Healthcare Cybersecurity

CISA Issues Alert Following Increase in Emotet Malware Attacks

Following a period of dormancy between February 2020 and July 2020, the Emotet botnet sprang back to life and recommenced spam runs distributing the Emotet Trojan. Since August 2020, attacks on state and local governments have increased sharply, prompting the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors.

The Emotet botnet resumed activity in July with a massive phishing campaign using messages with malicious Word attachments and hyperlinks. Since then, multiple spam runs have been conducted which typically consist of more than 500,000 emails. The Emotet Trojan is a dangerous banking Trojan which is used as a downloader of other types of malware, notably the TrickBot and Qbot Trojans. The secondary payloads in turn deliver other malware payloads, including Ryuk and Conti ransomware.

One infected device could easily result in further infections across the network. Emotet infects other devices in a worm-like fashion, creating multiple copies of itself which are written to shared drives. Emotet also brute forces credentials and distributes copies of itself via email. Emotet is capable of hijacking genuine email threads and inserting malicious files. Since the emails appear to have been sent by known contacts in response to previously sent messages, there is a higher probability of the email attachments being opened.

The Trojan is continuously evolving using dynamic link libraries and regularly has new capabilities added. The capabilities of the Trojan make it difficult to eliminate from networks. The Trojan can be removed from infected devices, but they can quickly be reinfected by other compromised devices on the network.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have been collecting data on Emotet attacks and Emotet loader downloads since botnet activity resumed in July. CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, identified around 16,000 alerts about Emotet activity since July, including potentially targeted attacks on state and local governments. Compromises have also been reported in Canada, France, Italy, Japan, New Zealand, and the Netherlands.

CISA regards Emotet as one of the most prevalent ongoing threats, and its secondary malware payloads of TrickBot and Qbot are also significant threats, as are the ransomware payloads they deliver.

The phishing emails used to distribute the Emotet loader are diverse and change often. COVID-19 themed emails have been used this year along with many lures aimed at businesses. The email attachments are typically malicious Word documents, although password-protected zip files have also been used to evade anti-spam and anti-phishing solutions. The emails often claim that the attachments were created on a mobile device and require the user to enable content (and by doing so enable macros) to view the files.

To prevent Emotet malware attacks, CISA and MS-ISAC recommend adopting cybersecurity best practices which include applying protocols to block suspicious attachments, including attachments that cannot be scanned by AV solutions such as password-protected files. Antivirus software should be used on all devices and set to update automatically, suspicious IPs should be blocked, DMARC authentication and multi-factor authentication should be implemented, organizations should adhere to the principle of least privilege, and should segment and segregate networks and disable file and printer sharing services (if possible).
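As an added example (not part of the CISA alert or its recommendations), the check below classifies ZIP attachments the way a mail gateway could when enforcing the "block what cannot be scanned" advice: it reads each entry's general-purpose flag bits from the archive's central directory, where bit 0 marks an encrypted entry, and treats encrypted or unparseable archives as blocked. The filenames and archives are constructed; `mark_encrypted` only sets the flag bits on a plain archive to produce a fixture.

```python
import io
import zipfile

ENCRYPTED = 0x0001          # general-purpose flag bit 0: entry is encrypted
ZIP_EXTENSIONS = (".zip",)


def zip_status(data: bytes) -> str:
    """Classify a ZIP blob as 'clear', 'encrypted' or 'unparseable'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()   # reads the central directory only
    except (zipfile.BadZipFile, ValueError, OSError):
        return "unparseable"
    if any(zi.flag_bits & ENCRYPTED for zi in infos):
        return "encrypted"
    return "clear"


def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'block' for archives a scanner cannot inspect, else 'scan'.

    The extension is checked case-insensitively and the PK magic is checked
    too, so a renamed archive is still treated as a ZIP. Office documents are
    ZIP containers as well; as unencrypted archives they fall through to the
    AV scanner rather than being blocked here.
    """
    looks_like_zip = filename.lower().endswith(ZIP_EXTENSIONS) or data[:2] == b"PK"
    if not looks_like_zip:
        return "scan"
    status = zip_status(data)
    return "block" if status in ("encrypted", "unparseable") else "scan"


def build_plain_zip(member: str, payload: bytes) -> bytes:
    """Constructed fixture: a one-entry, unencrypted ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def mark_encrypted(plain_zip: bytes) -> bytes:
    """Constructed fixture: set the encryption flag in every header.

    Local file headers carry the flag word at offset 6, central directory
    headers at offset 8. The entry data is left untouched, so the result only
    *looks* password-protected to a parser, which is all the check needs.
    """
    out = bytearray(plain_zip)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_off] |= ENCRYPTED
            pos = out.find(sig, pos + 4)
    return bytes(out)


# Constructed sample attachments: name -> raw bytes.
SAMPLES = {
    "report.zip": build_plain_zip("report.txt", b"quarterly figures"),
    "invoice.zip": mark_encrypted(build_plain_zip("invoice.doc", b"x" * 64)),
    "notes.txt": b"plain text body",
    "broken.zip": b"PK\x03\x04 truncated",   # PK magic but no central directory
}


def triage(samples):
    """Map each attachment name to its gateway verdict."""
    return {name: attachment_verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12} -> {verdict}")
```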

The full list of recommended mitigations is detailed in the CISA alert.

The post CISA Issues Alert Following Increase in Emotet Malware Attacks appeared first on HIPAA Journal.

CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Telework Essentials Toolkit to help business leaders, IT staff, and end users transition to a permanent teleworking environment.

The COVID-19 pandemic forced businesses to rapidly change from having a largely office-based workforce to allowing virtually all employees to work from home to reduce the risk of infection. The speed at which the transition had to be made potentially introduced security vulnerabilities that weakened organizational cybersecurity defenses. The CISA Toolkit is intended to provide support to organizations to help them re-evaluate and strengthen their cybersecurity defenses and fully transition into a long-term teleworking solution.

The Toolkit includes three tailored modules covering best practices for executive leaders, IT professionals, and teleworkers, each addressing the security considerations appropriate to that role.

Executive leaders are provided with information to help them drive cybersecurity strategy and investment and develop a cyber secure hybrid culture in their organization. Resources are provided to help business leaders develop organizational policies and procedures for remote working, implement cybersecurity training to improve understanding of the risks and threats of accessing organizational systems and data remotely, and manage the move of organizational assets beyond the traditional perimeter, where they may not be reachable by the organization’s monitoring and response capabilities. Advice is provided on addressing the basics of cyber hygiene with the workforce and providing clear and regular updates on cybersecurity best practices.

Guidance for IT professionals is focused on the policies, procedures, and tools that need to be implemented to ensure teleworkers can work and access the resources they need remotely. The guidance explains the importance of patching promptly and implementing effective vulnerability management practices, the need for zero trust architecture, multi-factor authentication, regular data backups, and DMARC validation to address the risks of phishing and business email compromise in relation to remote working environments. IT leaders must also stipulate the tools and applications that must be used when working remotely and provide training on how to use those tools securely.

Everyone has a role to play in the transition from temporary to permanent remote working, including end users. The third module is aimed at teleworkers and provides advice on the steps that need to be taken to work securely from home. These include making sure home networks are properly configured and hardened, following organizational secure practices and policies, increasing awareness of phishing and social engineering threats, and promptly communicating any suspicious activities to the IT security team.

The CISA Telework Essentials Toolkit can be downloaded from the CISA website.


Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions.

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Several individuals involved in ransomware attacks over the past few years have been sanctioned by OFAC, including the Lazarus Group from North Korea which was behind the WannaCry 2.0 ransomware attacks in May 2017, two Iranians believed to be behind the SamSam ransomware attacks that started in late 2015, Evil Corp and its leader, Maksim Yakubets, who are behind Dridex malware, and Evgeniy Mikhailovich Bogachev, who was designated the developer of Cryptolocker ransomware, first released in December 2016.

Paying ransoms to sanctioned persons or jurisdictions threatens U.S. national security interests. “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” explained OFAC.

“U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes,” wrote OFAC.

Civil monetary penalties may be imposed for sanctions violations, even if the person violating sanctions was unaware that they were engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. Any facilitator or payer of ransom demands to sanctioned individuals, entities, or regimes could face a financial penalty up to $20 million.

Many entities do not disclose ransomware attacks or report them to law enforcement to avoid negative publicity and legal issues, but by failing to report they are hampering law enforcement investigations into attacks. OFAC explained in its advisory that the financial intelligence and enforcement agency will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

The advisory also includes contact information for victims of ransomware attacks to discover if there are sanctions imposed on threat actors, and whether payment of a ransom may involve a sanctions nexus.

OFAC has advised against paying any ransom demand. Not only does payment of a ransom risk violating OFAC regulations, there is no guarantee that payment of the ransom will result in valid keys being supplied, the criminals may not delete stolen data, and they could issue further ransom demands. Payment of a ransom may also embolden cyber actors to engage in further attacks.

OFAC has only offered advice and warned of sanctions risks if payments are made to certain threat actors. Short of an outright ban on paying ransoms, the attacks are likely to remain profitable and will continue. Only when the attacks cease to be profitable are cybercriminals likely to stop conducting them.


NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first time that NIST has updated the guidance since 2013 and is a complete renovation rather than a minor update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.”

The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.”

This is the first control catalog to be released worldwide that includes privacy and security controls in the same catalog. The guidance will help to protect organizations from diverse threats and risks, including cyberattacks, human error, natural disasters, privacy risks, structural failures, and attacks by foreign intelligence agencies. The controls detailed in the guidance will help organizations take a proactive and systematic approach to protecting critical systems, components and services and will ensure they have the necessary resilience to protect the economic and national security interests of the United States.

The guidance is intended to help government agencies and their third-party contractors meet the requirements of the Federal Information Security Management Act and it will be mandatory for government agencies to implement the new provisions detailed in the updated guidance. The guidelines are voluntary for private sector organizations, although the private sector is being encouraged to adopt the new guidelines to tackle privacy and security issues.

There have been several major updates to the guidance, which include:

  • New, ‘state-of-the-practice’ controls to protect critical and high value assets. The revisions have been based on the latest threat intelligence and cyber attack data and will improve cyber resiliency, support secure system design, security and privacy governance and accountability.
  • Information security and privacy controls have been integrated into a seamless, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based, with the entity responsible for implementing the controls removed from the document. The guidance now focuses on the protection outcome from implementing the controls.
  • Standards have been incorporated for supply chain risk management with guidance provided on how to integrate those standards throughout an organization.
  • The guidance incorporates next generation privacy and security controls, and includes guidelines for how to use them.
  • Control selection processes have been separated from the controls to make it easier for the controls to be used by different communities of interest.
  • Descriptions of content relationships have been improved, clarifying the relationship between requirements and controls and the relationship between security and privacy controls.

“The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States,” explained Ron Ross, NIST Fellow and co-author of the document.


CISA Issues Alert Following Surge in LokiBot Malware Activity

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months.

LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and sFTP clients.

The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads.

The malware establishes a connection with its command and control server and exfiltrates data via HTTP. The malware has been observed using process hollowing to insert itself into legitimate Windows processes such as vbc.exe to evade detection. The malware can also create a duplicate of itself, which is saved to a hidden file and directory.

The malware may be relatively simple, but that has made it an attractive tool for a wide range of threat actors, and LokiBot is used in a wide variety of data theft campaigns. Since July, CISA’s EINSTEIN Intrusion Detection System has identified a significant increase in LokiBot activity.

LokiBot is most commonly distributed via email as a malicious attachment; however, since July, the malware has been distributed in a variety of different ways, such as links to websites hosting the malware sent by SMS and via text messaging apps.

Information stealers have proven popular during the COVID-19 pandemic, especially LokiBot. LokiBot was the most commonly detected information stealer in the first half of 2020, according to F-Secure.

CISA has shared best practices to adopt to strengthen defenses against LokiBot and other information stealers. These include:

  • Deploy antivirus software and ensure virus definition lists are kept up to date
  • Apply patches for vulnerabilities promptly
  • Disable file and printer sharing services; if that is not possible, set strong passwords or use Active Directory authentication
  • Use multi-factor authentication on accounts
  • Restrict user permissions to install and run software applications
  • Enforce the use of strong passwords
  • Train the workforce and encourage workers to exercise caution when opening email attachments
  • Deploy a spam filtering solution
  • Use a personal firewall on workstations and configure it to deny unsolicited connection requests
  • Monitor web activity and consider using a web filter to block access to unsavory websites
  • Scan all software downloaded from the Internet before executing it


August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size was 58,572 records and the median breach size was 3,736 records.

Largest Healthcare Data Breaches Reported in August 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI | Incident |
|---|---|---|---|---|---|
| Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident | Network Server, Other | Blackbaud ransomware attack |
| Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Assured Imaging | Healthcare Provider | 244,813 | Hacking/IT Incident | Network Server | Ransomware attack |
| MultiCare Health System | Healthcare Provider | 179,189 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Imperium Health LLC | Business Associate | 139,114 | Hacking/IT Incident | Email | Phishing attack |
| University of Florida Health | Healthcare Provider | 135,959 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Utah Pathology Services, Inc. | Healthcare Provider | 112,124 | Hacking/IT Incident | Email | Phishing attack |
| Dynasplint Systems, Inc. | Healthcare Provider | 102,800 | Hacking/IT Incident | Network Server | Ransomware attack |
| Main Line Health | Healthcare Provider | 60,595 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Northwestern Memorial HealthCare | Healthcare Provider | 55,983 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Richard J. Caron Foundation | Healthcare Provider | 22,718 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| UT Southwestern Medical Center | Healthcare Provider | 15,958 | Unauthorized Access/Disclosure | Other | Unconfirmed |
| City of Lafayette Fire Department | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Hamilton Health Center, Inc. | Healthcare Provider | 10,393 | Unauthorized Access/Disclosure | Email | Misdirected Email |

Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized access/disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now that the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139,114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2. One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.


Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records.

Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 20 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner.

The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could not be accessed.

The medical clinic was forced to de-register from emergency care, postponed appointments and outpatient care, and advised all patients not to visit the clinic until the attack was remediated. A week later, normal function at the hospital has still not resumed, although the hospital is now starting to restart essential systems.

According to a recent Associated Press report, 30 servers at the hospital were affected. A ransom demand was found on one of the encrypted servers. The hospital alerted law enforcement which made contact with the attackers using the information in the ransom note.

It would appear that the attackers did not intend on attacking the hospital, as the ransom note was addressed to Heinrich Heine University in Düsseldorf, to which the medical clinic is affiliated. Law enforcement officials made contact with the attackers using the information in the ransom note and told the attackers that the hospital had been affected and patient safety was at risk.

The attackers supplied the keys to decrypt files and made no further attempts to extort money. No further contact has been possible with the attackers. Law enforcement is continuing to investigate and it is possible that charges of manslaughter could be brought against the attackers.

Until now there have been no confirmed cases of ransomware attacks on healthcare facilities resulting in the death of a patient, but when attacks cripple hospital systems and patients are prevented from receiving treatment for life threatening conditions, such tragic events are sadly inevitable.

Several ransomware gangs have publicly stated that they will not conduct attacks on medical facilities, and if hospital systems are affected, keys to decrypt files will be provided free of charge. However, even if keys are provided to decrypt files, recovery from an attack is not a quick process. Other ransomware operations have made no such concessions and continue to attack healthcare facilities.


CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released, which could be used to attack vulnerable domain controllers.

MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft.

The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges.

Microsoft is addressing the vulnerability in a phased two-part roll out. Microsoft released a patch for the vulnerability on August 2020 Patch Tuesday which changes Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC). The second “enforcement phase” is planned for Q1, 2021, on or after February 9, 2021, and will be deployed automatically.

Microsoft explained the “changes to the Netlogon protocol have been made to protect Windows devices by default, log events for non-compliant device discovery, and add the ability to enable protection for all domain-joined devices with explicit exceptions.”

The patch enforces secure RPC usage for machine accounts on Windows based devices, trust accounts, and all Windows and non-Windows DCs. A new group policy is included to allow non-compliant device accounts.

“Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections,” explained Microsoft. “Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.”

After deploying the patch, monitoring should take place to identify warning events and actions are required on each of those events. All warning events must be resolved before the February 2021 enforcement phase begins.
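As an added example of the post-patch monitoring step described above (not from Microsoft's or CISA's guidance), the script below groups Netlogon secure-channel events by machine account and by what enforcement mode will do to each account. The event IDs 5827 to 5831 and the record fields are assumptions made for this example, and the records are constructed; check the IDs against Microsoft's guidance for CVE-2020-1472 before using them in a real query.

```python
# Netlogon System-log event IDs logged by patched DCs (assumed for this
# example; verify against Microsoft's CVE-2020-1472 guidance).
DENIED_VULNERABLE = {5827, 5828}        # machine / trust account denied
ALLOWED_UNTIL_ENFORCEMENT = {5829}      # allowed only because enforcement is off
ALLOWED_BY_EXCEPTION = {5830, 5831}     # allowed via the explicit-exception policy

# Constructed sample records: one dict per event, reduced to the fields the
# triage needs. A real export would come from the DCs' System logs.
SAMPLE_EVENTS = [
    {"EventID": 5829, "DC": "DC01", "Account": "OLDNAS$",   "OS": "Linux (Samba)"},
    {"EventID": 5829, "DC": "DC02", "Account": "OLDNAS$",   "OS": "Linux (Samba)"},
    {"EventID": 5829, "DC": "DC01", "Account": "XRAY-WS7$", "OS": "Windows 7"},
    {"EventID": 5830, "DC": "DC01", "Account": "PACSGW$",   "OS": "Windows Server 2008"},
    {"EventID": 5827, "DC": "DC02", "Account": "UNKNOWN$",  "OS": "?"},
    {"EventID": 4624, "DC": "DC01", "Account": "alice",     "OS": "Windows 10"},  # unrelated logon
]


def triage(events):
    """Group accounts by what enforcement mode will do to them.

    Returns {bucket: {account: {"count", "os", "dcs"}}} where bucket is
    "will_break" (connections still allowed only because enforcement is off;
    must be fixed before February 9, 2021), "exempted" (allowed by the
    exception policy; still to be migrated to secure RPC) or "already_denied"
    (the DC is already refusing the vulnerable channel).
    """
    report = {"will_break": {}, "exempted": {}, "already_denied": {}}
    for ev in events:
        eid = ev["EventID"]
        if eid in ALLOWED_UNTIL_ENFORCEMENT:
            bucket = "will_break"
        elif eid in ALLOWED_BY_EXCEPTION:
            bucket = "exempted"
        elif eid in DENIED_VULNERABLE:
            bucket = "already_denied"
        else:
            continue  # not a Netlogon secure-channel event
        entry = report[bucket].setdefault(
            ev["Account"], {"count": 0, "os": ev.get("OS", "?"), "dcs": set()})
        entry["count"] += 1
        entry["dcs"].add(ev["DC"])
    return report


def ready_for_enforcement(report):
    """True only when no account still depends on a vulnerable channel."""
    return not report["will_break"]


def work_list(report):
    """Accounts to fix first: the most frequent vulnerable connections on top."""
    items = report["will_break"].items()
    return [acct for acct, e in sorted(items, key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS)
    for bucket, accounts in rep.items():
        for acct, e in accounts.items():
            print(f"{bucket:15} {acct:12} {e['os']:22} x{e['count']} on {sorted(e['dcs'])}")
    print("ready for enforcement:", ready_for_enforcement(rep))
```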

Deployment guidelines for the August 2020 patch are detailed in Microsoft's guidance for the update.

The February patch will transition into the enforcement phase and will put DCs into enforcement mode regardless of the enforcement mode registry key, forcing all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. The update will also remove logging, as all vulnerable connections will be denied.

If the August 2020 patch has not yet been applied, systems will be vulnerable to attack. CISA warns that the flaw is an attractive target for attackers and immediate patching is strongly recommended. Should the vulnerability be exploited, and the Active Directory infrastructure compromised, significant damage can be caused, and the attack will be costly to mitigate.


Vulnerabilities Identified in Philips Clinical Collaboration Platform

Five low- to medium-severity vulnerabilities have been identified in the Philips Clinical Collaboration Platform (Vue PACS). If successfully exploited, the vulnerabilities could allow an attacker to convince an authorized user to execute unauthorized actions, or could result in the disclosure of information that could be used in further attacks.

Philips has not received any reports to indicate exploits for the vulnerabilities have been developed or used in real world attacks, and there have been no reports of incidents from clinical use associated with the vulnerabilities.

The vulnerabilities affect versions 12.2.1 and prior and range in severity from low (CVSS v3 base score 3.4) to medium (CVSS v3 base score 6.8).

  • CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8)
  • CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5)
  • CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity given by an attacker to ensure the claim is correct. (CVSS 5.0)
  • CVE-2020-14525 – Improper neutralization of script in attributes in a web page – Does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users. (CVSS 3.5)
  • CVE-2020-14506 – When input or data is provided, there are insufficient checks to ensure the input has the properties to allow data to be processed safely and correctly. (CVSS 3.4)

Philips released a patch for the Clinical Collaboration Platform (Version 12.2.1.5) in June 2020 for web portals which fixed two of the low-severity flaws (CVE-2020-14506 and CVE-2020-14525).

Philips released a new version of the Vue PACS Clinical Collaboration Platform (Version 12.2.5) in May 2020, which corrected four of the flaws (CVE-2020-14506, CVE-2020-14525, CVE-2020-16247, and CVE-2020-16198).

The remaining vulnerability, CVE-2020-16200, could not be patched and requires manual intervention to prevent exploitation. Affected customers are encouraged to contact Philips Customer Support to receive assistance correcting the vulnerability.

Philips also recommends the following mitigations:

  • Implement physical security measures to limit or control access to critical systems.
  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.

The vulnerabilities were identified by Northridge Hospital Medical Center, which reported the vulnerabilities to Philips. Philips released a security advisory and notified relevant authorities about the flaws under its Coordinated Vulnerability Disclosure Policy.
