High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer

Posted by Steve Alder

Two high-severity vulnerabilities have been identified in the free-to-use MicroDicom DICOM Viewer, which is used to view and manipulate DICOM images. Successful exploitation of the vulnerabilities could lead to remote code execution and memory corruption.

The first is a heap-based buffer overflow vulnerability tracked as CVE-2024-22100 which can be exploited in a low-complexity attack by tricking a user into opening a malicious DCM file, which would allow a remote attacker to execute arbitrary code on vulnerable versions of the DICOM Viewer.

The second vulnerability is an out-of-bounds write issue due to a lack of proper validation of user-supplied data. Successful exploitation of the flaw could result in memory corruption within the application. The vulnerability is tracked as CVE-2024-25578.

The vulnerabilities affect MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior versions and have been fixed in version 2024.1. Users have been advised to update to the latest version as soon as possible. There are currently no indications that the vulnerabilities have been exploited in attacks.

The post High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer appeared first on HIPAA Journal.

How to Write an HHS OIG Complaint

Posted by Steve Alder

The best way to write an HHS OIG complaint to increase the chances of the complaint being investigated is to prepare a narrative explaining the nature, scope, and time frame of the activity being complained about, and how you came to learn about the activity. When you submit the complaint, the chances of the complaint being investigated are further improved if you can provide supporting evidence and the contact information of a third party who can corroborate the narrative.

Each year, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) receives thousands of complaints, tips, and reports of alleged fraud, waste, and abuse in Federal healthcare programs. HHS OIG does not have the resources to investigate every one, so it prioritizes complaints according to the type of activity and the evidence submitted to support the complaint.

In addition, HHS OIG only has the authority to investigate complaints relating to certain activities, and many complaints can be rejected after being reviewed for relevance. The activities HHS OIG has the authority to investigate include:

  • Whistleblower complaints about fraud, waste, and abuse in HHS programs.
  • False or fraudulent (overpriced) claims submitted to Medicare or Medicaid.
  • Kickbacks or inducements for referrals by Medicare or Medicaid providers.
  • Medical identity theft involving Medicare and/or Medicaid beneficiaries.
  • The failure of a hospital to evaluate and stabilize an emergency patient.
  • Patient abuse or neglect in nursing homes and long-term care facilities.
  • Human trafficking by HHS employees, grantees, and contractors.
  • Crimes, gross misconduct, or conflicts of interest involving HHS employees, recipients of HHS grants, or HHS contractors.

Complaints relating to Medicare policies, coverage, claims, and payment decisions, Social Security fraud, identity theft unrelated to HHS programs, and discrimination within HHS departments are not investigated by HHS OIG. Complaints of this nature will be rejected on review without the complainant being notified of the decision. Therefore it is important that when you write an HHS OIG complaint, the nature of the activity is one that HHS OIG has the authority to investigate.

How to Submit an HHS OIG Complaint

There are various ways to submit an HHS OIG complaint. The most effective is the online OIG HHS Hotline because this method of submitting an HHS OIG complaint allows complainants to upload documents in support of the complaint electronically. Alternative methods such as mail and fax are not so easy to use; and, if you use mail, you are advised not to send original documents, digital media, or physical devices because these will not be returned even if the complaint is rejected.

When you submit an HHS OIG complaint online, you also have the option of requesting confidentiality inasmuch as your identity is only known to HHS OIG investigators (unless a disclosure is required by law). You may also submit complaints anonymously, but this course of action precludes HHS OIG from investigating a complaint as a whistleblower retaliation complaint, and may hinder the initial review and/or the subsequent investigation into your compliant.

If your complaint is investigated and upheld, there are several potential outcomes depending on the nature of the activity. Most upheld fraud, waste, and abuse complaints and violations of the HHS OIG anti-kickback regulations are resolved by a civil monetary penalty and/or a Corporate Integrity Agreement. However, more serious complaints, criminal complaints, and the failure of a hospital to evaluate and stabilize an emergency patient are likely to result in exclusion from HHS programs.

Individuals concerned about the potential consequences of submitting an HHS OIG complaint – or who need help to write an HHS OIG complaint – are advised to speak with an HHS OIG advisor on 1-800-477-8477 (1-800-HHS-TIPS). Alternatively, if you would prefer independent advice before speaking with an HHS OIG advisor, it is recommended you speak with a legal professional who has experience in healthcare regulatory compliance.

The post How to Write an HHS OIG Complaint appeared first on HIPAA Journal.

CISA, FBI Share Latest Threat Intelligence on Phobos Ransomware

Posted by Steve Alder

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have shared the latest threat intelligence about Phobos ransomware, which has been used to attack municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities. Phobos ransomware is related to multiple ransomware variants, including Elking, Eight, Devos, Backmydata, and Faust ransomware. The Backmydata variant was used in a February 2024 attack in Romania that resulted in systems being taken offline at around 100 healthcare facilities.

Phobos ransomware is a ransomware-as-a-service (RaaS) group that has been active since May 2019. The group commonly gains access to victims’ networks through phishing campaigns that deliver malware via spoofed attachments with hidden payloads, including the Smokeloader backdoor trojan. Affiliates also use IP scanning tools such as Angry IP Scanner to identify vulnerable Remote Desktop Protocol (RDP) ports that are subjected to brute force attacks, and affiliates have been observed leveraging RDP to attack Microsoft Windows devices. Attacks often involve Cobalt Strike, Bloodhound, and Sharphound, Mimikatz to obtain credentials, NirSoft, and Remote Desktop Passview to export browser client credentials.

Phobos engages in double extortion tactics, where sensitive data is exfiltrated in addition to file encryption and victims have to pay for the keys to decrypt data and to prevent the publication of their stolen data on the group’s data leak site. Volume shadow copies are deleted from Windows environments to hinder attempts to recover without paying the ransom. The ransom demands are often of the order of several million dollars.

The Health Sector Cybersecurity Coordination Center issued an alert about Phobos ransomware in July 2021 after several attacks on organizations in the healthcare and public health sector. The latest alert shares updated tactics, techniques, and procedures used by the group in attacks up to February 2024, along with the latest Indicators of Compromise (IoCs), MITRE ATT&CK techniques, and recommended mitigations.

The post CISA, FBI Share Latest Threat Intelligence on Phobos Ransomware appeared first on HIPAA Journal.