Healthcare Technology Vendor News

Compliancy Group Confirms Integrated Technology Group is HIPAA Compliant

Integrated Technology Group, a leading healthcare-industry focused managed service provider (MSP) in the Central Virginia region, has achieved HIPAA compliance with Compliancy Group and has demonstrated its policies and procedures are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules and the requirements of the HITECH Act.

Integrated Technology Group is primarily focused on providing managed information technology services to private medical practices to help them focus on what they do best – providing care to patients. Initially the company’s main focus was providing break-fix services. Today the company offers a wide range of managed IT services, including helping medical practices with cloud integrations, continuity planning, implementing VOIP solutions, and securing their networks.

Since the provision of those services requires access to systems containing patients’ electronic protected health information, Integrated Technology Group is classed as a business associate under Health Insurance Portability and Accountability Act Rules. Consequently, just like the healthcare clients that the company serves, Integrated Technology Group must also comply with HIPAA Rules. That means implementing safeguards to ensure the confidentiality, integrity, and availability of ePHI and developing, implementing, and maintaining policies and procedures to ensure continued compliance with HIPAA Rules.

Cyberattacks on healthcare organizations are increasing by the day and the HHS’ Office for Civil Rights and state Attorneys General are enforcing compliance with HIPAA Rules much more rigorously. HIPAA compliance has never been more important for healthcare organizations and their business associates.

Integrated Technology Group has always been committed to complying with all aspects of HIPAA Rules and helping its healthcare clients meet their compliance requirements. To demonstrate the company’s commitment to privacy and security and to take its compliance program to the next level, assistance was sought from Compliancy Group.

By undertaking Compliancy Group’s proprietary 6-Stage HIPAA Risk Analysis and remediation process and using Compliancy Group’s proprietary HIPAA compliance tracking software, The Guard®, Integrated Technology Group has demonstrated its compliance program meets the stringent standards of HIPAA and the HITECH Act.

After successful completion of the program, Integrated Technology Group has been awarded Compliancy Group’s HIPAA Seal of Compliance, which demonstrates to healthcare clients that the company can offer an effective, comprehensive compliance solution to medical practices and healthcare organizations of any size or scope.

“Our capacity means your security. Which is why every one of our staff members, from technical staff to marketing personnel, went through extensive, vigorous HIPAA compliance training. The same will be required of each new hire at Integrated Technology Group,” said Paul Meadows, Integrated Technology Group President and CEO.

The post Compliancy Group Confirms Integrated Technology Group is HIPAA Compliant appeared first on HIPAA Journal.

TitanHQ Announces Record Growth in MSP Market and New ‘Margin Maker for MSPs’ Initiative

Cloud security vendor and HIPAA Journal sponsor, TitanHQ, has enjoyed impressive growth in Q3, 2019, registering the busiest quarter for MSP business in the company’s 20+ year history.

From humble beginnings, the company has grown into the leading provider of cloud-based email and web security solutions for managed service providers that service the SMB market. Initially, the firm sold anti-spam appliances to local businesses in Galway, Ireland. Today, the company is a global provider of cloud-based network security solutions for SMBs and MSPs.

The company’s cloud-based network security solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – are used by more than 8,200 businesses around the world and the firm has over 2,200 MSP partners.

TitanHQ’s success in the MSP, OEM, and service provider markets can be attributed to several factors. Many other companies have only considered MSPs after products have been developed, with additional functionality added to appeal to the MSP market. With TitanHQ, MSPs have always been at the core of the design of its security solutions.

The company operates a transparent and flexible pricing policy with highly competitive margins to help MSPs profit from offering TitanHQ’s core cloud-based network security products to their customers and grow their business.

When MSPs join the TitanShield partner program they are provided with extensive sales enablement and marketing support. Each MSP has a dedicated account manager, engineers, and a highly capable support team to help ensure success. By making it as easy as possible for its partners to succeed, the company has reaped the rewards.

The successes of Q3, 2019 look set to continue in Q4 with the launch of a new sales initiative. The Q4 program has been aptly named Margin Maker for MSPs: a disruptive price package covering both its email and web security platforms.

TitanHQ is offering an exclusive ‘once-in-a-lifetime’ price on an email and web security package that protects the two most mission critical vectors, email and the web, from malware, ransomware, botnets, phishing and spear phishing attacks.

The package includes security and breach protection for MSPs, their employees, and MSP clients, which is provided in two private clouds that can be customized to meet the needs of MSP partners. The package will ensure MSPs can build profitability instantly in Q4.

UK-based MSP, OpalIT, is already reaping the benefits of the new initiative. OpalIT operates out of Newcastle and Edinburgh and has recently transitioned from Vade and Barracuda and is now offering its clients all three TitanHQ solutions – SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving – to its 6,000+ customer base and is reaping the rewards.

“Opal IT moved to TitanHQ because of our MSP focused solutions, ease of deployments, extensive API functionality and the increased margin they’re now making,” explained Rocco Donnino, EVP Strategic Alliances, TitanHQ. “Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach.”

MSPs are encouraged to meet the TitanHQ team at key MSP events in October and November to learn more about the Margin Maker for MSPs initiative and the TitanShield partner program.


Atlantic.Net Recognized in Gartner 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations

Gartner has published its 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations (HDOs). The report contains an analysis of the healthcare cloud market and explains how the cloud can be a viable option for healthcare organizations seeking greater efficiency and flexibility than is achievable with traditional on-premises infrastructure.

Many healthcare organizations are now realizing the value of cloud-based solutions and how intelligent use of the cloud can help improve efficiency, eliminate waste, and drive down the cost of healthcare delivery. The industry may lag behind other sectors in terms of cloud adoption, but the landscape is changing fast as the healthcare cloud market matures.

Healthcare CIOs are now viewing the cloud as an extension of their internal infrastructure. Initially there was a great deal of skepticism about the cloud due to the security risks and the potential for costs to spiral out of control, but there is now widespread acceptance in the healthcare industry that the cloud can serve as an IT service delivery model. There are tangible benefits to be gained from adopting cloud-based infrastructure and cloud services, HIPAA regulations can be satisfied, and the associated risks can be reduced to a low and acceptable level.

Gartner has responded to the growth in cloud adoption in healthcare by producing a market guide for HDOs. The guide defines and describes the market, analyzes the direction the market is taking, and details the most notable vendors that are helping HDOs transition to the cloud.

Gartner has divided the market into four tiers to help healthcare organizations differentiate cloud companies and their offerings. The top tier naturally includes the large cloud service providers (CSPs) such as Amazon (AWS), Microsoft (Azure), IBM (IBM Cloud) and Google (Google Cloud). The second tier contains smaller CSPs that offer more specialist solutions for the healthcare industry such as Healthcare Blocks and Virtustream.

The third tier consists of vertical market players that offer hosting for electronic health records. In this tier are hosting companies such as Atlantic.Net that provide secure, HIPAA-compliant hosting services for electronic health records to allow EHRs to be accessed from any location in real-time, along with HIPAA-compliant hosting for databases, websites, and cloud-based storage services.

In the final tier are platform-as-a-service providers. These are integrated delivery networks that have developed their own cloud-based products for internal use and are now selling those products to other healthcare systems to use under license, such as UK Cloud Health.

This is the second year that the Market Guide for Cloud Service Providers to HDOs has been produced and the second time that Atlantic.Net has been named in the market guide.

“We are honored to be named in this report, which we believe further solidifies our standing within distinguished security and compliance service providers,” said Marty Puranik, CEO of Atlantic.Net. “I attribute this success to our team members and skilled engineers, who strive to deliver technological solutions with a human touch.”

Gartner’s 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations can be downloaded here (subscription required).


Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station.

Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk.

The flaws require a high level of skill to exploit in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would have a clinical impact. Philips does not believe the flaws are being actively exploited.

The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely login via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an executable file from a remote location without performing checks to verify the origin and integrity of the code. The flaws have each been assigned a CVSS v3 base score of 6.4 out of 10.

The following Philips products are affected:

  • IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
    • WLAN Version A, Firmware A.03.09
  • IntelliVue MP monitors MP5/5SC (M8105A/5AS)
    • WLAN Version A, Firmware A.03.09, Part #: M8096-67501
  • IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)
  • IntelliVue MP monitors MX800/700/600 (865240/41/42)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)

WLAN Version B is obsolete and will not be patched. Philips has advised customers to update to the WLAN Module Version C wireless module if they are using any of the patient monitors affected by the flaws. WLAN Version C with current firmware of B.00.31 is not affected by either vulnerability. Mitigating controls include the use of authentication and authorization via WPA2, implementing a firewall rule on the wireless network, and ensuring physical controls are implemented to restrict access to the system.

The flaw in WLAN Version A will be addressed with a patch which Philips plans to release via Incenter by the end of 2019.


TitanHQ Announces Fall 2019 Schedule of Roadshow Events

TitanHQ, the leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs), has announced its fall 2019 schedule of roadshows, trade shows, and conferences.

These industry events bring together managed service providers (MSPs), Managed Security Service Providers (MSSPs), and IT professionals from around the globe to discuss the latest IT trends and technologies, obtain invaluable advice, and learn best practices to improve efficiency and security and boost profitability.

The TitanHQ team will be attending key MSP events this fall to discuss email security and web security with MSPs. The team will explain to attendees how SpamTitan and WebTitan can lower costs by reducing the time support staff spend resolving malware infections and phishing attacks, along with the key features of the solutions that make them such a popular choice with MSPs.

This week will see the team attend the DattoCon Dublin event on September 17 followed by the Managed Services & Hosting (MSH) Summit in London on September 18, followed by a packed schedule of events throughout October.

If you are an MSP or IT professional looking to improve email and web security, are unhappy with your current service provider, or have yet to implement a web filtering, spam filtering, or email archiving service, be sure to come and meet the TitanHQ team at one of the following fall 2019 events.

Date | Event | Location
--- | --- | ---
September 17, 2019 | Datto Dublin | The Alex Hotel, Dublin, Ireland
September 18, 2019 | MSH Summit | 155 Bishopsgate, London, UK
October 6-10, 2019 | Gitex | Dubai World Trade Centre, Dubai, UAE
October 7-8, 2019 | CompTIA EMEA Show | Park Plaza Westminster Bridge, London, UK
October 16-17, 2019 | Canalys Cybersecurity Forum | SOFIA Barcelona, Spain
October 21-23, 2019 | DattoCon Paris | Palais des Congrès de Paris, Paris, France
October 30, 2019 | MSH Summit North | Hilton Hotel, Manchester, UK
October 30, 2019 | IT Nation Evolve (HTG 4) | Hyatt Regency, Orlando, Florida, USA
October 30, 2019 | IT Nation Connect | Hyatt Regency, Orlando, Florida, USA
November 5-7, 2019 | Kaseya Connect | NH Collection Amsterdam Grand Hotel Krasnapolsky, Amsterdam, Netherlands

If you are unable to attend any of the roadshows and conferences listed above, you can contact TitanHQ by telephone or email to discuss your options, book a product demonstration, and sign up for a no-obligation free trial of all TitanHQ solutions.


Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS v3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v1.6.1.1, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers have been recommended to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain
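The first two mitigations amount to a standing check on the AD role that grants Pyxis ES access: membership must be removed explicitly, because an expired or disabled account that is still in the group is exactly the condition the advisory describes. The following PowerShell audit is an added example, not code from BD, CISA or HIPAA Journal; the group name `Pyxis-ES-Users` is an assumption, and the script needs the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: list members of the AD group that grants Pyxis ES access whose
# account has expired or been disabled but who were never removed from the group.
# 'Pyxis-ES-Users' is a hypothetical group name; substitute the role used at your site.
Import-Module ActiveDirectory

function Find-StalePyxisMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupName = 'Pyxis-ES-Users',   # hypothetical role name
        [switch]$Remove                          # also remove the stale members
    )
    $now = Get-Date
    # -Recursive expands nested groups so indirectly granted access is audited too.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties AccountExpirationDate, Enabled, LastLogonDate
            # AccountExpirationDate is $null for accounts that never expire.
            $expired = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -lt $now)
            if ($expired -or -not $u.Enabled) {
                if ($Remove -and $PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $GroupName")) {
                    Remove-ADGroupMember -Identity $GroupName -Members $u -Confirm:$false
                }
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Enabled        = $u.Enabled
                    Expired        = $expired
                    ExpiresOn      = $u.AccountExpirationDate
                    LastLogon      = $u.LastLogonDate
                    Group          = $GroupName
                }
            }
        }
}

# Report first; run with -Remove -WhatIf to preview removals, then -Remove to apply.
Find-StalePyxisMembers | Format-Table -AutoSize
```

Scheduling this as a daily task turns the advisory's "never rely on expiration dates" into a measurable control: any row in the output is an account that can still reach the cabinet on an affected version.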

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.


82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have the potential to compromise end user safety and result in the loss of intellectual property, operational downtime, and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”


Vulnerability Discovered in Philips HDI 4000 Ultrasound Systems

A vulnerability has been discovered in Philips HDI 4000 Ultrasound systems which could be exploited to gain access to ultrasound images. In addition to stealing data, an attacker could doctor ultrasound images to prevent diagnosis of a potentially life-threatening health condition.

Philips HDI 4000 Ultrasound systems are based on legacy operating systems such as Windows 2000 which are no longer supported. Any vulnerability in the operating system could be exploited to gain access to the system and patient data.

One such vulnerability – CVE-2019-10988 – was detected by security researchers at Check Point, who reported the problem to Philips. US-CERT has recently issued an advisory about the vulnerability.

Philips HDI 4000 Ultrasound systems reached end of life in December 2013 and are no longer sold, updated, or supported by Philips, yet many healthcare organizations continue to use the systems even though they are vulnerable to attack. US-CERT warns that multiple exploits are already in the public domain and could be used to gain access to the systems.

Since the devices are no longer supported, Philips will not be issuing an update or patch to correct the flaw. Until the systems can be retired and replaced, defensive measures should be taken to reduce the risk of the flaws being exploited.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) recommends that users of Philips HDI 4000 Ultrasound systems restrict system access to authorized individuals and apply the principle of least privilege. All accounts and services that are not strictly necessary should be disabled, and defense in depth strategies should be adopted.

It is strongly advisable to replace these aging systems with newer technology that runs on supported operating systems.

According to US-CERT, the vulnerabilities require a relatively high level of skill to exploit and an attacker would need access to the same local subnet as the device, hence the CVSS v3 base score of 3.0 out of 10.


Code Execution Vulnerability Identified in Change Healthcare Cardiology Devices

A vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated user to insert files that could allow the attacker to execute arbitrary code on a vulnerable device.

The vulnerability – CVE-2019-18630 – was identified by Alfonso Powers and Bradley Shubin of Asante Information Security who reported the vulnerability to Change Healthcare. Change Healthcare notified the National Cybersecurity & Communications Integration Center (NCCIC) and a security advisory has now been issued by US-CERT.

The vulnerability has been assigned a CVSS v3 base score of 7.8 out of 10 and is the result of incorrect default permissions in the default installation. While the vulnerability only requires a low level of skill to exploit, an attacker would first need local system access which will limit the potential for the flaw to be exploited.

Change Healthcare has issued an advisory for users of the following cardiology devices:

  • Horizon Cardiology 11.x and earlier
  • Horizon Cardiology 12.x
  • McKesson Cardiology 13.x
  • McKesson Cardiology 14.x
  • Change Healthcare Cardiology 14.1.x

Change Healthcare has developed a patch to correct the vulnerability. All users of the above affected products have been advised to contact their Change Healthcare Support representative to arrange for the patch to be installed.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recommends the following mitigations to reduce the potential for the vulnerability to be exploited until such time as the patch can be applied:

  • Minimize network exposure for control system devices and/or systems
  • Locate medical devices behind firewalls
  • Isolate medical devices as far as is possible
  • Implement safeguards that restrict access to medical devices to authorized personnel
  • Apply the principle of least privilege to access controls
  • Apply defense-in-depth strategies
  • Disable unnecessary accounts, protocols, and services

Prior to implementing any mitigations, healthcare providers should conduct an impact risk analysis and risk assessment.
