Healthcare Technology Vendor News

Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin for the management of diabetes and are supplied with an optional remote controller that communicates wirelessly with the pump. A security researcher has identified a cybersecurity vulnerability in older models of the remote controller, which use previous-generation technology, that could potentially be exploited to cause harm to pump users.

The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery could result in diabetic ketoacidosis and even death.
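To make the record-and-replay weakness concrete, here is an added illustration (constructed for this article, not Medtronic's protocol or code) of a toy pump command channel: a legacy frame carrying only an opcode and argument is accepted a second time when the captured bytes are played back, while a frame format that binds each command to a strictly increasing counter and an HMAC tag under a pairing key rejects the same replay and any tampered copy. The opcodes, frame layout and pairing key are all assumptions.

```python
import hashlib
import hmac
import struct

# Constructed illustration only: a toy pump command channel, not Medtronic's
# MiniMed protocol. Opcodes, frame layout and the pairing key are all assumed.
OP_BOLUS = 0x01    # deliver <arg> units of insulin
OP_SUSPEND = 0x02  # stop insulin delivery


def legacy_frame(opcode, arg):
    """Legacy frame: opcode + argument and nothing else. Nothing ties the frame
    to a moment in time or to a paired remote, so a recorded frame is
    indistinguishable from a fresh one when it is played back."""
    return struct.pack(">BH", opcode, arg)


class LegacyPump:
    """Accepts every well-formed frame: the property a record-and-replay
    attack relies on."""

    def __init__(self):
        self.log = []

    def receive(self, frame):
        opcode, arg = struct.unpack(">BH", frame)
        self.log.append((opcode, arg))
        return True


def paired_frame(key, counter, opcode, arg):
    """Hardened frame: counter | opcode | argument, followed by a truncated
    HMAC-SHA256 tag under a key shared at pairing time (assumed)."""
    body = struct.pack(">IBH", counter, opcode, arg)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class HardenedPump:
    """Rejects frames whose tag does not verify (tampered or forged) and frames
    whose counter is not strictly greater than the last accepted one (replayed
    or reordered)."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.log = []

    def receive(self, frame):
        if len(frame) != 15:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # check the tag before trusting any field
        counter, opcode, arg = struct.unpack(">IBH", body)
        if counter <= self.last_counter:
            return False  # a recorded frame replayed verbatim lands here
        self.last_counter = counter
        self.log.append((opcode, arg))
        return True


def demo():
    """Send one legitimate bolus on each channel, then play the captured
    bytes back and try a tampered copy; returns what each pump accepted."""
    legacy = LegacyPump()
    captured = legacy_frame(OP_BOLUS, 5)
    legacy.receive(captured)
    legacy_replay = legacy.receive(captured)  # identical bytes, second dose

    key = b"constructed-pairing-key"
    pump = HardenedPump(key)
    fresh = paired_frame(key, 1, OP_BOLUS, 5)
    pump.receive(fresh)
    hardened_replay = pump.receive(fresh)  # same bytes: counter not advanced
    tampered = bytearray(paired_frame(key, 2, OP_BOLUS, 5))
    tampered[6] ^= 0x40  # alter the dose field without the key: tag fails
    tampered_ok = pump.receive(bytes(tampered))
    next_ok = pump.receive(paired_frame(key, 2, OP_SUSPEND, 0))
    return {
        "legacy_replay_accepted": legacy_replay,
        "legacy_doses": len(legacy.log),
        "hardened_replay_accepted": hardened_replay,
        "tampered_accepted": tampered_ok,
        "next_accepted": next_ok,
        "hardened_log": pump.log,
    }
```

The legacy pump logs two doses from a single genuine command, which is exactly the over-delivery the FDA warning describes; the hardened pump accepts only the two distinct, authenticated commands.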

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity vulnerabilities had previously been identified in the pumps that could not be adequately mitigated through updates or patches.

The latest security issue has seen Medtronic expand the product recall to include all MiniMed Remote Controllers (models MMT-500 and MMT-503), which are used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not been manufacturing or distributing the affected remote controllers since July 2018, but the devices are still used by certain patients, healthcare providers, and caregivers.

This is a Class 1 product recall – the most serious category – as the issues with the remote controllers could result in serious injury or death. The FDA says there have been no reported cases of the vulnerabilities in the devices being exploited to cause harm to patients.

The FDA says users should immediately stop using the affected remote controller, turn off the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.

The post Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability appeared first on HIPAA Journal.

KLAS Research: Clinical Communication Platforms Improve Efficiency in Healthcare

The recently published 2021 KLAS Clinical Communication Platform Report has confirmed clinical communication platforms improve efficiency in healthcare, streamline communication across most areas of hospitals, and lead to concrete outcomes, with improvements to clinical communication the biggest benefit.

KLAS Research is a Utah-based company that provides data and insights into health information technology (HIT) to help healthcare organizations identify HIT solutions that will provide important benefits and a good ROI. KLAS collects data on HIT solutions, including from healthcare industry reports, websites, and feedback from healthcare professionals who use HIT in the workplace. KLAS analyzes the data, identifies key trends and insights, and produces reports on the findings of its research. The researchers also work with leadership teams at vendors to help them improve their HIT solutions based on user feedback and deliver better outcomes.

For its latest Clinical Communication Platform Report, KLAS researchers profiled some of the most innovative and cutting-edge vendors in the field, whose solutions are delivering invaluable benefits in healthcare, and surveyed users of clinical communication platforms for their feedback on the solutions they have adopted.

TigerConnect, the leading clinical communication platform provider in the United States, was recognized as having the largest base of acute care customers and for the value its clinical communication platform delivered. Feedback from healthcare professionals who use the platform confirmed it has led to improved efficiency for clinical support staff and improved nurse satisfaction and patient satisfaction and care through timely, efficient communication.

The top outcomes healthcare delivery organizations have achieved by implementing the TigerConnect platform are improved clinician response times, increased transparency into patient teams and schedules, and increased clinician workflow satisfaction with fewer call interruptions and much easier access to communication. TigerConnect customers confirmed the solution has helped improve patient team collaboration in terms of patient transport, bed management and environmental services, increased access to and the secure sharing of patient data, more efficient clinics and outpatient care, and a reduction in readmissions, fewer errors, and a faster crash team response.

“Our administration uses TigerConnect’s solution. If people ask for TigerConnect accounts, we can give them accounts. I don’t know how we would have been able to get through the COVID-19 pandemic without this solution,” said one TigerConnect user.

The solution was highly praised for ease of use coupled with enterprise contracting, which allows simple rollouts by many different user groups to achieve organization-wide efficient communication.

“One outcome that we have achieved with TigerConnect’s solution has been improved communication between our nurses, providers and administration. We can just text someone in administration rather than having to know their personal phone number,” said one TigerConnect user. “The value of adding two-way asynchronous communication in our clinical areas has been huge. They can always put themselves on ‘do not disturb’ if they don’t want people to text them. When nurses or providers are actively engaged with patients, they can get the information they need with the system, and then return that information.”

This year has seen TigerConnect roll out significant feature enhancements based on customer feedback, and the company has also made key acquisitions of on-call physician scheduling and advanced middleware solutions, deepening the capabilities of its platform considerably.

“2021 has proven a tipping point as healthcare systems evolve their requirements from secure messaging to the most contextual, advanced clinical collaboration experiences. Clinicians are demanding an all-in-one mobile collaboration experience that helps them raise the standard of care and improve patient outcomes,” said Will O’Connor, MD, TigerConnect Chief Medical Information Officer. “The KLAS report validates TigerConnect in our vision to make hospitals and care delivery more agile.”


Horizon Information Systems, Inc. Achieves HIPAA Compliance with Compliancy Group

Horizon Information Systems, Inc, a Johnstown, PA-based developer of software solutions for human service and community action agencies, has achieved compliance with the standards of the Health Insurance Portability and Accountability Act (HIPAA) with Compliancy Group.

The human services software solution developed by Horizon Information Systems comes into contact with protected health information, so the company is classed as a business associate and is required to comply with certain provisions of the HIPAA Rules.

“Our software is built to handle sensitive data belonging to real people and reputable organizations that we want to ensure are adequately protected. As technology advances, so do our efforts to safeguard all personal and health information,” said Horizon Information Systems.

To ensure the company is fully compliant with all appropriate aspects of the HIPAA Rules, Horizon Information Systems partnered with Compliancy Group. Horizon Information Systems used Compliancy Group’s proprietary HIPAA methodology and tracked its progress toward compliance using Compliancy Group’s compliance tracking software, The Guard.

After completing Compliancy Group’s Six Stage HIPAA Implementation Program, Compliancy Group’s HIPAA subject matter experts and Compliance Coaches assessed Horizon Information Systems’ good faith effort toward HIPAA compliance and confirmed the company had implemented an effective HIPAA compliance program.

After demonstrating compliance with the necessary regulatory standards of the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules and the HITECH Act, the company was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to current and future customers that a company is committed to ensuring the privacy and security of protected health information and has taken the necessary steps to ensure HIPAA compliance.

“Maintaining the HIPAA Seal of Compliance is a top priority at Horizon Information Systems, Inc. Horizon Information Systems, Inc. will be vigilant with the protection of sensitive and personal health information. Horizon believes in purposeful training that not only highlights how to remain compliant, but also teaches why we need to protect the data our software is designed to manage,” explained Horizon Information Systems. “Horizon offers an array of programs in the industries of Housing, Human Services, and Business Operations. Horizon employees are trained to respect the sensitivity of the data stored in these programs, and they are extensively educated in best practice methods of protecting our users and ourselves from any potential threats.”


CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software.

The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive nation state hacking group that created a Trojanized version of the Orion software, which has been used to deploy a backdoor, dubbed SUNBURST, into customers’ systems.

The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies.

SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign was first detected by the cybersecurity company FireEye, which was also attacked as part of this campaign.

The attacks started in spring 2020 when the first malicious versions of the Orion software were introduced. The hackers are believed to have been present in compromised networks since then. The malware is evasive, which is why it has taken so long to detect the threat. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” according to FireEye. Once the backdoor has been installed, the attackers move laterally and steal data.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state,” said Kevin Thompson, SolarWinds President and CEO.

The hackers gained access to SolarWinds’ software development environment and inserted the backdoor code into its library in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released between March 2020 and June 2020.

CISA issued an Emergency Directive ordering all federal civilian agencies to take immediate action to block any attack in progress by immediately disconnecting or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. The agencies have also been prohibited from “(re)joining the Windows host OS to the enterprise domain.”

All customers have been advised to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A second hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security enhancements.

If it is not possible to immediately upgrade, guidelines have been released by SolarWinds for securing the Orion Platform. Organizations should also scan for signs of compromise. The signatures of the backdoor are being added to antivirus engines, and Microsoft has confirmed that all its antivirus products now detect the backdoor and users have been advised to run a full scan.

SolarWinds is working closely with FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the attacks. SolarWinds is also working with Microsoft to remove an attack vector that leads to the compromise of targets’ Microsoft Office 365 productivity tools.

It is currently unclear which group is responsible for the attack, although the Washington Post claims to have spoken to sources who confirmed the attack was the work of the Russian nation state hacking group APT29 (Cozy Bear). A spokesperson for the Kremlin said Russia had nothing to do with the attacks, stating “Russia does not conduct offensive operations in the cyber domain.”


Atlantic.Net Back-Office Upgrade Greatly Improves Efficiency and Overall Customer Service

Atlantic.Net has announced major behind-the-scenes improvements that greatly improve efficiency, ensure more precise billing, and will help the company deliver better overall customer service.

The Orlando, FL-based HIPAA-compliant hosting provider has implemented the Ubersmith business management software suite. The new back-office software suite has allowed more than 50 different subscription, billing, device management and customer support systems to be combined into a single system. Business processes that previously took 7-14 days can now be completed in a single day.

Streamlining internal processes will ensure customer support issues can be dealt with much more rapidly. The new system has allowed Atlantic.Net to halve the resolution time for support issues and achieve a 55% improvement in billing for customers’ overall usage. Staff now only need to be trained on one system, rather than dozens of different systems, which will save countless hours and help to streamline resources. The elimination of redundant systems and improvement in operational efficiency will have a net positive impact on revenue growth.

The Ubersmith system is an easily customizable, integrated software suite that handles subscription billing, order management, infrastructure management, and ticketing. The modular software suite is highly flexible and can be extended and integrated with software used by other aspects of the business through the Ubersmith-supplied API and software development kit.

“We make extensive use of Ubersmith APIs to integrate with other systems that we use for payments, accounting, domain registration, security certificates and more,” said Marty Puranik, Founder and CEO, Atlantic.Net. Ubersmith is currently working on adding support for Salesforce, which will allow Atlantic.Net to tie its sales and prospecting activities into the same system, including customer quotes.

The deep integration of the Ubersmith software will help Atlantic.Net achieve high levels of operational efficiency and employee productivity, and deliver much higher levels of customer service.

“Atlantic.Net has done an impressive job at leveraging the capabilities we provide in Ubersmith’s business management, infrastructure and operations software,” said Kurt Daniel, CEO of Ubersmith. “We’re pleased to be an important partner for their business as they continue to grow and expand in the cloud services and hosting arenas.”


Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.
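The unsigned-firmware race described above belongs to the verify-then-use (time-of-check/time-of-use) class of bugs. The following added example is a constructed illustration of that class, not Medtronic's code, and the advisory does not describe the MCL update path: it contrasts an installer that verifies a file on disk and then re-reads the path with one that verifies and installs the same in-memory bytes. An HMAC under a constructed vendor key stands in for the firmware signature so the example runs offline.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed illustration of a verify-then-use race in a firmware installer.
# Not Medtronic's code: the advisory does not describe the MCL update path.
# An HMAC under a constructed vendor key stands in for the firmware signature
# so the example runs offline without a key pair.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(blob):
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).digest()


def verify(blob, sig):
    return hmac.compare_digest(sign(blob), sig)


def install_racy(path, sig, between_check_and_use=None):
    """Vulnerable: verifies the bytes on disk, then re-reads the path to
    install. Whatever is in the file after the check is what gets executed,
    so a write that lands in the gap installs unsigned code."""
    with open(path, "rb") as f:
        if not verify(f.read(), sig):
            raise ValueError("signature check failed")
    if between_check_and_use:  # stands in for the file changing in the gap
        between_check_and_use()
    with open(path, "rb") as f:
        return f.read()  # bytes handed to the execution stage


def install_safe(path, sig, between_check_and_use=None):
    """Hardened: read once, verify those exact bytes, install those exact
    bytes. Later changes to the file cannot reach the execution stage."""
    with open(path, "rb") as f:
        blob = f.read()
    if not verify(blob, sig):
        raise ValueError("signature check failed")
    if between_check_and_use:
        between_check_and_use()
    return blob


def race_demo():
    """Stage a signed image, overwrite it between check and use, and report
    which installer executed which bytes (constructed images)."""
    signed = b"FW-1.0 constructed signed image"
    unsigned = b"FW-X constructed unsigned image"
    sig = sign(signed)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.bin")

        def write(blob):
            with open(path, "wb") as f:
                f.write(blob)

        write(signed)
        racy_result = install_racy(path, sig, lambda: write(unsigned))
        write(signed)
        safe_result = install_safe(path, sig, lambda: write(unsigned))
        write(signed)
        try:
            install_safe(path, sign(unsigned))  # signature over other bytes
            bad_sig_rejected = False
        except ValueError:
            bad_sig_rejected = True
    return {
        "racy_installed_unsigned": racy_result == unsigned,
        "safe_installed_signed": safe_result == signed,
        "bad_sig_rejected": bad_sig_rejected,
    }
```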

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic, which has now released a firmware update to fix the vulnerabilities. The firmware update can be applied by updating the MyCareLink Smart app via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, in order for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.


Webinar Today: How HIPAA-Compliant Messaging Transforms Healthcare

Data show that 70% of delays in providing treatment to patients are due to miscommunication, so resolving the problems that result in miscommunication in healthcare is key to improving quality of care, clinical outcomes, and the patient experience.

One of the biggest contributory factors to miscommunication is the use of outdated communications systems, which has long been a problem in healthcare. Fortunately, there is a solution that has been shown to greatly improve communication efficiency and reduce the potential for errors and miscommunication – a secure texting platform.

To find out more about secure, HIPAA-compliant messaging and how it can make care teams immediately more efficient and effective, we invite you to join this upcoming webinar.

During the webinar you will discover how this single change can lead to major improvements in collaboration, save valuable time, decrease costs, and lead to happier staff and patients.

The webinar is being hosted by TigerConnect, the leading secure healthcare messaging provider, and will take place on Wednesday, December 9 at 10 a.m. PT / 1 p.m. ET.

Webinar Details:

How HIPAA-Compliant Messaging Transforms Healthcare

Date/Time: Wednesday, December 9 – 10 a.m. PT / 12 p.m. CT / 1 p.m. ET

Hosted by:
Julie Grenuk, Nurse Executive, TigerConnect
Tommy Wright, Director of Product Marketing, TigerConnect



Vulnerability Identified in BD Alaris Infusion Products

A high severity vulnerability has been identified in the BD Alaris PC Unit that could be exploited in a denial of service attack, causing the unit to drop its wireless capability.

The vulnerability was identified by Medigate and was reported to BD. BD subsequently reported the flaw under its responsible disclosure policy and has provided mitigations and compensating controls to help users manage the risks associated with the flaw until an updated version of BD Alaris PC Unit software is released.

The flaw affects the following BD products:

  • BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier
  • BD Alaris Systems Manager, Versions 4.33 and earlier

The issue is due to improper authentication between vulnerable versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. While the vulnerability can be exploited remotely, an attacker would need to first gain access to the network associated with the vulnerable devices, which limits the potential for exploitation.

Once access to the network is gained, an attacker could redirect the BD Alaris PC Unit’s authentication requests using custom code and complete an authentication handshake based on information extracted from the authentication requests.

Such an attack would not stop the Alaris PC Unit from functioning as programmed; however, network services would no longer be available, such as pre-populating the Alaris PC Unit with infusion parameters through EMR Interoperability or performing wireless updates of Alaris System Guardrails (DERS). An attacker would not be able to gain the necessary permissions to remotely program commands, and protected health information could not be accessed as it is encrypted. In a successful attack, the operator of the BD Alaris PC Unit would have to manually program the pump, download data logs, or activate the new data set.

BD has already performed server upgrades which correct the vulnerability in many Systems Manager installations, with the flaw addressed in BD Alaris Systems Manager versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2. The vulnerability will be corrected in the upcoming new version of BD Alaris PC Unit software.

Users can reduce the potential for exploitation by enabling the firewall on the Systems Manager server image and implementing rules that restrict inbound and outbound ports and services.

“If a firewall is integrated between the server network segment and its wireless network segments, implement a firewall rule with an access control list (ACL) that restricts access to the wireless network segment via the specific MAC address of the wireless card on the pump. This would restrict access to the wireless segment to only authorized devices and not allow other devices to connect and authenticate to the segment,” explained BD in its security bulletin.

Since BD Alaris Systems Manager is a critical service, it should ideally operate on a secure network protected by a firewall. Unnecessary accounts, protocols and services should be disabled.


FTC Settlement with Zoom Resolves Allegations of Cybersecurity Failures and Deceptive Security Practices

The U.S. Federal Trade Commission has reached a settlement with Zoom to resolve allegations that the teleconferencing platform provider misled its customers about the level of encryption used and had failed to implement appropriate cybersecurity protections for its users.

During the pandemic, use of the Zoom platform skyrocketed, with business users and consumers adopting the platform in the millions. The platform was used by consumers to maintain contact with friends and family, while remote workers used the platform to communicate with the office and collaborate while working from home. The platform proved to be extremely popular in healthcare for providing telehealth services and in education for communicating with students.

Zoom reported in its second quarter earnings call that it had seen 400% growth in corporate clients with more than 10 employees and that around 300 million meetings were taking place each day. The massive increase in popularity attracted the attention of security researchers, who discovered multiple security vulnerabilities in the platform.

One of the main issues concerned encryption. Zoom stated on its website that the platform offered end-to-end encryption when this was not the case: meetings were encrypted, but Zoom was able to access customer data. The company also stated that AES 256 encryption was used, when encryption was only AES 128, and that recorded meetings were immediately encrypted prior to storage.

Other cybersecurity issues included a Zoom software update that circumvented a browser security feature and a lack of security protections which allowed uninvited individuals to join meetings – termed Zoombombing. The company was also discovered to be sharing email addresses, photos, and users’ names with Facebook, albeit unwittingly.

The investigation by the FTC revealed Zoom had “engaged in a series of deceptive and unfair practices that undermined the security of its users.” A settlement was reached with the firm that requires the company to implement and maintain a comprehensive security program within 60 days.

The 17-page agreement details the steps that Zoom must take to ensure the security of its platform. They include conducting annual assessments on potential internal and external security risks and developing and implementing safeguards to reduce those risks to a low and acceptable level.

Additional safeguards must be implemented to protect against unauthorized access to its network, multi-factor authentication must be implemented, steps must be taken to prevent the compromise of user credentials, and data deletion controls must be implemented. Zoom is required to review all software updates to identify potential security flaws prior to rollout and must ensure that any new features or security measures do not interfere with third party security features. The company must also implement a vulnerability management program.

Zoom has been prohibited from misrepresenting the security features of its platform to users, the categories of data accessed by third parties, and how data privacy and security are maintained.

Zoom must undergo a third-party audit by an independent security firm to ensure the company is complying with all requirements of the agreement and is successfully remediating risks. The agreement will last for 5 years, during which time the FTC will be monitoring Zoom for compliance.

Zoom avoided a financial penalty, but if the company is discovered to have violated the terms of the agreement or federal laws, financial penalties will be applied up to a maximum of $43,280 per violation.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
