Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules
Apr16

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules. For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules. The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year. Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%). Out of the five...

Read More
HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations
Apr15

HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations

The U.S. Department of Health and Human Services has been slow to implement recommendations made by the Government Accountability Office. In total. 392 recommendations have yet to be addressed, including 42 which GAO rated as high priority. Over the past four years, GAO has made hundreds of recommendations, but the HHS has only addressed 75% of them, 2% less than other government agencies. The poor implementation rate was outlined in a March 28, 2019 letter from the GAO to HHS secretary Alex Azar. GAO explained that healthcare is part of the nation’s critical infrastructure and relies heavily on computerized systems and electronic data to function. Those systems are regularly targeted by a diverse range of threat actors, so it is essential they are secured and protected from unauthorized access. GAO drew attention to four high priority recommendations covering health IT and cybersecurity that are still outstanding. “The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health records programs and...

Read More
Data Security Incident Response Analysis Published by BakerHostetler
Apr11

Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018. BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches. In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR).  All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered. This has led many companies to create committees to help manage data breaches,...

Read More
Study Reveals How Well Consumers Feel Health Data is Protected
Apr11

Study Reveals How Well Consumers Feel Health Data is Protected

The results of a study on healthcare cybersecurity from the perspective of consumers has recently been published by cybersecurity firm Morphisec. More than 1,000 consumers were surveyed to obtain their opinions on healthcare cybersecurity, the healthcare threat landscape, how their personal health information is being targeted, and how well they feel their health information is protected. The transition from paper records to electronic health records has improved efficiency and allows health information to be shared more easily, but vulnerabilities have been introduced that can be exploited by hackers. Morphisec notes that cyberattacks on the healthcare industry occur at more than double the rate of attacks on other industry sectors. The volume of attacks and frequency that they are reported in the media undoubtedly affects how secure consumers believe their health records are. Since 2009, more than 190 million healthcare records have been exposed or stolen, which is equivalent to 59% of the population of the United States, yet when consumers were asked if their providers have...

Read More
Hardin Memorial Health Cyberattack Results in EHR Downtime
Apr09

Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime. The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released so it is unclear whether this was a hacking incident, malware or ransomware attack. The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units. Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt. Upon discovery of the security breach, emergency procedures were...

Read More
Malware Alters CT Scans and Creates and Removes Tumors
Apr05

Malware Alters CT Scans and Creates and Removes Tumors

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans. The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment. In addition to adding tumors to medical images the malware could be used to remove real tumors. The former could be conducted for political reasons such as preventing a candidate from running for office, the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotaging of medical trials, and cyber terrorism. Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient...

Read More
Cross-sector and Bi-partisan Collaboration Critical for Improving Healthcare Organizations
Apr04

Cross-sector and Bi-partisan Collaboration Critical for Improving Healthcare Organizations

On February 21, 2019, Sen. Mark Warner (D-Va) wrote to several healthcare organizations and federal agencies requesting feedback on how the U.S. government and the healthcare industry can improve cybersecurity. Sen. Warner is concerned about the number of successful healthcare cyberattacks in recent years, the huge numbers of Americans who are impacted by the attacks, and the cost to the healthcare industry of remediating the attacks. In his letter, Sen. Warner referenced a study conducted by Accenture in 2015 that suggested cyberattacks would cost the healthcare industry more than $305 billion over the next 5 years. Sen. Warner asked healthcare industry stakeholders several well-crafted questions inviting them to share their thoughts on steps that are currently being taken to improve cybersecurity, address vulnerabilities, and respond to attacks. He also sought suggestions on potential strategies for the U.S. government to adopt to improve cybersecurity at a national level. Many of those contacted have responded to the request, including AdvaMed, the American Hospital Association...

Read More
OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits
Apr04

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter. Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals. Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation. There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits. An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain...

Read More
Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing
Apr04

Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing

The healthcare industry is particularly vulnerable to phishing attacks and successful attacks commonly result in significant data breaches. It is now something of a rarity for a week to pass without a healthcare phishing attack being reported. While healthcare organizations are providing security awareness training to staff and are using email security solutions, those defenses are not always effective. To improve understanding of why advanced attacks are managing to evade detection by traditional email security solutions, email security solution provider TitanHQ is hosting a webinar. During the webinar TitanHQ will explain about the threat from phishing and how organizations can protect themselves and their customers/patients. The webinar will also explain how two new features of TitanHQ’s SpamTitan email security solution – DMARC authentication and sandboxing – can protect against advanced email threats, zero-day attacks, malware, phishing, and spoofing. Webinar Details: Date : Thursday, April 4th, 2019 Time: 12pm EST Duration: 30 minutes Sign up to the Webinar here....

Read More
Study Reveals Health Information the Least Likely Data Type to be Encrypted
Apr03

Study Reveals Health Information the Least Likely Data Type to be Encrypted

Health information is the least likely data type to be encrypted, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher. The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data. The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data. The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence...

Read More
Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices
Mar27

Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices

Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules. Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities. It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly. At...

Read More
Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern
Mar26

Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern

Through compliance with HIPAA, healthcare organizations have achieved a baseline standard of security, but there is still plenty of room for improvement and healthcare cybersecurity is at best mediocre. Security Scorecard has ranked the healthcare industry 8th out of the 18 industry sectors for cybersecurity. The findings have been detailed in its 2019 Healthcare Cybersecurity Report. The worst aspects of security for the healthcare industry were DNS health and endpoint security, where the industry ranked 13th and 12th respectively. Without proper DNS security measures in place, attacks could take place in which DNS records are changed. Such an attack would allow cybercriminals to route web traffic to fraudulent websites where credentials could be harvested. The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued a warning about this attack method in January 2019. Endpoint security is another big concern. In healthcare, employees use a wide range of different types of devices to gain access to healthcare networks, which introduces risks and...

Read More
Concerns Raised with FDA over Medical Device Security Guidance
Mar22

Concerns Raised with FDA over Medical Device Security Guidance

The U.S. Food and Drug Administration (FDA) is reviewing feedback on the guidance for medical device manufacturers issued in October 2018. Comments have been submitted on the guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, by more than 40 groups and healthcare companies before the commenting period closed on March 18. Feedback will be taken on board and the guidance will be updated accordingly. The final version of the guidance is expected to be released later this year. The requirement for medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ to the FDA as part of the premarket review has been broadly praised. The CBOM needs to include a list of software and hardware components which have vulnerabilities or are susceptible to vulnerabilities. The CBOM will help healthcare organizations assess and manage risk. However, concerns have been raised by several groups about having to include all hardware components, as it may not even be possible for device manufacturers to provide that information. If hardware...

Read More
Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs
Mar22

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability. The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on. An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device. The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3. A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use...

Read More
UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Read More
Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices
Mar15

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). Ericcson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices. Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices. Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is...

Read More
Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks
Mar14

Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks

The healthcare industry is being targeted by cybercriminals and phishing is one of the most common ways that they gain access to healthcare networks and sensitive data. The number of successful phishing attacks on healthcare institutions is a serious concern. At HIMSS19, OCR highlighted email as being the main location of breached ePHI and the high risk of data breaches from phishing attacks. Could the high number of successful phishing attacks be mostly down to the industry being targeted more than other industry sectors, or are healthcare employees more susceptible to phishing attacks? A recently published study has provided some answers. Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team conducted a study to determine the susceptibility of healthcare employees to phishing attacks. For the study, Gordon and his team analysed data from 6 healthcare institutions in the United States that used custom-developed tools or vendor solutions to send simulated phishing emails to their employees. The researchers analyzed data from simulated...

Read More
OIG Audits Reveal Multiple Vulnerabilities at HHS Operating Divisions
Mar14

OIG Audits Reveal Multiple Vulnerabilities at HHS Operating Divisions

Audits conducted by the HHS’ Office of Inspector General (OIG) have uncovered multiple security vulnerabilities at HHS Operating Divisions (OPDIVs). Between 2016 and 2017, OIG conducted a series of audits at eight HHS OPDIVs to determine whether implemented security controls were effective at preventing cyberattacks. OIG also tested the ability of HHS OPDIVs to detect cyberattacks and the level of skill attackers would likely need to compromise OPDIV systems or gain access to sensitive data. In addition to the audits of security controls, policies, and procedures, OIG arranged for Defense Point Security (DPS) to conduct penetration tests on behalf of OIG to assess the effectiveness of security protections. The penetration tests were conducted in accordance with government auditing standards and agreed-upon Rules of Engagement between OIG and the OPDIVs. The audits and penetration tests revealed security vulnerabilities at all eight HHS OPDIVs in configuration management, access control, data input controls, and software patching. The root causes of the problems were reported to...

Read More
Serious Security Risks Found in Healthcare Laptops
Mar14

Serious Security Risks Found in Healthcare Laptops

A recent analysis of healthcare security risks by the Clearwater CyberIntelligence Institute (CCI) has shown laptop computers pose a major threat to hospitals, health systems, and their business associates. Laptops are portable and can easily be lost or stolen which places data at risk. The devices can be accessed remotely and used to access healthcare networks, and many organizations fail to monitor how the devices are used by employees. CCI ranked laptop computers 6th among sources of risk for healthcare organizations. CCI research showed 70% of high and critical risk scenarios for laptop vulnerabilities were in three areas: Endpoint data loss (29.9%), excessive user permissions (22.4%), and dormant accounts (17.8%). The most serious risk is endpoint data loss, which was rated critical or high due to the number of vulnerabilities in this area. Within this category, 98.9% of laptops had vulnerabilities related to the failure to lock down external ports such as USB, CD, DVD, and Firewire. Consequently, it is easy for data to be copied onto portable storage devices by users. 63.3%...

Read More
Security Risks of Medical Devices Explored by Check Point
Mar12

Security Risks of Medical Devices Explored by Check Point

Researchers at Check Point have demonstrated just how easy it can be to gain access to IoT medical devices and warn that the security risks of medical devices cannot be ignored. There have been major technological advances in recent years that has resulted in an explosion of new medical devices, but the IT environments that the devices are incorporated into often lack appropriate security controls. One of the main problems is many medical devices run on legacy systems and operating systems such as Windows XP, Windows 2000, and Windows 7. Those operating systems are no longer patched and contain vulnerabilities that could easily be exploited to gain access to patient data or the network to which the devices connect. Even when patches are available, applying them can be difficult and involves considerable downtime. Consequently, devices often remain unpatched and vulnerable to attack. Many healthcare providers also use medical devices from a wide range of manufacturers. Even identifying vulnerabilities and ensuring patches are applied can be a major challenge. Check Point...

Read More
25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

Read More
Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents
Mar07

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services. Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%). Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017. While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches. Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all...

Read More
HIPAA Compliance at Odds with Healthcare Cybersecurity
Mar06

HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses. Russell P. Branzell, President and CEO of CHIME and Shafiq Rab, CHCIO Chair of the CHIME Board of Trustees recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs. In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes. “Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.” The use of technology and data sharing are essential for improving the level of care that can be provided to...

Read More
Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack
Mar06

Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack

A new Moody’s Investors Service Report has revealed four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks. Those four sectors were determined to have high risk exposure to cyberattacks. All four sectors are heavily reliant on technology for day to day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk. For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical businesses processes, disclosure of data, and reputation damage. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across each sector – Supply chain diversity for instance. In total, 35 broad industry sectors were assessed and were given a rating of low-risk, medium-risk, or high-risk. The health insurance, pharmaceutical, and...

Read More
IRS Issues Warning About Tax-Related Phishing Scams
Mar05

IRS Issues Warning About Tax-Related Phishing Scams

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft. Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats. During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email. On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam. Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to...

Read More
New HIPAA Regulations in 2019
Mar04

New HIPAA Regulations in 2019

While there were expected to be some 2018 HIPAA updates, the wheels of change move slowly. OCR has been considering HIPAA updates in 2018 although it is likely to take until the middle of 2019 before any proposed HIPAA updates in 2018 are signed into law. Further, the Trump Administration’s policy of two regulations out for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited. First, there will need to be some easing of existing HIPAA requirements. HIPAA updates in 2018 that were under consideration were changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS was considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of  substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver...

Read More
Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity
Feb28

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-Va) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy [for] reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.” The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken. The most healthcare records ever breached. 113 million...

Read More
Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices
Feb27

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI). The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline. The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA). Healthcare organizations can adopt cybersecurity frameworks, create layered...

Read More
New Cybersecurity Requirements for Ohio Health Insurers
Feb27

New Cybersecurity Requirements for Ohio Health Insurers

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information. The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals. Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in...

Read More
NHS to Phase Out Pagers by End of 2021
Feb26

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million). Advantages and Disadvantages of Pagers in Healthcare Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
NIST NCCoE Releases Mobile Device Security Guide
Feb22

NIST NCCoE Releases Mobile Device Security Guide

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches. Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes. However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them. There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of...

Read More
Maryland Considers Tougher Penalties for Ransomware Attacks
Feb20

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state. The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock. Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more. The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable...

Read More
Free Decryptor for GandCrab Ransomware v5.1 Released
Feb20

Free Decryptor for GandCrab Ransomware v5.1 Released

A free decryptor for GandCrab ransomware has been released that allows victims to recover files encrypted by versions 5.0.4 to 5.1 of the ransomware. Previous decryptors have only worked on version 1, 4, and some of the early version 5 variants. The new GandCrab ransomware decryptor was developed by the Romanian police with assistance provided by Bitdefender, Europol, and law enforcement agencies in Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, UK, Canada and the United States. GandCrab ransomware was first used in attacks in January 2018. The first version of the ransomware was somewhat crude and a free decryptor was rapidly developed and released in February. Latter variants were more advanced and more adept at evading detection; however, in October, a second GandCrab ransomware decryptor was released that worked on version 4 of the ransomware. According to Europol, those decryptors have been downloaded more than 400,000 times and have allowed around 10,000 users to decrypt their files free of charge. To date, GandCrab ransomware has been used in more than...

Read More
Data Access and Sharing Risks Identified at National Institutes of Health
Feb15

Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world. The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff. While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made. OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with...

Read More
Healthcare Email Fraud Attacks Have Increased 473% in 2 Years
Feb14

Healthcare Email Fraud Attacks Have Increased 473% in 2 Years

A recent report from Proofpoint has revealed healthcare email fraud attacks have increased 473% in the past two years. Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013. These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack. The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare. For the report, Proofpoint analyzed more than 160 billion emails sent by...

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns
Feb12

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps. 166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018. This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident. In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations. The most common actors implicated in security incidents were online scam artists (28%)...

Read More
Vulnerabilities Identified in IDenticard PremiSys Access Control System
Feb04

Vulnerabilities Identified in IDenticard PremiSys Access Control System

ICS-CERT has issued an alert about three high severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software prior to version 4.1 are affected by the vulnerabilities. Successful exploitation of the vulnerabilities could result in full access being gained to the system with administrative privileges, theft of sensitive information contained in backups, and access being gained to credentials. The vulnerabilities could be exploited remotely and require a low level of skill to exploit. Details of the vulnerabilities have been publicly disclosed. The highest severity vulnerability CVE-2019-3906 concerns hard-coded credentials which allow full admin access to the PremiSys WCF Service endpoint. If successfully exploited, and attacker could obtain full access to the system with administrative privileges. The vulnerability has been assigned a CVSS v3 base score of 8.8. User credentials and other sensitive information stored in the system are encrypted; however, a weak method of encryption has been used which could potentially be cracked...

Read More
New Cybersecurity Framework for Medical Devices Issued by HSCC
Jan30

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle. The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector. More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing...

Read More
Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds
Jan30

Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds

Stryker has identified nine vulnerabilities that affect some of its Medical Beds. The vulnerabilities could potentially be exploited in a man-in-the-middle attack by an attacker within radio range of vulnerable product to replay, decrypt, or spoof frames. The vulnerabilities are present in the four-way handshake used by WPA and WPA2 wireless security protocols which allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices. The nine vulnerabilities are summarized below: CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake. CVE-2017-13078: Reinstallation of group key in the four-way handshake. CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake. CVE-2017-13080: Reinstallation of group key in the group key handshake. CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake. CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transmission handshake. CVE-2017-13086: Reinstallation of...

Read More
Vulnerability Identified in BD FACSLyric Flow Cytometry Solution
Jan30

Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit. BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions. The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC). The vulnerability is present in the following cytometry solutions: BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018) The U.S. release of BD FACSLyric IVD Windows 10 Professional...

Read More
GDPR Incorporated into the HITRUST CSF
Jan29

GDPR Incorporated into the HITRUST CSF

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements. Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater. Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible. “As countries around the world continue to adopt and advance...

Read More
Multiple Flaws Identified in LabKey Server Community Edition
Jan29

Multiple Flaws Identified in LabKey Server Community Edition

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser. LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed. CVE-2019-3911 – Reflected XSS Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication. CVE-2019-3912 – Open Redirects Open redirects via...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
DHS Issues Emergency Warning About DNS Hijacking Attacks
Jan24

DHS Issues Emergency Warning About DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has issued an emergency warning about DNS hijacking attacks. All government agencies have been instructed to audit their DNS settings in the next 10 days. CISA reports that hackers have been targeting government agencies and modifying their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By modifying the DNS records, web traffic and email traffic can be re-routed. This method of attack allows sensitive data to be stolen without compromising a network and users are unlikely to be aware that their communications have been intercepted. Re-routed emails are likely to go unnoticed and web traffic could be re-routed to identical copies of legitimate sites.  Since those sites have TLS/SSL certificates, no warning would be triggered by browsers. DNS attacks allow hackers to gather information about the websites visited by users and the information could be used in phishing campaigns. The attacks appear to be...

Read More
New Report Reveals Spiraling Cost of Cyberattacks
Jan23

New Report Reveals Spiraling Cost of Cyberattacks

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there has been a 52% increase in the cost of cyberattacks on businesses in since 2017. For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks. The 2018 Threat Landscape 93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware. Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now...

Read More
Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors
Jan23

Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) has issued an advisory about three vulnerabilities affecting Dräger Infinity Delta patient monitoring devices. The flaws affect all versions of Infinity Delta, Delta XL, Kappa, and infinity Explorer C700 patient monitoring devices. The flaws could lead to the disclosure of sensitive information stored in device logs, be leveraged to conduct Denial of Service (DoS) attacks, or could potentially allow an attacker to gain full control of the operating system of a vulnerable device. The flaws were discovered by Marc Ruef and Rocco Gagliardi of scip AG. The vulnerabilities are detailed below, in order of severity: CVE-2018-19014 (CWE-532) – Exposure of Information in Log Files Log files are not appropriately secured and are accessible over an unauthenticated network. An attacker could gain access to device log files and view sensitive information relating to the internals of the monitor, location of the device, and its wired network configuration. The flaw has been assigned a CVSS v3 base...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
State AG Proposes Tougher Data Breach Notification Laws in North Carolina
Jan21

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents. The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims. Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents. The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows...

Read More
SingHealth Breach Investigation Reveals Catalogue of Cybersecurity Failures
Jan10

SingHealth Breach Investigation Reveals Catalogue of Cybersecurity Failures

An investigation into a healthcare data breach has shown how the failure to implement basic cybersecurity measures leaves the door wide open to hackers. Healthcare organizations can invest in the latest cybersecurity technology but failing to adopt standard cybersecurity best practices and assess and maintain defenses can easily lead to an incredibly costly data breach. The breach in question occurred not in the United States, but Singapore. However, the findings of the investigation have relevance in the United States where many healthcare data breaches have been experienced due to similar cybersecurity failures. In June 2018, hackers attacked Singapore’s largest health network, SingHealth. The records of 1.5 million people were stolen, including the health records of the country’s Prime Minister, Lee Hsien Loong. To put the scale of the breach into perspective, Singapore has a population of 5.6 million. Following the breach, the Committee of Inquiry (COI) was formed to conduct a detailed investigation, the results of which were made public this week. While it is not possible to...

Read More
Feds Launch Campaign to Raise Awareness of Cyber Risks Faced by Private Sector Firms
Jan08

Feds Launch Campaign to Raise Awareness of Cyber Risks Faced by Private Sector Firms

A new public awareness campaign has been launched to raise awareness of cyber risks and to get businesses in all industry sectors to improve their information security practices and cyber defenses. The “Know the Risk, Raise your Shield” campaign is being run by the National Counterintelligence and Security Center (NCSC) at the Office of the Director of National Intelligence. The campaign advises businesses to strengthen passwords, protect social media accounts, implement safeguards to protect against phishing and spear phishing, establish who is calling before any sensitive information is disclosed over the telephone, and not to expect privacy when travelling overseas as electronic equipment can be subject to interference and surveillance. The aim of the campaign is to provide U.S. companies with information to help them understand the cyber threats they now face and to help them take steps to improve their defense against those threats. Well-financed nation-state backed threat actors are targeting private sector firms in the United States to gain access to sensitive information,...

Read More
Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach. Healthcare Data Breaches Are the Costliest to Mitigate Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. Click To Tweet In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Read More
Summary of 2018 HIPAA Fines and Settlements
Jan03

Summary of 2018 HIPAA Fines and Settlements

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Another Year of Heavy OCR HIPAA Enforcement In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties. The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued. While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules. However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first...

Read More
IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity
Jan03

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers. The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data. The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers. The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent...

Read More
HHS Publishes Cybersecurity Best Practices for Healthcare Organizations
Jan02

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients. The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million. “Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems...

Read More
Most Common Security Weaknesses in Healthcare Identified
Dec28

Most Common Security Weaknesses in Healthcare Identified

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare. The analysis revealed almost 37% of high and critical risks were in three areas: User authentication Endpoint leakage Excessive user permissions The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text. User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more...

Read More
NIST Releases Final Version of Updated Risk Management Framework
Dec27

NIST Releases Final Version of Updated Risk Management Framework

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0). RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management. One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” RMF 2.0 requires maximum use of automation in executing the framework rules to allow...

Read More
Largest Healthcare Data Breaches of 2018
Dec27

Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records. A Bad Year for Healthcare Data Breaches As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Read More
November 2018 Healthcare Data Breach Report
Dec20

November 2018 Healthcare Data Breach Report

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported. Largest Healthcare Data Breaches in November 2018 The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Read More
27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year
Dec19

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past year and 33% of those respondents said their organization had experienced multiple ransomware attacks. In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals. The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients. To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding...

Read More
Vulnerability Identified in Medtronic Encore and Carelink Programmers
Dec18

Vulnerability Identified in Medtronic Encore and Carelink Programmers

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest. The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit. The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6. The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers. Medtronic has...

Read More
Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training
Dec17

Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training

A new study has revealed the extent to which employees are being fooled by phishing emails and how despite the risk of a data breaches and regulatory fines, many companies are not providing security awareness training to their employees. For the study, 500 office workers were surveyed by the consultancy firm Censuswide. While all the respondents were based in Ireland, the results of the survey reflect the findings of similar studies conducted in other countries, including the United States. 14% of all surveyed office workers said that they had fallen for a phishing email, which would equate to around 185,000 office workers in Ireland. There were notable differences in susceptibility to phishing emails across the different age groups: Millennials, generation X, and baby boomers. The age group most likely to be fooled by phishing scams was millennials (17%), followed by baby boomers (7%), and Generation X (6%). Respondents were asked about how confident they were in their ability to identify phishing scams. Even though almost three times as many millennials had fallen for phishing...

Read More
30% of Healthcare Databases Misconfigured and Accessible Online
Dec12

30% of Healthcare Databases Misconfigured and Accessible Online

A recent study by the enterprise threat management platform provider Intsights has revealed an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases. While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information. The failure to adequately protect healthcare data is making it far too easy for hackers to succeed. Healthcare Organizations Have Increased the Attack Surface The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers have all the necessary safeguards in place to keep sensitive data secure, those safeguards need to be activated and...

Read More
University of Maryland Medical System Discovers 250-Device Malware Attack
Dec11

University of Maryland Medical System Discovers 250-Device Malware Attack

In the early hours of Sunday, December 9, 2018, the University of Maryland Medical System discovered an unauthorized individual had succeeded in installing malware on its network. Prompt action was taken to isolate the infected computers to contain the attack. According to a statement issued by UMMS senior VP and chief information officer, Jon P. Burns, most of the devices that were infected with the malware were desktop computers. The prompt action taken by IT staff allowed the infected computers to be quarantined quickly. No files were encrypted and there was no impact on medical services. UMMS should be commended for its rapid response. The attack was detected at 4.30am and by 7am, its networks and devices had been taken offline and affected devices had been quarantined. The majority of its systems were back online and fully functional by Monday morning. The incident highlights just how important it is for healthcare organizations to have an effective incident response plan that can be immediately implemented in the event of a malware attack. UMMS runs medical facilities in more...

Read More
DHS/FBI Issue Fresh Alert About SamSam Ransomware
Dec10

DHS/FBI Issue Fresh Alert About SamSam Ransomware

In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let up in attacks. Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and the FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware. To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime. The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks. Once access is gained, privileges are escalated to gain administrator...

Read More
First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine
Dec07

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system. Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system. CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data. The failure to implement appropriate access controls is a violation of...

Read More
ONC Announces Winners of Easy EHR Issues Reporting Challenge
Dec03

ONC Announces Winners of Easy EHR Issues Reporting Challenge

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Easy EHR Issues Reporting Challenge. Currently, reporting EHR safety concerns is cumbersome and causes disruption to clinical workflows. A more efficient and user-friendly mechanism is required to allow EHR users to quickly identify, document, and report issues to their IT teams. Fast reporting of potential safety issues will allow the root causes of problems to be found more quickly and for feedback to be provided to EHR developers rapidly to ensure problems are resolved in the shortest possible timeframe. The aim of the challenge was to encourage software developers to create solutions that would help clinicians report EHR usability and safety issues more quickly and efficiently in alignment with their usual clinical workflows and make the reporting of EHR safety issues less burdensome. After assessing all submissions, ONC chose three winners: 1st Place and $45,000 was awarded to James Madison Advisory Group, which developed a...

Read More
OIG Identified Serious Security Failures at Arizona Managed Care Organizations
Nov30

OIG Identified Serious Security Failures at Arizona Managed Care Organizations

The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a report on the findings of security audits at two managed care organizations (MCOs) in Arizona. OIG discovered serious security flaws in information systems that placed the confidentiality, integrity, and availability of Medicaid data and systems used to process Medicaid managed care claims at risk. OIG conducted the audits to determine whether the Arizona Medicaid MCOs were adequately protecting their information systems and Medicaid data, and whether they were in compliance with Health Insurance Portability and Accountability Act (HIPAA) security requirements. OIG discovered 19 security vulnerabilities in access controls and configuration management spanning 9 security control areas. 5 vulnerabilities were identified in the access controls category and 14 vulnerabilities were identified in the configuration management category. They included vulnerabilities in access controls, administrative controls, patch management, antivirus management, database management, server management, website...

Read More
DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges: Conspiracy to commit fraud and related computer activity Conspiracy to commit wire fraud Intentional damage to a protected computer Transmitting a demand in relation to damaging a protected computer The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals
Nov28

Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals

Computer systems used by East Ohio Regional Hospital (EORH) in Martins Ferry, OH, and Ohio Valley Medical Center (OVMC) in Wheeling, WV, were taken out of action over the weekend of 24/25 November as a result of a ransomware attack. The ransomware started encrypting files on the evening of Friday, November 23. While the attackers succeeded in gaining access to certain systems by penetrating the first layer of security, the subsequent layer was not breached, and the protected health information of its patients was not compromised. Even so, the attack resulted in disruption to certain medical services at both hospitals. Patients walking into the emergency room could still be processed and treated, but the hospitals were unable to accept patients from emergency squads. During the attack the hospitals switched to paper charts to ensure data protection and e-squad patients were diverted to other hospitals. Several hospital systems were taken offline to protect the integrity of information and IT teams have been working around the clock to eradicate the ransomware, restore files, and...

Read More
NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity
Nov23

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices along with best practices for securing the telehealth and remote monitoring ecosystem. Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks. Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge. The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment. The paper addresses...

Read More
53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

Read More
OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS
Nov22

OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS

The Department of Health and Human Services’ Office of Inspector General (OIG) has published its annual report on the top management and performance challenges faced by the HHS. The report lists 12 major challenges that the HHS must overcome to ensure the department achieves its aims. Given the scale of the current opioid crisis in the United States and its impact, the prevention and treatment of opioid misuse has topped this year’s list. The report also draws attention to the importance of cybersecurity protections to mitigate threats to be confidentiality, integrity, and availability of health data. Protecting HHS data, systems, and beneficiaries from cybersecurity threats made 10th spot in this year’s list. In the report, OIG explained that “data management, use, and security are essential to the effective and efficient operation of HHS’ agencies and programs.” Ensuring the integrity of IT systems and the confidentiality and availability of healthcare data are critically important to the health and well-being of Americans. The HHS has a $5 billion annual budget for IT; a...

Read More
October 2018 Healthcare Data Breach Report
Nov21

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records. Largest Healthcare Data Breaches in October 2018 There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The...

Read More
Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS
Nov15

Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress. The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature. The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service. The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center. NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal...

Read More
New Philips iSite and IntelliSpace PACS Vulnerability Identified
Nov12

New Philips iSite and IntelliSpace PACS Vulnerability Identified

ICS-CERT has issued an advisory about a medium severity vulnerability in Philips iSite and IntelliSpace PACS. The weak password vulnerability is present in all versions of iSite PACS and IntelliSpace PACS. If exploited, the confidentiality, integrity, and availability of a component of the system could be impacted. The vulnerability is being tracked as CVE-2018-17906 (CWE-521) and concerns the use of default credentials and a lack of authentication within third-party software. The vulnerability would require only a low level of skill to exploit, although the potential for exploitation is limited as an attacker would first need to gain local network access. The vulnerability has been assigned a CVSS v3 base score of 6.3 and was reported to Philips by a user. Philips self-reported the flaw to NCCIC. To prevent exploitation of the vulnerability, healthcare providers should restrict access to vulnerable iSite and IntelliSpace PACS systems to authorized personnel and follow standard security best practices. Phillips recommends only running IntelliSpace PACS installations in a managed...

Read More
Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices
Nov08

Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk. Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code. The vulnerabilities affect the following Roche Point of Care handheld medical devices. Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later) CoaguChek Pro II CoaguChek XS Plus & XS Pro Cobas h 232 POC Including the related base units (BU), base unit hubs and handheld base units (HBU). CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3. The vulnerability is present in:...

Read More
OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices
Nov08

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  Several deficiencies in FDA policies and procedures were identified by OIG auditors. Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients. The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas. One area of weakness concerns...

Read More
Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Read More
Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program
Nov06

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey. The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure. This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME. The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and security of systems and devices have grown and security is now a major...

Read More
Healthcare Organizations Account for a Quarter of SamSam Ransomware Attacks
Nov05

Healthcare Organizations Account for a Quarter of SamSam Ransomware Attacks

The threat actors behind SamSam ransomware have been highly active this year and most of the attacks have been conducted in the United States. Out of the 67 organizations that the group is known to have attacked, 56 were on organizations based in the United States, according to a recent analysis by cybersecurity firm Symantec. The attacks have been conducted on a wide range of businesses and organizations, although the healthcare industry has been extensively targeted. Healthcare organizations account for 24% of the group’s ransomware attacks. It is unclear why healthcare organizations are account for so many attacks. Symantec suggests that it could be due to healthcare organizations being easier to attack than other potential targets, or that there is a perception that healthcare providers are more likely to pay the ransom as they are reliant on access to patient data to operate. In contrast to most ransomware attacks, the threat actors behind SamSam ransomware do not conduct random campaigns via email with the intention of infecting as many organizations as possible. SamSam...

Read More
Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted
Nov02

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley’s Q3 Breach Insights Report. 37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: Professional services (11%). Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise. The report highlights a growing trend in cyberattacks involving multiple malware variants. One example of which was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware. Emotet is used to steal bank credentials and has the capability to download further...

Read More
HHS Officially Opens its New Health Sector Cybersecurity Coordination Center
Nov01

HHS Officially Opens its New Health Sector Cybersecurity Coordination Center

The U.S. Department of Health and Human Services (HHS) has officially opened its Health Sector Cybersecurity Coordination Center (HC3). HC3, located in the Hubert H. Humphrey building at HHS headquarters in Washington D.C., was officially opened on October 29, 2018 by Deputy Secretary of the HHS, Eric Hargan. HC3’s mission is to strengthen coordination and improve information sharing within the healthcare industry. HC3 will work closely with healthcare industry stakeholders, including practitioners, organizations, and cybersecurity information sharing organizations, to gain an understanding of current threats, patterns and attack trends. Information about current and emerging threats will be shared with healthcare organizations together with details of actions that can be taken to protect healthcare systems, medical devices and patient data. The Department of Homeland Security (DHS) is the primary agency for dealing with cyber threats in the United States and is responsible for developing strategies to combat those threats. HC3 will work closely with DHS but will be solely focused...

Read More
Cybersecurity Best Practices for Healthcare Organizations
Nov01

Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks. The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity. While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data. Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in...

Read More
Study Reveals 75% of Employees Lack Security Awareness
Oct25

Study Reveals 75% of Employees Lack Security Awareness

For the past three years, security awareness training company MediaPRO has conducted an annual study of employees’ security awareness and knowledge of cybersecurity best practices. The study measures the susceptibility of employees to a wide range of security threats and assesses their ability to identify phishing threats, possible malware infections, and cloud computing and social media risks. Their knowledge of best practices concerning physical security, working remotely, and reporting security incidents is also tested. This year, 1,024 employees from 7 industry sectors took part in the State of Privacy and Security Awareness study and were asked questions relating to all of the above aspects of privacy and security. MediaPRO assigned each participant a category based on the percentage of questions they got right: Hero – An individual with an excellent understanding of security and how to protect assets. Novice – Someone that has a reasonable understanding of the basics of security but needs to improve their knowledge in key areas. Risk – An individual whose lack of...

Read More
September 2018 Healthcare Data Breach Report
Oct23

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February. There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018. Causes of September 2018 Healthcare Data Breaches In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents. While there were fewer hacking/IT incidents than unauthorized access/disclosure...

Read More
OIG Publishes 2016 Medicaid Data Breach Report
Oct23

OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals. For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches. Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total. While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the...

Read More
CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System
Oct22

CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicaid & Medicare Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the HealthCare.gov website and accessed files containing the sensitive information of approximately 75,000 individuals. On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018. While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details. While the CMS has confirmed that the files have been accessed by...

Read More
FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity
Oct18

FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security. The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated. Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data, they could be used to gain a foothold to launch further cyberattacks that could prevent healthcare providers from providing care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real...

Read More
Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering
Oct17

Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs. The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ. The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats. TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality. Webinar Details: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering Date: Thursday, October 18th Time: 11AM ET | 8AM PT | 4PM GMT/BST Speakers: John Tippett, VP, Datto Networking Andy Katz, Network Solutions Engineer Rocco Donnino, EVP of Strategic Alliances, TitanHQ Click here to register for the...

Read More
The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates
Oct17

The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates

The HIPAA Risk analysis is a foundational element of HIPAA compliance, yet it is something that many healthcare organizations and business associates get wrong. That places them at risk of experiencing a costly data breach and a receiving a substantial financial penalty for noncompliance. The HIPAA Risk Analysis The administrative safeguards of the HIPAA Security Rule require all HIPAA-covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” See 45 C.F.R. § 164.308(u)(1)(ii)(A). The risk analysis is a foundational element of HIPAA compliance and is the first step that must be taken when implementing safeguards that comply with and meet the standards and implementation specifications of the HIPAA Security Rule. If a risk analysis is not conducted or is only partially completed, risks are likely to remain and will therefore not be addresses through an organization’s risk management process – See § 164.308(u)(1)(ii)(B) – and will not be...

Read More
FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers
Oct16

FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow up visits. Approximately 34,000 vulnerable programmers are currently in use. The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs. While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN,...

Read More
Most Common Healthcare Phishing Emails Identified
Oct16

Most Common Healthcare Phishing Emails Identified

A new report by Cofense has revealed the most common healthcare phishing emails and which messages are most likely to attract a click. The 2018 Cofense State of Phishing Defense Report provides insights into susceptibility, resiliency, and responses to phishing attacks, highlights how serious the threat from phishing has become, and how leading companies are managing risk. The high cost of phishing has been highlighted this week with the announcement of a settlement between the HHS’ Office for Civil Rights and Anthem Inc. The $16 million settlement resolved violations of HIPAA Rules that led to Anthem’s 78.8 million record data breach of 2015. That cyberattack started with spear phishing emails. In addition to the considerable cost of breach remediation, Anthem also settled a class action lawsuit related to the breach for $115 million. Even an average sized breach now costs $3.86 million to resolve (Ponemon/IBM Security, 2018). Previous Cofense research suggests that 91% of all data breaches start with a phishing email and research by Verizon suggests 92% of malware infections...

Read More
HHS OIG Raises Awareness of Its Cybersecurity-Related Activities on New Web Page
Oct11

HHS OIG Raises Awareness of Its Cybersecurity-Related Activities on New Web Page

The Department of Health and Human Services’ Office of Inspector General (HHS OIG) has recently created a new web page detailing some of the actions that have been taken to improve cybersecurity within the HSS as part of its efforts to improve transparency of its cybersecurity activities. The new cybersecurity-focused web page will be regularly updated to include details of cybersecurity activities that have positively affected HHS programs and have helped strengthen the cybersecurity defenses, including reports of its audits, evaluations, and inspections of its offices and agencies that HHS OIG oversees. On the new web page, HHS OIG explains that it currently uses a three-pronged approach to safeguard data and the systems on which those data are stored. They are IT security controls, risk management, and resiliency. IT security controls are technological and procedural controls that protect against vulnerabilities to the confidentiality, integrity, and availability of data and systems. Risk management is proactively identifying risks and threats and taking action to reduce those...

Read More
Vulnerabilities Identified in PeerVue Web Server, Carestream Vue RIS and Siemens Healthcare Products
Oct10

Vulnerabilities Identified in PeerVue Web Server, Carestream Vue RIS and Siemens Healthcare Products

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued five advisories in the past week about vulnerabilities discovered in equipment used by healthcare organizations in the United States. Change Healthcare PeerVue Web Server A vulnerability (CVE-2018-10624) has been identified in the Change Healthcare PeerVue Web Server which could allow an attacker to gain information about the web server that would enable it to be targeted in a cyberattack. The vulnerability only requires a low level of skill to exploit by an attacker on an adjacent network. The vulnerability exposes information through an error message. The flaw was discovered by security researcher Dan Regalado of Zingbox and has been assigned a CVSS v3 base score of 4.3. Change Healthcare took rapid action to address the vulnerability and a patch has now been issued. Users should contact Change Healthcare if they are running PeerVue Web Server 7.6.2 or earlier for information about installing the patch. Carestream Vue RIS A remotely exploitable vulnerability...

Read More
Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC
Oct08

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices for medical device manufacturers and healthcare provider organizations to help them improve their security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way. The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete. HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the...

Read More
Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards
Oct04

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019. The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring. To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention. Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions...

Read More
FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Oct03

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents. The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks. The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document. The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been...

Read More
Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency
Oct02

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information. Phishing is one of the leading causes of healthcare data breaches. In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August. Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively. Cofense Research Shows Healthcare...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
HIPAA Quiz Launched by Compliancy Group
Sep26

HIPAA Quiz Launched by Compliancy Group

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.   Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted. OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166. State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve...

Read More
FDA to Increase Scrutiny of Medical Device Cybersecurity
Sep18

FDA to Increase Scrutiny of Medical Device Cybersecurity

The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report which recommends the Food and Drug Administration (FDA) should scrutinize medical device cybersecurity controls more closely and more fully integrate cybersecurity into the premarket review process for medical devices. Currently, the FDA reviews cybersecurity documentation in premarket submissions to ensure medical devices have appropriate cybersecurity controls before approval is given for the devices to be marketed. FDA reviewers use 2014 FDA cybersecurity guidance as general principles when conducting reviews of new medical devices and has taken steps to ensure that devices are assessed against new and emerging threats. The FDA considers cybersecurity risks and threats that affect specific devices and applies that knowledge to all other devices with similar risk profiles. For example, if there is a known threat to a specific cardiac device from one manufacturer, all other manufacturers’ cardiac devices will be assessed against the same threat. Reviews of cybersecurity controls...

Read More
Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI
Sep06

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices. Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen. Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units
Sep03

ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a further advisory about Philips healthcare devices after nine vulnerabilities were self-reported to the National Cybersecurity & Communications Integration Center (NCCIC) by the Amsterdam-based technology company. This is the fourth advisory issued by ICS-CERT in the past month. Previous advisories have been issued over cybersecurity vulnerabilities in its central patient monitoring system – Philips IntelliVue Information Center iX (1 vulnerability), Philips PageWriter Cardiographs (2 vulnerabilities), and Philips IntelliSpace Cardiovascular cardiac image and information management software (2 vulnerabilities). The latest advisory concerns nine vulnerabilities discovered in Philips eAlert units – These are non-medical devices that monitor imaging systems such as MRI machines to identify issues rapidly before they escalate. The devices are used by healthcare providers around the world. One of the vulnerabilities is rated critical, five are high severity,...

Read More
NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
Aug31

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations. Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk. If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks. An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs. Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly...

Read More
Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server
Aug30

Critical ‘Misfortune Cookie’ Flaw Identified in Qualcomm Life Capsule Datacaptor Terminal Server

A code weakness in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS) has been discovered. The flaw could be remotely exploited allowing an attacker to obtain administrator level privileges and remotely execute code. The Qualcomm Life Capsule’s Datacaptor Terminal Server is a medical gateway device used by many U.S. hospitals to network their medical devices. The Datacaptor Terminal Server is used to connect respirators, bedside monitors, infusion pumps and other medical devices to the network. The Datacaptor Terminal Server has a web management interface which allows it to be operated and configured remotely. The flaw affects the Allegro RomPager embedded webserver (versions 4.01 through 4.34) which is included in all versions of Capsule DTS. The flaw could be exploited by an attacker by sending a specially crafted HTTP cookie to the web management portal, allowing arbitrary data to be written to the devices’ memory, ultimately permitting remote code execution. The exploit would require little skill to perform and requires no authentication. If exploited, availability of the...

Read More
Critical Flaw Identified in BD Alaris Plus Medical Syringe Pumps
Aug28

Critical Flaw Identified in BD Alaris Plus Medical Syringe Pumps

A critical remotely exploitable flaw has been detected in BD Alaris Plus medical syringe pumps. The flaw would enable a threat actor to gain access to an affected medical syringe pump when it is connected to a terminal server via the serial port. If the flaw is exploited a threat actor could alter the intended function of the pump. The flaw is an improper authentication vulnerability. The software fails to perform authentication for functionality that requires a provable user identity. The flaw was identified by Elad Luz of CyberMDX who notified Becton, Dickinson and Company (BD), which in turn voluntarily reported the vulnerability to the National Cybersecurity & Communications Integration Center and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The latter issued an advisory about the vulnerability on August 23, 2018. The vulnerability affects version 2.3.6 of Alaris Plus medical syringe pumps and prior versions, specifically the Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA products. The vulnerability has been assigned a CVSS v3 score of 9.4 out...

Read More
July 2018 Healthcare Data Breach Report
Aug24

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month. The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and June combined. A Bad Year for Patient Privacy So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed. To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018. Largest Healthcare Data Breaches of 2018 (Jan-July) Entity Name Entity Type Records Exposed Breach Type UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident CA...

Read More
Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX
Aug23

Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX

Over the past few months, several vulnerabilities have been discovered in Philips medical devices, software and systems. This week, two further advisories have been issued by the Industrial Control Systems Cyber Emergency Team (ICS-CERT) about vulnerabilities the firm’s real-time central monitoring system, Philips IntelliVue Information Center iX, and its PageWriter cardiographs. All three of the vulnerabilities are classed as medium risk with CVSS v3 base scores ranging between 5.7 and 6.1. CVE-1999-0103 is a denial of service vulnerability that affects the Philips IntelliVue Information Center iX version B.02. The flaw was discovered by a user of the system and was reported to Philips, which in turn reported the vulnerability to the National Cybersecurity and Communications Integration Center’s (NCCIC). The vulnerability can be exploited remotely and does not require a high level of skill. If multiple initial UDP requests are made, it could compromise the availability of the device by causing the operating system to become unresponsive. The vulnerability has been assigned a...

Read More
Updates to Cofense Phishing Simulation Platform Add Even More Opportunities for Automation
Aug23

Updates to Cofense Phishing Simulation Platform Add Even More Opportunities for Automation

Cofense has announced that further updates have been made to its award-winning phishing email simulation platform, Cofense PhishMe. The updates provide even greater opportunities for automating phishing simulation campaigns to save administrators even more time. Security awareness and anti-phishing training is now an important part of healthcare organizations’ cybersecurity programs. In addition to investing in technology to block phishing and other email-based threats, end users require training. Even layered defenses will not stop all phishing threats from reaching inboxes. Without training, end users will remain the weakest link in the security chain. Phishing simulation exercises are an important part of the training process. They allow security teams to assess how effective their training programs have been and identify weak points in the training program. They also allow security teams to identify individuals who have failed to understand certain parts of the training program. While phishing simulation platforms include some opportunities for automation and scheduling,...

Read More
Only 30% of Healthcare Organizations Have Taken Out Cybersecurity Insurance
Aug22

Only 30% of Healthcare Organizations Have Taken Out Cybersecurity Insurance

A recent survey conducted by Ovum on behalf of analytics firm FICO has revealed there has been a major increase in companies taking out cybersecurity insurance, but the healthcare industry has been slow on the uptake. In 2017 when the survey was last conducted, 50% of U.S. firms reported that they had not taken out a cybersecurity insurance policy. That percentage has fallen to 24% in 2018. While many businesses see the value in paying insurance premiums to cover the cost of mitigating cyberattacks and data breaches, that does not appear to be the case for healthcare companies. Only 30% of healthcare organizations have taken out cybersecurity insurance policies. 70% have no cybersecurity insurance cover whatsoever, even though the industry is targeted by hackers. The financial services industry, which is also heavily targeted by hackers, has been quick to take advantage of cybersecurity cover. Only 10% of surveyed financial firms had no coverage for cyberattacks. The survey was conducted on 500 companies in 11 countries including the U.S., Canada, India, and the UK. The figures for...

Read More
Survey Reveals Lack of Anti-Phishing Measures at U.S. Businesses
Aug22

Survey Reveals Lack of Anti-Phishing Measures at U.S. Businesses

Phishing is now the number one cyber threat faced by businesses but in spite of a high risk of phishing attacks occurring, businesses have been slow to respond to the threat and implement cybersecurity solutions to reduce the risk of email-related data breaches. A recent Valimail sponsored survey has shown that anti-phishing defenses are lacking at many U.S. businesses. The survey was conducted on 650 IT/IT security professionals by the Ponemon Institute. The companies had an average of 1,000 employees with average annual email security and fraud prevention budget of $2.5 million. The high risk of email-based attacks was made abundantly clear. 79% of respondents said that they had experienced a data breach or cyberattack in the past 12 months that certainly or likely involved email, such as a business email compromise attack or a phishing incident. 80% of respondents said they were very concerned about their organization’s ability to prevent or reduce email-based attacks and 53% of respondents admitted that preventing phishing attacks was very difficult. Even though the risk of...

Read More
Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System
Aug16

Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system. The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether appropriate security controls had been implemented to protect its Medicaid Management Information System (MMIS) and Medicaid data. The audit consisted of interviews with staff members, a review of supporting documentation, and use of vulnerability scanning software on network devices, servers, websites, and databases that supported its MMIS. The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program. Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the...

Read More
ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products
Aug16

ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products

ICS-CERT has issued an advisory about two vulnerabilities that have been identified in Philips IntelliSpace Cardiovascular products, one of which has been given a high severity rating and could allow a threat actor to elevate privileges and gain full control of a vulnerable device. The improper privilege management vulnerability (CVE-2018-14787) is present in IntelliSpace Cardiovascular cardiac image and information management software version 2.x and earlier releases and Xcelera V4.1 and earlier versions. The vulnerability could not be exploited remotely. Local access is required, and an authenticated user would need to have write privileges. If exploited, privileges could be escalated and access gained to folders containing executables. Arbitrary code could be executed to give the attacker full control of the system. The vulnerability has been assigned a CVSS v3 severity score of 7.3. An unquoted search path or element vulnerability (CVE-2018-14789) is present in IntelliSpace Cardiovascular Version 3.1 and earlier versions and Xcelera Version 4.1 and earlier versions. This flaw...

Read More
Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication
Aug15

Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication

A vulnerability has been discovered in Microsoft’s Active Directory Federation Services (ADFS) that allows multi-factor authentication (MFA) to be bypassed with ease. The flaw is being tracked as CVE-2018-8340 and was discovered by Andrew Lee, a security researcher at Okta. ADFS is used by many organizations to help secure accounts and ADFA is used by vendors such as SecureAuth, Okta, and RSA to add multi-factor authentication to their security offerings. To exploit the vulnerability an attacker would need to obtain the login credentials of an employee and have a valid second factor authentication token. That token could then be used as authentication to access any other person’s account if their username and password is known. A threat actor could easily obtain a username and a password by conducting a phishing campaign. The number of phishing attacks on healthcare organizations that have been reported recently show just how easy it is to fool employees into disclosing their login credentials. A brute force attempt on an account with a weak password would also work. Obtaining the...

Read More
Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time
Aug15

Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time

A security researcher at McAfee (Douglas McKee) has identified a vulnerability in the communications protocol used by patient monitoring equipment. The flaw could be exploited by a threat actor allowing patients’ vital signs to be falsified and sent to central monitoring systems. Patient monitors record patients’ vital signs and communicate the information to central monitoring systems. The central management systems collect data from many bedside patient monitors, allowing healthcare professionals to monitor multiple patients simultaneously. Information is usually sent over TCP/IP through wired or wireless connections and includes information such as blood pressure, blood oxygen levels, and heart rates. Decisions about treatment are made based on the information provided through those monitoring systems. Vital signs are integral to clinical decision making. If vital signs are misreported, decisions could be made that could cause patients to come to harm – incorrect doses of medications could be provided, the choice of drug could be influenced by bad data, an incorrect diagnosis...

Read More
Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data
Aug14

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry. While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access. The flaws were detected by researchers at Check Point who successfully exploited them to create a backdoor into a network which was used to steal information through the fax. The researchers believe there are tens of millions of vulnerable fax machines are currently in use around the world. To exploit the flaw, the researchers sent a specially crafted image file through the phone line to a target fax machine. The fax machine decoded the image and uploaded it to the memory and the researchers’ script triggered a buffer overflow condition that allowed remote code execution. The researchers were able to gain full control of the fax machine and, using...

Read More
APWG Detects 46% Rise in Phishing Websites in Q1, 2018
Aug10

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017. The report explores phishing attacks and methods used between January 1 and March 31, 2018. In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018 which was on a par with December 2017, although a substantial increase in February (88,754) and a further major increase in March (113,897). The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March. APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns....

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched
Aug09

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular. Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database. Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information. The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy...

Read More
The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta
Aug09

The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: Substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution. The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones. The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million. When faced with extensive disruption and a massive clean up bill it is no surprise that many victims choose to pay the ransom. Now new figures have been released that confirm just how many victims have paid to recover their files and regain control of their...

Read More
Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps
Aug08

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868). The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors. If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity). The way that passwords are stored could allow...

Read More
Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices
Aug07

Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media. Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner. HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes. Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI. If electronic devices are not disposed of securely...

Read More
NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices
Aug06

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised. A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge. Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care. However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major...

Read More
Consumers More Worried About Exposure of Financial Information Than Health Data
Aug01

Consumers More Worried About Exposure of Financial Information Than Health Data

The privacy and security of health data is less of a concern for consumers than the privacy and security of financial information such as credit card numbers, according to a recent survey by the healthcare marketing agency SCOUT. The Harris Poll survey was conducted on 2,033 adults from May 10-14, 2018 as part of a new research series called SCOUT Rare Insights. The survey revealed fewer than half of consumers (49%) were very concerned about the privacy and security of their health data, whereas more than two thirds of consumers (69%) were very concerned about the privacy and security of their financial data such as credit/debit card numbers and bank account information. Consumers are often covered by insurance policies on their credit cards and can reclaim losses in many cases. A new credit card number can be issued in cases of theft and there are laws that limit personal liability. However, if health insurance information and Social Security numbers are stolen, breach victims can suffer severe losses that may not be recoverable. Medical identity theft can also cause patients...

Read More
1.4 Million Patients Warned About UnityPoint Health Phishing Attack
Jul31

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers. This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May. This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016. Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack....

Read More
Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform
Jul30

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform. The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein. Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats. Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams. However, security teams can struggle to...

Read More
Warnings Issued Following Increase in ERP System Attacks
Jul27

Warnings Issued Following Increase in ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle. These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data – The exact types of data sought by cybercriminals for fraud and cyber espionage. Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups. The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of most widely used ERP systems: SAP HANA and Oracle E-Business. The authors explained that the number of publicly available...

Read More
FDA Issues New Guidance on Use of EHR Data in Clinical Investigations
Jul19

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and emphasized that appropriate controls should be put in place to ensure the confidentiality, integrity, and availability of data. While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements. The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products. The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a...

Read More
June 2018 Healthcare Breach Report
Jul18

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches in June 2018. Data breaches were up, but the breaches were far less severe in June, with 42.48% fewer healthcare records exposed or stolen than in May. In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018. Healthcare Data Breaches (January-June 2018) Causes of Healthcare Data Breaches (June 2018) Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents. Healthcare Records Exposed by Breach Type While unauthorized...

Read More
LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach
Jul17

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information; however, data theft appears unlikely as the cyberattack has now been confirmed as being a ransomware attack. It has been suggested that variant of SamSam ransomware was used in the brute force RDP attack, although this has not been confirmed by LabCorp. The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data. The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system within 50 minutes of the attack commencing. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack. With its systems offline, this naturally...

Read More
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record
Jul12

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches. The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States. Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again. The average cost of a data breach is now $3.86 million – An annual increase...

Read More
HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks
Jul06

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in the middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increase in used of Unicode characters to create fraudulent domains for use in phishing attacks. API Attacks Could Be the Next Big Attack Vector Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to gain access to sensitive data. Vulnerabilities in API’s could be a weak point and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector. API usage in application development has become the norm, after all, it is easier to use a third-party solution...

Read More
AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule
Jul05

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs. Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps Mobile health apps can con collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules. However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers. There...

Read More
Warning About HIPAA Journal Spoofing Campaign
Jul05

Warning About HIPAA Journal Spoofing Campaign

It has come to our attention that an individual not associated with HIPAA Journal has registered an email address using the HIPAA Journal brand name and is contacting physicians warning them about alleged HIPAA violations by a healthcare company. The email address being used in this spoofing campaign is hipaajournalinfo@gmail.com The subject lines of the emails reported so far are: “HIPAA Violation!” “HIPAA Violation Warning” The image below is an example of one of the messages sent in this spoofing campaign: Further emails allege several HIPAA violations have occurred at this healthcare company and the emails claim HIPAA Journal is actively investigating the violations and has obtained proof that HIPAA has been violated. This is not the case. No investigation has been launched and no evidence of any HIPAA violations has been obtained by HIPAA Journal. The emails contain links to the website – www.hipaajournal.com – and others in an attempt to add credibility. This does not appear to be a phishing campaign, but an attempt to use the HIPAA Journal name to add credibility...

Read More
OCR Draws Attention to HIPAA Patch Management Requirements
Jul03

OCR Draws Attention to HIPAA Patch Management Requirements

Healthcare organizations have been reminded of HIPAA patch management requirements to ensure the confidentiality, integrity, and availability of ePHI is safeguarded. Patch Management: A Major Challenge for Healthcare Organizations Computer software often contains errors in the code that could potentially be exploited by malicious actors to gain access to computers and healthcare networks. Software, operating system, and firmware vulnerabilities are to be expected. No operating systems, software application, or medical device is bulletproof. What is important is those vulnerabilities are identified promptly and mitigations are put in place to reduce the probability of the vulnerabilities being exploited. Security researchers often identify flaws and potential exploits. The bugs are reported to manufacturers and patches are developed to fix the vulnerabilities to prevent malicious actors from taking advantage. Unfortunately, it is not possible for software developers to test every patch thoroughly and identify all potential interactions with other software and systems and still...

Read More
Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors
Jul02

Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors. The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices. The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method of function (CWE-749 / CVE-2018-8868) vulnerability – exist in all versions of 24950 and 24952 MyCareLink Monitors. The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCCIC. Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could...

Read More
Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report
Jun29

Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report came from complaints made through its Internet Crime Complaints Center (IC3). The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes. In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was first published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received. The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery. The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses as confidence fraud/romance scams – the second...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
Advisory Issued After 8 Vulnerabilities Discovered in Natus Xltek NeuroWorks Software
Jun21

Advisory Issued After 8 Vulnerabilities Discovered in Natus Xltek NeuroWorks Software

ICS-CERT has issued an advisory following the discovery of eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software used in Natus Xltek EEG medical products. If the vulnerabilities are successfully exploited they could allow a malicious actor to crash a vulnerable device or trigger a buffer overflow condition that would allow remote code execution. All eight vulnerabilities have been assigned a CVSS v3 score above 7.0 and are rated high.  Three of the vulnerabilities – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been assigned a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been assigned a base score of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – given a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read vulnerabilities. CVE-2017-2853 would allow an attacker to cause a buffer overflow by sending a specially crafted packet to an affected product while the product attempts to open a file requested by...

Read More
May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers
Jun15

Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers

Siemens has proactively issued an advisory over two recently discovered vulnerabilities in its RAPIDLab and RAPIDPoint Blood Gas Analyzers. No reports have been received to data to suggest either vulnerability has been exploited in the wild, although users of the devices are being encouraged to take steps to mitigate risk. The vulnerabilities affect Siemens RAPIDLab 1200 Series and RAPIDPoint 400/405/500 cartridge-based blood-gas, electrolyte, and metabolite analyzers. CVE-2018-4845 would allow local or remote credentialed access to the Remote View feature. Successful exploitation of the vulnerability could result in privilege escalation that could potentially compromise the confidentiality, integrity, and availability of the system. No user interaction would be required to exploit the vulnerability. The vulnerability has been assigned a CVSS v3.0 score of 8.8. CVE-2018-4846 relates to a factory account with a hardcoded password which could potentially be exploited to gain remote access to the device over port 8900/tcp, thus compromising the confidentiality, integrity, and...

Read More
Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security
Jun13

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices. For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys. 85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements. Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed...

Read More
Cofense Launches Free Tool That Checks for SaaS Applications Using Corporate Domains
Jun08

Cofense Launches Free Tool That Checks for SaaS Applications Using Corporate Domains

The anti-phishing solution provider Cofense has launched a new tool that allows organizations to check what Software-as-a-Service (SaaS) applications have been registered by employees using corporate domains. The tool identifies configured cloud services, allowing security teams to check which SaaS applications are in use and take action over unauthorized use of cloud applications by employees. The solution will query a corporate domain against a list of commonly used SaaS applications and will return a list of all SaaS applications that are in use, highlighting applications that have been provisioned without prior approval from the IT department. A file can be downloaded detailing all SaaS applications in use which can be compared with future scans to identify new SaaS applications that have been provisioned since the last time the query was run. Shadow IT introduces risks, yet IT departments are often unaware of employees’ activities. Many companies are in the dark about the software used by their employees and the cloud services registered using company domains. This new service...

Read More
Advisory Issued About Vulnerabilities in Phillips IntelliVue Patient and Avalon Fetal Monitors
Jun06

Advisory Issued About Vulnerabilities in Phillips IntelliVue Patient and Avalon Fetal Monitors

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory over vulnerabilities affecting certain Phillips IntelliVue Patient and Avalon Fetal monitors. Three vulnerabilities have been identified by Phillips and communicated to ICS-CERT: Two have been rated high and one medium. If successfully exploited, an attacker could read/write memory and introduce a denial of service through a system restart. Exploitation of the flaws could cause a delay in the diagnosis and treatment of patients. Products Affected: IntelliVue Patient Monitors MP Series (includingMP2/X2/MP30/MP50/MP70/NP90/MX700/800) Rev B-M; IntelliVue Patient Monitors MX (MX400-550) Rev J-M and (X3/MX100 for Rev M only); Avalon Fetal/Maternal Monitors FM20/FM30/FM40/FM50 with software Revisions F.0, G.0 and J.3 Vulnerabilities: CWE-0287 – Improper Authentication Vulnerability After gaining LAN access, an unauthenticated individual could exploit the vulnerability to gain access to the memory (write-what-where) on a chosen device within the same subnet....

Read More
Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application
May31

Advisory Issued Over Vulnerabilities in BeaconMedaes TotalAlert Scroll Medical Air Systems Web Application

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about remotely exploitable vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. The vulnerabilities are present in TotalAlert Scroll Medical Air Systems running software versions 4107600010.23 and earlier and require a low level of technical skill to exploit. If successfully exploited, an attacker could view and potentially modify device information and web application setup information, although those modifications would not be sufficient to affect the ability of the device to operate as designed. BeaconMedaes has stressed that the vulnerabilities cannot be exploited to gain access to patient health information and do not compromise compliance with the NFPA 99 standard for healthcare facilities. ICS-CERT says two of the vulnerabilities have a CVSS v3 score of 7.5 out of 10 (high) and one has a CVSS v3 score of 5.3 (medium). The two vulnerabilities rated high are CWE-522 – Insufficiently protected credentials and CWE-256 – Unprotected Storage of...

Read More