Healthcare Cybersecurity

Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server

Advisories have been issued about recently discovered vulnerabilities in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server.

Improper Access Control Identified in Insulet Omnipod Insulin Management System

ThirdwayV Inc. has discovered a high severity flaw in the Omnipod Insulin Management System which could allow an attacker with access to a vulnerable insulin pump to access the Pod and intercept and modify data, change insulin pump settings, and control insulin delivery.

The vulnerable insulin pumps communicate with an Insulet manufactured Personal Diabetes Manager device using wireless RF. The researchers discovered the RF communication protocol does not implement authentication or authorization properly.

The following versions are affected:

  • Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160
  • UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)

The vulnerability is tracked as CVE-2020-10597 and has been assigned a CVSS v3 base score of 7.3 out of 10. There have been no reported cases of exploitation of the vulnerability.

Patients should not connect any third-party devices or use unauthorized software and should be attentive to pump notifications, alarms and alerts. Patients should monitor their blood glucose levels carefully and any unintended boluses should be cancelled at once. Insulet recommends updating to the latest model of the insulin pump, which has greater cybersecurity protections.

Patients using one of the vulnerable products have been advised to contact Insulet Customer Care or their healthcare provider for further information on the risk posed by the vulnerability.

Cross-Site Scripting Vulnerability Found in Systech NDS-5000 Terminal Server

An NDS-5000 Terminal Server cross-site scripting vulnerability has been identified that could allow an attacker to perform privileged operations on behalf of users, access sensitive data, limit system availability, and potentially execute arbitrary code remotely. The vulnerability can be exploited remotely and requires only a low skill level to exploit.

The vulnerability is tracked as CVE-2020-7006 and has been assigned a CVSS v3 base score of 6.8 out of 10 (medium severity). The vulnerability affects the NDS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware Version 02D.30 and has been corrected in firmware version 02F.6.

Users of the affected product should contact Systech Technical Support for further information on updating the firmware to prevent exploitation.

The vulnerability was identified by Murat Aydemir, Critical Infrastructure Penetration Test Specialist at Biznet Bilisim A.S.

The post Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server appeared first on HIPAA Journal.

CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers

In an effort to prevent the spread of the coronavirus, many employers are telling their employees to work from home. While this measure is important for reducing the risk of contracting Coronavirus Disease 2019 (COVID-19), working from home introduces other risks.

To protect against cyberattacks, enterprise-class virtual private network (VPN) solutions should be used to connect remotely to the network. A VPN secures the connection between a user’s device and the network, allowing healthcare information to be accessed and shared securely.

While VPNs will improve security, many VPN solutions have vulnerabilities that can be exploited by cybercriminals. If those vulnerabilities are exploited, sensitive data can be intercepted, and an attacker could even take control of affected systems. Cybercriminals are actively searching for vulnerabilities in VPNs to exploit, and the increase in remote workers as a result of the coronavirus gives them many more targets to attack.

The risks associated with VPNs and the increase in the number of remote workers due to the coronavirus have prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert advising organizations to increase VPN security and adopt cybersecurity best practices to protect against cyberattacks.

Several vulnerabilities have been discovered in popular VPN solutions in the past 12 months, including VPN applications from Palo Alto Networks, Pulse Secure, and FortiGuard. While patches have been released to address the vulnerabilities, many organizations have not updated their software to the latest version. The failure to patch negates the protection provided by the VPN.

A campaign was detected in January 2020 targeting the CVE-2019-11510 remote code execution vulnerability in Pulse Secure Connect and Pulse Policy Secure to deliver REvil ransomware. By exploiting the vulnerability, an attacker could potentially gain access to all active users and obtain their credentials in plaintext and execute arbitrary commands on VPN clients as they connect to the server. A patch to correct the vulnerability was released by Pulse Secure on April 24, 2019, yet 9 months later, many organizations are still using vulnerable versions of the VPN.

Updating VPNs can be difficult because they are often in use 24/7; however, it is essential that updates are applied due to the high risk of exploitation of unpatched vulnerabilities. CISA is urging all organizations to ensure that VPN patches are prioritized.

It is also important to make sure that users only have access to the systems they need to perform their work duties. Giving remote workers the lowest level of privileges their role allows will reduce the harm that can be caused if their credentials are compromised. IT teams should also step up monitoring of their networks and review access logs to identify potential compromises.

CISA has also warned about an increase in phishing attacks targeting remote workers to obtain VPN credentials. Email security solutions need to be in place to capture these messages before they are delivered, and multifactor authentication should be implemented for remote access to prevent stolen credentials from being used. CISA warns that organizations that fail to implement MFA will be at greater risk from phishing attacks.

IT teams also need to make sure their systems can cope with the increased number of remote workers. CISA warns that organizations may find they only have a limited number of VPN connections, and when they are all in use some users will be prevented from accessing systems to conduct telework. “With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks,” warns CISA.

The HHS’ Centers for Medicare and Medicaid Services (CMS) has expanded Medicare telehealth benefits to help in the fight against COVID-19, and the HHS’ Office for Civil Rights has announced it will be exercising enforcement discretion in relation to telehealth. This will allow more healthcare workers to work remotely over the coming weeks. It is therefore critical that VPN best practices are followed.


Department of Health and Human Services Targeted in Cyberattack

The U.S. Department of Health and Human Services (HHS) has been targeted by cybercriminals in what appears to be an attempt to overwhelm its website with millions of hits. According to a statement issued by HHS spokesperson Caitlin B. Oakley, HHS detected “a significant increase in activity on HHS cyber infrastructure” in what appears to have been an attempted Distributed Denial of Service (DDoS) attack.

The individuals responsible for the attack were unsuccessful thanks to additional protections put in place to mitigate DDoS attacks as part of the HHS preparation and response to the COVID-19 pandemic. “HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” explained Oakley.

No data breach was experienced and the HHS and federal networks are continuing to function normally. Federal cybersecurity professionals are continuing to monitor HHS computer networks and will take appropriate actions to protect those networks and mitigate any further attacks should they occur. The federal government is investigating the attack and at this stage it is unclear who was responsible.

“We have extremely strong barriers, we had no penetration into our networks, no degradation of the functioning of our networks, we had no limitation on the ability or capacity of our people to telework, we’ve taken very strong defensive actions,” said HHS Secretary, Alex Azar.

The White House National Security Council (NSC) sent a tweet on Sunday warning about a disinformation campaign which suggests President Trump is about to order a national quarantine and that the country will be placed on lockdown, as has been the case in Italy and Spain. The NSC tweet explained that these text message rumors are fake. It is unclear if the attempted DDoS attack and text message campaign are related.

There are also several phishing campaigns being conducted that use fear about SARS-CoV-2 and COVID-19 to spread malware and obtain sensitive information. The malicious email campaigns are likely to increase as the pandemic develops. If you receive any email communication related to SARS-CoV-2 and COVID-19, verify the validity of the message before taking any action.

For up-to-date information and guidance on SARS-CoV-2 and COVID-19, visit the Centers for Disease Control and Prevention (CDC) website – CDC.gov.

Illinois Public Health Network Suffers Ransomware Attack

Last week, cybercriminals launched a cyberattack on the Champaign-Urbana Public Health District in Illinois and deployed Netwalker (MailTo) ransomware. The attack disabled the public health district’s website on the morning of March 10, 2020. The incident was investigated and was confirmed as a ransomware attack within a couple of hours.

Employees were able to continue to access critical systems during the website outage. No electronic medical records or other sensitive data have been compromised. Medical records had been migrated to the cloud six months earlier. The Champaign-Urbana Public Health District website has since been restored.


HSCC Publishes Best Practices for Cyber Threat Information Sharing

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk.

The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes.

One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is probable that similar attacks will be performed on others. Through threat information sharing, healthcare organizations can learn from others about attacks and mitigations so they can prepare and improve their own security posture. This is especially important for healthcare organizations with limited resources to devote to cybersecurity as it allows them to crowd source cybersecurity expertise.

The threat landscape evolves at a rapid pace and new attack methods are constantly being developed by cybercriminals. Cyber threat intelligence sharing programs help participants keep abreast of new attack methods and take steps to reduce risk through rapid sharing of actionable intelligence. Cross-organizational collaboration also helps to improve patient safety through the development of trusted networks that help manage potential threats.

The guidance document helps organizations get started by outlining the steps that need to be taken to prepare before joining a threat information sharing program. Preparation requires information sharing goals and objectives to be established, as well as governance models for regulatory compliance. Information sharing assets must be categorized, a governance body must be created, and sanitization rules must be established. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing is understood.

The HSCC cyber threat information sharing guidance details the types of information that should be shared, such as strategic, tactical, operational, and technical intelligence, as well as open source data and incident response information. “While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors – threat intelligence data truly comes in a variety of forms and should encompass all cyber risk that could impact the health industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks,” explained HSCC.

The guidance also details best practices for sharing information, such as using the traffic light protocol and ensuring legal protections are in place to protect against any liability, and also provides advice on who to share threat data with. The document concludes with case studies showing how information can be shared to benefit the information sharing community and protect against attacks.

The HSCC best practices for cyber threat information sharing can be downloaded via this link.


83% of Medical Devices Run on Outdated Operating Systems

The current state of IoT device security has been investigated by the Unit 42 team at Palo Alto Networks which identified major risks to the confidentiality, integrity and availability of healthcare data and serious vulnerabilities that could easily be exploited in devastating cyberattacks.

The Unit 42 team analyzed more than 1.2 million IoT devices of 8,000 different types across a range of industry sectors for the 2020 IoT Threat Report. Data was gathered from its Zingbox IoT inventory and management service, which included 73.2 billion network sessions.

The researchers found high numbers of IoT devices that use legacy protocols and unsupported operating systems, a problem that has worsened since support for Windows 7 ended in January 2020. Unit 42’s research revealed only 17% of devices have active support for their underlying operating systems. In healthcare, 83% of IoT devices were running on unsupported operating systems, which increased 56% from last year following the end of support for Windows 7. 27% of IoT medical devices are still running on Windows XP and decommissioned versions of Linux.

51% of all cyberthreats in healthcare concern imaging devices, attacks on which can disrupt the care provided to patients. Exposure of sensitive data is a real issue, especially considering 98% of IoT device traffic is not encrypted. Sensitive data is transmitted in plaintext and can be intercepted by anyone who knows where to look.

Network segmentation has improved since last year when the study was last conducted. The Unit 42 team found that the number of hospitals that had more than 20 VLANs had tripled since last year to 44%. However, 72% of healthcare VLANs include standard IT assets as well as IoT devices. An attack on a vulnerable IoT device could allow malware to be transferred to computers and servers on the same network. A doctor opening a malicious email attachment could see malware transferred to medical devices such as infusion pumps, MRI machines, and other medical imaging systems.

The researchers found 57% of all IoT devices are vulnerable to high or medium severity attacks. It is common for default passwords to remain in place, even though those passwords can easily be found online. When passwords are changed, they are often changed to easy-to-remember passwords that are vulnerable to brute force attacks. Patching was found to be poor, and the use of unsupported operating systems means patches are no longer released to correct known vulnerabilities.

IoT devices used to be attacked and added to botnets to conduct DDoS attacks, but now it is common for the devices to be attacked to give cybercriminals a foothold in healthcare networks. Once a device has been compromised, the attackers move laterally and compromise other systems on the network, either manually or through worm-like attacks.

IoT devices are also not being monitored so compromised devices are often not identified. The Unit 42 team identified a mammogram machine that was infected with the Conficker worm – a malware variant that was first identified in November 2008.

Unit 42 recommends action be taken to ensure vulnerabilities are identified and addressed to make the devices harder to attack. That process must start with a complete inventory of all IoT devices on the network. A recently published report from the Enterprise Strategy Group revealed 77% of organizations do not have full visibility into all of the IoT devices on their networks.

Patches should be implemented on all devices that can be patched, with priority given to the types of devices that carry the highest level of risk – medical devices – and those with the most vulnerabilities – security cameras and printers.

Network segmentation is necessary to make it harder for attackers to move laterally, with IoT devices kept separate from standard IT assets. IoT devices should also be monitored to detect attacks in progress.


90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attack was very or extremely disruptive.

Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, email-based attacks are easy to perform and require little technical skill, and they often give a high return on investment. Healthcare email security defenses also lag behind other industry sectors and security awareness training is often overlooked.

The study was conducted in November 2019 on 101 individuals who had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have rolled out, or are in the process of rolling out, a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked about their current email security deployments, only half had a high level of confidence that their email security measures would block email-based threats.

When asked about the email threats they had experienced and which were the most disruptive, 61% of respondents said impersonation of trusted vendors were very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive. The main losses caused by the attacks were productivity (55%), data (34%) and financial (17%).

Email security solutions can block the majority of threats, yet only 79% of respondents said they had email security controls in place or were planning to introduce them. Internet and web protection measures had only been implemented by 64% of surveyed healthcare organizations.

These technical solutions are important, but it is important not to forget the human element. Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided. 40% of respondents said they provide security awareness training less than quarterly and 27% only provide training once a year.

“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Matthew Gardiner, director of enterprise security at Mimecast. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”

It is alarming considering the number of email-based attacks that 11% of respondents said they conduct security awareness training less frequently than once a year, only during onboarding, or only after a major event such as a phishing attack or data breach.

“To better prepare, information technology and security professionals must strengthen their email security programs by combining the best technical controls with knowledgeable staff and resilient business processes to avoid disruption from email-borne attacks,” said Gardiner.


Maximum Severity SMBv3 Flaw Identified: Workaround Required Until Patch Released

A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine.

This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server.

The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). It has not yet been confirmed if earlier Windows versions such as Windows 8 and Windows Server 2012 are also vulnerable.

Both Fortinet and Cisco Talos published blog posts summarizing the SMBv3 vulnerability, although Cisco Talos later took down the post. A patch for the flaw was expected to be released by Microsoft on March 2020 Patch Tuesday, but a full fix was not ready in time.

Proof of concept exploits for the flaw have not been published online at the time of writing and there have been no reported cases of exploitation of the vulnerability in the wild; however, Microsoft recommends Windows administrators should take steps to protect against exploitation until a patch is released to correct the flaw.

Workarounds:

  • Disable SMBv3 compression
  • Block TCP port 445 on the network perimeter firewall

Blocking port 445 is the best defense against internet-based attacks, but it will not prevent exploitation from within the enterprise firewall.

SMBv3 compression can be disabled on SMBv3 servers by using the following PowerShell command. No reboot is required after making the change.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Microsoft says disabling SMBv3 compression will not prevent exploitation of SMB clients.
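A check-and-apply version of the compression workaround above, written here as an added PowerShell example that is not from the HIPAA Journal post or from Microsoft. It assumes the registry path and value named in the post, and that Windows builds 18362 and 18363 correspond to the 1903 and 1909 releases listed as affected; the function names are the example's own.

```powershell
# Added example: assess a host for the CVE-2020-0796 server-side workaround and apply it
# idempotently. Registry path/value are the ones Microsoft publishes; build-to-release
# mapping (18362 = 1903, 18363 = 1909) is an assumption stated in the lead-in.
#Requires -RunAsAdministrator

$RegPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName      = 'DisableCompression'
$AffectedBuilds = @(18362, 18363)   # 1903 and 1909 (client and Server Core) per the post

function Get-OsBuildNumber {
    # Win32_OperatingSystem.BuildNumber is a string such as "18362"; cast to int for comparison.
    return [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
}

function Test-AffectedBuild {
    # True when the running build is one the advisory names. Earlier versions (e.g. Windows 8,
    # Server 2012) were unconfirmed at the time of the post, so a $false here is not "safe".
    return $AffectedBuilds -contains (Get-OsBuildNumber)
}

function Get-SmbCompressionState {
    # Reads the workaround value. An absent value means compression is still enabled.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)          { return 'Enabled (value not set)' }
    if ($item.$ValueName -eq 1)   { return 'Disabled (workaround applied)' }
    return "Enabled (value is $($item.$ValueName))"
}

function Set-SmbCompressionWorkaround {
    # Supports -WhatIf so the change can be previewed; the write itself is the same
    # Set-ItemProperty call Microsoft documents. No reboot is required.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-SmbCompressionState) -eq 'Disabled (workaround applied)') {
        Write-Verbose 'Workaround already in place; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($RegPath, "Set $ValueName = 1 (disable SMBv3 compression)")) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWord -Value 1 -Force
    }
}

# --- Usage: report, preview, then verify. Drop -WhatIf to actually write the value. ---
$build = Get-OsBuildNumber
if (Test-AffectedBuild) {
    Write-Host "Build $build is named as affected in the advisory."
} else {
    Write-Host "Build $build is not named as affected; the workaround is still harmless to apply."
}
Write-Host "Before: $(Get-SmbCompressionState)"
Set-SmbCompressionWorkaround -WhatIf -Verbose
Write-Host "After:  $(Get-SmbCompressionState)"
# Note: this only hardens the SMB server role; as the post says, it does not protect SMB clients,
# and blocking TCP 445 at the perimeter is a separate control.
```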

It is essential to apply the patch as soon as it is released by Microsoft. No timescale has been released on when the patch will be made available. Due to the severity of the flaw it is probable that an out-of-band patch will be released.


Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign

Researchers at Proofpoint have identified a new phishing campaign targeting healthcare providers, insurance firms and pharmaceutical companies. The intercepted emails impersonate Vanderbilt University Medical Center and claim to include the results of a recent HIV test.

The emails have the subject line “Test result of medical analysis” and include an Excel spreadsheet attachment – named TestResult.xlsb – which the recipient must open to view the HIV test results. When the spreadsheet is opened, the user is advised the data is protected. To view the test result it is necessary to enable content. If content is enabled and macros are allowed to run, malware will be downloaded onto the user’s computer.

This is a relatively small-scale campaign being used to distribute the Koadic RAT, a program used by network defenders and pen testers to take control of a system. According to Proofpoint, Koadic is popular with nation state-backed hacking groups in Russia, China, and Iran. Koadic allows attackers to take control of a computer, install and run programs, and steal sensitive personal and financial data.

Proofpoint has also intercepted several Coronavirus-themed phishing emails in the past few weeks that are being used to distribute a range of malware variants including the Emotet Trojan, AZORult information stealer, the AgentTesla keylogger, and the NanoCore RAT. Several campaigns have been identified that use fake DocuSign, Office 365, and Adobe websites for harvesting credentials.

Several coronavirus-themed phishing lures have been identified. Many claim to offer further information about local COVID-19 cases or claim to include important information to prevent infection. One campaign claimed there was a vaccine and a cure for COVID-19 and it was being withheld by the government. Some of the phishing emails are extremely well written and are highly convincing and impersonate authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Researchers at Check Point have been tracking coronavirus-themed domains and report more than 4,000 new coronavirus-themed domains have been registered since January 2020. 5% of those domains are suspicious and 3% have been confirmed as malicious and are being used in phishing campaigns or for malware distribution.

“Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links,” explained Proofpoint. “If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”


Q3, 2019 Saw a 350% Increase in Ransomware Attacks on Healthcare Providers

Ransomware attacks on healthcare providers increased by 350% in Q4, 2019, according to a recently published report from Corvus. The attacks show no sign of letting up in 2020. Already in 2020 attacks have been reported by NRC Health, Jordan Health, Pediatric Physician’s Organization at Children’s, and the accounting firm BST & Co., which affected the medical group Community Care Physicians.

To identify ransomware trends in healthcare, Corvus’s Data Science team studied ransomware attacks on healthcare organizations since Q1, 2017. Between Q1, 2017 and Q2, 2019, an average of 2.1 ransomware attacks were reported by healthcare organizations each quarter. In Q3, 2019, 7 attacks were reported, and 9 attacks were reported in Q4, 2019. Corvus identified more than two dozen ransomware attacks on U.S. healthcare organizations in 2019 and predicts there will be at least 12 ransomware attacks on healthcare organizations in Q1, 2020.

Reports from other cybersecurity firms similarly show an increase in ransomware attacks on healthcare providers in the second half of the year. One report from Emsisoft suggested ransomware attacks had affected 764 U.S. healthcare providers in 2019.

The analysis by Corvus shows healthcare organizations have a smaller attack surface than the web average, which makes it easier to defend against attacks; however, attacks are still succeeding, which shows healthcare organizations are struggling to block the main attack vectors used by cybercriminals to deliver their ransomware payloads.

There are two main ways that threat actors gain access to healthcare networks to deploy ransomware: Remote Desktop Protocol (RDP) and email. Threat actors search for healthcare organizations with exposed RDP ports and use brute force tactics to guess passwords. Corvus calculated that having an open RDP port increases the likelihood of a ransomware attack by 37%. Healthcare organizations had an average of 9 open ports, with the lowest number in hospitals and the highest number in medical groups.

Email is the main attack vector and is used in the majority of ransomware attacks on healthcare organizations. According to Corvus, 91% of ransomware attacks were the result of phishing.

Email security solutions capable of scanning emails, hyperlinks, and email attachments can identify and block many email-based threats; however, 75% of hospitals do not use those tools. Across the healthcare industry as a whole, only 14% of healthcare organizations used email scanning and filtering solutions.

Corvus’s research suggests that when email scanning and filtering tools are implemented there is a 33% lower chance of experiencing a ransomware attack. Risk can be further reduced by providing regular security awareness training to employees to help them identify phishing emails and malware threats. Email authentication measures should also be implemented. If email credentials are compromised, 2-factor authentication can prevent stolen credentials from being used to gain access to internal resources.
