CISA: SolarWinds Orion Software Under Active Attack
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software. The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation state hacking group who created a Trojanized version of Orion software that has been used to deploy a backdoor into customers’ systems dubbed SUNBURST. The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies. SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign...
Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers
Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product. The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been...
Are Google Home and Google Assistant HIPAA Compliant?
Can Google Home and Google Assistant be used in medical practices? Is Google Assistant HIPAA compliant or would using it in the workplace constitute a HIPAA violation? Connected home assistants such as Google Home (also known as Google Nest since 2019) are growing in popularity. According to a 2018 study by market research firm Cognilytica, 51% of people use voice assistants in the car, 39% use them at home, and 1% use them at work. Apple’s Siri has the greatest market share followed by Google Assistant, which powers Google Home smart speakers. It may be tempting to bring a Google Home device into the office and use it to take notes, get quick answers to questions, launch applications, and schedule reminders and calls. In a normal office environment, a Google Home device could possibly be used, but in healthcare, there is considerable potential for a HIPAA violation. Virtual assistants are being developed for use in healthcare and they have potential to change how physicians interact with medical records and deliver patient care, but currently most virtual assistants lack the...
Tufts Health Plan Members’ PHI Exposed in EyeMed Phishing Attack
60,545 members of Tufts Health Plan have had their protected health information exposed in a phishing attack on the vision benefits management company EyeMed. The phishing attack occurred in June 2020 and was discovered by EyeMed on July 1, 2020. Access to the breached account was terminated the same day. EyeMed notified Tufts Health Plan about the breach in September 2020. The compromised email account contained the following types of protected health information: Names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license or other government identification numbers, and birth or marriage certificates. Partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and/or passport numbers were implicated for some individuals. Affected individuals have been offered a 2-year complimentary membership to credit monitoring and identity protection services. Security Incident...
HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights
The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI). OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data. “Our proposed...



