Healthcare Technology Vendor News

‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

A group of 12 vulnerabilities dubbed SweynTooth has been identified by researchers at the Singapore University of Technology and Design. The flaws are present in Bluetooth Low Energy (BLE) chips, and the vendor software stacks that run on them, from at least seven manufacturers.

BLE chips are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are affected, because device manufacturers source their BLE chips from several suppliers. Some security researchers believe millions of medical devices could be vulnerable. The affected chips are used in around 500 different products, so across all sectors the number of affected devices could run into the hundreds of millions.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductor, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. They have been assigned CVSS v3 base scores ranging from 6.1 to 6.9 out of 10.

Seven of the vulnerabilities could be exploited to crash vulnerable devices, which stops them communicating and may stop them working entirely; four could be exploited to deadlock devices so that they freeze and stop functioning correctly; and one could result in a security bypass that would give an attacker access to device functions normally restricted to an authorized device administrator. For an insulin pump or a pacemaker, a crash or deadlock is a patient-safety problem, not just a loss of availability. The flaws are exploited over the air: an attacker needs no physical access to the device, but must be within radio range of it. BLE range varies from device to device, with a maximum of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified and are assessing which of their devices are affected, and that mitigations are being developed to reduce the risk of exploitation until patches are released.

Cypress, NXP, Texas Instruments, and Telink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled for release by the end of March 2020. Microchip and STMicroelectronics have yet to release patches. A chip vendor’s patch is a fix to its BLE software development kit or firmware; each device manufacturer must then integrate it and ship an update for its own product, so a patched chip does not by itself mean a patched medical device.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.

The post ‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices appeared first on HIPAA Journal.

iland Secure Cloud Console Update Improves Visibility of Global BaaS Environments

iland has announced its Secure Cloud Console has been updated and enhanced with Veeam Cloud Connect to provide greater visibility and control of multi-location backups for large enterprises and managed service providers (MSPs).

The update gives large enterprises and MSPs a single pane of glass view and support for global cloud backups. Customers are provided with increased granularity that allows them to leverage real-time data over multiple accounts and gives them greater control over multiple tenants without extra work or permissions.

Storage management has also been simplified, with more self-service options that allow customers to reallocate resources and add new tenants. The update allows global MSPs and enterprises to provide backup-as-a-service internally and, through a single interface, manage multiple repositories and locations.

The iland BaaS Insider Protection feature is an air-gapped repository that protects backup data against internal and external threats, including ransomware attacks. Customers can now view the status of multi-tenant environments in a single view, and Veeam Cloud Connect tenant names and passwords can be updated from any location. The entire portfolio of Veeam cloud-based backup solutions can now be managed from a single, unified console.

“With these latest updates, we’re making it easy for channel and enterprise IT customers to extend backup services around the world with a simple, easy-to-use common interface,” said Dante Orsini, iland senior vice president of business development.

The latest updates to iland Secure Cloud Backup with Veeam Cloud Connect have now been rolled out across all 10 of iland’s data centers. New customers can take advantage of a free 30-day trial that includes 5 TB of data.


Carbon Neutral Green Cloud Launched by Connectria

Connectria has announced it has launched a carbon neutral ‘green cloud’ in its data centers in the European Union and North America.

The new green cloud is available for companies running IBM i and VMware systems and it has been made possible by a new systems architecture at Connectria’s advanced data centers. Companies taking advantage of the new green cloud can reduce their energy consumption by up to 95%.

Connectria explained that data centers account for 3% of worldwide energy consumption, so making data centers carbon neutral is not just a token gesture. It can significantly reduce energy consumption and help companies reduce their carbon footprint.

“Connectria’s Amsterdam data center is a model of energy efficiency and sustainability, designated as a LEED Gold facility,” said Rusty Putzler, COO of Connectria. The data center uses a combination of biomass and hydroelectric power, drawing all of its power from 100% renewable energy sources, while still ensuring reliability for its customers.

Data centers generate a lot of heat. To ensure that energy is not wasted, it is captured and used to heat facilities at the University of Amsterdam campus. Connectria says the Amsterdam data center is one of the most energy-efficient data centers in the world and helps the company deliver a carbon neutral footprint for VMware and IBM i clouds.

Connectria has a “No Jerks Allowed” philosophy, which it applies to the staff it recruits and to how employees treat customers. That philosophy has now been applied to the environment. “By creating carbon-neutral IBM i and VMware Clouds, Connectria is doing our part to take care of our planet, and not be jerks,” says Connectria.


Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing its business and data management processes and adopting new technology to improve efficiency and cut costs, but in many cases that technology is layered onto infrastructure, processes, and software from a different era, and the combination introduces many vulnerabilities.

The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals.

According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks.

Part of the reason is the number of difficult-to-secure devices that connect to healthcare networks. The attack surface is huge. An estimated 450 million medical devices are connected to healthcare networks worldwide, 30% of them in the United States, which works out to around 19,300 connected medical devices and clinical assets per U.S. hospital. Large hospitals commonly have more than 100,000 connected devices. On average, one in 10 devices on a hospital network is a medical device.

The report reveals 80% of device makers and HDOs say medical devices are difficult to secure due to a lack of knowledge on how to secure them, a lack of training on secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they do not have a comprehensive cybersecurity program that includes medical devices, and 56% believe there will be a cyberattack on their medical devices in the next 12 months. That figure jumps to 58% when you ask medical device manufacturers. Even if an attack occurred, only 18% of HDOs say they are confident that they would be able to detect such an attack.

45% of Medical Devices Vulnerable to Flaws Such as BlueKeep

CyberMDX’s analysis revealed 61% of medical devices are exposed to some degree of cyber risk. 15% are exposed to BlueKeep flaws, 25% are exposed to DejaBlue flaws, and 55% of imaging devices run on outdated software that is vulnerable to exploits such as BlueKeep and DejaBlue. Overall, around 22% of Windows devices on hospital networks are vulnerable to BlueKeep.

BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181 and CVE-2019-1182) are vulnerabilities in Windows Remote Desktop Services that can be exploited over Remote Desktop Protocol (RDP) before any authentication takes place. An attacker who can reach TCP port 3389 on a vulnerable device can execute code on it and take full control. Both flaws are wormable, so malware could be written that spreads from one vulnerable device to the next on a network with no user interaction.

BlueKeep affects older Windows versions (Windows XP through Windows 7 and Windows Server 2003 through 2008 R2); many medical devices still run those operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later, including Windows 10 and Windows Server 2008 R2 through 2019. Where a device cannot be patched, enabling Network Level Authentication (NLA), on versions that support it, partially mitigates both flaws by requiring authentication before the vulnerable code is reached, and blocking TCP port 3389 at the segment boundary removes the exposure altogether.

Even Linux-based devices are exposed. Approximately 15% of connected hospital assets and 30% of medical devices are vulnerable to SACK Panic (CVE-2019-11477), a flaw in the Linux kernel’s handling of TCP Selective Acknowledgement that lets a remote attacker crash the device with crafted packets. Unlike BlueKeep it does not give code execution, but a kernel panic on a medical device is still a patient-safety issue. Where the kernel cannot be updated, disabling SACK processing (net.ipv4.tcp_sack = 0) removes the exposure. Overall, around 45% of medical devices are estimated to be vulnerable to at least one flaw.

Prompt Patching is Critical, But That’s Not Straightforward

CyberMDX’s research found that 11% of HDOs do not patch their medical devices at all, and where patches are applied the process is slow: four months after a vulnerability as serious as BlueKeep is disclosed, an average hospital will have patched only around 40% of its vulnerable devices.

The situation could actually be far worse, as the report reveals 25% of HDOs do not have a full inventory of their connected devices and an additional 13% say their inventory is unreliable. 36% do not have a formal BYOD policy and CyberMDX says a typical hospital has lost track of around 30% of its connected devices.

Patching medical devices is no easy task. “Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through Active Directory and SCCM) to devices distributed throughout the organization,” explained CyberMDX. “For these devices, technicians must individually investigate and manually attend the affected devices.”

Alarmingly, even though medical devices are vulnerable to attack, a majority of HDOs do not segment their networks at a granular level, or segment them for reasons other than security. Where segmentation does exist, segments contain a mix of different device types, and some of those segments have connections open to the internet, so a compromise of an internet-facing host can reach the medical devices beside it.
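The triage the preceding paragraphs describe, as an added example rather than CyberMDX’s own tooling: given an asset inventory, flag each device’s exposure to BlueKeep, DejaBlue and SACK Panic from its operating system, whether the affected service is reachable, and whether its last security update predates the fix, then list the segments where an exposed device shares a VLAN with an internet-facing host. The inventory records and their field names are constructed for the example; the fix dates are Microsoft’s May and August 2019 Patch Tuesday releases and the June 2019 SACK Panic disclosure, and the affected-version sets follow Microsoft’s published lists as the author of this example understands them. Devices whose patch level the inventory does not know are reported, not assumed safe.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fix availability dates. A device whose last security update predates the
# fix cannot have received it. (Added example; dates are the public release dates.)
BLUEKEEP_FIX = date(2019, 5, 14)    # CVE-2019-0708, Microsoft Patch Tuesday
DEJABLUE_FIX = date(2019, 8, 13)    # CVE-2019-1181 / CVE-2019-1182, Patch Tuesday
SACK_PANIC_FIX = date(2019, 6, 17)  # CVE-2019-11477, disclosure and upstream fixes

# Affected Windows versions, spelled the way the constructed inventory spells them.
BLUEKEEP_OS = {"xp", "2003", "vista", "2008", "7", "2008r2"}
DEJABLUE_OS = {"7", "2008r2", "8.1", "2012", "2012r2", "10", "2016", "2019"}


@dataclass
class Device:
    """One inventory record. Field names are assumptions made for this example."""
    name: str
    segment: str                           # VLAN / network segment
    os_family: str                         # "windows" or "linux"
    os_version: str                        # e.g. "7", "2008r2", "10"; kernel string for Linux
    last_security_update: Optional[date]   # None when the inventory does not know
    rdp_reachable: bool = False            # TCP/3389 reachable from other segments
    tcp_sack_enabled: bool = True          # Linux net.ipv4.tcp_sack (0 is the documented workaround)
    internet_exposed: bool = False         # has a connection open to the internet


def _patched_since(dev: Device, fix: date) -> Optional[bool]:
    """True/False when the inventory knows the patch level, None when it does not."""
    if dev.last_security_update is None:
        return None
    return dev.last_security_update >= fix


def exposures(dev: Device) -> list[str]:
    """Flaws this device is, or may be, exposed to.

    An unknown patch level yields "<flaw> (patch level unknown)" instead of
    silence: unverified devices are the ones that stay unpatched.
    """
    found: list[str] = []

    def check(flaw: str, applies: bool, fix: date) -> None:
        if not applies:
            return
        state = _patched_since(dev, fix)
        if state is None:
            found.append(f"{flaw} (patch level unknown)")
        elif not state:
            found.append(flaw)

    if dev.os_family == "windows":
        ver = dev.os_version.lower()
        # Both RDP bugs are pre-authentication and need TCP/3389 to be reachable.
        check("BlueKeep", ver in BLUEKEEP_OS and dev.rdp_reachable, BLUEKEEP_FIX)
        check("DejaBlue", ver in DEJABLUE_OS and dev.rdp_reachable, DEJABLUE_FIX)
    elif dev.os_family == "linux":
        # Distro backports make kernel version strings unreliable, so the patch date
        # is used instead. Disabling SACK removes the exposure regardless of patch level.
        check("SACK Panic", dev.tcp_sack_enabled, SACK_PANIC_FIX)
    return found


def triage(inventory: list[Device]) -> dict[str, object]:
    """Per-device findings plus the percentage of devices exposed to each flaw."""
    per_device = {d.name: exposures(d) for d in inventory}
    counts: dict[str, int] = {}
    for flaws in per_device.values():
        for f in flaws:
            base = f.split(" (")[0]          # fold "(patch level unknown)" into the flaw
            counts[base] = counts.get(base, 0) + 1
    total = len(inventory)
    share = {k: round(100 * v / total, 1) for k, v in counts.items()}
    return {"per_device": per_device, "exposed_pct": share}


def risky_segments(inventory: list[Device]) -> list[str]:
    """Segments where an exposed device shares a VLAN with an internet-exposed host."""
    by_segment: dict[str, list[Device]] = {}
    for d in inventory:
        by_segment.setdefault(d.segment, []).append(d)
    return sorted(
        seg for seg, devs in by_segment.items()
        if any(exposures(d) for d in devs) and any(d.internet_exposed for d in devs)
    )


# Constructed inventory for demonstration, not real hospital data.
SAMPLE_INVENTORY = [
    Device("ct-scanner-1", "imaging", "windows", "7", date(2019, 1, 8), rdp_reachable=True),
    Device("ultrasound-2", "imaging", "windows", "2008r2", None, rdp_reachable=True),
    Device("pacs-server", "imaging", "windows", "2016", date(2020, 1, 14),
           rdp_reachable=True, internet_exposed=True),
    Device("infusion-pump-7", "clinical", "linux", "4.9.0", date(2018, 11, 2)),
    Device("infusion-pump-8", "clinical", "linux", "4.9.0", date(2018, 11, 2), tcp_sack_enabled=False),
    Device("nurse-ws-3", "office", "windows", "10", date(2020, 2, 11), rdp_reachable=True),
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for name, flaws in result["per_device"].items():
        print(f"{name:16} {', '.join(flaws) or 'no known exposure'}")
    print("exposed %:", result["exposed_pct"])
    print("risky segments:", risky_segments(SAMPLE_INVENTORY))
```

Run directly to print the findings for the constructed inventory. The deliberate design choice is the `None` patch date: a quarter of HDOs have no full inventory, and a triage that treats missing data as "no finding" hides exactly the devices most likely to be unpatched. The segment check encodes the report’s point about mixed VLANs: a fully patched PACS server with an internet connection is not itself a finding, but sharing a segment with an unpatched Windows 7 scanner is.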

If flaws are exploited, many HDOs would struggle to detect an attack. More than a third of HDOs do not continuously monitor their connected devices and a further 21% identify, profile, and monitor their devices manually.

So, What is the Solution?

Improving the security of medical devices is no easy task, as CyberMDX explains. It requires “continuous review of configuration practices, segmentation, network restrictions, appropriate use, credential management, vulnerability monitoring, patching & updating, lifecycle management, recall tracking, access and role controls, compliance assurance, pen testing, live context-aware traffic monitoring & analysis, oversight of partner and third-party security practices, and more.” Further, “If you don’t know what devices you have networked, you won’t be able to understand their individual attack vectors.”

Improving security is certainly a daunting task, but the goal is not to make your organization 100% secure, as that would be an impossible goal. The aim should be to address the most important issues and to significantly reduce the attack surface.

“By more clearly defining lifecycle-wide security responsibilities and expectations with your vendors, by restricting functionally unnecessary in-VLAN communications, by investing in staff-wide cyber training, by normalizing basic network hygiene practices (like password and access management, patching & updating, etc.), and by tweaking security policies (at the NAC or firewall level) specifically for monitors, infusion pumps, and patient tracking devices, you can dramatically shrink your attack surface in short order,” suggest CyberMDX.


Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices

The medical device manufacturer Medtronic has issued patches to correct flaws in its CareLink 2090 and CareLink Encore 29901 programmers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy defibrillators (CRT-Ds).

The vulnerabilities were first identified by security researchers in 2018 and 2019. When Medtronic was informed about the vulnerabilities, mitigations were quickly published to reduce the risk of exploitation of the vulnerabilities and allow customers to continue to use the affected products safely. The development and release of patches for these complex and safety-critical devices has taken a long time due to the required regulatory approval process.

“Development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality,” explained Medtronic.

In 2018, security researchers Billy Rios and Jonathan Butts identified three vulnerabilities in Medtronic’s CareLink 2090 and CareLink Encore 29901 devices, prompting an advisory to be issued in February 2018. The devices are used to program and manage implanted cardiac devices. The vulnerabilities would allow an attacker to alter the firmware via a man-in-the-middle attack, access files contained in the system, obtain device usernames and passwords, and remotely control implanted Medtronic devices.

Several researchers were credited with discovering two further vulnerabilities in 2019 in the Medtronic Conexus telemetry protocol, prompting a second Medtronic advisory in March 2019. The vulnerabilities stem from the protocol’s lack of encryption, authentication, and authorization. If exploited, an attacker within radio range could intercept, replay, and modify data and change the configuration of implanted devices, programmers, and home monitors. One of the vulnerabilities, CVE-2019-6538, was rated critical and was assigned a CVSS v3 base score of 9.3 out of 10.

The latest patches correct the flaws in CareLink monitors and programmers and MyCareLink monitors. Patches have also been released for approximately half of the affected Medtronic implantable devices impacted by the Conexus vulnerabilities:

  • Brava™ CRT-D, all models
  • Evera MRI™ ICD, all models
  • Evera™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Primo MRI™ ICD, all models
  • Viva™ CRT-D, all models

Patches for all the remaining vulnerable devices will be released later this year.

To prevent exploitation of the flaws, Medtronic disabled the software distribution network (SDN) that delivers updates to the programmers, so software had to be updated manually via a secure USB drive. Now that patches have been released, the SDN has been reactivated and customers can use it to update their devices.

Medtronic has been monitoring for exploitation of the vulnerabilities and says there have been no cyberattacks or privacy breaches as a result of the vulnerabilities and no patients have been harmed.


How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes

Health statistics published in 2019 by the Organisation for Economic Co-operation and Development (OECD) show that healthcare expenditure in the United States is significantly higher than in other developed countries. A 2018 Harvard study of 11 developed countries found that the United States had the highest healthcare costs relative to GDP of all 11, with per capita spending almost twice that of other wealthy, developed countries.

Higher costs are not necessarily bad if they translate into better patient outcomes, but the OECD figures show that is not the case. The United States performed poorly for patient outcomes, even though the costs of healthcare are so high. Reducing the cost of healthcare is a major challenge and there is no silver bullet, but there are ways for costs to be reduced and for patient outcomes to be improved.

The Trump Administration has sought to reduce the cost of healthcare through executive orders and HHS rules. In June 2019 an executive order, Improving Price and Quality Transparency in American Healthcare to Put Patients First, was issued to improve healthcare price transparency, increase competition among hospitals and insurers, and drive down healthcare spending.

Another way costs can be cut is by eliminating waste in healthcare. A great deal of money is being wasted through inefficiency, such as the continued use of outdated communications technology.

The healthcare industry is still heavily reliant on communications technology from the 1970s. Advances are being made and new communications tools are being introduced, but oftentimes when new communications technology is purchased, it tends to be introduced in silos and healthcare organizations fail to achieve the full benefits. As a result, communications problems persist.

Communication inefficiencies are costing the healthcare industry dearly and that cost is being passed onto patients. Research shows communication inefficiencies cost a single 500-bed hospital around $4 million a year. The breakdown in communication is estimated to be a major factor in 70% of medical error deaths, according to a study published in the Journal of Medical Internet Research.

One company helping to cut the cost of healthcare is TigerConnect. TigerConnect has developed an advanced communications and collaboration solution that allows all members of care teams to communicate and collaborate quickly, efficiently, and effectively. The platform helps accelerate productivity and eliminates wastage, which allows healthcare providers to reduce the cost of healthcare. The solution has also been shown to improve patient outcomes.

The platform has been shown to reduce wait times in emergency departments, reduce the potential for medical errors, and shorten hospital stays, and it helps improve staff morale, especially among physicians. It eliminates phone tag, gives all members of the care team access to the data they need to make decisions, and supports proper patient handoffs, which is where the majority of medical errors occur.

The TigerConnect team is committed to solving pervasive problems in healthcare communication and continues to innovate and develop its solution to meet the needs of healthcare organizations of all sizes. The platform has proven popular with healthcare organizations and the company has been enjoying a period of tremendous growth, according to 2019 figures released today.

The TigerConnect solution is the most widely adopted healthcare communications and collaboration platform in the United States and 2019 has seen the company expand its industry footprint further. More than 600 new clients have been added in 2019, including 100 new enterprise clients such as Geisinger, NCH Healthcare System, Penn State Health, University of Maryland Medical System, Einstein Medical Center, Cooper University Health Care, and St. Luke’s University Health Network. More than 6,000 healthcare organizations are now using the platform.

TigerConnect has also expanded its workforce to cope with the increased demand. Over 50 new members of staff joined the company in 2019. TigerConnect also created new leadership roles, with the appointment of former Vacasa CTO, Tim Goodwin, as its first Chief Technology Officer, former McKesson consultant Sarah Shillington as the SVP of client success, and former Expedia executive, Allie Hanegan as VP of People.

TigerConnect is now looking to make greater gains in 2020 and has launched several initiatives to accelerate growth. Ahead of HIMSS20, TigerConnect will be launching several major product and partner initiatives, the company will be aggressively marketing its solution toward new clients and will also be looking to expand its footprint with its existing customer base. TigerConnect has also confirmed it will be forming a client advisory group and will be leveraging additional forums to get feedback from users to identify areas where the platform can be further improved.

“As we look ahead to the next decade, we see nothing but greenfield opportunity to redefine the way healthcare teams, payers, and patients connect and collaborate. We remain steadfast in our mission to partner with care organizations of every size and type, providing them with the world’s most advanced collaboration technology to produce a vision of the future we can all be proud of,” said Brad Brooks, co-founder and CEO of TigerConnect.


2020 Emergency Preparedness and Security Trends in Healthcare Survey

Every year, Rave Mobile Safety conducts a nationwide survey to identify healthcare security trends and assess the state of emergency preparedness and security trends in the healthcare industry.

For the 2020 Emergency Preparedness and Security Trends in Healthcare report, Rave Mobile Safety is seeking insights from leaders in the healthcare industry on the efforts they have made to prepare for emergency situations.

Many HIPAA Journal readers participated in last year’s survey and have provided information on the steps they have taken to improve safety in the workplace in emergency situations. That information has been used to get an overview of emergency preparedness in the United States.

The 2020 survey is now being conducted and HIPAA Journal readers have been requested to take part in the study. If you so wish, you can participate completely anonymously.

You can participate in the survey via the following link: Emergency Preparedness and Security Trends in Healthcare Survey.

If you provide your email address, you’ll receive the anonymized survey results before they are published and will be entered into a prize draw for a $200 gift card from the survey sponsor.

HIPAA Journal will eventually publish the results of the survey.

Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey. HIPAA Journal has no commercial relationship with the survey sponsor. If your organization is running a survey that is of interest to healthcare professionals, you can contact us with the details.


TitanHQ and Pax8 Partnership Announced

Pax8 partners can now benefit from two new cybersecurity solutions thanks to a new partnership with TitanHQ.

Pax8 is a born-in-the-cloud distributor that connects the channel ecosystem to its award-winning transactional cloud marketplace. Pax8 helps its partners achieve more in the cloud through productivity, infrastructure, continuity, and security solutions. The company is one of the fastest growing in the world, placed at number 60 in the 2019 Inc. 5000 list, and is a true leader in the cloud.

Pax8 greatly simplifies the cloud for managed service providers and allows them to easily find, purchase, and implement cloud-based solutions from leading vendors. Two areas where Pax8 partners required greater choice were email and web security. Options have now been increased in both areas thanks to the new partnership with TitanHQ.

TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs serving the SMB market. Under the new partnership agreement, Pax8 partners can now protect their own and their clients’ networks with TitanHQ’s multi-award-winning email security solution, SpamTitan, and its DNS filtering solution, WebTitan Cloud.

“TitanHQ’s cloud-based AI-driven threat intelligence technology protects email and web security solutions for MSPs and their customers,” said Ryan Walsh, chief channel officer at Pax8. “Our partners are excited about the addition of TitanHQ and the ability to protect their clients’ businesses by blocking malware, phishing, ransomware, and links to malicious websites from emails.”

SpamTitan provides protection from phishing, spear phishing, and email impersonation attacks and blocks known and zero-day malware threats. WebTitan provides protection against the web-based element of cyberattacks such as exploit kits, phishing kits, and drive-by malware downloads.

The solutions incorporate many MSP-friendly features and Pax8 partners benefit from a fully transparent pricing policy, centralized billing, and industry-leading technical support.

“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO TitanHQ. “Their focus and dedication to the MSP community is completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”


Amazon Lex is Now HIPAA Compliant

Amazon has announced that the Amazon Lex chatbot service is now HIPAA eligible, meaning it can be used by healthcare organizations in connection with protected health information without violating Health Insurance Portability and Accountability Act Rules, provided it is covered by a business associate agreement and configured appropriately.

Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa.

Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA).

On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with workloads involving ePHI, provided that a BAA is in place. Amazon Lex has been subjected to third-party security assessments under multiple AWS compliance programs and, in addition to being HIPAA eligible, is covered by AWS’s PCI DSS and SOC compliance programs.

As with any software solution, HIPAA eligibility and a BAA do not guarantee compliance. Amazon is responsible for the safeguards within the service that protect the confidentiality, integrity, and availability of ePHI; the customer remains responsible for implementing and using the service in a manner that complies with HIPAA Rules, including access control, encryption settings, logging, and keeping ePHI out of AWS services that are not covered by the BAA.

Amazon has released a whitepaper on Architecting for HIPAA Security and Compliance on AWS, which details best practices for configuring AWS services that store, process, and transmit ePHI. Guidelines on the administration of Amazon Lex have also been published.
