Latest HIPAA News

Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients

In June, ransomware was installed on servers and workstations at Salina Family Healthcare in Kansas, resulting in the encryption and potential disclosure of patients’ protected health information.

The attack occurred on June 18, 2017. Salina Family Healthcare was able to limit the extent of the attack by taking swift action to secure its systems. It was also possible to restore the encrypted data from recent backups so no ransom needed to be paid.

A third-party computer forensics firm was contracted to analyze its systems to determine how the ransomware was installed and whether the attackers succeeded in gaining access to or stealing patient data. While evidence of data theft was not uncovered, the firm was unable to rule out the possibility that the actors behind the attack viewed or copied patient data.

The protected health information potentially accessed includes names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance details.

While data access was possible, no reports have been received to suggest any information has been stolen and misused, although patients should be alert to the possibility of data theft and should monitor their accounts and Explanation of Benefits statements closely for any sign of fraudulent activity.

Patients potentially impacted by the attack have now been notified of the security breach and have been offered credit monitoring and identity theft restoration services for 12 months without charge out of an abundance of caution.

Salina Family Healthcare has already taken a number of steps to improve security following the ransomware attack. Those measures include upgrading network servers, regularly scanning the network for viruses, providing the workforce with additional security training on malware threats, and limiting Internet access for staff to reduce exposure.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 77,337 patients and payment guarantors have potentially been impacted by the security incident.

The post Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients appeared first on HIPAA Journal.

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To make the authentication process harder for hackers to defeat, NIST recommends the use of multi-factor authentication, for example a password combined with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. Unicode characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

Forcing the use of special characters, lower case letters and upper case letters is widely assumed to improve password strength, but in reality this may not be the case. Requiring at least one lower case letter, one upper case letter, one number and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.
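The guideline-level advice above (a minimum length with long secrets accepted, no composition rules, screening against breached, dictionary and context-specific words, secure hashed storage, and rate limiting) is easy to get wrong in a login system. The following Python example was written for this page and is not code from NIST or HIPAA Journal; the word lists, the PBKDF2 work factor and the lockout thresholds are constructed placeholders, and a real verifier would load a large breached-password corpus and its own context-specific terms.

```python
"""Memorized-secret checks in the style of NIST SP 800-63B (added example).
Word lists and thresholds are constructed for illustration only."""
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8        # minimum memorized-secret length recommended by NIST
MUST_ACCEPT = 64      # verifiers should accept secrets of at least this length
HARD_MAX = 256        # assumed upper bound ("within reason") to cap hashing cost

# Constructed stand-in for a breached-password corpus.
BREACHED = {"password", "password1", "password1!", "123456", "qwerty", "letmein"}
# Constructed dictionary; words shorter than MIN_LENGTH are pruned, since they
# could never be accepted as a whole secret anyway.
DICTIONARY = {w for w in {"cat", "hospital", "radiology", "treatment"}
              if len(w) >= MIN_LENGTH}
# Constructed context-specific words for a hypothetical hospital deployment.
CONTEXT_WORDS = ("server1", "mripassword", "hipaa")
PBKDF2_ITERATIONS = 200_000   # constructed work factor; tune to your hardware


def normalize(secret):
    # NFKC so visually identical Unicode strings compare and hash the same way
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret):
    """True for aaaaaaaa, 12341234, abcabc, 1234abcd and similar patterns."""
    s = secret.lower()
    if re.search(r"(.)\1{3,}", s):          # one character repeated 4+ times
        return True
    if re.fullmatch(r"(.+?)\1+", s):        # whole secret is a repeated block
        return True
    for i in range(len(s) - 3):             # rising run of 4 (1234, abcd)
        if all(ord(s[i + j + 1]) - ord(s[i + j]) == 1 for j in range(3)):
            return True
    return False


def check_memorized_secret(secret, username=""):
    """Return the reasons a secret should be rejected ([] means accept).
    Deliberately no composition rules: mixed case/digits/symbols are not required."""
    secret = normalize(secret)
    lowered = secret.lower()
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > HARD_MAX:
        problems.append(f"longer than {HARD_MAX} characters")
    if lowered in BREACHED:
        problems.append("appears in breached-password list")
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    for word in CONTEXT_WORDS:
        if word in lowered:
            problems.append(f"contains context-specific word '{word}'")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if is_repetitive_or_sequential(secret):
        problems.append("repetitive or sequential characters")
    return problems


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for storage; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret, salt, digest):
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


class FailedAttemptLimiter:
    """Per-account throttle: after `limit` failures inside `window` seconds,
    further attempts are refused until old failures age out (constructed limits)."""

    def __init__(self, limit=5, window=900):
        self.limit, self.window = limit, window
        self._failures = {}   # account -> list of failure timestamps

    def allowed(self, account, now):
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        return len(recent) < self.limit

    def record_failure(self, account, now):
        self._failures.setdefault(account, []).append(now)


if __name__ == "__main__":
    for candidate in ("Password1!", "12341234", "correct horse battery staple"):
        print(repr(candidate), check_memorized_secret(candidate, "jsmith") or "accepted")
```

The checker returns a list of reasons rather than a bare yes/no so the login or enrolment form can give the user the kind of feedback a password strength meter provides; note that "Password1!" is rejected for being a known breached password, not for failing any composition rule, and a four-word space-separated phrase passes unchanged.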


Philips Ships DoseWise Portal with Serious Vulnerabilities

The Philips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ICS-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data.

Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10.

The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS V3 rating of 6.5 out of 10.

ICS-CERT is unaware of any publicly available exploits for the vulnerabilities, although healthcare organizations have been advised to implement mitigations. Until a new DWP version is released – which is expected later this month – healthcare organizations have been advised to ensure network security best practices are implemented and port 1433 is blocked if a separate SQL server is not being used.

Best practices include minimizing network exposure by ensuring the devices/systems are not accessible from the Internet, locating the systems/devices behind firewalls, and isolating them from the business network. If remote access is required, systems should only be accessed via a VPN that has been updated to the latest version.

Philips says the vulnerable versions are 1.1.7.333 and 2.1.1.3069. Philips will be releasing a new version of DWP (2.1.2.3188) for users of DWP version 2.1.1.3069, which will update the authentication method and remove the hard-coded password vulnerabilities. DWP version 1.1.7.333 will be updated to change and fully encrypt stored passwords.

Publicly Available Exploits Exist for Siemens CT/PET System Vulnerabilities

The ICS-CERT warning comes just a few days after a warning about four serious vulnerabilities in Siemens CT and PET systems that could be remotely exploited to gain access to the devices. In that case, exploits for the vulnerabilities are publicly available. The vulnerabilities have existed for at least two years and affect the Windows 7 OS on which the Siemens CT/PET systems are based.

With hackers increasingly targeting healthcare organizations to gain access to medical data and extort money, it is essential that medical device and app developers conduct more extensive security tests to ensure vulnerabilities are identified and corrected before the devices come to market. Post market vulnerability testing is also essential to make sure the devices remain secure throughout their life cycles.


Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – the third lowest monthly total in 2017 and a major reduction from the previous month, when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually less numerous than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed/stolen as a result of hacking incidents than breaches involving insiders. Hacking incidents impacted 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total) which resulted in the theft/exposure of 24,212 records. Three were attributed to errors by insiders with five caused by insider wrongdoing. 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.


August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame. August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009.

As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000.

The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far in 2017.

In contrast to other industries, the biggest cause of data breaches is insiders (Protenus/databreaches.net): Both deliberate actions by ‘bad apples’ and accidental breaches as a result of simple errors and negligence. Hacking (including malware/ransomware attacks) is the second biggest cause.

Healthcare Organizations Should Not Ignore the Threat from Phishing

Many healthcare data breaches occur as a result of phishing. Research conducted by PhishMe suggests 91% of data breaches start with a phishing email, with the attackers using phishing to obtain login credentials or install malware/ransomware.

A recent Global Threat Intelligence Report released by NTT Security showed the extent to which phishing is used to distribute malware. In Q2, 2017, 67% of malware attacks saw malware delivered via phishing emails.

Jon Heimerl, manager of the Threat Intelligence communications team, pointed out that while phishing is used extensively to spread malware, it isn’t often rated as one of the biggest threats. Heimerl said, “I have not seen any studies where CISOs are saying their No. 1 concern is phishing attacks. If you went around a room, it would likely be ransomware and DDoS as the No. 1 and No. 2 things on their mind, in my view.”

Countering the threat from phishing requires software solutions to block spam emails from being delivered to end users, security awareness training to teach employees how to identify email threats, and phishing simulations to put security awareness training to the test and identify vulnerable individuals in need of further training.

New Exploit Kit and Recent Ransomware Attacks Highlight Importance of Prompt Patching

Email remains the main delivery vector for malware, although the WannaCry attacks showed that malware can easily be installed if patch management practices are poor. The ransomware attacks were made possible by the release of exploits by the hacking group Shadow Brokers combined with poor patching practices. Prompt patching would have protected organizations against WannaCry.

Exploit kits also pose a threat. Exploit kits are web-based tools that probe for vulnerabilities in browsers and plugins. Exploits are loaded to the kit that are used to silently download malware when a visitor to a domain hosting the kit is discovered to have a vulnerable browser.

This week, a new exploit kit has started to be offered on underground forums at cut price rates. For as little as $80 a day, cybercriminals can rent the new Disdain exploit kit and use it to spread malware. Exploit kit activity has fallen over the past 12 months, although the threat of web-based attacks should not be ignored.

The Disdain exploit kit can leverage at least 15 vulnerabilities to download malicious payloads, including vulnerabilities in Firefox (CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710), Internet Explorer (CVE-2017-0037, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551), IE and Edge (CVE-2016-7200), Adobe Flash (CVE-2016-4117, CVE-2016-1019, CVE-2015-5119), and Cisco Web Ex (CVE-2017-3823). While many of these vulnerabilities are relatively new, patches have been released to address all of the flaws.


To reduce the risk of exploit kit attacks, healthcare organizations should ensure all browsers are updated automatically and regular checks are performed to ensure all employees are using the latest versions. A web filtering solution is also beneficial to block access to domains known to be used for malware distribution, host exploit kits or phishing.


HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization.

The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas.

The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months.

While these results are encouraging, there is still considerable room for improvement. 15% of organizations are not conducting annual risk assessments and 25% do not have an insider threat management program, even though insiders are the biggest cause of healthcare data breaches.

HIMSS says, “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”

A majority of respondents have adopted at least one cybersecurity framework, the most popular being the NIST CSF (62%) followed by HITRUST CSF (25%) and ISO (25%). Organizations that have hired a CISO are much more likely to implement a cybersecurity framework. Only 5% of organizations with a CISO have not adopted the NIST CSF.

Healthcare organizations now appreciate the importance of conducting regular security awareness training for the workforce, such as training employees how to recognize phishing emails and social engineering attacks and the importance of reporting potential security incidents to the IT department. 87% of respondents said they run security awareness training sessions for the workforce at least once a year.

60% of respondents said they now employ a senior information security leader such as a CISO to oversee their cybersecurity programs and 80% have dedicated cybersecurity staff.

71% of respondents said they divert some of their budget to cybersecurity, with 60% allocating 3% or more of their budget to their cybersecurity program.

When asked about the biggest threats, the greatest concerns were medical device security, patient safety – especially in relation to attacks on medical devices – PHI breaches, and malware.

Rod Piechowski, senior director, health information systems, HIMSS said, “This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”

Full details of the findings of the HIMSS 2017 Cybersecurity Survey are available on this link.


$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement.

Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states.

Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes.

The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies.

In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly sensitive data such as Social Security numbers, driver’s license numbers, and credit scoring information.

The hackers gained access to its systems via a vulnerability in a third-party web application. While not all data breaches are the fault of the breached entity, in this case the breach could easily have been prevented. A patch to address the critical vulnerability had been released by the third-party software company three years earlier. Nationwide had failed to apply the patch. The patch was only applied after the breach occurred.

The data breach investigation was led by Attorneys General for Connecticut, the District of Columbia, Florida and Maryland. Connecticut Attorney General George Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”

Attorney General Schneiderman said, “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” Schneiderman went on to say, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”

The settlement was agreed under a no-fault agreement. In addition to the financial penalty, Nationwide is required to ensure its software is kept up to date, including third-party software applications, and data security must be improved. Nationwide is also required to hire a technology officer to monitor and manage patches and software updates and update its policies and procedures for storing and maintaining consumers’ personal information.

Nationwide must also make clear to consumers that their personal information is retained, even if they do not sign up for insurance policies with the company or its subsidiaries.

Nationwide is not a HIPAA-covered entity, but the settlement does serve as a warning for healthcare organizations that fail to adopt security best practices. OCR is not the only regulator that can issue large fines for the failure to protect sensitive information.

This is just one of several actions taken by attorneys general for data breaches and the response to them. Earlier this year, CoPilot Provider Support Services Inc., was fined $130,000 by the New York Attorney General.

In that case, the fine was not for the breach but the lack of action afterwards. The breach occurred in October 2015, CoPilot contacted the FBI about the incident in February 2016, then delayed the issuing of breach notification letters until January 2017. The fine was not for a HIPAA violation, but a breach of General Business Law § 899-aa for unnecessarily delaying breach notifications to consumers.


U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient.

Jessie’s Law takes its name from Michigan resident Jessica Grubb, who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for 6 months.

Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use.

The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed about the medical histories of recovering addicts, while preserving the privacy of patients. The new bill states a “history of opioid use disorder should, only at the patient’s request, be prominently displayed in the medical records (including electronic health records).”

The Department of Health and Human Services will be required to publish guidelines on when healthcare providers are permitted to prominently display details of a patient’s history of opioid use on their medical record.

Jessie’s mother Kate Grubb said, “I am ever so grateful for the passage of Jessie’s Law; it eases a mother’s aching heart that this law will save other lives and give meaning to Jessie’s death.”

The bill will now proceed to the U.S. House of Representatives’ Committee on Energy and Commerce for consideration.

Legislation Proposed to Align Part 2 Regulations with HIPAA to Improve Patient Care

Congressmen Tim Murphy and Earl Blumenauer introduced a similar bill – The Overdose Prevention and Patient Safety (OPPS) Act (HR 3545) – late last month. The bill is intended to align 42 Code of Federal Regulations Part 2 (Part 2) with HIPAA rules and will ensure doctors have access to their patients’ complete medical histories, including details of addiction treatment. Under Part 2, details of addiction treatment are currently prohibited from being shared with doctors. Without access to full medical records, tragic incidents such as what happened to Grubb could occur time and again.

Rep. Murphy said, “The Overdose Prevention and Patient Safety Act will allow doctors to deliver optimal, lifesaving medical care, while maintaining the highest level of privacy for the patient.” Murphy also explained that while sharing sensitive information on substance use will help patients get the care they need, patient privacy must be protected. “We do not want patients with substance use disorders to be made vulnerable as a result of seeking treatment for addiction, this legislation strengthens protections of their records.”

The Overdose Prevention and Patient Safety Act reads, “Any record…that has been used or disclosed to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient in violation of paragraphs (1) or (2), shall be excluded from evidence in any proposed or actual proceedings relating to such criminal charges or investigation and absent good cause shown shall result in the automatic dismissal of any proceedings for which the content of the record was offered.”

A coalition of more than 30 healthcare stakeholders wrote to Reps Murphy and Blumenauer to express support for the bill. In the letter, the coalition points out that while the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released a final rule that will modernize Part 2, the final rule does not go far enough.


Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks.

The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase.

While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the products. Many medical devices have been found to contain a slew of vulnerabilities that could be exploited by cybercriminals.

Yesterday, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning about vulnerabilities in Siemens CT and PET scanner systems. The four vulnerabilities could all be exploited remotely, and ICS-CERT said attacks would require a low skill level.

In March last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion. The drug cabinet system was found to have 1,418 vulnerabilities.

Last year, flaws were discovered in St. Jude Medical devices that, if exploited, would cause the devices to malfunction.

Medical devices are coming to market that have not been adequately tested for security flaws. The problem is widespread. Earlier this year, researchers from security firm WhiteScope conducted an analysis of implantable cardiac devices and programmers. The researchers discovered more than 8,000 security flaws in multiple devices.

A new form of MedJack malware was discovered earlier this year. The malware was developed specifically to attack medical devices such as heart monitors and MRI machines. An earlier version of the malware was used to attack medical devices at three hospitals in 2016.

As Blumenthal correctly points out, “The security of medical devices is in critical condition.” The new bill seeks to address the problem and improve the security of medical devices and increase transparency. If passed, the Medical Device Cybersecurity Act would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.

Blumenthal points out in a recent blog post, “My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

The Medical Device Cybersecurity Act of 2017 would amend the Federal Food, Drug and Cosmetic Act. Some of the key changes detailed in the Medical Device Cybersecurity Act of 2017 are:

Require all medical devices to be thoroughly tested for vulnerabilities before sale. A cyber report card would be created for devices that would detail the tests that have been performed.

Remote access protections would need to be incorporated into devices to prevent unauthorized access from inside and outside of hospitals.

The bill would require crucial cybersecurity fixes and updates to remain free and not require FDA recertification.

Manufacturers would be required to issue guidance for end-of-life of the devices, detailing how the devices should be disposed of to avoid the exposure of sensitive data. Blumenthal also proposes that ICS-CERT’s responsibilities are expanded to include medical devices.
