Healthcare Technology Vendor News

Survey: Emergency Preparedness and Security Trends in Healthcare

Each year, Rave Mobile Safety conducts a survey to identify healthcare security trends and determine the state of emergency preparedness in the healthcare industry.

For the 2020 Emergency Preparedness and Security Trends in Healthcare report, insight is being sought from leaders in the healthcare community.

Many HIPAA Journal readers have already participated in last year’s survey and have provided information on the measures that have been deployed to improve safety in emergency situations. Their answers will be used to gain an overview of emergency preparedness throughout the United States.

If you have not already participated, you are invited to share your feedback in this anonymous survey (click here).

This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next.

You can participate completely anonymously.

After you complete the survey, you will have the opportunity to enter into a raffle for a $200 gift card from the survey sponsor.

If you provide your email address, you’ll receive the anonymized survey results before they are published as well as entering the raffle.

HIPAA Journal will eventually publish the results of the survey.

Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey. HIPAA Journal has no commercial relationship with the survey sponsor. If your organization is running a survey that is of interest to healthcare professionals, you can contact us with the details.

The post Survey: Emergency Preparedness and Security Trends in Healthcare appeared first on HIPAA Journal.

Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States.

The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device.

The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration.

The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900.

GE Healthcare has confirmed this is not a vulnerability in GE Healthcare device themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no introduction of clinical hazard of direct patient risk.” When the device is in use, changes would not alter the delivery of therapy to a patient and exploitation of the vulnerability would not result in information exposure.

GE Healthcare has provided mitigations to prevent exploitation of the vulnerability. When connecting GE Healthcare anesthesia device serial ports to TCP/IP networks, secure terminal servers should be used and best practices for terminal servers should be followed.

The security features of secure terminal servers include user authentication, strong encryption, network controls, VPN, logging and audit capability, and secure configuration and management options.

Best practices to adopt include governance, management, and secure deployment measures, including the use of VLANS, device isolation, and network segmentation.

The post Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines appeared first on HIPAA Journal.

Consumers Concerned About Medical Device Security

The importance consumers place on the privacy and security of their health information has been explored in a recent nCipher Security survey.

The survey was conducted on 1,300 U.S. consumers and explored attitudes toward online privacy, the sharing of sensitive information, and data breaches.

The survey revealed consumers are more concerned about their financial information being hacked than their health information. 42% of respondents said their biggest cybersecurity concern was their financial information being stolen, compared to 14% whose main concern was the theft of their health data.

Concern about financial losses is understandable. Theft of financial information can have immediate and potentially very serious consequences. Theft of health data may not be viewed to be as important by comparison, but consumers are still concerned about the consequences of a breach of their personal information.

Over one third of consumers said they were worried that hackers would tamper with their data and 44% were concerned about identity theft after a data breach. 22% of consumers said they were concerned that the hacking of a connected device would jeopardize their health.

The survey explored the main privacy and security concerns related to the sharing of personal information. The biggest privacy concerns were providing SSNs or credit card numbers over the phone (46%), online banking (35%) and online shopping (34%). 16% of respondents thought their private information was most vulnerable when downloading health records or using an internet-connected medical device.

An increasing number of people are now using personal devices to track their movements and monitor their health. Only 37% of survey respondents said they do not record health metrics on some kind of internet-connected device.

23% of consumers use smartphones for that purpose, 135 have internet-connected scales, 12% wear fitness trackers, and 10% use an Apple Watch or similar device. 19% of consumers connect to their provider’s website to track and record their health information.

The survey suggests many consumers have strong feelings about medical device security. More than half of respondents (52%) believed the best way to protect personal data on medical devices is encryption. In the event of a cyberattack, personal information would not be put at risk.

35% of consumers said they should be required to validate their devices regularly to better protect privacy and 31% of respondents thought medical devices should be independently certified.  18% are in favor of government-controlled medical devices. 17% of respondents said executives should be fired if personal healthcare data is exposed, including executives at medical device manufacturers.

The post Consumers Concerned About Medical Device Security appeared first on HIPAA Journal.

Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk

The United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA) have issued alerts about cybersecurity flaws in certain Medtronic insulin pumps.

The affected insulin pumps connect with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices using wireless RF. Vulnerabilities have been identified in certain MiniMed 508 and MiniMed Paradigm insulin pumps which could allow an attacker with adjacent access to an affected product to intercept, modify, or interfere with the RF communications to or from the product.

Consequently, it would be possible to read data sent to and from the device, alter the settings of the insulin pump, and take control of insulin delivery. An attack could therefore result in hypoglycemia, diabetic ketoacidosis, or death.

The flaw – CVE-2019-10964 – is due to the communications protocol not properly implementing authentication or authorization and has been assigned a CVSS v3 base score of 7.1 out of 10.

The flaw was uncovered by security researchers Nathanael Paul, Jay Radcliffe, and Barnaby Jack, Billy Rios, Jonathan Butts, and Jesse Young, with assistance provided by Medtronic.

The following devices are vulnerable:

  • MiniMed 508 pump – All versions
  • MiniMed Paradigm (511 pump, 512/712 pumps, 712E pump, 515/715 pumps, 522/722 pumps, 522K/722K pumps.
  • MiniMed 523/723 and 523K/723K pumps – Software versions 2.4A or lower
  • MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower
  • MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower

FDA deputy director of strategic partnerships and technology innovation Suzanne Schwartz said, “The risk of patient harm if such a vulnerability were left unaddressed is significant.” At this stage, no one is known to have exploited the flaw in a real-world attack.

While there are mitigations that can help to reduce the risk of exploitation of the vulnerability, Medtronic has been unable to develop a patch or software update that can correct the flaw. Consequently, the decision was taken to recall all affected insulin pumps and replace them with devices with more robust cybersecurity protections.

Medtronic says there are around 4,000 patients using the vulnerable insulin pumps in the United States. All have been asked to contact their care providers as soon as possible to arrange for their insulin pump to be replaced.

The post Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk appeared first on HIPAA Journal.

Siemens Healthineers Products Vulnerable to Microsoft BlueKeep Wormable Flaw

Six security advisories have been issued covering Siemens Healthineers products. The flaws have been assigned a CVSS v3 score of 9.8 and concern the recently announced Microsoft BlueKeep RDS flaw – CVE-2019-0708.

CVE-2019-0708 is a remotely exploitable flaw that requires no user interaction to exploit. An attacker could exploit the flaw and gain full control of a vulnerable device by sending specially crafted requests to Remote Desktop Services on a vulnerable device via RDP.

The flaw is wormable and can be exploited to spread malware to all vulnerable devices on a network in a similar fashion to the WannaCry attacks of 2017. The severity of the vulnerability prompted Microsoft to issue patches for all vulnerable operating systems, including unsupported Windows versions which are still used in many healthcare and industrial facilities.

The flaw affects Windows 2003, Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. If the patch cannot be applied, RDP should be disabled, port 3389 should be blocked at the firewall, and Network Level Authentication (NLA) should be enabled.

Following Microsoft’s announcement about the RDS flaw and the release of the patches, Siemens conducted an investigation to determine which Siemens Healthineers products were affected. 6 classes of product were found to be vulnerable.

The exploitability of the vulnerability on these products will depend on the specific configuration and deployment environment. The vulnerabilities can generally be addressed by applying the Microsoft patch, although compatibility of the patch with any devices beyond end-of-life cannot be guaranteed.

Customers with vulnerable devices can obtain patch and remediation advice from their local Siemens Healthineers customer service engineer, portal, or Regional Support Center.

Siemens Healthineers Software Products

MagicLinkA, MagicView (100W and 300), Medicalis (Clinical Decision Support, Intelligo, Referral Management, and Workflow Orchestrator), Screening Navigator, Syngo (Dynamics, Imaging, Plaza, Workflow MLR, Worlflow SLR, via, via View&Go, and via WebViewer), and Teamplay.

Users should install the Microsoft patch. Risk can be reduced by ensuring a secure deployment in accordance with Siemens recommendations and ensuring AV software is in use and is regularly updated.

Siemens Healthineers Advanced Therapy Products

System Acom, Sensis and VM SIS Virtual Server

Siemens recommends disabling RDP on Acom systems and following Microsoft’s workarounds and mitigations on Sensis and VM SIS Virtual Server until a patch is made available.

Siemens Healthineers Radiation Oncology Products

All versions of Lantis

Siemens recommends disabling RDP and closing TCP port 3389

Siemens Healthineers Laboratory Diagnostics Products

Most Laboratory Diagnostics products are unaffected by the vulnerability.

Vulnerable products are:

Atellica Solution, Apto by Siemens, Aptio by Inpeco, Streamlab, CentraLink, Syngo Lab Process Manager, Viva E, and Viva Twin. Siemens Healthineers will provide customers with further information on the plan and details of activities to improve security.

For the following products, customers should use Microsoft’s workarounds and mitigations until Siemens makes a patch available on June 3, 2019.

Atellica COAG 360 (Windows 7), Atellica NEPH 630 (Windows 7), BCS XP (XP and Windows 7), BN ProSpec (XP and Windows 7),

The patch is currently under investigation for the following products. Microsoft’s workarounds and mitigations should be used in the interim.

CS 2000 (XP and Windows 7), CS 2100 (XP and Windows 7), CS 2500 (Windows 7), and CS 5100 (XP and Windows 7).

Siemens Healthineers Radiography and Mobile X-Ray Products

All versions of the following products with the Canon detector are vulnerable. Customers should contact their Siemens Regional Support Center for advice and, if possible, should block TCP port 3389.

Axiom (Multix M, Vertic MD Trauma, and Solitaire M), MobileTT XP Digital, Multix (Pro ACSS P, Pro P, PRO/PRO ACSS/PRO Navy, Swing, TOP, Top ACSS, and TOP P/TOP ACSS P), and Vertix Solitaire.

Siemens Healthineers Point of Care Diagnostics Products

AUWi, AUWi Pro, Rapid Point 500 (v2.2, 2.2.1, 2.2.2, 2.3, 2.3.1, and 2.3.2)

No immediate action is required as a patch will be made available in June 2019. In the meantime, Microsoft’s workaround and mitigations can be used for interim countermeasures.

The post Siemens Healthineers Products Vulnerable to Microsoft BlueKeep Wormable Flaw appeared first on HIPAA Journal.

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security incident and event monitoring (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General – PDF.

The post Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering appeared first on HIPAA Journal.

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.

 

You can download the HHS Fact Sheet on direct liability of business associates on this link.

business associate liability for HIPAA violations

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.

 

The post HHS Confirms When HIPAA Fines Can be Issued to Business Associates appeared first on HIPAA Journal.

Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points

Siemens has discovered several high-severity vulnerabilities and one critical vulnerability in the Scalance W1750D direct access point. The vulnerabilities can be exploited remotely and require a low level of skill to exploit.

If exploited, an attacker could gain access to the W1750D device and execute arbitrary code within its underlying operating system, gain access to sensitive information, perform administrative actions on the device, and expose session cookies for an administrative session.

The vulnerabilities are present in all versions prior to 8.4.0.1

CVE-2018-7084 is a critical command injection vulnerability in the web interface that could allow arbitrary system commands to be performed within the underlying operating system. If exploited, files could be copied, the configuration could be read, the device could be rebooted, and files could be written or deleted.  The vulnerability has been assigned a CVSSv3 base score of 9.8 out of 10.

CVE-2019-7083 is a high-severity information exposure vulnerability that could allow an attacker to access core dumps of previously crashed processes via the web interface of the device. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-16417 is a high-severity information exposure vulnerability that could allow an attacker to access recently cached configuration commands by sending a specially crafted URL to the web interface. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-7082 is a high-severity command injection vulnerability that could allow an authenticated administrative user to execute arbitrary commands on the underlying operating system. The vulnerability has been assigned a CVSSv3 base score of 7.2 out of 10.

CVE-2019-7064 is a medium-severity cross-site scripting vulnerability that could allow an attacker to perform administrative actions on a vulnerable device or expose admin session cookies by tricking an administrator into clicking a malicious hyperlink. The vulnerability has been assigned a CVSSv3 base score of 6.4 out of 10.

Siemens has fixed all flaws in version 8.4.0.1 and advises users to upgrade the operating system as soon as possible to correct the flaws.

If the update cannot be applied, the following workarounds will reduce the risk of the vulnerabilities being exploited:

  • Restrict access to the web-based management interface to the internal or VPN network.
  • Do not browse other websites and do not click on external links while being authenticated to the administrative web interface.
  • Apply appropriate strategies for mitigation.

Siemens Sinamics Perfect Harmony GH180 Fieldbus Network Vulnerability

A high-severity vulnerability has been identified in the Siemens Sinamics Perfect Harmony GH180 Fieldbus Network. ). The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

The flaw is present in the follow medium voltage converters

  • Siemens Sinamics Perfect Harmony GH180 with NXG I control and GH180 with NXG II control: MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -: The flaw affects all versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46

The flaw concerns improper input validation and could be exploited to trigger a denial-of-service condition by sending specially crafted packets to the device, causing the device to restart, which would compromise the availability of the affected system. Network access to the device would be required to exploit the vulnerability.

The vulnerability – CVE-2019-6574 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workaround has been suggested:

  • Disable the fieldbus parameter read/write functionality
  • Apply cell protection concept and implement defense in depth

Siemens Sinamics Perfect Harmony GH180 Drives NXG I and NXG II Vulnerability

A high-severity vulnerability has been identified in Siemens Sinamics Perfect Harmony GH180 Drives (NXG I and NXG II). The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

If exploited, an individual with access to the Ethernet Modbus Interface could trigger a denial-of-service condition exceeding the number of available connections and compromise the availability of the affected system.

The vulnerability is present in all versions of GH180 with NXG I control and CH180 with NXG II control (MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -)

The vulnerability – CVE-2019-6578 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workaround has been suggested:

  • Install a protocol bridge that isolates the networks and eliminates direct connections to the Ethernet Modbus Interface.
  • Apply cell protection concept and implement defense in depth.

The post Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points appeared first on HIPAA Journal.

DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations

Body:

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a new analysis report highlighting some of the common risks and vulnerabilities associated with transitioning from on-premise mail services to cloud-based services such as Microsoft Office 365. The report details best practices to adopt to manage risks and prevent user and mailbox compromises.

Many healthcare organizations have realized the benefits of transitioning to cloud-based email services yet lack the in-house expertise to manage their migrations. Many have used third-party service providers to migrate their email services to Office 365. CISA notes that use of third parties to manage Office 365 migrations has led to an increase in security incidents.

Over the past 6 months, CISA has had several engagements with customers who have used third-party service providers to manage their migrations and discovered a range of different Office 365 configurations that lowered organization’s security posture and left them vulnerable to phishing and other cyberattacks.

CISA notes that the majority of those organizations didn’t have a dedicated IT security team that was focused on cloud security and, as a result, vulnerabilities went unnoticed. In some cases, the organization experienced mailbox compromises as a result of the risks and vulnerabilities introduced during Office 365 migrations.

According to the AR19-133A analysis report, some of the most common vulnerabilities that were identified which could easily lead to data breaches are:

The failure to implement multifactor authentication for Global Active Directory (AD) Global Administrators. Despite these accounts having the highest level of privileges at the tenant level, MFA is not enabled by default.

Disabled mailbox auditing – The failure to implement mailbox auditing means actions taken by mailbox owners, delegates, and administrators will not be logged. This will hamper investigations into mailbox activity and potential data breaches. Customers who implemented Office 365 prior to 2019 are required to explicitly enable mailbox auditing.

Enabled password syncing – With this setting enabled, the password from on-premises AD overwrites the password in Azure AD, which means that if a mailbox was compromised prior to migration to Office 365, when the sync occurs, an attacker would be able to move laterally to the cloud.

Authentication not supported by legacy protocols – Office 365 uses Azure AD for authentication with Exchange Online; however, several protocols (e.g. POP3, IMAP, and SMTP) used for authentication with Exchange Online do not support modern authentication mechanisms such as MFA. Without MFA, accounts will only be secured by a password, which will greatly increase the attack surface.

CISA suggests several best practices to adopt to ensure that migrating to Office 365 does not result in the lowering of an organization’s security posture:

  • Implement multi-factor authentication – It is the best mitigation technique to protect against credential theft via phishing attacks
  • Ensure audit logging is configured in the Security and Compliance Center
  • Ensure mailbox auditing is activated for each user
  • Ensure Azure AD is correctly configured prior to migrating users to Office 365
  • Ensure legacy email protocols are disabled or are limited to specific users

The post DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations appeared first on HIPAA Journal.