Security Issues Identified in 75% of Infusion Pumps
This week, researchers at Palo Alto’s Unit 42 team published a report that shows security gaps and vulnerabilities often exist in smart infusion pumps. These bedside devices automate the delivery of medications and fluids to patients and are connected to networks to allow them to be remotely managed by hospitals. The researchers used crowdsourced scans from more than 200,000 infusion pumps at hospitals and other healthcare organizations and searched for vulnerabilities and security gaps that could potentially be exploited. The devices were assessed against more than 40 known vulnerabilities and over 70 other IoT vulnerabilities. 75% of the 200,000 infusion pumps were discovered to have security gaps that placed them at an increased risk of being compromised by hackers. Worryingly, 52% of the analyzed devices were found to be vulnerable to two serious infusion pump vulnerabilities dating back to 2019, one of which is a critical flaw with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high severity flaw with a CVSS score of 7.1 (Wind...
BD Discloses 2 Vulnerabilities in its Pyxis, Rowa, and Viper LT Products
Becton, Dickinson and Company (BD) has self-reported two vulnerabilities that affect its BD Pyxis automated medication dispensing systems, BD Rowa pouch packaging systems, and BD Viper LT automated molecular testing systems. Both vulnerabilities are due to the use of hard-coded credentials. If exploited, the vulnerabilities could allow an unauthorized individual to access, modify, and delete sensitive data, which could include electronic protected health information (ePHI). The most serious vulnerability, tracked as CVE-2022-22765, affects all versions of the BD Viper LT system from 2.0. The vulnerability has been assigned a CVSS severity score of 8.0 out of 10. BD is currently working on a fix for the vulnerability, which will be included in the upcoming BD Viper LT system Version 4.80 software release. In the meantime, BD has suggested implementing compensating controls, such as ensuring physical access controls are in place, only permitting authorized individuals to access the system, disconnecting the system from the network access where possible, and if it is not possible to...
Monongalia Health System Suffers Another Major Data Breach
West Virginia-based Monongalia Health System (Mon Health) has announced it was the victim of a cyberattack that has exposed patient, employee, and contractor data. This is the second major HIPAA compliance data breach to be reported by the health system in the past 12 months. Mon Health has confirmed that these two data breaches are separate incidents, although it is unclear at this stage if they are in any way related. The previous data breach was the result of a phishing attack that saw several employee email accounts compromised. Mon Health announced the breach on December 21, 2021, and said the security breach was discovered in July 2021 when a vendor reported not receiving a payment. The attackers used the compromised email accounts to divert a wire transfer. The investigation into the breach determined the email accounts were compromised between May 10, 2021, and August 15, 2021, and they contained the protected health information of 398,164 patients. In this incident, IT systems were not disrupted. According to the latest Mon Health press release, the latest breach was...
Paying a Ransom Doesn’t Put an End to the Extortion
The healthcare industry has been extensively targeted by ransomware gangs and victims often see paying the ransom as the best option to ensure a quick recovery, but the payment does not always put an end to the extortion. Many victims have paid the ransom to obtain the decryption keys or to prevent the publication of stolen data, only for the ransomware actors to continue with the extortion. The advice of the Federal Bureau of Investigation (FBI) is never to pay a ransom following a ransomware attack, as doing allows the threat actors to put more resources into their attacks, it encourages other threat groups to get involved in ransomware, and because there is no guarantee that paying a ransom will allow the recovery of data or prevent the misuse of stolen data. A recent survey conducted by the cybersecurity firm Venafi has helped to quantify the extent to which further extortion occurs. The survey has provided some important statistics about what happens when victims pay or do not pay the ransom demands. The survey was conducted on 1,506 IT security officers from the United...
HHS Warns of Potential Threats to the Healthcare Sector
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare organizations. HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict. HC3 has warned that threats could come from three areas: Threat actors linked to the Russian government, threat actors linked to the Belarussian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks. “Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the...



