Healthcare Technology Vendor News

Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station.

Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk.

The flaws require a high level of skill to exploit in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would impact clinical. Philips does not believe the flaws are being actively exploited.

The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely login via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an executable file from a remote location without performing checks to verify the origin and integrity of the code. The flaws have each been assigned a CVSS v3 base score of 6.4 out of 10.

The following Philips products are affected:

  • IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
    • WLAN Version A, Firmware A.03.09
  • IntelliVue MP monitors MP5/5SC (M8105A/5AS)
    • WLAN Version A, Firmware A.03.09, Part #: M8096-67501
  • IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)
  • IntelliVue MP monitors MX800/700/600 ((865240/41/42)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)

WLAN Version B is obsolete and will not be patched. Philips has advised customers to update to the WLAN Module Version C wireless module if they are using any of the patient monitors affected by the flaws. WLAN Version C with current firmware of B.00.31 is not affected by either vulnerability. Mitigating controls include the use of authentication and authorization via WPA2, implementing a firewall rule on the wireless network, and ensuring physical controls are implemented to restrict access to the system.

The flaw in WLAN Version A will be addressed with a patch which Philips plans to release via Incenter by the end of 2019.

The post Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors appeared first on HIPAA Journal.

TitanHQ Announces Fall 2019 Schedule of Roadshow Events

TitanHQ, the leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs), has announced its fall 2019 schedule of roadshows, trade shows, and conferences.

These industry events bring together managed service providers (MSPs) Managed Security Service Providers (MSSPs) and IT professionals from around the globe to discuss the latest IT trends and technologies, obtain invaluable advice, and learn best practices to improve efficiency, security, and boost profitability.

The TitanHQ team will be attending key MSP events this fall to discuss email security and web security with MSPs. The team will explain to attendees how SpamTitan and WebTitan can lower costs by reducing the time support staff spend resolving malware infections and phishing attacks, along with the key features of the solutions that make them such a popular choice with MSPs.

This week will see the team attend the DattoCon Dublin event on September 17 followed by the Managed Services & Hosting (MSH) Summit in London on September 18, followed by a packed schedule of events throughout October.

If you are a MSP or IT professional looking to improve email and web security, are unhappy with your current service provider, or have yet to implement a web filtering, spam filtering, or email archiving service, be sure to come and meet the TitanHQ team at one of the following fall 2019 events.

Date Event Location
September 17, 2019 Datto Dublin The Alex Hotel, Dublin, Ireland
September 18, 2019 MSH Summit 155 Bishopsgate, London, UK
October 6-10, 2019 Gitex Dubai World Trade Centre, Dubai, UAE
October 7-8, 2019 CompTIA EMEA Show Park Plaza Westminster Bridge,

London, UK

October 16-17, 2019 Canalys Cybersecurity Forum SOFIA Barcelona, Spain
October 21-23, 2019 DattoCon Paris Palais des Congrès de Paris, Paris, France
October 30, 2019 MSH Summit North Hilton Hotel, Manchester, UK
October 30, 2019 IT Nation Evolve (HTG 4) Hyatt Regency, Orlando, Florida, USA
October 30, 2019 IT Nation Connect Hyatt Regency, Orlando, Florida, USA
November 5-7, 2019 Kaseya Connect NH Collection Amsterdam Gran Hotel Krasnapolsky, Amsterdam, Netherlands

If you are unable to attend any of the roadshows and conferences below, you can contact TitanHQ by telephone or email to discuss your options, book a product demonstration, and sign up for a no-obligation free trial of all TitanHQ solutions.

The post TitanHQ Announces Fall 2019 Schedule of Roadshow Events appeared first on HIPAA Journal.

Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS V3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v 1.6.1.1, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers have been recommended to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.

The post Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets appeared first on HIPAA Journal.

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”

The post 82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices appeared first on HIPAA Journal.

Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems

A vulnerability has been discovered in Philips HDI 4000 Ultrasound systems which could be exploited to gain access to ultrasound images. In addition to stealing data, an attacker could doctor ultrasound images to prevent diagnosis of a potentially life-threatening health condition.

Philips HDI 4000 Ultrasound systems are based on legacy operating systems such as Windows 2000 which are no longer supported. Any vulnerability in the operating system could be exploited to gain access to the system and patient data.

One such vulnerability – CVE-2019-10988 – was detected by security researchers at Check Point, who reported the problem to Philips. US-CERT has recently issued an advisory about the vulnerability.

Philips HDI 4000 Ultrasound systems reached end of life in December 2013 and are no longer sold, updated, or supported by Philips, yet many healthcare organizations continue to use the systems even through they are vulnerable to attack. US-CERT warns that multiple exploits are already in the public domain and could be used to gain access to the systems.

Since the devices are no longer supported, Philips will not be issuing an update or patch to correct the flaw. Until the systems can be retired and replaced, defensive measures should be taken to reduce the risk of the flaws being exploited.

The DHS Cybersecurity Infrastructure Security Agency (CISA) recommends users of Philips HDI 4000 Ultrasound systems should restrict system access to authorized individuals and apply the rule of least privilege. All accounts and services that are not 100% necessary should be disabled, and defense in depth strategies should be adopted.

It is strongly advisable to replace these aging systems with newer technology that runs on supported operating systems.

According to US-CERT, the vulnerabilities require a relatively high level of skill to exploit and an attacker would need access to the same local subnet as the device, hence the CVSS v3 base score of 3.0 out of 10.

The post Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems appeared first on HIPAA Journal.

Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices

A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.

The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.

The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.

Change Healthcare has issued an advisory for users of the following cardiology devices:

  • Horizon Cardiology 11.x and earlier
  • Horizon Cardiology 12.x
  • McKesson Cardiology 13.x
  • McKesson Cardiology 14. x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has developed a patch to correct the vulnerability. All users of the above affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:

  • Minimize network exposure for control system devices and/or systems.
  • Locate medical devices behind firewalls
  • Isolate medical devices as far as is possible
  • Implement safeguards that restrict access to medical devices to authorized personnel
  • Apply the principle of least privilege to access controls.
  • Apply defense-in-depth strategies
  • Disable unnecessary accounts, protocols and services.

Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.

The post Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices appeared first on HIPAA Journal.

CTI Technology Confirmed as HIPAA Compliant

CTI Technology, an Elgin, IL-based managed IT service provider, has demonstrated compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules using Compliancy Group’s proprietary HIPAA methodology and compliance tracking solution, The Guard.

Any company that provides a product or service to healthcare organizations that requires access to systems containing protected health information (PHI) is classed as a HIPAA business associate. Following the introduction of the HIPAA Omnibus Final Rule, all business associates of HIPAA-covered entities must comply with HIPAA Rules or face stiff financial penalties for noncompliance.

CTI Technology believes compliance with HIPAA Rules is essential for protecting patient privacy, improving data security, and reducing fraudulent activity. The company educates its clients on the measures required to ensure compliance with the HIPAA Security Rule and how, through compliance, cyberattacks can be thwarted and regulatory fines avoided.

CTI Technology has recently completed Compliancy Group’s 6-stage risk analysis and remediation program and has demonstrated compliance with the regulatory standards of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, HIPAA Omnibus Rule, and HITECH Act.

After completing the program and demonstrating HIPAA compliance, the company was awarded Compliancy Group’s “HIPAA Seal of Compliance”. CTI Technology is one of the only tech companies in the North-western region of Chicago to ensure that all employees have received the required training and are fully aware of their responsibilities under HIPAA and the importance of the privacy and security standards and implementation specifications of HIPAA.

The HIPAA Seal of Compliance helps CTI Technology differentiate its services from its competitors and demonstrate to prospective healthcare clients that the company is fully complaint with HIPAA regulations.

The post CTI Technology Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

IT Service Provider Choose Networks Achieves HIPAA Compliance with Compliancy Group

The Wichita, KS-based IT service provider, Choose Networks, has achieved HIPAA compliance with Compliancy Group.

Choose Networks was established in 2001 to provide small to medium sized businesses with enterprise-grade IT support. The company now employs over 35 people and provides IT support services to a wide range of companies, including many in the healthcare industry.

As an IT service provider, Choose Networks requires access to systems containing protected health information. As such, the company is considered a HIPAA business associate and is required to comply with HIPAA Rules.

In order to ensure that all requirements of HIPAA have been met and to demonstrate the company follows the same policies, procedures, and administrative practices as its healthcare clients, Choose Networks partnered with Compliancy Group and completed its 6-Stage HIPAA risk analysis and remediation process.

“Choose Networks delivers an excellent customer experience, and this doesn’t stop with technical guidance and support. It is paramount to do everything it takes to protect our customers,” said Lindsay Smith, Vigilance Coordinator at Choose Networks. “For this reason, we requested assistance from Compliancy Group to audit our business to ensure we understand and are upholding HIPAA compliancy regulations.”

Using Compliancy Group’s proprietary HIPAA methodology and its compliance software, The Guard, Choose Networks demonstrated compliance with all aspects of HIPAA Rules and has been awarded Compliancy Group’s HIPAA Seal of Compliance.

The Seal of Compliance confirms Choose Networks has met its requirements and has implemented an ongoing program to ensure continued compliance with the HIPAA Privacy, Security, Breach Notification Rules and the HITECH Act.

The company is using Compliancy Group’s Seal of Compliance to differentiate its services from the competition and demonstrate to prospective clients that the company is fully committed to HIPAA compliance.

The post IT Service Provider Choose Networks Achieves HIPAA Compliance with Compliancy Group appeared first on HIPAA Journal.

Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant

The Cleveland, OH-based technology solution provider, Direct Connect Computer Systems, Inc., has demonstrated the company is fully compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Companies that provide technology solutions and services to healthcare clients that require contact with electronic protected health information (ePHI) are classed as ‘business associates’ under HIPAA.

Business associates of HIPAA covered entities must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules, and must ensure the confidentiality, integrity, and availability of ePHI at all times. Business associates face substantial fines if they are discovered not to be compliant with HIPAA Rules.

In order to start providing products and services to healthcare organizations, companies must be able to provide reasonable assurances that they are fully compliant with HIPAA Rules. To help provide those assurances and demonstrate the company’s commitment to privacy and security, Direct Connect Computer Systems, Inc., partnered with Compliancy Group and completed its Six Stage Risk Analysis and remediation process.

Using Compliancy Group’s proprietary software, The Guard, and assisted by Compliancy Group Compliance Coaches, Direct Connect Computer Systems successfully completed the program and was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance recognizes Direct Connect’s good faith efforts to comply with all HIPAA and HITECH Act requirements and confirms the company has met its regulatory obligations as a HIPAA business associate.

The post Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant appeared first on HIPAA Journal.