Healthcare Technology Vendor News

Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices

Five vulnerabilities that require immediate patching have been identified in the Illumina Local Run Manager (LRM), which is used by Illumina In Vitro Diagnostic (IVD) devices and Illumina Research Use Only (RUO) instruments. The affected devices are used for clinical diagnostic DNA sequencing and testing for various genetic conditions, and for research use. Four of the vulnerabilities are critical, with three having a maximum CVSS severity score of 10 out of 10.

The vulnerabilities affect the following devices and instruments:

Illumina IVD Devices

  • NextSeq 550Dx: LRM Versions 1.3 to 3.1
  • MiSeq Dx: LRM Versions 1.3 to 3.1

Illumina RUO Devices

  • NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
  • NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
  • MiSeq Instrument: LRM Versions 1.3 to 3.1
  • iSeq 100 Instrument: LRM Versions 1.3 to 3.1
  • MiniSeq Instrument: LRM Versions 1.3 to 3.1

A threat actor could exploit the vulnerabilities remotely, take control of the instruments, and perform any action at the operating system level such as modifying the settings, configurations, software, or data on the instrument. It would also be possible to exploit the vulnerabilities to interact with the connected network through the affected product.

The vulnerabilities are:

  • CVE-2022-1517 – A remote code execution vulnerability due to the LRM utilizing elevated privileges, which would allow a malicious actor to upload and execute code at the operating system level. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1518 – A directory traversal vulnerability that allows a malicious actor to upload files outside the intended directory structure. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1519 – The failure to restrict uploads of dangerous file types. A malicious actor could upload any file type, including executable code that allows for a remote code exploit. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1521 – A lack of authentication or authorization in the default configuration, which would allow a malicious actor to inject, replay, modify, and/or intercept sensitive data. The vulnerability has a CVSS v3 severity score of 9.1 (critical)
  • CVE-2022-1524 – A lack of TLS encryption for the transmission of sensitive information, putting information – including credentials – at risk of interception in a man-in-the-middle attack. The vulnerability has a CVSS v3 severity score of 7.4 (high severity)
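
The three upload-side weaknesses above (missing authorization, directory traversal, unrestricted file types) share one defensive shape: check the caller, pin the destination inside the upload root, and allow-list the formats the instrument actually needs. The following is an added example written for this page, not Illumina or LRM code; the upload root, the allowed suffixes and the session dictionary are hypothetical.

```python
import os
import posixpath
import re

# Hypothetical values for this example; LRM's real paths and policy are not known here.
UPLOAD_ROOT = "/var/lrm/uploads"
ALLOWED_SUFFIXES = (".fastq", ".fastq.gz", ".csv", ".txt")
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(Exception):
    """Raised when an upload fails one of the three checks."""


def require_upload_permission(session):
    """CVE-2022-1521 class: the default configuration must not skip auth/authz.
    `session` is a hypothetical dict produced by the web layer after login."""
    if not session or not session.get("authenticated"):
        raise UploadRejected("unauthenticated request")
    if "upload" not in session.get("roles", ()):
        raise UploadRejected("account lacks the upload role")


def resolve_upload_path(root, filename):
    """CVE-2022-1518 class: the file must land inside `root`, never outside it.
    Normalises Windows separators, rejects any directory part, allow-lists the
    remaining characters, then proves the resolved path is still under root."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        raise UploadRejected("filename contains a path component")
    if not SAFE_NAME.match(base):
        raise UploadRejected("filename contains disallowed characters")
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, base))
    # Even a name that passed the regex must not resolve outside the root.
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise UploadRejected("resolved path escapes the upload root")
    return target


def require_allowed_type(filename):
    """CVE-2022-1519 class: only the data formats the instrument needs, never executables.
    A deny-list (.exe, .ps1, .dll, ...) is brittle; an allow-list is the safe shape."""
    if not filename.lower().endswith(ALLOWED_SUFFIXES):
        raise UploadRejected("file type is not on the allow-list")


def upload_decision(session, filename):
    """Run all three checks; return (accepted, detail) so callers can log rejections."""
    try:
        require_upload_permission(session)
        target = resolve_upload_path(UPLOAD_ROOT, filename)
        require_allowed_type(filename)
        return True, target
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    operator = {"authenticated": True, "roles": ["upload"]}  # constructed session
    for name in ("run1.fastq.gz", "../../outside.txt", "payload.exe", "ok.csv"):
        print(name, "->", upload_decision(operator, name))
    print("anonymous ->", upload_decision(None, "ok.csv"))
```

The accepted path is returned rather than written so the check can be unit-tested without touching disk; a real handler would write the bytes there with non-executable permissions.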

The vulnerabilities were reported to Illumina by Pentest, Ltd. Illumina has developed a software patch that will prevent the vulnerabilities from being exploited remotely as an interim fix while a permanent solution is developed for current and future instruments.

The U.S. Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency (CISA) have issued security alerts urging immediate action to be taken to address the vulnerabilities.

The patch for Internet-connected instruments is available here. If the instruments are not connected to the Internet, users should contact Illumina Tech Support.

The post Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices appeared first on HIPAA Journal.

Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

Source Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR); from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six commonly found website features that could be exploited by threat actors: code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study was found to contain one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages, but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to the attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third-party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to reduce exposure and compliance risks.


Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers

The Five Eyes intelligence alliance, which consists of cybersecurity agencies from the United States, United Kingdom, Australia, New Zealand, and Canada, has issued a joint alert warning about the increasing number of cyberattacks targeting managed service providers (MSPs).

MSPs are attractive targets for cybercriminals and nation-state threat actors. Many businesses rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, as it is often easier and more cost-effective than developing the capabilities to handle those functions internally.

In order to provide those services, MSPs require trusted connectivity and privileged access to the networks of their clients. Cyber threat actors target vulnerable MSPs and use them as the initial access vector to gain access to the networks of all businesses and organizations that they support. It is far easier to conduct a cyberattack on a vulnerable MSP and gain access to the networks of dozens of businesses than to target those businesses directly.

When MSP systems are compromised, it may take several months before the intrusion is detected, during which time threat actors may conduct cyber espionage on the MSP and its customers or prepare for other follow-on activities such as ransomware attacks.

The Five Eyes agencies provide recommendations for baseline security measures that MSPs and their customers should implement and also recommend customers review their contracts with MSPs to ensure that the contracts specify that their MSPs must implement the recommended measures and controls.

Steps need to be taken to improve defenses to prevent the initial compromise. Cyber threat actors commonly exploit vulnerable devices and Internet-facing services and conduct phishing and brute force attacks to gain a foothold in MSP networks. The Five Eyes agencies recommend MSPs and their customers:

  • Improve the security of vulnerable devices
  • Protect internet-facing services
  • Defend against brute force and password spraying
  • Defend against phishing

It is vital to enable or improve monitoring and logging processes to allow intrusions to be rapidly detected. Since threat actors may compromise networks for months, all organizations should store their most important logs for at least six months. “Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks,” suggest the agencies in the alert.

It is important to secure remote access applications and enforce multi-factor authentication as far as possible, and ensure MFA is implemented on all accounts that allow access to customer environments. Customers of MSPs should ensure that their contracts state that MFA must be used on accounts that are used to access their systems.

The Five Eyes agencies also suggest:

  • Managing internal architecture risks and segregating internal networks
  • Applying the principle of least privilege
  • Deprecating obsolete accounts and infrastructure
  • Applying software updates and patches promptly
  • Backing up systems and data regularly and testing backups
  • Developing and exercising incident response and recovery plans
  • Understanding and proactively managing supply chain risk
  • Promoting transparency
  • Managing account authentication and authorization

MSPs and their customers will have unique environments, so the recommendations should be applied as appropriate in accordance with their specific security needs and appropriate regulations.


BD Discloses 2 Vulnerabilities in its Pyxis, Rowa, and Viper LT Products

Becton, Dickinson and Company (BD) has self-reported two vulnerabilities that affect its BD Pyxis automated medication dispensing systems, BD Rowa pouch packaging systems, and BD Viper LT automated molecular testing systems.

Both vulnerabilities are due to the use of hard-coded credentials. If exploited, the vulnerabilities could allow an unauthorized individual to access, modify, and delete sensitive data, which could include electronic protected health information (ePHI).

The most serious vulnerability, tracked as CVE-2022-22765, affects all versions of the BD Viper LT system from 2.0. The vulnerability has been assigned a CVSS severity score of 8.0 out of 10.

BD is currently working on a fix for the vulnerability, which will be included in the upcoming BD Viper LT system Version 4.80 software release. In the meantime, BD has suggested implementing compensating controls, such as ensuring physical access controls are in place, only permitting authorized individuals to access the system, disconnecting the system from network access where possible, and, if it is not possible to disconnect the system from network access, implementing industry-standard network security policies and procedures.

The second vulnerability, tracked as CVE-2022-22766, affects the BD Pyxis range of products and BD Rowa Pouch Packaging Systems. The vulnerability has been assigned a CVSS severity score of 7.0 out of 10. If exploited, an attacker could gain access to the file system and exploit application files that could be used to decrypt application credentials or gain access to ePHI.

Credentials are BD-managed and are not visible to or used by customers to access or use BD Pyxis devices. That means that in order to exploit the vulnerability, threat actors would have to gain access to the hardcoded credentials, infiltrate a facility’s network, and gain access to individual devices.

BD said it is in the process of strengthening credential management capabilities in BD Pyxis devices. In the meantime, compensating controls can be implemented for the affected products. These include limiting physical access to authorized personnel, tightly controlling the management of BD Pyxis system credentials provided to authorized users, isolating products in a secure VLAN or behind firewalls, and monitoring and logging network traffic. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts. Users should work with their BD support team to ensure all patching and virus definitions are up to date.

“BD is committed to transparency with our customers and makes product security information, including vulnerability disclosures, available through the BD Cybersecurity Trust Center,” said BD in a statement. “As part of this commitment, BD posted product security bulletins about the use of hardcoded credentials… Hardcoded credentials are not used directly by customers or end-users to access these systems.”

There have been no reports of the vulnerabilities being exploited in clinical settings. BD self-reported the vulnerabilities to the FDA, ISAOs, and CISA for maximum awareness.


Celo Launches Healthcare Messaging Platform for Teams

Celo has launched a new healthcare messaging platform for teams in the United States, with U.S. operations run from its Seattle, WA headquarters and led by Celo’s chief growth officer, Jack Clough.

Healthcare organizations have been slow to adopt modern communications technologies compared to other industry sectors; pagers, faxes, and email are still extensively used for communication between care teams, even though these outdated modes of communication are inefficient. In other industry sectors, instant messaging solutions have been widely adopted and have been shown to improve collaboration between individuals and teams and improve communication efficiency.

There are problems with using generic business messaging products and services in healthcare. The solutions tend to lack the features required by healthcare organizations and many lack the required privacy and security measures to allow healthcare data to be communicated via the platforms and are a compliance risk. Secure messaging app providers are classed as business associates under HIPAA, and many messaging app providers are unwilling to enter into business associate agreements with HIPAA-covered entities.

The Celo secure messaging platform was designed by a medical doctor and has been built specifically to meet the needs of the healthcare industry. The Celo healthcare secure messaging platform allows messages to be sent securely through the platform and appropriate safeguards have been implemented to ensure compliance with HIPAA and the HITECH Act.

At the core of the solution is a secure messaging app that includes an on-call feature that allows users to instantly communicate with the right on-call professionals. The solution includes a reporting dashboard that provides insights into areas where improvements can be made, such as resource allocation and process enhancements. The platform also includes a rostering optimization feature that allows users to send role-based messages rather than having to find specific providers in the directory, and a broadcast feature that allows administrators to send mass messages and see in real time which staff members have received and read the messages.

The platform is compatible with iOS, Android, and can be accessed via the web. The platform can be used free of charge by individuals and teams, with the full-featured product available for a recurring fee with its Premium and Enterprise packages.

The platform has already been adopted by more than 800 healthcare organizations in the United States, United Kingdom, and New Zealand – countries that have strict legislation covering the transmission of sensitive healthcare data – to improve communication efficiency, worker productivity, and optimize clinical workflows.


High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products

A high severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password.

The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). The vulnerability allows the manual entry of any Active Directory (AD) account provisioned within the application, and access will be granted without having to provide the associated password. That means a remote attacker could access the application under the provided AD account and gain all privileges associated with the account.

The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10.

According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products:

  • Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
  • Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
  • Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
  • Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
  • Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
  • Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
  • Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1

Hillrom will address this vulnerability in the next software release; however, as an interim measure to prevent the vulnerability from being exploited, users of the affected products should disable the SSO feature in the respective Modality Manager Configuration settings. In addition, customers should ensure they apply proper network and physical security controls and should apply authentication for server access.


Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBridge EC 40 and EC 80 Hub

Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data.

The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication.

Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10.

Philips has not yet issued an update to correct the vulnerabilities but expects to fix the flaws by the end of the year. In the meantime, Philips recommends only deploying the products within Philips authorized specifications, and only using Philips-approved software, software configuration, system services, and security configurations. The devices should also be logically or physically isolated from the hospital network.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities have been identified that affect the Philips Patient Information Center iX and Efficia CM series patient monitors. The flaws could be exploited to gain access to patient data and to conduct a denial-of-service attack. While exploitation has a low attack complexity, the flaws could only be exploited via an adjacent network.

The vulnerabilities affect the following Philips products:

  • Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  • Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable versions of the PIC iX do not adequately validate input to determine whether the input has the properties to be processed safely and correctly. The vulnerability is tracked as CVE-2021-43548 and has been assigned a CVSS severity score of 6.5 out of 10.

A hard-coded cryptographic key has been used which means it is possible for encrypted data to be recovered from vulnerable versions of the PIC iX. The flaw is tracked as CVE-2021-43552 and has a CVSS score of 6.1.

A broken or risky cryptographic algorithm means sensitive data may be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tracked as CVE-2021-43550 and has a CVSS score of 5.9.

CVE-2021-43548 has been remediated in PIC iX C.03.06 and updates to fix the other two vulnerabilities are due to be released by the end of 2022.

To reduce the potential for exploitation of the vulnerabilities, the products should only be used in accordance with Philips authorized specifications, which include physically or logically isolating the devices from the hospital local area network, and using a firewall or router that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.

Philips-issued hardware has Bitlocker Drive Encryption enabled by default and this should not be disabled. Prior to disposal, NIST SP 800-88 media sanitization guidelines should be followed. Patient information is not included in archives by default, so if archives are exported that contain patient information, the information should be stored securely with strong access controls.


3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions

Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and update files, and export data, including protected health information, to an untrusted environment.

Aguilar found insufficient access controls which fail to restrict access by unauthorized individuals (CVE-2021-3083), software that assigns an owner who is outside the intended control sphere (CVE-2021-3085), and sensitive data exposed to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS v3 base score of 6.2 out of 10.

The vulnerabilities were identified by Secureworks Adversary Group consultant, Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited.

The mitigations include only operating the Philips MRI machines within authorized specifications, ensuring physical and logical controls are implemented. Only authorized personnel should be allowed to access the vicinity where the MRI machines are located, and all instructions for using the machines provided by Philips should be followed.

Philips has not received any reports of the vulnerabilities being exploited, nor have there been any reports of incidents from the clinical use of the product in relation to the three vulnerabilities.


High Severity Vulnerabilities Identified in Philips Tasy EMR

Two high severity vulnerabilities have been identified in the Philips Tasy EMR that could allow sensitive patient data to be extracted from the database. The vulnerabilities can be exploited remotely, there is a low attack complexity, and exploits for the vulnerabilities are in the public domain.

Philips says the vulnerabilities affect Tasy EMR HTML5 3.06.1803 and prior versions, with the affected products used primarily in South and Central America. The vulnerabilities were identified and publicly disclosed by a security researcher who did not follow responsible disclosure protocols and failed to coordinate with Philips.

The two flaws are both SQL injection vulnerabilities that have been assigned a CVSS v3 severity score of 8.8 out of 10. Both are due to improper neutralization of special elements in SQL commands.

The first flaw, tracked as CVE-2021-39375, allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. The second, tracked as CVE-2021-39376, allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
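
Both flaws are the classic string-built query, where a request parameter such as FilterValue is pasted into the SQL text instead of being bound as data. The block below is an added example, not Tasy EMR code: it uses a constructed in-memory SQLite table and hypothetical function names to show the vulnerable shape next to the parameterized fix and an input allow-list as defence in depth.

```python
import sqlite3


def make_sample_db():
    """Constructed in-memory 'dimension item' lookup table; not Tasy's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dimension_item (code TEXT, label TEXT, restricted INTEGER)")
    db.executemany(
        "INSERT INTO dimension_item VALUES (?, ?, ?)",
        [("LAB", "Haematology", 0), ("LAB", "Biochemistry", 0),
         ("RAD", "MRI", 0), ("HR", "Staff salaries", 1)],
    )
    return db


def get_items_by_code_vulnerable(db, filter_value):
    """CWE-89 as described for CVE-2021-39375: the request parameter is concatenated
    into the statement, so quote characters in FilterValue change the query's structure.
    Kept deliberately vulnerable for comparison; do not use this shape."""
    sql = "SELECT code, label FROM dimension_item WHERE code = '" + filter_value + "'"
    return db.execute(sql).fetchall()


def get_items_by_code_safe(db, filter_value):
    """Fix: bind the value as a parameter. The driver passes it as data, never as SQL,
    so the input can only ever match a code literally equal to it."""
    sql = "SELECT code, label FROM dimension_item WHERE code = ?"
    return db.execute(sql, (filter_value,)).fetchall()


def is_valid_code(filter_value):
    """Defence in depth: an allow-list on the expected shape of a dimension code
    (short, alphanumeric) applied before the query is built."""
    return isinstance(filter_value, str) and filter_value.isalnum() and len(filter_value) <= 8


def get_items_by_code_validated(db, filter_value):
    """Validate first, then use the parameterized query."""
    if not is_valid_code(filter_value):
        raise ValueError("FilterValue must be a short alphanumeric code")
    return get_items_by_code_safe(db, filter_value)


if __name__ == "__main__":
    db = make_sample_db()
    benign = "LAB"
    hostile = "' OR '1'='1"  # constructed: closes the quote and appends a tautology
    print("vulnerable, benign :", get_items_by_code_vulnerable(db, benign))
    print("vulnerable, hostile:", get_items_by_code_vulnerable(db, hostile))  # every row
    print("safe, hostile      :", get_items_by_code_safe(db, hostile))        # no rows
    print("validated, hostile :", is_valid_code(hostile))                     # False
```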

By exploiting the flaws, a remote attacker could expose patient data, extract information from the database, or trigger a denial-of-service condition.

Philips says it reported the vulnerabilities to CISA and has fixed both vulnerabilities in Tasy EMR HTML5 Version 3.06.1804. All healthcare providers using a vulnerable version of the EMR system should update to version 3.06.1804 or later as soon as possible to prevent exploitation. Prior to upgrading to the latest version, CISA recommends performing an impact analysis and risk assessment.
