Healthcare Technology Vendor News

Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs

A vulnerability has been identified in the Philips IntelliBridge EC40/80 hub which could allow an attacker to gain access to the hub and execute software, modify files, change the system configuration, and gain access to identifiable patient information.

Philips IntelliBridge EC40/80 hubs are used to transfer medical device data from one format to another, based on set specifications. The hub does not alter the settings or parameters of any of the medical devices to which it connects.

The vulnerability could be exploited by an attacker to capture and replay a session and gain access to the hub. The flaw is due to the SSH server running on the affected products being configured to allow weak ciphers.

The vulnerability would only require a low level of skill to exploit, but in order to exploit the flaw an attacker would need to have network access. The flaw – CVE-2019-18241 – has a CVSS v3 base score of 6.3 out of 10 – Medium severity.

The flaw was reported to Philips by New York-Presbyterian Hospital’s Medical Technology Solutions team, and under its responsible vulnerability disclosure policy, Philips reported the vulnerability to the DHS Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability is present in all versions of the EC40 and EC80 hubs and will be addressed in a new release, which will not be available until the end of Q3, 2020.

Until Philips issues the new release, users of the affected hubs have been advised to implement the following mitigation measures to reduce the potential for exploitation.

  1. Only operate the hub within Philips authorized specifications, using Philips approved software, configurations, system services, and security configurations.
  2. There is no clinical requirement for these devices to communicate outside the Philips clinical network. The devices should be logically or physically separated from the hospital network.
  3. Users should block access to the SSH port. SSH is not meant to be used for clinical purposes, only for product support.
  4. Use a long and complex SSH password and make sure password distribution is controlled to ensure SSH is used via physical access only.
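The weakness behind CVE-2019-18241 is an SSH server configured to accept weak ciphers. The following added audit script is not Philips code and is not taken from the advisory: it parses the SSH_MSG_KEXINIT payload a server sends at the start of every session (RFC 4253 section 7.1) and reports the legacy ciphers and MACs on offer, so an administrator can confirm whether a device still advertises them before and after it is locked down. The list of algorithms treated as weak is an assumption of this example (the advisory does not name the ciphers the hub accepts), and both sample packets are constructed, not captured from a real hub.

```python
"""Audit the algorithms an SSH server advertises in its SSH_MSG_KEXINIT."""
import struct

SSH_MSG_KEXINIT = 20

# Legacy algorithms a defender should flag (assumed list; the advisory does not
# name the ciphers the hub accepts): RC4, 3DES, Blowfish/CAST and all CBC modes.
WEAK_CIPHERS = {
    "arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
    "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _name_list(items):
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(items).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from a dict of name-lists (used only to make sample input)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        body += _name_list(lists.get(name, []))
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {name-list: [algorithms]}; ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip the message byte and the 16-byte cookie
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"truncated inside {name}")
        lists[name] = [n for n in payload[pos:pos + length].decode("ascii").split(",") if n]
        pos += length
    return lists


def audit_kexinit(payload):
    """Return the weak ciphers and MACs offered in either direction, sorted."""
    lists = parse_kexinit(payload)
    ciphers = set(lists["encryption_algorithms_client_to_server"]) | set(lists["encryption_algorithms_server_to_client"])
    macs = set(lists["mac_algorithms_client_to_server"]) | set(lists["mac_algorithms_server_to_client"])
    return {"weak_ciphers": sorted(ciphers & WEAK_CIPHERS), "weak_macs": sorted(macs & WEAK_MACS)}


# Constructed sample: a legacy sshd that still offers CBC, 3DES and RC4 next to AES-CTR.
LEGACY_SERVER = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes128-cbc", "3des-cbc", "arcfour"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes128-cbc", "3des-cbc", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})
# Constructed sample: the same server after restricting sshd to AEAD ciphers and SHA-2 MACs.
HARDENED_SERVER = build_kexinit({
    "kex_algorithms": ["curve25519-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

if __name__ == "__main__":
    print("legacy:", audit_kexinit(LEGACY_SERVER), "hardened:", audit_kexinit(HARDENED_SERVER))
```

To audit a live server, feed `parse_kexinit` the payload of the first packet the server sends after the version-string exchange; the same check is what an `sshd_config` with explicit `Ciphers` and `MACs` lines should make come back empty.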

The post Vulnerability Identified in Philips IntelliBridge EC40/80 Hubs appeared first on HIPAA Journal.

Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered with Ascension, the world’s largest Catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that the collaboration with Ascension is focused on: A) shifting Ascension’s infrastructure to the Google Cloud platform; B) helping Ascension implement G Suite productivity tools; and C) extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that its access to patient data is legitimate and in full compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a business associate agreement (BAA) with Ascension, has implemented appropriate safeguards to keep patient information secure, and states that it is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

While patients may be concerned that Google now has access to some of their most sensitive data, it is not standard practice for healthcare organizations to announce collaborations with third-party companies that provide services that require access to protected health information. However, a proactive announcement rather than a reactive press release may have helped allay fears and concerns.


Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products

Six vulnerabilities have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one critical flaw that could allow an attacker to gain access to the Valleylab Energy platform, view/overwrite files, and remotely execute arbitrary code.

The vulnerabilities were identified by Medtronic which reported the flaws to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency under its responsible vulnerability disclosure policy.

Four vulnerabilities have been identified in the following Medtronic Valleylab products:

  • Valleylab Exchange Client, Version 3.4 and below
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and below
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and below

The critical vulnerability is an improper input validation flaw in the rssh utility, which facilitates file uploads. Exploitation of the vulnerability would allow an attacker to gain administrative access to files, allowing those files to be viewed, altered, or deleted. The flaw could also allow remote execution of arbitrary code.

The flaw has been assigned two CVE codes – CVE-2019-3464 and CVE-2019-3463. A CVSS v3 base score of 9.8 has been calculated for the flaws.

The products also use multiple sets of hard-coded credentials. If those credentials were discovered by an attacker, they could be used to read files on a vulnerable device. This flaw has been assigned the CVE code CVE-2019-13543 and has a CVSS v3 base score of 5.4.

Vulnerable products use the descrypt algorithm for operating system password hashing. Even with interactive, network-based logons disabled, an attacker who combined this weakness with the other vulnerabilities could obtain local shell access and view these hashes. The flaw – CVE-2019-13539 – has a CVSS v3 base score of 7.0.
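The descrypt weakness is easy to audit on any Linux-style system: a traditional DES crypt hash is a bare 13-character string, while modern schemes carry a `$id$` prefix. The script below is an added example, not Medtronic code and not from the advisory; it classifies the hash field of /etc/shadow-style entries so accounts still protected by descrypt (or other cheap-to-attack schemes) can be listed and rehashed. The prefix table follows crypt(5) conventions and is an assumption of this example, and the sample shadow lines are constructed.

```python
"""Flag accounts whose password hash uses traditional DES crypt ("descrypt")."""
import re

# 13 characters from the crypt(3) alphabet with no "$id$" prefix: 2-char salt + 11-char hash.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes per crypt(5) (assumed table; the advisory names only descrypt).
PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
# Schemes that are cheap to attack offline and should be migrated.
LEGACY_SCHEMES = {"descrypt", "bsdi-extended-des", "md5crypt"}


def classify_hash(field):
    """Name the hashing scheme of one shadow password field."""
    field = field.lstrip("!")  # a leading "!" only marks the account locked; the hash is still there
    if field in ("", "*"):
        return "no-password"
    for prefix, scheme in PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    if field.startswith("_") and len(field) == 20:
        return "bsdi-extended-des"
    if DESCRYPT_RE.match(field):
        return "descrypt"
    return "unknown"


def audit_shadow(text):
    """Return [(user, scheme)] for every entry in /etc/shadow-style text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        results.append((fields[0], classify_hash(fields[1])))
    return results


def legacy_accounts(text):
    """Users whose hash scheme should be replaced (locked accounts included, since the hash remains)."""
    return [user for user, scheme in audit_shadow(text) if scheme in LEGACY_SCHEMES]


# Constructed sample shadow file; the hash values are made up, not taken from any real device.
SAMPLE_SHADOW = """\
root:ab01FAX.bQRSU:18200:0:99999:7:::
service:!$1$saltsalt$Q6y1vWqVHnoR8sjV0dJbx0:18200:0:99999:7:::
operator:$6$rounds=5000$saltsalt$n9Y7R0t3ZQ4sLmF2pK1vC8xW6eJ5bH3aD0gT9uI7yO2rS4fA1lN8cV5zM3kX6jB9hE7wU4oP1qL0tR2:18200:0:99999:7:::
guest:*:18200:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10} {scheme}")
    print("legacy:", legacy_accounts(SAMPLE_SHADOW))
```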

Medtronic has released a patch for the FT10 platform, which should be applied as soon as possible. The FX8 platform will be patched in early 2020. Medtronic notes that the above products are supplied with network connections disabled by default and the Ethernet port is disabled on reboot; however, the company is aware that users often enable network connectivity.

Until the patches are applied to correct the flaws, Medtronic advises users to disconnect vulnerable products from IP networks or ensure those networks are segregated and are not accessible over the internet or via other untrusted networks.

Two further vulnerabilities have been identified in the following Medtronic Valleylab energy and electrosurgery products:

  • Valleylab FT10 Energy Platform (VLFT10GEN)
    • Version 2.1.0 and lower and Version 2.0.3 and lower
  • Valleylab LS10 Energy Platform (VLLS10GEN; not available in the United States)
    • Version 1.20.2 and lower

The FT10/LS10 Energy Platform incorporates an RFID security mechanism for authentication between the platform and instruments to prevent inauthentic instruments from being used. This security mechanism can be bypassed. The flaw has been assigned the CVE code CVE-2019-13531 and has a CVSS v3 base score of 4.8.

The RFID security mechanism does not apply read protection, which could allow full read access to RFID security mechanism data. This flaw – CVE-2019-3535 – has a CVSS v3 base score of 4.6.

A patch has been issued to correct both of these flaws.


Speakap Confirmed as HIPAA Compliant by Compliancy Group

The communication platform provider Speakap has announced it has achieved compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules with Compliancy Group.

Speakap has developed a communications platform that helps healthcare organizations communicate quickly and efficiently with their frontline staff, even if they do not have easy access to computers. Through a mobile app, healthcare organizations can maintain contact with deskless workers and communicate with the entire workforce through a desktop version of the app. The app is used by businesses in a wide range of industry sectors; however, in order to offer the communications solution to the healthcare industry, Speakap needed to ensure that its platform, policies, and procedures were in full compliance with HIPAA Rules.

Since the platform can be used to communicate ePHI, Speakap is classed as a business associate under HIPAA and must ensure administrative, physical, and technical safeguards are incorporated into its solution and the company fulfils its responsibilities with respect to HIPAA.

To ensure that the company was fully compliant, Speakap sought assistance from Compliancy Group. Using Compliancy Group’s proprietary software solution, The Guard, and assisted by its compliance coaches, the company successfully completed Compliancy Group’s 6-stage risk analysis and risk remediation process.

Compliancy Group’s HIPAA experts have verified Speakap’s good faith efforts toward HIPAA compliance and have awarded the company its HIPAA Seal of Compliance. The HIPAA Seal of Compliance confirms that Speakap has the safeguards, policies, and procedures in place and has developed and implemented an effective HIPAA compliance program and has met the necessary regulatory standards of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, HIPAA Omnibus Rule, and the HITECH Act.

“Speakap’s HIPAA compliance builds upon the company’s commitment to offer trusted and secure solutions that comply with the highest industry standards,” said Speakap CEO, Erwin Van Der Vlist. “We’re providing those who require HIPAA compliance the highest levels of trust and the peace of mind they deserve. The platforms we provide are backed by the extraordinary measures we take to deliver industry-leading services.”


Compliancy Group Helps Technology Response Team Achieve HIPAA Compliance

Compliancy Group has announced that Technology Response Team has successfully completed its 6-stage HIPAA risk analysis and remediation process and has demonstrated compliance with the standards of the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules.

Technology Response Team is a Managed Service Provider (MSP) based in Denver, CO that provides a wide range of IT support and cybersecurity services to healthcare organizations in the Denver Front Range and helps them succeed through the use of technology.

The company translates complex computer terminology into language that can be easily understood by its clients and helps them implement IT solutions that improve efficiency and protect against malicious attacks.

Naturally, the services provided to healthcare organizations mean the company will come into contact with systems used to create, receive, store, process, and transmit electronic protected health information. As such, Technology Response Team is classed as a business associate and is required to comply with HIPAA.

Technology Response Team is committed to compliance and, by partnering with Compliancy Group, has taken its compliance program to the next level. Through the use of Compliancy Group’s proprietary software, The Guard, and assisted by its compliance coaches, Technology Response Team demonstrated that its compliance program covers all aspects of HIPAA Rules and that the company is HIPAA compliant.

After successfully completing the 6-stage HIPAA risk analysis and remediation process, Compliancy Group awarded the MSP the ‘HIPAA Seal of Compliance’. The HIPAA Seal of Compliance confirms that the company’s good faith efforts toward HIPAA compliance have been assessed and verified by Compliancy Group’s compliance coaches as meeting HIPAA standards.

Through the incorporation of HIPAA policies and procedures and staff training, the company is in a better position to serve clients in the healthcare industry and implement solutions that will help with their compliance efforts and secure their systems from malicious attacks.


Compliancy Group Confirms Integrated Technology Group is HIPAA Compliant

Integrated Technology Group, a leading healthcare-industry focused managed service provider (MSP) in the Central Virginia region, has achieved HIPAA compliance with Compliancy Group and has demonstrated its policies and procedures are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules and the requirements of the HITECH Act.

Integrated Technology Group is primarily focused on providing managed information technology services to private medical practices to help them focus on what they do best – providing care to patients. Initially the company’s main focus was providing break-fix services. Today the company offers a wide range of managed IT services, including helping medical practices with cloud integrations, continuity planning, implementing VoIP solutions, and securing their networks.

Since the provision of those services requires access to systems containing patients’ electronic protected health information, Integrated Technology Group is classed as a business associate under Health Insurance Portability and Accountability Act Rules. Consequently, just like the healthcare clients that the company serves, Integrated Technology Group must also comply with HIPAA Rules. That means implementing safeguards to ensure the confidentiality, integrity, and availability of ePHI and developing, implementing, and maintaining policies and procedures to ensure continued compliance with HIPAA Rules.

Cyberattacks on healthcare organizations are increasing by the day and the HHS’ Office for Civil Rights and state Attorneys General are enforcing compliance with HIPAA Rules much more rigorously. HIPAA compliance has never been more important for healthcare organizations and their business associates.

Integrated Technology Group has always been committed to complying with all aspects of HIPAA Rules and helping its healthcare clients meet their compliance requirements. To demonstrate the company’s commitment to privacy and security and to take its compliance program to the next level, assistance was sought from Compliancy Group.

By undertaking Compliancy Group’s proprietary 6-Stage HIPAA Risk Analysis and remediation process and using Compliancy Group’s proprietary HIPAA compliance tracking software, The Guard®, Integrated Technology Group has demonstrated its compliance program meets the stringent standards of HIPAA and the HITECH Act.

After successful completion of the program, Integrated Technology Group has been awarded Compliancy Group’s HIPAA Seal of Compliance, which demonstrates to healthcare clients that the company can offer an effective, comprehensive compliance solution to medical practices and healthcare organizations of any size or scope.

“Our capacity means your security. Which is why every one of our staff members, from technical staff to marketing personnel, went through extensive, vigorous HIPAA compliance training. The same will be required of each new hire at Integrated Technology Group,” said Paul Meadows, Integrated Technology Group President and CEO.


TitanHQ Announces Record Growth in MSP Market and New ‘Margin Maker for MSPs’ Initiative

Cloud security vendor and HIPAA Journal sponsor, TitanHQ, has enjoyed impressive growth in Q3, 2019, registering the busiest quarter for MSP business in the company’s 20+ year history.

From humble beginnings, the company has grown into the leading provider of cloud-based email and web security solutions for managed service providers that service the SMB market. Initially, the firm sold anti-spam appliances to local businesses in Galway, Ireland. Today, the company is a global provider of cloud-based network security solutions for SMBs and MSPs.

The company’s cloud-based network security solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – are used by more than 8,200 businesses around the world and the firm has over 2,200 MSP partners.

TitanHQ’s success in the MSP, OEM, and service provider markets can be attributed to several factors. Many other companies have only considered MSPs after products have been developed, with additional functionality added to appeal to the MSP market. With TitanHQ, MSPs have always been at the core of the design of its security solutions.

The company operates a transparent and flexible pricing policy with highly competitive margins to help MSPs profit from offering TitanHQ’s core cloud-based network security products to their customers and grow their business.

When MSPs join the TitanShield partner program they are provided with extensive sales enablement and marketing support. Each MSP has a dedicated account manager, engineers, and a highly capable support team to help ensure success. By making it as easy as possible for its partners to succeed, the company has reaped the rewards.

The successes of Q3, 2019 look set to continue in Q4 with the launch of a new sales initiative. The Q4 program has been aptly named Margin Maker for MSPs – a disruptive price package covering both its email and web security platforms.

TitanHQ is offering an exclusive ‘once-in-a-lifetime’ price on an email and web security package that protects the two most mission-critical vectors, email and the web, from malware, ransomware, botnets, phishing and spear phishing attacks.

The package includes security and breach protection for MSPs, their employees, and MSP clients, which is provided in two private clouds that can be customized to meet the needs of MSP partners. The package will ensure MSPs can build profitability instantly in Q4.

UK-based MSP OpalIT is already reaping the benefits of the new initiative. OpalIT operates out of Newcastle and Edinburgh, has recently transitioned from Vade and Barracuda, and now offers all three TitanHQ solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – to its 6,000+ customer base.

“Opal IT moved to TitanHQ because of our MSP focused solutions, ease of deployments, extensive API functionality and the increased margin they’re now making,” explained Rocco Donnino, EVP Strategic Alliances, TitanHQ. “Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach.”

MSPs are encouraged to meet the TitanHQ team at key MSP events in October and November to learn more about the Margin Maker for MSPs initiative and the TitanShield partner program.


Atlantic.Net Recognized in Gartner 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations

Gartner has published its 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations (HDOs). The report contains an analysis of the healthcare cloud market and explains how the cloud can be a viable option for healthcare organizations seeking greater efficiency and flexibility than is achievable with traditional on-premises infrastructure.

Many healthcare organizations are now realizing the value of cloud-based solutions and how intelligent use of the cloud can help improve efficiency, eliminate waste, and drive down the cost of healthcare delivery. The industry may lag behind other sectors in terms of cloud adoption, but the landscape is changing fast as the healthcare cloud market matures.

Healthcare CIOs are now viewing the cloud as an extension of their internal infrastructure. While initially there was a great deal of skepticism about the cloud due to the security risks and potential for costs to spiral out of control, there is now widespread acceptance that the cloud can serve as an IT service delivery model and the healthcare industry is now much more accepting of the cloud. There are tangible benefits to be gained from adopting cloud-based infrastructure and cloud services, HIPAA regulations can be satisfied, and associated risks can be reduced to a low and acceptable level.

Gartner has responded to the growth in cloud adoption in healthcare by producing a market guide for HDOs. The guide defines and describes the market, analyzes the direction the market is taking, and details the most notable vendors that are helping HDOs transition to the cloud.

Gartner has divided the market into four tiers to help healthcare organizations differentiate cloud companies and their offerings. The top tier naturally includes the large cloud service providers (CSPs) such as Amazon (AWS), Microsoft (Azure), IBM (IBM Cloud) and Google (Google Cloud). The second tier contains smaller CSPs that offer more specialist solutions for the healthcare industry such as Healthcare Blocks and Virtustream.

The third tier consists of vertical market players that offer hosting for electronic health records. In this tier are hosting companies such as Atlantic.Net that provide secure, HIPAA-compliant hosting services for electronic health records to allow EHRs to be accessed from any location in real-time, along with HIPAA-compliant hosting for databases, websites, and cloud-based storage services.

In the final tier are platform-as-a-service providers. These are integrated delivery networks that have developed their own cloud-based products for internal use and are now selling those products to other healthcare systems under license; UK Cloud Health is one example.

This is the second year that the Market Guide for Cloud Service Providers to HDOs has been produced and the second time that Atlantic.Net has been named in the market guide.

“We are honored to be named in this report, which we believe further solidifies our standing within distinguished security and compliance service providers,” said Marty Puranik, CEO of Atlantic.Net. “I attribute this success to our team members and skilled engineers, who strive to deliver technological solutions with a human touch.”

Gartner’s 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations can be downloaded from Gartner (subscription required).


Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station.

Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk.

The flaws require a high level of skill to exploit, in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would have a clinical impact. Philips does not believe the flaws are being actively exploited.

The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely log in via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an executable file from a remote location without checks to verify the origin and integrity of the code. The flaws have each been assigned a CVSS v3 base score of 6.4 out of 10.

The following Philips products are affected:

  • IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
    • WLAN Version A, Firmware A.03.09
  • IntelliVue MP monitors MP5/5SC (M8105A/5AS)
    • WLAN Version A, Firmware A.03.09, Part #: M8096-67501
  • IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)
  • IntelliVue MP monitors MX800/700/600 (865240/41/42)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)

WLAN Version B is obsolete and will not be patched. Philips has advised customers to update to the WLAN Module Version C wireless module if they are using any of the patient monitors affected by the flaws. WLAN Version C with current firmware of B.00.31 is not affected by either vulnerability. Mitigating controls include the use of authentication and authorization via WPA2, implementing a firewall rule on the wireless network, and ensuring physical controls are implemented to restrict access to the system.

The flaw in WLAN Version A will be addressed with a patch which Philips plans to release via Incenter by the end of 2019.
