Healthcare Technology Vendor News

CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software.

The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation state hacking group that created a Trojanized version of the Orion software. That version has been used to deploy a backdoor, dubbed SUNBURST, into customers’ systems.

The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies.

SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign was first detected by the cybersecurity company FireEye, which was also attacked as part of this campaign.

The attacks started in spring 2020 when the first malicious versions of the Orion software were introduced. The hackers are believed to have been present in compromised networks since then. The malware is evasive, which is why it has taken so long to detect the threat. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” according to FireEye. Once the backdoor has been installed, the attackers move laterally and steal data.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state,” said Kevin Thompson, SolarWinds President and CEO.

The hackers gained access to SolarWinds’ software development environment and inserted the backdoor code into its library in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released between March 2020 and June 2020.

CISA issued an Emergency Directive ordering all federal civilian agencies to take immediate action to block any attack in progress by immediately disconnecting or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. The agencies have also been prohibited from “(re)joining the Windows host OS to the enterprise domain.”

All customers have been advised to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A second hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security enhancements.

If it is not possible to immediately upgrade, guidelines have been released by SolarWinds for securing the Orion Platform. Organizations should also scan for signs of compromise. The signatures of the backdoor are being added to antivirus engines, and Microsoft has confirmed that all its antivirus products now detect the backdoor and users have been advised to run a full scan.
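As an added example (not code from the article, CISA or SolarWinds), a small Python triage helper that parses Orion Platform version strings in the "2020.2.1 HF 1" form and sorts an inventory of hosts against the two ranges quoted above: the trojanized builds (2019.4 HF 5 through 2020.2.1 HF 1) and the Emergency Directive's disconnect scope (2019.4 through 2020.2.1 HF 1). The host names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, NamedTuple


class OrionVersion(NamedTuple):
    """Orion Platform version as an orderable tuple: 2020.2.1 HF 1 -> (2020, 2, 1, 1)."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Accepts "2019.4", "2019.4 HF 5", "2020.2.1 HF1" (case-insensitive, optional spaces).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> OrionVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    # A missing patch level or hotfix sorts below any explicit one.
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Ranges exactly as the article states them (inclusive at both ends).
TROJANIZED_LOW = parse_version("2019.4 HF 5")
TROJANIZED_HIGH = parse_version("2020.2.1 HF 1")
DIRECTIVE_LOW = parse_version("2019.4")
DIRECTIVE_HIGH = parse_version("2020.2.1 HF 1")


def classify(version_text: str) -> str:
    """Label a single Orion version string.

    trojanized-build : within the range of builds that shipped with SUNBURST
    directive-scope  : not a trojanized build, but still inside the CISA
                       Emergency Directive's disconnect/power-down range
    outside-range    : older than 2019.4, or newer than 2020.2.1 HF 1
                       (for example the announced 2020.2.1 HF 2)

    The article names 2020.2.1 HF 1 both as the top of the affected range and
    as the interim upgrade target; following the directive, it stays in scope
    here until HF 2 is applied.
    """
    v = parse_version(version_text)
    if TROJANIZED_LOW <= v <= TROJANIZED_HIGH:
        return "trojanized-build"
    if DIRECTIVE_LOW <= v <= DIRECTIVE_HIGH:
        return "directive-scope"
    return "outside-range"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by label; hosts with unparsable versions go under 'unknown'."""
    groups: Dict[str, List[str]] = {
        "trojanized-build": [], "directive-scope": [], "outside-range": [], "unknown": []
    }
    for host, version in sorted(inventory.items()):
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


# Constructed sample inventory (host -> version string shown by the Orion web console).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF 1",
    "orion-prod-02": "2020.2",
    "orion-lab-01": "2019.4 HF 4",
    "orion-lab-02": "2019.2",
    "orion-staging": "2020.2.1 HF 2",
    "orion-legacy": "NPM 12.5",
}

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{label:17s} {', '.join(hosts) or '-'}")
```

A version string alone does not prove a host is clean; hosts in any bucket other than "outside-range" still warrant the antivirus scan and compromise checks described above.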

SolarWinds is working closely with FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the attacks. SolarWinds is also working with Microsoft to remove an attack vector that leads to the compromise of targets’ Microsoft Office 365 productivity tools.

It is currently unclear which group is responsible for the attack, although the Washington Post claims to have spoken to sources who confirmed the attack was the work of the Russian nation state hacking group APT29 (Cozy Bear). A spokesperson for the Kremlin said Russia had nothing to do with the attacks, stating “Russia does not conduct offensive operations in the cyber domain.”

The post CISA: SolarWinds Orion Software Under Active Attack appeared first on HIPAA Journal.

Atlantic.Net Back-Office Upgrade Greatly Improves Efficiency and Overall Customer Service

Atlantic.net has announced major behind-the-scenes improvements that greatly improve efficiency, ensure more precise billing, and will help the company deliver better overall customer service.

The Orlando, FL-based HIPAA-compliant hosting provider has implemented the Ubersmith business management software suite. The new back-office software suite has allowed more than 50 different subscription, billing, device management and customer support systems to be combined into a single system. Business processes that previously took 7-14 days can now be completed in a single day.

Streamlining internal processes will ensure customer support issues can be dealt with much more rapidly. The new system has allowed Atlantic.net to halve the resolution time for support issues and achieve a 55% improvement in billing for customers’ overall usage. Staff now only need to be trained on one system, rather than dozens of different systems, which will save countless hours and help to streamline resources. The elimination of redundant systems and improvement in operational efficiency will have a net positive impact on revenue growth.

The Ubersmith system is an easily customizable, integrated software suite that handles subscription billing, order management, infrastructure management, and ticketing. The modular software suite is highly flexible and can be extended and integrated with software used by other aspects of the business through the Ubersmith-supplied API and software development kit.

“We make extensive use of Ubersmith APIs to integrate with other systems that we use for payments, accounting, domain registration, security certificates and more,” said Marty Puranik, Founder and CEO, Atlantic.Net. Ubersmith is currently working on adding support for Salesforce, which will allow Atlantic.net to tie its sales and prospecting activities into the same system, including customer quotes.

The deep integration of the Ubersmith software will help Atlantic.net achieve high levels of operational efficiency, employee productivity, and deliver much higher levels of customer service.

“Atlantic.Net has done an impressive job at leveraging the capabilities we provide in Ubersmith’s business management, infrastructure and operations software,” said Kurt Daniel, CEO of Ubersmith. “We’re pleased to be an important partner for their business as they continue to grow and expand in the cloud services and hosting arenas.”


Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic, which has now released a firmware update to fix the vulnerabilities. The firmware update can be applied by updating the MyCareLink Smart app via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, in order for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.


Webinar Today: How HIPAA-Compliant Messaging Transforms Healthcare

Data show that 70% of delays in providing treatment to patients are due to miscommunication, so resolving the problems that result in miscommunication in healthcare is key to improving quality of care, clinical outcomes, and the patient experience.

One of the biggest contributory factors to miscommunication is the use of outdated communications systems, which has long been a problem in healthcare. Fortunately, there is a solution that has been shown to greatly improve communication efficiency and reduce the potential for errors and miscommunication – a secure texting platform.

To find out more about secure, HIPAA-compliant messaging and how it can make care teams immediately more efficient and effective, we invite you to join this upcoming webinar.

During the webinar you will discover how this single change can lead to major improvements in collaboration, save valuable time, decrease costs, and lead to happier staff and patients.

The webinar is being hosted by TigerConnect, the leading secure healthcare messaging provider, and will take place on Wednesday, December 9 at 10 a.m. PT / 1 p.m. ET.

Webinar Details:

How HIPAA-Compliant Messaging Transforms Healthcare

Date/Time: Wednesday, December 9 – 10 a.m. PT / 12 p.m. CT / 1 p.m. ET

Hosted by:
Julie Grenuk, Nurse Executive, TigerConnect
Tommy Wright, Director of Product Marketing, TigerConnect



Vulnerability Identified in BD Alaris Infusion Products

A high severity vulnerability has been identified in the BD Alaris PC Unit, which is vulnerable to a denial-of-service attack that would cause it to drop its wireless capability.

The vulnerability was identified by Medigate and was reported to BD. BD subsequently reported the flaw under its responsible disclosure policy and has provided mitigations and compensating controls to help users manage the risks associated with the flaw until an updated version of BD Alaris PC Unit software is released.

The flaw affects the following BD products:

  • BD Alaris PC Unit, Model 8015, Versions 9.33.1 and earlier
  • BD Alaris Systems Manager, Versions 4.33 and earlier

The issue is due to improper authentication between vulnerable versions of the BD Alaris PC Unit and the BD Alaris Systems Manager. While the vulnerability can be exploited remotely, an attacker would need to first gain access to the network associated with the vulnerable devices, which limits the potential for exploitation.

Once access to the network is gained, an attacker could redirect the BD Alaris PC Unit’s authentication requests using custom code and complete an authentication handshake based on information extracted from the authentication requests.

Such an attack would not stop the Alaris PC Unit from functioning as programmed; however, network services would no longer be available, such as pre-populating the Alaris PC Unit with infusion parameters through EMR Interoperability or performing wireless updates of Alaris System Guardrails (DERS). An attacker would not be able to gain the necessary permissions to remotely program commands, and protected health information could not be accessed as it is encrypted. In a successful attack, the operator of the BD Alaris PC Unit would have to manually program the pump, download data logs, or activate the new data set.

BD has already performed server upgrades which correct the vulnerability in many Systems Manager installations, with the flaw addressed in BD Alaris Systems Manager versions 12.0.1, 12.0.2, 12.1.0, and 12.1.2. The vulnerability will be corrected in the upcoming new version of BD Alaris PC Unit software.

Users can reduce the potential for exploitation by enabling the firewall on the Systems Manager server image and implementing rules restricting inbound and outbound ports and services.

“If a firewall is integrated between the server network segment and its wireless network segments, implement a firewall rule with an access control list (ACL) that restricts access to the wireless network segment via the specific MAC address of the wireless card on the pump. This would restrict access to the wireless segment to only authorized devices and not allow other devices to connect and authenticate to the segment,” explained BD in its security bulletin.

Since BD Alaris Systems Manager is a critical service, it should ideally operate on a secure network protected by a firewall. Unnecessary accounts, protocols and services should be disabled.


FTC Settlement with Zoom Resolves Allegations of Cybersecurity Failures and Deceptive Security Practices

The U.S. Federal Trade Commission has reached a settlement with Zoom to resolve allegations that the teleconferencing platform provider misled its customers about the level of encryption and had failed to implement appropriate cybersecurity protections for its users.

During the pandemic, use of the Zoom platform skyrocketed, with business users and consumers adopting the platform in the millions. The platform was used by consumers to maintain contact with friends and family, while remote workers used the platform to communicate with the office and collaborate while working from home. The platform proved to be extremely popular in healthcare for providing telehealth services and in education for communicating with students.

Zoom reported in its second quarter earnings call that it had seen 400% growth in corporate clients with more than 10 employees and that around 300 million meetings were taking place each day. The massive increase in popularity attracted the attention of security researchers, who discovered multiple security vulnerabilities in the platform.

One of the main issues concerned encryption. Zoom stated on its website that the platform offered end-to-end encryption when this was not the case. Meetings were encrypted, but Zoom was able to access customer data. The company also claimed that AES 256 encryption was used, when encryption was only AES 128, and that recorded meetings were encrypted immediately prior to storage.

Other cybersecurity issues included a Zoom software update that circumvented a browser security feature and a lack of security protections that allowed uninvited individuals to join meetings – termed Zoombombing. The company was also discovered to be sharing email addresses, photos, and users’ names with Facebook, albeit unwittingly.

The investigation by the FTC revealed Zoom had “engaged in a series of deceptive and unfair practices that undermined the security of its users.” A settlement was reached with the firm that requires the company to implement and maintain a comprehensive security program within 60 days.

The 17-page agreement details the steps that Zoom must take to ensure the security of its platform. They include conducting annual assessments on potential internal and external security risks and developing and implementing safeguards to reduce those risks to a low and acceptable level.

Additional safeguards must be implemented to protect against unauthorized access to its network, including multi-factor authentication; steps must be taken to prevent the compromise of user credentials; and data deletion controls must be implemented. Zoom is required to review all software updates to identify potential security flaws prior to rollout and must ensure that any new features or security measures do not interfere with third party security features. The company must also implement a vulnerability management program.

Zoom has been prohibited from misrepresenting the security features of its platform to users, the categories of data accessed by third parties, and how data privacy and security are maintained.

Zoom must undergo a third-party audit by an independent security firm to ensure the company is complying with all requirements of the agreement and is successfully remediating risks. The agreement will last for 5 years, during which time the FTC will be monitoring Zoom for compliance.

Zoom avoided a financial penalty, but if the company is discovered to have violated the terms of the agreement or federal laws, financial penalties will be applied up to a maximum of $43,280 per violation.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.


BIONWORKS Achieves HIPAA Compliance with Compliancy Group

Compliancy Group has announced the health tech start-up BIONWORKS has achieved compliance with the standards of the Health Insurance Portability and Accountability Act (HIPAA).

BIONWORKS is a developer of cutting-edge ML-driven enterprise mobility software for the healthcare industry. The company’s flagship healthcare solution, Healthplug, is a comprehensive mobile-first workflow-driven enterprise mobility solution that accelerates the adoption of the electronic medical record, improves staff collaboration, transforms patient engagement, and enables process automation in hospitals.

Developers of software solutions that interact with electronic protected health information (ePHI) are classed as business associates under HIPAA and must therefore ensure that their software solutions incorporate safeguards to ensure the confidentiality, integrity, and availability of ePHI. The solutions must incorporate access controls to ensure that only authorized individuals can access personal and health data along with mechanisms to control the sharing of ePHI.

BIONWORKS developed its software with data integrity, privacy, and security at the core of the design and by working closely with Compliancy Group, has implemented all necessary requirements of the HIPAA Rules including the ability to conduct self-audits, create remediation plans, and mechanisms for business associate management and incident management. The company has also developed full policies and procedures, employee training materials, and full product documentation.

After completing Compliancy Group’s 6-stage HIPAA risk analysis and remediation process, Compliancy Group’s HIPAA subject matter experts assessed the good faith efforts toward HIPAA compliance and awarded BIONWORKS the HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates BIONWORKS has implemented an effective HIPAA compliance program and is fully committed to ensuring the company and its software solutions continue to meet all requirements of the HIPAA Rules.

“This is not a ‘set it and forget it’ sort of compliance exercise. We understand that the HIPAA Rules are written as flexible standards that are to be implemented based on the size and nature of the organization. With constant support from Compliancy Group we are confident of being able to manage this flexibility,” explained BIONWORKS.


Atlantic Receives Gold Stevie Award for Best Healthcare Technology Solution

The HIPAA-compliant hosting company Atlantic.Net has won two Stevie Awards at the 18th Annual American Business Awards, the premier business award program in the United States.

The Stevie Awards are part of a global business award program that recognizes companies and individuals who have made a big impact over the past 12 months and have demonstrated outstanding performance in the workplace. The program is split into 8 geographic regions with nominations received from organizations in more than 70 countries. Each year approximately 12,000 nominations are received globally.

This year, more than 3,600 nominations were received from organizations of all types and sizes in America. Almost all industry sectors were represented, including for-profit and non-profit organizations, and public and private sector companies. The nominations were assessed by more than 230 professionals worldwide.

Atlantic.Net is a global cloud service provider that specializes in managed and non-managed Windows, Linux, and FreeBSD server hosting solutions with data centers located in New York, London, San Francisco, Toronto, Dallas, Ashburn, and Orlando. The company has a strong focus on compliance and is a leading provider of HIPAA-compliant hosting solutions to U.S. healthcare organizations.

Atlantic.Net picked up the Gold Award in the Healthcare Technology Solution category and a Silver Award in the Cloud Platform category. “Since starting our business 25 years ago, we have always aimed to provide the best, most innovative solutions for our clients,” said Marty Puranik, CEO of Atlantic.Net. “This year is a poignant time for businesses to navigate, particularly in the healthcare tech sector, so we are thrilled to receive this prestigious honor from the American Business Awards.”


Webinar 05/21/20: How to Double Protection for Remote Workers

Are you concerned about your remote employees accessing malicious websites, being fooled by phishing scams, or downloading malware?

On Thursday May 21, 2020, the Ireland-based cybersecurity company TitanHQ is hosting a webinar to explain how you can better protect your remote workers and significantly improve your defenses against phishing and malware attacks.

Most cyberattacks that target employees have an email and web-based component. Email security solutions are effective at blocking the majority of malicious emails, but some emails may end up being delivered to inboxes.

Links in the emails direct employees to websites where credentials are harvested or malware is downloaded. Implementing a web filtering solution provides protection from the web-based part of the attack and prevents employees from visiting malicious websites. A web filter adds an important extra layer of security against phishing attacks and malware and ransomware downloads.

During the webinar, TitanHQ will explain how COVID-19 is being exploited by cybercriminals to attack organizations and steps that can be taken to meet the challenge of protecting a largely distributed workforce.

The webinar will focus on TitanHQ’s DNS-based web filtering solution – WebTitan – and will explain the features and security layers of the solution that will help you manage user security at multiple locations.

Webinar Details

Title: Keeping your Remote Workers TWICE as secure with SpamTitan & WebTitan

Date: Thursday, May 21, 2020

Time: 11:00-11:30 CDT

Host: TitanHQ

  • Derek Higgins, Engineering Manager, TitanHQ
  • Eddie Monaghan, Channel Manager TitanHQ
  • Marc Ludden, Strategic Alliance Manager TitanHQ
  • Kevin Hall, Senior Systems Engineer at Datapac

