Healthcare Information Technology

Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Posted by HIPAA Journal

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit.

BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions.

The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC).

The vulnerability is present in the following cytometry solutions:

  • BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018)
  • The U.S. release of BD FACSLyric IVD Windows 10 Professional Operating System.

FACSLyric flow cytometry systems on Windows 7 are unaffected.

BD is contacting all affected users and will perform remediation activities to correct the flaw. These include disabling the admin account for users with BD FACSLyric RUO Cell Analyzer units on Windows 10 Pro. Computer workstations with BD FACSLyric IVD Cell Analyzer units on Windows 10 Pro will be replaced.

Users of the vulnerable solutions that have not yet been contacted by BD can contact BD Biosciences General Tech Support for further information.

To minimize the risk of exploitation of vulnerabilities such as this, NCCIC recommends locating medical devices and systems behind firewalls, minimizing network exposure for medical devices and systems, restricting access to authorized individuals, applying the rule of least privilege, adopting defense in depth strategies, and disabling unnecessary accounts and services.

The post Vulnerability Identified in BD FACSLyric Flow Cytometry Solution appeared first on HIPAA Journal.

New Report Reveals Spiraling Cost of Cyberattacks

Posted by HIPAA Journal

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there was a 52% increase in the cost of cyberattacks on businesses in since 2017.

For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks.

The 2018 Threat Landscape

93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware.

Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now more purposeful about hiding their motives. 27% of attacks were insider threats, 26% were attacks by competitors, 19% were attributed to cyberwar, and 18% were conducted by angry users. The primary aim of the attacks was service disruption (45%), data theft (35%), and espionage (3%). 16% of attacks had another aim or the purpose had not been established.

One in five businesses reported being attacked daily: A 62% increase year over year. 13% reported weekly attacks, 13% monthly attacks, and 27% experienced one or two attacks in the past year. 19% were unsure how many times they had been attacked.

Healthcare was the second most attacked industry behind the government sector. 39% of healthcare organizations reported having to fend off daily or weekly cyberattacks by hackers. Only 6% of healthcare organizations claimed they had not been attacked in the past year.

The biggest threats were malware and bots (reported by 76% of organizations), social engineering attacks such as phishing (65%), DDoS attacks (53%), web application attacks (42%), ransom threats (38%), and cryptocurrency miners (20%).

Respondents from healthcare organizations felt they were best prepared for phishing and other social engineering attacks (58%), malware, bots and DDoS attacks (55%), and web application attacks (52%). Only 39% felt they were well prepared to deal with ransomware attacks and advanced persistent threats.

The Rising Cost of Cyberattacks

The Radware study asked respondents about the business cost of a successful cyberattack. According to the report, the cost more than doubled compared to last year and is now $1.1 million. Respondents that had a formalized calculation to determine the financial impact of a cyberattack reported the cost to be $1.7 million, compared to $880,000 for those with no formal calculation.

For SMBs with fewer than 1,000 employees, the average cost of a cyberattack was estimated to be $450,000. That rose to $1.1 million for enterprises with between 1,000 and 10,000 employees, and $2.1 million for large corporations with more than 10,000 employees.

The average cost of a successful cyberattack on a healthcare organization was determined to be $1.43 million. Fortunately, most healthcare organizations (82%) had a breach response plan in place, which can limit the cost of a cyberattack.

The True Cost of a Cyberattack

The cost of a cyberattack is likely to be significantly higher than the estimates. Radware notes that the estimates do not factor in direct costs such as extended labor, investigations, and the development of software patches, indirect costs such as the hiring of technical consultants, legal expenses, and stock price drops, and costs associated with the prevention of future cyberattacks.

Other costs that are difficult to calculate are lost revenue, brand reputation damage, and loss of customers – All real possibilities after a data breach. Radware notes that following a successful cyberattack, 43% of respondents said there had been a negative customer experience, 37% suffered brand reputation damage, and 23% reported a loss of customers.

“The cost of cyberattacks is simply too great to not succeed in mitigating every threat, every time,” explained Radware. “Customer trust is obliterated in moments, and the impact is significant on brand reputation and costs to win back business.”

The post New Report Reveals Spiraling Cost of Cyberattacks appeared first on HIPAA Journal.

Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability

Posted by HIPAA Journal

Seven leading hospital associations, including the American Hospital Association (AHA), are calling for an industry-wide effort to improve data sharing. The new report seeks to enlist and expand public and private stakeholder support to accelerate interoperability and help remove the barriers to data sharing.

In order to achieve the full potential of the nation’s healthcare system, health data must flow freely. Only then will it be possible to provide the best possible care to patients, properly engage people in their health, improve public health, and ensure new models of healthcare succeed.

Effective sharing of patient data strengthens care coordination, improves safety and quality, empowers patients and their families, increases efficiency, reduces healthcare costs, and supports the accurate tracking of diseases and the creation of robust public health registries.

The report explains that great progress is being made to improve interoperability of health IT systems and ensure that patients data can be accessed regardless of location or system. 93% of hospitals now allow patients to access their health records online, 87% allow health records to be downloaded by patients, 88% of hospitals send patient records to ambulatory care providers outside their system, and 84% of hospitals allow caregivers to access information on behalf of patients.

Interoperability improvements have required tremendous effort and have come at a significant cost. Progress has been made but hospitals still face substantial barriers that are preventing efficient data sharing. Health IT tools are often expensive, many do not easily support information sharing, and the use of different health IT and EHR systems make it difficult to efficiently share information.

It is now common for healthcare to be delivered across multiple settings and locations. Records generated in doctor’s offices, hospitals, laboratories, medical devices, and in non-clinical settings should all be accessible and capable of being transferred quickly, efficiently, and accurately to create a full patient record that can be accessed by patients and their healthcare providers.

The report notes that diplomats at the United Nations speak a wide variety of languages but, through translators, are able to communicate efficiently and effectively. Mobile phones can communicate with other devices, regardless of make, model, or operating system. Healthcare needs to operate in a similar way.

A final push is required to get interoperability where it needs to be. The challenges that need to be overcome are detailed in the report along with an agenda detailing the pathway to full interoperability.

In order to achieve true interoperability, all industry stakeholders need to collaborate and work toward the common goal. The roles that different stakeholders must play are detailed in the report.

The report – Sharing data, Saving Lives: The Hospital Agenda for Interoperability – can be downloaded on this link.

The post Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability appeared first on HIPAA Journal.

Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors

Posted by HIPAA Journal

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) has issued an advisory about three vulnerabilities affecting Dräger Infinity Delta patient monitoring devices.

The flaws affect all versions of Infinity Delta, Delta XL, Kappa, and infinity Explorer C700 patient monitoring devices. The flaws could lead to the disclosure of sensitive information stored in device logs, be leveraged to conduct Denial of Service (DoS) attacks, or could potentially allow an attacker to gain full control of the operating system of a vulnerable device. The flaws were discovered by Marc Ruef and Rocco Gagliardi of scip AG.

The vulnerabilities are detailed below, in order of severity:

CVE-2018-19014 (CWE-532) – Exposure of Information in Log Files

Log files are not appropriately secured and are accessible over an unauthenticated network. An attacker could gain access to device log files and view sensitive information relating to the internals of the monitor, location of the device, and its wired network configuration. The flaw has been assigned a CVSS v3 base score of 4.3.

CVE-2018-19010 (CWE-20) – Improper Input Validation

An error in the way input is validated could be exploited to cause the device to constantly reboot. An attacker could repeatedly send a malformed network packet causing a vulnerable device to repeatedly reboot until it reverts to its default configuration and network connectivity is lost. The vulnerability has been assigned a CVSS v3 base score of 6.5.

CVE-2018-19012 (CWE-269) – Privilege Escalation Through Improper Privilege Management

An attacker could break out of kiosk mode via a specific dialog and gain access to the underlying operating system and take full control of the operating system. The vulnerability has been assigned a CVSS v3 base score of 8.4.

All three vulnerabilities were addressed by Dräger in December 2018. Users should update the devices to Delta/Infinity Explorer VF10.1 which can be accessed on Dräger ServiceConnect.

Users have also been advised to review their network segmentation configuration and ensure that the devices are logically or physically separated from the hospital LAN and also check the Windows patch level of their Infinity Explorer.

The post Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors appeared first on HIPAA Journal.

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

Posted by HIPAA Journal

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers.

The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers.

The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent successful attacks. While a range of mitigations have been specified, there is no single solution that will work for all organizations and mitigating these malicious activities can be a complex process.

Advice for Customers of IT Service Providers

Healthcare organizations that utilize IT service providers are advised to:

  • Ensure their providers have conducted a review to determine if there is a security concern or has been a compromise
  • Ensure their IT service providers have implemented solutions and tools to detect cyberattacks.
  • Review and verify connections between healthcare systems and those used by IT service providers.
  • Verify all IT service provider accounts are being used for appropriate purposes.
  • Disable IT service provider accounts when they are not in use.
  • Ensure business associate agreements require IT service providers to implement appropriate security controls, require logging and monitoring of client systems and connections to their networks, and the need to promptly issue notifications when suspicious activity is detected.
  • Integrate system log files and network monitoring data into intrusion detection and security monitoring systems for independent correlation, aggregation and detection.
  • Ensure service providers view US-CERT pages related to APT groups targeting IT service providers, specifically TA-18-276A and TA-18-276B.

Advice for IT Service Providers

IT service providers have been advised to take the following actions to mitigate the risk of cyberattacks:

  • Ensure the mitigations detailed in US-CERT alerts are fully implemented.
  • Ensure the principle of least privilege is applied to their environments, customers’ data are logically separated, and access to clients’ networks is not shared.
  • Implement advanced network and host-based monitoring systems that look for anomalous behavior that could indicate malicious activity.
  • Aggregate and correlate log information to maximize the probability of detection of malicious activity and account misuse.
  • Work closely with customers to ensure that all hosted infrastructure is carefully monitored and maintained.

The post IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity appeared first on HIPAA Journal.

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

Posted by HIPAA Journal

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients.

Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients.

The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The guidance and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patientswere developed in response to a mandate in the Cybersecurity Act of 2015 Section 405(d) to issue practical guidelines to help healthcare organizations cost-effectively reduce healthcare cybersecurity risks.

The guidance was developed over two years with assistance provided by more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine.

Two technical volumes have also been published that outline cybersecurity best practices for healthcare organizations tailored to the size of the organization: One for small healthcare providers such as clinics and a second volume for medium healthcare organizations and large health systems. The documents contain a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.

The aim of the guidance and best practices is threefold: To help healthcare organizations reduce cybersecurity risks to a low level in a cost-effective manner, to support the voluntary adoption and implementation of Cybersecurity Act recommendations, and to provide practical, actionable, and relevant cybersecurity advice for healthcare organizations of all sizes.

The guidance aims to raise awareness of cybersecurity threats to the healthcare sector and help healthcare organizations mitigate the most impactful cybersecurity threats: Email phishing attacks, ransomware attacks, loss/theft of equipment and data, accidental and intentional insider data breaches, and medical device attacks that could affect patient safety.

Ten cybersecurity practices are detailed in the technical volumes to mitigate the above threats in the following areas:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

A “cybersecurity practices assessments toolkit” has also been made available to help healthcare organizations prioritize threats and develop action plans to mitigate those threats.

Over the next few months, the HHS will be working closely with industry stakeholders to raise awareness of cybersecurity threats and implement the best practices across the health sector.

The post HHS Publishes Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

Posted by HIPAA Journal

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices and best practices for securing the telehealth and remote monitoring ecosystem.

Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks.

Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge.

The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment.

The paper addresses cybersecurity concerns related to the use of the devices in patients’ homes, the use of home networks, and patient-owned devices and identifies cybersecurity measures that can be implemented by healthcare organizations with RPM and video telehealth capabilities.

“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” explained NCCoE.

NCCoE has evaluated the following functions of the devices:

  • Connectivity of devices and applications deployed on patient-owned devices such as smartphones, tablets, laptops, and desktop computers
  • How applications transmit monitoring data to healthcare providers
  • The ability for patients to interact with their point of contact to initiate care
  • The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about issues with patients
  • The ability for data to be shared with electronic medical record systems
  • The ability for patients to initiate videoconference sessions through telehealth applications
  • The ability for application patches and updates to be installed
  • How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
  • How a healthcare provider can connect to a remote monitoring device to update the device configuration

The paper does not cover risks specific to third party telehealth platform providers nor does it evaluate device vulnerabilities and defects.

Stakeholders have been invited to comment on the draft paper. Comments will be accepted until December.

The guidance document can be downloaded on this link.

The post NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity appeared first on HIPAA Journal.

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

Posted by HIPAA Journal

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and adoption of a more integrated approach to privacy that includes both the healthcare sector and consumer sector.

The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule).

Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies.

AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an example. Pennsylvania and New Jersey are neighboring states, but they have different policies covering HIV/AIDS data. If an HIV/AIDS patient from Pennsylvania was to visit a hospital in New Jersey, information on their HIV/AIDS diagnosis would not be accessible by clinicians in New Jersey, even though the information has high importance in treatment decisions. The patient would also be unlikely to receive their data from the New Jersey hospital to take back to their healthcare provider in Pennsylvania.

“AMIA encourages the administration to ensure that federal rules lay a common foundation across jurisdictional and geographic boundaries while also providing a process for jurisdictions to address local needs and norms.”

In recent years there has been a significant increase in consumer devices and information systems that record similar information to medical devices and healthcare information systems. The line between the two has been blurred. Action is therefore required to develop concordant privacy policies across health and consumer data ecosystems.

HIPAA was introduced 22 years ago in 1996 at a time when healthcare organizations were predominantly using paper records. While HIPAA has been updated to account for the shift to electronic records, AMIA points out that the adoption of health-related technologies that were unavailable in 1996 has resulted in the formation of gaps that now endanger patient privacy.

The changes made to HIPAA through the introduction of the Privacy Rule have ensured that patients have access to their health data and greater control over what is done with that information. What is now required are similar rights and protections for consumers.

While AMA does not suggest that either HIPAA or the Common Rule should be applied to the consumer data ecosystem, both “should serve as important and informative inputs to [the] conversation on consumer data privacy.”

AMA has called for the Federal Trade Commission (FTC) to develop a consumer data strategy that “Supports trust, safety, efficacy, and transparency across the proliferation of commercial and non-proprietary information resources,” and suggests that the time is right to develop an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”

The post AMIA Calls for Greater Alignment of Federal Data Privacy Rules appeared first on HIPAA Journal.

Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS

Posted by HIPAA Journal

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress.

The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature.

The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service.

The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center.

NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal government civilian agencies.

The new name better reflects the work NPPD does and emphasizes the importance of cybersecurity in securing the nation’s critical infrastructure. The new agency will consolidate information security and physical infrastructure security in a unified agency.

“The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical,” said DHS Secretary Kirstjen M. Nielsen. “It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”

Having a single agency in charge of the nation’s cybersecurity will help the U.S. government address current security gaps. At present, each federal agency is responsible for its own IT systems and managing cyber risks. Regardless of size and budget, each government entity must ensure cyber risks are managed and reduced to a minimal level. There are also several government agencies that cover various cybersecurity functions, which is inefficient and results in security gaps.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said Christopher Krebs, current undersecretary of the NPPD. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

The post Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS appeared first on HIPAA Journal.