BD Discloses Vulnerabilities in FACSChorus Software
Becton, Dickinson and Company (BD) has recently disclosed seven vulnerabilities in its FACSChorus software. The vulnerabilities are low- to medium-severity with CVSS scores ranging from 2.4 to 5.4. Successful exploitation of the vulnerabilities could allow an attacker to modify system configurations, access sensitive data, or access system components; however, in order to exploit the vulnerabilities an attacker would need to have physical access.
The vulnerabilities, in order of severity, are:
CVE-2023-29060 – Missing protection mechanism for alternate hardware interface – CVSS 5.4
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1 – The workstation operating system does not restrict what devices can interact with its USB ports. The vulnerability could be exploited with physical access to gain access to system information and potentially exfiltrate data.
CVE-2023-29061 – Missing authentication for critical function – CVSS 5.2
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation has no BIOS password. The vulnerability could be exploited with physical access to change the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.
CVE-2023-29064 – Hard-coded credentials – CVSS 4.1
Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, including tokens and passwords for administrative accounts.
CVE-2023-29065 – Insecure inherited permissions – CVSS 4.1
Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software database can be accessed directly with the privileges of the currently logged-in user. Exploitation would allow a threat actor with physical access to potentially gain credentials, and then alter or destroy data stored in the database.
CVE-2023-29062 – Improper authentication – CVSS 3.8
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The operating system hosting the FACSChorus application is configured to allow the transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. NTLMv2 hashes can be sent to a malicious entity positioned on the local network and can be brute-forced if a weak password is used.
CVE-2023-29066 – Incorrect privilege assignment – CVSS 3.2
Vulnerability is present in BD FACSChorus v5.0 and v5.1 and the respective workstations. The software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.
CVE-2023-29063 – Missing protection mechanism for alternate hardware interface – CVSS 2.4
Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation does not prevent physical access to its PCI Express (PCIe) slots. A threat actor could insert a PCI card designed for memory capture and extract sensitive information, such as a BitLocker encryption key, from a dump of the workstation RAM taken during startup.
BD notified CISA about the vulnerabilities and confirmed that all seven will be addressed in an upcoming software release, and has suggested mitigations and compensating controls that can be implemented in the interim. These include ensuring physical access controls are in place to restrict access to the software and respective workstations to authorized end users, ensuring industry-standard security controls are implemented if the workstations are connected to the local network, and tightly controlling administrative access to the software and workstations.
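As an added example (not code from BD, CISA or HIPAA Journal), the following PowerShell audit checks a Windows workstation for the compensating controls that map to the advisory's findings: USB storage blocking (CVE-2023-29060), BitLocker pre-boot authentication and Secure Boot (CVE-2023-29061, CVE-2023-29063), outgoing NTLM restriction (CVE-2023-29062) and write access to the application data folder (CVE-2023-29066). It assumes a Windows 10/11 host with the BitLocker module present; $AppDataPath is a placeholder, since the page does not give the FACSChorus data folder.

```powershell
# Added example: audit compensating controls on a FACSChorus-style workstation.
# Run elevated. $AppDataPath is an assumed placeholder, not a path from the advisory.
$AppDataPath = 'C:\ProgramData\PLACEHOLDER-FACSChorus'
$findings = @()

# CVE-2023-29060: USB mass-storage driver disabled? (USBSTOR Start = 4 means disabled)
$usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
if (-not $usb -or $usb.Start -ne 4) { $findings += 'USB mass-storage driver (USBSTOR) is not disabled' }

# CVE-2023-29061 / CVE-2023-29063: BitLocker on the system drive with TPM+PIN pre-boot
# authentication, plus Secure Boot, so boot-order changes and cold-boot key capture are harder.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os -or $os.ProtectionStatus -ne 'On') {
    $findings += 'System drive is not BitLocker protected'
} elseif (-not ($os.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
    $findings += 'BitLocker has no TPM+PIN pre-boot authentication protector'
}
try { if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' } }
catch { $findings += 'Secure Boot state could not be read (legacy BIOS firmware?)' }

# CVE-2023-29062: outgoing NTLM restricted? (RestrictSendingNTLMTraffic: 0 allow, 1 audit, 2 deny)
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.RestrictSendingNTLMTraffic -lt 1) { $findings += 'Outgoing NTLM traffic is neither audited nor denied' }

# CVE-2023-29066: can non-administrative principals write to the application data folder?
if (Test-Path $AppDataPath) {
    foreach ($ace in (Get-Acl $AppDataPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $ace.FileSystemRights -match 'Write|Modify|FullControl') {
            $findings += "Non-admin principal $($ace.IdentityReference) can write to $AppDataPath"
        }
    }
} else {
    $findings += "Application data folder $AppDataPath not found; set `$AppDataPath to the real location"
}

if ($findings.Count -eq 0) { 'All checked compensating controls are in place' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```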
The post BD Discloses Vulnerabilities in FACSChorus Software appeared first on HIPAA Journal.
Iowa Community HomeCare Sued over March 2023 Ransomware Attack
UI Community HomeCare and UI Community Medical Services, which are subsidiaries of University of Iowa (UI) Health Care, are being sued by a former employee and a patient over a March 2023 ransomware attack and data breach. The data breach was disclosed by UI Health Care in May 2023, but occurred in March 2023 and affected its subsidiaries. Iowa Community HomeCare discovered the security breach on March 23, 2023, when files on its network were encrypted. The investigation confirmed there had been unauthorized access to files containing sensitive data on March 23, 2023.
Personal and protected health information was exposed, and potentially stolen, such as names, birthdates, addresses, phone numbers, medical record numbers, referring physician names, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. At the time of issuing notifications, Iowa Community HomeCare had identified no attempted or actual misuse of the stolen data. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 67,897 individuals.
The lawsuit was filed against UI Community HomeCare and UI Community Medical Services and claims the attack and data breach could have been prevented if the defendants had implemented appropriate security measures. While security measures had been implemented, the lawsuit alleges the defendants willfully avoided their data security obligations at the expense of plaintiffs and class members by utilizing cheaper, ineffective security measures.
The defendants are also alleged to have failed to disclose to patients that substandard cybersecurity measures were in place and vulnerabilities had not been addressed, which led the plaintiffs and class members to believe their sensitive information would be adequately protected when making decisions about purchasing and availing themselves of the defendants’ services. As such, the plaintiffs claim that the defendants’ profits, benefits, and other compensation were obtained improperly and that the defendants are not legally entitled to retain any of the benefits, compensation, or profits realized from their transactions.
The lawsuit names Becky Kaefring and Kimberly Sullivan as plaintiffs. Kaefring worked for UI Community HomeCare between 2003 and 2019 and Sullivan’s child received health care services from UI Community HomeCare. The plaintiffs allege they have suffered injuries as a result of the data breach including lost time, annoyance, interference, inconvenience, and anxiety about the exposure of their sensitive data, and that they are faced with the burden of having to closely monitor for identity theft and fraud for years to come.
Kaefring alleges negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and Sullivan alleges negligence, breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment. The lawsuit seeks class action certification, damages, a refund, and injunctive relief, including an order from the court compelling the defendants to make substantial improvements to security.
The post Iowa Community HomeCare Sued over March 2023 Ransomware Attack appeared first on HIPAA Journal.