Security Issues Found in 75% of Infusion Pumps

This week, researchers at Palo Alto’s Unit 42 team shared a report that reveals security issues and vulnerabilities typically occur in smart infusion pumps. These bedside gadgets systemize the distribution of drugs and fluids to patients and are interconnected to networks to permit them to be remotely controlled by hospitals.

The researchers employed crowdsourced scans from over 200,000 infusion pumps at hospitals and other medical providers and sought out vulnerabilities and security problems that can possibly be exploited. The devices were tested against about 40 known vulnerabilities and about 70 other IoT vulnerabilities.

Three-quarters of the 200,000 infusion pumps were found to have security issues that positioned them at substantial risk of being affected by hackers. Worryingly, 52% of the assessed devices were observed to be susceptible to two major infusion pump vulnerabilities dating back to 2019, one of which is a critical vulnerability given a CVSS severity score of 9.8 of 10 (Wind River VxWorks CVE-2019-12255), whereas the other is a high severity vulnerability having a CVSS score of 7.1 (Wind River VxWorks CVE-2019-12264).

Vulnerabilities in infusion pumps may be taken advantage of to cause injury to people. By acquiring access to the equipment, attackers can prevent the delivery of medicines and fluids or cause the gadgets to provide likely fatal amounts of medications. Vulnerabilities may additionally be exploited to acquire access to, alter, or remove sensitive patient records, and it is the latter sort of vulnerability that is most typical.

Though a number of these vulnerabilities and warnings may be unrealistic for attackers to exploit unless physically existing in a business, all stand for a probable risk to the general safety of healthcare companies and the protection of patients – in particular in cases wherein threat actors may be driven to add further resources into attacking a target. The uncovering of security problems in three out of four infusion pumps analyzed demonstrates the requirement for the healthcare sector to redouble efforts to secure against recognized vulnerabilities, while faithfully following recommendations for infusion pumps and hospital systems.

Great hospitals and clinics could make use of thousands of infusion pumps. Whenever vulnerabilities are uncovered, patching or implementing compensating controls immediately can be a serious concern. First, the impacted devices ought to be known, then they need to be patched, repaired, or substituted. When any vulnerable device is neglected, it will continue to be prone to attack and a patient’s life could be put at stake.

It is crucial to retain an exact inventory of infusion pumps (along with other IoMT devices) being used and to have the ability to immediately uncover, locate, and examine the usage of the devices. Security teams must carry out a holistic risk examination and proactively uncover vulnerabilities and discover compliance issues.

Risk reduction plans must be implemented. Real-time risk tracking, reporting, and notifying are essential for institutions to proactively minimize IoMT threats. Regular profiling of device activity and behavior brings information that may be properly changed into risk-based Zero-Trust policy regulations. Hospitals and clinics ought to take steps also to prevent known targeted IoT malware, spyware, and exploits, avoid the implementation of DNS for C2 communications, and halt access to bad URLs and also malicious websites to avert the loss of sensitive information.

People Just Notified Regarding the September 2020 and February 2021 Cyberattacks

Two HIPAA-regulated entities have not long ago commenced sending notifications to persons whose protected health information (PHI) was likely jeopardized in cyberattacks that took place over 12 months ago. One entity took 18 months to inform impacted people that their PHI was accessed and possibly stolen.

Comprehensive Health Services Informs 94,449 Patients Concerning September 2020 Cyberattack

Comprehensive Health Services located in Cape Canaveral, FL offers employees medical services. It is additionally a part of Acuity International, which lately reported its encounter with a cyberattack that was discovered on September 30, 2020.

The security incident was observed after a number of fake wire transfers were made using its accounts. Third-party forensics professionals were employed to find out the severity of the security incident, safeguard its digital environment, distinguish how the attacker acquired systems’ access, and whether or not any sensitive data was copied from those systems.

Comprehensive Health Services mentioned in its breach notice to the Maine Attorney general that it established on November 3, 2021, that the personal information of some people hired by one of its clients could have been viewed and exfiltrated in the attack. The provider mailed notification letters to those affected persons on February 15, 2022 and provided those persons with either 12 or 24 months of credit monitoring and identity theft protection services. It is unknown why the company took 15 months to ensure the compromise of protected health information, and then an extra three months to send out notification letters to impacted people.

Based on the breach report forwarded to the Maine Attorney General, the PHI of 94,449 persons was likely affected.

Minimally Invasive Surgery of Hawaii Alerts Patients Regarding February 2021 Cyberattack

Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, dba Minimally Invasive Surgery of Hawaii (MISH), has commenced informing patients that were affected by an event leading to the breach of their PHI.

The recent occurrence was a ransomware attack noticed on February 19, 2021. As per the breach notifications, the attacker encrypted information on systems that comprised patient information. Steps were undertaken to speedily regain records and know if the unauthorized actor accessed or got files made up of patient information.

MISH stated the investigation established on or approximately April 2, 2021, that the threat actor viewed its systems between February 12, 2021, and February 19, 2021, and acquired limited files. An analysis was then performed to find out which patients were impacted and the types of data that were acquired, and then the contact data of those people must be verified.

Notification letters dated February 19, 2021, were mailed to the California attorney general, even though the breach report was sent to the HHS’ Office for Civil Rights last April 2021. According to the breach report, 500 persons were affected, even though 500 is usually utilized as a placeholder right until the finalized total of impacted people is known.

MISH explained these types of data were exposed: complete names, addresses, birth dates, medical treatment and diagnosis details, health insurance data, and a small number of Social Security numbers. There is no proof found that reveals the improper use of patient information. Impacted persons got offers of free credit monitoring and identity theft protection services.

MISH mentioned it evaluated its guidelines and procedures and has put in place further administrative and technical safety measures to strengthen security.

HIMSS Cybersecurity Survey Indicates the Human Factor is the Major Vulnerability in Medical Care

HIMSS has shared the results of its 2021 Healthcare Cybersecurity Survey which revealed that 67% of respondents have encountered a minimum of one major security occurrence in the past year, with the most prominent security breaches caused by phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was performed on 167 medical care cybersecurity experts, who were responsible for everyday cybersecurity operations or oversight.

The surveyed IT specialists were inquired about the major security breaches they had suffered in the past 12 months, and in 45% of incidents it was a phishing attack, and 57% of survey participants mentioned the most significant breach concerned phishing. Phishing attacks are most often carried out by email. 71% of the major security incidents are email-related phishing attacks; nonetheless, 27% stated there was a considerable voice phishing incident (vishing), 21% reported they had substantial SMS phishing incident (smishing), and 16% claimed there was a substantial social media phishing incident.

Phishing was the most prevalent first point of compromise, accounting for 71% of the major security breaches. Following are social engineering attacks at 15%. Human error is usually the reason behind major data breaches, making up 19% of the big security breaches, with 15% a result of the extended use of legacy software for which support is no longer given. The survey additionally showed standard security controls were not totally implemented at a lot of businesses.

Ransomware attacks still affect the healthcare industry, and the attacks usually bring about major trouble and have substantial mitigation costs. 17% of respondents stated the biggest security incident they encountered was a ransomware attack. 7% of survey participants claimed negligent insider activity triggered the major security incident, though HIMSS states that medical companies typically do not have strong defenses against insider breaches, thus it is probable that these sorts of breaches were underreported.

Taking into consideration the degree to which phishing results in account breaches or serious cyberattacks, it is crucial for healthcare institutions to use effective email security measures to stop phishing emails and to furthermore invest in security awareness training for the employees. Not only one security solution can prohibit all phishing attacks, therefore it is important for the labor force to acquire training on how to determine phishing and social engineering attacks. Educating employees on security best practices can help to lessen human error which commonly causes data breaches.

The prolonged usage of legacy programs when it is the end-of-life can be a concern in medical care, nevertheless, plans must be made to update out-of-date systems, and if that is not achievable, mitigations must be applied to make exploiting vulnerabilities harder, like separating legacy programs and not exposing them online.

44% of survey respondents mentioned their most critical breach had no minimal effect; nevertheless, 32% stated security breaches prompted interruption to systems that impacted business functions, 26% explained security breaches disturbed IT systems, and 22% reported security breaches triggered data breaches or data loss. 21% stated the security breaches had affected clinical care, and 17% stated the most critical security incident led to financial loss.

Regardless of the risk of cyberattacks, finances for cybersecurity budgets continue to be slim. 40% of surveyed IT experts mentioned 6% or less of their IT budget was dedicated to cybersecurity, which is the same proportion as the last four years although the risk of attacks has gone up. 40% of survey participants stated they either had funds that did not change since last year or had lessened, and 35% mentioned their cybersecurity fund is not predicted to alter.

The HIMSS survey asked respondents to know about the biggest security problems, which for 47% of participants was not enough budget. Employees’ compliance with guidelines and procedures was a serious problem for 43% of respondents, the prolonged use of legacy software programs was a concern for 39% of participants, and 34% reported they had problems with patch and vulnerability management.

Personnel making mistakes, identity and access management, device management, developing a cybersecurity culture, information leaks, and shadow IT were likewise regarded as big security issues.

The discoveries of the 2021 HIMSS Healthcare Cybersecurity Survey indicate that healthcare companies still have considerable problems to overcome. These limitations to progress involve restricted security budgets, increasing legacy footprints, and the expanding volume of cyber-attacks and compromises. In addition, fundamental security controls were not completely enforced by a lot of organizations. Most likely, the major weakness is the human factor. Medical providers ought to do more to help healthcare cybersecurity specialists and their cybersecurity plans.

AccelHealth and Pace Center for Girls Reported Hacking Incidents

Cross Timbers Health Clinics based in Brownwood, Texas, operating under the brand AccelHealth, experienced a ransomware attack on December 15, 2021. As a result, the Federally Qualified Health Center could not gain access to selected files and folders on its network. AccelHealth hired third-party forensics professionals to investigate the security breach who confirmed that unauthorized people first acquired access to its system on December 9, 2021.

Throughout the 6 days when the attackers had access to the network, they may have viewed or gotten files that contain patient data. A detailed evaluation of all files on the exposed parts of the system revealed they comprised the protected health information (PHI) of 48,126 patients, such as names, addresses, dates of birth, driver’s license numbers, financial account details, Social Security numbers, health insurance details, treatment, and diagnosis data and medical record numbers.

There was no evidence found of data exfiltration and, while issuing notification letters, no report was obtained that suggests actual or attempted misuse of patient data. AccellHealth stated additional technical security steps are being enforced to avoid further cyber attacks and affected persons were given no-cost credit monitoring services.

Pace Center for Girls Became Aware of 11-Month System Breach

Pace Center for Girls based in Jacksonville, FL provides a 6-12 education program for at-risk teenage girls. It has been found that unauthorized individuals accessed certain infrastructure systems and might have viewed or got the sensitive information of current and former students.

The security breach was discovered in the week of December 13, 2021, and the following investigation affirmed last January 2021 that unauthorized persons got access to segments of its IT infrastructure that held sensitive records. The breached information included students’ full names, phone numbers, addresses, birth dates, Florida Department of Juvenile Justice identification numbers, enrollment information, parent/guardian names, and behavioral health details.

Pace Center for Girls stated a third-party cybersecurity agency was employed to help secure its network and physical computer access and evaluate its data security and gateway security systems. Extra security procedures will be carried out, as necessary, to better safeguard against unauthorized access. Affected people were told to place fraud warnings with Equifax, Experian, and TransUnion to detect any fake use of their personal data. The breach report was submitted to the HHS’ Office for Civil Rights indicating that up to 18,300 individuals were impacted.

Cyberattacks and Data Theft Announced by Medical Healthcare Solutions and Advocates Inc.

Advocates Inc. in Massachusetts., a non-profit provider of support services for people encountering life challenges including autism, brain injury, addiction intellectual handicaps, behavioral health, and mental health, has reported it recently suffered a sophisticated cyberattack and data theft occurrence.

Advocates discovered on October 1, 2021, that an unauthorized person had obtained access to its system and copied files comprising the sensitive data of patients and staff members. A prominent cybersecurity agency was engaged to aid with the inquiry, which revealed that an anonymous individual had accessed its network and duplicated files in a period of four days between September 14, 2021 and September 18, 2021.

The files included names, birth dates, addresses, Social Security numbers, medical insurance details, client ID numbers, diagnoses, and treatment details. After validating the individuals impacted, Advocate compiled updated contact data to be able to issue the written notifications, thus the delay in providing notification letters.

The cyberattack report was sent to the Federal Bureau of Investigation and government authorities. The breach report sent to the Department of Health and Human Services’ Office for Civil Rights reveals the protected health information (PHI) of 68,236 persons was contained in the stolen information. Advocates mentioned it doesn’t know if any actual or attempted improper use of the stolen data; nevertheless, as a preventative measure, affected people were provided free credit monitoring and identity theft protection services.

PHI Compromised in Cyberattack on Medical Healthcare Solutions

The medical billing firm Medical Healthcare Solutions located in Boston, MA has lately reported it encountered a cyberattack. The attack was identified on November 19, 2021, and steps were promptly taken to safeguard its system to stop more unauthorized access. The investigation established an unauthorized person had acquired access to its network from October 1, 2021 to October 4, 2021, and stolen a number of files from its system.

An analysis of the stolen records showed they comprised these types of information: Name, address, birth date, sex, telephone number, email address, driver’s license/state ID number, Social Security number, financial account number, payment card number, card CVV/expiration, routing number, diagnosis/treatment details, procedure type, provider name, prescription data, date of service, patient account number, medical record number insurance group number, insurance ID number, insurance plan name, claim number, provider ID number, process code, treatment price, and diagnosis code.

A final record of persons impacted by the breach was secured on January 8, and notification letters were already distributed. Free credit monitoring and identity theft protection services were given to affected people. The breach report was submitted to the HHS’ Office for Civil Rights, nevertheless, it has not yet been posted on the breach site, therefore it is presently not clear how many persons were impacted.

More Than 50% of All Healthcare IoT Devices Have an Identified, Unpatched Critical Vulnerability

The latest research by Cynerio, a healthcare IoT security platform provider, has shown that 53% of connected medical devices and other healthcare IoT devices have at the least one unresolved critical vulnerability that can probably be taken advantage of to acquire access to systems and sensitive records or impact the availability of the devices. The researchers likewise identified one-third of bedside healthcare IoT devices have a minimum of one unpatched critical vulnerability that may impact service availability, data privacy, or put patient safety at risk.

The researchers assessed the connected device footprints at over 300 hospitals to determine threats and vulnerabilities existing in their Internet of Medical Things (IoMT) and IoT devices. The most often utilized healthcare IoT device is IV pumps, which constitute approximately 38% of a hospital’s IoT footprint. These devices were known to be the most susceptible to attack, as 73% got a vulnerability that can jeopardize patient safety, service accessibility, or cause information theft. 50% of VOIP systems included vulnerabilities, with patient monitors, ultrasound devices, and medication dispensers the next most unsecured device types.

The lately reported Urgent11 and Ripple20 IoT vulnerabilities are obviously a reason for concern; nevertheless, there are far more prevalent and quickly exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities have an effect on close to 10% of medical IoT and IoMT devices, although the most well-known risk was weak credentials. Standard passwords can simply be located in online device guides and weak passwords are prone to brute force attacks. 1/5 or 21% of IoT and IoMT devices were identified to have default or inadequate credentials.

Most pharmacology, oncology, and laboratory units and substantial numbers of the gadgets employed in neurology, radiology, and surgery sections were using obsolete Windows versions (older than Windows 10) which are likely vulnerable.

Unaddressed software programs and firmware vulnerabilities are usual in bedside gadgets, with the most usual being wrong input validation, inappropriate authentication, and the ongoing usage of devices for which a device recall alert was given. With no visibility into the devices connected to the network and detailed stock of all IoT and IoMT devices, determining and responding to vulnerabilities before attackers exploit them will be a serious challenge and it is going to be inescapable that certain devices will continue to be vulnerable.

A lot of medical instruments are utilized in critical care settings, where very minimal downtime happens. Over 80% of healthcare IoT devices are employed every month or more often, which provides security teams a short time to identify and deal with vulnerabilities and separate the network. An IT solution ready that could provide visibility into interconnected medical devices and give key details on the security of those equipment will allow security teams to determine vulnerable devices and schedule updates.

Frequently, it’s not possible to use patches. In many cases, medical IoT devices are in continual use and they are usually utilized beyond the end-of-support time. In these instances, the best security choice is virtual patching, where steps are undertaken to avert the exploitation of vulnerabilities like quarantining devices and sectioning the system.

Sectioning the network is one of the most critical steps to take on to strengthen healthcare IoT and IoMT security. When segmentation is done that takes into account healthcare workflows and patient care situations, Cybnerio claims 92% of critical risks in IoT and IoMT devices may be successfully mitigated.

Nearly all medical IoT and IoMT cybersecurity initiatives are targeted on developing a complete inventory of all IoT and IoMT devices and getting data concerning those devices to determine probable risks. Hospitals and health networks don’t require more information – they need to have innovative solutions that minimize risks and enable them to combat cyberattacks, and as medical device security specialists, it’s time for all of us to step up.

Online Pharmacy Alerts 105,000 Patients Concerning Cyberattack and Probable Theft of PHI

The digital pharmacy and health application creator Ravkoo in Auburndale, FL has begun informing selected patients concerning an unauthorized person who accessed and likely stole their sensitive personal information.

Ravkoo makes use of Amazon Web Services (AWS) to host its online prescription site. The site suffered a cyberattack that was noticed on September 27, 2021. After the knowledge of the data breach, Ravkoo took prompt action to safeguard the website and engaged third-party cybersecurity specialists to aid in the forensic investigation, mitigation, recovery, and remediation initiatives.

The investigation established the compromise of sensitive patient data, which include names, telephone numbers, addresses, a number of prescription details, and limited medical information. Ravkoo explained the affected site didn’t include any Social Security numbers, which are not retained in the impacted portal. The forensic investigation uncovered no proof that suggested the improper use of data stored in the portal.

Ravkoo already submitted the cyberattack report to the Federal Bureau of Investigation (FBI) and is helping with the inquiry. Ravkoo likewise has employed forensics professionals to assess the security of its AWS system. Steps are currently being undertaken to strengthen security to avert other data breaches down the road.

The security breach report has been sent to the Department of Health and Human Services’ Office for Civil Rights stating that approximately 105,000 persons were impacted. Affected people are being given free use of Kroll’s online credit monitoring service as a preventative measure, which consists of access to resolution services in the eventuality of identity theft.

The Intercept’s Micah Lee mentioned in a September 28, 2021 Twitter update that an attacker had taken responsibility for the cyberattack on Ravkoo and stated the patient site was “hilariously easy” to get into and needed the usage of a secret admin website that any user can sign in to and get patient records.

PHI of Anthem Members and Advocate Aurora Health Patients Possibly Exposed

Anthem Inc. has notified 2,003 people that an unauthorized person possibly seen or acquired their protected health information (PHI) after getting access to the network of one of its business associates.

Anthem partners with the insurance broker OneDigital based in Atlanta, GA, which gives assistance for people signed up in group health plans to support them in getting and taking care of their health insurance. OneDigital was provided access to the protected health information of a number of members to guide them or their existing or past employer to get and take care of their medical insurance policy.

On November 24, 2021, OneDigital alerted Anthem concerning a system server hacking incident that took place in January 2021. Anthem stated the incident investigation did not show any direct proof that there was unauthorized access or theft of PHI, however, those activities cannot be eliminated.

The types of data kept on the breached systems consisted of names, birth dates, addresses, healthcare company names, health insurance numbers, group numbers, dates and types of medical care services, medical record numbers, medication data, laboratory test data, payment details, claims data, driver’s license numbers, and Social Security numbers.

Anthem provided the impacted persons with complimentary credit monitoring and identity theft protection services for one year. Anthem mentioned it is working together with OneDigital to lessen the chance of the same breaches taking place later on.

Exposure of the PHI of Over 1,700 Advocate Aurora Health Patients Because of Billing Error

The 26-hospital health system located in Illinois, Advocate Aurora Health, has informed over 1,700 individuals concerning the possible breach of some of their PHI.

Approximately on July 29, 2021, the hospital made billing statements and sent them to patients by mail, however, they were unable to reach their destination. The documents included some PHI, for example, patients’ names, the types of services received, dates of service, the name of the medical care provider they went to, and visit account numbers.

Advocate Aurora Health became aware of the billing problem on October 29, 2021. The following investigation showed there was an unintentional alteration to its billing application that was not noticed so that the statements were sent to the incorrect address. Advocate Aurora Health stated it didn’t get any report of actual or attempted improper use of any patient information resulting from the incident, nevertheless patients were advised by mail as a preventative measure and were given free credit monitoring services.

Advocate Aurora Health explained it is changing its internal processes and technical solutions to avert identical breaches down the road. The breach report was sent to the HHS’ Office for Civil Rights as impacting 1,729 persons.

Broward Health Alerts More Than 1.3 Million People Regarding the October 2021 Data Breach

At the beginning of the year, a big breach was announced by Broward Health located in Florida, which has just started informing over 1.3 million patients and workers concerning a data breach that took place on October 15, 2021. A hacker obtained access to the Broward Health system via a third-party healthcare provider’s office that was given access to the Broward Health network for delivering medical services.

Broward Health uncovered and stopped the attack on October 19, 2021, and performed a password reset for all staff members to avert more unauthorized access. With the assistance of a third-party cybersecurity firm, Broward Health carried out a thorough investigation to find out the nature and extent of the breach.

The investigation established that the attacker acquired access to sections of the system where worker and patient data were saved, which include sensitive data: names, addresses, email addresses, birth dates, telephone numbers, financial/bank account details, health insurance data, medical backgrounds, medical problems, treatment and diagnosis details, medical record numbers, Social Security numbers, and driver’s license numbers. Broward Health reported some records were exfiltrated from its networks.

The cyberattack report was sent to the Department of Justice which wanted Broward Health to put off distributing breach notification letters to affected people in order not to obstruct the law enforcement inquiry.

Broward Health took action to boost security and avert the same occurrences down the road, which comprise of using multifactor authentication for all end-users of its network and establishing minimum-security specifications for all devices not maintained by Broward Health’s IT department having network access. Those security prerequisites will be effective this January.

Broward Health did not receive any reports that show patient or staff information was misused, nevertheless as a preventative measure against identity theft and fraud, impacted persons were provided a free two-year membership to the Experian IdentityWorksSM service, consisting of identity theft protection, discovery, and resolution services.

The breach hasn’t shown up on the HHS’ Office for Civil Rights breach website although it was documented with the Maine Attorney General as likely impacting 1,357,879 individuals.

Data Breaches Reported by Texas ENT Specialists and Virginia Department of Behavioral Health and Developmental Services

Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) has reported it experienced a cyberattack that was discovered on October 19, 2021.

As soon as the attack was discovered, quick action was undertaken to avoid further access to the network by unauthorized persons. A third-party cybersecurity company was involved to investigate and identify the nature and scope of the cyberattack. The forensic investigation showed that the attackers initially obtained access to its systems on August 9, 2021, and from then on until August 15, they copied and extracted files from its network.

An analysis of those files established they included the protected health information (PHI) of 535,489 individuals, such as names, birth dates, procedure codes, and health record numbers. A subset of people additionally had their Social Security numbers compromised; nevertheless, its electronic medical record system was not affected.

Texas ENT Specialists sent notification letters to affected persons on December 10, 2021. Patients whose Social Security numbers were compromised were given a free membership to Experian’s identity theft monitoring service.

Texas ENT Specialists reported that it has increased its privacy and data security program and has put in place more technical security procedures to better secure and keep an eye on its systems.

Virginia Department of Behavioral Health and Developmental Services Experiences Second Funding Portal Breach

The Virginia Department of Behavioral Health and Developmental Services (DBHDS) is informing 4,037 people who tried for Individual and Family Support Program (IFSP) financial assistance that their PHI might have been impermissibly exposed. The breach impacted its IFSP Funding Website and took place on October 7, 2021. The breach was noticed in just minutes and the site was promptly taken off the internet to avert continuing unauthorized data access.

In 2019, DBHDS suffered a breach of its IFSP funding webpage that exposed the records of 1,442 persons. In the following 17 months, the internal team and the Virginia Information Technology Agency (VITA) reviewed the attack and tried to duplicate and fix the problem. Considerable testing of the Portal was carried out, and it was confirmed the Portal was clear to run once again. The newest breach looks a lot like the 2019 occurrence and might likewise have made possible the viewing of information by other individuals.

DBHDS mentioned it won’t make an effort to fix the Portal once more, and an alternate solution may be determined for future IFSP application processes. Persons whose application data were compromised could register for zero-cost credit monitoring services for two years.