Healthcare Information Technology

NAAG Urges Apple and Google to Take Further Steps to Protect Privacy of Users of COVID-19 Contact Tracing Apps

Posted by HIPAA Journal

On June 16, 2020, The National Association of Attorneys General (NAAG) wrote to Google and Apple to express concern about consumer privacy related to COVID-19 contact tracing and exposure notification apps. NAAG has made recommendations to help protect the personally identifiable information and sensitive health data of the millions of consumers who will be urged to download the apps to help control COVID-19.

“Digital contact tracing may provide a valuable tool to understand the spread of COVID-19 and assist the public health response to the pandemic,” explained the state AGs in the letter. “However, such technology also poses a risk to consumers’ personally identifiable information, including sensitive health information, that could continue long after the present public health emergency ends.”

Privacy protections are essential for ensuring that users of the apps do not have sensitive data exposed or used for purposes other than helping to control the spread of COVID-19. Without privacy protections, consumers will simply not download the apps, which will decrease their effectiveness. A study conducted by the University of Oxford suggests that in order for the aims of the apps to be achieved, there needs to be uptake of around 60% of a population. If consumers feel their privacy is at risk, that figure will not be achieved.

Current perceptions about the privacy protections of COVID-19 contact tracing apps were explored in a recent survey conducted on behalf of the antivirus firm Avira on 2,005 individuals in the United States. 71% of respondents said they do not plan to use the apps when they are made available. 44% were concerned about digital privacy, 39% said the apps provided a false sense of security, 37% said they did not think the apps would work, and 35% do not trust app providers.

The survey revealed most consumers do not trust Apple and Google to protect the data collected by the apps. Only 32% of respondents said they trusted the companies to protect their sensitive data, even though both companies have taken steps to implement privacy and security controls. There is even less trust in the government. Only 14% of respondents said they would trust contact tracing apps provided directly from the government. 75% of Americans said they believe their digital privacy would be placed at risk if COVID-19 contact tracing data was stored in a way that government and authorities could access the data.

In the letter, which was signed by 39 state attorneys general, concern was raised about the proliferation of contact tracing apps in the Google Play and Apple App Store. These apps are typically free to download and use and offer in-app adverts to generate revenue. Rather than using Google and Apple’s API and Bluetooth for identifying potential exposure, the apps rely on GPS tracking.

The state AGs also expressed concern that as more public health authorities start releasing contact tracing apps that use the Google and Apple API, it is likely many more developers will start releasing apps, and those apps may not incorporate the necessary privacy and security controls to comply with states’ laws.

Google and Apple were praised for the steps they have taken so far to ensure consumer privacy is protected but have been urged to go further. NAAG has requested any contact tracing app that is labeled or marketed as related to COVID-19 must be affiliated with either a municipal, county, state, or federal public health authority, or a hospital or university in the U.S. that is working with such public health authorities.

NAAG also called for Google and Apple to guarantee that all COVID-19 contact tracing apps will be removed from Google Play and the Apple App Store if they are not affiliated with the above entities, and for Google and Apple to pledge that all COVID-19 apps will be removed from Google Play and the App Store when the COVID-19 national public health emergency ends.

The post NAAG Urges Apple and Google to Take Further Steps to Protect Privacy of Users of COVID-19 Contact Tracing Apps appeared first on HIPAA Journal.

Bipartisan Bill Introduced to Protect Privacy of COVID-19 Contact Tracing and Exposure Notification Apps

Posted by HIPAA Journal

A bipartisan group of Senators have introduced a bill that aims to regulate contact tracing and exposure notification apps that will be used to control the spread of COVID-19.

The Exposure Notification Privacy Act is one of three bills that aim to regulate contact tracing apps to protect the privacy of Americans. The other two bills failed to gather enough support. It is hoped a bipartisan bill will have a greater chance of being passed.

Contact tracing and exposure notification technologies are currently being explored as a way of controlling the spread of COVID-19. Google and Apple have both developed the technology to support contact tracing via mobile phones using low energy Bluetooth. When a user downloads a contact tracing app it will log encounters with other individuals who have also downloaded the app. When someone is diagnosed with COVID-19, the encounter data in the app is used to notify all individuals who may have been infected by that person.

Contact tracing and exposure notification apps have been used in other countries and have helped reduce the spread of COVID-19, but there are privacy risks associated with the apps that the new bill aims to address.

The Exposure Notification Privacy Act was introduced by Sens. Maria Cantwell (D-Washington) and Bill Cassidy (R-Louisiana) and has been co-sponsored by Amy Klobuchar (D-Minnesota). The bill aims to give Americans control over their personal data and “will place public health officials in the driving seat of exposure notification development.”

The bill requires the use of contact tracing and exposure notification apps to be voluntary and for developers of the apps to implement measures that give consumers strong controls over their personal data. The bill limits the types of data that the apps can collect and places a time limit on how long personal data can be used.

In order for the apps to achieve their purpose, they will need to be downloaded by large numbers of people. For that to happen, Americans will need to be confident that their privacy is protected and their personal data will not be misused.

“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” said Senator Cantwell. “This bill defends privacy when someone voluntarily joins with others to stop the spread of Covid-19.”

The bill requires exposure notification systems to only allow medically authorized diagnoses to ensure that false reports are avoided. The bill requires personal data collected through the apps to only be used for the purpose of controlling the spread of COVID-19 and personal data is prohibited from being used for commercial purposes. In addition to participation being voluntary, the bill will give Americans the right to opt out and have their personal data deleted at any time.

Strong security controls must be put in place to protect personal data collected through the apps and in the event of a data breach, the bill calls for all affected individuals to be notified. There will also be strict enforcement measures to ensure consumer rights are protected. Federal and state authorities will be given the right to impose financial penalties in cases of noncompliance.

“As we continue to confront the coronavirus pandemic, Americans should not have to worry about the privacy and security of their personal health data,” said Senator Klobuchar. “While contact tracing can play a critical role in helping prevent the spread of the coronavirus, this crucial innovation cannot come at the expense of consumers’ privacy.”

The post Bipartisan Bill Introduced to Protect Privacy of COVID-19 Contact Tracing and Exposure Notification Apps appeared first on HIPAA Journal.

Atlantic Receives Gold Stevie Award for Best Healthcare Technology Solution

Posted by HIPAA Journal

The HIPAA-compliant hosting company Atlantic.Net has won two Stevie Awards at the 18th Annual American Business Awards, the premier business award program in the United States.

The Stevie Awards are part of a global business award program that recognizes companies and individuals who have made a big impact over the past 12 months and have demonstrated outstanding performance in the workplace. The program is split into 8 geographic regions with nominations received from organizations in more than 70 countries. Each year approximately 12,000 nominations are received globally.

This year, more than 3,600 nominations were received from organizations of all types and sizes in America. Almost all industry sectors were represented, including for-profit and non-profit organizations, and public and private sector companies. The nominations were assessed by more than 230 professionals worldwide.

Atlantic.Net is a global cloud service provider that specializes in managed and non-managed Windows, Linux, and FreeBSD server hosting solutions with data centers located in New York, London, San Francisco, Toronto, Dallas, Ashburn, and Orlando. The company has a strong focus on compliance and is a leading provider of HIPAA-compliant hosting solutions to U.S. healthcare organizations.

Atlantic.Net picked up the Gold Award in the Healthcare Technology Solution category and a Silver Award in the Cloud Platform category. “Since starting our business 25 years ago, we have always aimed to provide the best, most innovative solutions for our clients,” said Marty Puranik, CEO of Atlantic.Net. “This year is a poignant time for businesses to navigate, particularly in the healthcare tech sector, so we are thrilled to receive this prestigious honor from the American Business Awards.”

The post Atlantic Receives Gold Stevie Award for Best Healthcare Technology Solution appeared first on HIPAA Journal.

CMS Eases Quality Payment Program Reporting Requirements in Response to COVID-19

Posted by HIPAA Journal

On March 22, 2020, the HHS’ Centers for Medicare and Medicaid Services (CMS) announced it is easing the burden on clinicians, healthcare providers, and facilities that are participating in the Quality Payment Program and other reporting programs due to the 2019 Novel Coronavirus (COVID-19) pandemic.

The CMS is granting exceptions and extensions to reporting requirements for the 1.2 million clinicians that are participating in the Quality Payment Program and are on the front lines fighting against the virus and COVID-19 respiratory disease.

“The Trump Administration is cutting bureaucratic red tape so the healthcare delivery system can direct its time and resources toward caring for patients,” explained CMS Administrator Seema Verma.

The CMS has recognized that quality measure data collection and reporting for services during the COVID-19 crisis may not reflect the true level of performance in areas such as cost, readmissions, and the patient experience. The move will also ease the burden on clinicians during these exceptional circumstances.

Policy exceptions and extensions are being provided for 2019 and 2020 data submission deadlines for the quality reporting programs listed below:

Provider Programs

  • Quality Payment Program – Merit-based Incentive Payment System (MIPS)
  • Medicare Shared Savings Program Accountable Care Organizations (ACOs)

Hospital Programs

  • Ambulatory Surgical Center Quality Reporting Program
  • CrownWeb National ESRD Patient Registry and Quality Measure Reporting System
  • End-Stage Renal Disease (ESRD) Quality Incentive Program
  • Hospital-Acquired Condition Reduction Program
  • Hospital Inpatient Quality Reporting Program
  • Hospital Outpatient Quality Reporting Program
  • Hospital Readmissions Reduction Program
  • Hospital Value-Based Purchasing Program
  • Inpatient Psychiatric Facility Quality Reporting Program
  • PPS-Exempt Cancer Hospital Quality Reporting Program
  • Promoting Interoperability Program for Eligible Hospitals and Critical Access Hospitals

PAC Programs

  • Home Health Quality Reporting Program
  • Hospice Quality Reporting Program
  • Inpatient Rehabilitation Facility Quality Reporting Program
  • Long Term Care Hospital Quality Reporting Program
  • Skilled Nursing Facility Quality Reporting Program
  • Skilled Nursing Facility Value-Based Purchasing Program

Further information on the new reporting deadlines, exceptions, and extensions can be found on the CMS website.

The post CMS Eases Quality Payment Program Reporting Requirements in Response to COVID-19 appeared first on HIPAA Journal.

TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic

Posted by HIPAA Journal

TigerConnect, the provider of the most widely used secure healthcare communications platform in the United States, has announced that U.S. health systems and hospitals can use its platform free of charge to help support COVID-19 related communications during the novel coronavirus pandemic.

TigerConnect has been tracking COVID-19 and the impact it is having on the U.S. healthcare system. Unsurprisingly given the rapid spread of the virus, use of its secure communications platform has surged. The company also reports that it is receiving an increasing number of calls from customers looking to expand licenses to make sure all staff have access to the platform to expedite internal and external communication and support isolation workflows.

The TigerConnect platform can be used to create dedicated channels for COVID-19 communications to provide support for patients and staff members. The platform ensures instant and immediate communication of preparedness plans, staff schedules, guidelines on infection control and isolation protocols, and other critical information. Users of the platform can contact any person within a healthcare system instantly, without knowing their number or extension.

“As part of the healthcare community, we harbor a sense of duty to do everything we can to keep the flow of information moving as quickly as possible,” explained TigerConnect. “This is the time to remove any barriers that might keep organizations from having every tool they need to fight COVID-19.”

Hospitals and health systems that have not yet adopted the TigerConnect platform are being offered complimentary use of the TigerConnect secure texting network for up to 6 months to support COVID-19 communications. Existing customers will be provided with complimentary expansion of TigerText Essentials licenses for up to 6 months. TigerConnect has also announced that it will be extending support hours and publishing resources and conducting webinars to help current and new users of the platform optimize communications.

As has been seen in Europe, which is now the epicenter of the COVID-19 pandemic, hospitals and health systems are stretched and struggling to cope with the number of cases. Immediate, enterprise-wide communication is critical for preventing the spread of the disease.

In Singapore, stringent measures have been implemented to prevent the spread of the novel coronavirus. As of March 14, there have been 200 cases of COVID-19 in Singapore but no COVID-19 deaths. Coordinating the response to COVID-19 and ensuring resources are correctly allocated has been a major challenge, but one that has been helped by having an efficient communications system in place. 55,000 healthcare professionals in Singapore are using the TigerConnect platform and usage has increased fivefold in the past three weeks. Being prepared and having the systems in place to deal with outbreaks of disease that support fast and efficient communication has been invaluable.

“It is clear that identifying new cases quickly and sharing that information among key stakeholders is crucial to containment and treatment,” explained TigerConnect co-founder and CEO, Brad Brooks. “Our mission is to help organizations remove the barriers that might slow down those responses as we continue to partner with the organizations on the front lines of this crisis.”

The post TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic appeared first on HIPAA Journal.

HHS Releases Final Interoperability and Information Blocking Rules

Posted by HIPAA Journal

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking.

On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data.

The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients and are a key part of creating a patient-centric healthcare system and put patients in control of their own health records.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

Easy Access to Patient Records Through APIs

One of the ways that patients are given easy access to their health data is through the use of application programming interfaces (APIs). APIs can be leveraged to connect different IT systems and software solutions to allow data to be easily transferred from one to the other. The use of APIs has driven innovation in many sectors, but they have not been adopted in healthcare to give patients easy access to their medical records. The final rules will ensure that changes.

The use of APIs will allow healthcare providers to easily share a patients’ electronic health records with other healthcare organizations with different EHR systems. It will also allow patients to have their healthcare data, including medical records, sent to a third-party health app if thy so wish. The rules also include provisions to ensure that patient data contained in electronic health records is provided to patients at no additional cost when it is accessed electronically.

Improving Interoperability of Health Data

The CMS Interoperability and Patient Access final rule, part of the Trump Administration’s MyHealthEData initiative, is aimed at improving interoperability and patient access to healthcare data. “[The] final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs),” explained CMS in the Interoperability and Patient Fact Sheet, published on March 9, 2020.

The lack of effective exchange of healthcare data has had a negative effect on patient outcomes and is also contributing to high healthcare costs. The CMS final rule removes barriers to information sharing to give patients easy access to their healthcare data, it will improve interoperability, drive innovation, and reduce the burden on payers and providers. When patient health information moves freely, patient care can be coordinated easily, costs can be reduced, and patient outcomes are likely to improve.

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones,” said Don Rucker, M.D., national coordinator for health information technology.

Final Rules Will Drive Innovation

In addition to requiring healthcare providers to share medical records with third party apps at the request of patients, the CMS rule also calls for health insurers to share cost information with third-party apps. This will give patients information about the out-of-pocket expenses they are likely to incur. This will allow patients to plan and budget for medical bills.

“The days of patients being kept in the dark are over,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The CMS final rule also requires CMS-regulated payers to make provider directory information available publicly via a standards-based API. This will encourage innovation and will allow third-party app developers to create services that allow patients to find providers that can offer care and treatment. These apps could also be used by clinicians to find other providers to help with care coordination.

The CMS rule also calls for payer-to-payer clinical health data exchange to allow patients to take their data with them when they change payers and to create a cumulative health record with their current payer. “Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes,” explained the CMS.

Preventing Information Blocking

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule details information blocking practices such as anti-competitive behavior which are prohibited and reasonable and necessary activities that are not classed as information blocking and are permitted. One area where problems will be eased is the sharing of screenshots and videos related to EHR use. Many EHR providers prohibit the use screenshots and videos, when these are important for communicating about usability, the user experience, and interoperability.

The CMS has confirmed that starting in late 2020, using data collected for the 2019 performance year data, the CMS will be reporting clinicians, hospitals, and critical access hospitals that are believed to be engaging in information blocking practices based on how they attested to certain Promoting Interoperability Program requirements.

Patient Privacy and Data Security

The proposed rules will improve interoperability and reduce information blocking, but there has been fierce criticism of the rules by some groups, mostly in relation to patient privacy. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have been vocal critics of the rules criticized the rules, with one of the main issues related to the sharing of health records with third-party apps.

Healthcare providers are required to comply with HIPAA and must ensure safeguards are implemented to ensure patient data is protected. Health app developers and other entities not required to comply with HIPAA, may not have appropriate privacy protections in place. There is also considerable potential for secondary uses of patient health information without the knowledge of patients.

The AHA and AMA are not alone. Many privacy advocates and health systems have expressed concern about the proposed rules and patient privacy. Last year, Epic wrote to the HHS Secretary voicing concern and even threatened legal action if patient privacy was not protected. The letter was signed by 60 healthcare systems.

The CMS and ONC have made patient privacy a key priority. Both the CMS and ONC want to ensure patient data flows freely, but also that patient privacy is protected. To ensure the privacy and security of patient data in transit, the ONC and CMS have adopted the Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the standard to support data exchange via APIs.

That standard ensures patient privacy and security for the transfer of health data but does not cover patient data once it has been transferred to a third party. To address risks after data has been transferred, healthcare organizations are permitted to ask third-party app developers to attest to certain privacy provisions, such as whether there will be any secondary uses of patient data and to make sure patients are informed about what those secondary uses will be.

The post HHS Releases Final Interoperability and Information Blocking Rules appeared first on HIPAA Journal.

‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

Posted by HIPAA Journal

A group of 12 vulnerabilities dubbed SweynTooth have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) chips manufactured by at least 7 companies.

BLE chips are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their BLE chips from several sources. Some security researchers believe millions of medical devices could be vulnerable. BLE chips are used in around 500 different products. Hundreds of millions of devices could be affected.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1-6.9 out of 10.

7 of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. 4 vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass which would allow an attacker to gain access to device functions that are usually only accessible by an authorized device administrator. The flaws can be exploited remotely by an attacker, although only if the attacker is within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telelink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Currently, patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.

The post ‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices appeared first on HIPAA Journal.

Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices

Posted by HIPAA Journal

The medical device manufacturer Medtronic has issued patches to correct flaws in its CareLink 2090 and CareLink Encore 29901 programmers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy defibrillators (CRT-Ds).

The vulnerabilities were first identified by security researchers in 2018 and 2019. When Medtronic was informed about the vulnerabilities, mitigations were quickly published to reduce the risk of exploitation of the vulnerabilities and allow customers to continue to use the affected products safely. The development and release of patches for these complex and safety-critical devices has taken a long time due to the required regulatory approval process.

“Development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality,” explained Medtronic.

In 2018, Security researchers Billy Rios and Jonathan Butts identified three vulnerabilities in Medtronic’s CareLink 2090 and CareLink Encore 29901 devices, prompting an advisory to be issued in February 2018. The devices are used to program and manage implanted cardiac devices. The vulnerabilities would allow an attacker to alter the firmware via a man-in-the-middle attack, access files contained in the system, obtain device usernames and passwords, and remotely control implanted Medtronic devices.

Several researchers were credited with the discovered two further vulnerabilities in 2019 in the Medtronic Conexus telemetry protocol, prompting a second Medtronic advisory in March 2019. The vulnerabilities concern the lack of encryption, authentication, and authorization. If exploited, an attacker could intercept, replay, and modify data, and change the configuration of implanted devices, programmers, and home monitors. One of the vulnerabilities, CVE-2019-6538, was rated critical and was assigned a CVSS v3 base score of 9.3 out of 10.

The latest patches correct the flaws in CareLink monitors and programmers and MyCareLink monitors. Patches have also been released for approximately half of the affected Medtronic implantable devices impacted by the Conexus vulnerabilities:

  • Brava™ CRT-D, all models
  • Evera MRI™ ICD, all models
  • Evera™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Primo MRI™ ICD, all models
  • Viva™ CRT-D, all models

Patches for all the remaining vulnerable devices will be released later this year.

To prevent exploitation of the flaws, Medtronic disabled the software development network (SDN) that was used to deliver device updates, so software needed to be updated manually via a secured USB. Now that patches have been released, the SDN has been reactivated and it can be used by customers to update their devices.

Medtronic has been monitoring for exploitation of the vulnerabilities and says there have been no cyberattacks or privacy breaches as a result of the vulnerabilities and no patients have been harmed.

The post Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices appeared first on HIPAA Journal.

Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Posted by HIPAA Journal

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.

Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.

Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.

CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020- 6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.

CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via a SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.

CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.

CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) is due to missing authentication for critical function (CWE-306) concerning the integrated Kavoom! Keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.

CVE-2020- 6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.

CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which cloud lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.

According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:

  • ApexPro Telemetry Server, Versions 4.2 and prior
  • CARESCAPE Telemetry Server, Versions 4.2 and prior
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Version 4.3
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.

Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.

If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.

The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.

Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.

Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.

The post Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products appeared first on HIPAA Journal.