3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions
Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and updates files, and export data, including protected health information (PHI), to an untrusted environment. Aguilar found insufficient access controls which fail to restrict access by unauthorized individuals (CVE-2021-3083), the software assigns an owner who is outside the intended control sphere (CVE-2021-3085), and sensitive data is exposed to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS V3 base score of 6.2 out of 10. The vulnerabilities were identified by Secureworks Adversary Group consultant, Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited. The...
Ransomware Roundup: 5 Healthcare Organizations Fall Victim to Ransomware Attacks
Ransomware attacks have recently been reported by Surecare Specialty Pharmacy, Victory Health Partners, Strategic Benefits Advisors, Blue Shield of California, and Blue Cross of California. PHI of 8,412 Patients Potentially Compromised in Surecare Specialty Pharmacy Ransomware Attack El Paso, TX-based Surecare Specialty Pharmacy has recently announced it was the victim of a sophisticated ransomware attack on August 16, 2021. Surecare’s IT service provider took immediate action when the attack was detected, and a third-party forensics firm was engaged to investigate the attack. The investigation confirmed on August 31, 2021, that files containing a limited amount of patients’ protected health information may have been accessed and/or exfiltrated prior to the deployment of ransomware, although no evidence was found to indicate that was the case nor have any reports been received that suggest any misuse of patient data. A review of the encrypted files confirmed they contained patient names, addresses, dates of birth, health insurance information, and prescription information. The...
PHI Potentially Compromised in Hacking Incidents at Four Healthcare Providers
Four healthcare providers have recently announced their IT systems have been compromised and patient data may have been accessed. Hacker Gains Access to Server of New York Psychotherapy and Counseling Center New York Psychotherapy and Counseling Center (NYPCC), an NYC-based non-profit mental health services provider, has announced it was the victim of a cyberattack that was discovered on September 11, 2021. Steps were immediately taken to secure its systems and prevent further unauthorized access and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and scope of the attack. NYPCC said its electronic medical record system was not compromised; however, the attacker is believed to have accessed some files on the server that contained patients’ protected health information (PHI). A review of the files on the server revealed the following information may have been compromised: names, dates of service, addresses, Medicaid IDs, and dates of birth. NYPCC said it is committed to continually reviewing and updating its security protocols...
Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw
An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education. The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity. The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems. On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a...
PHI of 320,000 Patients Potentially Compromised in EHR Vendor Hacking Incident
QRS Inc, a Tennessee-based healthcare technology services company and provider of the Paradigm practice management and electronic health records (EHR) solution, has announced a HIPAA compliance data breach involving the protected health information (PHI) of almost 320,000 individuals. The cyberattack was detected on August 26, 2021, three days after a server was breached. QRS explained in its breach notification letters that a hacker gained access to the electronic patient portal and potentially accessed and exfiltrated the PHI of patients of some of its healthcare provider clients. When the breach was detected, the compromised server was immediately taken offline to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the attack. Assisted by a third-party computer forensics firm, QRS determined the breach was limited to a single server. No other QRS systems nor those of its clients were affected. The compromised server contained files that included PHI such as names, addresses, dates of birth, Social Security numbers, patient...



