Healthcare Data Security

ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products

ICS-CERT has issued and advisory about two vulnerabilities that have been identified in Philips IntelliSpace Cardiovascular products, one of which has been given a high severity rating and could allow a threat actor to elevate privileges and gain full control of a vulnerable device.

The improper privilege management vulnerability (CVE-2018-14787) is present in IntelliSpace Cardiovascular cardiac image and information management software version 2.x and earlier releases and Xcelera V4.1 and earlier versions.

The vulnerability could not be exploited remotely. Local access is required, and an authenticated user would need to have write privileges. If exploited, privileges could be escalated and access gained to folders containing executables. Arbitrary code could be executed to give the attacker full control of the system. The vulnerability has been assigned a CVSS v3 severity score of 7.3.

An unquoted search path or element vulnerability (CVE-2018-14789) is present in IntelliSpace Cardiovascular Version 3.1 and earlier versions and Xcelera Version 4.1 and earlier versions. This flaw would allow an attacker to execute arbitrary code and escalate privileges. The vulnerability has been assigned a CVSS v3 severity score of 4.2 (medium).

Philips discovered the vulnerabilities and self-reported them to the National Cybersecurity and Communications Integration Center (NCCIC).

The improper privilege management vulnerability has been addressed in version 3.1 of IntelliSpace Cardiovascular software. Any user running IntelliSpace Cardiovascular version 2.x or prior versions or Xcelera V4.1 or prior versions should contact their Philips service support team to receive information on how they can upgrade to version 3.1.

Philips will be addressing the unquoted search path or element vulnerability in the next release of IntelliSpace Cardiovascular – V3.2 – which has been scheduled for release in October 2018. Until that point, interim mitigations can be implemented to reduce the potential for the vulnerability to be exploited. Philips suggests reviewing file permission policies and restricting available permissions where possible.

Several vulnerabilities have been identified in the IntelliSpace suite of products in recent months. In March 2018, ICS-CERT issued a warning about several vulnerabilities affecting all versions of iSite and IntelliSpace PACS, some of which were assigned a CVSS v3 severity score of 10 – The maximum score possible. If exploited the vulnerabilities could compromise patient confidentiality, system integrity, and/or system availability.

In February, ICS-CERT issued a warning about a slew of vulnerabilities in the IntelliSpace Portal that were assigned severity scores ranging from 3.1 to 8.1. In total, 35 vulnerabilities were detected, some of which could be exploited remotely and allowed remote code execution.

In January, a warning was issued about an insufficient session expiration vulnerability in IntelliSpace Cardiovascular that was assigned a CVSS v3 score of 6.7. Exploiting the vulnerability would require only a low skill level. If exploited, an attacker could gain access to sensitive patient information.

The post ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products appeared first on HIPAA Journal.

Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication

A vulnerability has been discovered in Microsoft’s Active Directory Federation Services (ADFS) that allows multi-factor authentication (MFA) to be bypassed with ease. The flaw is being tracked as CVE-2018-8340 and was discovered by Andrew Lee, a security researcher at Okta.

ADFS is used by many organizations to help secure accounts and ADFA is used by vendors such as SecureAuth, Okta, and RSA to add multi-factor authentication to their security offerings.

To exploit the vulnerability an attacker would need to obtain the login credentials of an employee and have a valid second factor authentication token. That token could then be used as authentication to access any other person’s account if their username and password is known.

A threat actor could easily obtain a username and a password by conducting a phishing campaign. The number of phishing attacks on healthcare organizations that have been reported recently show just how easy it is to fool employees into disclosing their login credentials. A brute force attempt on an account with a weak password would also work.

Obtaining the second factor token is a little more difficult. The second factor is often a mobile phone number or email address or a smart card PIN number. That information could also potentially be obtained through phishing or through a successful attempt to get the IT help desk to reset a user’s MFA token.

The vulnerability would be easy to exploit by an insider, since that person would already have a valid MFA token registered on the system. All that would be required to access the account of another employee would be their username and password.

The vulnerability is due to the way ADFS communicates during a login. When an attempt is made to login, the server sends an encrypted context log which contains the MFA token. However, the context log does not include the username, so no check is performed to ensure the MFA token is being used by the correct individual. If an attacker used a browser to gain access to an account using a known username/password and MFA token, and a second browser with just a username and password but no MFA token, a single MFA token could be used to gain access to both accounts.

Two-factor authentication is an important security control that can prevent unauthorized account access even if a threat actor has successfully obtained login credentials, although this vulnerability shows that the system is not infallible.

The flaw has now been fixed in Microsoft’s Patch Tuesday updates on August 14. Healthcare organizations should ensure that the patch is applied promptly to ensure their MFA controls cannot be easily bypassed.

The post Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication appeared first on HIPAA Journal.

Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time

A security researcher at McAfee (Douglas McKee) has identified a vulnerability in the communications protocol used by patient monitoring equipment. The flaw could be exploited by a threat actor allowing patients’ vital signs to be falsified and sent to central monitoring systems.

Patient monitors record patients’ vital signs and communicate the information to central monitoring systems. The central management systems collect data from many bedside patient monitors, allowing healthcare professionals to monitor multiple patients simultaneously. Information is usually sent over TCP/IP through wired or wireless connections and includes information such as blood pressure, blood oxygen levels, and heart rates. Decisions about treatment are made based on the information provided through those monitoring systems.

Vital signs are integral to clinical decision making. If vital signs are misreported, decisions could be made that could cause patients to come to harm – incorrect doses of medications could be provided, the choice of drug could be influenced by bad data, an incorrect diagnosis could be made, or there could be delays providing medical assistance.

Incorrect data could also lead to patients staying in hospital for far longer than necessary and additional unnecessary tests may be performed, which would come at a cost to the healthcare provider, insurer, or patient.

For the study, McAfee purchased a patient monitor and a central monitoring station on eBay that were manufactured in 2004 and ran Windows XP Embedded. While the devices were old, McAfee confirmed that the monitor and central monitoring station are still in use in several hospitals in the United States.

The researchers were able to create a simple device to emulate vital signs using a Raspberry Pi and conduct a replay attack. The researchers were able to send heart rate data to the central monitoring system indicating a steady heart rate of 80 bpm, when the patient monitor was no longer connected to the system. The researchers were able to do the same with other vital signs. This just involved a short loss in connection, which would likely go unnoticed.

For such an attack to be pulled off, the attacker would need access to the patient to disconnect the patient monitor and plug in the emulation device. The replay attack could allow normal heart rate data to be provided to the central monitoring station when the patient was actually flatlining.

The researchers were also able to devise an attack method that allowed vital signs data to be modified in real time. In this attack, access to the patient was not required. The attacker simply needed to be on the same network. The attacker posed as the central monitoring station, intercepted data from the targeted patient’s monitor, and then falsified the data and sent it to the real central monitoring station. This attack was possible due to a flaw in the Rwhat protocol that is used to send data over wired or Wi-Fi connections. Since data is sent over unencrypted User Datagram Protocol (UDP), data packets can easily spoofed and modified.

Conducting such an attack is not straightforward. Knowledge of the equipment and networking protocol is required, and the attack could only be performed on single or possibly small groups of patients. Some medical knowledge would be required, as the vital signs would need to be believable to a physician. The attack also only caused falsified data to be displayed on the monitoring station – The patient monitor continued to display the correct readings.

Such an attack may be unlikely but could be a threat for certain patients – Those testifying in trials or politicians for example.

If communications between patient monitors and central monitoring stations are encrypted and additional authentication checks are incorporated, such an attack would be much harder to pull off. It is also important for the equipment to be located on isolated networks with very strict access controls to reduce the potential for such an attack to occur.

The post Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time appeared first on HIPAA Journal.

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry.

While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access.

The flaws were detected by researchers at Check Point who successfully exploited them to create a backdoor into a network which was used to steal information through the fax. The researchers believe there are tens of millions of vulnerable fax machines are currently in use around the world.

To exploit the flaw, the researchers sent a specially crafted image file through the phone line to a target fax machine. The fax machine decoded the image and uploaded it to the memory and the researchers’ script triggered a buffer overflow condition that allowed remote code execution. The researchers were able to gain full control of the fax machine and, using the NSA exploits Eternal Blue and Double Pulsar, spread malware to a vulnerable PC that was connected to the same network.

The malware was programmed to search for files of interest. When a file was located, it was sent back to the Check Point via fax.

Check Point’s research was mainly focused on HP’s OfficeJet Pro all-in-one fax printers, although the same flaws exist in many other manufacturers’ fax machines including those manufactured by Epson and Canon. Check Point alerted HP to the issue, which has now been patched, although other manufacturers’ devices remain vulnerable. In many cases, software on the all-in-one-printers cannot be updated. Correcting the flaw will only be possible by upgrading to newer devices.

Check Point suggests all businesses that still use fax machines, including healthcare organizations, should determine whether their fax machines are capable of being updated and ensure all software is kept up to date. If updates are not possible, upgrading the devices is recommended and the printer-fax machines should be located on secure networks separate from those on which protected health information is stored.

While the research was focused on all-in-one printers, the researchers note that attacks would not be limited to those devices. Potentially, stand-alone fax machines could also serve as an entry point into a business network as could fax-to-mail services.

At this stage there have been no reports of this method of attack being used in the wild, although the Check Point researchers note it will only be a matter of time before others determine how the attacks can be conducted.

The post Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data appeared first on HIPAA Journal.

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017.

The report explores phishing attacks and methods used between January 1 and March 31, 2018.

In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018 which was on a par with December 2017, although a substantial increase in February (88,754) and a further major increase in March (113,897).

The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March.

APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns. Its figures show online payment services topped the list in Q1, 2018, accounting for 39% of all reported phishing attacks. Attacks involving SAAS and webmail providers accounted for 18.7% of the total, following by financial institutions (14.2%) and file hosting and cloud storage services on 11.3%.

As businesses have moved over to HTTPS sites, the phishers have followed. Each quarter has seen a substantial rise in the percentage of phishing sites that use HTTPS and secure the connection between the site and the browser. APWG member PhishLabs has been tracking the use of HTTPS on phishing sites and its figures show a third (33%) of all phishing sites were on HTTPS infrastructure in Q1, 2018 compared to just 10.5% in Q1, 2017.

Many consumers still believe that a website starting with HTTPS means the site is legitimate, when that is certainly not the case. It only means that the connection between the browser and the site is secured. If the site is owned by a phisher, or if a legitimate site has been hijacked, any information entered can be captured. Many phishers are registering their own domains and are taking advantage of the free SSL certificates that are offered to make their sites look more legitimate.

RiskIQ’s figures show that the phishing URLs used by phishers closely match TLD market share, with .com’s the most widely used TLD’s by phishers. .Coms accounted for 6,608 of the 13,594 unique domains used in phishing attacks in Q1, 2018. Those domains were widely distributed among different domain registrars.

Brazilian cybersecurity firm Axur provided a breakdown of internet-based attacks on individuals and companies in Brazil. The firm’s data show scam websites were the leading threat and accounted for 9,061 of the 17,065 attacks in Q1, 2018. They were followed by social media scams (4,209), mobile app scams (1,840) and phishing scams (1,816). 350 redirection URLs were detected that sent visitors to exploit kits and phishing sites and 257 URLs were being used to deliver malware.

The post APWG Detects 46% Rise in Phishing Websites in Q1, 2018 appeared first on HIPAA Journal.

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018.

The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients.

Q2 2018 Healthcare Data Breaches

Month Data Breaches Records Exposed
April 45 919,395
May 50 1,870,699
June 47 353,548

 

Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary.

It is unclear if any healthcare records were stolen in the breach although data theft could not be ruled out. Many physical records were damaged by a fire started by the burglars which activated the sprinkler system which caused water damage. Electronic equipment was taken although it was encrypted.

The second largest data breach of 2018 was reported by MSK Group in May. The orthopedic group detected unauthorized access of parts of its network that contained the protected health information of 566,236 patients.

The third largest breach of 2018 involved the exposure and potential theft of 538,127 records from LifeBridge Health. Malware had been installed on a server on which billing information and medical records were stored.

The fifth and sixth largest breaches of the year to date were reported in June. Oklahoma State University Center for Health Sciences experienced a 279,865-record breach when its computer network was hacked and Med Associates, Inc., discovered a desktop computer had been hacked resulting in the exposure of 276,057 patients’ PHI.

The Threat from Within

Protenus has drawn attention to the threat from insider breaches and the importance of detecting privacy breaches promptly. When medical records are accessed by employees without authorization, there is a 30% chance of an employee violating patient privacy again within 3 months and a 66% chance they will do so again within 6 months. One of the main problems for hospitals is the time taken to investigate and respond to insider threats. On average, one investigator monitors the ePHI access attempts of 4,000 employees across an average of 2.5 hospitals – a significant burden.

Out of every 1,000 healthcare employees, Protenus determined than 9 will breach patient privacy, most commonly by snooping on the medical records of family members.  In Q2, 2018 71.4% of breaches involved employees snooping on family members’ medical records.

30.99% of breaches (44) reported to the Office for Civil Rights in Q2 were insider breaches, and out of the 27 incidents for which details have been disclosed, the records of 421,180 patients were known to have been compromised. There were 25 incidents involving insider error and 18 incidents involving insider wrongdoing.

Healthcare Hacking Incidents Increased in Q2 2018

The biggest cause of healthcare data breaches in Q2, 2018 was hacking/IT incidents which accounted for 36.6% of all reported breaches in the quarter. There were 52 hacking/IT incidents reported in Q2, compared to 30 in Q1 – a 73% increase. Those breaches resulted in the exposure/theft of at least 2,065,813 healthcare records.

Details were available for 44 breaches, ten of which were phishing-related breaches, 7 involved ransomware or malware, and one involved another form of extortion.

There were 23 reported cases of theft of physical or electronic records and a further 23 breaches that did not include enough information for them to be categorized.  Overall, 84% of breaches involved electronic records and 16% involved paper records.

Healthcare providers were the worst hit with 76.37% of reported breaches, following by health plans on 10.91%, business associates on 5.45%, and other entities on 7.27%.

The average time to discover a breach was 204 days and the median time was 18 days. The detection times ranged from one day to 1,587 days. From the available data, the average time to disclose breaches to the Office for Civil Rights was 71 days and the median time was 59 days. The maximum time frame under HIPAA for disclosing breaches is 60 days. California was the worst hit state with 20 incidents followed by Texas on 13.

The Protenus Q2 2018 healthcare data breach report can be downloaded on this link (PDF).

The post At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018 appeared first on HIPAA Journal.

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular.

Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database.

Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information.

The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy to test the code without running into legal problems. The findings of the investigation into OpenEMR v5.0.1.3 are detailed in Project Insecurity’s vulnerability report (PDF).

After identifying around 20 serious vulnerabilities, the vendor was contacted on July 7, 2018 and was given a month before public disclosure, allowing time for developers to correct the flaws.

One of the most serious vulnerabilities discovered allowed an attacker to bypass authentication on the Patient Portal Login. The authentication was simple, requiring next to no skill to pull off. An individual only needed to navigate to the registration page and modify the requested URL to access the desired page. By exploiting this flaw, it would be possible to view and alter patient records and potentially compromise all records in the database.

Project Insecurity discovered nine flaws that allowed SQL injection which could be used to view data in a targeted database and perform other database functions, four flaws could be exploited that would allow remote code execution to escalate privileges on the server, several cross-site request forgery vulnerabilities were discovered, three unauthenticated information disclosure vulnerabilities, an unrestricted file upload flaw, and unauthenticated administrative actions and arbitrary file actions were possible.

The vulnerabilities were identified through a manual review of the code and by modifying requests. No source code analysis tools were used. If the flaws had been found by a hacker, huge numbers of medical records could have been accessed, altered, and stolen.

OpenEMR has now issued patches to correct all the flaws identified by the Project Insecurity team.

The post More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched appeared first on HIPAA Journal.

The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: Substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution.

The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones.

The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million.

When faced with extensive disruption and a massive clean up bill it is no surprise that many victims choose to pay the ransom. Now new figures have been released that confirm just how many victims have paid to recover their files and regain control of their computer systems.

223 SamSam Ransoms Paid: Almost $6 Million Generated

A recent analysis of the cryptocurrency wallets used by the threat actor behind the SamSam ransomware has shown there have been 223 ransom payments made by victims in the two and a half years since the release of the first SamSam ransomware variant. The payments almost total $6 million, more that six times the amount previously thought to have been earned by the threat actor behind the attacks.

The figures come from Sophos, which has recently teamed up with a leading cryptocurrency tracking firm, to investigate the attacks.

It was initially thought that the attacks were primarily being conducted on healthcare organizations, educational institutions, and government agencies, although the recent analysis has shown the private sector has attracted the majority of attacks. Healthcare organizations are obliged to report the attacks under HIPAA Rules, which is why it seemed like they were extensively targeted.

26% of all attacks have been on healthcare firms. The majority of attacks have been on private companies and have not been reported. Many attacked firms have chosen to quietly pay the ransom demand.

No Sign of SamSam Ransomware Attacks Slowing Down

Several cybersecurity firms have reported a slowdown in ransomware attacks as threat actors switch to spreading cryptocurrency mining malware due to the higher potential for profits. However, there has not been any slowdown in SamSam ransomware attacks.

On average, one SamSam ransomware attack is conducted a day and the attacks have a high success rate. With ransom demands of around $50,000 issued for each infection, and an average of $187,500 earned each month, it is unlikely that the attacks will stop any time soon.

SamSam ransomware infections do not occur via spam or phishing emails, instead companies are attacked through the exploitation of vulnerabilities and recently through brute force attacks on remote desktop protocol connections.

Access is gained to the network and the attacker manually moves laterally using standard administration tools rather than NSA exploits. The malicious payload is deployed on as many computers and servers as possible before the encryption routine is started. The attacks tend to take place at night when there is less chance of them being detected and blocked.

This quiet, stealthy method of attack ensures a high rate of success compared to the noisy spam-delivered campaigns. Sophos believes the attacks are the work of a single individual.

How to Block SamSam Ransomware Attacks

Vulnerability scans and penetration testing can help to identify vulnerabilities before they are exploited and prompt patching is essential. Multi-factor authentication should be implemented, intrusion detection systems deployed and correctly configured, access logs should be routinely checked, admin privileges should be limited, and regular backups should be made with at least one copy stored off-site and offline.

Access to RDP needs to be restricted and remote connections should ideally only be made through VPNs, which also need to be kept up to date. If RDP is not required it should be disabled.

If RDP is enabled, rate limiting should be used to lock out users after a set number of failed attempts to block brute force attempts to gain access. Naturally practicing good password hygiene is also important, default passwords should be changed, strong passwords or passphrases used, and passwords should be changed at regular intervals.

It is also wise to change RDP connections from the standard TCP/3389 port and it is similarly advisable not to have RDP connections public-facing to the internet.

Sophos notes that the nature of SamSam ransomware attacks mean that simply backing up files is not enough to ensure a quick recovery. SamSam ransomware not only encrypts files, but also application configuration files. Even if files are restored it is likely that applications will fail to work.

The only way of ensuring a full recovery apart from paying the ransom is to rebuild affected machines. It is therefore important that companies have a plan for such an eventuality if they are to avoid having to pay the ransom.

The post The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta appeared first on HIPAA Journal.

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868).

The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors.

If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity).

The way that passwords are stored could allow them to be recovered by an attacker and used for network authentication and encryption of local data at rest. This vulnerability has been assigned a CVSS v3 score of 4.9 (medium severity).

The vulnerabilities were identified by security researchers at Whitescope LLC, who reported them to the National Cybersecurity and Communications Integration Center (NCCIC).

Medtronic has already taken steps to address the vulnerabilities. Server-side updates have been made to correct the data authenticity verification issue and further mitigations will be implemented shortly to enhance data integrity and authenticity. To reduce the risk of exploitation, Medtronic recommends users maintain good physical control over their home monitors and only use monitors that have been obtained from healthcare providers.

Two vulnerabilities have also been identified in the Medtronic MiniMed 508 Insulin Pump by the Whitescope researchers. The first is the cleartext transmission of sensitive information (CVE-2018-40634) and the second is an authentication bypass flaw that could be exploited in a capture replay attack (CVE-2018-14781).

The researchers discovered that communications between the insulin pump and wireless accessories are sent in cleartext, which could allow sensitive information such as the device serial number to be captured by an attacker. The vulnerability has been assigned a CVSS v3 score of 4.8 (medium severity).

When the insulin pump is paired with a remote controller and the easy-bolus and remote bolus options are set, the device is vulnerable to a capture-replay attack which would allow the wireless transmissions to be captured and replayed resulting in an additional insulin (bolus) delivery. The vulnerability has been assigned a CVSS v3 score of 5.3 (medium severity).

The vulnerabilities affect the following MiniMed insulin pumps and associated products: MMT 508 MiniMed insulin pump, MMT – 522 / MMT – 722 Paradigm REAL-TIME, MMT – 523 / MMT – 723 Paradigm Revel, MMT – 523K / MMT – 723K Paradigm Revel, and MMT – 551 / MMT – 751 MiniMed 530G.

Medtronic will not be issuing a fix to correct the flaws as devices are only vulnerable if the remote option is enabled. Devices are not vulnerable in their default configuration. Users can disable to easy bolus and remote bolus options if they have been set. If users wish to continue to use the easy bolus option, they should be attentive to device alerts when enabled and should turn off the easy bolus option when they are not intending to use the remote bolus option.

The post Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps appeared first on HIPAA Journal.