Category Archives: Healthcare

Healthcare related posts

75% of Smart Medical Devices Tested are Vulnerable to Hacking

This should make you feel better. Especially under the current situation.

Palo Alto Networks Unit 42, a well-known and well-respected group of security researchers, analyzed more than 200,000 network-connected infusion pumps used in medical facilities.

75% of the devices tested had security vulnerabilities that would allow hackers to exploit them.

The purpose of the test was to assess the reliability and security of smart infusion pumps used by the healthcare industry. The vast majority of hospitals use smart infusion pumps.

If that wasn’t bad enough, the researchers say that the pumps were vulnerable to one or more of forty different known security vulnerabilities.

On top of that, the pumps were also exposed to up to seventy other known security shortcomings common to IoT devices.

Even though information about security measures was available, healthcare facilities have chosen not to protect the devices. There are likely many reasons, including time and money, the FDA, manufacturers and old unsupported hardware, but those won’t be considered good reasons if people start dying.

If a medical device is hacked, the hacker would likely want to cause panic. An example of that might be Russian hackers working on behalf of the government, mad at the U.S. and wanting to cause panic.

Unfortunately, the way regulation tends to work in the United States is that we wait until people die and then pretend we didn’t know about the problem. I hope that is not the case here, but I am not optimistic. Credit: Hackread

Security News for the Week Ending January 21, 2022

Russia Arrests Some REvil Gang Members

At this point we don’t know who they ticked off, but Putin’s goons arrested 14 people and seized 426 million Roubles (about $5.5 million), $600,000 USD, 500,000 euros, computers and 20 cars. These guys definitely will not be getting a Christmas card from Vlad next year. Credit: Yahoo News

Gas or Electric – Which is Better When You are on a Virginia Highway in a Blizzard

Couldn’t resist the dig on Virginia, whose government recently could not figure out that an ice storm could cause problems, leaving people stranded on the Interstate for over 24 hours with no food, water or heat. The question that electric car naysayers have been asking, or really asserting, is that if you are stuck in a traffic jam in an electric car you will run out of juice and have to be towed somewhere to get a charge (versus putting a few gallons into your gas tank). If you want the details of the argument, go to the link, but this analysis at least says it is a bit of a toss-up because of all the variables. Credit: Vice

Europe Wants to Create Its Own DNS Infrastructure

The EU doesn’t like anything it can’t control, especially if it is controlled by companies in the U.S. The project, called DNS4EU, would enable DNS filtering, support all DNS standards and, most importantly, effectively be under the governments’ thumb, meaning they could tell DNS4EU to block whatever the various governments wanted. Bigger point: EU ISPs won’t be happy to lose the revenue they currently get from selling their users’ data, so unless EU law forces them to use it, it is unclear whether they would encourage it. Credit: The Record

More Than Half of Connected Medical Devices Have Critical Vulnerabilities

A new report from Cynerio says that 53% of the Internet-connected medical devices it analyzed were found to have a known critical vulnerability. In addition, a third of bedside healthcare IoT devices have an identified critical risk. This includes missing patches, unsupported operating systems and default passwords left in place. Credit: Cynerio

Some Russian Hackers Worried About Being Arrested

After recent arrests by Russia’s FSB of the REvil hackers, there is some chatter on Russian message boards about not wanting to go to jail. One hacker said that those who expect that Russia would protect them will be greatly disappointed. Some are even suggesting moving to a more favorable (to them) jurisdiction, but there likely aren’t many of those. If Russia continues this then the paranoia will likely increase, which is good for us. Credit: ZDNet

Security News for the Week Ending November 12, 2021

Feds Having Some Success In Going After Hackers

The DoJ announced the arrest of a Ukrainian who is accused of deploying ransomware on behalf of the REvil ransomware gang. They also seized $6 million in cryptocurrency. The Ukrainian was arrested in Poland (crooks are not smart: if you are in the crosshairs of U.S. law enforcement, do not travel to countries that have extradition treaties with the U.S.). Other REvil affiliates were arrested in Romania and Kuwait. Understand that while this is all good, it is also a drop in the bucket compared to the amount of cybercrime affecting us. Credit: Bleeping Computer

State Department Sends Emergency Employee Message: Change Passwords

On Tuesday afternoon the State Department sent an official text message to employees telling them to change their passwords now and to increase the minimum length from 12 to 16 characters. The department is not even confirming the message, but the only logical conclusion is that they were hacked. Credit: Just the News

Missouri Apologizes for Governor’s Political Stunt

After the St. Louis newspaper discovered that a state website that allows the public to check on teachers’ credentials was leaking the personal information of hundreds of thousands of teachers, the governor tried to get the newspaper and the reporter arrested and charged with hacking. He even ordered the highway patrol to investigate the “crime”. Now the state’s department of education is apologizing to the teachers and offering them credit monitoring. The governor said that the newspaper’s “hacking” was going to cost the state $50 million. Turns out the cost is really $800,000. And the highway patrol is still investigating. The Governor has not apologized. Credit: ZDNet

Dutch Newspaper Accuses US Spy Agency of Orchestrating 2016 Booking.com Breach

Booking.com was hacked in 2016 and they did not disclose the breach. The newspaper says that Booking.com relied on advice from law firm Hogan Lovells saying they did not have to disclose it. The hackers came across a poorly secured server with customer PINs which allowed them to steal the information. The company asked the Dutch spy agency for help after an internal investigation tied the hacker to US spy agencies. The company acknowledged that it did not disclose the breach and that was consistent with the laws in effect at the time. This hack looks very similar to an attack that Snowden disclosed eight years ago. Credit: The Register

13 Security Bugs Impact Important Healthcare Devices

Researchers have published details of a suite of 13 vulnerabilities in the Nucleus real time operating system from Siemens, which is used across many industries including healthcare, automotive and aerospace. Called Nucleus:13, the flaws affect the TCP/IP stack, a common attack vector in these types of operating systems. This revelation is part of a larger investigation into TCP/IP software which discovered 78 vulnerabilities in 14 different TCP/IP stacks. A different research team found 19 flaws in yet another TCP/IP stack. Siemens has released patches for the current versions of the OS, but there is no way for an end user to know what version is in their medical device – that is, until software bills of materials become legally mandatory. Credit: Bleeping Computer
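This is exactly the question a software bill of materials answers. The following is an added example, not code from the researchers, Siemens or any device vendor: it reads a small CycloneDX-style SBOM and compares each listed component against a table of "first fixed" versions. The SBOM content, the component names and the fixed versions are all constructed for the illustration; real affected ranges have to come from the vendor advisory.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device. The component
# names and versions are assumptions for this example, not a real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "operating-system", "name": "example-rtos", "version": "4.1.2"},
        {"type": "library", "name": "example-tcpip", "version": "5.0.0"},
        {"type": "library", "name": "example-crypto"},            # no version recorded
        {"type": "library", "name": "zlib", "version": "1.2.11"},
    ],
})

# Hypothetical advisory data: component name -> first version that carries the fix.
# Anything older is treated as affected.
FIXED_IN = {
    "example-rtos": "4.1.3",
    "example-tcpip": "5.0.0",
    "example-crypto": "2.0.0",
}


def parse_version(text):
    """Turn '4.1.2' or '4.1.2-rc1' into a comparable tuple of ints.

    Non-numeric suffixes are dropped, so '4.1.2-rc1' compares equal to '4.1.2';
    for a stricter ordering you would plug in a real semver library.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_components(sbom_json, fixed_in):
    """Return one finding per SBOM component that is below its fixed version.

    A component that appears in the advisory table but has no version in the
    SBOM is reported as 'unknown' rather than silently passed: an SBOM that
    omits the version does not prove the device is patched.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name")
        if name not in fixed_in:
            continue
        version = comp.get("version")
        if version is None:
            findings.append({"name": name, "version": None,
                             "fixed_in": fixed_in[name], "status": "unknown"})
        elif parse_version(version) < parse_version(fixed_in[name]):
            findings.append({"name": name, "version": version,
                             "fixed_in": fixed_in[name], "status": "vulnerable"})
    return findings


if __name__ == "__main__":
    for f in affected_components(SAMPLE_SBOM, FIXED_IN):
        print(f"{f['status']:<10} {f['name']} {f['version']} (fixed in {f['fixed_in']})")
```

The check deliberately flags a component whose version is missing as unknown rather than clean. In practice the hard part is not this comparison but obtaining an SBOM from the device vendor at all, which is the point the paragraph above makes.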

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
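The defect the notice describes is a stale-authorization bug: access was decided from who had once been on a case rather than from who is on it now. The following is an added illustration, not the State of Illinois’ code (the IES implementation is not public). The case data, the names and the two access classes are constructed for the example; the "fixed" class mirrors the January 2021 change the notice describes, limiting access to the head of household.

```python
from dataclasses import dataclass, field


@dataclass
class Case:
    """Constructed benefits case: one head of household plus current members."""
    case_id: str
    head_of_household: str
    members: set = field(default_factory=set)


def build_case():
    # Constructed sample household for the demonstration.
    return Case("CASE-0001", "alice", {"alice", "bob", "carol"})


class VulnerableCaseAccess:
    """Access list snapshotted when the case was opened and never refreshed.

    Removing a member updates the case record but not the access list, so the
    removed person can still read the case. This is the class of bug the
    notice describes; the real code is not public and this is a stand-in.
    """

    def __init__(self, case):
        self.case = case
        self._allowed = set(case.members)  # snapshot, the root of the problem

    def remove_member(self, person):
        self.case.members.discard(person)  # record changes, access list does not

    def can_view(self, person):
        return person in self._allowed


class FixedCaseAccess:
    """Decides from current case state on every request.

    As in the January 2021 IES change, only the current head of household may
    view the case; anyone removed from it loses access immediately.
    """

    def __init__(self, case):
        self.case = case

    def remove_member(self, person):
        self.case.members.discard(person)

    def can_view(self, person):
        return (person == self.case.head_of_household
                and person in self.case.members)


def stale_grants(access):
    """Audit helper: who holds a grant but is no longer on the case?

    Diffing the effective access list against current membership is how you
    would find this bug in an existing system before a user does.
    """
    granted = {p for p in ("alice", "bob", "carol", "dave") if access.can_view(p)}
    return granted - access.case.members


def demo():
    """Remove 'bob' from the case under both models and report who can still view it."""
    results = {}
    for label, cls in (("vulnerable", VulnerableCaseAccess), ("fixed", FixedCaseAccess)):
        access = cls(build_case())
        access.remove_member("bob")
        results[label] = {
            "can_view": {p: access.can_view(p) for p in ("alice", "bob", "carol")},
            "stale": stale_grants(access),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r["can_view"], "stale grants:", r["stale"])
```

The general lesson is the one in the fixed class: derive every authorization decision from the system of record at request time, and periodically diff granted access against current membership so that a revocation that silently failed shows up in an audit rather than in a breach notice.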

Tesco Launches First Checkout-Free Store in London

Following companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores without having to stop at the checkout line. This is done with a crazy number of cameras and sensors. My guess is that they are willing to take some losses in the short term to figure out the weak spots and how people plan to game the system, but this is surveillance to the max. It requires that you have their app, and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to body parts other than faces. But this is kind of like what Google did with Alphabet back in 2015. Facebook as a company has lots of brands and it probably doesn’t make sense any more for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. They target the outdated software and poorly configured hardware of these systems and it is a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Security News for the Week Ending August 20, 2021

Well That Seems Like a Bit Over the Top

A pharmacist in Illinois faces up to 120 years in prison for selling dozens of (I assume blank) Covid vaccine cards. The pharmacist sold 134 cards to 11 buyers for roughly $1,276. He is being charged with theft of government property. That seems like a stretch, but maybe. Mostly they want to make a point that if you want a fake vaccine card, you should create it in Photoshop yourself. Yes, it will take you a few hours, but it isn’t very hard, and it makes it harder for the feds to discover that you did it. And don’t brag about it on social media. Mind you, just because you make it yourself doesn’t mean you aren’t breaking the law. Falsely using a government seal, for example, is a crime, but it probably won’t get you 120 years, which is why they came up with this creative charge. Just doing a quick Google search, I found blank cards online, so I have no idea why anyone would buy one. Blank cards were also for sale on Amazon for a while – 10 for $12.99. Credit: Bleeping Computer

Another Day, Another Cryptocurrency Hack

Last week a hacker stole $600 million in cryptocurrency for fun … and then gave it back. This week hackers stole $97 million from the crypto exchange ‘Liquid’. This time it doesn’t appear to be a joke. The exchanges are getting better at freezing the money when this happens because they have so much experience at it. That is probably not a good thing. For the hackers, that is. Credit: Data Breach Today

Blackberry Says Older Versions of its QNX OS Are Vulnerable

Blackberry sells a real time operating system used in cars, medical equipment and other embedded equipment. This includes 175 million cars (that number doesn’t include the tens of millions of other devices which could have been bought pre-fix and are still in use in factories, warehouses and many other places). But the cars are older cars – Blackberry says that they fixed the bugs in 2012, after denying for months that the bugs existed. That probably means that products designed after 2013 or 2014 are not vulnerable, but that is a design date, not a manufacture date or a sale date. Blackberry has released patches to manufacturers, but that doesn’t mean that the patches have been installed. Credit: The Register

Ransomware 4.0? Maybe

First there was ransomware: just encrypt your files and demand money. Then ransomware 2.0: steal your data as well and demand money not to publish it. Next came ransomware 3.0. With this generation, the hackers go directly to the business’s customers (one example was a psychotherapy practice where the hackers threatened to release the therapists’ notes if the patients didn’t pay up). Now comes version 4. With V4, the hackers offer employees of the intended victim a cut of the action if they release the ransomware into their employer’s network. Wow. This is getting out of hand. Credit: Brian Krebs

Security News for the Week Ending August 13, 2021

Android Trojan Hits 140 Countries, 10,000 Victims Via Social Media Hijack

Security company Zimperium says they have found a new trojan they call Flytrap. It has been around since March and compromises the phones of users who sideload apps from third-party app stores. Once the malicious app is on the phone, it hijacks the victim’s social media account and uses that account’s credibility to lure and infect other users. Zimperium says the infected apps are still available for download on third-party app stores. Credit: ZDNet

NY Police Department Bought Surveillance Gear Out of a Secret Slush Fund

While the police might not like my term for it, the fund is secret and not subject to oversight by anyone. Since 2007, the city has spent over $150 million this way on mobile x-ray vans, Stingrays and other gear. The documents that were released were heavily redacted, although transparency groups are still trying to get more information. Last year, after heavy pressure, the city passed a law outlawing the practice, but there are still a lot of gaps in the available information. Credit: Wired

U of Kentucky Had a Bad Day

The University of Kentucky has an active security program. As part of that program they conduct periodic penetration tests. This is a good thing. What made it a bad day is that the pentesters discovered that they weren’t the first people to hack the University. In fact, in January 2021, hackers broke in and stole the entire database of over 350,000 users. How and why did they get in? Two clues. First, the university says that the platform was developed in the early 2000s, long before we were worrying much about hackers. Second, they said that after the breach they are moving the servers to the university’s centralized server environment. That likely means this system was a second-class citizen and was protected accordingly. Credit: The Record

Amazon Stepping Up Employee Surveillance Due to Fraud

Data theft, insider threats and imposters accessing customer data at Amazon has gotten so bad that Amazon is considering using keystroke monitoring software to help identify who the good guys are. Credit: Threatpost

Hospitals In Way Over Their Heads on IoT

Philips and CyberMDX released a new report on the state of IoT in hospitals. They split the survey between hospitals with more than 1,000 beds and those with fewer. A third of the respondents had fewer than 10,000 devices, almost a third had fewer than 25,000 devices and another 20% worked for hospitals with fewer than 50,000 devices. While most of the hospitals had an idea of the number of devices on their network, 15% of the mid-sized and 13% of the large hospitals did not even know how many devices were on their network. Almost half of the respondents said their staffing for IoT and medical device security was inadequate. The rest just don’t know that it is inadequate. The rest of the article is even more depressing. Credit: ZDNet