Healthcare Cybersecurity

HIPAA Quiz Launched by Compliancy Group

Posted by HIPAA Journal

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.  

Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted.

OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166.

State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve HIPAA violations. The average settlement amount is $514,563 in 2018 and was $718,800 in 2017.

To help healthcare organizations comply with HIPAA Rules and avoid financial penalties, the Compliancy Group, a team of HIPAA compliance experts that help healthcare organizations meet HIPAA requirements, has released a free HIPAA Quiz that allows healthcare organizations to conduct a quick assessment to determine whether they are meeting the basic requirements of HIPAA. The quiz consists of yes/no questions that have been designed to get a baseline reading of HIPAA compliance against the fundamental elements of HIPAA.

“We designed the Compliancy Group HIPAA Quiz to empower health care professionals,” said Joe Bilello, Vice President of Compliancy Group. “Too often we see misconceptions around HIPAA compliance in the health care market. We hope the HIPAA Quiz will give users the chance to find out what’s really required for HIPAA compliance, rather than relying on hearsay and outdated information. Compliancy Group is always here to help address HIPAA concerns for anyone from single-doctor practices, to large-scale technology providers.”

The HIPAA compliance assessment tool can be accessed on this link.

The post HIPAA Quiz Launched by Compliancy Group appeared first on HIPAA Journal.

FDA to Increase Scrutiny of Medical Device Cybersecurity

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report which recommends the Food and Drug Administration (FDA) should scrutinize medical device cybersecurity controls more closely and more fully integrate cybersecurity into the premarket review process for medical devices.

Currently, the FDA reviews cybersecurity documentation in premarket submissions to ensure medical devices have appropriate cybersecurity controls before approval is given for the devices to be marketed. FDA reviewers use 2014 FDA cybersecurity guidance as general principles when conducting reviews of new medical devices and has taken steps to ensure that devices are assessed against new and emerging threats.

The FDA considers cybersecurity risks and threats that affect specific devices and applies that knowledge to all other devices with similar risk profiles. For example, if there is a known threat to a specific cardiac device from one manufacturer, all other manufacturers’ cardiac devices will be assessed against the same threat.

Reviews of cybersecurity controls includes assessments of a hazard analysis, matrices describing the device’s security risks and the controls that have been implemented by the manufacturer to reduce those risks to an acceptable level. Plans for updating software are assessed, software supply chain controls are reviewed, and the manufacturers’ device instructions and recommended cybersecurity controls are evaluated.

In cases where the cybersecurity documentation submitted by manufacturers is insufficient, the FDA requests further information from the manufacturer and seeks clarification on cybersecurity controls when there is any doubt about the level of protection provided. OIG notes that no medical device has been rejected due to cybersecurity issues. In cases where cybersecurity has been a concern, it has been resolved by manufacturers supplying further cybersecurity information.

Overall, the FDA’s assessments of medical device cybersecurity are good, although OIG identified three areas where improvements could be made: The FDA should change internal processes to ensure questions about cybersecurity are asked earlier in the approval process, presubmission meetings should address cybersecurity-related issues, and the FDA’s Refuse-to-Accept checklist should have cybersecurity included in the Smart template. Currently the Smart template does not prompt FDA reviewers to ask specific cybersecurity questions and there is no section where the results of a cybersecurity review can be recorded.

According to OIG, the FDA has welcomed the feedback and has agreed to all three of OIGs recommendations. Two of the recommendations have already been implemented, with only the Refuse-to-Accept checklist outstanding. With respect to the latter, the FDA has accepted that this change could improve efficiency as it will ensure that the file contains all the necessary information prior to review. This will mean that it should not be necessary for FDA reviewers to have to contact the manufacturer to ask for further information on cybersecurity.

The FDA has explained that its review process is not static and is constantly evolving and takes into account the changing threat landscape. The FDA is also considering updating rules on network-capable medical devices to ensure that cybersecurity controls are incorporated at the earliest stages of the design process.

The post FDA to Increase Scrutiny of Medical Device Cybersecurity appeared first on HIPAA Journal.

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

Posted by HIPAA Journal

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)

The post Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

Posted by HIPAA Journal

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara. D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis.

The post NY Attorney General Fines Arc of Erie County $200,000 for Security Breach appeared first on HIPAA Journal.

ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units

Posted by HIPAA Journal

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a further advisory about Philips healthcare devices after nine vulnerabilities were self-reported to the National Cybersecurity & Communications Integration Center (NCCIC) by the Amsterdam-based technology company.

This is the fourth advisory issued by ICS-CERT in the past month. Previous advisories have been issued over cybersecurity vulnerabilities in its central patient monitoring system – Philips IntelliVue Information Center iX (1 vulnerability), Philips PageWriter Cardiographs (2 vulnerabilities), and Philips IntelliSpace Cardiovascular cardiac image and information management software (2 vulnerabilities).

The latest advisory concerns nine vulnerabilities discovered in Philips eAlert units – These are non-medical devices that monitor imaging systems such as MRI machines to identify issues rapidly before they escalate. The devices are used by healthcare providers around the world.

One of the vulnerabilities is rated critical, five are high severity, and three are medium severity. If exploited, an attacker on the same subnet could potentially obtain user contact details, compromise unit integrity/availability, provided unexpected input into the application and execute arbitrary code, altering display unit information or causing the device to crash. The vulnerabilities affect all versions of the software, including R2.1.

In order of severity, the vulnerabilities are:

CVE-2018-8856 (CWE-798) – Hard-Coded Credentials – CVSS v3 score: 9.8

A hard-coded cryptographic key is present in the software which is used for the encryption of internal data.

CVE-2018-8842 (CWE-319) – Cleartext Transmission of Sensitive Information – CVSS v3 score: 7.5

Sensitive and security-critical data are transmitted in cleartext which could be intercepted by individuals unauthorized to view the information. Since the Philips e-Alert communication channel is not encrypted, personal contact information and application login credentials could be obtained from within the same subnet.

CVE-2018-8854 (CWE-400) – Uncontrolled Resource Consumption – CVSS v3 score: 7.5

The size or amount of resources requested or influenced by an actor are not properly restricted, which can be used to consume more resources than intended.

CVE-2018-8850 (CWE-20) – Improper Input Validation – CVSS v3 score: 7.1

Improper validation of input that would allow an attacker to craft input in a form not expected by the application. Parts of the unit could receive unintended input potentially resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.

CVE-2018-8846 (CWE-79) – Improper Neutralization of Input During Web Page Generation – CVSS v3 score: 7.1

The software fails to neutralize or improperly neutralizes user-controlled input before being placed in output that is used as a web page which is subsequently served to other users.

CVE-2018-8848 (CWE-276) – Incorrect Default Permissions – CVSS v3 score: 7.1

When the software is installed, incorrect permissions are set for an object that exposes it to an unintended actor.

CVE-2018-8844 (CWE-352) – Cross-Site Request Forgery – CVSS v3 score: 6.8

The web application does not adequately verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVE-2018-8852 (CWE-384) – Session Fixation – CVSS v3 score: 6.4

When authenticating a user or establishing a new user session, an attacker is given an opportunity to steal authenticated sessions without invalidating any existing session identifier.

CVE-2018-14803 (CWE-200) – Information Exposure – CVSS v3 score: 5.3

This is a banner disclosure vulnerability that could allow an attacker to gain product information such as the OS and software components via the HTTP response header which would normally not be available to an attacker.

Four of the vulnerabilities have been addressed with the release of R2.1 (CVE-2018-8842, CVE-2018-8856, CVE-2018-8850, CVE-2018-8852) and the remaining five vulnerabilities (CVE-2018-8854, CVE-2018-8846, CVE-2018-8848, CVE-2018-14803, CVE-2018-8844) will be addressed with a software update which has been planned for the end of the year.

Users of vulnerable devices should ensure that they have upgraded to software version R2.1 which will address four of the vulnerabilities, including the critical hard-coded credential flaw.

Philips also recommends users take the following actions as an immediate mitigation to reduce the potential for exploitation of the five remaining flaws until the next software update is released:

  • Ensure that network security best practices are implemented, and
  • Limit network access to e-Alert in accordance with product documentation.

The post ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units appeared first on HIPAA Journal.

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations.

Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk.

If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks.

An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs.

Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly and efficiently. Oftentimes, the pumps contain maintenance default passcodes which, if not changed, makes them vulnerable to attack. Many wireless infusion pumps can be accessed remotely. While this makes management easier, it is also a security weak point. The devices could potentially be accessed remotely by threat actors.

The guide helps healthcare delivery organizations manage and secure their wireless networks and infusion pumps, mitigate vulnerabilities, and protect against threats.

The guide combines standard-based commercially available technologies with industry best practices to help healthcare delivery organizations strengthen the security of the devices. The guidance includes a questionnaire-based risk assessment and maps the security characteristics of the wireless infusion pump ecosystem to the HIPAA Security Rule and the NIST Cybersecurity Framework.

By using the guide, healthcare delivery organizations can create a defense-in-depth solution that will allow them to protect their wireless infusion pumps against a wide range of different risk factors.

Braun, Baxter, BD, Cisco, Clearwater Compliance, Digicert, Hospira, Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec, and TDI Technologies all participated in the creation of the guide.

NIST Special Publication 1800-8A – Securing Wireless Infusion Pumps in Healthcare Delivery Organizations – is available for download on this link (PDF).

The 375-page document may take some time to open, depending on the speed of your Internet connection.

The post NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations appeared first on HIPAA Journal.

Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server

Posted by HIPAA Journal

A code weakness in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS) has been discovered. The flaw could be remotely exploited allowing an attacker to obtain administrator level privileges and remotely execute code.

The Qualcomm Life Capsule’s Datacaptor Terminal Server is a medical gateway device used by many U.S. hospitals to network their medical devices. The Datacaptor Terminal Server is used to connect respirators, bedside monitors, infusion pumps and other medical devices to the network. The Datacaptor Terminal Server has a web management interface which allows it to be operated and configured remotely.

The flaw affects the Allegro RomPager embedded webserver (versions 4.01 through 4.34) which is included in all versions of Capsule DTS. The flaw could be exploited by an attacker by sending a specially crafted HTTP cookie to the web management portal, allowing arbitrary data to be written to the devices’ memory, ultimately permitting remote code execution. The exploit would require little skill to perform and requires no authentication. If exploited, availability of the device could be harmed, as well as causing disruption to the network connectivity of all medical devices networked through the device.

The vulnerability, tracked as CVE-2014-9222, is classed as critical and has been assigned a CVSS v3 base score of 9.8 out of 10.

While the vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server has only just been discovered, it dates back more than four years. The vulnerability, known as Misfortune Cookie, was identified by Checkpoint researchers in 2014, and by Allegro nine years ago. While Allegro addressed the flaw in version 4.34 of its firmware, that version was not adopted by many chipset manufacturers who continued to supply software development kits containing the vulnerable version of the firmware.

The vulnerability was recently discovered to affect the Qualcomm Life Capsule DTS by Elad Luz, Head of Research at CyberMDX, who notified Qualcomm Life allowing an update to be issued to correct the flaw prior to public disclosure. Luz also recently identified a critical flaw in certain BD Alaris Plus medical syringe pumps.

Qualcomm Life has issued a firmware upgrade for the Single Board version of DTS which can be downloaded from the customer portal of Capsule and applied to the device using standard patching processes. Unfortunately, due to technical limitations, it is not possible for the patch to be applied to other versions of DTS including Dual Board, Capsule Digi Connect ES, and Capsule Digi Connect ES converted to DTS.

To address the flaw in those versions, Capsule recommends disabling the embedded webserver. Since the embedded webserver is only required for initial configuration, and not for continued use of the device, disabling the webserver will not adversely affect functionality of the device.

“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Luz.

The post Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server appeared first on HIPAA Journal.