Shield Data Network Confirmed as HIPAA Compliant

The Durham, NC-based digital medical record retrieval service, Shield Data Network, has recently been confirmed as HIPAA compliant by Compliancy Group.

Shield Data Network streamlines, centralizes, and secures the process of obtaining medical records for cases or claims. The service saves its clients time, reduces the administrative burden of retrieving medical records, and ensures data privacy. It is used by law firms, insurance companies, and other entities that require access to patient health records.

Because its service requires access to medical records, Shield Data Network is classed as a business associate under HIPAA and is required to comply with certain provisions of the HIPAA Rules. The team at Shield Data Network consists of experienced professionals who have spent years in the medical record retrieval industry, so they are well aware of the importance of HIPAA compliance. To ensure the company is fully compliant with the HIPAA Rules, Shield Data Network chose to adopt Compliancy Group’s HIPAA compliance methodology.

Compliancy Group has developed a HIPAA compliance software solution called The Guard, which HIPAA-regulated entities can use to track their compliance efforts and ensure that they address all appropriate provisions of the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules and the HITECH Act. Compliancy Group has developed an implementation program that includes a 6-stage risk analysis and remediation process, and after completing the program, clients are assessed to determine if they are HIPAA-compliant.

Compliancy Group’s HIPAA experts assessed Shield Data Network and confirmed that it was fully compliant with the requirements of HIPAA and the HITECH Act and had implemented an effective program to ensure compliance is maintained over time. As such, Shield Data Network was awarded the HIPAA Seal of Compliance, which demonstrates to current and future clients that Shield Data Network is committed to ensuring the privacy and security of electronic protected health information and is fully compliant with the HIPAA Rules.

The post Shield Data Network Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

Critical RCE Vulnerability Identified in Medtronic Paceart Optima System

A critical vulnerability has been identified in the Medtronic Paceart Optima System, which is used to compile and manage patients’ cardiac data. The vulnerability is tracked as CVE-2023-31222 and is due to the deserialization of untrusted data. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

The vulnerability affects all versions of Paceart Optima up to and including version 1.11 and can be exploited remotely by an unauthorized user by sending specially crafted messages to the Paceart Optima system. Successful exploitation of the flaw would allow an attacker to remotely execute arbitrary code and gain a foothold for network penetration. The flaw could also be exploited to trigger a denial-of-service condition resulting in the Paceart Optima system becoming slow and unresponsive, preventing healthcare delivery organizations from using the system.

The flaw can only be exploited if the optional Paceart Messaging Service is enabled in the Paceart Optima system. An immediate mitigation to prevent the flaw from being exploited is to disable that service on the Application Server. Medtronic has provided instructions for manually disabling the Paceart Messaging Service on the Application Server and disabling message queuing on the Application Server, which will fully mitigate the vulnerability. Healthcare delivery organizations running a combined Application Server and Integration Server should contact Medtronic for mitigation advice.

Medtronic has fixed the vulnerability in v1.12, and healthcare organizations should contact Medtronic to schedule the update; however, the recommended mitigation steps should be followed to prevent exploitation until the update is installed. Medtronic said the vulnerability was discovered during routine monitoring and there have been no detected instances of the vulnerability being exploited.

CISA recommends additional defensive measures to improve security and reduce the risk of exploitation of vulnerabilities. These include minimizing network exposure and ensuring control systems are not accessible from the Internet, locating control system networks and devices behind firewalls, and only using secure methods for remote access, such as VPNs.

The post Critical RCE Vulnerability Identified in Medtronic Paceart Optima System appeared first on HIPAA Journal.