Healthcare Cybersecurity

HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations protect against web application attacks.

Web applications have grown in popularity in healthcare in recent years and are used for patient portals, electronic medical record systems, appointment scheduling, access to test results, patient monitoring, online pharmacies, dental CAD systems, inventory management, and more. These applications are accessed through a standard web browser, but, unlike most websites, they require the user to authenticate before granting access.

Web application attacks are conducted by financially motivated cybercriminals and state-sponsored Advanced Persistent Threat (APT) actors for a range of different nefarious activities. Attacks exploiting vulnerabilities in web applications have been increasing and web application attacks are now the number one healthcare attack vector, according to the 2022 Verizon Data Breach Investigations Report.

Web application attacks most commonly target internet-facing web servers. Attackers typically either use stolen credentials to log into the application or exploit vulnerabilities in the application itself or its underlying architecture. Common web application attack classes include cross-site scripting (XSS), SQL injection (SQLi), path traversal, local file inclusion, cross-site request forgery (CSRF), and XML external entity (XXE) injection. These attacks are conducted to obtain sensitive data, to gain a foothold in applications and networks for espionage, or for extortion, such as ransomware attacks. The May 2021 ransomware attack on Scripps Health used a web application attack as the initial access vector; the EHR system and patient portal were taken out of action for several weeks.

Distributed denial of service (DDoS) attacks on web applications may be conducted to deny access to the application. Comcast Business reports that in 2021 the healthcare sector was the industry most affected by DDoS attacks on web applications, with attacks increasing in response to the COVID-19 pandemic, vaccine availability, and school openings. DDoS attacks are also commonly used as a smokescreen: while IT teams are occupied with restoring service, malware is deployed elsewhere on the network. DDoS attacks are also conducted by hacktivists. A major DDoS attack was conducted against Boston Children’s Hospital in April 2014 over the course of a week by a hacker acting in response to a child custody case. In that attack, individuals were prevented from accessing the appointment scheduling system, fundraising site, and patient portal.

Like all software-based solutions, web applications may contain vulnerabilities that could potentially be exploited remotely by threat actors to gain access to the applications themselves or the underlying infrastructure and databases. When developing web applications, it is important to follow web application security best practices and design the applications to continue to function as expected when they come under attack and to prevent access to assets by potentially malicious agents. Secure development practices can help to prevent vulnerabilities from being introduced, and security measures should be implemented throughout the software development lifecycle to ensure that design-level flaws and implementation-level vulnerabilities are addressed.

HC3 has suggested several mitigations to protect against web application attacks and limit the harm that can be caused. These include:

  • Automated vulnerability scanning and security testing
  • Web application firewalls for blocking malicious traffic
  • Secure development testing
  • CAPTCHA and login limits
  • Multifactor authentication
  • Logon monitoring
  • Screening for compromised credentials

Healthcare organizations should also refer to the Health Industry Cybersecurity Practices (HICP), established under the HHS 405(d) program, for mitigating vulnerabilities in web applications, and web application developers should refer to the OWASP Top 10, which is a standard awareness document detailing the most critical security risks to web applications.

The post HC3 Warns of Risk of Web Application Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

The U.S Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover cryptocurrency ransom payments made to the Maui ransomware gang, and approximately $500,000 was recovered from the seized cryptocurrency accounts. The funds have been forfeited and are being returned to the healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group operating under the name HolyGhost has been conducting ransomware attacks on small and medium-sized businesses in the United States. It is not clear whether the attacks are being conducted by a state-sponsored group or whether individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”


Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks

A recent Phishing by Industry Benchmarking Report has confirmed that providing security awareness training to the workforce significantly reduces susceptibility to phishing attacks. The benchmarking study was conducted by KnowBe4 to determine how effective security awareness training is at reducing susceptibility to phishing attacks. For the report, KnowBe4 analyzed data from more than 9.5 million users across 19 industry sectors, over 30,000 organizations, and 23.4 million simulated phishing emails. The study covered 22,558 small organizations with 1-249 employees, 5,876 mid-sized organizations with 250 to 999 employees, and 1,709 large organizations with 1,000 or more employees.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches in 2021 involved a human element, confirming that people play a major role in security incidents and data breaches. Cybercriminals continue to target the human element because it provides an easy way of gaining access to business networks, and one of the main ways that employees are targeted is through phishing, which has continued to increase year over year.

Technology exists to block phishing attacks, and while products such as spam filters, antivirus software, and web filters are effective and will block a substantial number of threats, some threats will bypass those defenses and will reach employees. Many organizations fail to invest adequately in security awareness training and intervention, even though it is just as important as technology.

For the study, KnowBe4 established a baseline against which the effect of security awareness training could be measured, which the company calls the phish-prone percentage (PPP). The baseline PPP is the percentage of employees who clicked on simulated phishing emails prior to any security awareness training being provided. Training was then provided to employees and the PPP was recalculated after 90 days and after one year of continuous training.

Across all industry sectors and organization sizes, the average baseline PPP was 32.4%, one percentage point higher than in 2021. Among small organizations, the healthcare and pharmaceutical sector’s baseline (32.5%) was the second worst of all industry sectors, behind education (32.7%). Among mid-sized organizations, healthcare and pharmaceutical was again second worst (36.6%), behind hospitality (39.4%), and among large organizations it was fourth worst, with a PPP of 45%.

When the phishing test was repeated 90 days after training began, the PPP had dropped to 19.7% at small healthcare and pharmaceutical organizations, 19.1% at mid-sized organizations, and 17.2% at large organizations: drops of 12.8, 17.5, and 27.8 percentage points respectively. Across all industry sectors, the PPP fell from 32.4% to 17.6%. These figures demonstrate the benefit of providing security awareness training to employees and show that training delivers a fast return on investment.

The third phase of the study involved a repeat of the phishing test after a year of ongoing training and saw the average PPP across all industry sectors and organization sizes drop from 32.4% to 5%. The healthcare and pharmaceutical sector saw the PPP drop to 4.1% in small organizations, 5.1% in mid-sized organizations, and 5.9% in large organizations. That equates to an 87% improvement in small healthcare and pharmaceutical organizations, an 86% improvement in mid-sized organizations, and an 87% improvement in large organizations.

“As with any significant change, it takes time to break old habits and create new ones,” explained KnowBe4 in the report. “Once these new habits are formed, however, they become the new normal, part of the organizational culture, and influence how others behave, especially new hires who look to others to see what is socially and culturally acceptable in the organization.”

KnowBe4 also pointed out that in order to favorably change overall security behaviors, security awareness training programs need to have a clearly defined and communicated mandate, a strong alignment with organizational security policies, an active connection to overall security culture, and full support of executives. “Without consistent and enthusiastic executive support, raising security awareness within an organization is certain to fail.”


Cyber Safety Review Board Says Log4j Vulnerabilities Endemic and Will Persist for Years

The Cyber Safety Review Board (CSRB), established by President Biden in February 2022, has published a report on the Log4j vulnerability – CVE-2021-44228 – and the associated vulnerabilities disclosed in late 2021. The vulnerabilities affect the open source Java-based logging library Log4j and, according to the CSRB, they are endemic and are likely to remain present in many systems for years to come.

The Log4j vulnerability can be exploited remotely to achieve arbitrary code execution on vulnerable systems and was assigned the maximum CVSS severity score of 10 out of 10. According to the report, the vulnerabilities are among the most serious discovered in recent years.

The CSRB includes 15 cybersecurity leaders from the private sector and government and has been tasked with reviewing major cybersecurity events and making recommendations for improving public and private sector cybersecurity. The Log4j vulnerability report is the first to be published by the CSRB since its formation.

“At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”

For the Log4j vulnerability review, the CSRB engaged with almost 80 organizations to understand how the vulnerability has been, or is still being, mitigated, in order to develop actionable recommendations for preventing and responding effectively to future incidents of this kind.

The report is broken down into three sections: factual information on the vulnerability and what happened, the findings and conclusions based on an analysis of the facts, and a list of recommendations. The 19 actionable recommendations are subdivided into four categories: address the continued risks from the Log4j vulnerabilities; drive existing best practices for security hygiene; build a better software ecosystem; and investments in the future.

One of the most important recommendations is to create and maintain an accurate IT asset inventory, since vulnerabilities cannot be addressed if it is not known where they exist. It is essential to have a complete software bill of materials (SBOM) that lists all third-party software components and dependencies used in software solutions. One of the biggest problems in addressing the Log4j vulnerabilities was working out which products were affected, because the library is often bundled inside other software rather than installed directly. The report also recommends that enterprises develop a vulnerability response program and a vulnerability disclosure and handling process, and suggests that the U.S. government investigate whether a Software Security Risk Assessment Center of Excellence is viable.
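The following is an added example, not code from the CSRB report or the Log4j project, of the triage an SBOM makes possible: it walks a CycloneDX-style component list and classifies every log4j-core entry against the published affected range for CVE-2021-44228 (2.0-beta9 through 2.14.1, first fixed in 2.15.0) and the 2.17.1 release at which the December 2021 follow-on CVEs are all fixed. The SBOM content is constructed for illustration; the component field names (group, name, version) follow the CycloneDX JSON layout.

```python
"""Scan a CycloneDX-style SBOM for vulnerable log4j-core versions.

Added example, not code from the CSRB report or the Log4j project. The SBOM
below is constructed for illustration; the version ranges are the published
affected ranges for CVE-2021-44228 and the December 2021 follow-on fixes.
"""
import json
import re

# Constructed sample SBOM (CycloneDX JSON shape: a "components" list whose
# entries carry group/name/version). The components are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.16.0"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "com.example", "name": "patient-portal", "version": "5.2.0"},
    ],
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """Turn '2.14.1', '2.0-beta9' or '2.17.1' into a comparable tuple.

    A pre-release tag (alpha/beta/rc) sorts below the final release of the
    same base number, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, tag.lower(), int(tagnum or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + pre


# CVE-2021-44228 affects log4j-core 2.0-beta9 up to and including 2.14.1;
# 2.15.0 is the first fix. The follow-on CVEs (45046, 45105, 44832) are all
# fixed from 2.17.1, which is used as the "fully patched" threshold here.
# Caveat: the Java 7/6 backport branches (2.12.x, 2.3.x) carried their own
# fixes; this simple range check flags them for review rather than modelling
# each branch. Only log4j-core is checked: log4j-api on its own does not
# contain the vulnerable JNDI lookup.
CVE_2021_44228 = (parse_version("2.0-beta9"), parse_version("2.15.0"))
FULLY_PATCHED = parse_version("2.17.1")


def classify_log4j_core(version):
    """Return a verdict string for one log4j-core version."""
    v = parse_version(version)
    lo, hi = CVE_2021_44228
    if lo <= v < hi:
        return "VULNERABLE (CVE-2021-44228)"
    if v < FULLY_PATCHED:
        return "UPDATE (below 2.17.1)"
    return "OK"


def scan_sbom(sbom_json):
    """Return (version, verdict) for every log4j-core component in the SBOM."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("group") == "org.apache.logging.log4j" and comp.get("name") == "log4j-core":
            findings.append((comp["version"], classify_log4j_core(comp["version"])))
    return findings


if __name__ == "__main__":
    for version, verdict in scan_sbom(SAMPLE_SBOM):
        print(f"log4j-core {version:10} {verdict}")
```

The point of the exercise is the input, not the comparison logic: without a component-level inventory there is nothing to feed the scanner, which is exactly the gap the CSRB identified.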

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers.


Oklahoma State University Settles HIPAA Case with OCR for $875,000

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, concerning the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server, allowing the hacker(s) to access the electronic protected health information (ePHI) of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially reported that the data breach occurred on November 7, 2017; however, it was later determined that the hackers first had access to patients’ ePHI 20 months earlier, on March 9, 2016.

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.


Over 10,000 Organizations Targeted in Ongoing MFA-Bypassing Phishing and BEC Campaign

Microsoft has warned of a large-scale phishing campaign targeting Office 365 credentials that bypasses multi-factor authentication (MFA). The campaign is ongoing and more than 10,000 organizations have been targeted by scammers in the past 10 months.

Microsoft reports that one of the phishing runs used emails with HTML file attachments, telling the recipient that a Microsoft voicemail message had been received and that the HTML file had to be opened to download it. The HTML file acts as a gatekeeper: it redirects the browser to the phishing page, and the phishing page checks that the visitor arrived via that redirect from the original attachment rather than by visiting the URL directly.

The user is redirected to a website hosting a popular open source phishing kit, which is used to harvest credentials. The page tells the user that they need to sign in to their Microsoft account to receive the voicemail message, and that an email with the MP3 voicemail attached will be sent to their mailbox within an hour. The user’s email address is pre-filled in the login form, so the user only needs to enter their password.

This type of campaign is referred to as an adversary-in-the-middle (AiTM) phishing attack, because the phishing site sits between the targeted user and the genuine service they are attempting to log into. Two separate Transport Layer Security (TLS) sessions are used: one between the user and the attacker’s proxy, and another between the proxy and the genuine service.

Credentials entered on the attacker-controlled site are forwarded to the genuine service, and the genuine service’s responses, including the MFA prompt, are relayed back to the user, who completes MFA as normal. Once authentication succeeds, the service issues a session cookie, which passes through the proxy and is captured along with the credentials. The attacker then loads that cookie into their own browser; because the service treats the cookie as proof of a completed login, no further authentication or MFA challenge is required. The phishing kit automates the entire process.

Source: Microsoft

Once the attacker has access to the user’s Office 365 mailbox, the messages in the account are read to identify potential targets for the next phase of the attack. The attacker then sets up mailbox rules that mark certain messages as read and move them to the archive folder, so that the user does not notice their mailbox has been compromised. A business email compromise (BEC) scam is then conducted against the targets.

Message threads are hijacked, and the attacker inserts their own content to attempt to get the targeted individual to make a fraudulent wire transfer to an account under the control of the attacker. Since the emails are replies to previous communications, the recipient is likely to believe they are in a genuine conversation with the account owner, when they are only communicating with the attacker.

Microsoft said it takes as little as five minutes from the theft of credentials and session cookies for the first BEC email to be sent. With all replies to the request being automatically sent to the archive, the attacker can simply check the archive for any replies and does so every few hours. They are also able to identify any further potential targets to conduct BEC scams on. While the account compromise is automated, the BEC attacks appear to be conducted manually. Any emails sent or received are manually deleted from the archive folder and sent folder to avoid detection. BEC attacks such as this can involve fraudulent transfers of thousands or even millions of dollars.

Defending against these attacks requires advanced email security solutions that scan inbound and outbound emails and can also block access to malicious websites – an email security solution and a DNS filter for instance. Microsoft also recommends implementing conditional access policies that restrict account access to specific devices or IP addresses. Microsoft also recommends continuously monitoring emails for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics.
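Two of the signals described above are detectable from ordinary telemetry: a session identifier that is reused from a second IP address minutes after an MFA-satisfied sign-in (the footprint of a replayed cookie), and a newly created inbox rule that marks mail as read and moves it to a rarely checked folder. The following is an added example, not Microsoft’s code, that runs both detections over constructed sample records and correlates them per user. The field names (session_id, mfa_satisfied, operation, parameters) are assumptions standing in for whatever a real sign-in log and mailbox audit log expose, so map them to your own telemetry before use.

```python
"""Detections for the AiTM-to-BEC pattern: session-cookie replay and
mailbox rules that hide incoming mail from the account owner.

Added example, not Microsoft's code. All events are constructed and the
field names are assumptions loosely modelled on cloud sign-in and mailbox
audit logs.
"""
from datetime import datetime, timedelta

# Constructed sign-in records. Session S1 is issued to the CFO after an MFA
# sign-in from the office address and reappears three minutes later from an
# unrelated address without MFA: what a replayed session cookie looks like.
# Session S2 reappears a day later from the same address, which is normal.
SIGNIN_EVENTS = [
    {"time": "2022-07-19T09:00:00", "user": "cfo@example.org", "session_id": "S1",
     "ip": "203.0.113.10", "mfa_satisfied": True},
    {"time": "2022-07-19T09:03:00", "user": "cfo@example.org", "session_id": "S1",
     "ip": "198.51.100.77", "mfa_satisfied": False},
    {"time": "2022-07-19T11:00:00", "user": "nurse@example.org", "session_id": "S2",
     "ip": "203.0.113.11", "mfa_satisfied": True},
    {"time": "2022-07-20T08:55:00", "user": "nurse@example.org", "session_id": "S2",
     "ip": "203.0.113.11", "mfa_satisfied": False},
]

# Constructed mailbox audit records for inbox-rule changes. The CFO's rule
# is the hiding pattern; the nurse's rule is benign housekeeping.
MAILBOX_EVENTS = [
    {"time": "2022-07-19T09:04:00", "user": "cfo@example.org", "operation": "New-InboxRule",
     "parameters": {"Name": ".", "MarkAsRead": True, "MoveToFolder": "Archive",
                    "SubjectContainsWords": ["invoice", "wire", "payment"]}},
    {"time": "2022-07-19T10:00:00", "user": "nurse@example.org", "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                    "From": "news@example.org"}},
]

# Folders a user rarely looks at; mail routed here is effectively hidden.
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss feeds",
                  "rss subscriptions", "conversation history"}


def _t(event):
    return datetime.fromisoformat(event["time"])


def find_session_reuse(events, window=timedelta(minutes=30)):
    """Flag a session identifier that reappears from a different IP address
    within `window` of the sign-in that created it."""
    by_session = {}
    for e in sorted(events, key=_t):
        by_session.setdefault(e["session_id"], []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        origin = evs[0]
        for later in evs[1:]:
            if later["ip"] != origin["ip"] and _t(later) - _t(origin) <= window:
                alerts.append({"user": later["user"], "session_id": sid, "time": _t(later),
                               "origin_ip": origin["ip"], "reuse_ip": later["ip"]})
    return alerts


def find_hiding_rules(events):
    """Flag new or modified inbox rules that delete mail, route it to a hiding
    folder, or mark it read on the way to any folder."""
    alerts = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["parameters"]
        target = str(p.get("MoveToFolder", "")).lower()
        hides = bool(p.get("DeleteMessage")) or target in HIDING_FOLDERS
        reads = bool(p.get("MarkAsRead"))
        if hides or (reads and target):
            alerts.append({"user": e["user"], "time": _t(e), "rule": p.get("Name", ""),
                           "folder": p.get("MoveToFolder"), "mark_as_read": reads})
    return alerts


def correlate(signin_alerts, rule_alerts, window=timedelta(hours=1)):
    """Highest-confidence signal: session reuse followed within `window` by a
    hiding rule on the same account."""
    hits = []
    for s in signin_alerts:
        for r in rule_alerts:
            if s["user"] == r["user"] and timedelta(0) <= r["time"] - s["time"] <= window:
                hits.append((s["user"], s["session_id"], r["rule"]))
    return hits


if __name__ == "__main__":
    reuse = find_session_reuse(SIGNIN_EVENTS)
    rules = find_hiding_rules(MAILBOX_EVENTS)
    for hit in correlate(reuse, rules):
        print("probable AiTM compromise:", hit)
```

Either detection on its own produces noise (travelling users, legitimate archive rules); the combination of the two on the same account within an hour is what distinguishes this campaign, and it matches the five-minute timeline Microsoft reports between cookie theft and the first BEC email.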

With respect to the MFA bypass, Microsoft stresses that while AiTM attacks can bypass MFA, MFA remains an important security measure and is effective at blocking many threats. Microsoft suggests making MFA implementations “phish-resistant” by using solutions that support FIDO2 security keys and certificate-based authentication, which bind the authentication to the genuine site and so cannot be relayed through a proxy.


Feds Warn of Threat of Maui Ransomware Attacks By North Korean State-Sponsored Hackers

A joint security alert has been issued to the healthcare and public health sector by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury warning about the threat of Maui ransomware attacks.

Since May 2021, North Korean state-sponsored cyber actors have been targeting organizations in the U.S. healthcare and public health sector and have been encrypting servers that support electronic medical record systems and diagnostic, imaging, and intranet services. These attacks have resulted in data encryption which has disrupted the services provided to patients and, in some cases, has resulted in disruption to services for long periods.

According to the advisory, once initial access to a healthcare network has been gained, the ransomware is deployed manually; the threat actors use a command-line interface to control the ransomware payload and launch attacks. Healthcare organizations are an attractive target for ransomware threat actors because they are heavily reliant on data to provide their services. Attacks can cause major disruption and loss of revenue, and can threaten patient safety. As such, healthcare organizations are seen as more likely to pay ransoms and to negotiate payments quickly. For this reason, the FBI, CISA, and the Treasury believe that the healthcare and public health sector will continue to be targeted.

The FBI obtained a sample of Maui ransomware and shared technical details based on its analysis. The methods used by the North Korean threat actors to gain initial access to healthcare networks are not yet known, but details have been shared about how attacks are conducted, along with indicators of compromise (IoCs) and a list of mitigations that healthcare and public health sector organizations are encouraged to implement as soon as possible.

The payment of ransom demands is highly discouraged by the FBI, CISA, and the Treasury. Payment does not guarantee file recovery, further ransom demands may be issued after payment is made, and there is no guarantee that it will be possible to decrypt files after paying the ransom. The alert also draws attention to the risk of sanctions by the Office of Foreign Assets Control (OFAC) of the U.S. Treasury if payment is made.

The alert draws attention to a September 2021 advisory from the Treasury that encourages all entities, including those in the healthcare and public health sector, to adopt and improve their cybersecurity practices. When the measures recommended in that advisory have been implemented, OFAC is more likely to resolve apparent sanctions violations involving ransomware payments with a non-public enforcement response.

The FBI says it understands that when a healthcare organization is faced with an inability to function, all options should be evaluated, including paying the ransom to protect shareholders, employees, and patients. In the event of an attack, regardless of whether the ransom is paid, the FBI should be notified, and information shared about the attack, including boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.

A long list of mitigations has been provided to help healthcare and public health sector organizations improve their defenses against these and other ransomware attacks. The mitigations, IoCs, and technical analysis of Maui ransomware are set out in the joint advisory.


FBI, CISA, & FinCEN Sound Alarm About MedusaLocker Ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have issued a joint cybersecurity advisory about MedusaLocker ransomware.

The MedusaLocker threat group appears to operate as a ransomware-as-a-service operation, where affiliates are recruited to conduct the attacks for between 55 and 60% of any ransom payments they generate. MedusaLocker was first detected in September 2019 and has been used to attack a broad range of targets in the United States.

Once access to a victim’s network has been gained, a batch file is used to execute a PowerShell script that propagates MedusaLocker throughout the network. The script sets the EnableLinkedConnections value in the infected machine’s registry, after which the infected machine is used to discover attached hosts and networks via Internet Control Message Protocol (ICMP) and shared storage via the Server Message Block (SMB) protocol.

MedusaLocker terminates security, accounting, and forensic software, restarts the machine in safe mode so that security software does not load and detect the ransomware, and then encrypts files. All files are encrypted apart from those critical to the functionality of the victim’s devices. As is common with ransomware, local backups and shadow copies are deleted and start-up recovery options are disabled.
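The precursors described in the two paragraphs above (the EnableLinkedConnections registry change, the safe-mode reboot, shadow copy deletion, and disabled start-up recovery) are each visible in endpoint telemetry before encryption starts. The following is an added example, not code from the advisory or from any vendor, that matches Sysmon-style events against those four behaviours and raises a per-host verdict when more than one is seen. The events are constructed; the field names follow Sysmon’s conventions (EventID 1 process creation with CommandLine, EventID 13 registry value set with TargetObject and Details) but every value is invented, and the command-line patterns are the well-known bcdedit and vssadmin forms rather than anything specific to MedusaLocker.

```python
"""Flag ransomware-precursor behaviour in Sysmon-style endpoint events.

Added example, not from the MedusaLocker advisory. Events are constructed;
field names follow Sysmon (EventID 1: process creation with CommandLine;
EventID 13: registry value set with TargetObject/Details), values invented.
"""
import re

SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "CommandLine": "cmd.exe /c C:\\Users\\Public\\run.bat"},
    {"EventID": 13, "Computer": "WS-042",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "WS-042", "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 1, "Computer": "WS-042", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS-042", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Computer": "WS-042", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": 1, "Computer": "WS-007", "CommandLine": "vssadmin list shadows"},
]

# (rule name, Sysmon EventID, field to inspect, pattern). The registry rule
# additionally requires the written value to be 1 (see match_event).
RULES = [
    ("enable_linked_connections", 13, "TargetObject",
     re.compile(r"\\EnableLinkedConnections$", re.I)),
    ("safe_mode_boot", 1, "CommandLine",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("shadow_copy_deletion", 1, "CommandLine",
     re.compile(r"(\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b)"
                r"|(\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b)", re.I)),
    ("recovery_disabled", 1, "CommandLine",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def match_event(event):
    """Return the names of every rule the event satisfies."""
    names = []
    for name, event_id, field, pattern in RULES:
        if event.get("EventID") != event_id or field not in event:
            continue
        if not pattern.search(event[field]):
            continue
        # Setting EnableLinkedConnections back to 0 is not suspicious.
        if name == "enable_linked_connections" and "0x00000001" not in event.get("Details", ""):
            continue
        names.append(name)
    return names


def assess(events, threshold=2):
    """Per host: (sorted rule names seen, True if at least `threshold` distinct
    behaviours were observed). Hosts with no matches are omitted."""
    per_host = {}
    for e in events:
        for name in match_event(e):
            per_host.setdefault(e["Computer"], set()).add(name)
    return {host: (sorted(names), len(names) >= threshold) for host, names in per_host.items()}


if __name__ == "__main__":
    for host, (names, suspicious) in assess(SAMPLE_EVENTS).items():
        print(host, "SUSPICIOUS" if suspicious else "info", names)
```

Any one of these commands can appear during legitimate administration (vssadmin is used by backup tooling, bcdedit by imaging scripts), which is why the verdict is built on the number of distinct behaviours per host rather than on a single match.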

A variety of vectors are used to gain initial access to networks, including spam and phishing email campaigns, with some campaigns having the ransomware payload directly attached to emails; however, by far the most common method of attack is exploiting vulnerable Remote Desktop Protocol (RDP) configurations.

Indicators of compromise (IoCs) have been shared, including IP addresses, Bitcoin wallet addresses, email addresses, and TOR addresses known to be used by the group. Several mitigations have been suggested, the most important of which are to prioritize remediating known vulnerabilities, enable and enforce multifactor authentication, and provide training to help employees recognize and avoid phishing attempts.


Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory for the healthcare and public health sector warning about three high-severity vulnerabilities in OFFIS DCMTK software. The software is used for examining, constructing, and converting DICOM image files, handling offline media, and sending and receiving images over a network connection.

The vulnerabilities affect all versions of DCMTK prior to 3.6.7. If exploited, a remote attacker could trigger a denial-of-service condition, write malformed DICOM files into arbitrary directories, or gain remote code execution.

Two path traversal vulnerabilities have been identified in the product, which could be exploited to write malformed files into arbitrary directories under attacker-controlled names, allowing remote code execution. The product’s service class provider (SCP) is vulnerable to path traversal – CVE-2022-2119 – and the service class user (SCU) is vulnerable to relative path traversal – CVE-2022-2120. Both vulnerabilities have been assigned a CVSS v3 base score of 7.5 out of 10 (high severity).
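The flaw class above comes down to a name received from the network being used as a path fragment when a received object is written to disk. The following is an added example, not DCMTK code and not the logic of the 3.6.7 fix, that shows the flawed pattern beside a hardened version: the filename is derived from the object’s SOP Instance UID, which must satisfy the DICOM UID grammar (digits and dots, at most 64 characters), and the resolved path is then checked to lie directly under the storage directory. STORAGE_ROOT under the temp directory is an assumption so that the example runs anywhere; a real archive would use its configured store.

```python
"""Safe placement of received DICOM objects on disk.

Added example, not DCMTK code. Shows the flawed pattern (a peer-supplied
name used as a path fragment) beside a hardened version. STORAGE_ROOT is an
assumption for this example only.
"""
import re
import tempfile
from pathlib import Path

STORAGE_ROOT = Path(tempfile.gettempdir()) / "dicom-store-example"

# DICOM UIDs (PS3.5) are dotted decimal strings of at most 64 characters.
# That grammar admits no path separators, no '..' and no NUL bytes.
_UID_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


class UnsafeNameError(ValueError):
    pass


def naive_storage_path(name, root=STORAGE_ROOT):
    """The flawed pattern: a name received from the network used as a path.
    '../../etc/cron.d/x' or '..\\..\\Windows\\x' walks out of the store."""
    return Path(root) / name


def is_valid_uid(uid):
    return 0 < len(uid) <= 64 and _UID_RE.match(uid) is not None


def safe_storage_path(sop_instance_uid, root=STORAGE_ROOT):
    """Return the path at which the object may be written, or raise.

    Validate first (the UID grammar alone rules out traversal), then check
    containment on the resolved path as defence in depth: a symlink planted
    in the store with a UID-shaped name would otherwise redirect the write.
    """
    if not is_valid_uid(sop_instance_uid):
        raise UnsafeNameError(f"not a DICOM UID: {sop_instance_uid!r}")
    root = Path(root).resolve()
    candidate = (root / f"{sop_instance_uid}.dcm").resolve()
    if candidate.parent != root:
        raise UnsafeNameError(f"escapes storage root: {candidate}")
    return candidate


def escapes_root(path, root=STORAGE_ROOT):
    """True if `path` resolves outside `root`; used to show the naive version failing."""
    root = Path(root).resolve()
    resolved = Path(path).resolve()
    return root != resolved and root not in resolved.parents


if __name__ == "__main__":
    hostile = "../../etc/cron.d/evil"
    print("naive:", naive_storage_path(hostile).resolve(), "escapes:", escapes_root(naive_storage_path(hostile)))
    print("safe :", safe_storage_path("1.2.840.113619.2.55.3.1"))
    try:
        safe_storage_path(hostile)
    except UnsafeNameError as exc:
        print("safe : rejected", exc)
```

Validating the name against a strict grammar is the primary control; the containment check after resolve() is there for the cases a grammar cannot see, such as symlinks already present in the store.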

The third flaw is a NULL pointer dereference that occurs while processing DICOM files. The product dereferences a pointer that it expects to be valid; if the pointer is NULL, the software crashes. The vulnerability could be exploited to trigger a denial-of-service condition. It is tracked as CVE-2022-2121 and has been assigned a CVSS v3 base score of 6.5 out of 10, which falls in the medium band of the CVSS v3 qualitative scale.

The vulnerabilities were reported to CISA by Noam Moshe of Claroty. OFFIS has corrected the vulnerabilities in DCMTK version 3.6.7. All users are advised to update to the latest version of the software as soon as possible to prevent exploitation of the flaws.

The risk of exploitation of vulnerabilities such as these can be minimized by ensuring the affected product, control systems, and devices are not exposed to the Internet. The product should be located behind a firewall and isolated from the business network, and if remote access is required, secure methods of connection should be used such as a Virtual Private Network (VPN). If a VPN is used, it should be kept up to date, as VPNs can contain vulnerabilities that can be exploited.
