Healthcare Technology Vendor News

High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products

A high severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password.

The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). Any Active Directory (AD) account provisioned within the application can be entered manually, and access is granted without the associated password having to be provided. That means a remote attacker could access the application under the provided AD account and gain all privileges associated with that account.
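The pattern behind this class of flaw is an application that, once SSO is switched on, treats a name typed by the client as an already-authenticated identity instead of requiring proof from the identity provider. The following is an added illustration, not Hillrom's code and not a description of how the affected products are implemented: the broken login accepts any provisioned account name, while the fixed login accepts only an assertion carrying an HMAC tag that the identity provider (IdP) produced after authenticating the user. The account list, the shared secret and the `user:nonce:tag` assertion format are constructed for the example; a real deployment would use SAML or OpenID Connect assertions with the same trust property.

```python
import hmac
import hashlib
import secrets

# Constructed data: accounts provisioned in the application and a secret
# shared between the application and its (hypothetical) identity provider.
PROVISIONED_ACCOUNTS = {"alice", "bob"}
IDP_SECRET = b"constructed-idp-secret-not-real"


def login_sso_broken(username):
    """Flawed pattern: with SSO enabled, a client-supplied account name is
    treated as an authenticated identity, so no password or IdP proof is
    ever checked. Any provisioned name grants access."""
    return username in PROVISIONED_ACCOUNTS


def idp_issue_assertion(secret, username):
    """Identity-provider side (simplified): after the IdP has authenticated
    the user by its own means, it returns 'user:nonce:tag', where tag is
    an HMAC-SHA256 over 'user:nonce' under the shared secret."""
    nonce = secrets.token_hex(8)
    body = f"{username}:{nonce}".encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body.decode() + ":" + tag


def login_sso_fixed(secret, assertion):
    """Application side: the identity is trusted only if the IdP's tag
    verifies, and the account must still be provisioned locally.
    Returns the authenticated username, or None on any failure."""
    try:
        username, nonce, tag = assertion.split(":")
    except ValueError:
        return None  # malformed: a bare username is not an assertion
    body = f"{username}:{nonce}".encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered assertion
    return username if username in PROVISIONED_ACCOUNTS else None


if __name__ == "__main__":
    print("broken login, name only:", login_sso_broken("alice"))
    good = idp_issue_assertion(IDP_SECRET, "alice")
    print("fixed login, IdP assertion:", login_sso_fixed(IDP_SECRET, good))
    print("fixed login, name only:", login_sso_fixed(IDP_SECRET, "alice"))
```

The interim mitigation in the advisory (disabling SSO) removes the broken path entirely; the fixed handler above shows what the SSO path has to verify before the application can safely trust a username it did not authenticate itself.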

The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10.

According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products:

  • Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
  • Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
  • Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
  • Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
  • Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
  • Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
  • Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1

Hillrom will address this vulnerability in the next software release; however, as an interim measure to prevent the vulnerability from being exploited, users of the affected products should disable the SSO feature in the respective Modality Manager Configuration settings. In addition, customers should ensure they apply proper network and physical security controls and should apply authentication for server access.

The post High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products appeared first on HIPAA Journal.

Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBridge EC 40 and EC 80 Hub

Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data.

The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication.

Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10.

Philips has not yet issued an update to correct the vulnerabilities but expects to fix the flaws by the end of the year. In the meantime, Philips recommends only deploying the products within Philips authorized specifications, and only using Philips-approved software, software configuration, system services, and security configurations. The devices should also be logically or physically isolated from the hospital network.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities have been identified that affect the Philips Patient Information Center iX and Efficia CM series patient monitors. The flaws could be exploited to gain access to patient data and to conduct a denial-of-service attack. While exploitation has a low attack complexity, the flaws could only be exploited via an adjacent network.

The vulnerabilities affect the following Philips products:

  • Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  • Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable versions of the PIC iX do not adequately validate input to determine whether the input has the properties to be processed safely and correctly. The vulnerability is tracked as CVE-2021-43548 and has been assigned a CVSS severity score of 6.5 out of 10.

A hard-coded cryptographic key has been used which means it is possible for encrypted data to be recovered from vulnerable versions of the PIC iX. The flaw is tracked as CVE-2021-43552 and has a CVSS score of 6.1.

A broken or risky cryptographic algorithm means sensitive data may be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tracked as CVE-2021-43550 and has a CVSS score of 5.9.

CVE-2021-43548 has been remediated in PIC iX C.03.06 and updates to fix the other two vulnerabilities are due to be released by the end of 2022.

To reduce the potential for exploitation of the vulnerabilities, the products should only be used in accordance with Philips authorized specifications, which include physically or logically isolating the devices from the hospital local area network, and using a firewall or router that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.

Philips-issued hardware has BitLocker Drive Encryption enabled by default and this should not be disabled. Prior to disposal, NIST SP 800-88 media sanitization guidelines should be followed. Patient information is not included in archives by default, so if archives are exported that contain patient information, the information should be stored securely with strong access controls.


3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions

Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and update files, and export data, including protected health information, to an untrusted environment.

The flaws are insufficient access controls that fail to restrict access by unauthorized individuals (CVE-2021-3083), the assignment of an owner who is outside the intended control sphere (CVE-2021-3085), and the exposure of sensitive data to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS v3 base score of 6.2 out of 10.

The vulnerabilities were identified by Secureworks Adversary Group consultant, Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited.

The mitigations include only operating the Philips MRI machines within authorized specifications, ensuring physical and logical controls are implemented. Only authorized personnel should be allowed to access the vicinity where the MRI machines are located, and all instructions for using the machines provided by Philips should be followed.

Philips has not received any reports of the vulnerabilities being exploited, nor have there been any reports of incidents from the clinical use of the product in relation to the three vulnerabilities.


High Severity Vulnerabilities Identified in Philips Tasy EMR

Two high severity vulnerabilities have been identified in the Philips Tasy EMR that could allow sensitive patient data to be extracted from the database. The vulnerabilities can be exploited remotely, there is a low attack complexity, and exploits for the vulnerabilities are in the public domain.

Philips says the vulnerabilities affect Tasy EMR HTML5 3.06.1803 and prior versions, with the affected products used primarily in South and Central America. The vulnerabilities were identified and publicly disclosed by a security researcher who did not follow responsible disclosure protocols and failed to coordinate with Philips.

The two flaws are both SQL injection vulnerabilities that have been assigned a CVSS v3 severity score of 8.8 out of 10. Both are due to improper neutralization of special elements in SQL commands.

The first flaw, tracked as CVE-2021-39375, allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. The second, tracked as CVE-2021-39376, allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.

By exploiting the flaws, a remote attacker could expose patient data, extract information from the database, or trigger a denial-of-service condition.
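Both Tasy flaws are the same weakness, CWE-89: a request parameter is spliced into SQL text, so quote characters in the value change the command rather than being compared as data. The example below is added here and is not Philips code; it uses a constructed in-memory SQLite table and a filter-style lookup of the kind the parameter names above suggest. `lookup_unsafe` reproduces the weakness and `lookup_safe` is the standard fix, a bound parameter, which makes the same input match nothing because it is only ever treated as a literal value.

```python
import sqlite3

# Constructed sample data standing in for a records table. None of this
# reflects the schema of the product discussed above.
SAMPLE_ROWS = [
    ("A1", "record-one"),
    ("B2", "record-two"),
    ("C3", "record-three"),
]


def build_db():
    """Create the in-memory table used by the two lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (code TEXT, label TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, code):
    """Vulnerable pattern: the filter value is formatted into the SQL
    string, so the database parses anything the caller put in it."""
    sql = f"SELECT label FROM records WHERE code = '{code}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, code):
    """Hardened pattern: the value travels as a bound parameter. The SQL
    text is fixed at development time and the driver supplies the value
    separately, so it can only be compared, never executed."""
    sql = "SELECT label FROM records WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]


def suspicious_filter_value(value):
    """Simple defensive check for logging or alerting: a filter value that
    carries SQL quoting or comment syntax is worth recording even when the
    query itself is parameterized."""
    markers = ("'", '"', "--", ";", "/*")
    return any(m in value for m in markers)


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"
    print("unsafe, normal value:", lookup_unsafe(db, "A1"))
    print("unsafe, crafted value:", lookup_unsafe(db, crafted))
    print("safe, crafted value:", lookup_safe(db, crafted))
    print("flag for review:", suspicious_filter_value(crafted))
```

The parameterized version is the fix the vendor's update would need to apply to every query that takes request input; the `suspicious_filter_value` helper is a detection aid for operators who cannot patch immediately and want such requests to surface in logs.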

Philips says it reported the vulnerabilities to CISA and has fixed both vulnerabilities in Tasy EMR HTML5 Version 3.06.1804. All healthcare providers using a vulnerable version of the EMR system should update to version 3.06.1804 or later as soon as possible to prevent exploitation. Prior to upgrading to the latest version, CISA recommends performing an impact analysis and risk assessment.


Webinar Today: How HIPAA-Compliant Messaging Transforms Care Collaboration and Outcomes

Secure, HIPAA-compliant messaging platforms have clear, measurable benefits for healthcare delivery organizations and help to solve communication problems in hospitals.

Efficient communication in healthcare is vital but all too often valuable time is wasted trying to communicate important information to busy healthcare professionals due to the continued use of outdated communication methods such as landlines, faxes, and email.

Studies have shown that communication problems in healthcare negatively affect patient outcomes. 70% of treatment delays in hospitals have been traced to miscommunications, and delays in treatment mean longer hospital stays for patients. Inefficient communication costs the healthcare industry millions of dollars each year.

Secure, HIPAA-compliant messaging platforms offer a solution. These messaging platforms incorporate the necessary safeguards to ensure they can be used to transmit ePHI to the right people at the right time without violating any provisions of the HIPAA Rules. Phone tag is eliminated, as messages are sent to individuals’ mobile devices, with notifications confirming when the messages have been delivered and read.

Users of the TigerConnect secure messaging platform have achieved a 34% increase in workflow efficiency by adopting the platform, a 75% reduction in transport time, and prescriptions are filled 50% faster, with average combined savings of $6.2 million.

This week, TigerConnect will be hosting a webinar to explain the key benefits these platforms provide. Attendees will discover how a HIPAA-compliant messaging platform can make care teams immediately more efficient and effective, which results in better collaboration, happier patients, and decreased costs.

Webinar Details

Title:      How HIPAA-Compliant Messaging Transforms Care Collaboration and Outcomes

Date:     Thursday, October 28, 2021

Time:    1:00 p.m. ET | 12 p.m. CT | 11 a.m. MT | 10 a.m. PT

Hosts:   Julie Grenuk, RN, Nurse Executive, TigerConnect; Tommy Wright, Director of Product Marketing, TigerConnect



Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps

B. Braun has released software updates to fix five vulnerabilities in its Infusomat Space and Perfusor Space Infusion Pumps. The vulnerabilities could be exploited remotely in a low complexity attack.

In North America, the flaws affect Battery pack SP with WiFi (All software Versions 028U000061 and earlier) that have been installed in an Infusomat Space Infusion Pump or a Perfusor Space Infusion pump, and SpaceStation with SpaceCom 2 (All software Versions 012U000061 and earlier). The vulnerabilities were identified by Douglas McKee and Philippe Laulheret of McAfee, who reported them to B. Braun.

The most serious vulnerability is a critical flaw in B. Braun SpaceCom2 that has been assigned a CVSS severity score of 9 out of 10. The flaw – tracked as CVE-2021-33885 – is due to insufficient verification of data authenticity and could be exploited by a remote attacker to send malicious data to the device, which would be used in place of the correct data.

An improper input validation flaw – CVE-2021-33886 – would allow a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements, although the attacker would need to be on the same network as the device, which limits the potential for exploitation. The flaw has been assigned a CVSS score of 6.8.

A missing authentication for critical function vulnerability – CVE-2021-33882 – could be exploited by a remote attacker to reconfigure the device from an unknown source, due to the lack of authentication on proprietary networking commands. The flaw has also been assigned a CVSS score of 6.8.

Due to unrestricted uploads of dangerous file types, a remote attacker could upload a malicious file to the /tmp directory of the device through the webpage API, which could result in critical files being overwritten affecting device functionality. The flaw is tracked as CVE-2021-33884 and has a CVSS severity score of 6.5.

The last vulnerability is an information exposure issue that could allow an attacker to obtain critical values for a pump’s internal configuration due to the transmission of sensitive information in cleartext. The flaw is tracked as CVE-2021-33883 and has been assigned a CVSS severity score of 5.9.

B. Braun has fixed the flaws in the following software updates:

  • Battery pack SP with Wi-Fi, software 028U00062 (SN 138852 and lower)
  • Battery pack SP with Wi-Fi, software 054U00091 (SN 138853 and higher)
  • SpaceStation with SpaceCom 2, software Version 012U000083

At present, there have been no reported cases of exploitation of the flaws; however, the updates should be applied as soon as possible.

B. Braun also recommends ensuring infusion pumps are housed in separate environments that are protected by firewalls or VLANs, that authentication measures are put in place to prevent unauthorized access, and that the devices are not directly accessible over the Internet. If remote access is required, secure methods of access should be used, such as a Virtual Private Network (VPN).


Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin for the management of diabetes and the pumps are supplied with an optional remote controller device that communicates wirelessly with the insulin pump. A security researcher has identified a cybersecurity vulnerability in older models of remote controllers that use previous-generation technology that could potentially be exploited to cause harm to users of the pumps.

The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery could result in diabetic ketoacidosis and even death.
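A record-and-replay attack works because the receiver has no way to tell a freshly issued command from a copy of one it already accepted. The following added example is not Medtronic's protocol and does not describe how the MiniMed remote actually works; it shows, with a constructed shared key and a constructed frame layout (4-byte counter, payload, 8-byte truncated HMAC-SHA256), the two controls that defeat replay and forgery on a wireless command link: a MAC so an unkeyed party cannot forge frames, and a strictly increasing counter so a captured frame is rejected the second time it is seen. `LegacyReceiver` stands in for the older design that checks neither.

```python
import hmac
import hashlib
import struct

# Constructed pairing key; a real device would provision one per pairing.
SHARED_KEY = b"constructed-pairing-key-not-real"
COUNTER_LEN = 4   # big-endian unsigned counter
MAC_LEN = 8       # truncated HMAC-SHA256 tag


def build_frame(key, counter, payload):
    """Remote side: counter || payload || HMAC(key, counter || payload)."""
    body = struct.pack(">I", counter) + payload
    mac = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


class LegacyReceiver:
    """Stand-in for a receiver with no freshness or authenticity check:
    every well-formed frame is accepted, including a recorded one."""
    def accept(self, frame):
        if len(frame) < COUNTER_LEN + MAC_LEN:
            return None
        return frame[COUNTER_LEN:-MAC_LEN]


class HardenedReceiver:
    """Pump side: a frame is accepted only if its MAC verifies under the
    pairing key and its counter is strictly greater than the last one
    accepted. A replayed frame fails the counter check; a forged or
    tampered frame fails the MAC check. Returns the payload or None."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) < COUNTER_LEN + MAC_LEN:
            return None
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return None  # not produced with the pairing key
        counter = struct.unpack(">I", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return None  # already seen (replay) or stale
        self.last_counter = counter
        return body[COUNTER_LEN:]


def demo():
    """Run one legitimate frame, then the same frame replayed, then a
    tampered copy, against both receiver designs."""
    frame = build_frame(SHARED_KEY, 1, b"cmd:status")
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])
    legacy, hardened = LegacyReceiver(), HardenedReceiver(SHARED_KEY)
    return {
        "legacy_first": legacy.accept(frame),
        "legacy_replay": legacy.accept(frame),
        "hardened_first": hardened.accept(frame),
        "hardened_replay": hardened.accept(frame),
        "hardened_tampered": hardened.accept(tampered),
        "hardened_next": hardened.accept(build_frame(SHARED_KEY, 2, b"cmd:status")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The FDA's interim guidance (turn off the radio-frequency function and remove the remote controller IDs) is the operational equivalent of removing the legacy receive path altogether; the counter also has to be persisted across power cycles, or a reboot would reopen the replay window.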

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity vulnerabilities had previously been identified in the pumps that could not be adequately mitigated through updates or patches.

The latest security issue has seen Medtronic expand the product recall to include all MiniMed Remote Controllers (models MMT-500 and MMT-503), which are used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not been manufacturing or distributing the affected remote controllers since July 2018, but the devices are still used by certain patients, healthcare providers, and caregivers.

This is a Class 1 product recall – the most serious category – as the issues with the remote controllers could result in serious injury or death. The FDA says there have been no reported cases of the vulnerabilities in the devices being exploited to cause harm to patients.

The FDA says users should immediately stop using the affected remote controller, turn off the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.


KLAS Research: Clinical Communication Platforms Improve Efficiency in Healthcare

The recently published 2021 KLAS Clinical Communication Platform Report has confirmed clinical communication platforms improve efficiency in healthcare, streamline communication across most areas of hospitals, and lead to concrete outcomes, with improvements to clinical communication the biggest benefit.

KLAS Research is a Utah-based company that provides data and insights into health information technology (HIT) that helps healthcare organizations identify HIT solutions that will provide important benefits and a good ROI. KLAS collects data on HIT solutions, including from healthcare industry reports, websites, and feedback from healthcare professionals that are using HIT in the workplace. KLAS analyzes the data, identifies key trends and insights, and produces reports on the findings of its research. The researchers also work with leadership teams at vendors to help them improve their HIT solutions based on user feedback to help them deliver better outcomes.

For its latest Clinical Communication Platform Report, KLAS researchers profiled some of the most innovative and cutting-edge vendors in the field whose solutions are delivering invaluable benefits in healthcare and users of clinical communication platforms were surveyed and asked for their feedback on the solutions they have adopted.

TigerConnect, the leading clinical communication platform provider in the United States, was recognized as having the largest base of acute care customers and for the value its clinical communication platform delivered. Feedback from healthcare professionals that use the platform confirmed it has led to improved efficiency for clinical support staff and improved nurse satisfaction and patient satisfaction and care through timely, efficient communication.

The top outcomes healthcare delivery organizations have achieved by implementing the TigerConnect platform are improved clinician response times, increased transparency into patient teams and schedules, and increased clinician workflow satisfaction with fewer call interruptions and much easier access to communication. TigerConnect customers confirmed the solution has helped improve patient team collaboration in terms of patient transport, bed management and environmental services, increased access to and the secure sharing of patient data, more efficient clinics and outpatient care, and a reduction in readmissions, fewer errors, and a faster crash team response.

“Our administration uses TigerConnect’s solution. If people ask for TigerConnect accounts, we can give them accounts. I don’t know how we would have been able to get through the COVID-19 pandemic without this solution,” said one TigerConnect user.

The solution was highly praised for ease of use coupled with enterprise contracting, which allows simple rollouts by many different user groups to achieve organization-wide efficient communication.

“One outcome that we have achieved with TigerConnect’s solution has been improved communication between our nurses, providers and administration. We can just text someone in administration rather than having to know their personal phone number,” said one TigerConnect user. “The value of adding two-way asynchronous communication in our clinical areas has been huge. They can always put themselves on ‘do not disturb’ if they don’t want people to text them. When nurses or providers are actively engaged with patients, they can get the information they need with the system, and then return that information.”

This year has seen TigerConnect roll out significant feature enhancements based on customer feedback, and the company has also made key acquisitions of on-call physician scheduling and advanced middleware solutions, deepening the capabilities of its platform considerably.

“2021 has proven a tipping point as healthcare systems evolve their requirements from secure messaging to the most contextual, advanced clinical collaboration experiences. Clinicians are demanding an all-in-one mobile collaboration experience that helps them raise the standard of care and improve patient outcomes,” said Will O’Connor, MD, TigerConnect Chief Medical Information Officer. “The KLAS report validates TigerConnect in our vision to make hospitals and care delivery more agile.”


Horizon Information Systems, Inc. Achieves HIPAA Compliance with Compliancy Group

Horizon Information Systems, Inc, a Johnstown, PA-based developer of software solutions for human service and community action agencies, has achieved compliance with the standards of the Health Insurance Portability and Accountability Act (HIPAA) with Compliancy Group.

The human services software solution developed by Horizon Information Systems comes into contact with protected health information, so the company is classed as a business associate and is required to comply with certain provisions of the HIPAA Rules.

“Our software is built to handle sensitive data belonging to real people and reputable organizations that we want to ensure are adequately protected. As technology advances, so do our efforts to safeguard all personal and health information,” said Horizon Information Systems.

To ensure the company is fully compliant with all appropriate aspects of the HIPAA Rules, Horizon Information Systems partnered with Compliancy Group. Horizon Information Systems used Compliancy Group’s proprietary HIPAA methodology and tracked its progress toward compliance using Compliancy Group’s compliance tracking software, The Guard.

After completing Compliancy Group’s Six Stage HIPAA Implementation Program, Compliancy Group’s HIPAA subject matter experts and Compliance Coaches assessed Horizon Information Systems’ good faith effort toward HIPAA compliance and confirmed the company had implemented an effective HIPAA compliance program.

After demonstrating compliance with the necessary regulatory standards of the HIPAA Privacy, Security, Breach Notification Rule, and Omnibus Rules and the HITECH Act, the company was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to current and future customers that a company is committed to ensuring the privacy and security of protected health information and has taken the necessary steps to ensure HIPAA compliance.

“Maintaining the HIPAA Seal of Compliance is a top priority at Horizon Information Systems, Inc. Horizon Information Systems, Inc. will be vigilant with the protection of sensitive and personal health information. Horizon believes in purposeful training that not only highlights how to remain compliant, but also teaches why we need to protect the data our software is designed to manage,” explained Horizon Information Systems. “Horizon offers an array of programs in the industries of Housing, Human Services, and Business Operations. Horizon employees are trained to respect the sensitivity of the data stored in these programs, and they are extensively educated in best practice methods of protecting our users and ourselves from any potential threats.”
