Healthcare Cybersecurity

JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed.

Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks on hospital networks.

The vulnerabilities, which are collectively named JekyllBot:5, were identified by Asher Brass and Daniel Brodie of the healthcare IoT security firm Cynerio. The researchers said the vulnerabilities require a low level of skill to exploit, can be exploited remotely if the system is connected to the Internet, and exploitation of the vulnerabilities does not require any special privileges.

One of the vulnerabilities is rated critical with a CVSS severity score of 9.8 out of 10 and the other four are all high-severity issues with CVSS scores between 7.6 and 8.2. The most serious vulnerability, tracked as CVE-2022-1070, could be exploited by an unauthenticated attacker to access the TUG Home Base Server websocket, which would allow the attacker to cause a denial-of-service condition, gain access to sensitive information, and take full control of TUG robots.

Two of the vulnerabilities – CVE-2022-1066 and CVE-2022-26423 – are due to missing authentication and have been given CVSS scores of 8.2. The first vulnerability can be exploited by an unauthenticated attacker and allows new users to be created with administrative privileges and allows existing users to be modified or deleted. The second vulnerability allows an unauthenticated attacker to freely access hashed user credentials.

The remaining two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console vulnerable to cross-site scripting attacks. Both flaws have been given a CVSS score of 7.6.

“The worst-case scenario is a total disruption of critical care and violation of patient privacy, and JekyllBot:5 would give attackers the means to compromise security in ways they would not otherwise be able to, especially in terms of physical security,” said Brodie.

The researchers notified Aethon and CISA about the vulnerabilities. Aethon has patched the vulnerabilities via a new firmware release – version 24. All versions of the firmware prior to version 24 are at risk of exploitation of the JekyllBot:5 vulnerabilities.

Further steps can also be taken to minimize the risk of the exploitation of vulnerabilities. CISA recommends not exposing control system devices and systems to the Internet, locating all control systems behind firewalls, and isolating systems such as the TUG Home Base Server from business networks. If remote access is necessary, Virtual Private Networks (VPNs) should be required for access, and the VPNs should be kept up to date and always be running the latest software version.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

The post JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots appeared first on HIPAA Journal.

Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform.

The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp.

Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals.

Since accounts used by Mailchimp customers to send marketing campaigns such as newsletters may be whitelisted by subscribers, any phishing campaigns conducted using the compromised accounts may see the emails delivered to inboxes. HC3 says it is only aware of one phishing campaign being conducted using a compromised account, which targeted users in the cryptocurrency and financial sectors, but there is a risk that campaigns could also be conducted targeting users in the healthcare and public health (HPH) sector.

HC3 has recommended organizations in the HPH sector take steps to mitigate the threat. HC3 says the best defense is user awareness training since phishing emails will come from a legitimate and trusted sender. Employees should be made aware of the threat and be instructed to be wary of any emails sent via Mailchimp. While phishing emails could be sent, malware may also be delivered. Antivirus software should be implemented, network intrusion prevention systems are beneficial, and HC3 also suggests using web filters to restrict access to web content that is not necessary for business operations.

Anti-spoofing and other email authentication mechanisms are also recommended. These include performing validity checks of the sender domain using SPF, checking the integrity of messages using DKIM, and checking to make sure the sender is authorized to use the domain using DMARC.
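As an added illustration (not part of the HC3 advisory or this article), the following shows how a receiving mail server combines the three checks named above into a DMARC verdict, and why a message sent through a platform the domain owner has authorised passes them. The DMARC records and domains are constructed for hypothetical senders; no DNS lookups are performed.

```python
"""Added example: DMARC evaluation from SPF and DKIM results.
Records and domains below are constructed, not real."""
from dataclasses import dataclass

# Constructed DMARC policies (what a receiver would fetch from _dmarc.<domain>).
DMARC_RECORDS = {
    "hospital.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "newsletter.example": "v=DMARC1; p=quarantine",
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels
    (a real receiver consults the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only a shared organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthChecks:
    spf_result: str   # result of checking the connecting IP against the MAIL FROM domain's SPF record
    spf_domain: str   # MAIL FROM (envelope sender) domain
    dkim_result: str  # result of verifying the DKIM signature
    dkim_domain: str  # signing domain (d= tag); "" if unsigned


def evaluate_dmarc(from_header_domain, checks):
    """Return (dmarc_result, disposition) the receiver would apply."""
    record = DMARC_RECORDS.get(org_domain(from_header_domain))
    if record is None:
        return ("none", "deliver")  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_pass = checks.spf_result == "pass" and aligned(
        checks.spf_domain, from_header_domain, tags.get("aspf", "r"))
    dkim_pass = checks.dkim_result == "pass" and aligned(
        checks.dkim_domain, from_header_domain, tags.get("adkim", "r"))
    if spf_pass or dkim_pass:
        return ("pass", "deliver")
    policy = tags.get("p", "none")
    return ("fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver"))


# Case 1 (constructed): the From header claims hospital.example but the message
# comes from the attacker's own infrastructure. SPF passes for the attacker's
# envelope domain, which does not align with the From domain, and there is no
# DKIM signature, so DMARC fails and the published policy (reject) applies.
SPOOFED = AuthChecks("pass", "attacker.example", "none", "")

# Case 2 (constructed): a newsletter sent through an email marketing platform
# the domain owner authorised. The envelope domain belongs to the platform,
# but the DKIM signature uses the customer's own domain, so DMARC passes.
PLATFORM_SENT = AuthChecks("pass", "bounce.platform.example", "pass", "newsletter.example")


def main():
    print("spoofed: ", evaluate_dmarc("hospital.example", SPOOFED))
    print("platform:", evaluate_dmarc("newsletter.example", PLATFORM_SENT))


if __name__ == "__main__":
    main()
```

Case 2 is also the limit of these checks for the campaign HC3 describes: mail sent from a compromised but legitimately authorised platform account passes SPF, DKIM and DMARC by construction, which is why user awareness remains the primary defense.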


Increase in Class Action Lawsuits Following Healthcare Data Incidents

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents occurred at healthcare organizations, making healthcare the most targeted sector.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year: 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2020.

Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the ransom, and in 97% of cases, data was successfully restored after paying the ransom.

Data exfiltration is now the norm in ransomware attacks. 82% of the ransomware attacks handled by BakerHostetler in 2021 included a claim that the attackers had exfiltrated data prior to encrypting files. In 73% of those incidents, evidence of data theft was uncovered, and 81% required notice to be provided to individuals. The average number of notifications was 81,679 and the median number of notifications was 1,002.

The threat of the exposure of stolen data prompted many organizations to pay the ransom. 33% of victims paid the ransom even though they were able to partially restore files from backups and 24% paid even though they had fully restored files from backups.

There was also an increase in business email compromise (BEC) attacks, where phishing and social engineering are used to access organizations’ email accounts, which are then used to trick organizations into making fraudulent payments. While there was an improvement in detecting the fraud in time to recover transferred funds – 43% compared to 38% in 2020 – there was an increase in the number of organizations that had to provide notifications about the incident to individuals and regulators, jumping from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are More Common, Even for Smaller Data Incidents

It is now more common for organizations to face class action lawsuits after data security incidents. While class action lawsuits tended to only be filed for large data incidents, it is now increasingly common for smaller data incidents to also result in lawsuits. In 2021, 23 disclosed data incidents resulted in lawsuits being filed, up from 20 in 2020. 11 of the lawsuits related to data incidents involving the data of fewer than 700,000 individuals, with 3 lawsuits filed in relation to incidents that affected fewer than 8,000 individuals.

BakerHostetler identified a trend in 2021 for multiple class action lawsuits to be filed following a data incident. More than 58 lawsuits were filed related to the 23 incidents, and 43 of those lawsuits were in response to data breaches at healthcare organizations.

“There was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” explained BakerHostetler in the report. “This duplicative litigation trend is increasing the “race to the courthouse” filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

OCR is Requesting Evidence of “Recognized Security Practices”

2021 saw record numbers of data breaches reported by healthcare organizations. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021 compared to 663 in 2020, and more data breaches were referred to the Department of Justice to investigate possible criminal violations than in previous years.

In 2021, there was an amendment made to the HITECH Act to include a HIPAA Safe Harbor for organizations that have adopted recognized security practices for at least 12 months prior to a data breach occurring. BakerHostetler said that out of the 40 OCR investigations of organizations that it worked with, OCR frequently asked about the recognized security practices that had been in place in the 12 months prior to the incident occurring. BakerHostetler strongly recommends organizations examine their security practices and ensure they match the definition of “recognized security practices” detailed in the HITECH amendment, and to consider further investments in cybersecurity to meet that definition if their security practices fall short of what is required.


FDA Releases Updated Guidance on Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers to help them incorporate cybersecurity protections into their products at the premarket stage, and to ensure security risks are managed for the full life cycle of the products.

The FDA first released final guidance on premarket expectations for medical devices in 2014, then updated and released draft guidance in 2018. The latest update was deemed necessary due to the changing threat landscape, the increasing use of wireless, Internet- and network-connected devices, portable media, and the frequent electronic exchange of medical device-related health information. Further, the healthcare industry is being increasingly targeted by cyber threat actors, and the severity and clinical impact of healthcare cyberattacks have increased. Cyberattacks on healthcare providers have the potential to delay test results, diagnoses, and treatment, which could lead to patient harm.

The FDA felt that an updated approach was necessary to ensure cybersecurity risks were managed and reduced to a low and acceptable level. The updated guidance includes recommendations regarding cybersecurity device design, labeling, and the documentation the FDA suggests should be included in premarket submissions for devices with cybersecurity risk.

The FDA considered feedback received on the 2018 draft guidance, input from stakeholders gathered at various public meetings, and recommendations made in the Health Care Industry Cybersecurity (HCIC) Task Force Report when updating the guidance.

The guidance covers threat modeling, the requirement for a software bill of materials that includes all third-party software components, security risk assessment, security risk management, the implementation of security controls, cybersecurity testing, vulnerability management planning, and the importance of cybersecurity transparency.

By following the FDA’s recommendations, device manufacturers can ensure an efficient premarket review process and that their devices will be sufficiently resilient to cyber threats.

The FDA has requested public comment on the new draft guidance – Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – which will be accepted until July 7, 2022. The FDA will then work on a final version of the guidance.


NCCoE Releases Final Guidance on Effective Enterprise Patch Management

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems.

Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation.

“Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.”

While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’ business and mission owners. Despite vulnerabilities being regularly exploited by threat actors, many organizations either cannot or do not adequately patch. One of the main issues is the sheer number of patches and software/firmware upgrades that need to be performed and the time it takes to fully test patches before deployment and apply those patches across the entire organization. Many organizations also struggle with the prioritization of patching and fail to ensure that the most serious vulnerabilities are patched first.

NCCoE worked closely with cybersecurity technology providers to develop guidance – Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (SP-800-40) and Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (SP-1800-31) – to help enterprises with patch management planning and implementation. The guidance documents discuss the challenges organizations need to overcome with patch management and recommend a strategy that can be adapted to simplify and operationalize patching and reduce risk more effectively.

By following the patch management guidance, organizations can ensure effective preventive maintenance to reduce the risk of data breaches, disruption to business processes, and other adverse security events.

Image Source: J. Stoughton/NIST


OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS to consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is that the HITECH Act has no definition of harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of CMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.


The Protecting and Transforming Cyber Health Care (PATCH) Act Introduced to Improve Medical Device Cybersecurity

A bipartisan pair of senators have introduced the Protecting and Transforming Cyber Health Care (PATCH) Act which aims to improve the security of medical devices.

Vulnerabilities are often identified in medical devices that could potentially be exploited by threat actors to change the functionality of the devices, render them inoperable, or allow the devices to be used as a springboard for more extensive attacks on healthcare networks. Over the course of the pandemic, cyberattacks on healthcare organizations have increased, and medical devices and the networks to which they connect have been affected by ransomware attacks. These attacks have affected hospitals, patients, and the medical device industry.

U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) introduced the PATCH Act to ensure that the U.S. healthcare system’s cyber infrastructure remains safe and secure. The PATCH Act will update the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.

If passed, before a medical device can be approved for use by the Food and Drug Administration (FDA), manufacturers will need to ensure that critical cybersecurity requirements have been implemented. The PATCH Act also calls for manufacturers of medical devices to design, develop, and maintain processes and procedures to update and patch the devices and related systems throughout the lifecycle of the device. A Software Bill of Materials for each device must also be provided to users which will make it easier to identify vulnerabilities that affect the devices, including vulnerabilities in open source components and dependencies.

The PATCH Act also requires medical device manufacturers to develop a plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities, and coordinated vulnerability disclosure will be required to demonstrate the safety and effectiveness of a device.

“New medical technologies have incredible potential to improve health and quality of life,” said Dr. Cassidy. “If Americans cannot rely on their personal information being protected, this potential will never be met.”

“In recent years, we’ve seen a significant increase in cyber-attacks that have exposed vulnerabilities in our health care infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients,” said Senator Baldwin. “I am excited to introduce the bipartisan PATCH Act to ensure that innovative medical technologies are better protected from cyber threats and keep personal health information safe while also finding new ways to improve care.”

A companion bill was introduced by Reps. Michael C. Burgess (R-TX) and Angie Craig (D-MN) in the House of Representatives.


Differences Between Small and Large Healthcare Organizations on Security

A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers.

The survey was conducted on 130 small practices with 5 or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. Across both groups of healthcare providers, more than half store more than 90% of patient data digitally, such as patient records, medical histories, and billing records. While digital records are more efficient, there is a risk that hackers will be able to gain access to patient information.

Hackers tend to target larger practices rather than small practices, based on the number of reported data breaches. 48% of large healthcare providers said they had experienced a data breach in the past, and 16% said they had suffered a breach in the past 12 months. One in four small practices had experienced a breach in the past (23%), with 5% experiencing a breach in the past year. By far the biggest cause of data breaches was human error. 46% of small practices and 51% of large practices said human error was the leading cause of data breaches.

23% of small healthcare practices said they had experienced a ransomware attack in the past, compared to 45% of large practices. 5% of the attacks on small healthcare providers and 12% of attacks on large healthcare providers occurred in the past 12 months. 76% of small practices and 74% of large practices said they were able to recover at least some of their data from backups without paying the ransom, which highlights the importance of having good backup policies. That is especially important as paying the ransom comes with no guarantee that files can be recovered. 23% of small practices paid the ransom to recover their data compared to 19% of large healthcare providers, but 14% of small healthcare providers said they did not recover their data after paying.

11% of large practices permanently lost their data due to the attack: 7% accepted the data loss, and 4% paid the ransom but were still unable to recover their data. Most of the healthcare providers did not state how much was paid as a ransom. Two small practices said they paid between $5,000 and $10,000, and two paid between $25,000 and $100,000.

To defend against attacks, healthcare organizations have implemented a range of technical safeguards, with the most common measures being firewalls, antivirus software, email security solutions, and data backup technology. Small practices were investing more money than larger organizations in antivirus technology, and while such solutions are important, it is also important to invest in email and network security tools. Larger organizations with deeper pockets were more likely to invest in those tools and be better protected as a result. Software Advice suggests that smaller healthcare providers should consider reducing spending on antivirus software and improving email and network security, as that could help to prevent more data breaches.

It is important not to neglect the human element of cybersecurity, especially considering the large number of data breaches that were attributed to human error. Providing security awareness training to employees is a requirement of the HIPAA Security Rule, but it should not just be a checkbox option. Regular security awareness training to teach employees how to recognize and avoid threats can greatly reduce the risk of a successful cyberattack but 42% of small practices and 25% of large practices said they spent no more than 2 hours on privacy and security awareness training for employees in 2021.

2-factor authentication is an important security measure to implement to prevent stolen credentials from being used to access accounts. Microsoft has previously said that 2-factor authentication can block more than 99% of automated attacks on accounts. It is encouraging that 90% of large practices have implemented 2FA to some degree, but small practices are much less likely to use 2FA to protect their accounts. 22% of small practices said they have not implemented 2FA at all and 59% only use 2FA on some applications.

“Paying for every data protection tool available isn’t a wise option as it leaves you vulnerable to other avenues of attack or breach, such as incidental exposure or human error. Instead, remember that you must guard yourself on multiple fronts,” suggests Software Advice. That involves training employees, investing in the right security tools to protect data, and developing an action plan to help mitigate harm in the event of a breach or attack.


Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices

Two remote code execution vulnerabilities have been identified in the Spring platform – a popular application framework that software developers use for rapidly building Java applications. Proof-of-concept exploits for both vulnerabilities are in the public domain and at least one of the vulnerabilities is being actively exploited.

The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions and is remotely exploitable in the default configuration while running a Spring Boot application that depends on Spring Cloud Function, such as when depending on packages such as spring-cloud-function-web and spring-cloud-starter-function-web.

According to VMware, which owns Spring, when using the routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing expression, which will allow remote code execution and access to local resources. The vulnerability was initially assigned a CVSS severity score of 5.4, but was later upgraded to critical. Proof-of-concept exploits for the vulnerability are in the public domain.

The vulnerability has been addressed by VMware in Spring Cloud Function versions 3.1.7 and 3.2.3. Immediate upgrading to a secure version is recommended to prevent exploitation.

A proof-of-concept exploit has been publicly released for another zero-day vulnerability that affects the Spring Core Java framework. The vulnerability, dubbed Spring4Shell, allows unauthenticated individuals to remotely execute code on applications.

The vulnerability – tracked as CVE-2022-22965 – is due to unsafe deserialization of passed arguments and affects Spring MVC and Spring WebFlux applications on JDK 9 or higher. An exploit for the vulnerability is in the public domain, but will not work if an application is deployed as a Spring Boot executable jar, which is the default. The exploit will only work if the application is run on Tomcat as a WAR deployment with a spring-webmvc or spring-webflux dependency; however, there may be other ways to exploit the vulnerability.

The vulnerability is not as serious as the Log4J/Log4Shell vulnerability, but Spring is popular and widely used for building applications.

The vulnerability has been fixed in the following versions:

  • Spring Framework 5.3.18 and Spring Framework 5.2.20
  • Spring Boot 2.5.12
  • Spring Boot 2.6.6
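As an added example (not from this article, VMware or the Spring project), the following script flags Spring artifacts whose versions fall below the fixed releases listed above for the two vulnerabilities, so a defender can triage a dependency inventory. The Maven coordinates are assumed (the article names projects, not artifacts), the dependency lines are constructed, and an artifact on a minor line older than any fixed line is reported as unsupported, matching the article's note that older unsupported Spring Cloud Function versions are also affected.

```python
"""Added example: triage a dependency inventory against the fixed Spring
versions named in the advisory. Coordinates are assumed, input is constructed."""
import re

# Fixed versions from the advisory, keyed by assumed Maven coordinate.
# Each minor line (major.minor) has its own fixed patch level.
FIXED_VERSIONS = {
    "org.springframework:spring-core": [(5, 2, 20), (5, 3, 18)],
    "org.springframework:spring-webmvc": [(5, 2, 20), (5, 3, 18)],
    "org.springframework.boot:spring-boot": [(2, 5, 12), (2, 6, 6)],
    "org.springframework.cloud:spring-cloud-function-context": [(3, 1, 7), (3, 2, 3)],
}


def parse_version(text):
    """'5.2.20.RELEASE' -> (5, 2, 20); missing components become 0."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(group or 0) for group in match.groups())


def assess(coordinate, version):
    """Classify one artifact version as 'vulnerable', 'fixed', 'unsupported',
    'newer' (released after the fixes) or 'not-tracked'."""
    fixed = FIXED_VERSIONS.get(coordinate)
    if fixed is None:
        return "not-tracked"
    current = parse_version(version)
    for fixed_version in fixed:
        if current[:2] == fixed_version[:2]:  # same major.minor line
            return "fixed" if current >= fixed_version else "vulnerable"
    if current[:2] < min(fixed)[:2]:
        return "unsupported"  # older line with no fix released: treat as affected
    return "newer"


def scan(dependency_lines):
    """Return (coordinate, version, status) for every affected dependency."""
    findings = []
    for line in dependency_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")[:3]
        coordinate = f"{group}:{artifact}"
        status = assess(coordinate, version)
        if status in ("vulnerable", "unsupported"):
            findings.append((coordinate, version, status))
    return findings


# Constructed inventory in groupId:artifactId:version form (not real output).
DEPENDENCIES = """
# constructed sample inventory
org.springframework.boot:spring-boot:2.6.5
org.springframework:spring-core:5.3.17
org.springframework:spring-webmvc:5.3.18
org.springframework.cloud:spring-cloud-function-context:3.1.6
org.springframework.cloud:spring-cloud-function-context:3.0.9
com.fasterxml.jackson.core:jackson-databind:2.13.2
"""


def main():
    for coordinate, version, status in scan(DEPENDENCIES.splitlines()):
        print(f"{status:11} {coordinate} {version}")


if __name__ == "__main__":
    main()
```

The status is only a version check; whether the public CVE-2022-22965 exploit applies also depends on the deployment conditions described above (JDK 9 or higher, WAR on Tomcat), but the upgrade is warranted either way.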

CISA Warns of Attacks on Uninterruptible Power Supply Devices

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) have issued a warning that cyber threat actors are exploiting vulnerabilities in Internet-connected uninterruptible power supply (UPS) devices to gain access to networks.

UPS devices are routinely attached to networks for power monitoring, maintenance, and convenience, and are used to provide clean and emergency power to IT equipment and applications. Many UPS vendors have added IoT capabilities to the devices to allow them to be accessed via the Internet.

CISA and the DoE are aware of threat actors using these devices to gain access to networks, most commonly by using unchanged default usernames and passwords to access the devices.

All users of these devices have been advised to immediately enumerate their UPSs and similar systems and ensure they are not accessible via the Internet, or if Internet access is required, to ensure the device or system is behind a virtual private network. Default credentials should be changed, long passwords or passphrases should be used to secure the devices, and multifactor authentication should be enforced.
