Maria Perez

Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make Maria a trusted source on our site.

Security Issues Found in 75% of Infusion Pumps

This week, researchers at Palo Alto’s Unit 42 team shared a report showing that security issues and vulnerabilities are common in smart infusion pumps. These bedside devices automate the delivery of drugs and fluids to patients and are connected to networks so that hospitals can control them remotely.

The researchers used crowdsourced scans from over 200,000 infusion pumps at hospitals and other medical providers and looked for vulnerabilities and security problems that could be exploited. The devices were tested against about 40 known vulnerabilities and about 70 other IoT vulnerabilities.

Three-quarters of the 200,000 infusion pumps were found to have security issues that put them at substantial risk of being compromised by hackers. Worryingly, 52% of the assessed devices were found to be susceptible to two major infusion pump vulnerabilities dating back to 2019: one is a critical vulnerability with a CVSS severity score of 9.8 out of 10 (Wind River VxWorks CVE-2019-12255), and the other is a high-severity vulnerability with a CVSS score of 7.1 (Wind River VxWorks CVE-2019-12264).

Vulnerabilities in infusion pumps may be exploited to cause harm to patients. By gaining access to the devices, attackers can prevent the delivery of medicines and fluids or cause the devices to deliver potentially fatal doses of medication. Vulnerabilities may also be exploited to access, alter, or delete sensitive patient records, and it is this latter type of vulnerability that is most common.

Though a number of these vulnerabilities and warnings may be impractical for attackers to exploit unless they are physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in cases where threat actors may be motivated to put further resources into attacking a target. The discovery of security problems in three out of four infusion pumps analyzed shows the need for the healthcare sector to redouble efforts to protect against known vulnerabilities, while diligently following recommendations for infusion pumps and hospital systems.

Large hospitals and clinics may use thousands of infusion pumps. When vulnerabilities are discovered, patching or implementing compensating controls promptly can be a serious challenge. First, the affected devices have to be identified; then they need to be patched, repaired, or replaced. If any vulnerable device is missed, it remains open to attack and a patient’s life could be put at risk.

It is crucial to maintain an accurate inventory of infusion pumps (along with other IoMT devices) in use and to be able to quickly discover, locate, and assess the usage of the devices. Security teams must carry out a holistic risk assessment and proactively find vulnerabilities and identify compliance issues.

Risk reduction plans must be implemented. Real-time risk monitoring, reporting, and alerting are essential for organizations to proactively reduce IoMT threats. Regular profiling of device activity and behavior yields information that can be accurately converted into risk-based Zero-Trust policy rules. Hospitals and clinics should also take steps to block known targeted IoT malware, spyware, and exploits, prevent the use of DNS for C2 communications, and stop access to bad URLs and malicious websites to avert the loss of sensitive information.

Individuals Only Now Notified About September 2020 and February 2021 Cyberattacks

Two HIPAA-regulated entities have recently started sending notifications to individuals whose protected health information (PHI) was potentially compromised in cyberattacks that took place over 12 months ago. One entity took 18 months to inform affected individuals that their PHI was accessed and possibly stolen.

Comprehensive Health Services Notifies 94,449 Patients About September 2020 Cyberattack

Comprehensive Health Services, located in Cape Canaveral, FL, offers employee medical services. It is also part of Acuity International, which recently reported a cyberattack that was discovered on September 30, 2020.

The security incident was detected after a number of fraudulent wire transfers were made from its accounts. Third-party forensics specialists were engaged to determine the extent of the security incident, secure its digital environment, and establish how the attacker gained access to its systems and whether any sensitive data was copied from those systems.

Comprehensive Health Services stated in its breach notice to the Maine Attorney General that it determined on November 3, 2021, that the personal information of some individuals employed by one of its clients could have been viewed and exfiltrated in the attack. The provider mailed notification letters to the affected individuals on February 15, 2022, and offered them either 12 or 24 months of credit monitoring and identity theft protection services. It is unclear why the company took 15 months to confirm the compromise of protected health information, and then a further three months to send notification letters to affected individuals.

According to the breach report submitted to the Maine Attorney General, the PHI of 94,449 individuals was potentially affected.

Minimally Invasive Surgery of Hawaii Notifies Patients About February 2021 Cyberattack

Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, dba Minimally Invasive Surgery of Hawaii (MISH), has started notifying patients who were affected by an incident that led to the breach of their PHI.

The incident was a ransomware attack detected on February 19, 2021. According to the breach notifications, the attacker encrypted data on systems that contained patient information. Steps were taken to quickly recover records and determine whether the unauthorized actor accessed or obtained files containing patient information.

MISH stated the investigation determined on or around April 2, 2021, that the threat actor accessed its systems between February 12, 2021, and February 19, 2021, and obtained a limited number of files. An analysis was then performed to determine which patients were affected and the types of data that were obtained, and the contact information of those individuals then had to be verified.

Notification letters dated February 19, 2021, were mailed to the California attorney general, even though the breach report was sent to the HHS’ Office for Civil Rights in April 2021. According to the breach report, 500 individuals were affected, although 500 is commonly used as a placeholder until the final total of affected individuals is known.

MISH said the following types of data were exposed: full names, addresses, birth dates, medical treatment and diagnosis details, health insurance data, and a small number of Social Security numbers. No evidence has been found of misuse of patient information. Affected individuals were offered free credit monitoring and identity theft protection services.

MISH said it has reviewed its policies and procedures and has put in place additional administrative and technical safeguards to strengthen security.

HIMSS Cybersecurity Survey Indicates the Human Factor Is the Major Vulnerability in Healthcare

HIMSS has published the results of its 2021 Healthcare Cybersecurity Survey, which found that 67% of respondents experienced at least one major security incident in the past year, with the most prominent security breaches caused by phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was conducted on 167 healthcare cybersecurity professionals who were responsible for day-to-day cybersecurity operations or oversight.

The surveyed IT specialists were asked about the major security breaches they had experienced in the past 12 months. In 45% of incidents it was a phishing attack, and 57% of survey participants said the most significant breach involved phishing. Phishing attacks are most often carried out by email. 71% of the major security incidents were email-related phishing attacks; however, 27% said there was a significant voice phishing incident (vishing), 21% reported a significant SMS phishing incident (smishing), and 16% said there was a significant social media phishing incident.

Phishing was the most common initial point of compromise, accounting for 71% of the major security breaches, followed by social engineering attacks at 15%. Human error is often the cause of major data breaches, accounting for 19% of the major security breaches, with 15% resulting from the continued use of legacy software that is no longer supported. The survey also showed that basic security controls were not fully implemented at many organizations.

Ransomware attacks continue to affect the healthcare industry; the attacks often cause major disruption and carry substantial mitigation costs. 17% of respondents said the biggest security incident they experienced was a ransomware attack. 7% of survey participants said negligent insider activity caused the major security incident, though HIMSS notes that healthcare organizations typically lack strong defenses against insider breaches, so it is likely that these types of breaches were underreported.

Given the extent to which phishing leads to account breaches or serious cyberattacks, it is crucial for healthcare organizations to use effective email security measures to block phishing emails and also to invest in security awareness training for employees. No single security solution can block all phishing attacks, so it is important for the workforce to be trained to identify phishing and social engineering attacks. Educating employees on security best practices can help to reduce the human error that commonly causes data breaches.

The continued use of legacy software after it reaches end-of-life can be a problem in healthcare. Nevertheless, plans must be made to upgrade outdated systems, and if that is not achievable, mitigations must be applied to make exploiting vulnerabilities harder, such as isolating legacy systems and not exposing them to the Internet.

44% of survey respondents said their most critical breach had no or minimal effect; however, 32% said security breaches caused disruption to systems that affected business functions, 26% said security breaches disrupted IT systems, and 22% reported security breaches caused data breaches or data loss. 21% said the security breaches had affected clinical care, and 17% said the most critical security incident led to financial loss.

Despite the risk of cyberattacks, cybersecurity budgets remain slim. 40% of surveyed IT experts said 6% or less of their IT budget was dedicated to cybersecurity, which is the same proportion as in the last four years even though the risk of attacks has gone up. 40% of survey participants said their budgets had either not changed since last year or had decreased, and 35% said their cybersecurity budget is not expected to change.

The HIMSS survey asked respondents about their biggest security problems, which for 47% of participants was insufficient budget. Employee compliance with policies and procedures was a serious problem for 43% of respondents, the continued use of legacy software was a concern for 39% of participants, and 34% reported problems with patch and vulnerability management.

Staff errors, identity and access management, device management, developing a cybersecurity culture, information leaks, and shadow IT were also regarded as big security issues.

The findings of the 2021 HIMSS Healthcare Cybersecurity Survey indicate that healthcare organizations still have considerable problems to overcome. These barriers to progress include restricted security budgets, growing legacy footprints, and the increasing volume of cyberattacks and compromises. In addition, basic security controls were not fully implemented by many organizations. Most likely, the major weakness is the human factor. Healthcare providers need to do more to support healthcare cybersecurity specialists and their cybersecurity plans.

AccelHealth and Pace Center for Girls Report Hacking Incidents

Cross Timbers Health Clinics, based in Brownwood, Texas, and operating under the brand AccelHealth, experienced a ransomware attack on December 15, 2021. As a result, the Federally Qualified Health Center could not access certain files and folders on its network. AccelHealth engaged third-party forensics specialists to investigate the security breach, and they confirmed that unauthorized individuals first gained access to its system on December 9, 2021.

During the 6 days when the attackers had access to the network, they may have viewed or obtained files containing patient data. A detailed review of all files on the exposed parts of the system found they contained the protected health information (PHI) of 48,126 patients, including names, addresses, dates of birth, driver’s license numbers, financial account details, Social Security numbers, health insurance details, treatment and diagnosis data, and medical record numbers.

No evidence of data exfiltration was found and, at the time of issuing notification letters, no reports had been received of actual or attempted misuse of patient data. AccelHealth stated that additional technical security measures are being implemented to prevent further cyberattacks, and affected individuals were offered no-cost credit monitoring services.

Pace Center for Girls Discovers 11-Month System Breach

Pace Center for Girls, based in Jacksonville, FL, provides a 6-12 education program for at-risk teenage girls. It has found that unauthorized individuals accessed certain infrastructure systems and may have viewed or obtained the sensitive information of current and former students.

The security breach was discovered in the week of December 13, 2021, and the subsequent investigation confirmed last January 2021 that unauthorized individuals gained access to parts of its IT infrastructure that held sensitive records. The breached information included students’ full names, phone numbers, addresses, birth dates, Florida Department of Juvenile Justice identification numbers, enrollment information, parent/guardian names, and behavioral health details.

Pace Center for Girls stated that a third-party cybersecurity agency was engaged to help secure its network and physical computer access and to assess its data security and gateway security systems. Additional security measures will be implemented, as necessary, to better protect against unauthorized access. Affected individuals were advised to place fraud alerts with Equifax, Experian, and TransUnion to detect any fraudulent use of their personal data. The breach report submitted to the HHS’ Office for Civil Rights indicates that up to 18,300 individuals were affected.

Ransomware Actors Exploit Unpatched Vulnerabilities as the Most Common Attack Vector

Ransomware groups are increasingly exploiting unpatched vulnerabilities in software programs and operating systems to gain access to organizations’ systems, and they are readily using zero-day vulnerabilities. Unpatched vulnerabilities are now the principal attack vector in ransomware attacks, according to Ivanti’s Ransomware Year-End Spotlight report.

Ivanti partnered with the next-gen SOAR and threat intelligence solutions company Cyware and Certifying Numbering Authority (CNA) Cyber Security Works to produce the report, which identified 32 new ransomware variants in 2021, a 26% increase over the previous year. There are currently 157 identified ransomware families being used in cyberattacks on companies.

Ivanti says 65 new vulnerabilities were found in 2021 that ransomware gangs are known to have used in attacks, 29% more than the year before. A total of 288 vulnerabilities are now connected to ransomware attacks. 37% of the new vulnerabilities were trending on the dark web and were exploited in a number of attacks, while 56% of the 223 older vulnerabilities continue to be regularly exploited by ransomware groups.

Ransomware gangs and the initial access brokers they often use are seeking out zero-day vulnerabilities to use in their attacks, even before CVE identifiers are assigned to the vulnerabilities and they are added to the National Vulnerability Database (NVD). Examples include the SonicWall (CVE-2021-20016), QNAP (CVE-2021-28799), Apache Log4j (CVE-2021-44228), and Kaseya (CVE-2021-30116) vulnerabilities.

The report shows the importance of applying patches promptly and the need to prioritize patching so that weaponized vulnerabilities are patched first. While it is vital to monitor vulnerabilities as they are added to the NVD, security teams should also subscribe to threat intelligence news and security advisories from security agencies and watch for exploitation instances and vulnerability trends.

Though ransomware attacks on businesses are common, ransomware groups are looking for big paydays and are increasingly attacking supply chain networks and managed service providers in order to cause disruption at as many firms as possible. A supply chain attack or an attack on a managed service provider enables a ransomware group to carry out ransomware attacks on many or even hundreds of victim sites, as in REvil’s ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are also increasingly working with others in the following ways:

  • ransomware-as-a-service (RaaS), where affiliates are employed to perform many attacks for a percentage of the ransom profits
  • exploit-as-a-service, where exploits for identified vulnerabilities are leased from coders
  • dropper-as-a-service operations, where ransomware groups pay malware operators to install malicious payloads on unsecured devices.

Ransomware gangs are more advanced today, and their attacks are more effective. These attackers are using automated tool kits to take advantage of vulnerabilities and go deeper into breached networks, explained Srinivas Mukkamala, Ivanti’s Senior VP of Security Products. Institutions should be extra attentive and patch weaponized vulnerabilities right away. This calls for utilizing a combo of risk-based vulnerability prioritization and computerized patch intelligence to discover and prioritize vulnerability weaknesses and then quicken remediation.