HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in the middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increase in used of Unicode characters to create fraudulent domains for use in phishing attacks.

API Attacks Could Be the Next Big Attack Vector

Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to gain access to sensitive data. Vulnerabilities in API’s could be a weak point and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector.

API usage in application development has become the norm, after all, it is easier to use a third-party solution that to develop a solution from scratch. APIs allow healthcare organizations to integrate third-party services. A study by One-Poll suggests that on average, businesses are managing 363 different APIs and two thirds of organizations expose the APIs to the public or their partners. As with any software solution, if vulnerabilities exist, it is only a matter of time before they are exploited.

Torsten George at Security Week has explained several ways that APIs can be exploited to gain access to sensitive data.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Unicode Characters Used in Convincing Impersonation Attacks

The ability to include Unicode characters in domain names is allowing cybercriminals to easily create highly convincing domains using homographs. These domains can be virtually indistinguishable to the genuine domain to the casual eye, making them ideal for use in phishing attacks. Examples include use of the Cyrillic small letter a in place of a standard a, or the use of the Latin small letter iota or the Latin small letter dotless i, in place of an i. Farsight Security has released a useful report on the matter in its Global Internationalized Domain Name Homograph Report.

New USB-Based Attack Method Identified

A new attack method has been detailed by Eleven Paths on the exploitation of hidden networks created via USB devices. This attack method could allow access to be gained to isolated computers not connected to the Internet. Simply disconnecting a computer from WiFi or not connecting the device to a network via an Ethernet cable may not be sufficient at preventing a malicious actor from gaining access to the device and sensitive data, as was demonstrated by the infection of an isolated computer with Stuxnet malware at a Nuclear power plant.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.