Healthcare Information Technology

FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security.

The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever that adequate protections are in place to safeguard patient safety and that threats are rapidly identified, addressed and mitigated.

Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data; they could also be used as a foothold to launch further cyberattacks that prevent healthcare providers from delivering care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real possibility.

Both the FDA and DHS are aware of the threat posed by medical devices and have been working to strengthen cybersecurity. The two agencies have collaborated in the past on medical device cybersecurity and vulnerability disclosures, but the new agreement formalizes the relationship between them.

“The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” explained FDA Commissioner Scott Gottlieb, M.D. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

Under the new agreement, information sharing will be increased between the two federal agencies to improve understanding of new medical device security threats. When vulnerabilities are discovered, both departments will work closely together to assess the risk that the vulnerabilities pose to patient safety. The agencies will also coordinate the testing of the vulnerabilities.

By working more closely together, the two agencies will be able to eliminate duplication of activities and will be able to work more efficiently at identifying and mitigating threats. “Through this agreement, both agencies are renewing their commitment to working with not only each other, but also all stakeholders to create an environment of shared responsibility when it comes to coordinated vulnerability disclosure for identifying and addressing cybersecurity risks,” wrote the FDA.

DHS will remain the central coordination center for medical device vulnerabilities through the National Cybersecurity and Communications Integration Center (NCCIC), which will continue to be responsible for coordinating information sharing between medical device manufacturers, security researchers and the FDA.

The FDA’s Center for Devices and Radiological Health will use its considerable technical and clinical expertise to assess the risk that vulnerabilities pose to patient health and the potential for patients to come to harm from their exploitation. This information will then be shared with DHS through regular, ad hoc, and emergency communication calls.

“Ensuring our ability to identify, address and mitigate vulnerabilities in medical devices is a top priority, which is why DHS depends on our important partnership with the FDA to collaborate and provide actionable information. This agreement is another important step in our collaboration,” said Christopher Krebs, Undersecretary for the National Protection and Programs Directorate at DHS.

The post FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity appeared first on HIPAA Journal.

Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.

The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ.

The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats.

TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality.

Webinar Details:

Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering

Date: Thursday, October 18th

Time: 11AM ET | 8AM PT | 4PM GMT/BST

Speakers:

John Tippett, VP, Datto Networking

Andy Katz, Network Solutions Engineer

Rocco Donnino, EVP of Strategic Alliances, TitanHQ



FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow-up visits. Approximately 34,000 vulnerable programmers are currently in use.

The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs.

While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN, there is no check performed to establish whether the programmer is still connected to the VPN before software updates are downloaded. This would give hackers the opportunity to install their own updates and alter the functionality of the devices.

The flaws in the programmers were identified by security researchers Billy Rios and Jonathan Butts last year. Medtronic was notified about the flaws but has been slow to take action. An advisory was eventually issued in February 2018, but it has taken until now for action to be taken to correct the vulnerability.

Medtronic is now preventing the programmers from connecting to the SDN to receive software updates. Instead, future updates must be performed by Medtronic through a USB connection. Any attempt to update the device via the SDN will now trigger an “Unable to connect to local network” or “Unable to connect to Medtronic” error message.
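A simplified model of the update-download gate described above, added here as an illustration and not Medtronic’s code. The class names, the interface names and the in-memory tunnel state are all assumptions; the point it shows is the difference between checking the VPN once at session start and re-checking it immediately before the transfer.

```python
from dataclasses import dataclass


@dataclass
class Tunnel:
    """Constructed stand-in for the programmer's VPN session state."""
    up: bool = True
    interface: str = "tun0"  # assumed name of the interface the tunnel is bound to


@dataclass
class UpdateSource:
    """Constructed stand-in for wherever a download would actually come from."""
    name: str
    interface: str  # interface the packets would really travel over


class VulnerableClient:
    """Models the reported behaviour: the VPN is checked once when the
    update session starts and never again before the download itself."""

    def __init__(self, tunnel: Tunnel) -> None:
        self.tunnel = tunnel
        self.session_ok = tunnel.up  # snapshot taken at session start only

    def download(self, source: UpdateSource) -> str:
        if not self.session_ok:
            return "refused: VPN was down at session start"
        # No re-check here: if the tunnel dropped in the meantime, the
        # payload is still fetched over whatever path happens to be reachable.
        return f"downloaded from {source.name} via {source.interface}"


class HardenedClient:
    """Re-checks tunnel state immediately before the transfer and refuses
    any download whose path would not traverse the tunnel interface."""

    def __init__(self, tunnel: Tunnel) -> None:
        self.tunnel = tunnel

    def download(self, source: UpdateSource) -> str:
        if not self.tunnel.up:
            return "refused: VPN down at download time"
        if source.interface != self.tunnel.interface:
            return "refused: download path does not traverse the VPN"
        return f"downloaded from {source.name} via {source.interface}"


def run_scenario(client_cls, tunnel_drops: bool) -> str:
    """The tunnel is up when the session opens. If it then drops before the
    download, the only source still reachable is an unverified host on the
    local network; otherwise the genuine update server is reached via tun0."""
    tunnel = Tunnel(up=True)
    client = client_cls(tunnel)
    if tunnel_drops:
        tunnel.up = False
        source = UpdateSource(name="unverified-host", interface="eth0")
    else:
        source = UpdateSource(name="sdn-update-server", interface="tun0")
    return client.download(source)


if __name__ == "__main__":
    for drops in (False, True):
        print(f"tunnel drops={drops}")
        print("  vulnerable:", run_scenario(VulnerableClient, drops))
        print("  hardened:  ", run_scenario(HardenedClient, drops))
```

The hardened client still accepts the legitimate update when the tunnel stays up, so the re-check does not block normal operation.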

The FDA reviewed the cybersecurity vulnerabilities and has confirmed that the flaws could be exploited to cause patients to come to harm. On October 5, 2018, the FDA approved the Medtronic network update that blocks the programmer from accessing the Medtronic SDN.

The FDA recommends that the programmers continue to be used for programming, testing and evaluation of CIED patients. The internet connection is not a requirement for normal operation.

Both the FDA and Medtronic have confirmed that no reports have been received to suggest that the vulnerabilities have been exploited and no patients are known to have come to harm.


Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify sources of danger, or problems with technology that have the potential to cause patients harm, so that they can take action to reduce the risk of adverse events.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

The weighting factors used to produce the final top 10 list include the likelihood of a hazard causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, the effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. They can move laterally within the network and gain access to medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources hijacked, and ransomware deployed that renders systems inoperable. For the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full Top Ten List of Health Technology Hazards for 2019 is:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation


NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce.

The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) – is the first in a series of new publications that address cybersecurity and privacy together, and it is the foundation for further publications that will explore IoT device cybersecurity and privacy in more detail.

“IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST.

In the guidance document, NIST identifies three high-level considerations that can affect the management of risks that IoT devices can introduce. First, IoT devices tend to interact with the physical world in ways that conventional IT devices do not. Second, IoT devices cannot typically be accessed, managed, and monitored in the same way as conventional IT devices. Third, the availability, efficiency and effectiveness of cybersecurity and privacy controls are different for IoT devices than conventional IT devices.

Cybersecurity and privacy risks need to be addressed for the entire lifecycle of IoT devices and can be considered in terms of three high-level mitigation goals:

  • Preventing IoT devices from being used to conduct attacks
  • Protecting the confidentiality, integrity, and availability of data stored on the devices
  • Protecting the privacy of individuals

The guidance document suggests various ways that the above goals can be met and describes the challenges that organizations may face in achieving them. However, since IoT devices are so diverse, it is difficult to make recommendations that apply to all use cases, levels of risk and device types.

NIST is seeking public comments on the document and will be accepting feedback until October 24, 2018. The draft document can be downloaded on this link (PDF).


Final Participation Request: Emergency Preparedness Survey

Do you want to help determine the state of emergency preparedness in healthcare?

Over 100 HIPAA Journal readers have already participated in this survey and this is the last chance to contribute by completing this short anonymous survey on emergency preparedness and security communications trends.

This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next.

After you complete the survey, you will have the chance to enter into a raffle for a $150 gift card from the survey sponsor (RaveMobileSafety).

If you provide your email address, you’ll receive the published (anonymous) results before they are released.

HIPAA Journal will eventually publish the results.

Note: HIPAA Journal is not conducting this survey and HIPAA Journal does not receive any payment for promoting this survey. If your organization is running a survey that is interesting to healthcare professionals, you can contact us with the details.


Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices and media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether a healthcare employee or a malicious actor, potentially has the ability to view, change, or delete data. Device configurations could be altered, or malicious software such as ransomware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)


NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations.

Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk.

If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks.

An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs.

Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly and efficiently. Oftentimes, the pumps ship with default maintenance passcodes which, if not changed, make them vulnerable to attack. Many wireless infusion pumps can be accessed remotely. While this makes management easier, it is also a security weak point, since the devices could potentially be accessed remotely by threat actors.

The guide helps healthcare delivery organizations manage and secure their wireless networks and infusion pumps, mitigate vulnerabilities, and protect against threats.

The guide combines standards-based, commercially available technologies with industry best practices to help healthcare delivery organizations strengthen the security of the devices. The guidance includes a questionnaire-based risk assessment and maps the security characteristics of the wireless infusion pump ecosystem to the HIPAA Security Rule and the NIST Cybersecurity Framework.

By using the guide, healthcare delivery organizations can create a defense-in-depth solution that will allow them to protect their wireless infusion pumps against a wide range of different risk factors.

Braun, Baxter, BD, Cisco, Clearwater Compliance, Digicert, Hospira, Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec, and TDI Technologies all participated in the creation of the guide.

NIST Special Publication 1800-8A – Securing Wireless Infusion Pumps in Healthcare Delivery Organizations – is available for download on this link (PDF).

The 375-page document may take some time to open, depending on the speed of your Internet connection.


Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX

Over the past few months, several vulnerabilities have been discovered in Philips medical devices, software and systems.

This week, two further advisories have been issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in the firm’s real-time central monitoring system, Philips IntelliVue Information Center iX, and in its PageWriter cardiographs. All three of the vulnerabilities are classed as medium risk, with CVSS v3 base scores ranging between 5.7 and 6.1.

CVE-1999-0103 is a denial of service vulnerability that affects the Philips IntelliVue Information Center iX version B.02. The flaw was discovered by a user of the system and was reported to Philips, which in turn reported the vulnerability to the National Cybersecurity and Communications Integration Center (NCCIC).

The vulnerability can be exploited remotely and does not require a high level of skill. Multiple initial UDP requests could compromise the availability of the device by causing the operating system to become unresponsive. The vulnerability has been assigned a CVSS v3 base score of 5.7.

Philips has already put mitigations in place to reduce the potential for the vulnerability to be exploited. All PIIC iX B.02 users have been advised to read the labelling, instructions for use, and service guides, which detail compensating controls. A patch will be released to correct the vulnerability by the end of September 2018.

Two vulnerabilities have been identified by Philips affecting its PageWriter TC10, TC20, TC30, TC50 and TC70 cardiographs. The flaws are present in all versions prior to May 2018.

CVE-2018-14799 is an improper input validation vulnerability. The devices do not properly sanitize data entered by users, which could result in the triggering of a buffer overflow condition. If exploited, a threat actor could access and modify device settings. The vulnerability has been assigned a CVSS v3 base score of 5.9.

CVE-2018-1480 concerns the use of hard-coded credentials. To exploit this vulnerability an attacker would need physical access to the device and would require the superuser password. With the password and physical access it would be possible to change all settings on the device and reset all existing passwords. The vulnerability has been assigned a CVSS v3 base score of 6.1.

The PageWriter vulnerabilities will be addressed by Philips via a new release, but that will not be available until the middle of 2019.

Philips notes that the WinCE5 operating system on the PageWriter TC20, TC30, TC50 and TC70 is now obsolete and is no longer supported. TC50 and TC70 can be updated to WinCE7, which users can download from InCenter.

However, the TC20 and TC30 do not support WinCE7. Customers concerned about the obsolete operating system have been advised to upgrade to the TC50; otherwise, Philips will issue an update moving the TC20 to a supported operating system by the end of 2019.

In the meantime, Philips suggests defense in depth, physical security controls to prevent access to the devices, controlling access to system components to protect medical devices in the system, and the use of multi-factor authentication.
