Healthcare Data Security

FBI Issues Warning About Increasing Egregor Ransomware Activity

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert about the growing threat of Egregor ransomware attacks.

Egregor ransomware is a ransomware-as-a-service operation that was first identified in September 2020. The threat actors behind the operation recruit affiliates to distribute their ransomware and give them a cut of any ransoms they generate. The affiliates have been highly active over the past three months and have conducted attacks on many large enterprises. High-profile victims include Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink.

The threat group claims to have gained access to more than 150 corporate networks and deployed their ransomware, with the ransom demands exceeding $4 million. Many affiliates have been recruited by the Egregor ransomware gang and each has their preferred method of distributing the ransomware. With a wide range of tactics, techniques, and procedures used to deliver the ransomware, defending against attacks can be a challenge for network defenders.

Initial access to corporate networks is often gained through phishing attacks targeting corporate email accounts using attachments with malicious code that downloads the ransomware payload. Other tactics include brute force attacks on weak passwords and the exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs).

Once a network has been compromised, the attackers escalate privileges and move laterally within networks using tools such as Advanced IP Scanner, Cobalt Strike, AdFind, and malware such as QakBot. The network is explored to find sensitive data, which is exfiltrated using 7zip and Rclone, sometimes hiding the activity as a Service Host Process (svchost). The exfiltrated data is used to pressure victims into paying the ransom with the threat actors threatening to sell or publish the data if payment is not made.

Egregor first appeared around the time the Maze ransomware operation shut down, and many Maze affiliates switched to distributing Egregor. Several security researchers have suggested that the Maze gang is running the Egregor operation, citing the arrival of Egregor as Maze shut down and the similarities between the companies attacked and the ransom notes. The threat actors running the Egregor operation also appear to have considerable experience running ransomware-as-a-service operations.

The FBI has advised against paying the ransom demands as there is no guarantee that valid keys will be supplied to unlock encrypted data and that stolen data may not be deleted even if the ransom is paid. Paying the ransom helps to fund future attacks and encourages the threat actors to continue.

Due to the diverse tactics, techniques, and procedures used to distribute the ransomware, network defenders need to harden security organization-wide. To ensure data can be recovered in the event of an attack, regular backups should be performed of critical data, and those backups should be stored offline, in the cloud or on an external hard drive that is not connected to the network. Backups should never be accessible from the network where the data resides.

Antivirus and antimalware solutions should be deployed and set to update automatically, email security gateways should be used to block phishing attacks, and multi-factor authentication should be implemented on corporate email accounts and remote access solutions. If multi-factor authentication cannot be implemented, it is essential to use strong passwords.

Secure networks should be used for remote access and public Wi-Fi networks should be avoided. Public-facing remote access solutions should be regularly updated and patches should be applied promptly. Several attacks saw networks compromised by exploiting vulnerabilities in RDP such as CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108. Patching these vulnerabilities should be prioritized. The FBI also recommends reviewing suspicious .bat and .dll files with recon data, such as .log files, and monitoring for the use of exfiltration tools.
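A defender-side illustration of the FBI's advice to monitor for exfiltration tools and for activity disguised as svchost, added here as an example and not part of the FBI alert: a Python triage routine run over constructed process-creation events (a simplified key=value form of the fields a Sysmon Event ID 1 record carries: image path, OriginalFileName, and command line). It flags rclone and 7-Zip binaries, a rclone binary renamed on disk, svchost.exe running outside its system directories, and the AdFind discovery tool named in the alert; the host names, paths and remote name are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Process names the FBI alert ties to Egregor data staging and discovery.
EXFIL_TOOLS = {"rclone.exe", "7z.exe", "7za.exe", "7zg.exe"}
DISCOVERY_TOOLS = {"adfind.exe", "advanced_ip_scanner.exe"}
# A genuine svchost.exe only ever runs from these directories.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# rclone transfer verbs followed by a "<remote>:" destination (drive letters
# such as D: are a single character and deliberately do not match).
RCLONE_REMOTE = re.compile(
    r"\b(copy|sync|move|copyto|moveto)\b.*(?<![\w\\])[A-Za-z][\w-]+:", re.I)

# Constructed sample events (not real telemetry) in a simplified key=value
# form of the fields a Sysmon Event ID 1 (process creation) record carries.
SAMPLE_EVENTS = [
    "ts=2020-12-29T03:12:44|host=FS01|image=C:\\Windows\\System32\\svchost.exe"
    "|original=svchost.exe|cmdline=svchost.exe -k netsvcs",
    "ts=2020-12-29T03:15:02|host=FS01|image=C:\\Users\\Public\\svchost.exe"
    "|original=rclone.exe|cmdline=svchost.exe copy D:\\Shares\\HR remote1:staging",
    "ts=2020-12-29T03:16:10|host=FS01|image=C:\\Temp\\7za.exe"
    "|original=7za.exe|cmdline=7za.exe a C:\\Temp\\arch.7z D:\\Shares\\Finance",
    "ts=2020-12-29T02:40:00|host=DC01|image=C:\\Temp\\AdFind.exe"
    "|original=AdFind.exe|cmdline=AdFind.exe -f objectcategory=computer",
]


@dataclass
class Finding:
    severity: str
    reason: str
    event: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def analyse(line: str) -> List[Finding]:
    """Return the findings one process-creation event raises."""
    ev = parse_event(line)
    directory, _, name = ev.get("image", "").lower().rpartition("\\")
    orig = ev.get("original", "").lower()
    cmd = ev.get("cmdline", "")
    findings: List[Finding] = []

    if name == "svchost.exe" and directory not in SVCHOST_DIRS:
        findings.append(Finding("high", "svchost.exe started outside System32/SysWOW64", line))

    # The binary's embedded original file name survives a rename on disk.
    if orig in EXFIL_TOOLS and name != orig:
        findings.append(Finding("high", f"{orig} running under the name {name}", line))

    tool = orig if orig in EXFIL_TOOLS else name
    if tool in EXFIL_TOOLS:
        if tool == "rclone.exe" and RCLONE_REMOTE.search(cmd):
            findings.append(Finding("high", "rclone transferring data to a remote", line))
        else:
            findings.append(Finding("medium", f"archiving/transfer tool {tool} executed", line))

    if name in DISCOVERY_TOOLS or orig in DISCOVERY_TOOLS:
        findings.append(Finding("medium", f"discovery tool {name} executed", line))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run analyse() over a batch of events, highest severity first."""
    order = {"high": 0, "medium": 1}
    return sorted((f for line in lines for f in analyse(line)),
                  key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        ev = parse_event(f.event)
        print(f"[{f.severity.upper():6}] {ev['host']} {ev['ts']}  {f.reason}")
```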

Victims of Egregor ransomware attacks are being encouraged to report the attacks to their local FBI office or the FBI’s 24/7 CyberWatch. Victims should bear in mind that payment of a ransom potentially carries sanctions risks. Last year, the Office of Foreign Assets Control (OFAC) of the Treasury Department warned that paying a ransom could violate OFAC regulations if it involves a sanctions nexus. OFAC should be contacted before any ransom is paid in order to avoid future sanctions.

The post FBI Issues Warning About Increasing Egregor Ransomware Activity appeared first on HIPAA Journal.

NSA Releases Guidance on Eliminating Weak Encryption Protocols

The National Security Agency (NSA) has released guidance to help organizations eliminate weak encryption protocols, which are currently being exploited by threat actors to decrypt sensitive data.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were developed to create protected channels using encryption and authentication to ensure the security of sensitive data between a server and a client. The algorithms used by these protocols to encrypt data have since been updated to improve the strength of encryption, but obsolete protocol configurations are still in use. New attacks have been developed that exploit weak encryption and authentication protocols, which are being actively used by threat actors to decrypt and obtain sensitive data.

The NSA explains that most products that use obsolete TLS versions, cipher suites, and key exchange methods have been updated, but implementations have often not kept up and continued use of these out-of-date TLS configurations carries an elevated risk of exploitation. Continued use of outdated protocols provides a false sense of security, as while data transmissions are protected, the level of protection provided is insufficient to prevent decryption of data by nation state actors and other well-resourced threat actors.

The new NSA guidance explains how to detect outdated TLS and SSL configurations, replace them with newer, more secure versions, and block obsolete TLS versions, cipher suites, and key exchange methods.

The guidance is primarily aimed at cybersecurity leaders in the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB), but can be used by all network owners and operators to better secure sensitive data.

The NSA recommends that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 be replaced, with only TLS 1.2 or TLS 1.3 used. The guidance includes detailed information on the tools, network signatures, and server configurations needed to allow only strong encryption protocol configurations.

“Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks,” said the NSA in the guidance. “To help system administrators fix their network components, NSA developed several server configurations and network signatures to accompany the report that are available on the NSA Cybersecurity Github.”
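One way to apply the network-signature approach the NSA describes, as an added example (not the NSA's own signatures or code): a Python parser that reads a captured TLS ServerHello record, recovers the negotiated protocol version, and flags the versions the guidance retires. It walks the extensions because a TLS 1.3 server leaves 0x0303 in the legacy version field and signals the real selection in the supported_versions extension. The records it is run on are constructed inline by the build_server_hello helper, which exists only to produce test input.

```python
import struct
from typing import Tuple

# Wire encodings of the (major, minor) version field. SSL 2.0 uses a
# different record format and never appears in this parser.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
# Versions the NSA guidance says to stop accepting.
OBSOLETE = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
# supported_versions extension a TLS 1.3 server sends: type, length, 0x0304.
TLS13_EXT = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"


def negotiated_version(record: bytes) -> str:
    """Return the protocol version a captured ServerHello record selects."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = VERSION_NAMES.get((hello[0], hello[1]), f"unknown({hello[0]}.{hello[1]})")
    pos = 2 + 32                  # legacy_version + random
    pos += 1 + hello[pos]         # session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    # TLS 1.3 keeps 0x0303 in legacy_version and puts the real selection in
    # the supported_versions extension, so the extension list must be walked.
    if pos + 2 <= len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                version = VERSION_NAMES.get((data[0], data[1]), version)
    return version


def is_obsolete(version: str) -> bool:
    return version in OBSOLETE


def audit(record: bytes) -> Tuple[str, bool]:
    """(negotiated version, True if the guidance says it must be retired)."""
    version = negotiated_version(record)
    return version, is_obsolete(version)


def build_server_hello(major: int, minor: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (constructed sample:
    zeroed random, empty session id, cipher suite 0xC02F, null compression)."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, major, min(minor, 3)]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for maj, mino, ext in [(3, 0, b""), (3, 1, b""), (3, 3, b""), (3, 3, TLS13_EXT)]:
        version, bad = audit(build_server_hello(maj, mino, ext))
        print(f"{version:8} {'OBSOLETE' if bad else 'ok'}")
```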

Updating TLS configurations will ensure that government agencies and enterprise organizations have stronger encryption and authentication and will better protect sensitive data.

Healthcare Industry Cyberattacks Increase by 45%

In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations the most active.

A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October.

The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and December; however, ransomware attacks showed the largest percentage increase and ransomware remains the biggest malware threat.

Conti ransomware continues to pose a threat and has been used in many healthcare industry ransomware attacks, although Ryuk remains the most commonly used ransomware variant, followed by Sodinokibi. The biggest increase in attacks was in Central Europe, which saw a 145% spike in attacks, followed by East Asia (137%) and Latin America (112%). There was a 67% rise in attacks in Europe and a 37% increase in North America. The country with the biggest increase was Canada, which saw attacks increase by 250%.

Ransomware attacks are financially motivated. Ransomware gives threat actors a large payout in a matter of days after conducting an attack and ransoms are often paid to allow files to be restored or to prevent the release or sale of stolen sensitive data. The healthcare industry is targeted because there is a higher probability that a ransom will be paid than attacks on other industry sectors. Healthcare providers need to restore access to patient data quickly to ensure care can continue to be provided to patients, especially at a time when there is tremendous pressure due to the number of new patients requiring treatment for COVID-19.

While it is still common for ransomware to be distributed via spam email and exploit kits, the attacks on the healthcare industry have been highly targeted, with the main ransomware variants used in the attacks delivered manually. Initial access to healthcare networks is gained using a variety of methods. Many ransomware attacks start with phishing emails that deliver Trojans such as Emotet, TrickBot, and Dridex. Check Point advises security professionals to search for these Trojans on the network, along with Cobalt Strike, all of which are used to deliver Ryuk ransomware.

Many ransomware attacks start with a phishing email, so it is important to ensure that anti-phishing cybersecurity solutions are implemented, and for employees to receive regular training to help them identify phishing and social engineering attacks.

While most phishing attacks occur in the week during business hours, ransomware attacks commonly commence over the weekend and during holidays, when monitoring by security staff is likely to be reduced. Healthcare organizations are advised to raise their guard over the weekend and during holidays to detect attacks in progress.

Vulnerabilities in software and operating systems are commonly exploited to gain access to healthcare networks, so prompt patching is vital, but in healthcare it is not always possible for patches to be applied. Check Point recommends using an intrusion prevention system (IPS) with virtual patching capabilities that can prevent the exploitation of vulnerabilities in systems and applications that cannot be patched. Anti-ransomware cybersecurity solutions should also be used that have a remediation feature that can block attacks within minutes if ransomware is deployed.

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records.

The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years.

The Largest Healthcare Data Breaches in 2020

When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom to prevent the exposure of client data. Blackbaud received assurances that the stolen data had been permanently deleted and had not been further disclosed.

The total victim count from the Blackbaud ransomware attack may never be known, but more than six dozen healthcare providers have reported being affected to date and over 8 million healthcare records have potentially been compromised. That breach clearly tops the list of the largest healthcare data breaches in 2020 and ranks as one of the largest healthcare data breaches of all time.

2020’s Largest Healthcare Data Breaches

The individual entities that reported data breaches in 2020 involving more than 300,000 healthcare records are listed below. In some cases, the actual data breach occurred prior to 2020, but was only discovered and reported in 2020.

Trinity Health – 3,320,726 Individuals

At more than 3.3 million records, Trinity Health was the worst affected healthcare victim of the ransomware attack on Blackbaud Inc. The hackers potentially obtained the philanthropy database of the Livonia, Michigan-based Catholic health system, which contained patient and donor information from 2000 to 2020.

MEDNAX Services, Inc. – 1,290,670 Individuals

Sunrise, FL-based MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, suffered a breach of its Office 365 environment in June 2020 after employees responded to phishing emails. The breach was extensive, involving patient and guarantor information such as Social Security numbers, driver’s license numbers, and health insurance and financial information.

Inova Health System – 1,045,270 Individuals

Virginia-based Inova Health System was also a victim of the Blackbaud ransomware attack. The hackers gained access to Blackbaud’s systems on February 7, 2020 and the breach continued until May 20, 2020. Ransomware was deployed on May 14, 2020. Inova’s fundraising database was potentially compromised which contained patient and donor information.

Magellan Health Inc. – 1,013,956 Individuals

Arizona-based Magellan Health was the victim of an April 2020 ransomware attack in which the protected health information of patients was potentially compromised. The attack ended with the deployment of ransomware but started with a spear phishing email. Several of its affiliated entities were also affected by the breach.

Dental Care Alliance – 1,004,304 Individuals

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in December. Few details have been released about the nature of the hacking incident as the investigation is still ongoing. The breach affected many of its affiliated dental practices.

Luxottica of America Inc. – 829,454 Individuals

Luxottica of America Inc., an operator of vision care facilities across the United States and owner of the eyewear brands Ray-Ban, Oakley, and Persol, experienced a cyberattack in August 2020 which saw hackers gain access to its web-based appointment scheduling system which contained the PHI of patients of its eye care partners.

Northern Light Health – 657,392 Individuals

The Maine health system Northern Light Health was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

Health Share of Oregon – 654,362 Individuals

In May 2020, the Medicaid coordinated care organization Health Share of Oregon reported the theft of a laptop computer from its non-emergent medical transportation vendor. The laptop was stolen in November 2019 and was not encrypted, which potentially gave the thief access to patients’ contact information, Health Share ID numbers, and Social Security numbers.

Florida Orthopaedic Institute – 640,000 Individuals

Florida Orthopaedic Institute suffered a ransomware attack in April which saw patient information on its servers encrypted. Prior to the use of ransomware, patient data may have been viewed or obtained by the hackers.

Elkhart Emergency Physicians – 550,000 Individuals

Elkhart Emergency Physicians reported a breach in May 2020 involving the improper disposal of patient records by a third-party storage vendor – Central Files Inc. Elkhart Emergency Physicians was the worst affected entity, but several other clients of the vendor were also impacted by the breach. The records had been dumped without being shredded after the storage facility permanently closed.

Aetna ACE – 484,157 Individuals

Aetna reported a data breach in December which occurred at business associate EyeMed, which provides vision benefit services for its members. The breach occurred when an EyeMed employee responded to a phishing email, which allowed the attacker to gain access to email accounts containing PHI. Several EyeMed clients were affected by the breach.

Saint Luke’s Foundation – 360,212 Individuals

Kansas City, MO-based Saint Luke’s Foundation was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

NorthShore University Health System – 348,746 Individuals

Evanston, IL-based NorthShore University Health System was also affected by the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database.

SCL Health Colorado – 343,493 Individuals

SCL Health Colorado was also a victim of the Blackbaud ransomware attack. The PHI of patients in its Colorado, Montana and Kansas locations was potentially accessed by the attackers.

AdventHealth – 315,811 Individuals

The Altamonte Springs, FL-based healthcare system AdventHealth was also a victim of the Blackbaud ransomware attack which saw the hackers gain access to its fundraising database.

Nuvance Health – 314,829 Individuals

Nuvance Health was a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database between February and May.

Magellan Rx Management – 314,704 Individuals

Magellan Rx Management was one of the victims of the ransomware attack on its parent company, Magellan Health, in April. The hackers potentially stole patient data prior to encrypting files.

The Baton Rouge Clinic – 308,169 Individuals

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July involving ransomware. The attackers potentially viewed or obtained patient data prior to the deployment of ransomware.

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CyberAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images had up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CyberAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact on the availability of PACS and the components it connects to.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS.

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training. A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry Report

Most covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.

The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. Across OCR’s enforcement activities over the past 11 years, a risk analysis failure has been the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic, which has now released a firmware update to fix the vulnerabilities. The firmware update is applied by updating the MyCareLink Smart app via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.

The post Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers appeared first on HIPAA Journal.

Xavier Becerra Named Secretary of the Department of Health and Human Services

President-elect Joe Biden has named California Attorney General Xavier Becerra as Secretary of the Department of Health and Human Services. According to The New York Times the decision has been made, although the appointment has yet to be announced by his transition team.

Biden is committed to building the most diverse administration in history and, while progress has been made so far, he has faced criticism over the number of Latinos appointed to date. If the appointment of Becerra is confirmed by the Senate, he will become the first ever Latino Secretary of the Department of Health and Human Services. The news of his selection has drawn praise from the Congressional Hispanic Caucus.

Becerra has a long record of supporting the Affordable Care Act and helped steer the legislation through Congress in 2009 and 2010. The former Los Angeles area congressman also led the coalition of Democratic states that defended the Affordable Care Act and resisted attempts by the Trump Administration to overturn it. Becerra will be responsible for expanding the Affordable Care Act and is likely to quickly roll back changes made by the Trump administration.

Becerra has worked with the Louisiana Attorney General to increase the availability of the drug Remdesivir in that state and with many Republican Attorneys General in legal actions against opioid manufacturers. His success working with Republicans was one of the factors that helped secure him the position of Secretary of the HHS. Becerra will have the immediate task of overseeing the HHS response to the coronavirus pandemic, including the mass vaccination program due to be rolled out across the United States in early 2021.

Biden has nominated Dr. Rochelle Walensky to lead the Centers for Disease Control and Prevention. Walensky is a leading infectious disease specialist at Massachusetts General Hospital, with extensive career experience combatting HIV/AIDS. Dr. Anthony Fauci, current director of the National Institute of Allergy and Infectious Diseases and chief medical advisor on COVID-19, will remain in those two positions.

Biden has named Jeff Zients, former economic advisor to President Barack Obama, as the White House coronavirus coordinator and co-chair of the coronavirus task force. Vivek Murthy is expected to return to the position of Surgeon General that he held under the Obama administration.

Other nominations include Yale School of Medicine professor Dr. Marcella Nunez-Smith as COVID-19 Equity Task Force chair and deputy campaign manager Natalie Quillian as deputy coordinator of the COVID-19 Response. The remaining members of the health care team are expected to be announced in the next few days.

The post Xavier Becerra Named Secretary of the Department of Health and Human Services appeared first on HIPAA Journal.

AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

The American Medical Association has warned hospitals, health systems, and medical practices about the increase in cyber risks targeting the healthcare sector and has provided recommendations on the steps that can be taken to ensure threats are mitigated and network security is improved.

Laura Hoffman, AMA assistant director of federal affairs, explained the current threats in a recent AMA COVID-19 Update and announced a new resource has been developed by the AMA and American Hospital Association (AHA) on technology considerations for healthcare organizations for the remainder of 2020 to improve network security and bolster patient privacy efforts.

The COVID-19 pandemic has created many new challenges for healthcare organizations which are having to treat increased numbers of patients while working in ways that may be unfamiliar. The pandemic has seen a major expansion of telehealth services, with many patients now receiving care virtually using new technology platforms.

These new technologies and platforms have introduced vulnerabilities and broadened the attack surface, and cybercriminals have taken advantage by stepping up attacks on the healthcare sector. At the start of the pandemic there was an increase in phishing attacks on the industry. Virtual Private Networks have been used to support remote working, telehealth, and remote monitoring of medical devices, which has further increased the attack surface; several vulnerabilities have been identified in these VPN solutions and exploited by threat actors to gain access to healthcare networks.

There has also been a major increase in ransomware attacks on the healthcare sector. The operators of Ryuk ransomware have been targeting the healthcare industry and have stepped up their attacks in recent weeks. These attacks prevent access to protected health information and disable mission critical systems, causing delays to patient care and placing patient safety at risk. The AMA has also observed an increase in insider threats during the pandemic, with insiders identifying security weaknesses and exploiting them for financial gain.

“As practices reopen, and hospitals around the country prepare for a second wave of COVID-19 infections coinciding with cold and flu season, our organizations are providing this update on steps physicians should take to prepare for the coming months,” explained AMA/AHA in the new guidance document – Technology Considerations for the Rest of 2020.

The AMA recommends that healthcare providers request routine updates from their health information technology vendors or security professionals. The guidance document lists a series of questions that should be asked of those providers to ensure that vulnerabilities are identified and addressed. The questions cover network security, the use of legacy devices and software that is no longer supported, access rights to systems granted to third parties and vendors during the pandemic, and the location of all protected health information.

In addition to addressing cybersecurity risks, healthcare providers should get prepared for when the Public Health Emergency comes to an end. During the pandemic, the HHS’ Office for Civil Rights announced it would be exercising enforcement discretion with respect to the good faith use of technology to support telehealth. When the Public Health Emergency ends, healthcare providers will be required to comply fully with HIPAA once again.

The telehealth platforms that have been used during the pandemic may no longer be suitable for use, and where use can continue, business associate agreements will need to be entered into with the technology vendors. It is also necessary to conduct security risk assessments of telehealth platforms, if they have not already been conducted, to identify risks and vulnerabilities to the protected health information they handle.

The AMA is encouraging physicians and hospitals to start having discussions with their telemedicine vendors and to take steps to conduct a security risk analysis, so they are prepared for when the Public Health Emergency ends.

In the guidance, the AMA/AHA also suggest asking telemedicine vendors about their privacy practices, intended data use and security protocols. “Many physicians do not realize that a telemedicine platform or application may be low-cost or free because the vendor’s business model is based on aggregating and selling patients’ data. If possible, consult with your legal team to clarify how video, audio, and other data are being captured and stored by the vendor and who has access. You can also ask whether the vendor will share results of third-party security audits, including SOC 2 or HITRUST, in addition to the results of their penetration testing.”

It is also advisable to enable all available privacy and security tools when using telemedicine platforms, including end-to-end encryption to prevent third parties from intercepting communications between providers and patients. Providers should also be open with patients about the potential privacy risks associated with the use of telemedicine platforms and make sure they are aware of any risks involved with virtual care.

The post AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks appeared first on HIPAA Journal.