Healthcare Cybersecurity

Direct-to-Consumer DNA Testing Company Exposed Personal Information Online

San Francisco, CA-based Vitagene, a health tech company that provides direct-to-consumer DNA-testing services, has inadvertently exposed the personal and genealogy information of thousands of customers to unauthorized access over the Internet.

The Vitagene DNA testing service is part of a DNA-based personalized health and wellness platform. Individuals undergo genetic testing to determine their likelihood of developing certain diseases. Vitagene then develops a personalized health and wellness action plan tailored to the individual.

During beta testing, patient records were uploaded to Amazon Web Services cloud servers, but security controls had not been configured correctly. The files could be viewed by anyone without the need for any authentication. Vitagene became aware of the problem in late June and by July 1, external access to customer files was blocked.
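Exposures of this kind are usually a bucket policy or ACL that grants read access to an anonymous principal, which is exactly what the S3 Block Public Access settings are designed to override. The following is an added example, not Vitagene's or AWS's code: it audits a bucket policy document (as returned by `aws s3api get-bucket-policy`) and a Block Public Access configuration (as returned by `aws s3api get-public-access-block`) offline. The two sample policies, the bucket name and the role ARN in them are constructed for illustration.

```python
"""Audit an S3 bucket policy and Block Public Access settings for anonymous read access.

Added example (not Vitagene's or AWS's code). Works offline on the JSON documents
the AWS CLI returns; the sample inputs below are constructed.
"""
import json
from fnmatch import fnmatchcase

# Actions that let an anonymous caller read objects or list the bucket.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

# All four flags must be true for Block Public Access to fully override
# public ACLs and public bucket policies.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy fields may be a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """A Principal of "*" or {"AWS": "*"} means anyone, with no authentication."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Return the Sids (or positional labels) of Allow statements granting read to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        # Action may use wildcards ("s3:*", "s3:Get*", "*"); match them case-insensitively.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase(read, pat) for read in READ_ACTIONS for pat in patterns):
            # A Condition (e.g. aws:SourceIp) may narrow the grant; report it anyway for review.
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def missing_public_access_blocks(config_json):
    """Return the Block Public Access flags that are absent or false."""
    cfg = json.loads(config_json).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not cfg.get(flag, False)]


# Constructed sample: the kind of policy that exposes every object to the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-beta-uploads/*",
    }],
})

# Constructed sample: access restricted to one IAM role (account id and role are made up).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BetaUploaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/BetaUploader"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-beta-uploads/*",
    }],
})

# Constructed sample: only two of the four protections switched on.
PARTIAL_BLOCK = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
}})

if __name__ == "__main__":
    print("public statements (public policy):", public_read_statements(PUBLIC_POLICY))
    print("public statements (locked policy):", public_read_statements(LOCKED_POLICY))
    print("missing block flags:", missing_public_access_blocks(PARTIAL_BLOCK))
```

The policy check is deliberately conservative: a statement with an anonymous principal is reported even when a Condition narrows it, because a reviewer, not a script, should decide whether that condition is adequate. Run it against a bucket policy exported from each account's buckets and against every bucket's Public Access Block configuration; a non-empty result from either function means unauthenticated reads are possible or not fully blocked.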

A spokesperson for Vitagene confirmed that the breach had impacted a small number of its customers who had used its DNA-testing service between 2015 and 2017. The exposed records contained information such as names, addresses, telephone numbers, and personal and work email addresses.

Approximately 300 files contained raw genotype data. Members of the public could have viewed the information, but it would have been difficult for anyone to understand the data unless they had an understanding of genomics.

Approximately 3,000 individuals are believed to have been affected. Those individuals will be notified once the breach investigation has been completed. Vitagene is currently trying to determine whether any customer information was accessed during the time it was available online.

“We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application,” said Chief Executive Officer Mehdi Maghsoodnia. “As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”

Direct-to-consumer DNA testing services are not classed as covered entities under HIPAA and are therefore not subject to its regulations. Many consumers do not realize these types of services are not covered by HIPAA and that they do not have the same rights with respect to their data.

There have been calls for HIPAA’s reach to be extended to include DNA testing services. A bipartisan group of senators has introduced a bill that aims to address the current security gaps and help ensure that consumers’ privacy is protected when using direct-to-consumer genetic testing services and health apps.

The Department of Health and Human Services’ Office for Civil Rights cannot take action over the breach, but the Federal Trade Commission (FTC) could issue a fine, and state attorneys general could take action if state laws have been violated.

The post Direct-to-Consumer DNA Testing Company Exposed Personal Information Online appeared first on HIPAA Journal.

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks not only harm businesses in the healthcare sector but also place the privacy of patients’ health information at risk. While standard security tools were once sufficient, the sophistication of today’s attacks means new solutions are required to protect against them.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliance experts will walk you through the ins and outs of the regulations, and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.

Webinar:

Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration

Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States.

The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device.

The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration.

The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900.

GE Healthcare has confirmed this is not a vulnerability in the GE Healthcare devices themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no introduction of clinical hazard of direct patient risk.” When the device is in use, changes would not alter the delivery of therapy to a patient, and exploitation of the vulnerability would not result in information exposure.

GE Healthcare has provided mitigations to prevent exploitation of the vulnerability. When connecting GE Healthcare anesthesia device serial ports to TCP/IP networks, secure terminal servers should be used and best practices for terminal servers should be followed.

The security features of secure terminal servers include user authentication, strong encryption, network controls, VPN, logging and audit capability, and secure configuration and management options.

Best practices to adopt include governance, management, and secure deployment measures, including the use of VLANs, device isolation, and network segmentation.

Consumers Concerned About Medical Device Security

The importance consumers place on the privacy and security of their health information has been explored in a recent nCipher Security survey.

The survey was conducted on 1,300 U.S. consumers and explored attitudes toward online privacy, the sharing of sensitive information, and data breaches.

The survey revealed consumers are more concerned about their financial information being hacked than their health information. 42% of respondents said their biggest cybersecurity concern was their financial information being stolen, compared to 14% whose main concern was the theft of their health data.

Concern about financial losses is understandable. Theft of financial information can have immediate and potentially very serious consequences. Theft of health data may not be viewed to be as important by comparison, but consumers are still concerned about the consequences of a breach of their personal information.

Over one third of consumers said they were worried that hackers would tamper with their data and 44% were concerned about identity theft after a data breach. 22% of consumers said they were concerned that the hacking of a connected device would jeopardize their health.

The survey explored the main privacy and security concerns related to the sharing of personal information. The biggest privacy concerns were providing SSNs or credit card numbers over the phone (46%), online banking (35%) and online shopping (34%). 16% of respondents thought their private information was most vulnerable when downloading health records or using an internet-connected medical device.

An increasing number of people are now using personal devices to track their movements and monitor their health. Only 37% of survey respondents said they do not record health metrics on some kind of internet-connected device.

23% of consumers use smartphones for that purpose, 13% have internet-connected scales, 12% wear fitness trackers, and 10% use an Apple Watch or similar device. 19% of consumers connect to their provider’s website to track and record their health information.

The survey suggests many consumers have strong feelings about medical device security. More than half of respondents (52%) believed the best way to protect personal data on medical devices is encryption, so that personal information would not be put at risk in the event of a cyberattack.

35% of consumers said they should be required to validate their devices regularly to better protect privacy, and 31% of respondents thought medical devices should be independently certified. 18% are in favor of government-controlled medical devices. 17% of respondents said executives should be fired if personal healthcare data is exposed, including executives at medical device manufacturers.

Critical Vulnerability Identified in Burrows-Wheeler Aligner Genomics Mapping Software

Researchers at Sandia National Laboratories have discovered a vulnerability in open source software used by genomic researchers. If exploited, an attacker could gain access to and alter sensitive genetic information.

DNA screening is a two-step process. First, a patient’s DNA is sequenced and their genome is mapped. Then, the patient’s genetic information is compared with a standardized human genome. Any differences between the two are assessed to determine whether genetic differences are due to diseases. A software tool is used to make the comparison.

Sandia researchers discovered a stack-based buffer overflow vulnerability – CVE-2019-10269 – in the Burrows-Wheeler Aligner (BWA) program used by many researchers to perform DNA-based medical diagnostics. The vulnerability is present at the point where BWA imports the standardized human genome from government servers. The data is transmitted via an insecure channel and could be intercepted in a man-in-the-middle attack.

An attacker could intercept the standardized human genome, combine it with malware, and then transmit both to the BWA user’s device. The malware could alter the information in the patient’s DNA analysis during genome mapping and, as a result, the final DNA analysis could be corrupted.

An attacker could alter DNA mapping data to make it appear that a patient does not have a disease, which would result in a delay in the patient receiving treatment. The DNA analysis could also be altered to indicate a patient has a disease, which would lead physicians to prescribe unnecessary medications which could potentially be harmful to the patient.

After discovering the vulnerability, Sandia notified the software developer and the U.S. Computer Emergency Readiness Team (US-CERT). The software developer has now patched the vulnerability in the latest version of the software. No reports have been received to date to suggest the flaw has been exploited in real-world attacks.

The vulnerability requires a low level of skill to exploit and has been assigned a CVSS v3 base score of 9.8 out of 10 – Critical.

All users of the BWA program should update to the latest version of the software as soon as possible to prevent the flaw from being exploited. The researchers also suggest implementing a solution that prevents sequenced DNA data from being altered and to only ever send sensitive data over secure, encrypted channels.
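The two mitigations the researchers recommend, an encrypted channel and a check that the reference data has not been altered, can both be enforced at the point where the reference genome is imported, before any bytes reach the aligner. The following is an added example, not BWA's code: it refuses any non-TLS URL and compares the SHA-256 of the downloaded bytes with a digest pinned from a trusted, out-of-band source. The sample reference bytes, the pinned digest and the in-memory fetch functions are constructed so the example runs offline, and the URL is a placeholder.

```python
"""Import a reference genome only over TLS and only if its digest matches a pinned value.

Added example, not BWA's code. The reference bytes, pinned digest and fetch
functions are constructed so this runs offline; the URL is a placeholder.
"""
import hashlib
import hmac
from urllib.parse import urlparse


class ReferenceIntegrityError(Exception):
    """Raised when the reference cannot be trusted (wrong transport or digest)."""


def fetch_verified_reference(url, pinned_sha256, fetch):
    """Return reference bytes from `url` only if the transport is TLS and the digest matches.

    `fetch(url) -> bytes` is injected so the transport can be exercised offline; in
    production it would be an HTTPS client with certificate verification enabled.
    """
    if urlparse(url).scheme.lower() != "https":
        raise ReferenceIntegrityError(f"refusing non-TLS transport for {url}")
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    # Digest is checked before the data is parsed, so a malformed or malicious
    # file never reaches the aligner's input routines.
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise ReferenceIntegrityError("reference digest mismatch: data altered in transit or at rest")
    return data


# Constructed sample reference (FASTA-like) and the digest an operator would pin
# after obtaining it out of band from the reference provider.
GOOD_REFERENCE = b">chr_test constructed sample\nACGTACGTTGCAACGT\n"
PINNED_SHA256 = hashlib.sha256(GOOD_REFERENCE).hexdigest()
TAMPERED_REFERENCE = GOOD_REFERENCE.replace(b"TTGCA", b"TTGGA")  # one base changed
REFERENCE_URL = "https://reference.example/hg-placeholder.fa"  # placeholder URL


def honest_fetch(url):
    """Stands in for a download that arrives unmodified."""
    return GOOD_REFERENCE


def tampering_fetch(url):
    """Stands in for a download that was altered in transit."""
    return TAMPERED_REFERENCE


def run_scenarios():
    """Exercise the three cases and return the outcome per scenario."""
    outcomes = {}
    for name, url, fetch in (
        ("clean_https", REFERENCE_URL, honest_fetch),
        ("tampered_https", REFERENCE_URL, tampering_fetch),
        ("plain_http", REFERENCE_URL.replace("https://", "http://"), honest_fetch),
    ):
        try:
            fetch_verified_reference(url, PINNED_SHA256, fetch)
            outcomes[name] = "accepted"
        except ReferenceIntegrityError as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The digest is checked before the file is parsed, which is the point that matters for a bug like the one described here: a reference altered in transit is rejected without ever being handed to the code that reads it. The pinned digest must come from somewhere other than the download itself (a signed release note or a checksum retrieved over a separately verified connection), otherwise an attacker who can alter the file can alter the checksum too.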

The researchers have also urged security researchers to analyze genomics software for similar weaknesses. While the BWA vulnerability has been corrected, similar vulnerabilities may exist in other genomics mapping programs.

U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability

A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks.

U.S. Cyber Command has issued a warning about vulnerability CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware. U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation.

The flaw is a sandbox escape vulnerability which can be exploited if the attacker has the user’s Outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s home page to a page with embedded code that downloads and executes malware when Outlook is opened.

U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicle, and others have linked the attacks to the Iran-backed cyberespionage group APT33.

APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force attacks using commonly used passwords. A typical attack will see multiple accounts targeted. When multiple passwords have been guessed, the Outlook vulnerability is exploited, and malware is downloaded on multiple devices on the network.

While there have been attacks on U.S. entities in the past, the group has been most active in the Middle East. The rise in attacks on American targets is believed to be linked to the escalating tensions between the two countries.

The U.S. Cyber Command warning on Twitter comes just a few days after the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, issued a warning on Twitter about Iran-backed threat groups conducting attacks using wiper malware. That warning was issued following an increase in cyberattacks on U.S. businesses and government entities by threat actors with links to Iran.

Symantec also issued a warning about an increase in attacks by the threat group APT33 in March this year, in which an exploit for a vulnerability in WinRAR was being used.

APT33, also known as Shamoon, was discovered to have links to Iran by FireEye researchers in 2017. The group is believed to have conducted a range of cyberattacks throughout the Middle East. The largest ever cyberattack in the Middle East, on oil firm Saudi Aramco in 2012, involved wiper malware called Shamoon. While the malware shares the name with the threat group, APT33 has not been confirmed as being involved in the attacks, although it is suspected by many.

Brandon Levene, head of applied intelligence at Chronicle, analyzed malware samples released by U.S. Cyber Command and found several similarities between the latest attacks and Shamoon malware campaigns in 2016. The latter leveraged a vulnerability and executed a PowerShell script to download the Pupy remote access Trojan and there are code similarities in the downloaders used in the latest attacks.

Levene also analyzed three malicious tools that were used in the recent attacks. The tools had different purposes but would have allowed the attackers to interact with a server they have compromised and conduct a range of different malicious activities. APT33 has used similar tools in attacks in the past to remotely execute code on compromised devices. FireEye’s Andrew Thompson also attributed the latest attacks to the threat group APT33.

With the U.S. stepping up its cyber offensive against Iran and as tensions continue to rise, retaliatory attacks on U.S. targets are likely to continue.

Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices

A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices.

For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices.

One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data.

The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity principles relevant to healthcare providers of all sizes. These principles must be addressed to ensure cybersecurity risks are reduced to a reasonable and acceptable level.

The principles are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

KLAS and CHIME assessed the responses against these principles and found large healthcare organizations to be performing well, with mature and sophisticated cybersecurity defenses. Larger healthcare organizations were more proactive and were conducting regular vulnerability scans and application testing, whereas smaller providers were reliant on penetration tests to identify vulnerabilities.

Larger healthcare organizations were more likely to have a dedicated CISO, board-level committees and governance, risk management, compliance committees, and BYOD management, which were often found lacking at smaller organizations.

Smaller providers were less likely to use network segmentation and multi-factor authentication – two important measures for limiting damage in the event of credentials being compromised. While network access controls had been implemented at virtually all surveyed provider organizations, less than half of smaller providers had implemented network segmentation.

Network segmentation is important for preventing the spread of malware internally and to stop hackers from having full access to the entire network. Without it, a single compromised device could mean the entire network is compromised. Multi-factor authentication is similarly important. In the event of credentials being stolen, in a phishing attack for example, multi-factor authentication should prevent the account from being accessed. Only half of smaller providers had implemented MFA.

There were several positives in the report. Email and endpoint security systems had been implemented at most provider organizations which provide a reasonable level of protection against external threats. The threat from phishing was being addressed through security awareness training and phishing email simulations. 70% of all providers conducted phishing simulations at least every quarter.

Providers are concerned about medical device security and the potential for an attack to cause harm to patients. Most providers have included medical device security in their cybersecurity program, which is supported by strong cybersecurity practices in other areas. Data loss prevention solutions have also been widely adopted, although on-premises DLP solutions have slowed the transition to the cloud. Most organizations that use DLP solutions back up data physically rather than using cloud backup services.

Incident response plans have been developed by most providers and most have signed up with information sharing and analysis organizations to participate in threat sharing. It is essential to have a plan in place to ensure a smooth incident response, but that plan must be tested to make sure it works in practice. Only half of organizations conduct an exercise annually to test their incident response plan.

“Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management, and procurement teams,” said Steven R. Cagle, CEO of Clearwater, sponsor of the report.

Making improvements to an organization’s cybersecurity posture can be a challenge with too little money and resources often available to address all issues. Consequently, it can be difficult to know where to start. Cagle suggests starting with a comprehensive risk analysis to identify and evaluate all risks. A risk management plan can then be developed to prioritize the most serious vulnerabilities.

Larger healthcare organizations are more likely to use risk management software to support this process and identify the highest risks and optimize deployment of security controls. The result is greater risk reduction for lower costs.

The findings of the KLAS-CHIME study were published in the white paper – How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?

Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk

The United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA) have issued alerts about cybersecurity flaws in certain Medtronic insulin pumps.

The affected insulin pumps connect with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices using wireless RF. Vulnerabilities have been identified in certain MiniMed 508 and MiniMed Paradigm insulin pumps which could allow an attacker with adjacent access to an affected product to intercept, modify, or interfere with the RF communications to or from the product.

Consequently, it would be possible to read data sent to and from the device, alter the settings of the insulin pump, and take control of insulin delivery. An attack could therefore result in hypoglycemia, diabetic ketoacidosis, or death.

The flaw – CVE-2019-10964 – is due to the communications protocol not properly implementing authentication or authorization and has been assigned a CVSS v3 base score of 7.1 out of 10.

The flaw was uncovered by security researchers Nathanael Paul, Jay Radcliffe, Barnaby Jack, Billy Rios, Jonathan Butts, and Jesse Young, with assistance provided by Medtronic.

The following devices are vulnerable:

  • MiniMed 508 pump – All versions
  • MiniMed Paradigm (511 pump, 512/712 pumps, 712E pump, 515/715 pumps, 522/722 pumps, 522K/722K pumps)
  • MiniMed 523/723 and 523K/723K pumps – Software versions 2.4A or lower
  • MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower
  • MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower

FDA deputy director of strategic partnerships and technology innovation Suzanne Schwartz said, “The risk of patient harm if such a vulnerability were left unaddressed is significant.” At this stage, no one is known to have exploited the flaw in a real-world attack.

While there are mitigations that can help to reduce the risk of exploitation of the vulnerability, Medtronic has been unable to develop a patch or software update that can correct the flaw. Consequently, the decision was taken to recall all affected insulin pumps and replace them with devices with more robust cybersecurity protections.

Medtronic says there are around 4,000 patients using the vulnerable insulin pumps in the United States. All have been asked to contact their care providers as soon as possible to arrange for their insulin pump to be replaced.

DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’

The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels and a U.S. surveillance drone was shot as it flew over the Strait of Hormuz. Iran claims the drone was flying in its territory.

The U.S. responded with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did take place in cyberspace. The U.S. Cyber Command has reportedly launched an attack on an Iranian spying group, the Islamic Revolutionary Guard Corps, that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to launch missiles and rockets.

Iranian threat actors have also been highly active. There have been increasing numbers of cyberattacks on United States industries and government agencies.

While cyberattacks can take many forms, Iranian threat actors have increased attacks using wiper malware. In addition to stealing data and money, the threat actors use the malware to wipe systems clean and take down entire networks.

Iran is one of three countries rated by the United States as having highly capable threat actors involved in economic espionage and theft of trade secrets and proprietary data. Iranian hackers are more than capable of conducting devastating cyberattacks.

Iranian hackers were behind the SamSam ransomware attacks on healthcare providers and hackers working for the Iranian regime are believed to be responsible for the cyberattack on the Saudi Arabian oil firm Saudi Aramco in 2012. Shamoon wiper malware was used in that attack to wipe tens of thousands of devices.

The harm caused by these wiper attacks is considerable. In 2017, attacks using NotPetya wiper malware resulted in global financial losses of between $4 billion and $8 billion. The attack on the shipping firm Maersk resulted in losses of around $300 million. The attacks are also common. According to a recent report by Carbon Black, 45% of healthcare CISOs have experienced a wiper malware attack in the past 12 months.

The hackers may be highly capable, but they still use basic techniques and exploit common weaknesses to gain access to networks. These include phishing and spear phishing, social engineering, password spraying, and credential stuffing.

All of these attack methods can be blocked with basic cybersecurity measures such as enforcing the use of strong passwords, changing all default passwords, rate limiting on logins, applying the principle of least privilege when setting permissions, implementing multi-factor authentication, closing unused ports, disabling RDP, prompt patching, adopting a robust backup strategy, and providing security awareness training to employees.
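The brute-force pattern described in the Outlook item above, a small set of common passwords tried against many accounts, is the password spraying named in this list of weaknesses, and it leaves a recognisable signature in authentication logs: one source, many distinct usernames, very few failures per username, inside a short window. The detection below is an added example, not code from CISA or this article; it runs over a handful of constructed log lines in a made-up `src=... user=... result=...` format, so the field names, the regex and the thresholds are assumptions to be adapted to your own log source. It also lists any successful logins from a flagged source, since those are the accounts to reset first.

```python
"""Flag password-spraying sources in authentication logs.

Added example, not code from CISA or this article. The log format
(`<iso-timestamp> src=<ip> user=<name> result=OK|FAIL`) and the sample lines
are constructed; map the regex to your own log source.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source walks through ten accounts once each (a spray),
# another source hammers a single account (a brute force, a different signature).
SAMPLE_LOG = """\
2019-07-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-07-01T09:00:09Z src=203.0.113.5 user=bob result=FAIL
2019-07-01T09:00:17Z src=203.0.113.5 user=carol result=FAIL
2019-07-01T09:00:25Z src=203.0.113.5 user=dave result=FAIL
2019-07-01T09:00:33Z src=203.0.113.5 user=erin result=FAIL
2019-07-01T09:00:41Z src=203.0.113.5 user=frank result=FAIL
2019-07-01T09:00:49Z src=203.0.113.5 user=grace result=FAIL
2019-07-01T09:00:57Z src=203.0.113.5 user=heidi result=FAIL
2019-07-01T09:01:05Z src=203.0.113.5 user=ivan result=FAIL
2019-07-01T09:01:13Z src=203.0.113.5 user=judy result=FAIL
2019-07-01T09:01:21Z src=203.0.113.5 user=heidi result=OK
2019-07-01T09:05:00Z src=198.51.100.7 user=olivia result=FAIL
2019-07-01T09:05:10Z src=198.51.100.7 user=olivia result=FAIL
2019-07-01T09:05:20Z src=198.51.100.7 user=olivia result=FAIL
2019-07-01T09:05:30Z src=198.51.100.7 user=olivia result=OK
"""


def parse_events(log_text):
    """Yield (timestamp, src, user, result) for lines that match the expected format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # lines in other formats are skipped rather than crashing the detector
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["user"], m["result"])


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=8, max_per_user=3):
    """Return {src: {"distinct_users": n, "successes": [users]}} for sources that look like sprays.

    A spray is at least `min_users` distinct usernames failing from one source
    inside `window`, with no single username tried more than `max_per_user`
    times. A single account hit many times is a brute force, not a spray, and
    is left to a separate rule.
    """
    events = sorted(parse_events(log_text))  # chronological; tuples sort by timestamp first
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)

    alerts = {}
    for src, fails in failures.items():
        recent = deque()  # sliding window of (ts, user) failures from this source
        for ts, user in fails:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                entry = alerts.setdefault(src, {"distinct_users": 0, "successes": []})
                entry["distinct_users"] = max(entry["distinct_users"], len(per_user))
    for src, entry in alerts.items():
        entry["successes"] = sorted(successes.get(src, set()))
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts tried, successes={info['successes']}")
```

On the constructed sample only 203.0.113.5 is flagged: ten accounts in just over a minute, one attempt each, and a subsequent success for `heidi`, which is the account to reset and investigate. The single-account source is deliberately not reported, because lockout and per-account rate limiting already handle that pattern, whereas a spray stays under per-account thresholds and is only visible when failures are grouped by source.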

Krebs warned that all U.S. industries, government agencies, and businesses should be alert to the risk of cyberattacks. “If you suspect an incident, take it seriously and act quickly,” said Krebs.
