Healthcare Information Technology

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are provided below.

NotPetya Ransomware Attacks Spread to the United States

Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems.

Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities.

While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. Fourteen of the health system’s community facilities were closed on Wednesday as a result of the attack, and lab and diagnostic services were also affected.

The health system’s communications director, Suzanne Sakson, said, “Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the health system.”

No evidence has been uncovered to suggest protected health information has been accessed, although an investigation into the incident is ongoing.

West Virginia’s Princeton Community Hospital has also been affected with many of the hospital’s computers taken out of action following infection with ransomware. An investigation has been launched to determine whether patient health information was potentially accessed. Hospital spokesperson Rick Hypes said the hospital has implemented its protocols for cyberattacks and patient care is continuing to be provided.

The New Jersey-based pharmaceutical firm Merck has also been affected.

While it was initially believed the attacks involved Petya ransomware, security researchers believe this is a Petya-like ransomware variant from the same family. It has already attracted a variety of names including NotPetya, SortaPetya, GoldenEye, Petna, Nyeta and ExPetr.

Decryption Unlikely, Even if the Ransom is Paid

The ransomware variant deletes and replaces the Master File Table (MFT) which prevents computers from being able to locate files. The attackers have collected some ransom payments, although recovering systems by paying the ransom may not be possible.

The attacker was using an email account through a German email provider; however, that email account has been suspended. The email account was used to verify payment of a ransom. Without access to that email account, payment verification would be prevented.

Security researchers at Kaspersky Lab have also discovered a flaw in the ransomware which prevents data recovery, even if the ransom is paid. Kaspersky Lab issued a statement saying “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

Some security researchers have suggested that the goal of the attack was therefore not extortion but sabotage. Matt Suiche suggested in a recent analysis of the attack that “The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” However, it is also possible that the attackers simply made a mistake when developing their ransomware.

The number of victims has been steadily rising, with Kaspersky Lab identifying 2,000 attacks on Tuesday, while Microsoft now reports there have been at least 12,500 infections across 65 countries.

The attacks have hit multinational companies hard, with infections first occurring in European facilities but then subsequently spreading across networks to other geographical locations. Shipping firm Maersk had its Danish facilities infected, followed by infections in Ireland, the UK and other countries.

How to Prevent Infection with NotPetya Ransomware

Two exploits released by Shadow Brokers have been used to spread infections – EternalBlue and EternalRomance – both of which were addressed with the MS17-010 patch issued by Microsoft in March, which was subsequently expanded for use on non-supported Windows versions such as Windows XP following the WannaCry ransomware attacks last month.

However, if one computer on a network has not been patched, that machine can be infected, and the infection can then spread across the network to patched computers.

Even if all vulnerable machines have been patched, infection may still occur. The attackers are using multiple attack vectors including spam emails containing malicious attachments.

To protect against these NotPetya ransomware attacks – and other similar attacks – the MS17-010 patch must be applied to all Windows devices. Since data recovery may not be possible, it is essential for data to be backed up, with multiple copies made, including one copy stored offline on an air-gapped machine that is not reachable from the Internet.

Rapid7 recommends organizations should “employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.” Additionally, “if possible, block 445 inbound to all internet-facing Windows systems.”

PsExec and wmic.exe should also be disabled to limit the ability of the ransomware to spread.

Since infection can occur via email, organizations should send alerts to company employees alerting them to the risk of attack from infected email attachments, specifically – but not exclusively – Microsoft Excel spreadsheets.

Security researcher Amit Serper at Cybereason suggests it is possible to ‘vaccinate’ computers to prevent encryption, with his method confirmed by a number of firms such as Emsisoft and PT Security.

Serper says, “Create a file called perfc in the C:\Windows folder and make it read only.” Details of how to do this are available on Bleeping Computer.
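The following script is an added example and is not code from the article, from Serper, or from Rapid7. It turns two of the mitigations above into something an administrator can run and verify: it creates the read-only `perfc` vaccination file (the file name and location are exactly as quoted from Serper; `C:\Windows` is the default, but the functions take a directory so the logic can be rehearsed in a scratch folder), and it checks from the current host whether TCP/445 is still reachable on a list of machines, which is how you would confirm the Rapid7 firewall advice from an untrusted network segment. The host addresses in the `__main__` block are constructed placeholders from the TEST-NET range.

```python
"""Added example (not from the HIPAA Journal article): apply and verify two
NotPetya mitigations described in the text: the read-only 'perfc' vaccination
file and blocking of TCP/445 from untrusted systems.

Assumptions: the vaccination file is C:\\Windows\\perfc as quoted from Serper;
the host list in __main__ is constructed for illustration.
"""
import pathlib
import socket
import stat
import tempfile

VACCINE_NAME = "perfc"               # file name quoted in the article
DEFAULT_WINDOWS_DIR = r"C:\Windows"  # folder quoted in the article
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def vaccinate(windows_dir: str = DEFAULT_WINDOWS_DIR) -> pathlib.Path:
    """Create the 'perfc' file in windows_dir and make it read-only (idempotent).

    On POSIX this clears the write permission bits; on Windows the same chmod
    call sets the file's read-only attribute, which is what Serper describes.
    """
    target = pathlib.Path(windows_dir) / VACCINE_NAME
    if not target.exists():
        target.touch()
    target.chmod(target.stat().st_mode & ~WRITE_BITS)
    return target


def is_vaccinated(windows_dir: str = DEFAULT_WINDOWS_DIR) -> bool:
    """True if the vaccination file exists and has no write permission bits set."""
    target = pathlib.Path(windows_dir) / VACCINE_NAME
    return target.is_file() and not (target.stat().st_mode & WRITE_BITS)


def dry_run_vaccination() -> bool:
    """Rehearse vaccinate()/is_vaccinated() in a scratch directory, not C:\\Windows."""
    with tempfile.TemporaryDirectory() as scratch:
        before = is_vaccinated(scratch)          # nothing there yet -> False
        vaccinate(scratch)
        after = is_vaccinated(scratch)           # file present, read-only -> True
        # restore the write bit so the temporary directory can be removed everywhere
        (pathlib.Path(scratch) / VACCINE_NAME).chmod(stat.S_IRUSR | stat.S_IWUSR)
    return (not before) and after


def smb_reachable(host: str, port: int = 445, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds, i.e. SMB is NOT blocked from here.

    Run from an untrusted segment (such as a guest VLAN) to check the Rapid7
    recommendation that TCP/445 is blocked from untrusted systems.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable: all mean "not reachable"
        return False


def exposure_report(hosts) -> dict:
    """Map each host to True (445 reachable, needs attention) or False (blocked)."""
    return {host: smb_reachable(host) for host in hosts}


if __name__ == "__main__":
    # Constructed host list (TEST-NET-1 addresses); replace with your own inventory.
    for host, exposed in exposure_report(["192.0.2.10", "192.0.2.11"]).items():
        print(f"{host}: {'TCP/445 REACHABLE' if exposed else 'blocked'}")
    print("vaccination dry run ok:", dry_run_vaccination())
```

Run `vaccinate()` with no argument on the Windows host itself (it needs rights to write to `C:\Windows`); `dry_run_vaccination()` exercises the same code in a temporary folder so the logic can be checked on any platform before deployment.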

The post U.S. Healthcare Providers Affected by Global Ransomware Attack appeared first on HIPAA Journal.

FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices.

The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk.

Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps.

In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for Smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of patients, empowering them to make better day-to-day health decisions and manage their health conditions more effectively.

There has been an explosion in the number and types of connected digital health devices in recent years, including health-tracking apps, fitness trackers and medical devices. There has been considerable innovation in the field, although Gottlieb said there is currently some ambiguity about how the FDA regulates apps and medical devices which results in some innovators steering clear of healthcare and focussing efforts on other ventures.

The FDA’s aim is to release clear guidance for developers that will enable them to understand all regulatory requirements on their own without having to obtain answers from the FDA on each individual technological change they wish to make.

The new guidance will cover a wide range of digital health products with multiple software functions, including some apps and devices that currently fall outside the scope of FDA regulation.

Gottlieb said, “Greater certainty regarding what types of digital health technology is subject to regulation and regarding FDA’s compliance policies will not only help foster innovation, but also will help the agency to devote more resources to higher risk priorities.”

The FDA will be running a pilot program for its new, risk-based regulatory framework this fall. The pilot program is still under development and the FDA is currently determining how a third-party certification program can be developed that will allow low-risk digital health products to be marketed without the need for a premarket review by the FDA.

High-risk products will still require a pre-market review, although the FDA is looking at ways the process can be streamlined. The FDA is considering a certification program that would assess companies on their products to determine whether they are reliably and consistently engaging in high quality software design and have been diligently validating their software products.

Gottlieb said, “Employing a unique pre-certification program for software as a medical device (SaMD) could reduce the time and cost of market entry for digital health technologies.”

“Applying this firm-based approach, rather than the traditional product-based approach, combined with leveraging real-world evidence, would create market incentives for greater investment in and growth of the digital health technology industry.”

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice.

Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling.

The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals.

An analysis of data from enterprises that downloaded the Preempt Inspector tool showed that more than 7% of employees are using passwords for their work accounts that have already been compromised in previous data breaches. Preempt also reports that 20% of passwords used by enterprise employees could easily be compromised, even though many enterprises have systems in place to ensure password complexity.

Preempt reports that 1 in 14 enterprise employees have set an extremely weak password that has appeared in a previous breach, while 13.39% of enterprise users have shared their password, either with other users or teams, or by using the same password for other services. Preempt says its research shows that 1 in 7 users have disclosed their password to other users within their network.

The study revealed that an average of 19.1% of enterprise users have set poor passwords, either those that have been used elsewhere, have been shared or are particularly weak. This translates to 1 in 5 enterprise users having a password that could easily be guessed by a threat actor.

The study revealed that larger organizations tend to have a better security posture and also a lower percentage of weak passwords in use. The larger the organization, the more secure their passwords are. This has been attributed to larger organizations having more resources devoted to security, with password policies likely to have been set and systems in place to enforce strong passwords. Those organizations are also likely to have more extensive education programs to raise security awareness.

The study was conducted on clients in multiple countries, with US-based organizations having approximately half the number of weak passwords as non-US companies. Preempt suggests that credential theft and cyberattacks are more extensively covered in the media in the United States, raising awareness of security and the need to take steps to prevent data breaches, such as setting strong passwords and not reusing passwords on multiple platforms.

The research shows that even though employees receive security awareness training and policies and technology are used to enforce the use of strong passwords, many employees are still taking big risks with their password choices. Many enterprises may believe they have tackled the issue of poor passwords, when the reality is likely quite different.
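The script below is an added example and is not Preempt's tool or any code from the article. It shows the three checks the study describes in miniature: whether a password appears in a breach corpus, whether the same password is used by more than one account (the signal this example uses for a "shared" password; that is an assumption of the example, not a statement of how Preempt measures sharing), and whether it fails a basic length rule. The breach list and the accounts are constructed, and the breach list is kept as SHA-1 hashes because that is how real breach corpora are distributed (the Have I Been Pwned range API, for instance, is queried with only the first five hex characters of a password's SHA-1 hash, so no plaintext or full hash ever leaves the auditing host).

```python
"""Added example (not from the Preempt study or the article): a local
password-hygiene audit that flags breached, shared and too-short passwords.

Assumptions: passwords are available to the auditor (e.g. during a controlled
password-reset check); the breach list and accounts below are constructed.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form used by public breach corpora."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach list, stored as hashes like a real breach corpus.
BREACHED_HASHES = {sha1_hex(p) for p in ["password", "123456", "Summer2017!", "qwerty"]}

# Constructed enterprise accounts (user -> password), for illustration only.
ACCOUNTS = {
    "alice": "Summer2017!",     # passes complexity rules but is in the breach list
    "bob": "Tr0ub4dor&3-xyz",   # unique and not breached
    "carol": "N0rth-W1nd-9k",   # same password as dave -> shared
    "dave": "N0rth-W1nd-9k",
    "erin": "pw1",              # too short
    "frank": "123456",          # breached and too short
}


def audit(accounts: dict, breached_hashes: set, min_length: int = MIN_LENGTH) -> dict:
    """Return per-user issue lists plus how many users have at least one issue."""
    by_hash = defaultdict(list)          # hash -> users with that password
    for user, pw in accounts.items():
        by_hash[sha1_hex(pw)].append(user)

    findings = {}
    for user, pw in accounts.items():
        h = sha1_hex(pw)
        issues = []
        if h in breached_hashes:
            issues.append("breached")
        if len(by_hash[h]) > 1:
            issues.append("shared")
        if len(pw) < min_length:
            issues.append("too_short")
        findings[user] = issues

    flagged = sum(1 for issues in findings.values() if issues)
    return {
        "findings": findings,
        "flagged_users": flagged,
        "flagged_fraction": flagged / len(accounts) if accounts else 0.0,
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS, BREACHED_HASHES)
    for user, issues in report["findings"].items():
        print(f"{user:6s} {', '.join(issues) or 'ok'}")
    print(f"{report['flagged_users']} of {len(ACCOUNTS)} users flagged "
          f"({report['flagged_fraction']:.0%})")
```

With the constructed data, five of the six accounts are flagged; only `bob` passes every check. The "shared" rule is the one a local audit can apply without any external data, since two accounts hashing to the same value is visible in the directory itself.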

ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Privacy Policy Snapshot Challenge.

Participants in the challenge were required to develop a Model Privacy Notice (MPN) generator capable of generating customizable MPNs for health IT developers.

While resources are available to help HIPAA covered entities, many technology companies are not subject to HIPAA requirements. It was therefore important for a resource to be developed for those businesses to help them adhere to other federal regulations.

While an MPN had already been released by ONC in 2011, since then the range of digital health technologies has increased considerably. One MPN would not be suitable for all organizations that collect consumer information.

On March 1, 2016, ONC issued a request for information to find out more from the public about the practices that should be disclosed to consumers and how that information should be presented.

The challenge to develop an MPN generator was issued in December 2016, with participants leveraging an updated MPN that had been developed by ONC with assistance from the Federal Trade Commission, HHS’ Office for Civil Rights and public and private stakeholders.

The challenge was to create an innovative tool that made it easy for developers to generate their own privacy notices, while also making it easy for consumers to understand those notices and find out about the data collected and how that information will be used and shared.

There were three winners announced by ONC, with the top prize of $20,000 awarded to Jason Cronk and Professor Daniel J. Solove. 1upHealth came second and was awarded a prize of $10,000 with third place and a prize of $5,000 going to MadeClear.io.

Jason Cronk and Prof. Daniel J. Solove’s winning submission best specified which language and terms had been changed to enhance consumer understanding, while combining “the clarity and simplicity of a nutrition facts-type label with visual icons that aid comprehension of the privacy concepts.” The MPN generator includes a side-by-side and live updating view of the MPN as users complete the app’s sections.

The 1upHealth team conducted detailed interviews and usability tests to obtain feedback on the usability of the solution. The MPN generator also includes a live updating, side-by-side view and verification of website and phone number formats. The solution also allows for extensive customization and is available in three formats (HTML, JSON and Markdown).

MadeClear.io also conducted extensive tests, obtaining feedback from 30 individuals on usability. The MPN generator includes expandable headers displaying how far developers have progressed, with alternating background images to differentiate different sections and colourful icons to add context to the privacy language.

Genevieve Morris, principal deputy national coordinator for health IT announced the winners of the challenge saying, “Winners designed innovative tools that will help make privacy notices easier for consumers to understand, so they can know how and why their health information is being shared.”

While the winning MPN generators can be used by developers, they do not meet the requirements of HIPAA for notices of privacy practices.

ONC Announces Move Health Data Forward Challenge Winners

Last week, the ONC announced the winners of the Move Health Data Forward challenge which asked participants to develop applications that make it easier for consumers to share their health data with their healthcare providers, research institutions, family and caregivers.

This was a multi-stage challenge with the first phase requiring participants to submit their plans. Ten phase 1 winners were awarded $5,000 each. Phase 2 required participants to demonstrate that their plans were viable and could meet the goals of the challenge. The field was narrowed down to five winners, each of whom won $20,000.

Phase three required participants to implement their solution into a mobile or web application, with two winners selected and awarded $50,000 each. Those winners were Foxhall Wythe LLC and Live and Leave Well, LLC.

The Foxhall Wythe solution – Docket™ – is a system that allows consumers to easily store and share their healthcare data with trusted healthcare providers. The system securely stores data with the appropriate protections to meet HIPAA security standards, while using FHIR® messages for communication. The solution includes OAuth 2.0 for user authentication, with a Quick Response (QR) code scan to authorize the sharing of information.

The Live and Leave Well™ solution allows consumers to easily share their end of life plans with healthcare providers, friends and family. Users can share Do Not Resuscitate (DNR) orders, Medical Orders for Life-Sustaining Treatment (MOLST) and other documents with healthcare providers. Healthcare providers can also complete proxy forms on the system. The app uses open application program interfaces, direct integration and OAuth 2.0 and allows data to be securely shared with ease.

Don Rucker, M.D., national coordinator for health information technology, said “The final winners in the Move Health Data Forward challenge show us that electronic health information can truly be owned by patients and their family members.”

VA Chooses Cerner to Provide Replacement for VistA EHR

The U.S. Department of Veterans Affairs (VA) has selected Cerner Corp. to provide a replacement for the outdated self-developed VistA EHR system. Earlier this year, United States Secretary of Veterans Affairs David Shulkin said a decision needed to be made about the VA EHR system, suggesting an off-the-shelf EHR system was the best choice and that a final decision would be made by July 1.

Shulkin said, “Seamless care is fundamentally constrained by ever-changing information sharing standards, separate chains of command, complex governance, separate implementation schedules that must be coordinated to accommodate those changes from separate program offices that have separate funding appropriations, and a host of related complexities requiring constant lifecycle maintenance.”

The cost of continued development of VistA was considered to be too great, especially with the prospect of ongoing interoperability problems. The VA has already invested hundreds of millions of dollars into VistA, yet the EHR is still only semi-interoperable with the system used by the Department of Defense (DOD). Cerner was the natural choice since it is the system used by the DOD.

Shulkin said, “Without improved and consistently implemented national interoperability standards, VA and DoD will continue to face significant challenges if the departments remain on two different systems.”

The DOD EHR system took 26 months to implement; however, the VA urgently needed to change systems to improve interoperability and security and could not wait years. Shulkin therefore made the decision to move systems without market competition, signing a Determinations and Findings document which allowed the VA to approach Cerner and choose the MHS Genesis system on a sole-source basis.

Shulkin said the use of Cerner’s system “will ultimately result in all patient data residing in one common system and enable seamless care between the departments without the manual and electronic exchange and reconciliation of data between two separate systems.”

The VA also plans to use the same architecture, tools and processes used by the DOD to secure its system, which will see a significant cybersecurity enhancement over its existing system.

While the decision has been made to implement Cerner’s system, that does not spell the end of VistA just yet. Transitioning to the new system will take time. VistA will need to be run in tandem with the new EHR for some time to come as VistA has functions that Cerner’s system does not. It could therefore take a decade before VistA is fully retired.

Shulkin said, “We’re embarking on creating something that has not been done before: an integrated product that, while utilizing the DoD platform, will require a meaningful integration with other vendors to create a system that serves Veterans in the best possible way.”

President Donald Trump welcomed the move saying, “This is one of the biggest wins for our veterans in decades. And I congratulate Secretary Shulkin for making this very, very important decision.”

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, but healthcare organizations should also take steps to deal with the threat from within. This year has seen numerous cases of employees snooping on and accessing medical records without authorization.

The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization.

If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to limit harm. However, recent incidents have shown that while access logs are kept, they are not being regularly checked. There have been numerous recent examples of employees who have improperly accessed patients’ medical records over a period of several years.

A few days ago, Beacon Health announced an employee had been discovered to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing so. That employee had been snooping on medical records for three years.

In March, Chadron Community Hospital and Health Services in Nevada discovered an employee had accessed the medical records of 700 patients over a period of five years and St. Charles Health System in central Oregon discovered an employee had accessed medical records without authorization over a 27 month period.

Also in March, Trios Health discovered an employee had improperly accessed the medical records of 570 patients. The improper access occurred over a period of 41 months.

Rapid detection of internal privacy breaches is essential. Even when snooping is discovered relatively quickly, the privacy of many thousands of patients may have already been violated. In January, Covenant HealthCare notified 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical records over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a period of 10 months.

Healthcare organizations may not feel it is appropriate to restrict clinical staff’s access to patients’ PHI, but a system can be implemented that will alert the appropriate staff to improper access promptly. Software solutions can detect improper access and raise alerts in near real-time. If such systems are not implemented, regular audits of ePHI access logs should be conducted. Regular checks of ePHI access logs will allow organizations to prevent large-scale breaches, reduce legal liability and reduce the harm caused by rogue employees.
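As an added example (not code from the article or from any EHR vendor), the script below runs three simple snooping rules over a constructed ePHI access log: access to records outside the units a user is assigned to, access after hours, and an unusually high number of distinct patient records opened by one user in one day. The log format, the staff-to-unit assignment table and the thresholds are all assumptions made for the example; real EHR audit logs differ by vendor but carry the same timestamp, user and patient fields, so the same rules apply to an export of the logs the Security Rule already requires organizations to keep.

```python
"""Added example (not from the article): a small detector for insider snooping
over a constructed ePHI access log.

Assumptions: CSV columns timestamp,user,patient_id,unit; the ASSIGNMENTS table
and thresholds are invented for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed access log. 'unit' is the ward the patient's record belongs to.
ACCESS_LOG = """timestamp,user,patient_id,unit
2017-06-26T09:05:00,nurse_a,P1001,cardiology
2017-06-26T09:07:00,nurse_a,P1002,cardiology
2017-06-26T09:40:00,clerk_b,P2001,oncology
2017-06-26T23:15:00,clerk_b,P1003,cardiology
2017-06-26T23:16:00,clerk_b,P1004,cardiology
2017-06-26T23:17:00,clerk_b,P1005,cardiology
2017-06-26T23:18:00,clerk_b,P1006,cardiology
2017-06-27T10:00:00,nurse_a,P1001,cardiology
"""

# Constructed assignments: units each user has a legitimate reason to access.
ASSIGNMENTS = {"nurse_a": {"cardiology"}, "clerk_b": {"oncology"}}

AFTER_HOURS = (22, 6)           # 22:00 to 06:00 counts as after hours
DISTINCT_PATIENTS_PER_DAY = 3   # more than this per user per day is unusual


def parse_log(text: str) -> list:
    """Parse the CSV text into dict rows, adding a parsed 'ts' datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def detect(rows, assignments, after_hours=AFTER_HOURS,
           max_per_day=DISTINCT_PATIENTS_PER_DAY) -> list:
    """Return (rule, user, detail) alerts for the three snooping rules."""
    alerts = []
    per_day = defaultdict(set)    # (user, date) -> distinct patient ids opened
    start, end = after_hours
    for r in rows:
        user, unit, pid, ts = r["user"], r["unit"], r["patient_id"], r["ts"]
        if unit not in assignments.get(user, set()):
            alerts.append(("outside_assigned_unit", user,
                           f"{pid} ({unit}) at {ts.isoformat()}"))
        if ts.hour >= start or ts.hour < end:
            alerts.append(("after_hours", user, f"{pid} at {ts.isoformat()}"))
        per_day[(user, ts.date())].add(pid)
    for (user, day), pids in sorted(per_day.items()):
        if len(pids) > max_per_day:
            alerts.append(("volume", user,
                           f"{len(pids)} distinct patients on {day.isoformat()}"))
    return alerts


def users_flagged(rows, assignments) -> set:
    """Users with at least one alert; the list a privacy officer would review first."""
    return {user for _, user, _ in detect(rows, assignments)}


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(ACCESS_LOG), ASSIGNMENTS):
        print(f"[{rule}] {user}: {detail}")
```

On the constructed log, `nurse_a` generates no alerts while `clerk_b` trips all three rules, which is the pattern the incidents above describe: a user with legitimate access to some records opening many unrelated ones, often outside normal hours. Fed a daily export instead of the inline string, the same rules give the near real-time alerting the paragraph recommends.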

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data.

Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs.

Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks.

Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security for the life cycle of the devices. However, a recent Synopsys-sponsored survey conducted by the Ponemon Institute suggests healthcare delivery organizations may be equally at fault.

The report on the survey – Medical Device Security: An Industry Under Attack and Unprepared to Defend – shows that both device manufacturers and healthcare organizations are concerned that medical device attacks will occur. 67% of medical device manufacturers and 56% of healthcare delivery organizations believe a cyberattack on a medical device at their organization is likely to occur in the next 12 months.

Even though manufacturers and HDOs are aware of the risks of cyberattacks on medical devices, and one third are aware that those attacks could have an adverse effect on patients, only 17% of device manufacturers and 15% of HDOs are taking action to reduce the risk of cyberattacks on medical devices used by their organizations.

One of the biggest challenges is incorporating security controls into the devices. 80% of device manufacturers said medical devices are very difficult to secure, with a lack of knowledge about how to secure the devices cited as a major issue along with accidental coding errors and pressure to meet product delivery deadlines.

Identifying potential vulnerabilities does not appear to be a major priority. 53% of HDOs and 43% of device manufacturers said they do not perform any medical device security tests, while just 9% of device manufacturers and 5% of HDOs conduct device security tests on an annual basis.

There is also a lack of accountability for medical device security. One third of manufacturers and HDOs said there is no one person in their organization with overall responsibility for medical device security.

The U.S. Food and Drug Administration (FDA) has been conducting workshops with device manufacturers and industry stakeholders to try to determine how medical devices can best be protected; however, the survey suggests that FDA guidance would not be sufficient in itself. Only 51% of manufacturers and 44% of HDOs said they follow current FDA guidance on mitigating medical device security risks.

Ponemon Institute Chairman and founder, Larry Ponemon, said “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”

Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group explained the need for urgent change, saying “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

The survey was conducted in two parts on 550 individuals in North America who had a direct role in the security of medical devices and/or networking equipment and mobile medical apps related to medical devices.

Purple Move on WiFi Security Sets Example for All Public WiFi Deployments

Wireless networks offer many benefits to healthcare organizations. Healthcare professionals can access networks and data from any location using portable devices, without the need to plug in to the network. Many medical devices connect wirelessly to WiFi networks, improving clinical workflows. However, wireless networks can also introduce risks.

If any PHI is transmitted over wireless networks, HIPAA requires appropriate controls to be applied to safeguard the confidentiality, integrity and availability of PHI.

If WiFi networks lack appropriate security, unauthorized individuals could intercept WiFi packets and view sensitive data, including protected health information. Securing internal WiFi networks is therefore essential. The failure to secure WiFi networks would place an organization at risk of a HIPAA penalty.

The risk of a HIPAA violation or data breach is a real concern for healthcare organizations. Security concerns have prevented many hospitals from offering WiFi access to patients, even though offering WiFi can improve the patient experience.

Many healthcare organizations that have taken the decision to allow patients access to WiFi networks have reduced risk by keeping WiFi access for guests totally separate from the networks used by hospital staff.

While this will allow healthcare organizations to solve some security issues, guest WiFi access can be abused. WiFi networks can be used to view inappropriate material, users face a risk of malware and ransomware infections, and there is potential for man-in-the-middle attacks to occur.

Organizations can take steps to secure their WiFi networks to keep users protected and reduce security risks. A WiFi content filtering solution is typically used to block a wide range of online threats such as phishing attacks and malware and ransomware downloads.

Purple, the intelligent spaces company, recently chose a WiFi content filtering solution to ensure its customers and clients were protected. Any users of the secured WiFi network are prevented from accessing malicious websites where malware or ransomware could be downloaded and inappropriate or illegal website content is blocked.

Purple used the WebTitan WiFi content filtering solution from TitanHQ to secure its networks and keep its customers protected. James Wood, Head of Integration at Purple said, “We take guest Wi-Fi security seriously so it was important that our customers were protected.” The decision was taken in the wake of recent cyberattacks to improve security for users.

Figures from TitanHQ show how important it is to implement a WiFi filtering solution, with 60,000 malware threats detected and blocked by the web filtering solution each day. As TitanHQ CEO Ronan Kavanagh pointed out, “Internet filtering controls provide a key layer of security, which is particularly beneficial for healthcare organizations following recent targeted attacks on the healthcare sector.”

While there is no obligation for hospitals to offer a filtered Internet service to guest users, if WiFi access is to be provided it is now straightforward to secure those networks and provide a better service, including controls that prevent minors from accessing inappropriate content.

Kavanagh explained that secured, content-controlled WiFi networks are fast becoming the norm. “Content filtering for Wi-Fi will be a given in service terms over the next few years.”

If patients are to be offered free or paid internet access in hospitals, those services should include filters to prevent networks from being abused and to ensure the Internet can be accessed safely and securely.

The post Purple Move on WiFi Security Sets Example for All Public WiFi Deployments appeared first on HIPAA Journal.

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices and discuss best practices and tools that can be adopted to improve defenses against cyberattacks.

This is the third time the FDA has held such a workshop on medical device security, and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in devices from Siemens, Bayer and other manufacturers having their data encrypted.

Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks.

This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and the aim of the attacks was to encrypt data rather than steal information or cause patients to be harmed. That may not always be the case.

Studies have demonstrated a theoretical risk of medical devices being compromised, and while the likelihood of cyberattacks on medical devices is probably low, this week's incidents have clearly demonstrated that such attacks are no longer only theoretical.

Medical devices now have the functionality to connect to healthcare networks and pass data directly to EHR systems, making them an attractive target for cybercriminals, even more so given the relative lack of security controls in place.

While there have been no reports of cyberattacks on medical devices that resulted in patients coming to harm, action needs to be taken now to ensure attacks cannot easily occur in the future. As the functionality of medical devices grows and new smart devices come to market, the risk of cyberattacks is only likely to increase.

Progress is being made to improve medical device cybersecurity. Last week, the National Institute of Standards and Technology (NIST) issued new guidance for healthcare providers on securing wireless infusion pumps to prevent unauthorized access. However more needs to be done by manufacturers of the devices to improve security, something that the FDA is attempting to tackle.

At the workshop, the FDA, researchers and industry representatives discussed the challenges of securing medical devices and the possible tools and best practices that can be adopted to improve resilience against cyberattacks to prevent unauthorized access.

Many of the issues highlighted by the recent WannaCry attacks were raised at the meeting, including how to secure devices for their entire lifecycle when vendor support for the software the devices run on often ends before the devices themselves are retired.

The workshop is continuing today with the discussions ongoing. A report on the outcome of the workshop will be published later this year.

The post Medical Device Cybersecurity Gaps Discussed at FDA Workshop appeared first on HIPAA Journal.