models of the following implanted cardiac devices are affected:

  • Amplia CRT-D
  • Claria CRT-D
  • Compia CRT-D
  • Concerto CRT-D
  • Concerto II CRT-D
  • Consulta CRT-D
  • Evera ICD
  • Maximo II CRT-D and ICD
  • Mirro ICD
  • Nayamed ND ICD
  • Primo ICD
  • Protecta ICD and CRT-D
  • Secura ICD
  • Virtuoso ICD
  • Virtuoso II ICD
  • Visia AF ICD
  • Viva CRT-D

Medtronic has implemented additional controls for monitoring and responding to any cases of improper use of the telemetry protocol used by affected ICDs. Further mitigations will be applied to vulnerable devices through future updates.

In the meantime, users of the devices should ensure home monitors and programmers cannot be accessed by unauthorized individuals and home monitors should only be used in private environments. Only home monitors, programmers, and ICDs that have been supplied by healthcare providers or Medtronic representatives should be used.

Unapproved devices should not be connected to monitors through USB ports or other physical connections, and programmers should only be used to connect with ICDs in hospital and clinical environments.

The vulnerabilities were identified by multiple security researchers who reported them to NCCIC: Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; former KU Leuven researcher Eduard Marin; Flavio D. Garcia; Tom Chothia; and Rik Willems.


UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims. The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.


Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House of Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

Ericsson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices.

Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices.

Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. Most IoT devices have not been designed with security in mind and the market encourages device manufacturers to prioritize convenience and cost over security.

The bill calls for NIST to issue recommendations for IoT device manufacturers on secure development, identity management, configuration management, and patching throughout the life-cycle of the devices. NIST will also be required to work with cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to ensure flaws are addressed when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with NIST recommendations and for policies to be reviewed at least every five years.

Any IoT device used by the federal government will be required to meet the security standards set by NIST, and contractors and vendors that provide IoT devices to the government will be required to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is important that IoT devices do not give hackers a backdoor into government networks. Without minimum security standards, the government will be vulnerable to attack and critical national security information will be placed at risk.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.

The bill is supported by many software and security firms and industry associations, including BSA, Symantec, Tenable, Mozilla, CloudFlare, Rapid7, and CTIA.


Security Risks of Medical Devices Explored by Check Point

Researchers at Check Point have demonstrated just how easy it can be to gain access to IoT medical devices and warn that the security risks of medical devices cannot be ignored.

There have been major technological advances in recent years that have resulted in an explosion of new medical devices, but the IT environments that the devices are incorporated into often lack appropriate security controls.

One of the main problems is many medical devices run on legacy systems and operating systems such as Windows XP, Windows 2000, and Windows 7.

Those operating systems are no longer patched and contain vulnerabilities that could easily be exploited to gain access to patient data or the network to which the devices connect. Even when patches are available, applying them can be difficult and involves considerable downtime. Consequently, devices often remain unpatched and vulnerable to attack.

Many healthcare providers also use medical devices from a wide range of manufacturers. Even identifying vulnerabilities and ensuring patches are applied can be a major challenge.

Check Point Demonstrates Security Risks of Medical Devices

In a recent blog post, Check Point researchers demonstrated just how easy it can be to hack a medical device. Their “UltraHack” demonstration showed a vulnerability could be exploited to hack an ultrasound machine and gain access to sensitive patient information.

The ultrasound machine was running on Windows 2000, and finding a vulnerability that could be exploited to gain access to the system was far from difficult. Access to the system was gained and the researchers were able to download data stored on the device, including DICOM images.

In the demonstration, the researchers showed how images relating to a particular patient could be replaced. Alternatively, malware or ransomware could be uploaded to the device.

While this attack was demonstrated on an ultrasound machine, vulnerabilities could easily be exploited on other medical devices.

IoT Devices are an Attractive Target for Hackers

Healthcare providers are a major target for hackers. They store large quantities of highly sensitive information which can be used by criminals to steal identities, submit fraudulent tax returns, obtain medical services and prescriptions through medical identity theft, gain access to patients’ financial accounts, and potentially conduct attacks to cause patients harm.

Ransomware attacks can also be extremely profitable. If sensitive medical information is encrypted, ransoms can be demanded. In many cases, healthcare organizations have been forced to pay the ransom demand to regain access to their data.

As more devices are used in healthcare, the problem is likely to get worse. Check Point cites a Business Insider report which suggests that the use of healthcare IoT devices will increase from 95 million devices in 2015 to 646 million in 2020. By the end of 2019, 87% of healthcare organizations will have adopted IoT devices.

Ensuring devices are only run on supported operating systems and patching promptly will help to improve security, but with hundreds or thousands of devices connected to the network, identifying and addressing vulnerabilities can be an almost impossible task.

Check Point suggests an advanced prevention security solution is now essential to help address the security risks of medical devices. Network segmentation is also a must. “Separating patient data from the rest of the IT network gives healthcare IT professionals a clearer view of network traffic to detect unusual movement that might indicate a breach or compromised [internet of medical things] device,” explained Check Point. “Segmentation would also enable these organizations to prevent data stealing or encrypting malware from propagating further across the network and instead isolating the threat.”


25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

Implementing technical safeguards to prevent the exposure of electronic protected health information is a major challenge in healthcare, especially when it comes to securing mobile devices.

According to the Verizon Mobile Security Index 2019 report, 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.

All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months.

While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as a quarter of healthcare organizations have experienced a breach involving a mobile device and 80% of those entities learned about the breach from a third party.

Since mobile devices are often used to access or store ePHI, a security incident could easily result in a breach of ePHI. Two thirds (67%) of healthcare mobile security incidents were rated major breaches. 40% of those breaches had major lasting repercussions and, in 40% of cases, remediation was said to be difficult and expensive.

67% of mobile device security incidents saw other devices compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said data was lost. 40% of healthcare organizations that experienced such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised as a result of a mobile security breach.

The main security risks were seen to be how devices were used by employees. 53% of respondents said personal use of mobile devices posed a major security risk and 53% said user error was a major problem.

65% of healthcare organizations were less confident about their ability to protect mobile devices than other IT systems. Verizon notes that this could be explained, in part, by the lack of effective security measures in place. For instance, just 27% of healthcare organizations were using a private mobile network and only 22% had unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said they sacrificed security to get tasks completed compared to 32% last year. 81% said they use mobile devices to connect to public Wi-Fi even though in many cases doing so violates their company’s mobile device security policy.


Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services.

Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%).

Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017.

While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches.

Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all reported healthcare breaches. 8% of reported healthcare data breaches involved the loss of physical records, 6% were portable device incidents, and 3% were social engineering attacks. 4% of breaches were not categorized.

Hacking/malware incidents increased by 55% in 2018 and accidental disclosures fell by almost 28%. As with other industry sectors, healthcare saw a major increase in BEC attacks.

The February report drew attention to the risk of BEC attacks – the compromise of a company email account, which is then used to conduct phishing and social engineering attacks on other employees in the organization and on business contacts. These scams are often conducted with the aim of obtaining sensitive information such as W-2 form data or to trick employees into making fraudulent wire transfers.

Beazley also drew attention to an increase in sextortion scams. One of the most common scams involves sending emails to employees claiming malware has been installed on their work computer which has recorded footage of them while they accessed adult websites. The hacker threatens to send a video containing webcam footage spliced with screen grabs of the websites that were being viewed at the time to the victim’s contacts.

These scams are conducted to extort money but also to install malware. Zip files attached to emails claim to include a copy of the video. Opening and executing the attachment triggers the download of information stealers and GandCrab ransomware.

Beazley reports that the sextortion cases its BBR Services team has dealt with contained empty threats, although some clients experienced malware infections as a result of opening the attached files.


HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses.

Russell P. Branzell, President and CEO of CHIME, and Shafiq Rab, CHCIO, Chair of the CHIME Board of Trustees, recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs.

In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes.

“Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

The use of technology and data sharing are essential for improving the level of care that can be provided to patients, yet both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also essential for cybersecurity measures to be implemented to protect patient data. Any policy recommendations must also include security requirements.

“As we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes,” wrote CHIME.

Healthcare organizations that comply with HIPAA Rules will have met the minimum standards for healthcare data privacy and security set by the HHS. That does not mean that HIPAA-compliant organizations are well protected against cyberattacks. HIPAA is complex and compliance requires a significant amount of resources. That can mean fewer resources are then available to tackle cybersecurity issues and protect against actual cyber threats.

Healthcare providers are devoting resources to meeting standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious threats. As a result, their ability to protect patient data could be diminished rather than increased.

CHIME also pointed out that enforcement of compliance with HIPAA Rules, via breach investigations and compliance audits, is unduly punitive. OCR appears to be more focused on punishment than on helping healthcare providers recover from a breach, learn from it, and share the lessons learned with other healthcare organizations.

Healthcare providers should not have the burden of protecting PHI in areas outside their control. CHIME suggests safe harbors should be introduced “for organizations that demonstrate, and certify, cybersecurity readiness.” That may require amendments to the HITECH Act, along with a change to the language used for the definition of a breach so it no longer presumes guilt.

CHIME has also called for the HHS to issue better guidance for healthcare providers to help them assess threats that are within their control. Healthcare providers should not have full responsibility for protecting PHI outside of their domain. CHIME has also suggested that the balance of responsibility for security needs to be split more evenly between covered entities and their business associates.

When considering enforcement actions, OCR should assess the level of effort that has gone into protecting systems and PHI and policies should be pursued that reward healthcare providers for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).

These measures will help encourage healthcare providers to invest more in cybersecurity, which in turn will help to prevent more breaches and allow healthcare providers to avoid the high costs of mitigating those breaches, thus helping to reduce healthcare costs.
