Healthcare Cybersecurity

Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory for the healthcare and public health sector warning about three high-severity vulnerabilities in OFFIS DCMTK software. The software is used for examining, constructing, and converting DICOM image files, handling offline media, and sending and receiving images over a network connection.

The vulnerabilities affect all versions of DCMTK prior to version 3.6.7. If exploited, a remote attacker could trigger a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.

Two path traversal vulnerabilities have been identified in the product which could be exploited to write malformed files into arbitrary directories under controlled names, allowing remote code execution. The product’s service class provider (SCP) is vulnerable to path traversal – CVE-2022-2119 – and the service class user (SCU) is vulnerable to relative path traversal – CVE-2022-2120. Both vulnerabilities have been assigned a CVSS v3 base score of 7.5 out of 10 (high severity).
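The defensive counterpart of the two traversal flaws is a containment check on every peer-supplied file name before a storage service writes it to disk. The following is an added example and not code from the HIPAA Journal post or from DCMTK; `STORAGE_ROOT` and the names in `SAMPLE_NAMES` are constructed for the example, and the check goes slightly beyond the two reported cases by also rejecting absolute paths, drive letters, NUL bytes and symlinked escapes.

```python
"""Containment check for file names received by a DICOM storage service.

Added example, not code from the HIPAA Journal post or from DCMTK: it shows the
check a storage SCP (or an SCU writing what it receives) needs so that a
peer-supplied name cannot steer a write outside the configured storage
directory. STORAGE_ROOT and the names in SAMPLE_NAMES are constructed for
the example.
"""
from pathlib import Path, PurePosixPath

STORAGE_ROOT = "/var/lib/dicom-store"  # constructed example root

# Constructed sample of names a peer might supply; the check must keep every
# accepted name inside STORAGE_ROOT.
SAMPLE_NAMES = [
    "study1/series2/img0001.dcm",
    "img0002.dcm",
    "../escape.dcm",
    "study1/../../escape.dcm",
    "..\\escape.dcm",
    "/etc/escape.dcm",
    "C:escape.dcm",
    "",
]


class UnsafePathError(ValueError):
    """Raised when a supplied name would resolve outside the storage root."""


def safe_storage_path(storage_root: str, supplied_name: str) -> Path:
    """Return storage_root joined with supplied_name, or raise if it escapes.

    Checks applied, in order:
      1. normalise backslashes so Windows-style separators cannot slip past;
      2. reject NUL bytes, empty names, absolute paths and drive letters;
      3. reject any '..' component, wherever it appears;
      4. resolve symlinks and confirm the real path is still under the root.
    """
    root = Path(storage_root).resolve()
    name = supplied_name.replace("\\", "/")
    if "\x00" in name:
        raise UnsafePathError("NUL byte in name")
    pure = PurePosixPath(name)
    if not pure.parts:
        raise UnsafePathError("empty name")
    if pure.is_absolute() or (len(name) > 1 and name[1] == ":"):
        raise UnsafePathError(f"absolute path rejected: {supplied_name!r}")
    if any(part == ".." for part in pure.parts):
        raise UnsafePathError(f"parent reference rejected: {supplied_name!r}")
    candidate = root.joinpath(*pure.parts).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"escapes storage root: {supplied_name!r}") from None
    return candidate


def audit_names(storage_root: str, names) -> dict:
    """Map each name to 'accepted: <relative path>' or 'rejected: <reason>'."""
    root = Path(storage_root).resolve()
    results = {}
    for name in names:
        try:
            rel = safe_storage_path(storage_root, name).relative_to(root)
            results[name] = f"accepted: {rel.as_posix()}"
        except UnsafePathError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, verdict in audit_names(STORAGE_ROOT, SAMPLE_NAMES).items():
        print(f"{name!r:32} -> {verdict}")
```

The final `relative_to` check on the resolved path is what catches a symlink inside the store that points elsewhere; the earlier string checks alone would accept such a name.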

The third flaw is a NULL pointer dereference vulnerability that exists while processing DICOM files. The product dereferences a pointer that it expects to be valid, but if the pointer is NULL, the software crashes. The vulnerability could be exploited to trigger a denial-of-service condition. It is tracked as CVE-2022-2121 and has been assigned a CVSS v3 base score of 6.5 out of 10 (high severity).

The vulnerabilities were reported to CISA by Noam Moshe of Claroty. OFFIS has corrected the vulnerabilities in DCMTK version 3.6.7. All users are advised to update to the latest version of the software as soon as possible to prevent exploitation of the flaws.

The risk of exploitation of vulnerabilities such as these can be minimized by ensuring the affected product, control systems, and devices are not exposed to the Internet. The product should be located behind a firewall and isolated from the business network, and if remote access is required, secure methods of connection should be used such as a Virtual Private Network (VPN). If a VPN is used, it should be kept up to date, as VPNs can contain vulnerabilities that can be exploited.

The post Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software appeared first on HIPAA Journal.

Vulnerabilities Identified in Welch Allyn Resting Electrocardiograph Devices

Hillrom Medical Device Management has announced that two vulnerabilities have been identified in certain Welch Allyn medical devices. If exploited, the vulnerabilities could allow an unauthorized attacker to compromise software security by executing commands, gaining privileges, and reading sensitive information while evading detection.

The vulnerabilities affect the following Hillrom products:

  • Welch Allyn ELI 380 Resting Electrocardiograph (versions 2.6.0 and prior)
  • Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph (versions 2.3.1 and prior)
  • Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph (versions 2.1.2 and prior)
  • Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph (versions 2.2.0 and prior)

The two vulnerabilities were discovered by an anonymous researcher, who reported them to Hillrom. The most serious vulnerability – tracked as CVE-2022-26389 – has a CVSS v3 severity score of 7.7 out of 10 (high severity) and is due to improper access controls that fail to restrict attempts by unauthorized individuals to access resources.

The second vulnerability – tracked as CVE-2022-26388 – has been assigned a CVSS v3 severity score of 6.4 out of 10 (medium severity) and is due to the use of hard-coded credentials for inbound authentication and outbound communication to external components.

Hillrom released a patch to fix the flaw in May 2022 for the Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, and patches are scheduled to be released to address the vulnerabilities in the Welch Allyn ELI 380 and ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph devices by Q4, 2023.

The patches should be applied as soon as possible to prevent the exploitation of the flaws. If a patch is not yet available, Hillrom recommends applying the proper network and physical security controls to reduce risk:

  • Ensure a unique encryption key is configured for ELI Link and Cardiograph.
  • Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

The post Vulnerabilities Identified in Welch Allyn Resting Electrocardiograph Devices appeared first on HIPAA Journal.

HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published guidance for healthcare organizations to help them improve their cyber posture. Cyber posture is the term for the overall strength of an organization’s cybersecurity, its protocols for predicting and preventing cyber threats, and its ability to continue to operate while responding to those threats.

To comply with the HIPAA Security Rule, organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, and reduce risks to a low and acceptable level.

Technical safeguards will help to keep ePHI private and confidential and will ensure ePHI can be recovered in the event of a destructive cyberattack. A robust cybersecurity program can help to limit the damage caused in the event of an attack, can prevent the theft of sensitive information such as ePHI and intellectual property, limit the potential for misuse of patient data, and will help to improve customer confidence.

HC3 details several steps that can be taken to improve cyber posture such as conducting regular security posture assessments, consistently monitoring networks and software for vulnerabilities, defining which departments own risks and assigning managers to specific risks, regularly analyzing gaps in security controls, defining key security metrics, and creating incident response and disaster recovery plans.

HC3 also recommends following the cybersecurity best practices detailed in CISA Insights for protecting against cyber threats. These best practices can help to reduce the likelihood of a damaging cyber intrusion occurring, will help organizations rapidly detect attacks in progress, will make it easier to conduct an efficient breach response, and maximize organizations’ resilience to destructive cyberattacks.

HC3 draws attention to the security risk assessment, which is an aspect of HIPAA Security Rule compliance that has been problematic for many healthcare organizations. The security risk assessment is concerned with identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the probable impact, and calculating risk as a combination of likelihood and impact.

Healthcare organizations can then use the information provided by risk assessments to prioritize risk management. The Office for Civil Rights has recently released a new version of its Security Risk Assessment Tool, which can help small- and medium-sized healthcare organizations with their security risk assessments.

The post HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture appeared first on HIPAA Journal.

Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that come into contact with protected health information (PHI) are required to ensure policies, processes, and people are compliant with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Ensuring you have a good security posture is an important part of HIPAA compliance. The HIPAA Security Rule requires HIPAA-regulated entities to have appropriate safeguards in place to ensure the confidentiality, integrity, and availability of ePHI, and to manage risks to protected health information and reduce them to a low and acceptable level.

Ensuring you have a good security posture has never been more important. Cyber threat actors have stepped up their attacks on the healthcare industry and data breaches are occurring at record levels. Further, following the ‘Safe Harbor’ update to the HITECH Act, if you are able to demonstrate you have implemented recognized security practices, you will be protected against fines, sanctions, and extensive audits and investigations by the HHS’ Office for Civil Rights.

To help you on your compliance journey and with your security efforts, Compliancy Group is hosting a webinar that will explain the ins and outs of compliance and cybersecurity, and why both are necessary for patient privacy and your practice’s security.

During the webinar, Compliancy Group will explain how HIPAA compliance can be simplified, you will be walked through the regulation, and will be provided with actionable tips that you can implement within your practice today.

Three learning objectives of the webinar:

  1. Why compliance and security are BOTH required for HIPAA compliance.
  2. How HIPAA and security help protect your patients.
  3. What you can implement in your practice now to avoid breaches and fines.

Webinar Details:

Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Wednesday, July 20, 2022

11:00 a.m. PT | 2:00 p.m. ET

Host: Compliancy Group


The post Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant appeared first on HIPAA Journal.

Bipartisan Legislation Introduced to Strengthen Cybersecurity for Medical Devices

A bipartisan bill – The Strengthening Cybersecurity for Medical Devices Act – has been introduced that calls for the U.S. Food and Drug Administration (FDA) to review and update its guidelines on medical device cybersecurity more frequently to ensure devices are protected from potential hacking and cyberattacks.

The bill, introduced by Sen. Jacky Rosen (D-NV) and co-sponsored by Sen. Todd Young (R-IN), calls for the Secretary of the Department of Health and Human Services (HHS), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA), to provide updated guidance on medical device cybersecurity to the FDA every year, and for the FDA to issue updated guidelines and suggestions on medical device cybersecurity at least every two years. The frequency of updates needs to be improved to ensure the guidelines remain current, especially considering the fast-evolving threat landscape and the extent to which the healthcare industry is being targeted by cyber threat actors.

“Medical devices are increasingly connected to the Internet or other health care facility networks to provide features that improve the ability of health care providers to treat patients,” said Sen. Young. “Our bill helps ensure medical devices are protected from cyberattacks and used safely and securely in order to reduce risks and vulnerabilities for patients.”

The bill also calls for the FDA to share information publicly about federal resources for healthcare professionals, medical device manufacturers, and health systems that will help them identify and address vulnerabilities and to ensure they can access appropriate support. The Strengthening Cybersecurity for Medical Devices Act also requires the Government Accountability Office (GAO) to compile a report on cybersecurity vulnerabilities affecting medical devices and to make recommendations for improving federal coordination to support cybersecurity for medical devices.

“In light of increased cyber threats, we must strengthen the security of our health care system’s cyber infrastructure,” said Senator Rosen. “This bipartisan bill I introduced with Senator Young will ensure that medical devices and technologies are up to date with the latest cybersecurity, protecting patients and health care systems.”

The post Bipartisan Legislation Introduced to Strengthen Cybersecurity for Medical Devices appeared first on HIPAA Journal.

DogWalk Zero-day Windows MSDT Vulnerability Gets Unofficial Patch

Another zero-day vulnerability has been identified that affects the same Windows tool as Follina. While the vulnerability is not known to have been exploited in the wild, the bug is exploitable and the recent interest and widespread exploitation of the Follina vulnerability make exploitation of this flaw more likely.

The vulnerability affects the Microsoft Diagnostic Tool (MSDT) and is a path traversal flaw that can be exploited to copy an executable file to the Windows Startup folder. The vulnerability can be exploited by sending a specially crafted .diagcab file via email or convincing a user to download the file from the Internet. .diagcab files are Cabinet files that include a diagnostic configuration file. In this attack, once the startup entry is implanted, the executable file will be run the next time Windows is restarted.

The vulnerability was identified and publicly disclosed by security researcher Imre Rad in January 2020. Microsoft decided not to issue a fix, as this was technically not a security issue, and since .diagcab files are considered unsafe they are automatically blocked in Outlook, on the web, and in other places. While Microsoft’s reasoning is understandable, there are other file types that are not technically executables but could potentially be abused, so it is possible that threat actors could try to exploit the vulnerability, especially in attacks over the Internet.
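Whatever the delivery route, the attack described above ends with an executable sitting in a Windows Startup folder, which gives defenders a simple host-level check: enumerate those folders and flag executable items, especially ones that appeared recently. The following is an added example and not code from the HIPAA Journal post or from 0Patch; the sample folder built by `build_sample_folder()` is constructed for the example, and on a real Windows host the paths returned by `default_startup_folders()` would be audited instead.

```python
"""Audit a Windows Startup folder for recently planted executables.

Added example, not code from the HIPAA Journal post or from 0Patch. The attack
described above ends with an executable in a Startup folder, so a cheap host
check is to list what is in those folders and flag executable items, marking
the ones that appeared recently. The folder built by build_sample_folder()
is constructed for the example; on a Windows host, pass the paths returned
by default_startup_folders() instead.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# File types Windows will execute, or that launch something else, when Explorer
# processes the Startup folder at logon.
EXECUTABLE_SUFFIXES = {
    ".exe", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf",
    ".hta", ".lnk", ".url",
}


@dataclass
class Finding:
    path: str
    suffix: str
    age_hours: float
    recent: bool  # modified within max_age_hours of the audit


def default_startup_folders() -> List[Path]:
    """Per-user and all-users Startup folders, derived from the environment."""
    folders = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        folders.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return folders


def audit_startup_folder(folder, now: Optional[float] = None,
                         max_age_hours: float = 72.0) -> List[Finding]:
    """Return one Finding per executable-type file in folder.

    Every executable item is reported so the reviewer sees the full list;
    items modified within max_age_hours are flagged recent=True for triage.
    """
    now = time.time() if now is None else now
    folder = Path(folder)
    findings: List[Finding] = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        suffix = entry.suffix.lower()
        if suffix not in EXECUTABLE_SUFFIXES:
            continue
        age_hours = (now - entry.stat().st_mtime) / 3600.0
        findings.append(Finding(str(entry), suffix, round(age_hours, 1),
                                age_hours <= max_age_hours))
    return findings


def build_sample_folder() -> Path:
    """Constructed Startup folder: the usual desktop.ini, a month-old shortcut,
    and an executable (placeholder bytes, not a real binary) dropped an hour ago."""
    folder = Path(tempfile.mkdtemp(prefix="startup-sample-"))
    now = time.time()
    (folder / "desktop.ini").write_text("[.ShellClassInfo]\n")
    shortcut = folder / "Dropbox.lnk"
    shortcut.write_bytes(b"L\x00\x00\x00")  # placeholder shortcut header
    os.utime(shortcut, (now - 30 * 86400, now - 30 * 86400))
    dropped = folder / "updater.exe"
    dropped.write_bytes(b"MZ")  # placeholder, not a real executable
    os.utime(dropped, (now - 3600, now - 3600))
    return folder


if __name__ == "__main__":
    for f in audit_startup_folder(build_sample_folder()):
        flag = "RECENT" if f.recent else "old"
        print(f"{flag:6} {f.age_hours:>8.1f}h {f.path}")
```

Reporting every executable item rather than only the recent ones is deliberate: an allowlist of expected shortcuts can be built from the first run, after which anything new in the list is worth a look regardless of its timestamp, since file times are easy to alter.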

“Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting a website, and it only takes a single click (or mis-click) in the browser’s downloads list to have it opened,” explained 0Patch. “No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing attacker’s code. From the attacker’s perspective, therefore, this is a nicely exploitable vulnerability with all Windows versions affected back to Windows 7 and Server 2008.”

Following the discovery of the Follina vulnerability, security researcher j00sean rediscovered the flaw and announced it last week. The vulnerability has been dubbed DogWalk and is considered to be sufficiently exploitable for 0Patch to develop micropatches to address the flaw.

The micropatches for the DogWalk vulnerability are being provided free of charge until Microsoft develops a patch to permanently fix the issue. The micropatches have been released for Windows 7, 10, and 11, and Windows Server 2008 R2, 2012/2012 R2, 2016, 2019, and 2022.

The post DogWalk Zero-day Windows MSDT Vulnerability Gets Unofficial Patch appeared first on HIPAA Journal.

HC3 Warns Healthcare Sector About Growing Threat from Emotet Malware

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare sector about the threat from Emotet malware. Emotet was first detected in 2014 and was initially a banking Trojan; however, the malware has been updated over the years and has had new features added. In addition to serving as a banking Trojan, the malware includes a dropper for delivering other malware variants and is offered to other cybercriminal groups under the infrastructure-as-a-service (IaaS) model. Emotet has been used to deliver a range of malware variants including IcedID, Trickbot, Qbot, Azorult, and ransomware payloads such as Ryuk and BitPaymer.

According to Europol, Emotet is the most dangerous malware variant currently in use and has infected one in five organizations worldwide. Data from Malwarebytes indicates 80% of malware infections at healthcare organizations involved Trojans, and Emotet was the most common Trojan deployed in attacks on the healthcare sector.

Emotet is operated by the MUMMY SPIDER threat group, which was targeted in an international law enforcement operation in late 2020. Multiple cybersecurity agencies from the U.S., Canada, and Europe successfully took down the Emotet infrastructure in January 2021 and removed the disabled malware from infected devices in April 2021.

While Emotet activity was stopped, it didn’t take long for MUMMY SPIDER to start rebuilding the botnet. In November 2021, security researchers started to identify new Emotet activity as the botnet started to be rebuilt. According to HC3, the new command-and-control infrastructure of Emotet now consists of 246 systems (and growing), and the malware has been updated and has an enhanced dropper and new loader. The number of infected devices has been growing at an incredible rate.

Emotet malware is primarily delivered via email, most commonly via malicious Office attachments or hyperlinks to compromised websites where the payload is downloaded. Emotet has also been observed being delivered in brute force attacks and by exploiting known vulnerabilities. Proofpoint has reported that the tactics, techniques, and procedures (TTPs) have been updated and new methods of delivery are being trialed, including emails with hyperlinks to OneDrive. These new tactics are being trialed in small campaigns to test their effectiveness and could be adopted in much larger campaigns. Proofpoint also suggests the threat group may have changed tactics and could continue conducting more limited attacks on selected targets.

Emotet is capable of self-propagation: it hijacks email threads and inserts a copy of itself into the messages, which are then sent to the victim’s contacts. This method of distribution has proven to be highly effective, as the messages distributing the malware come from known and trusted sources, which increases the likelihood of the attachments being opened. In January the malware was observed dropping Cobalt Strike onto infected systems.

The best approach to take to block attacks is to implement layered defenses. HC3 has provided an analysis of the malware and the TTPs known to be used for distributing the malware in the threat brief, and recommends consulting government resources and implementing the suggested mitigations.

The post HC3 Warns Healthcare Sector About Growing Threat from Emotet Malware appeared first on HIPAA Journal.

Healthcare Ransomware Attacks Increased by 94% in 2021

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries. This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare.

66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks.

According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year.

Paying the ransom may help healthcare organizations recover from ransomware attacks more quickly, but there is no guarantee that paying the ransom will prevent data loss. On average, after paying the ransom, healthcare organizations were only able to recover 65% of encrypted data, down from 69% in 2020. In 2020, 8% of healthcare organizations recovered all of their data after paying the ransom. That figure fell to just 2% in 2021.

While the healthcare industry had the highest percentage of victims paying the ransom for the decryption keys and to prevent the exposure of sensitive data, healthcare had the lowest average ransom amount, at $197,000. The global average across all industry sectors was $812,000. The ransom cost was lower in healthcare, but the overall cost of recovery was the second-highest, with the total cost of a ransomware attack averaging $1.85 million, considerably higher than the global average of $1.4 million.

Even though there is a high risk of suffering a costly ransomware attack, there are relatively low levels of cyber insurance coverage in healthcare. Across all industry sectors, 83% of organizations had cyber insurance. Only 78% of surveyed healthcare organizations said they had a cyber insurance policy. Many cyber insurance providers stipulate that certain baseline security measures must be implemented in order to take out insurance policies, and the level of maturity of cybersecurity programs can have a big impact on the cost of insurance. 97% of healthcare organizations said they had upgraded their cybersecurity defenses to improve their cyber insurance position.

97% of healthcare organizations that had cyber insurance that covered ransomware attacks said the policy paid out, with 47% saying the entire ransom payment was covered by their cyber insurance provider; however, obtaining cyber insurance to cover ransomware attacks is getting much harder due to the extent to which the healthcare industry is being targeted.

The post Healthcare Ransomware Attacks Increased by 94% in 2021 appeared first on HIPAA Journal.

Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center

Atlassian has released a patch to fix a critical zero-day vulnerability that affects all supported versions of Confluence Server and Data Center. The vulnerability – tracked as CVE-2022-26134 – has a maximum CVSS severity score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to achieve code execution. According to security researchers, exploiting the flaw is trivial, with no user interaction or privileges required.

Last week, cybersecurity firm Volexity detected exploitation of the vulnerability while responding to a security breach. The researchers were able to reproduce the exploit for the flaw and shared details of the vulnerability with Atlassian last week. Volexity reports that in the incident its researchers investigated, the attackers were most likely based in China and exploited the vulnerability to run malicious code and install webshells such as BEHINDER and China Chopper. The attackers conducted reconnaissance, checked local Confluence databases and dumped user tables, altered web access logs to remove traces of exploitation, and wrote additional webshells.

On Friday, Volexity President, Steven Adair, said in a Tweet, “It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”

Over the weekend, proof-of-concept exploits were widely released and exploitation accelerated. On Thursday, GreyNoise CEO, Andrew Morris said 23 IP addresses were attempting to exploit the flaw and by Friday the number had grown to 211.

It is essential for the patch to be applied immediately on Confluence Server and Data Center installations to prevent exploitation. Atlassian says the following product versions are affected: 7.4.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.15.1, 7.14.2, 7.17.0, 7.4.16, 7.18.0, 7.16.3, 7.13.6, and 7.17.3. Atlassian Cloud sites are unaffected.

Atlassian has fixed the vulnerability in versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. If it is not possible to patch immediately, it is essential to implement the mitigations suggested by Atlassian.
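Because the fix was shipped as a separate release on each affected minor branch, "am I patched?" is a per-branch comparison rather than a single version threshold. The following is an added example, not code from Atlassian or the HIPAA Journal post: it takes the seven fixed versions named above and classifies each entry of a constructed host inventory. The rule it applies, that a version is patched only when it is at or above the fix release of its own minor branch, is an assumption drawn from the version list; branches with no listed fix are reported as vulnerable, and branches newer than the list are reported for manual verification against Atlassian's advisory.

```python
"""Check Confluence Server / Data Center versions against the CVE-2022-26134 fix list.

Added example, not code from Atlassian or the HIPAA Journal post. The fixed
releases are the seven listed in the post; the rule applied (an assumption
drawn from that list) is that a version is patched only when it is at or
above the fix release of its own minor branch: 7.4.x needs 7.4.17, 7.13.x
needs 7.13.7, and so on. SAMPLE_INVENTORY is constructed data.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fix releases named in the post, one per affected minor branch.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]

# Constructed inventory: "hostname, version" lines as an asset export might give them.
SAMPLE_INVENTORY = """\
wiki-prod-1, 7.18.0
wiki-prod-2, 7.18.1
wiki-legacy, 7.4.16
wiki-dr, 7.13.10
wiki-old, 7.12.5
wiki-new, 7.19.0
wiki-broken, n/a
"""


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch' from the start of text; None if absent."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


# Minor branch (major, minor) -> first release on that branch carrying the fix.
FIX_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    v[:2]: v for v in map(parse_version, FIXED_VERSIONS) if v is not None
}
NEWEST_FIX = max(FIX_BY_BRANCH.values())


def assess(version_text: str) -> str:
    """Classify one version string as patched, vulnerable, verify or unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable: cannot determine version"
    fix = FIX_BY_BRANCH.get(v[:2])
    if fix is None:
        if v > NEWEST_FIX:
            # A branch released after the fix list: not covered by it, so verify.
            return "verify: branch newer than the fix list, check Atlassian's advisory"
        return "vulnerable: branch {}.{} has no listed fix release, upgrade to a fixed branch".format(v[0], v[1])
    if v >= fix:
        return "patched"
    return "vulnerable: upgrade to {}.{}.{}".format(*fix)


def assess_inventory(text: str) -> Dict[str, str]:
    """Map hostname -> assessment for 'host, version' lines."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = assess(version)
    return results


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Comparing within the branch is the point: 7.13.10 is patched while 7.18.0 is not, even though 7.18.0 is the higher number, and a naive "version >= 7.18.1" test would get both wrong.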

The post Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center appeared first on HIPAA Journal.