1,400 Vulnerabilities Found in Popular Drug Cabinet System
According to an advisory issued by the Department of Homeland Security, a popular drug cabinet system has been found to have over 1,400 vulnerabilities, many of which could be exploited remotely using publicly available exploits. Furthermore, the exploits could be executed by an attacker with a low level of skill. The drug cabinet discovered to contain these vulnerabilities is version 8.1.3 of the Pyxis SupplyStation by CareFusion, which has not been updated since April 2010. However, vulnerabilities exist with a number of older versions of the system, many of which are still in operation and are used in a number of facilities in the United States. The automated drug cabinets dispense products and maintain an accurate stock inventory in real time. Two independent security researchers, Billy Rios and Mike Ahmadi, obtained a decommissioned Pyxis SupplyStation and conducted a static binary analysis against the system’s firmware to search for vulnerabilities. The researchers discovered 1,418 vulnerabilities existed in the version they tested. The vulnerabilities do not exist in the...
Vendor Error Places Mind Springs Health Patients’ PHI in Search Engines
Earlier this month, Virtua Medical Group announced a data breach that resulted from an error made by a transcription service vendor. The protected health information (PHI) of 1,654 patients could be accessed via the Internet and data had been indexed by search engines. It would appear that Virtua was not the only company to be affected by the server configuration error made by its business associate. Mind Springs Health, a Colorado-based provider of mental health and substance abuse services, appears to also have been affected. 2,147 patients have now been notified that their PHI has been exposed as a result of a server misconfiguration error made by an unnamed transcription service provider. As was the case with the Virtua Medical Group data breach, the incident occurred in early January. The substitute breach notice placed on the Mind Springs Health website does not mention when the error occurred, only that it was discovered on January 8, 2016. Highly sensitive data such as Social Security numbers, financial information, credit card numbers, and insurance details were not...
Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws
A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification, or loss.” Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub. GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures. The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance a hacker was able to break through security defenses and succeeded in...
2,200 Michigan Dental Patients Notified of PHI Breach
2,200 Blue Chip Dental patients have been notified that a backup system installed to safeguard patients’ protected health information (PHI) has played a part in its exposure. The Social Security numbers, medical insurance information, names, and addresses of patients have potentially been compromised as a result of the loss of a portable storage device used to store data backups. Late last year, Blue Chip Dental implemented a backup system to better protect patient data. The backup system was installed “to store our digital information offsite in case of fire or other disaster to our building,” according to the substitute breach notice placed on the company website. The backup system was part of a $25,000 digital security overhaul. On January 26, 2016, a portable storage device used for the backup system was discovered to have gone missing. No evidence has been uncovered to suggest data have been obtained or accessed inappropriately although the missing backup drive has now been declared lost. Blue Chip Dental contacted the firm used to install the digital security system and...
Data-Capturing Virus Discovered by Mercy Hospital in Iowa City
A computer virus may have allowed hackers to obtain the data of approximately 15,000 patients of Mercy Iowa City, according to a statement released by the hospital late last week. Patients started to be notified of the security breach by mail on Friday, March 25, 2016, and have been informed that their name, address, date of birth, medical diagnoses, treatment information, and health insurance details – including their policy number and provider name – may have been compromised. Some Social Security numbers could also have been improperly accessed as a result of the infection. Only a small percentage of Mercy patients have been affected by the breach, all of whom had previously visited either Iowa City’s Mercy Hospital or Mercy Clinic for treatment. Mercy enlisted the services of a leading computer forensics firm to conduct a full analysis of its computer systems after a tip-off was received from law enforcement on January 29, 2015, about a potential computer virus infection. The forensic analysis revealed a number of the hospital’s computers had been infected with a virus...



