Healthcare Cybersecurity

NIST Publishes Critical Software Definition for U.S. Agencies

Posted by HIPAA Journal

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sector and multiple government agencies when defining what critical software actually is.

“One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government,” explained NIST. “The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”

NIST’s critical software definition is software or software dependencies that contain one or more of the following attributes:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software with direct or privileged access to networking or computer resources.
  • Software designed to control access to data or operational technology.
  • Software that performs a function critical to trust.
  • Software that operates outside of normal trust boundaries with privileged access.

The above definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used for or deployed in production systems or used for operational purposes. That definition covers a broad range of software, including operating systems, hypervisors, security tools, access management applications, web browsers, network monitoring tools, and other software created by private companies and sold to federal agencies, or software developed internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST has recommended federal agencies should initially focus on implementing the requirements of the Executive Order on standalone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Next, federal agencies should move onto other categories of software, such as cloud-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a list of EO-critical software, although CISA will publish a more comprehensive finalized list in the coming weeks.

The post NIST Publishes Critical Software Definition for U.S. Agencies appeared first on HIPAA Journal.

Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity

Posted by HIPAA Journal

The Government Accountability Office has published a report following a review of the organizational approach to cybersecurity of the U.S. Department of Health and Human Services (HHS).

The study was conducted because both the HHS and the healthcare and public health sector are heavily reliant on information systems to fulfil their missions, which include providing healthcare services and responding to national health emergencies. Should any information systems be disrupted, it could have major implications for the HHS and healthcare sector organizations and could be catastrophic for Americans who rely on their services.

“A cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities,” said the GAO in the report.

The HHS must implement safeguards in place to protect its computer systems from cyber threat actors looking to obtain sensitive data to commit fraud and identity theft, conduct attacks that aim to disrupt operations, or gain access to networks to launch attacks on other computer systems.  Throughout the pandemic, many threat actors and APT groups have targeted the healthcare sector, with the GAO pointing out that the FBI and CISA have issued multiple alerts over the past 12 months warning about cyber threats specifically targeting healthcare and public health entities.

The GAO reports that the HHS has clearly defined roles and responsibilities, which is essential for effective collaboration; however, there were several areas where improvements could be made, mostly concerning collaboration with its partners.

HHS working groups were assessed on the extent to which they demonstrated Leading Practices for Collaboration. All seven of the HHS working groups met the Leading Practices: Bridge organizational cultures, identify leadership, include relevant participants in the group, identity resources. 6 working groups met the Leading Practices: Clarify roles and responsibilities and document and regularly update written guidance and agreements, and five groups met the Leading Practice: Define and track outcomes and accountability.

The GAO made seven recommendations on how the HHS can improve collaboration and coordination within the HHS and with the healthcare sector.

  1. The HHS Secretary should order the CIO coordinate cybersecurity threat information sharing between the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
  2. The HHS Secretary should order the CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
  3. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council’s Cybersecurity Working Group and HHS Cybersecurity Working Group.
  4. The HHS Secretary should order the CIO to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements.
  5. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration.
  6. The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to finalize written agreements that include a description of how the Government Coordinating Council’s Cybersecurity Working Group will collaborate; identify the roles and responsibilities of the working group; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the finalized agreements.
  7. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials leading the working group review and approve the updated charter.

The HHS concurred with six of the recommendations and disagreed with one. The HHS is currently taking action to address the 6 recommendations it concurred with. The HHS did not concur with the recommendation to coordinate cybersecurity information sharing between HC3 and HTOC.

The post Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity appeared first on HIPAA Journal.

Bipartisan Group of Senators Introduce Federal Data Breach Notification Bill

Posted by HIPAA Journal

A bipartisan group of senators has introduced a federal data breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and businesses that have oversight over critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.

The draft bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues that have been identified following recent cyberattacks that have impacted critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline.

The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, which will enable the development of a common operating picture of national-level cyber threats. Entities discovering cyber threats will be required to provide actionable cyber threat information which will be made available to government and private sector entities and the public to allow action to be taken promptly to tackle threats.

Incidents classified as significant cybersecurity intrusions that would warrant notifications are cyberattacks that:

  • Involve or are believed to involve a nation state.
  • Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
  • Involve or are believed to involve a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the U.S. economy.
  • Likely to be of significant national consequence.
  • Has potential to affect CISA systems.
  • Involves ransomware.

The draft bill requires breach notifications to include a description of the cybersecurity intrusion, the affected systems and networks, estimates of the dates when the intrusion is thought to have occurred, a description of the vulnerabilities thought to have been exploited, and the tactics, techniques, and procedures (TTPs) used by the threat actor. In addition, notifications should include any information that could be used to identify the threat actor, contact information to allow the breached entity to be contacted by federal agencies, and details of any actions taken to mitigate the threat.

The bill requires the Department of Homeland Security to work with other federal agencies to draw up a set of reporting criteria and to harmonize those criteria with the regulatory requirements in effect on the date of enactment.

Any covered entity that fails to report a cyber intrusion covered by the bill will face penalties determined by the Administrator of the General Services Administration. Businesses violating the terms of the Cyber Incident Notification Act of 2021 could face a financial penalty of 0.5% of gross revenue for the previous year and sanctions could include removal from federal contracting schedules.

While there is clearly a need for a national data breach notification law, several attempts have been made previously to introduce a data breach notification bill, but all have failed to make it through the Senate.  In addition to this bill, Several House members and Senators are believed to be working on their own data breach notification bills.

The post Bipartisan Group of Senators Introduce Federal Data Breach Notification Bill appeared first on HIPAA Journal.

May 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

U.S. Healthcare Data Breaches - Past 12 Months

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months

Largest Healthcare Data Breaches Reported in April 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HSS which confirms the breach affected 1,656,569 individuals. This month, several healthcare organizations have reported they have been affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Involvement
20/20 Eye Care Network, Inc Business Associate 3,253,822 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
NEC Networks, LLC d/b/a CaptureRx Business Associate 1,656,569 Hacking/IT Incident Ransomware attack Yes
Orthopedic Associates of Dutchess County Healthcare Provider 331,376 Hacking/IT Incident Ransomware attack No
Rehoboth McKinley Christian Health Care Services Healthcare Provider 207,195 Hacking/IT Incident Ransomware attack No
Five Rivers Health Centers Healthcare Provider 155,748 Hacking/IT Incident Phishing attack No
SEIU 775 Benefits Group Business Associate 140,000 Hacking/IT Incident Unspecified hacking incident Yes
San Diego Family Care Healthcare Provider 125,500 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Hoboken Radiology LLC Healthcare Provider 80,000 Hacking/IT Incident Hacked medical imaging server No
CareSouth Carolina, Inc. Healthcare Provider 76,035 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Arizona Asthma and Allergy Institute Healthcare Provider 70,372 Hacking/IT Incident Ransomware attack No
New England Dermatology, P.C. Healthcare Provider 58,106 Improper Disposal Improper disposal of specimen bottles No
Sturdy Memorial Hospital Healthcare Provider 57,379 Hacking/IT Incident Ransomware attack No
LogicGate Business Associate 47,035 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
Lafourche Medical Group Healthcare Provider 34,862 Hacking/IT Incident Phishing attack No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group Healthcare Provider 34,203 Hacking/IT Incident Ransomware attack No
SAC Health Systems Healthcare Provider 28,128 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Monadnock Community Hospital Healthcare Provider 14,340 Hacking/IT Incident Unspecified hacking incident Yes
Community Access Unlimited Business Associate 13,813 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Westwood Obstetrics and Gynecology Healthcare Provider 12,931 Hacking/IT Incident Unspecified hacking incident Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents reported involving the 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

May 2021 U.S. Healthcare Data Breaches - Causes

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 U.S. Healthcare Data Breaches- location of breached PHI

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

May 2021 healthcare data breaches by covered entity type

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State No. Reported Data Breaches
Texas 6
New York & Ohio 5
California, Illinois, West Virginia 4
Mississippi & Missouri 3
Florida, Maryland, Massachusetts, New Jersey, & Oklahoma 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, and Wisconsin 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total up to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance investigation. OCR had investigated a data breach reported by the Department of Veteran Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

The post May 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys

Posted by HIPAA Journal

The Avaddon ransomware-as-a-service operation was shut down on Friday and the threat group released the decryption keys for all victims. Bleeping Computer was sent an email with password and a link to a password protected ZIP file that contained the private keys for 2,934 Avaddon ransomware victims. The keys were confirmed as legitimate by Emsisoft and Coveware, with the former now having released a free decryptor that can be used by all Avaddon ransomware victims to decrypt their files.

Avaddon is a relatively new ransomware-as-a-service operation which started up in March 2020. The threat group behind the operation recruited affiliates to conduct attacks and provided them with a portal through which they could generate copies of the ransomware to conduct their own attacks. All ransoms generated were then shared between the affiliate and the RaaS operator.

It is not uncommon for RaaS operations to suddenly stop and release the keys for victims that have not yet paid, but the timing of the shut down suggests the RaaS operator may have got nervous with the increased focus of governments and law enforcement agencies on ransomware gangs.

Following the ransomware attacks on JBS and Colonial Pipeline attack, the White House ordered the Department of Justice to centralize its approach to ransomware investigations and treat attacks in the same way as terrorist attacks. White House deputy press secretary Karine Jean-Pierre said it would also be “delivering the message that responsible states do not harbor ransomware criminals,” and will be engaging with the Russian government to try to get action taken against ransomware gangs that operate in the country.

The G7 nations also committed to take action on ransomware attacks and issued a communique calling on Russia and other countries that may harbor ransomware gangs to take steps to identify, disrupt, and hold individuals to account who are conducting ransomware attacks, abusing virtual currency to launder ransom, and commit other cybercrimes. President Biden is also expected to speak with Vladimir Putin at the Geneva summit on June 16 about ransomware gangs operating out of Russia.

Following the DarkSide ransomware attack on Colonial Pipeline that disrupted fuel supplies to the eastern seaboard, the DarkSide ransomware gang announced it was shutting down. The REvil and Avaddon gangs issued a joint statement saying they were updating their rules and would not permit its affiliates to conduct ransomware attacks on critical infrastructure firms, governments, healthcare organizations, and educational institutions. It would appear that this was not enough for the Avaddon ransomware gang. It remains to be seen whether the operation has permanently been shut down or if the operator of the ransomware is just laying low for a while. It is not uncommon for ransomware operations to shut down then rebrand and recommence their attacks several weeks or months later.

“The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too,” said Emsisoft threat analyst Brett Callow to Bleeping Computer.

The post Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys appeared first on HIPAA Journal.

HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has urged President Biden to provide further funding and support to improve the cybersecurity posture of the healthcare sector to improve resilience to cyberattacks.

In a recent letter addressed to President Biden and copied to Senate and House party leaders, the HSCC called for more funds to help the healthcare sector deal with cyber threats, improved collaboration between the healthcare industry and government, and for the government to provide a roadmap for making improvements to the cybersecurity readiness of the healthcare sector.

Under the American Rescue Plan, the government has made funding available to modernize federal information technology systems to improve resilience against future cyberattacks. $9 billion will be invested to help the U.S. launch major new IT and cybersecurity shared services at the Cyber Security and Information Security Agency (CISA) and the General Services Administration, and $690 million has been made available to CISA to bolster cybersecurity across federal civilian networks; however, none of that funding has been made available to directly help the healthcare sector, even though the healthcare sector has been heavily targeted by cyber actors prior to and during the pandemic.

According the HSCC, the healthcare sector is currently stretched to its limits to meet its clinical and public health obligations. The healthcare industry has faced relentless cybersecurity threats that have grown in magnitude and complexity year after year, and the situation has become far worse during the pandemic. Those threats, including ransomware, have targeted the technology integral to patient care.

Cyberattacks such as the ransomware attack on Colonial Pipeline threaten national security, but these attacks are also placing patient safety at risk. The attacks can result in denial of service, corruption of data on medical devices, and data manipulation that can have a direct implication for clinical operations, patient care, and public health.

“In assessing how the American Rescue Plan, coupled with the recently released Executive Order on Improving the Nation’s Cybersecurity, can measurably strengthen the security and resiliency of the healthcare system and patient safety, we request an enhanced strategic planning process within the administration that will complement the ongoing cybersecurity partnership between the HSCC, the Department of Health and Human Services and other essential government partners,” said HSCC in the letter. “As you lead the nation out of the pandemic, put more Americans back to work and increase their access to health insurance, the ability of the healthcare sector to deter cyber threats is imperative for the nation to maintain public health and global competitiveness beyond the pandemic.”

The post HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector appeared first on HIPAA Journal.

Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about 6 vulnerabilities in the ZOLL Defibrillator Dashboard, including one critical 9.9 severity remote code execution flaw.

The vulnerabilities were reported to CISA anonymously and affect all versions of the ZOLL Defibrillator Dashboard prior to version 2.2. Some of the flaws can be exploited remotely and require a low level of skill to exploit.

Exploitation of the vulnerabilities could allow non-admin users to achieve remote code execution and steal credentials, which would impact the confidentiality, integrity, and availability of the application.

ZOLL has confirmed that all 6 vulnerabilities have been fixed in version 2.2 of the ZOLL Defibrillator Dashboard. Customers have been advised to upgrade the solution to version 2.2 or later as soon as possible. ZOLL also explained that in the event of any discrepancy with the Defibrillator Dashboard, the defibrillator device should be considered the source of accurate data.

The vulnerabilities are as follows:

Vulnerability CVSS Severity Score Description Risk
CVE-2021-27489 9.9 Unrestricted file upload Remote code execution
CVE-2021-27481 7.1 Hard-coded cryptographic key Theft of sensitive information
CVE-2021-27487 7.1 Sensitive data stored in cleartext Theft of sensitive information
CVE-2021-27485 7.1 Passwords stored in recoverable format Theft of credentials
CVE-2021-27483 5.3 Improper privilege management Elevation of privileges to administrator level
CVE-2021-27479 4.6 Improper neutralization of input during web page generation Injection of malicious scripts to be executed by higher privilege users

There are not believed to have been any attempted exploits of the vulnerabilities in the wild.

The post Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard appeared first on HIPAA Journal.

Critical VMWare VCenter Software Vulnerability Under Attack

Posted by HIPAA Journal

A critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation is being actively exploited by cyber actors to take full control of unpatched systems. The flaw, tracked as CVE-2021-21985, was announced by VMWare in late May and a patch was released to correct the flaw on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for attackers and there is a high risk of exploitation. A reliable proof-of-concept exploit for the vulnerability is now in the public domain.

There are thousands of vulnerable vCenter servers accessible over the Internet that are vulnerable to attack. Mass scanning for VMware vSphere hosts vulnerable to RCE attacks are currently being conducted and several security researchers have reported the honeypots they set up with vulnerable versions of VMware vCenter Server have been scanned for the vulnerability.

Today, the Department of Health and Human Services’ Office for Civil Rights issued a cyber alert reiterating the importance of patching the vulnerability, explaining CISA identified several agencies that have not yet applied the patch and are vulnerable to attack.

According to VMWare, “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

Security researcher Kevin Beaumont said his honeypot was infected with a web shell after the vulnerability was exploited. “vCenter is a virtualization management software,” he said. “If you hack it, you control the virtualization layer (e.g., VMware ESXi)—which allows access before the OS layer (and security controls). This is a serious vulnerability, so organizations should patch or restrict access to the vCenter server to authorized administrators.”

If it is not possible to apply the patches immediately, there are workarounds available that can reduce the risk of exploitation. These workarounds should be implemented immediately.

The post Critical VMWare VCenter Software Vulnerability Under Attack appeared first on HIPAA Journal.

Vulnerabilities Identified in Hillrom Medical Device Management Products

Posted by HIPAA Journal

Two medium severity vulnerabilities have been identified in Hillrom medical device management tools which could result in the leakage of sensitive data, corruption of data, and remote code execution.

An out-of-bounds write vulnerability – tracked as CVE-2021-27410 – could allow an attacker to cause memory corruption which would allow the remote execution of arbitrary code. While remote code execution is possible, exploiting the flaw is highly complex. The flaw has been assigned a CVSS v3 severity score of 5.9 out of 10.

The second flaw is an out-of-bounds read issue that could result in information leakage and arbitrary code execution if combined with the out-of-bounds write vulnerability. The flaw is tracked as CVE-2021-27408 and has been assigned a CVSS severity score of 5.9.

The flaws affected the following Hillrom Welch Allyn medical device management tools:

  • Welch Allyn Service Tool: versions prior to v1.10
  • Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3
  • Welch Allyn Software Development Kit (SDK): versions prior to v3.2
  • Welch Allyn Connex Central Station (CS): versions prior to v1.8.6
  • Welch Allyn Service Monitor: versions prior to v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): versions prior to v2.43.02
  • Welch Allyn Connex Integrated Wall System (CIWS): versions prior to v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): versions prior to v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: versions prior to v1.11.00

The vulnerabilities were identified by Itamar Cohen-Matalon of Medigate Reserach Labs who reported the vulnerabilities to Hillrom. Hillrom has now released software updates to correct the flaws. Customers are advised to upgrade to the latest versions of the software to fix the flaws to prevent exploitation. At present, there are no reported cases of exploitation of the vulnerabilities.

Product versions with the vulnerabilities corrected are listed below:

  • Welch Allyn Service Tool: v1.10
  • Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): v5.3 (available Summer 2021)
  • Welch Allyn Software Development Kit (SDK): v3.2
  • Welch Allyn Connex Central Station (CS): v1.8.6 (available Fall 2021)
  • Welch Allyn Service Monitor: v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): v2.43.02
  • Welch Allen Connex Integrated Wall System (CIWS): v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: v1.11.00 (available Fall 2021)

Hillrom also recommends applying proper network and physical security controls, applying authentication for server access, and applying data execution prevention (DEP) where possible to prevent shellcode from running.

The post Vulnerabilities Identified in Hillrom Medical Device Management Products appeared first on HIPAA Journal.