Healthcare Cybersecurity

Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers

Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety.

Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the Merlin@home transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction.

A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction.

Billy Rios and Jonathan Butts, PhD, of the security research firm WhiteScope have recently published a white paper detailing the findings of the study.

The pair conducted an analysis of seven cardiac devices from four major device manufacturers. The researchers evaluated home monitoring devices, implantable cardiac devices and physician programmers, with most effort concentrated on four programmers with RF capabilities.

All of the devices under study were obtained from auction sites such as eBay, even though the devices are supposed to be controlled and returned to the manufacturer or hospital when no longer required. The report explained that all of the manufacturers under test had home monitoring equipment listed for sale on public auction sites. The researchers found security flaws existed on all pacemaker systems under study.

The filesystems used by the pacemaker systems were unencrypted, with data stored on removable media. Some of the devices stored highly sensitive data such as medical histories and Social Security numbers, yet the data were not encrypted to prevent unauthorized access.

The pacemaker systems allowed physicians to reprogram the devices without authentication and pacemaker programmers did not authenticate with pacemaker devices. The researchers explained that any pacemaker programmer could be used to reprogram any pacemaker from the same manufacturer.

The software used by the pacemaker systems was discovered to contain more than 8,000 known vulnerabilities in third-party libraries across all the devices. One vendor had 3,715 vulnerabilities in its third-party libraries. The researchers said it was clear there was “an industry wide issue associated with software security updates.”
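The practical response to a finding like this is to inventory every third-party component in the firmware (an SBOM) and match it against advisories by version range, rather than hoping the vendor's build tracks upstream. The following is an added example, not code from the WhiteScope report or any device vendor; the component inventory and the advisories (with placeholder ADV-EXAMPLE ids) are constructed for illustration.

```python
"""Match a firmware component inventory against advisories by version range.

Added example; the inventory and advisories below are constructed and are not
taken from the WhiteScope report or from any real vendor's software.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: what an SBOM for each vendor's programmer might list.
COMPONENTS = [
    {"vendor": "VendorA", "name": "zlib", "version": "1.2.3"},
    {"vendor": "VendorA", "name": "libxml2", "version": "2.7.8"},
    {"vendor": "VendorA", "name": "busybox", "version": "1.20.2"},
    {"vendor": "VendorB", "name": "zlib", "version": "1.2.11"},
    {"vendor": "VendorB", "name": "libxml2", "version": "2.9.4"},
]

# Constructed advisories with placeholder ids, using the comma-separated
# constraint syntax common to package ecosystems.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "zlib", "affected": "<1.2.11"},
    {"id": "ADV-EXAMPLE-2", "component": "libxml2", "affected": ">=2.7.0,<2.9.4"},
    {"id": "ADV-EXAMPLE-3", "component": "busybox", "affected": "<1.22.0"},
    {"id": "ADV-EXAMPLE-4", "component": "busybox", "affected": ">=1.20.0,<=1.20.2"},
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11); short versions are zero-padded, suffixes dropped."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, spec: str) -> bool:
    """True if version satisfies every constraint in spec, e.g. '>=2.7.0,<2.9.4'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.]*)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def match_advisories(components, advisories) -> List[Dict[str, str]]:
    """One finding per (component, advisory) pair whose version range matches."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                findings.append({"vendor": comp["vendor"], "component": comp["name"],
                                 "version": comp["version"], "advisory": adv["id"]})
    return findings


def count_by_vendor(findings) -> Dict[str, int]:
    """Per-vendor tally, the figure the report quotes (3,715 for one vendor)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["vendor"]] = counts.get(f["vendor"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = match_advisories(COMPONENTS, ADVISORIES)
    for f in hits:
        print(f)
    print(count_by_vendor(hits))
```

With the constructed data every finding lands on VendorA, whose components are all several releases behind; VendorB ships exactly the first fixed release of each library and matches nothing. The point is the process: the count is only as good as the completeness of the inventory, which is why unsigned, unencrypted firmware pulled from eBay makes such a good starting point for a third party and such a bad one for the vendor.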

The study also revealed that the firmware used by the devices was not cryptographically signed. Without a signature the device has no way to distinguish vendor firmware from anything else, so anyone able to reach the update path could replace it with custom firmware.

Rios and Butts said, “The findings are relatively consistent across the different vendors,” and recommended “vendors evaluate their respective implementations and validate that effective security controls are in place to protect against identified deficiencies that may lead to potential system compromise.”

The researchers did not disclose the specifics of the vulnerabilities, although they were passed to the Department of Homeland Security’s ICS-CERT, while a report has been submitted to “the appropriate agency” about the discovery of Social Security numbers and other sensitive data from a patient of a prominent east coast hospital.

The researchers now plan to evaluate the home monitoring systems associated with implantable cardiac devices.

The report – Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies – can be viewed on this link.

The post Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers appeared first on HIPAA Journal.

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to log in to the patient portal before viewing their test results, a security flaw allowed them to also view other patients’ results.

Now, the Medicaid and Affordable Care Act insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individual who identified the flaw and reported the issue to Brian Krebs was able to demonstrate that it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data related to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims: the claim identifiers were sequential and the endpoint performed no authorization check, a classic insecure direct object reference.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim would be able to access the URL without any authentication required. The link could be clicked and the medical claim could be viewed.
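The two portal flaws above are the same bug class: a record is fetched by the identifier in the URL without checking that the caller is entitled to it. The following is an added example, not code from Molina, True Health or Brian Krebs, showing a minimal claims lookup in its vulnerable form beside the hardened one, with an enumeration helper that walks ids the way an attacker changing a digit in the URL would. The claims, patients and session tokens are constructed sample data.

```python
"""Insecure direct object reference (IDOR) on a claims lookup, and the fix.

Added example with constructed data; not the code of any real patient portal.
"""
from typing import Callable, List, Optional

# Constructed sample records. Sequential ids mirror the flaw described above.
CLAIMS = {
    1001: {"patient_id": "P-1", "name": "A. Example", "procedure_code": "99213"},
    1002: {"patient_id": "P-2", "name": "B. Example", "procedure_code": "93000"},
    1003: {"patient_id": "P-1", "name": "A. Example", "procedure_code": "80053"},
}

# Constructed session store: bearer token -> authenticated patient.
SESSIONS = {"tok-p1": "P-1", "tok-p2": "P-2"}


class AccessDenied(Exception):
    """Raised for unauthenticated callers and for claims the caller does not own."""


def get_claim_vulnerable(claim_id: int, session_token: Optional[str] = None) -> Optional[dict]:
    """The flaw: no authentication and no ownership check.

    Whoever knows or guesses the id gets the record; the session token is
    accepted but ignored, as it was on the portal described above.
    """
    return CLAIMS.get(claim_id)


def get_claim_hardened(claim_id: int, session_token: Optional[str]) -> dict:
    """The fix: authenticate, then authorize against the record's owner."""
    patient = SESSIONS.get(session_token or "")
    if patient is None:
        raise AccessDenied("login required")
    claim = CLAIMS.get(claim_id)
    # Same error whether the id is absent or belongs to another patient, so
    # the endpoint cannot be used as an oracle for which ids exist.
    if claim is None or claim["patient_id"] != patient:
        raise AccessDenied("not found")
    return claim


def enumerate_claims(handler: Callable[[int, Optional[str]], Optional[dict]],
                     session_token: Optional[str],
                     start: int = 1000, count: int = 10) -> List[int]:
    """Walk ids sequentially and return those the handler hands back."""
    found = []
    for cid in range(start, start + count):
        try:
            record = handler(cid, session_token)
        except AccessDenied:
            continue
        if record is not None:
            found.append(cid)
    return found


if __name__ == "__main__":
    print("vulnerable, no login:", enumerate_claims(get_claim_vulnerable, None))
    print("hardened, no login:  ", enumerate_claims(get_claim_hardened, None))
    print("hardened, as P-1:    ", enumerate_claims(get_claim_hardened, "tok-p1"))
```

Against the vulnerable handler an anonymous caller recovers every claim in the range; against the hardened one an anonymous caller gets nothing and an authenticated patient sees only their own claims. Replacing sequential ids with unguessable ones is worth doing as defense in depth, but it does not substitute for the ownership check: a link that leaks (in an e-mail, a browser history, a referrer) still opens the record.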

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.


US-CERT: Patch Samba Now to Address Wormable Code Execution Bug

A worldwide cyberattack in a similar vein to the WannaCry ransomware attacks of Friday, May 12 could be repeated using a different SMB vulnerability, this time in Samba rather than in Windows. US-CERT has issued a security alert about the flaw advising organizations to apply the patch as soon as possible.

The vulnerability, which is being tracked as CVE-2017-7494, affects Samba 3.5.0 and all later versions. Samba provides Windows-style file and print services for Linux and Unix servers by implementing the SMB/CIFS file-sharing protocol.

US-CERT says the flaw is a remote code execution vulnerability that could be exploited by “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” If the flaw is exploited, an attacker could run arbitrary code with root-level permissions.

Ars Technica notes that an unpatched server can only be exploited if port 445 is reachable by the attacker (for example, exposed to the Internet) and the attacker can write to a share whose server-side path is known or guessable, since the uploaded library must be loaded back from that path.

Fixed releases (4.6.4, 4.5.10 and 4.4.14) have been issued for the supported branches, and source patches are available for older versions. Organizations that are unable to update immediately can mitigate the vulnerability with a configuration change: add “nt pipe support = no” to the [global] section of smb.conf and restart the smbd daemon.

The workaround prevents clients from opening named pipe endpoints, which closes the path the exploit uses, although US-CERT warns that it may also disable some functionality for Windows clients.
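Three things together determine whether a given Samba host is exposed: the running version, whether the workaround is in place, and whether any share is writable. The following is an added example, not code from US-CERT or the Samba project, that reads those from a version string and an smb.conf using only the standard library. The fixed release numbers are the ones the author understands the Samba advisory for CVE-2017-7494 to list and should be confirmed against the advisory; the smb.conf shown is a constructed NAS configuration.

```python
"""Assess a Samba host for CVE-2017-7494 from its version string and smb.conf.

Added example, not from US-CERT or the Samba project. Fixed release numbers
are assumed from the Samba advisory; confirm them before relying on this.
"""
import configparser
import re
from typing import Dict, List, Tuple

# First fixed release on each supported branch (assumed from the advisory).
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'4.5.8-Ubuntu' -> (4, 5, 8); distribution suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_vulnerable(text: str) -> bool:
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Branches before 4.4 got source patches only, never a fixed release:
    # treat them as vulnerable. Branches after 4.6 shipped with the fix.
    return v < (4, 4, 0)


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf with the stdlib INI parser.

    Leading whitespace is stripped from every line so that Samba's customary
    indented keys are not taken for continuation lines.
    """
    cp = configparser.ConfigParser(
        strict=False,
        interpolation=None,
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=("#", ";"),
    )
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def writable_shares(cp: configparser.ConfigParser) -> List[str]:
    """Shares a client could upload to: 'read only = no' or a 'writable' synonym."""
    result = []
    for section in cp.sections():
        if section.lower() == "global":
            continue
        writable = (
            cp.getboolean(section, "writable", fallback=False)
            or cp.getboolean(section, "writeable", fallback=False)
            or cp.getboolean(section, "write ok", fallback=False)
            or not cp.getboolean(section, "read only", fallback=True)
        )
        if writable:
            result.append(section)
    return result


def workaround_applied(cp: configparser.ConfigParser) -> bool:
    """True if [global] carries 'nt pipe support = no' (the US-CERT workaround)."""
    for section in cp.sections():
        if section.lower() == "global":
            return not cp.getboolean(section, "nt pipe support", fallback=True)
    return False


def assess(version: str, smb_conf: str) -> Dict[str, object]:
    cp = load_smb_conf(smb_conf)
    vuln = version_vulnerable(version)
    mitigated = workaround_applied(cp)
    shares = writable_shares(cp)
    return {
        "vulnerable_version": vuln,
        "workaround_applied": mitigated,
        "writable_shares": shares,
        # Whether port 445 is reachable by untrusted clients is a network
        # question the config cannot answer; check it separately.
        "exploitable_by_client": vuln and not mitigated and bool(shares),
    }


# Constructed smb.conf for a typical backup NAS with one guest-writable share.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Backup NAS

[backups]
   path = /srv/backups
   read only = no
   guest ok = yes

[archive]
   path = /srv/archive
   read only = yes
"""

MITIGATED_CONF = SAMPLE_CONF.replace("[global]", "[global]\n   nt pipe support = no")

if __name__ == "__main__":
    print(assess("4.4.13", SAMPLE_CONF))
    print(assess("4.4.13", MITIGATED_CONF))
```

On a NAS appliance the version usually has to be read from `smbd -V` on the box itself, since the web UI rarely shows it; the config-side checks are the same. Note that the writable-share test matches the exploit's precondition only: a share that is writable but whose server-side path the attacker cannot determine is harder, not safe.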

Samba is also used on NAS devices, often without users’ knowledge. NAS environments are commonly used to store backup files. If the flaw was exploited in a similar fashion to the May 12 attacks and ransomware is installed, backups could be rendered useless. Organizations should therefore ensure that at least one copy of a backup file is stored on an offline, unnetworked device.

The wormable code-execution bug has existed for 7 years, and according to cybersecurity firm Rapid7 there are currently more than 104,000 Internet-exposed devices that are vulnerable to attack. A proof-of-concept exploit is believed to be available, although no attacks have been detected to date.


Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data.

Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs.

Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks.

Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security for the life cycle of the devices. However, a recent Synopsys-sponsored survey conducted by the Ponemon Institute suggests healthcare delivery organizations may be equally at fault.

The report on the survey – Medical Device Security: An Industry Under Attack and Unprepared to Defend – shows that both device manufacturers and healthcare organizations are concerned that medical device attacks will occur. 67% of medical device manufacturers and 56% of healthcare delivery organizations believe a cyberattack on a medical device at their organization is likely to occur in the next 12 months.

Even though manufacturers and HDOs are aware of the risks of cyberattacks on medical devices, and one third are aware that those attacks could have an adverse effect on patients, only 17% of device manufacturers and 15% of HDOs are taking action to reduce the risk of cyberattacks on medical devices used by their organizations.

One of the biggest challenges is incorporating security controls into the devices. 80% of device manufacturers said medical devices are very difficult to secure, with a lack of knowledge about how to secure the devices cited as a major issue along with accidental coding errors and pressure to meet product delivery deadlines.

Identifying potential vulnerabilities does not appear to be a major priority. 53% of HDOs and 43% of device manufacturers said they do not perform any medical device security tests, while just 9% of device manufacturers and 5% of HDOs conduct device security tests on an annual basis.

There is also a lack of accountability for medical device security. One third of manufacturers and HDOs said there is no one person in their organization with overall responsibility for medical device security.

The U.S. Food and Drug Administration (FDA) has been conducting workshops with device manufacturers and industry stakeholders to try to determine how medical devices can best be protected; however, the survey suggests that FDA guidance would not be sufficient in itself. Only 51% of manufacturers and 44% of HDOs said they follow current FDA guidance on mitigating medical device security risks.

Ponemon Institute Chairman and founder, Larry Ponemon, said “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”


Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group explained the need for urgent change, saying “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

The survey was conducted in two parts on 550 individuals in North America who had a direct role in the security of medical devices and/or networking equipment and mobile medical apps related to medical devices.


Purple Move on WiFi Security Sets Example for All Public WiFi Deployments

Wireless networks offer many benefits to healthcare organizations. Healthcare professionals can access networks and data from any location using portable devices, without the need to plug in to the network. Many medical devices connect wirelessly to WiFi networks, improving clinical workflows. However, wireless networks can also introduce risks.

If any PHI is transmitted over wireless networks, HIPAA requires appropriate controls to be applied to safeguard the confidentiality, integrity and availability of PHI.

If WiFi networks lack appropriate security, unauthorized individuals could intercept WiFi packets and view sensitive data, including protected health information. Securing internal WiFi networks is therefore essential. The failure to secure WiFi networks would place an organization at risk of a HIPAA penalty.

The risk of a HIPAA violation or data breach is a real concern for healthcare organizations. Security concerns have prevented many hospitals from offering WiFi access to patients, even though offering WiFi can improve the patient experience.

Many healthcare organizations that have decided to allow patients access to WiFi have reduced the risk by keeping the guest network totally separate from the networks used by hospital staff.

While segregation solves some security issues, guest WiFi access can still be abused. Guest networks can be used to view inappropriate material, users face a risk of malware and ransomware infections, and there is potential for man-in-the-middle attacks to occur.

Organizations can take steps to secure their WiFi networks to keep users protected and reduce security risks. A WiFi content filtering solution is the usual control for blocking a wide range of online threats such as phishing sites and malware and ransomware downloads.

Purple, the intelligent spaces company, recently chose a WiFi content filtering solution to ensure its customers and clients were protected. Any users of the secured WiFi network are prevented from accessing malicious websites where malware or ransomware could be downloaded and inappropriate or illegal website content is blocked.

Purple used the WebTitan WiFi content filtering solution from TitanHQ to secure its networks and keep its customers protected. James Wood, Head of Integration at Purple said, “We take guest Wi-Fi security seriously so it was important that our customers were protected.” The decision was taken in the wake of recent cyberattacks to improve security for users.

Figures from TitanHQ show how important it is to implement a WiFi filtering solution, with 60,000 malware threats detected and blocked by the web filtering solution each day. As TitanHQ CEO Ronan Kavanagh pointed out, “Internet filtering controls provide a key layer of security, which is particularly beneficial for healthcare organizations following recent targeted attacks on the healthcare sector.”

While there is no obligation for hospitals to offer a filtered Internet service for guest users, if WiFi access is to be provided, it is now easy to secure those networks and provide a better service, including controls to prevent minors from accessing inappropriate content.

Kavanagh explained that secured, content-controlled WiFi networks are fast becoming the norm. “Content filtering for Wi-Fi will be a given in service terms over the next few years.”

If patients are to be offered free or paid internet access in hospitals, those services should include filters to prevent networks from being abused and to ensure the Internet can be accessed safely and securely.


HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.

OCR investigates all data breaches involving the exposure or theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again.

Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed.

Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management process. Several recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments wrong, either failing to conduct them at all, not conducting them frequently enough or not conducting them to the standard demanded by HIPAA.

Peters pointed out that privacy violations are occurring frequently, with many HIPAA-covered entities still unsure of the allowable uses and disclosures of PHI. OCR recently announced two settlements have been reached with covered entities that have impermissibly disclosed patients’ health information to employers and the media.

Peters explained that the healthcare industry is not doing a good job at preventing cybersecurity incidents and that warrants attention, but it is important for OCR not to just focus on the hot topics and ‘sexy’ issues. OCR is also focused on the lack of safeguards for paper records and the failure to secure removable media.

In the case of the latter, there have been numerous instances where ePHI has been exposed as a result of the failure to use encryption. Peters pointed out that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with several organizations in recent months as a result of the lack of appropriate safeguards and policies and procedures covering removable devices.

Peters explained that OCR has been working on sharing penalties or other recoveries with individuals that have been harmed by privacy violations, although that has been a challenging process as it is difficult to determine and quantify harm. OCR is working on an advanced notice of proposed rulemaking and will be seeking advice from the public on how funds should be shared.

OCR is also working on initiatives to improve privacy protections at non-HIPAA covered entities. For instance, patients are being encouraged to share their health data with research organizations and through the “All of Us” initiative. For those programs to be as successful as they should be, patients need to be sure their data will be protected. OCR is providing advice to organizations and partners to ensure that patient data are protected, even if they are collected and stored by non-HIPAA-covered entities.

Peters also spoke of dealing with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.

You can listen to the Compliance Perspectives podcast via this link.


Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements.

The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided several recommendations for improving the security of DMAS’s information systems.

The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites.

Even though a security program had been adopted for the DMAS Medicaid Management Information System (MMIS), several vulnerabilities had not been addressed. Those vulnerabilities were allowed to persist as a result of insufficient controls over Medicaid data and systems, and a lack of oversight over its contractors to ensure sufficient security measures had been applied.

The vulnerabilities were severe in some cases, potentially allowing Medicaid data to be accessed and critical Medicaid operations to be disrupted. Together, the vulnerabilities could have compromised the integrity of the Virginia Medicaid program. However, OIG uncovered no evidence to suggest that the vulnerabilities had already been exploited.

OIG made several recommendations in various areas including the risk management process, system and information integrity controls, audit and accountability controls, system and communication protection controls and configuration management controls. OIG also recommended access and authentication controls be augmented.

Virginia concurred with all of the recommendations and has developed an action plan to implement them and correct all vulnerabilities that have yet to be addressed.

While the specific vulnerabilities discovered by OIG were not disclosed in the report, they all fall within areas that other private and public sector organizations have experienced problems with in the past.

Recent healthcare data breaches have also resulted from unaddressed vulnerabilities in similar areas. The recent WannaCry ransomware attacks have shown that vulnerabilities can all too easily be exploited by threat actors.

Healthcare organizations should therefore conduct periodic risk assessments – as required by the HIPAA Security Rule – and conduct vulnerability scans to determine whether any vulnerabilities exist. Organizations must then ensure any identified vulnerabilities are addressed, prioritizing the critical vulnerabilities that have the highest potential of being exploited and those that are likely to cause the most damage.


Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34.

The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement.

Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights.

The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date: the theft of psychotherapy notes, substance abuse histories, health histories and the personally identifiable information of 4,229 patients of Bangor Health Center in Maine. That incident was one of 16 hacking incidents reported in April.

Hacking/IT incidents were cited as the cause of 47% of data breaches reported in April, followed by insider incidents (29%), and loss and theft of devices/PHI (15%). The cause of 9% of the breaches is currently unknown.

Hacking was the cause of the largest data breach of the month. The incident, which was reported by Harrisburg Gastroenterology, affected 93,323 individuals.

Out of the 16 hacking/IT incidents reported in April, five were related to ransomware infections and three incidents were phishing attacks. There were five breaches due to insider errors and four incidents involving insider wrongdoing.

While the majority of data breaches involved electronic protected health information, healthcare organizations must ensure appropriate controls are in place to secure physical PHI. Five of the breaches reported in April involved the theft or exposure of physical PHI.

There were two business associate data breaches in April and two reported by health plans. The majority of the breaches (79.41%) were reported by healthcare providers.

Texas was the worst affected state with 4 breaches, followed by Michigan, Ohio and New York, each with three incidents.


Healthcare Cybersecurity Needs Immediate and Aggressive Attention, says HCIC Task Force

Earlier this month, the Health Care Industry Cybersecurity (HCIC) Task Force issued a pre-release copy of its upcoming report on improving healthcare cybersecurity. In the report the Task Force calls for ‘immediate and aggressive attention’ to tackle growing healthcare cybersecurity threats.

The HCIC Task Force was formed by Congress to address the challenges healthcare organizations face securing and protecting against intentional and unintentional cybersecurity incidents. Those incidents are a major public health concern.

Few would argue that was not the case. Just a matter of days after the report was issued, a massive global ransomware attack occurred. While U.S. healthcare organizations appear to have escaped relatively unscathed, that was not the case in the United Kingdom. More than a week after many NHS Trusts had computers encrypted by ransomware, some hospital services are still being disrupted.

The report details six imperatives for improving healthcare cybersecurity and provides a number of recommendations for the healthcare industry to improve resilience against cyberattacks.

HCIC’s 6 imperatives are:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.

The HCIC Task Force recommends the HHS establishes a ‘cybersecurity leader’ role to oversee and guide cybersecurity efforts in the healthcare sector and suggests a new version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework should be developed specifically for the healthcare industry.

The past 18 months have seen an increase in financial settlements between the HHS’ Office for Civil Rights and healthcare organizations to resolve HIPAA violations discovered during data breach investigations. However, the Task Force suggests that regulators should adopt “a more lenient approach” to security breaches that have resulted from errors to encourage the sharing of information about data breaches. If information sharing is encouraged without fear of financial repercussions, it will make it easier for the healthcare industry to learn from the mistakes of others.

To improve medical device security the Task Force says there needs to be greater cooperation between device manufacturers and healthcare providers to inventory and secure legacy systems. Devices must also be equipped with stronger authentication controls, and new strategic and architectural approaches are required to reduce the attack surface. Vendors also need to be more transparent about cybersecurity protections for the entire life cycle of medical devices.

The Task Force calls for healthcare organizations to hire qualified cybersecurity professionals and install them in leadership positions with overall responsibility for cybersecurity. However, healthcare organizations are struggling to recruit and retain cybersecurity professionals. There is a major staff shortage and not enough CISOs to fill all of the available positions. That situation must improve.

Education on the cybersecurity risks faced by healthcare organizations needs to be improved at the C-Suite level, and more tools are required to help organizations manage and assess the cybersecurity protections that have been put in place. Further academic research is also needed to identify new methods of protecting healthcare information.

One key recommendation is to provide healthcare organizations with actionable intelligence that allows them to take rapid action to respond to current threats. The Task Force says there must be greater information sharing across the healthcare industry. Threat information also needs to be packaged in a way that allows individuals with part-time cybersecurity responsibilities to quickly act on intelligence and mitigate risk.

The full report is due to be released in the next few days.
