Healthcare Technology Vendor News

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James launched an investigation into Zoom after researchers uncovered a number of privacy and security issues with the platform earlier this year.

Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings, with the user base growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge.

Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images.

Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption, but it was discovered that Zoom had used AES-128 encryption rather than AES-256, and its end-to-end encryption claim was false. Zoom was also discovered to have issued encryption keys through data centers in China, even when meetings were taking place between users in the United States.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to log in through Facebook, which meant that Facebook was provided with technical data about users’ devices each time they opened the Zoom app. While Zoom did state in its privacy policy that third-party tools may collect information about users, data was discovered to have been passed to Facebook even when users had not used the Facebook login with the app. There were also privacy issues associated with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn profiles of other meeting participants, even when those participants had taken steps to remain anonymous by adopting pseudonyms. The Company Directory feature of the platform was found to violate the privacy of some users by leaking personal information to other users who shared the same email domain.

Zoom responded quickly to the privacy and security issues and corrected most within a few days of discovery. The firm also announced that it was halting all feature development to concentrate on privacy and security. The company also established a CISO Council and Advisory Board to focus on privacy and security, and Zoom recently announced that it has acquired the start-up firm Keybase, which will help to implement end-to-end encryption for Zoom meetings.

Under the terms of the settlement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive data security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a comprehensive security risk assessment and code review and will fix all identified security issues with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom must continue to review privacy and security and implement further protections to give its users greater control over their privacy. Steps must also be taken to regulate abusive activity on the platform.

“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call,” said Attorney General James.

The post Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues appeared first on HIPAA Journal.

Safe Partner Inc. Confirmed as HIPAA Compliant

Compliancy Group has announced that Safe Partner Inc. has demonstrated it has implemented an effective HIPAA compliance program and has successfully completed its proprietary 6-stage HIPAA risk analysis and remediation process.

Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting company that provides a full range of software services, from design to development, implementation, and ongoing customer support. The company was formed in 1995 and works with clients in a wide range of industry sectors, including healthcare. Some of the software solutions developed by the company interact with healthcare data, which means the company is classed as a business associate and must comply with HIPAA Rules.

To ensure that no aspect of HIPAA compliance was missed, Safe Partner Inc. sought assistance from Compliancy Group. Assisted by the company’s compliance coaches and using the firm’s HIPAA compliance tracking software solution, The Guard, Safe Partner Inc. was able to demonstrate that its HIPAA compliance program covered all aspects of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. The company also conducted a comprehensive risk analysis to identify all potential risks to the confidentiality, integrity, and availability of protected health information, and ensured risks were effectively mitigated in accordance with the requirements of the HIPAA Security Rule.

After demonstrating to Compliancy Group that its policies and procedures met the minimum standards required by HIPAA, the company’s good faith effort toward HIPAA compliance was recognized and the company was awarded the Compliancy Group HIPAA Seal of Compliance.

The HIPAA Seal of Compliance helps the company differentiate its services and demonstrates to current and future clients that Safe Partner Inc. is committed to ensuring the privacy and security of any healthcare data provided to the company or accessible through its software solutions.


Compliancy Group Helps Acemanage Smart Inc Achieve HIPAA Compliance

Compliancy Group has announced that the Canadian start-up firm Acemanage Smart Inc. has implemented an effective HIPAA compliance program and has demonstrated that it is meeting all the requirements of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules.

Acemanage Smart Inc. has developed several software solutions over the past two years, including the WholisticDr platform. The WholisticDr platform allows patients in remote and rural areas to find practitioners and receive high-quality medical care, and it uses artificial intelligence to make the process as quick and easy as possible.

Through the platform, holistic doctors and practitioners can list their practices, make appointments, manage billing and insurance, talk with and text other members and patients, conduct telehealth visits, and exchange health records, lab test results, and prescriptions.

As a business associate, Acemanage Smart Inc. is required to comply with HIPAA Rules. To ensure that its software solutions and staff are fully compliant with HIPAA Rules, Acemanage Smart Inc. has been working with Compliancy Group. Assisted by Compliancy Group’s compliance coaches, and using the firm’s proprietary HIPAA compliance tracking software, The Guard, Acemanage Smart Inc. has been able to confirm that all requirements of HIPAA have been satisfied.

“Patients’ health data are super confidential for our clients and us. We wanted to be accountable to our clients and stay to the highest standard of security in order for all of our clients to feel safe and secure. So Acemanage Smart Inc. has put extra time and effort into making sure our team is HIPAA compliant,” explained Acemanage Smart.

After completing Compliancy Group’s 6-stage HIPAA risk analysis and remediation process, the company was awarded Compliancy Group’s HIPAA Seal of Compliance, which demonstrates the company’s good faith effort toward HIPAA compliance and shows healthcare clients that patient data is being protected to the high standards demanded by HIPAA.


Compliancy Group Helps Eyeward Inc. Achieve HIPAA Compliance

Compliancy Group has announced that Eyeward Inc. has implemented an effective HIPAA compliance program and has achieved HIPAA compliance.

Eyeward is a free-to-use peer-to-peer consulting platform for iOS that allows healthcare professionals to connect with colleagues and securely communicate and share medical images. The app is intended to help physicians share clinical knowledge and consult with other medical professionals. Use of the app allows physicians to improve workflow and deliver better care to patients.

“Eyeward is dedicated to helping physicians provide the highest standard of care for their patients. Understanding that this level of care may require the use of sensitive health care information, Eyeward wanted to ensure all the appropriate measures were taken to properly safeguard PHI,” said Eyeward CEO, Stephen Atallah.

To ensure compliance with all provisions of HIPAA, Eyeward teamed up with Compliancy Group. Using Compliancy Group’s HIPAA compliance tracking solution, The Guard, and assisted by its compliance coaches, Eyeward was able to ensure its solution, policies, and procedures were fully compliant with HIPAA requirements.

Eyeward also completed Compliancy Group’s 6-stage HIPAA risk analysis and remediation process, and the company’s good faith effort toward HIPAA compliance saw the firm awarded Compliancy Group’s HIPAA Seal of Compliance.

The Seal of Compliance demonstrates to HIPAA-covered entities and business associates that Eyeward has implemented an effective HIPAA compliance program and that its platform meets all requirements of HIPAA Rules and can be used for securely communicating patient information.

“By using our platform, doctors are putting their trust in Eyeward to secure their health care data,” said Atallah. “We wanted our users to know that we are doing all that we can to protect them and their patients.”


Vulnerability Identified in BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System

Becton, Dickinson and Company (BD) has identified a medium-severity vulnerability in version 1.6.1 of the BD Pyxis MedStation medication dispensing system and the Pyxis Anesthesia (PAS) ES System used in its anesthesia carts. If exploited, the vulnerability would allow an attacker to gain access to sensitive data.

BD devices run their software in kiosk mode, a restricted desktop configuration that limits the actions a user can perform on the device. The vulnerability is a protection mechanism failure (CWE-693) that could allow an attacker to escape the restricted desktop environment, after which sensitive data could be accessed and altered.

The vulnerability requires only a low level of skill to exploit, but exploitation requires physical access to a vulnerable device. BD has performed a risk evaluation and has determined that the risk of exploitation is low. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.

BD is proactive in assessing its products to identify security vulnerabilities. The company operates with transparency and communicates security issues to customers in a timely fashion to allow them to take steps to manage risk effectively. While the vulnerability could potentially result in information disclosure, customers have been advised not to discontinue use because of the low risk of exploitation: the benefits of using the devices far outweigh the risk.

BD is in the process of deploying an update for the affected products that will strengthen kiosk mode and make it harder for currently known kiosk-escape methods to be used. Until the update is applied to vulnerable devices, BD has offered mitigations that will limit the opportunity for exploitation: hospitals using the affected devices should limit physical access to authorized personnel, impacted systems should be isolated and connected only to trusted systems, and the devices should be monitored for unplanned reboots using network monitoring tools.


iland Named 2019 Veeam Impact Cloud & Service Provider Partner of the Year

iland has been named 2019 Veeam Impact Cloud & Service Provider Partner of the Year in North America by Veeam Software. This is the fifth year of the annual awards and the fourth time iland has collected the title, having also received the award in 2015, 2017, and 2018.

The annual awards recognize North America Veeam ProPartners and Veeam Cloud & Service Provider (VCSP) partners that have extensive knowledge of Veeam Software and have demonstrated success in delivering Veeam solutions to their customers and providing first-class support. To be considered for the awards, companies must also display a high level of innovation and continued product education.

iland’s cloud solutions have been developed to ensure that businesses are well protected from cyberattacks and ransomware, and provide peace of mind that should disaster strike, customer data will be protected and recoverable. The cloud backup and disaster-recovery-as-a-service offerings provide direct integration and 100% compatibility with Veeam’s backup and replication software and are provided to businesses by more than 500 channel partners around the world. One of those partners, CDW, also collected a Veeam award, being named 2019 Veeam Impact Partner of the Year in North America.

iland also offers several other products that take advantage of the strength of Veeam backup solutions, including iland Test Drive, Autopilot Managed Recovery, Catalyst, and LabEngine.

“For more than 10 years, iland and Veeam have successfully partnered to help our joint customers navigate complex IT challenges. From migrating to the cloud, to backing up Office 365, to creating sophisticated disaster recovery plans, the beauty of our partnership is that we have solutions for every business,” explained Dante Orsini, iland senior vice president of business development. “Just as the Veeam backup technology continues to evolve, iland consistently finds new ways to easily and securely connect our customers to the cloud. Receiving this award for the fourth time represents a tireless commitment with Veeam and our global partners to deliver the most simple, flexible and reliable cloud data protection solutions on the market. We look forward to the decade ahead and our continued partnership with Veeam as we prepare our joint customers to embrace the next generation of IT innovation.”


‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

Researchers at the Singapore University of Technology and Design have identified a group of 12 vulnerabilities, dubbed SweynTooth, in Bluetooth Low Energy (BLE) chips manufactured by at least seven companies.

BLE chips provide the wireless connectivity in smart home devices, fitness trackers, wearable health devices, and medical devices. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors, as well as in hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws, as manufacturers obtain their BLE chips from several sources. Some security researchers believe millions of medical devices could be vulnerable. The affected BLE chips are used in around 500 different products, so hundreds of millions of devices could be affected.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductor, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1 to 6.9 out of 10.

Seven of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. Four vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass that would allow an attacker to gain access to device functions that are usually accessible only to an authorized device administrator. The flaws can be exploited remotely, although only by an attacker within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.


iland Secure Cloud Console Update Improves Visibility of Global BaaS Environments

iland has announced its Secure Cloud Console has been updated and enhanced with Veeam Cloud Connect to provide greater visibility and control of multi-location backups for large enterprises and managed service providers (MSPs).

The update gives large enterprises and MSPs a single-pane-of-glass view of and support for global cloud backups. Customers are provided with increased granularity that allows them to use real-time data across multiple accounts and gives them greater control over multiple tenants without extra work or additional permissions.

Storage management has also been simplified with greater opportunities for self-service, allowing customers to reallocate resources and add new tenants. The update allows global MSPs and enterprises to provide backup-as-a-service internally and, through a single interface, manage multiple repositories and locations.

The iland BaaS Insider Protection feature is an air-gapped repository for data that provides protection against internal and external threats, including ransomware attacks. Customers can now view the status of multi-tenant environments through a single view, and Veeam Cloud Connect tenant names and passwords can be updated easily from any location. The entire portfolio of Veeam cloud-based backup solutions can now be managed from a single, unified console.

“With these latest updates, we’re making it easy for channel and enterprise IT customers to extend backup services around the world with a simple, easy-to-use common interface,” said Dante Orsini, iland senior vice president of business development.

The latest updates to iland Secure Cloud Backup with Veeam Cloud Connect have now been rolled out across all 10 of iland’s data centers. New customers can take advantage of a free 30-day trial that includes 5 TB of data.


Carbon Neutral Green Cloud Launched by Connectria

Connectria has announced it has launched a carbon neutral ‘green cloud’ in its data centers in the European Union and North America.

The new green cloud is available for companies running IBM i and VMware systems, and it has been made possible by a new systems architecture at Connectria’s advanced data centers. Companies taking advantage of the new green cloud can reduce their energy consumption by up to 95%.

Connectria explained that data centers account for 3% of worldwide energy consumption, so making data centers carbon neutral is not just a token gesture. It can significantly reduce energy consumption and help companies reduce their carbon footprint.

“Connectria’s Amsterdam data center is a model of energy efficiency and sustainability, designated as a LEED Gold facility,” said Rusty Putzler, COO of Connectria. The data center uses a combination of biomass and hydroelectric power, drawing all of its power from 100% renewable energy sources, while still ensuring reliability for its customers.

Data centers generate a lot of heat. To ensure that energy is not wasted, it is captured and used to heat facilities at the University of Amsterdam campus. Connectria says the Amsterdam data center is one of the most energy-efficient data centers in the world and helps the company deliver a carbon neutral footprint for VMware and IBM i clouds.

Connectria has a “No Jerks Allowed” philosophy, which it applies to the staff it recruits and how employees treat customers. This philosophy has now been applied to the environment. “By creating carbon-neutral IBM i and VMware Clouds, Connectria is doing our part to take care of our planet, and not be jerks,” says Connectria.
