Healthcare Cybersecurity

Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019.

With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek.

To compile the reportThe State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF conformance. 75% of healthcare organizations improved overall NIST conformance in 2020; however, 64% of healthcare organizations fell short of the 80% NIST conformance level considered to be the passing grade. Most of the improvements made in 2020 were only small.

As the graph below shows, 53 healthcare organizations improved NIST conformance year over year, 32 of those were considerably below the 80th percentile and 17 healthcare organizations saw NIST conformance decline year-over- year.

Year-over-Year Improvements in NIST CSF Conformance. Source: CynergisTek State of Healthcare Privacy and Security Report.

In order to improve resilience to ransomware and other cyberattacks, it is essential for healthcare organizations to improve their security posture. It will not be possible to stay one step ahead of threat actors if organizations do not take steps to improve NIST CSF and HIPAA Security Rule conformance.

While good conformance scores are a good indication of security posture, they do not necessarily reflect the extent to which healthcare organizations have reduced risk. For this year’s report, CynergisTek placed less emphasis on conformance scores and assessed the measures healthcare organizations had taken to identify which core functions of the NIST CSF appeared to be really driving long term security improvements, with the goal of identifying the best opportunities for both short- and long-term success.

The Identity function provides the foundation on which the rest of the core functions are based, but 73% of healthcare organizations were rated low performers in this function. Asset management and supply chain risk management were two of the key areas that need to be addressed. The healthcare supply chain is a universal issue and the weak link in healthcare. Many healthcare organizations struggle to validate whether or not third-party vendors meet specific security requirements. 76% of healthcare organizations failed to secure their supply chains.

The Protect function requires safeguards to be implemented to protect critical infrastructure and data. One of the main areas where organizations were falling short is protection of data using encryption. “An organization’s default for storing protected data of any kind and transmitting it should include encryption – it clearly does not”, explained CynergisTek. High performers achieved 90% conformance for protection of data at rest, whereas the rest of the sector was in the low 30th percentile.

In the Detect function, there was a major difference between high and low performers, but overall there were good levels of implementation; however, to be considered a high performer it is necessary to get the detect function substantially implemented and to ensure there is significant automation of security monitoring.

The Respond function concerns an organization’s ability to quickly implement appropriate activities when a cybersecurity event is detected, and this is an area where significant improvements need to be made. Only the highest performers are actively investigating notifications from detection systems, and only high performers were consistently and substantially mitigating incidents.

The recover function identifies activities required to return to normal operations after a cybersecurity incident. While there were gaps among the high performers, conformance was generally very good, but significant improvements need to be made by low performers. Around two-thirds (66%) of healthcare organizations are underperforming in recovery planning.

CynergisTek identified several aspects of security that healthcare organizations need to focus on over the coming 12 months:

  • Improve automation of security functions
  • Validate technical controls for people and processes
  • Perform exercises and drills at the enterprise level to test all components of the business
  • Secure the supply chain
  • Look beyond the requirements of the HIPAA Rules and further enhance privacy and security measures

The researchers found notable improvements had been made in organizations’ HIPAA privacy programs in 2020, with some healthcare organizations making exceptional progress. However, there is still room for improvement. CynergisTek identified several privacy areas that should be focused on in 2021.

These measures include implementing user access monitoring tools and engaging in proactive rather than reactive monitoring, addressing defective HIPAA authorizations, preventing violations of the Minimum Necessary Rule by defining criteria to limit PHI disclosure, updating insufficient privacy policies and procedures and ensuring the new policies are implemented, and addressing inappropriate Hybrid Entity designations.

The post Report: The State of Privacy and Security in Healthcare appeared first on HIPAA Journal.

The Average Ransomware Payment Fell by 38% in Q2, 2021

The average ransom payment made by victims of ransomware attacks fell by 38% between Q1 and Q2, 2021, according to the latest report from ransomware incident response company Coveware. In Q2, the average ransom payment was $136,576 and the median payment decreased by 40% to $47,008.

Average Ransom Payments by Quarter. Source: Coveware

One of the key factors driving down ransom payments is a lower prevalence of attacks by two key ransomware operations, Ryuk and Clop, both of which are known for their large ransom demands. Rather than the majority of attacks being conducted by a few groups, there is now a growing number of disparate ransomware-as-a-service brands that typically demand lower ransom payments. In Q2, Sodinokibi (REvil) was the most active RaaS operation conducting 16.5% of attacks, followed by Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk only accounted for 3.7% of attacks and Clop 3.3%.

The Sodinokibi gang has now gone silent following the attack on Kaseya and appears to have been shut down; however, the group has shut down operations in the past only to restart with a new ransomware variant. Even if the operators have retired, the affiliates used to conduct the attacks are likely to just switch to an alternative RaaS operation so attack volume may not be affected.

The most common vectors used in attacks has been fluctuating over the past few months. In Q1, 2021 there was an increase in brute force attacks on Remote Desktop Protocol (RDP) and the exploitation of software vulnerabilities, with phishing attacks falling. In Q2, RDP compromises and software vulnerability exploits both declined and email phishing increased, with phishing and RDP compromises now equally common. The exploitation of software vulnerabilities is the attack vector of choice for targeted attacks on large enterprises, and those attacks tend to be conducted only by the most sophisticated RaaS operations with large operating budgets that allow them to purchase single day exploits or buy access to large networks.

In Q2, more than 75% of ransomware attacks were on businesses with fewer than 1,000 employees. This is because these smaller companies are less likely to invest in security awareness training for the workforce and email security to block phishing attacks. They are also more likely to expose RDP to the Internet. Smaller businesses are also more likely to outsource security to MSPs. MSPs remain a major target, as an attack on an MSP will allow the attacker to then attack all MSP’s clients.

The report indicates a fall in the effectiveness of double extortion tactics. This is where prior to file encryption, sensitive data are exfiltrated. A demand is issued for the key to decrypt data and a second payment is required to prevent the exposure or sale of stolen data. In Q2, 81% of attacks involved data exfiltration prior to file encryption, up from 76% in Q1.

However, payment to ensure data deletion is now much less likely. In 2020, 65% of victims that were able to recover data from backups paid the attackers to prevent the exposure of stolen data, but in Q2, 2021 the percentage was just 50%.

The most attacked industry sectors in Q2 were the public sector (16.2%), professional services (13.3%), and healthcare (10.8%). Coveware suggests that these industries may not be specifically targeted, instead they are simply the easiest to attack. For instance, the number of attacks on law firms increased but that was largely down to the attack by the Clop ransomware group on Accellion File Transfer Appliances, which were disproportionately used by law firms.

Coveware reports that the average downtime from a ransomware attack declined by 15% in Q2, with victims typically having 23 days of downtime following at attack; however, this was attributed to an increase in data only attacks where there was no material business interruption.

The post The Average Ransomware Payment Fell by 38% in Q2, 2021 appeared first on HIPAA Journal.

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year.

United States healthcare data breaches in the past 12 months

While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June.

records Exposed in U.S. healthcare data breaches in the past 12 months

More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month.

Largest Healthcare Data Breaches in June 2021

There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare organizations, with 6 of the top 10 breaches confirmed as ransomware attacks. Several healthcare organizations reported ransomware attacks in June that occurred at third-party vendors, with the number of healthcare providers confirmed as being affected by the ransomware attacks on vendors Elekta, Netgain Technologies, and CaptureRx continuing to grow.

The largest healthcare data breach to be reported in June was a phishing attack on the medical payment billing service provider MultiPlan. A threat actor gained access to an email account containing the protected health information of 214,956 individuals.

Northwestern Memorial HealthCare and Renown Health were affected by the ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc., That attack is known to have affected a total of 42 healthcare providers in the United States.

Name of Covered Entity Covered Entity Type Individuals Affected Breach Cause Business Associate Involvement
MultiPlan Business Associate 214,956 Phishing attack Yes
Northwestern Memorial HealthCare Healthcare Provider 201,197 Elekta ransomware attack Yes
Scripps Health Healthcare Provider 147,267 Ransomware attack No
San Juan Regional Medical Center Healthcare Provider 68,792 Unspecified hacking and data exfiltration incident No
Renown Health Healthcare Provider 65,181 Elekta ransomware attack Yes
Minnesota Community Care Healthcare Provider 64,855 Netgain ransomware attack Yes
Francisco J. Pabalan MD, INC Healthcare Provider 50,000 Hacking/IT Incident (Unknown) No
Prominence Health Plan Health Plan 45,000 Ransomware attack No
NYC Health + Hospitals Healthcare Provider 43,727 CaptureRx ransomware attack Yes
UofL Health, Inc. Healthcare Provider 42,465 Misdirected email No
Peoples Community Health Clinic Healthcare Provider 40,084 Phishing attack No
Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC Healthcare Provider 38,000 Ransomware attack No
Hawaii Independent Physicians Association Business Associate 18,770 Phishing attack Yes
UW Medicine Healthcare Provider 18,389 Hacking/IT Incident (Unknown) Yes
Cancer Care Center Healthcare Provider 18,000 Hacking/IT Incident (Unknown) Yes
Temple University Hospital, Inc. Healthcare Provider 16,356 Hacking/IT Incident (Unknown) Yes
Walmart Inc. Healthcare Provider 14,532 Loss of paper/films No
Discovery Practice Management, Inc. Business Associate 13,611 Phishing attack Yes
Jawonio Healthcare Provider 13,313 Phishing attack No

Causes of June 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in June 2021, with ransomware attacks accounting for a large percentage of those breaches. There were 58 reported hacking/IT incidents, in which the protected health information of 1,190,867 individuals was exposed or compromised – 92.24% of all breached records in June. The mean breach size was 20,532 records and the median breach size was 2,938 records.

Causes of June 2021 Healthcare data breaches

There were 9 unauthorized access/disclosure incidents reported that involved the impermissible disclosure of the PHI of 81,764 individuals. The mean breach size was 9,085 records and the median breach size was 5,509 records.

There was one incident reported involving the loss of paperwork containing the PHI of 14,532 individuals, one portable electronic device theft affecting 1,166 patients, and 1 incident involving the improper disposal of 2,662 physical records.

42 hacking incidents involved PHI stored on network servers, most of which were data access and exfiltration incidents involving ransomware. There were 19 email security breaches involving PHI stored in email accounts, most of which were phishing incidents.

Location of breached PHI in June 2021 data breaches

Covered Entities Reporting Data Breaches in June

The breach reports show healthcare providers were the worst affected covered entity type with 53 data breaches. 9 breaches were reported by health plans, and 8 by business associates of HIPAA covered entities. HIPAA-covered entities often report breaches at third party vendors, which can mask the extent to which business associates are being targeted by hackers. Adjusted figures taking this into account show the extent to which business associates are suffering data breaches. There were 36 data breaches reported that involved business associates, as shown in the pie chart below.

June 2021 healthcare data breaches by covered entity type

June 2021 Healthcare Data Breaches by State

There were large healthcare data breaches reported by HIPAA covered entities and business associates based in 32 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State No. Data Breaches
California 8
New York 6
Illinois, Pennsylvania, Washington 4
Georgia, New Jersey, Ohio, Oregon, Texas 3
Arkansas, Kentucky, Michigan, Mississippi, Nevada, Tennessee, Wisconsin 2
Alaska, Arizona, Colorado, Connecticut, Florida, Hawaii, Iowa, Maryland, Massachusetts, Minnesota, Montana, New Mexico, Oklahoma, Rhode Island, South Carolina 1

HIPAA Enforcement Activity in June 2021

The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was ordered to pay a financial penalty of $5,000 to resolve its HIPAA Right of Access case and agreed to adopt a robust corrective action plan to ensure that patients will be provided with timely access to their medical records. There were no confirmed HIPAA enforcement actions by state Attorneys General in June.

The post June 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

U.S. Government Launches New One-Stop Ransomware Website

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have announced the launch of a new web resource that will serve as a one-stop-shop providing information to help public and private sector organizations deal with the growing ransomware threat.

The new resource – StopRansomware.gov – is an interagency resource that provides guidance on ransomware protection, detection, and response in a single location.

The new resource provides general information about ransomware, including what ransomware is and how it is used by cybercriminals to extort money from public and private sector organizations. Detailed information is provided on how organizations can improve their security posture and defend against attacks, including ransomware best practices, bad practices to avoid, cyber hygiene tips, FAQs, and training material.

The website includes a newsroom with the latest ransomware-related advice, along with alerts from CISA, the FBI, Department of Treasury, and other federal agencies about the ever-evolving tactics, techniques, and procedures used by cybercriminals in their attacks.

Victims of ransomware attacks can report attacks through the website to either the FBI, CISA, or the U.S. Secret Service, with the report of the attack automatically sent to all appropriate agencies to ensure that the incident is investigated, threat information is shared, and steps are taken to identify the perpetrators and bring them to justice.

Organizations are being encouraged to take advantage of the new resource to understand the threat of ransomware, mitigate risk and, in the event of an attack, know what steps to take to limit the harm caused and ensure the fastest possible recovery.

“Cyber criminals have targeted critical infrastructure, small businesses, hospitals, police departments, schools and more.  These attacks directly impact Americans’ daily lives and the security of our nation,” said Secretary Alejandro Mayorkas for the Department of Homeland Security. “I urge every organization across our country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.”

The post U.S. Government Launches New One-Stop Ransomware Website appeared first on HIPAA Journal.

Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances

SonicWall has issued an urgent security notice warning users of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running end-of-life firmware about an imminent ransomware campaign using stolen credentials.

The campaign exploits a known vulnerability in 8.x firmware on the devices. SonicWall patched the vulnerability in later versions of the firmware. All users of these devices that are still running the vulnerable firmware version have been advised to update to version 9.x or 10.x of the immediately.

SonicWall became aware of threat actors targeting the vulnerability in SMA 100 series and SRA products through collaboration with trusted third parties. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” explained SonicWall.

Customers using end-of-life SMA or SRA devices running the vulnerable 8.x firmware should apply the update immediately or disconnect their appliances and reset passwords. EOL devices are:

  • SRA 4600/1600 (EOL 2019)
  • SRA 4200/1200 (EOL 2016)
  • SSL-VPN 200/2000/400 (EOL 2013/2014)

SMA 400/200 is still supported in Limited Retirement Mode. Users should update to 10.2.0.7-34 or 9.0.0.10 immediately, reset passwords, and enable MFA.

All known vulnerabilities have been corrected in the latest versions of 9.x or 10.x firmware and users of SMA 1000 series products are not affected. Users of these products should ensure they are running the most current firmware versions, should implement multi-factor authentication, and ensure that any future firmware updates are applied as soon as possible.

SMA 210/410/500v has not reached end of life and is actively supported but may still be running firmware versions with vulnerabilities discovered in 2021. Users running firmware 9.x should immediately update to 9.0.0.10-28sv or later and users of firmware 10.x should immediately update to 10.2.0.7-34sv or later.

Customers using end-of-life devices running the vulnerable version 8.x firmware who are not able to upgrade to 9.x or 10.x are being offered a complimentary virtual SMA 500v until October 31, 2021, which is still being supported.

The post Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances appeared first on HIPAA Journal.

CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses

Managed Service Providers (MSPs) are attractive targets for cybercriminals. They typically have privileged access to their clients’ networks, so a cyberattack on a single MSP can see the attacker gain access to the systems of many, if not all, of their clients.

The recent Kaseya supply chain attack showed just how serious such an attack can be. An REvil ransomware affiliate gained access to Kaseya systems, through which it was possible to access the systems and encrypt data of around 60 of its customers, many of which are MSPs. Through those MSP customers, ransomware was deployed on up to 1,500 downstream businesses.

Small- and mid-sized businesses often do not have staff to manage their own IT systems or may lack the skills or hardware to store sensitive data and support sensitive processes. Many turn to MSPs to provide that expertise. It is often more cost effective for SMBs to scale and support their network environments using MSPs rather than manage their resources themselves.

Outsourcing IT or security functions to an MSP introduces risks, which need to be mitigated by SMBs. MSPs also need to implement safeguards to prevent their networks from being accessed and to limit the harm caused to their customers should their perimeter defenses be breached.

On July 14, 2021, The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) published guidance to help MSPs and SMBs strengthen their defenses to improve resilience to cyberattacks and to limit the harm caused should such an attack succeed.

The CISA Insights report provides mitigations and hardening guidance for MSPs and SMBs, outlining important steps that should be taken to protect MSP network assets and those of their customers to reduce the risk of successful cyberattacks.

The guidance document – CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businessesis available for download here.(PDF)

The post CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses appeared first on HIPAA Journal.

REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown

The notorious REvil ransomware gang’s Internet and dark web sites have suddenly gone offline, days after President Biden called Vladimir Putin demanding action be taken against ransomware gangs and other cybercriminals conducting attacks from within Russia on U.S. companies.

At around 1 a.m. on Tuesday, the websites used by the gang for leaking data of ransomware victims, their ransom negotiation chat server, and command and control infrastructure went offline and have remained offline since. For one of the gang’s sites, the server IP address is no longer resolvable via DNS queries.

REvil has grown into one of the most prolific ransomware-as-a-service operations. The gang was behind many ransomware attacks in the United States and worldwide, including the recent attack on JBS Foods and the supply chain attack on Kaseya, which saw ransomware used in attacks on around 60 managed service providers and up to 1,500 of their clients on July 2. A ransom demand of $70 million was issued to supply the keys to decrypt all victims’ devices, with the demand falling to $50 million shortly after.

While it is not unusual for ransomware operations to go quiet, or for infrastructure to be temporarily taken offline, the timing of the shutdown suggests either the U.S. or Russian government has taken action. The FBI has not commented on the shutdown of the REvil servers, and the press secretary of the president of the Russian Federation, Dmitry Peskov, told TASS reporters that he had no knowledge of the reason why the servers had gone dark. It is possible that the loss of infrastructure is due to hardware failure or simply the gang deciding to lay low, especially after such a major attack.

Ransomware gangs have faced a great deal of scrutiny following the attack on Colonial Pipeline by the DarkSide ransomware gang. Shortly after the attack, the White House announced that efforts to target ransomware gangs and their infrastructure would be stepped up. Following the attack, the DarkSide RaaS operation shut down, due to a silent takedown of their infrastructure by law enforcement.

At the Geneva summit, President Biden spoke with Vladamir Putin about cyberattacks conducted on U.S. companies from cybercriminal groups operating within Russia and urged him to take steps to disrupt the gangs, even though the attackers were not sponsored by the state.

A few days ago, President Biden called Putin demanding action be taken against ransomware gangs operating out of Russia. Biden told reporters after the call that the United States would be taking steps to get the servers of ransomware gangs taken down if Russia did not.

Some news outlets, such as the BBC, have reported the shutdown was due to action taken by the United States to disrupt the group’s infrastructure. A BBC reporter spoke to one individual, allegedly an REvil affiliate, who said the group had shut down its infrastructure following a partial takedown by federal law enforcement and increasing pressure from the Kremlin.

Bitali Kremez of Advanced Intel said “Upon uncorroborated information, REvil server infrastructure received a [Russian] government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed.”

It is too early to tell what has happened and whether the shut down will be temporary or permanent. As is often the case following the shutdown of a Ransomware-as-a-Service operation, the gang may simply return under a different name, as REvil has done in the past.

This story will be updated as further information becomes available.

The post REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown appeared first on HIPAA Journal.

Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack

Kaseya has announced a security update has been released for the Kaseya KSA remote management and monitoring software solution to fix the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients.

The vulnerabilities exploited in the attack were part of a batch of seven flaws that were reported to Kaseya in April 2021 by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had developed patches to correct four of the seven vulnerabilities in its Virtual System Administrator solution and released these as part of its April and May security updates; however, before patches could be released for the remaining three vulnerabilities, one or more of them were exploited by an REvil ransomware affiliate.

The attack affected approximately 60 customers who had deployed the Kaseya VSA on-premises, many of which were managed service providers (MSPs). The REvil ransomware gang gained access to their servers, encrypted them, and pushed their ransomware out to approximately 1,500 business clients of those companies.

Following the July 2, 2021 attack, Kaseya advised its customers to shut down their on-premises VSA servers until the exploited vulnerabilities were addressed and its SaaS servers were shut down as the SaaS solution also had vulnerabilities, although its cloud-based service was not affected by the attack. Those servers are now being restarted incrementally and the final three patches have been released in the VSA 9.5.7a (9.5.7.2994) update.

The three vulnerabilities addressed in the latest security update are a credential leak and business logic flaw tracked as CVE-2021-30116, a cross site scripting vulnerability – CVE-2021-30119 – and a 2FA bypass vulnerability – CVE-2021-30120. Kaseya says a further three vulnerabilities in the solution have also been addressed by the update. These are a failure to use a secure flag for user portal session cookies, a flaw that allowed files to be uploaded to a VSA server, and an issue where a password hash was exposed, which made weak passwords vulnerable to brute force attacks.

Kaseya has recommended a process for applying the update to minimize risk. This involves ensuring the VSA server is isolated and not connected to the Internet, searching for Indicators of Compromise (IoCs) to determine if servers or endpoints have already been compromised, then applying the update.

The full process for updating on-premises VSA servers and securing them is detailed in the Kaseya On Premises Startup Readiness Guide.

The post Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack appeared first on HIPAA Journal.

Multiple Critical Vulnerabilities Affect Philips Vue PACS Products

Multiple vulnerabilities have been identified in Philips Vue PACS products, including 5 critical flaws with a 9.8 severity rating and 4 high severity flaws.

Some of the vulnerabilities can be exploited remotely and there is a low attack complexity. Successful exploitation of the flaws would allow an unauthorized to gain system access, eavesdrop, view and modify data, execute arbitrary code, install unauthorized software, or compromise system integrity and gain access to sensitive data or negatively affect the availability of the system.

The vulnerabilities were recently reported to CISA by Philips and affect the following Philips Vue PACS products:

  • Vue PACS: Versions 12.2.x.x and prior
  • Vue MyVue: Versions 12.2.x.x and prior
  • Vue Speech: Versions 12.2.x.x and prior
  • Vue Motion: Versions 12.2.1.5 and prior

Critical Vulnerabilities

  • CVE-2020-1938 – Improper validation of input to ensure safe and correct data processing, potentially allowing remote code execution – (CVSS v3 9.8/10)
  • CVE-2018-12326 – Buffer overflow issue in Redis third-party software allowing code execution and escalation of privileges – (CVSS v3 9.8/10)
  • CVE-2018-11218 – Memory corruption vulnerability in Redis software – (CVSS v3 9.8/10)
  • CVE-2020-4670 – Improper authentication issue within the Redis software component – (CVSS v3 9.8/10)
  • CVE-2018-8014 – Default settings for the CORS filter are not secure – (CVSS v3 9.8/10)

High Severity Vulnerabilities

  • CVE-2021-33020 – Use of a cryptographic key past its expiration date – (CVSS v3 8.2/10)
  • CVE-2018-10115 – Incorrect initialization logic of RAR decoder objects in 7-Zip potentially allowing denial of service or remote execution of code via a specially crafted RAR file – (CVSS v3 7.8/10)
  • CVE-2021-27501 – Failure to follow coding rule for development – (CVSS v3 7.5/10)
  • CVE-2021-33022 -Transmission of sensitive/security-critical data in cleartext – (CVSS v3 7.5/10)

Medium Severity Vulnerabilities

  • CVE-2021-33018 – Use of a broken or risky cryptographic algorithm – (CVSS v3 6.5/10)
  • CVE-2021-27497 – Failure of mechanism that protects against direct attacks – (CVSS v3 6.5/10)
  • CVE-2012-1708 – Oracle Database vulnerability that could affect data integrity – (CVSS v3 6.5/10).
  • CVE-2015-9251 – Cross site scripting vulnerability due to improper neutralization of user-controllable input – (CVSS v3 6.1/10)
  • CVE-2021-27493 – Failure to ensure structured messages or data are well formed and security properties are met – (CVSS v3 6.1/10)
  • CVE-2019-9636 – Improper handling of input containing Unicode encoding – (CVSS v3 5.3/10)

Low Severity Vulnerability

  • CVE-2021-33024 – Insecure method of transmission/storage of authentication credentials- (CVSS v3 3.7/10)

Mitigations

Philips recommends Philips configuring the Vue PACS environment per D00076344 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter.

Philips has already corrected some of the vulnerabilities in versions 12.2.1.5 (MyVue/Vue Motion), Version 12.2.8.0 (Vue Speech), and Version 12.2.8.0 (Vue PACS), including 4 of the 5 critical flaws.

Version 15 of the software will be released in Q1, 2022 to correct the remaining vulnerabilities in PACS, Speech, MyVue.

Full details are available here.

The post Multiple Critical Vulnerabilities Affect Philips Vue PACS Products appeared first on HIPAA Journal.