Healthcare Information Technology

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices and best practices for securing the telehealth and remote monitoring ecosystem.

Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks.

Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge.

The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment.

The paper addresses cybersecurity concerns related to the use of the devices in patients’ homes, the use of home networks, and patient-owned devices and identifies cybersecurity measures that can be implemented by healthcare organizations with RPM and video telehealth capabilities.

“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” explained NCCoE.

NCCoE has evaluated the following functions of the devices:

  • Connectivity of devices and applications deployed on patient-owned devices such as smartphones, tablets, laptops, and desktop computers
  • How applications transmit monitoring data to healthcare providers
  • The ability for patients to interact with their point of contact to initiate care
  • The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about issues with patients
  • The ability for data to be shared with electronic medical record systems
  • The ability for patients to initiate videoconference sessions through telehealth applications
  • The ability for application patches and updates to be installed
  • How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
  • How a healthcare provider can connect to a remote monitoring device to update the device configuration

The paper does not cover risks specific to third party telehealth platform providers nor does it evaluate device vulnerabilities and defects.

Stakeholders have been invited to comment on the draft paper. Comments will be accepted until December.

The draft paper is available for download from NCCoE.

The post NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity appeared first on HIPAA Journal.

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and adoption of a more integrated approach to privacy that includes both the healthcare sector and consumer sector.

The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule).

Currently, a patchwork of federal and state regulations complicates compliance and creates information sharing challenges, which result in ‘perverse outcomes’ due to differing interpretations of existing privacy policies.

AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an example. Pennsylvania and New Jersey are neighboring states, but they have different policies covering HIV/AIDS data. If an HIV/AIDS patient from Pennsylvania were to visit a hospital in New Jersey, information on their HIV/AIDS diagnosis would not be accessible to clinicians in New Jersey, even though the information is highly important for treatment decisions. The patient would also be unlikely to receive their data from the New Jersey hospital to take back to their healthcare provider in Pennsylvania.

“AMIA encourages the administration to ensure that federal rules lay a common foundation across jurisdictional and geographic boundaries while also providing a process for jurisdictions to address local needs and norms.”

In recent years there has been a significant increase in consumer devices and information systems that record similar information to medical devices and healthcare information systems. The line between the two has been blurred. Action is therefore required to develop concordant privacy policies across health and consumer data ecosystems.

HIPAA was introduced 22 years ago in 1996 at a time when healthcare organizations were predominantly using paper records. While HIPAA has been updated to account for the shift to electronic records, AMIA points out that the adoption of health-related technologies that were unavailable in 1996 has resulted in the formation of gaps that now endanger patient privacy.

The changes made to HIPAA through the introduction of the Privacy Rule have ensured that patients have access to their health data and greater control over what is done with that information. What is now required are similar rights and protections for consumers.

While AMIA does not suggest that either HIPAA or the Common Rule should be applied to the consumer data ecosystem, both “should serve as important and informative inputs to [the] conversation on consumer data privacy.”

AMIA has called for the Federal Trade Commission (FTC) to develop a consumer data strategy that “Supports trust, safety, efficacy, and transparency across the proliferation of commercial and non-proprietary information resources,” and suggests that the time is right to develop an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”


Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress.

The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 and calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and now awaits only the president’s signature.

The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service.

The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center.

NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal government civilian agencies.

The new name better reflects the work NPPD does and emphasizes the importance of cybersecurity in securing the nation’s critical infrastructure. The new agency will consolidate information security and physical infrastructure security in a unified agency.

“The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical,” said DHS Secretary Kirstjen M. Nielsen. “It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”

Having a single agency in charge of the nation’s cybersecurity will help the U.S. government address current security gaps. At present, each federal agency is responsible for its own IT systems and managing cyber risks. Regardless of size and budget, each government entity must ensure cyber risks are managed and reduced to a minimal level. There are also several government agencies that cover various cybersecurity functions, which is inefficient and results in security gaps.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said Christopher Krebs, current undersecretary of the NPPD. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”


Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk.

Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code.

The vulnerabilities affect the following Roche Point of Care handheld medical devices.

  • Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later)
  • CoaguChek Pro II
  • CoaguChek XS Plus & XS Pro
  • Cobas h 232 POC

The related base units (BU), base unit hubs, and handheld base units (HBU) are also affected.

CVE-2018-18564 is an improper access control vulnerability. An attacker on an adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 04.03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • cobas h 232 (Versions prior to 04.00.04 (SN > KQ0400000 or KS0400000))

CVE-2018-18565 is an improper access control vulnerability that would allow an individual that has access to an adjacent network to change the configuration of instrumentation. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.2.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18562 concerns insecure permissions in a service interface that could allow unauthorized users in an adjacent network to execute arbitrary commands on operating systems. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub 9 (Versions prior to 03.01.04)
  • CoaguChek / cobas h232 Handheld Base Unit (Versions prior to 03.01.04)

CVE-2018-18563 affects the software update mechanism, which could be exploited by an attacker on an adjacent network to overwrite arbitrary files on the system using a specially crafted update package. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18561 is an improper authentication vulnerability involving the use of weak access credentials. An individual that has access to an adjacent network could gain service access to a vulnerable device through a service interface. The vulnerability is rated medium severity and has been assigned a CVSS v3 base score of 6.5.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub
  • CoaguChek / Cobas h232 Handheld Base Unit running 03.01.04 and earlier versions

All five vulnerabilities were identified by Niv Yehezkel of Medigate, who disclosed the vulnerabilities to Roche.

Mitigation procedures have been recommended by Roche to reduce the risk of the vulnerabilities being exploited. Software updates to address the vulnerabilities have been scheduled for release in November 2018.

Roche recommends:

  • Restricting network and physical access to the devices and their attached infrastructure through the activation of device security features
  • Protecting vulnerable devices from unauthorized access, theft, and malicious software
  • Monitoring network infrastructure and system activity for suspicious activity.


OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase and has identified several deficiencies.

Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure that all medical devices that come to market are secure and incorporate cybersecurity protections against attacks that could alter device functionality and harm patients.

The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas.

One area of weakness concerns how the FDA handles postmarket medical device cybersecurity events, including recalls of medical devices that contain vulnerabilities that could be exploited by hackers to gain access to the devices to alter functionality, steal patient data, or use the devices for attacks on healthcare networks. Written standard operating procedures for device recalls had not been established in two of the 19 FDA district offices under review.

While plans and procedures for dealing with cybersecurity events have been developed by the FDA, the agency’s ability to respond to cybersecurity incidents had not been adequately tested, according to OIG.

OIG noted in its report that as a result of the failure of the FDA to assess risks from medical device security events and ineffective approaches to responding to events, the FDA’s efforts to address medical device vulnerabilities were susceptible to “inefficiencies, unintentional delays, and potentially insufficient analysis.”

Even though deficiencies were identified, OIG said “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”

OIG recommended that the FDA:

  • Continually assess cybersecurity risks to medical devices and update its plans and strategies accordingly
  • Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders
  • Enter into a formal agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities
  • Ensure policies and procedures are established and maintained covering the recall of medical devices vulnerable to cybersecurity threats.

The FDA has been proactively addressing the issue of medical device cybersecurity; however, at the time of OIG’s fieldwork in the spring of 2017, the FDA had not yet properly addressed the emerging issue of medical device cybersecurity.

OIG notes that prior to issuing the draft report of the findings of the audit, the preliminary findings were shared with the FDA. By the time that the draft report was issued, the FDA had already addressed some of OIG’s recommendations.

The FDA concurred with all of OIG’s recommendations; however, the FDA did not agree with OIG’s suggestion that it had failed to assess medical device security at an enterprise or component level, nor that its policies and procedures were inadequate. The FDA also said that the OIG report provided an incomplete and inaccurate picture of its oversight of postmarket medical device cybersecurity.


FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security.

The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated.

Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data; they could also be used as a foothold to launch further cyberattacks that could prevent healthcare providers from delivering care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real possibility.

Both the FDA and DHS are aware of the threat posed by medical devices and have been working to strengthen cybersecurity. The two agencies have collaborated in the past on medical device cybersecurity and vulnerability disclosures, but the new agreement formalizes the relationship between them.

“The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” explained FDA Commissioner Scott Gottlieb, M.D. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

Under the new agreement, information sharing will be increased between the two federal agencies to improve understanding of new medical device security threats. When vulnerabilities are discovered, both departments will work closely together to assess the risk that the vulnerabilities pose to patient safety. The agencies will also coordinate the testing of the vulnerabilities.

By working more closely together, the two agencies will be able to eliminate duplication of activities and will be able to work more efficiently at identifying and mitigating threats. “Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks,” wrote the FDA.

DHS will remain the central coordination center for medical device vulnerabilities through the National Cybersecurity and Communications Integration Center (NCCIC), which will continue to be responsible for coordinating information sharing between medical device manufacturers, security researchers, and the FDA.

The FDA’s Center for Devices and Radiological Health will use its considerable technical and clinical expertise to assess the risk vulnerabilities pose to patient health and the potential for patients to come to harm from exploitation of vulnerabilities. This information will then be shared with DHS through regular, ad hoc, and emergency communication calls.

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration,” said Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS.


Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.

The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ.

The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats.

TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality.

Webinar Details:

Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering

Date: Thursday, October 18th

Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:

John Tippett, VP, Datto Networking

Andy Katz, Network Solutions Engineer

Rocco Donnino, EVP of Strategic Alliances, TitanHQ



FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow up visits. Approximately 34,000 vulnerable programmers are currently in use.

The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs.

While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN, there is no check performed to establish whether the programmer is still connected to the VPN before software updates are downloaded. This would give hackers the opportunity to install their own updates and alter the functionality of the devices.
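To make the failure mode concrete, here is an added example (not Medtronic's code, not from the FDA advisory, and not the page's own) that models an update client in Python. The VPN tunnel state, the vendor and rogue packages, and the HMAC signing key are all constructed for the illustration. The first client mirrors the flaw described above: it downloads and applies whatever answers, with no check that the tunnel is still up. The second refuses to download unless the tunnel is connected, re-checks after the transfer, and, as an assumption going beyond the page, also authenticates the package itself so that the transport path is not the only line of defense.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed signing key for the illustration; a real vendor would use a
# public-key signature, not a shared secret embedded in the client.
VENDOR_KEY = b"constructed-vendor-signing-key"


@dataclass
class VpnTunnel:
    """Hypothetical VPN session state as seen by the update client."""
    connected: bool


@dataclass
class UpdatePackage:
    """Hypothetical update package: payload plus an HMAC-SHA256 tag over it."""
    version: str
    payload: bytes
    tag: bytes


class UpdateRejected(Exception):
    """Raised by the hardened client when it refuses to apply an update."""


def sign(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Compute the package tag (constructed stand-in for a vendor signature)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


# Constructed packages: the genuine one is tagged with the vendor key, the rogue
# one with some other key, as a non-vendor party would have to do.
GENUINE = UpdatePackage("2.1", b"genuine firmware image",
                        sign(b"genuine firmware image"))
ROGUE = UpdatePackage("2.1", b"tampered firmware image",
                      sign(b"tampered firmware image", b"not-the-vendor-key"))


def download(tunnel: VpnTunnel) -> UpdatePackage:
    """Models the network path: with the tunnel up, the vendor network answers;
    with it down, whatever host sits on the local path answers (here ROGUE)."""
    return GENUINE if tunnel.connected else ROGUE


def install_unchecked(tunnel: VpnTunnel) -> bytes:
    """The flaw described above: apply whatever was downloaded, regardless of
    whether the tunnel is still connected. Returns the image that was applied."""
    pkg = download(tunnel)
    return pkg.payload


def install_checked(tunnel: VpnTunnel, key: bytes = VENDOR_KEY) -> bytes:
    """Hardened flow: verify the tunnel before and after the transfer, then
    authenticate the package before applying it. Returns the applied image."""
    if not tunnel.connected:
        raise UpdateRejected("VPN tunnel not connected; refusing to download updates")
    pkg = download(tunnel)
    if not tunnel.connected:  # tunnel may have dropped during the transfer
        raise UpdateRejected("VPN tunnel dropped during download; discarding package")
    if not hmac.compare_digest(sign(pkg.payload, key), pkg.tag):
        raise UpdateRejected("package authentication failed; discarding package")
    return pkg.payload


def try_install_checked(tunnel: VpnTunnel) -> tuple:
    """Convenience wrapper returning ('applied', image) or ('rejected', reason)."""
    try:
        return ("applied", install_checked(tunnel))
    except UpdateRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("unchecked, tunnel down:", install_unchecked(VpnTunnel(False)))
    print("checked, tunnel down:  ", try_install_checked(VpnTunnel(False)))
    print("checked, tunnel up:    ", try_install_checked(VpnTunnel(True)))
```

Running the block shows the unchecked client applying the tampered image when the tunnel is down, while the checked client rejects it and applies only the genuine image over a connected tunnel. The package authentication step matters because a tunnel check alone still trusts the path; a signed package is safe to verify even when it arrives over USB, which is the delivery route Medtronic moved to.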

The flaws in the programmers were identified by security researchers Billy Rios and Jonathan Butts last year. Medtronic was notified about the flaws but has been slow to take action. An advisory was eventually issued in February 2018, but it has taken until now for action to be taken to correct the vulnerability.

Medtronic is now preventing the programmers from connecting to the SDN to receive software updates. Instead, future updates must be performed by Medtronic through a USB connection. Any attempt to update the device via the SDN will now trigger an “Unable to connect to local network” or “Unable to connect to Medtronic” error message.

The FDA reviewed the cybersecurity vulnerabilities and has confirmed that the flaws could be exploited to cause patients to come to harm. On October 5, 2018, the FDA approved the Medtronic network update that blocks the programmer from accessing the Medtronic SDN.

The FDA recommends that the programmers continue to be used for programming, testing and evaluation of CIED patients. The internet connection is not a requirement for normal operation.

Both the FDA and Medtronic have confirmed that no reports have been received to suggest that the vulnerabilities have been exploited and no patients are known to have come to harm.


Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

Weighting factors used to produce the final top 10 list include the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. They can move laterally within the network and gain access to medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources hijacked, and ransomware deployed, which could render systems inoperable. For the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full Top Ten List of Health Technology Hazards for 2019 is:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation
