Multiple Security Vulnerabilities Identified at Arizona VA Healthcare System

A recent inspection of the Northern Arizona VA Healthcare System by the Department of Veterans Affairs Office of Inspector General (OIG) found deficiencies in all three security control areas that were investigated – configuration management, security management, and access controls.

The Northern Arizona VA Healthcare System includes the Bob Stump Department of Veteran Affairs Medical Center in Prescott and 11 clinics in the state and serves approximately 33,000 veterans. The inspection was performed as the Northern Arizona VA Healthcare System had not previously been visited as part of a Federal Information Security Modernization Act of 2014 (FISMA) audit.

The inspection revealed the Northern Arizona VA Healthcare System had deficiencies in four configuration management controls – vulnerability management, flaw remediation, unsupported components, and baseline configurations. While the VA has a vulnerability management program, the inspectors identified vulnerabilities that the Office of Information and Technology (OIT) had failed to identify, even though the same scanning tools were used. Many of those vulnerabilities were rated critical or high severity.

Several devices were found to be missing security patches. Patches were available to address the critical and high-severity flaws but they had not been applied, leaving the devices at risk of unauthorized access, alteration, or destruction. Components continued to be used despite reaching end-of-life. For instance, 71 of the 80 healthcare system network switches were using operating systems that were no longer supported by the vendor, which means security patches are no longer issued. Consequently, weaknesses and vulnerabilities would not be addressed and could be exploited by malicious actors. Baseline configurations were identified that deviated from the OIT baseline. For instance, a local database had multiple vulnerabilities as a result of baseline configurations that deviated from the OIT baseline. If the OIT baseline configuration is not used, OIT would be unaware of any weaknesses impacting the database.

One deficiency was identified in security management – continuous monitoring of the inventory. The inspectors found almost twice as many devices on the network as were recorded in the VA’s cybersecurity management service for workflow automation and continuous monitoring (eMASS). While OIT had an inventory of devices that contained most of the networked devices, the inventory was not routinely updated in eMASS. As a result of the failure to update the inventory, management was making risk decisions based on inaccurate system information.
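The three configuration-management gaps described above (unapplied patches past their remediation window, components past vendor end-of-support, and a network inventory that no longer matches what is actually connected) are exactly the checks a site can automate between audits. The following is an added example written for this page, not code from the OIG report, the VA or eMASS: it reconciles a constructed network discovery result against a constructed inventory of record and flags each gap. The inventory fields, the end-of-support table, the remediation windows by severity and all device names are assumptions made for illustration.

```python
"""Added example (not from the OIG report or HIPAA Journal): reconcile a network
discovery result against the inventory of record and flag three gaps the
inspection describes: devices missing from the inventory, devices running
end-of-life software, and patches still unapplied past their deadline.
All data, field names and policy values below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Constructed vendor end-of-support table (hypothetical OS names and dates).
END_OF_SUPPORT = {
    "switchos-12": date(2021, 6, 30),
    "switchos-15": date(2026, 12, 31),
    "dbserver-2016": date(2022, 1, 14),
}

# Remediation windows by severity, in days (assumed policy values).
REMEDIATION_DAYS = {"critical": 30, "high": 60, "moderate": 90, "low": 180}


@dataclass
class Device:
    hostname: str
    os: str
    # Each entry: (patch id, severity, date the patch became available).
    missing_patches: list = field(default_factory=list)


def unregistered_devices(discovered, inventory):
    """Hostnames seen on the network but absent from the inventory of record."""
    known = {d.hostname for d in inventory}
    return sorted(d.hostname for d in discovered if d.hostname not in known)


def end_of_life(devices, today):
    """Devices whose OS is past vendor end-of-support, so no patches are issued.
    An OS with no known support date is treated as unsupported (fail closed)."""
    out = []
    for d in devices:
        eos = END_OF_SUPPORT.get(d.os)
        if eos is None or eos < today:
            out.append((d.hostname, d.os))
    return out


def overdue_patches(devices, today):
    """Missing patches whose remediation deadline has already passed.
    Returns (hostname, patch id, severity, days past deadline)."""
    out = []
    for d in devices:
        for patch_id, severity, available in d.missing_patches:
            age = (today - available).days
            limit = REMEDIATION_DAYS[severity]
            if age > limit:
                out.append((d.hostname, patch_id, severity, age - limit))
    return out


def audit(discovered, inventory, today):
    """Combine the three checks; inventory_ratio > 1 means unrecorded devices."""
    return {
        "unregistered": unregistered_devices(discovered, inventory),
        "end_of_life": end_of_life(discovered, today),
        "overdue_patches": overdue_patches(discovered, today),
        "inventory_ratio": len(discovered) / max(len(inventory), 1),
    }


# Constructed sample data: three devices of record, six actually on the network.
INVENTORY = [
    Device("sw-01", "switchos-12"),
    Device("sw-02", "switchos-15"),
    Device("db-01", "dbserver-2016"),
]
DISCOVERED = [
    Device("sw-01", "switchos-12", [("SA-2023-017", "critical", date(2023, 3, 1))]),
    Device("sw-02", "switchos-15"),
    Device("sw-03", "switchos-12"),
    Device("db-01", "dbserver-2016", [("DB-2023-004", "high", date(2023, 5, 20))]),
    Device("printer-07", "unknown-fw"),
    Device("ws-101", "switchos-15", [("SA-2023-021", "low", date(2023, 6, 1))]),
]
TODAY = date(2023, 7, 1)

if __name__ == "__main__":
    for key, value in audit(DISCOVERED, INVENTORY, TODAY).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the audit reports three devices the inventory does not know about (a 2:1 discovered-to-recorded ratio, the same kind of gap the inspectors found), four devices on unsupported software, and one critical patch 92 days past its window. In practice the discovery list would come from the same scanning tools the report mentions and the inventory from the system of record; the point of the reconciliation is that risk decisions are made against what is actually on the network.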

The inspectors also found seven deficiencies in access controls: physical access, video surveillance, environmental controls, equipment installation, emergency power, fire protection controls, and water detection. For instance, the healthcare system had an automated physical access control system where employees use badges to enter buildings and rooms, but it had not been fully deployed, with staff often using keys for access. While key inventories are required every six months, they had not been conducted in more than two years due to locksmith turnover and the failure to accurately track key distribution.

The OIG made 11 recommendations, six to the assistant secretary for information and technology and chief information officer and five to the Northern Arizona VA Healthcare System director. VA IT management and the Northern Arizona VA Healthcare System director concurred with all of the recommendations. The recommendations include implementing an effective vulnerability management program, ensuring vulnerabilities are remediated within established time frames, transitioning unmanaged databases to the VA Enterprise Cloud, ensuring all network devices maintain vendor support, implementing an improved inventory process, ensuring network infrastructure is properly installed, and ensuring physical access controls are implemented.

While the findings of the audit were specific to the Northern Arizona VA Healthcare System, similar vulnerabilities are likely to exist in other VA healthcare systems. The OIG recommends all VA healthcare systems review the findings of the inspection and implement the same recommendations if similar security deficiencies are identified.

The post Multiple Security Vulnerabilities Identified at Arizona VA Healthcare System appeared first on HIPAA Journal.

Vulnerabilities Identified in Popular Telemedicine Software Development Kit

Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that supports the real-time chat and video applications used by many telemedicine providers.

The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research, who collaborated to look into the security of the popular QuickBlox SDK and API, which support applications used in telemedicine, finance, and smart IoT devices. The SDK and API are provided to mobile and web application developers to deliver user management, real-time public and private chats, and security features that support HIPAA and GDPR compliance.

The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-31184 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and is due to the use of hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.

The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications, together with an insecure QuickBlox API, would allow malicious actors to gain access to the PHI of millions of users.
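The root cause of the first flaw, secrets embedded in the shipped application, is a defect a development team can catch before release by scanning its own build artifacts. The following is an added example for this page, not QuickBlox's code or the researchers' proof of concept: it scans a constructed set of build files for configuration values that look like embedded API secrets, combining a key-name pattern with a Shannon-entropy test so that real tokens are flagged while placeholders and low-entropy labels are not. The file paths, key names, token values, placeholder list and entropy threshold are all constructed assumptions; the scanner generalizes beyond any one SDK.

```python
"""Added example (not QuickBlox's code or the researchers' exploit): a
release-time check for hard-coded credentials in client build artifacts.
It flags config values whose key name suggests a secret and whose value has
enough entropy to be a real token. All paths, keys, values and thresholds
below are constructed assumptions for illustration."""
import math
import re

# Key names that commonly hold secrets (assumed list; extend per project).
# Matches `key = value`, `key: value` and quoted JSON-style pairs.
SECRET_KEY_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_.-]*(?:secret|token|password|api[_-]?key|auth)[A-Za-z0-9_.-]*)'
    r'["\']?\s*[:=]\s*["\']?(?P<value>[A-Za-z0-9+/=_\-]{8,})',
    re.IGNORECASE,
)
# Values that are obviously not credentials (assumed list).
PLACEHOLDERS = {"changeme", "placeholder", "your_secret_here", "xxxxxxxx"}
MIN_ENTROPY = 3.0  # bits per character; assumed threshold for "looks random"


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(files):
    """files: {path: text}. Returns [(path, line_no, key)] for values that
    look like embedded secrets; placeholders and low-entropy values are skipped."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in SECRET_KEY_RE.finditer(line):
                value = m.group("value")
                if value.lower() in PLACEHOLDERS:
                    continue
                if shannon_entropy(value) < MIN_ENTROPY:
                    continue
                findings.append((path, line_no, m.group("key")))
    return findings


# Constructed build artifacts: one real-looking token, one placeholder,
# one low-entropy debug value, and one documentation placeholder.
SAMPLE_BUILD = {
    "app/src/main/assets/config.properties": (
        "chat.endpoint=https://chat.example.invalid\n"
        "chat.app_secret=Qm7xL2pR9vT4kN8wZ3yH6bJ1\n"  # constructed token
        "chat.timeout_seconds=30\n"
    ),
    "app/config.json": '{"auth_token": "changeme", "debug_password": "aaaaaaaa"}\n',
    "README.md": "Set API_KEY=your_secret_here before building.\n",
}

if __name__ == "__main__":
    for path, line_no, key in find_hardcoded_secrets(SAMPLE_BUILD):
        print(f"{path}:{line_no}: hard-coded secret in key '{key}'")
```

On the constructed input only the real-looking token in config.properties is reported; the placeholder and the all-same-character debug value are filtered. A finding like this should be fixed by removing the secret from the client entirely rather than obfuscating it: anything shipped in an app bundle can be read out, which is the condition the researchers exploited, so the application secret belongs on a backend that hands each authenticated user a short-lived, per-user session token instead.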

The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.

Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to prevent the flaws from being exploited.

The post Vulnerabilities Identified in Popular Telemedicine Software Development Kit appeared first on HIPAA Journal.