Healthcare Cybersecurity

NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first time that NIST has updated the guidance since 2013 and is a complete renovation rather than a minor update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.”

The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.”

This is the first control catalog to be released worldwide that includes privacy and security controls in the same catalog. The guidance will help to protect organizations from diverse threats and risks, including cyberattacks, human error, natural disasters, privacy risks, structural failures, and attacks by foreign intelligence agencies. The controls detailed in the guidance will help organizations take a proactive and systematic approach to protecting critical systems, components and services and will ensure they have the necessary resilience to protect the economic and national security interests of the United States.

The guidance is intended to help government agencies and their third-party contractors meet the requirements of the Federal Information Security Management Act and it will be mandatory for government agencies to implement the new provisions detailed in the updated guidance. The guidelines are voluntary for private sector organizations, although the private sector is being encouraged to adopt the new guidelines to tackle privacy and security issues.

There have been several major updates to the guidance, which include:

  • New, ‘state-of-the-practice’ controls to protect critical and high value assets. The revisions have been based on the latest threat intelligence and cyber attack data and will improve cyber resiliency, support secure system design, security and privacy governance and accountability.
  • Information security and privacy controls have been integrated into a seamless, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based, with the entity responsible for implementing the controls removed from the document. The guidance now focuses on the protection outcome from implementing the controls.
  • Standards have been incorporated for supply chain risk management with guidance provided on how to integrate those standards throughout an organization.
  • The guidance incorporates next generation privacy and security controls, and includes guidelines for how to use them.
  • Control selection processes have been separated from the controls to make it easier for the controls to be used by different communities of interest.
  • Descriptions of content relationships have been improved, clarifying the relationship between requirements and controls and the relationship between security and privacy controls.

“The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States,” explained Ron Ross, NIST Fellow and co-author of the document.

The post NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations appeared first on HIPAA Journal.

CISA Issues Alert Following Surge in LokiBot Malware Activity

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months.

LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and sFTP clients.

The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads.

The malware establishing a connection with its Command and Control Server and exfiltrates data via HyperText Transfer Protocol. The malware has been observed using process hollowing to insert itself into legitimate Windows processes such as vbc.exe to evade detection. The malware can also create a duplicate of itself, which is saved to a hidden file and directory.

The malware may be relatively simple, but that has made it an attractive tool for a wide range of threat actors and LokiBot is used in a wide variety of data compromise use cases.  Since July, CISA’s EINSTEIN Intrusion Detection System identified a significant increase in LokiBot activity.

LokiBot is most commonly distributed via email as a malicious attachment; however, since July, the malware has been distributed in a variety of different ways, such as links to websites hosting the malware sent by SMS and via text messaging apps.

Information stealers have proven popular during the COVID-19 pandemic, especially LokiBot. LokiBot was the most commonly detected information stealer in the first half of 2020, according to F-Secure.

CISA has shared best practices to adopt to strengthen defenses against LokiBot and other information stealers. These include:

  • Deploying antivirus software and ensuring virus definition lists are kept up to date
  • Applying patches for vulnerabilities promptly
  • Disabling file and printer sharing services. If not possible, set strong passwords or use AD authentication
  • Use multi-factor authentication on accounts
  • Restrict user permissions to install and run software applications
  • Enforce the use of strong passwords
  • Provide training to the workforce and encourage workers to exercise caution when opening email attachments
  • Deploy a spam filtering solution
  • Use a personal firewall on workstations and configure the firewall to deny unsolicited connection requests
  • Monitor web activity and consider using a web filter to prevent employees from accessing unsavory websites
  • Scan all software downloaded from the Internet prior to executing

The post CISA Issues Alert Following Surge in LokiBot Malware Activity appeared first on HIPAA Journal.

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.

 

 

Largest Healthcare Data Breaches Reported in August 2020

 

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident
Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack
Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack
Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack
MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud ransomware attack
Imperium Health LLC Business Associate 139,114 Hacking/IT Incident Email Phishing attack
University of Florida Health Healthcare Provider 135,959 Hacking/IT Incident Network Server Blackbaud ransomware attack
Utah Pathology Services, Inc. Healthcare Provider 112,124 Hacking/IT Incident Email Phishing attack
Dynasplint Systems, Inc. Healthcare Provider 102,800 Hacking/IT Incident Network Server Ransomware attack
Main Line Health Healthcare Provider 60,595 Hacking/IT Incident Network Server Blackbaud ransomware attack
Northwestern Memorial HealthCare Healthcare Provider 55,983 Hacking/IT Incident Network Server Blackbaud ransomware attack
Richard J. Caron Foundation Healthcare Provider 22,718 Hacking/IT Incident Network Server Blackbaud ransomware attack
UT Southwestern Medical Center Healthcare Provider 15,958 Unauthorized Access/Disclosure Other Unconfirmed
City of Lafayette Fire Department Healthcare Provider 15,000 Hacking/IT Incident Network Server Ransomware attack
Hamilton Health Center, Inc. Healthcare Provider 10,393 Unauthorized Access/Disclosure Email Misdirected Email

 

Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized/access disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139, 114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2.  One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.

The post August 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records.

Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 20 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner.

The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could not be accessed.

The medical clinic was forced to de-register from emergency care, postponed appointments and outpatient care, and all patients were advised not to visit the medical clinic until the attack was remediated. A week later and normal function at the hospital has still not resumed, although the hospital is now starting to restart essential systems.

According to a recent Associated Press report, 30 servers at the hospital were affected. A ransom demand was found on one of the encrypted servers. The hospital alerted law enforcement which made contact with the attackers using the information in the ransom note.

It would appear that the attackers did not intend on attacking the hospital, as the ransom note was addressed to Heinrich Heine University in Düsseldorf, to which the medical clinic is affiliated. Law enforcement officials made contact with the attackers using the information in the ransom note and told the attackers that the hospital had been affected and patient safety was at risk.

The attackers supplied the keys to decrypt files and made no further attempts to extort money. No further contact has been possible with the attackers. Law enforcement is continuing to investigate and it is possible that charges of manslaughter could be brought against the attackers.

Until now there have been no confirmed cases of ransomware attacks on healthcare facilities resulting in the death of a patient, but when attacks cripple hospital systems and patients are prevented from receiving treatment for life threatening conditions, such tragic events are sadly inevitable.

Several ransomware gangs have publicly stated that they will not conduct attacks on medical facilities, and if hospital systems are affected, keys to decrypt files will be provided free of charge. However, even if keys are provided to decrypt files, recovery from an attack is not a quick process. Other ransomware operations have made no such concessions and continue to attack healthcare facilities.

The post Hospital Ransomware Attack Results in Patient Death appeared first on HIPAA Journal.

CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released, which could be used to attack vulnerable domain controllers.

MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft.

The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges.

Microsoft is addressing the vulnerability in a phased two-part roll out. Microsoft released a patch for the vulnerability on August 2020 Patch Tuesday which changes Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC). The second “enforcement phase” is planned for Q1, 2021, on or after February 9, 2021, and will be deployed automatically.

Microsoft explained the “changes to the Netlogon protocol have been made to protect Windows devices by default, log events for non-compliant device discovery, and add the ability to enable protection for all domain-joined devices with explicit exceptions.”

The patch enforces secure RPC usage for machine accounts on Windows based devices, trust accounts, and all Windows and non-Windows DCs.  A new group policy is included to allow non-compliant device accounts.

“Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections,” explained Microsoft. “Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.”

After deploying the patch, monitoring should take place to identify warning events and actions are required on each of those events. All warning events must be resolved before the February 2021 enforcement phase begins.

Deployment guidelines for the August 2020 patch are detailed here.

The February patch will transition into the enforcement phase and will put DCs into enforcement mode regardless of the enforcement mode registry key, forcing all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device.  The update will also remove logging as all vulnerable connections will be denied.

If the August 2020 patch has not yet been applied, systems will be vulnerable to attack. CISA warns that the flaw is an attractive target for attackers and immediate patching is strongly recommended. Should the vulnerability be exploited, and the Active Directory infrastructure compromised, significant damage can be caused, and the attack will be costly to mitigate.

The post CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability appeared first on HIPAA Journal.

Vulnerabilities Identified in Philips Clinical Collaboration Platform

5 low- to medium-severity vulnerabilities have been identified in the Philips Clinical Collaboration Platform (Vue PACS). If successfully exploited, an attacker could convince an authorized user to execute unauthorized actions or could result in the disclosure of information that could be used in further attacks.

Philips has not received any reports to indicate exploits for the vulnerabilities have been developed or used in real world attacks, and there have been no reports of incidents from clinical use associated with the vulnerabilities.

The vulnerabilities affect versions 12.2.1 and prior and range in severity from low (CVSS v3 base score 3.4) to medium (CVSS v3 base score 6.8).

  • CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8)
  • CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5)
  • CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity given by an attacker to ensure the claim is correct. (CVSS 5.0)
  • CVE-2020-14525 – Improper neutralization of scripty in attributes in a web page – Does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users. (CVSS 3.5)
  • CVE-2020-14506 – When input or data is provided, there are insufficient checks to ensure the input has the properties to allow data to be processed safely and correctly. (CVSS 3.4)

Philips released a patch for the Clinical Collaboration Platform (Version 12.2.1.5) in June 2020 for web portals which fixed two of low-severity flaws (CVE-2020-14506 and CVE-2020-14525).

Philips released a new version of the Vue PACS Clinical Collaboration Platform (Version 12.2.5) in May 2020, which corrected four of the flaws (CVE-2020-14506, CVE-2020-14525, CVE-2020-16247, and CVE-2020-16198).

The remaining vulnerability, CVE-2020-16200, could not be patched and requires manual intervention to prevent exploitation. Affected customers are encouraged to contact Philips Customer Support to receive assistance correcting the vulnerability.

Philips also recommends the following mitigations:

  • Implement physical security measures to limit or control access to critical systems.
  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.

The vulnerabilities were identified by Northridge Hospital Medical Center, which reported the vulnerabilities to Philips. Philips released a security advisory and notified relevant authorities about the flaws under its Coordinated Vulnerability Disclosure Policy.

The post Vulnerabilities Identified in Philips Clinical Collaboration Platform appeared first on HIPAA Journal.

CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups

A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity Security and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar cybersecurity advisory warning about hackers linked to the Chinese government conducting attacks exploiting some of the same vulnerabilities.

The Iranian hacking group, known as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 networking solutions, Citrix NetScaler, and Pulse Secure VPNs to gain access to networks. The hacking group has also been observed using open source tools such as Nmap to identify vulnerabilities, such as open ports within vulnerable networks.

Exploited Vulnerabilities

Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, affects Pulse Secure Connect enterprise VPN servers and is a file reading vulnerability. The second is an authentication command injection vulnerability, CVE-2019-11539, in Pulse Secure Pulse Connect Secure software.

The remote code execution vulnerability CVE-2019-19781, which affects Citrix Gateway and Citrix SD-WAN WANOP appliances, is also being exploited along with the CVE-2020-5902 remote code execution vulnerability in F5’s BIG-IP network products.

Once access to networks has been gained, the hackers obtain admin credentials and install web shells such as ChunkyTuna, Tiny, and China Chopper for further entrenchment. They rely heavily on open source and operating system tooling to conduct operations, such as Lightweight Directory Access Protocol (LDAP) directory browser, ngrok, and fast reverse proxy (FRP). Plink and TightVNC are often used for lateral movement.

The hackers have been observed using several methods to evade detection, such as hiding tasks and services, software packing, compile after delivery, and masquerading files as legitimate Dynamic Link Library files. The hackers have also been observed cleaning files on compromised NetScaler devices every 30 minutes to minimize their footprint.

CISA suspects the hackers are stealing data due to the use of tools such as 7-Zip and the ChunkyTuna web shell, although no evidence has been found confirming that to be the case. The hackers are also known to have viewed sensitive documents on compromised networks and have been selling access to compromised organizations on a hacking forum.

While Pioneer Kitten has links to the Iranian government and supports the government’s interests, the hackers also conduct attacks for financial gain and are suspected of having the capabilities to deploy ransomware on victims’ networks.

Pioneer Kitten has attacked government agencies and organizations in several different sectors including healthcare, information technology, finance, insurance, and media organizations in the United States.

Detecting and Preventing Attacks

Many of the attacks involve the exploitation of vulnerabilities for which patches have been released, but not yet applied. The best defense against attacks is to apply patches promptly.

In addition to patching the F5, Citrix, and Pulse Secure vulnerabilities, it is important to investigate whether the vulnerabilities have already been exploited.

The hacking group makes significant use of ngrok to expose a local port to the Internet. This activity may appear as TCP port 443 connections to external cloud-based infrastructure and FRPC is used over port 7557.

CISA has included other Indicators of Compromise (IoCs) in the cybersecurity advisory along with several mitigations that should be implemented to further reduce the risk of attack.

The post CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups appeared first on HIPAA Journal.

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies.

The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful.

The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack.

Some of the most exploited vulnerabilities include:

CVE-2020-5902 – A vulnerability in the F5 Big-IP Traffic Management Interface which, if exploited, allows threat actors to execute arbitrary system commands, disable services, execute java code, and create/delete files.

CVE-2019-19781– A vulnerability in Citrix VPN appliances which can be exploited to achieve directory traversal.

CVE-2019-11510 – A vulnerability in Pulse Secure VPN appliances which can be exploited to gain access to internal networks.

CVE-2020-0688 – A vulnerability in MS Exchange which can be exploited to gain access to Exchange servers and execute arbitrary code.

There is no single action that can be taken to block these threats, but many of the successful attacks have exploited known vulnerabilities. Scans are often conducted within hours or days of a vulnerability being made public. Since many public and private sector organizations do not apply patches promptly, it gives hackers the opportunity to gain access to networks. Applying patches promptly is therefore one of the best forms of defense.

“Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks,” explained CISA in its security advisory. “If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”

Scans are being conducted using tools such as the Shodan search engine to identify potential targets that may be susceptible to attacks. The hackers also leverage the Common Vulnerabilities and Exposure (CVE) and the National Vulnerabilities (NVD) databases to obtained detailed information about vulnerabilities that can be exploited.

“Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” explained CISA. “These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”

Other tactics often used by these threat actors include spear phishing and brute force attempts to guess weak passwords. It is therefore essential to enforce the use of strong passwords, provide phishing awareness training to the workforce, and implement software solutions capable of detecting/blocking phishing attacks.

The post CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws appeared first on HIPAA Journal.

8 Vulnerabilities Identified in Philips Patient Monitoring Devices

8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges.

The vulnerabilities affect the following Philips patient monitoring devices:

  • Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
  • PerformanceBridge Focal Point Version A.01
  • IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
  • IntelliVue X3 and X2 Versions N and prior

Vulnerabilities

CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw.

CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it to be handled safely. Exploitation could trigger a denial of service condition through a system restart.

CVE-2020-16224 – CVSS 6.5/10 – Moderate Severity. When the software parses a formatted message or structure, it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. This could trigger a restart of the surveillance station resulting in interrupted monitoring.

CVE-2020-16228 – CVSS 6.0/10 – Moderate Severity. The software incorrectly checks the revocation status of a certificate, potentially allowing a compromised certificate to be used.

CVE-2020-16222 – CVSS 5.0/10 – Moderate Severity. When individuals claim to have a particular identity, there is insufficient authentication to prove the identity of that individual, potentially allowing unauthorized access to data.

CVE-2020-16214 – CVSS 4.2/10 – Moderate Severity. User-provided information is saved into a CSV file, but since special elements are not correctly neutralized, they could be interpreted as a command when the CSV file is opened using spreadsheet software.

CVE-2020-16218 – CVSS 3.5/10 – Low Severity. The product incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Exploitation could give an attacker read-only access to patient data.

CVE-2020-16220 – CVSS 3.5/10 – Low Severity. Product does not validate or incorrectly validates input to ensure it complies with the syntax, which could be exploited to cause the service to crash.

The vulnerabilities were identified by security researchers at ERNW Research GmbH, ERNW Enno, and Rey Netzwerke GmbH who reported the flaws to Philips. Philips reported the flaws to CISA and other government agencies under the company’s coordinated vulnerability disclosure policy.

There have been no reported cases of any of the vulnerabilities being exploited in the wild. Updates will be issued starting in 2020; however, in the meantime Philips recommends the following mitigations to make it harder for the vulnerabilities to be exploited:

  • Physically or logically isolate the devices from the hospital local area network (LAN).
  • Implement access control lists that restrict access in and out of the patient monitoring network for only necessary ports and IP addresses.
  • Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.
  • Enter a unique password of 8-12 unpredictable and randomized digits when enrolling new devices using SCEP
  • Physically secure the devices to prevent unauthorized login attempts and ensure servers are located in locked data centers.
  • Control access to patient monitors at nurses’ stations
  • Block remote access to PIC iX servers if not required, and if remote access is necessary, only grant remote access on a must-have basis
  • Apply the principle of least privilege and only allow access to bedside monitors to trusted users.

Users should contact their local or regional Philips service support teams for further information on updating the affected patient monitoring devices and applying mitigating measures.

The post 8 Vulnerabilities Identified in Philips Patient Monitoring Devices appeared first on HIPAA Journal.