DHS Issues Warning About Cybersecurity Vulnerabilities in Wireless Infusion Pumps | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

DHS Issues Warning About Cybersecurity Vulnerabilities in Wireless Infusion Pumps

September 12, 2017
by Heather Landi
| Reprints

The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) last week issued an advisory outlining eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump.

The vulnerabilities, identified by independent researcher Scott Gayou, could be exploited remotely, according to DHS ICS-CERT. “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” the agency wrote. “Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”

Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.

According to the advisory, Smiths Medical recommends users apply the following defensive measures:

  • Assign static IP addresses to the Medfusion 4000 Wireless Syringe Infusion Pump.
  • Monitor network activity for rogue DNS and DHCP servers.
  • Ensure network segments which the Medfusion 4000 medical infusion pumps are installed are segmented from other hospital and clinical information technology infrastructure.
  • Consider network micro segmentation.
  • Consider use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
  • Apply proper password hygiene standards across systems (i.e., use uppercase, lowercase, special characters, and a minimum character length of eight).
  • Do not re-use passwords.
  • Routinely take backups and perform routine evaluations.

 

2018 Seattle Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

October 22 - 23, 2018 | Seattle


/news-item/cybersecurity/dhs-issues-warning-about-cybersecurity-vulnerabilities-wireless-infusion
/news-item/cybersecurity/phishing-attack-georgia-health-system-may-have-exposed-400k-patients-data

Phishing Attack at Georgia Health System May Have Exposed 400K Patients’ Data

August 20, 2018
by Heather Landi, Associate Editor
| Reprints
Click To View Gallery

Augusta University Health System, based in Augusta, Georgia, has reported that a phishing attack on email accounts that occurred last fall may have led to the unauthorized access of protected health information (PHI) of approximately 417,000 individuals.

In a notice posted on its website, Augusta University officials said the organization was targeted by a series of fraudulent emails on Sept. 10-11, 2017. “These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts,” officials said.

A second phishing attack occurred July 11, 2018, and appears to be smaller in scope, Augusta University President Brooks Keel, Ph.D., wrote in a separate message.

Augusta University officials said that, upon recognizing the nature of the attack, security leaders took action to stop the intrusion, including disabling the impacted email accounts, requiring password changes for the compromised accounts, and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place.

On July 31, 2018, investigators determined that email accounts accessed earlier by an unauthorized user may have given them access to the personal and PHI of approximately 417,000 individuals.

While the investigation verified that personal information was contained in compromised email accounts, no misuse of information has been reported at this time, Keel wrote in his message.

In some cases, patient information that may have been contained in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and/or insurance information.

For a small percentage, information that may have been viewed included a Social Security number and/or driver’s license number, organization officials said.

Keel also wrote that IT staff reacted quickly to contain the July 11, 2018, attack. “The number of email accounts involved in this attack is fewer than those in the September attack. The investigation into the consequences of that attack is still underway,” Keel wrote.

 In response to the incident, the organization has taken or will be promptly initiating several actions to protect against future incidents, Keel stated. Organization leadership created a new position of vice president for audit, compliance, ethics and risk management to bring “fresh leadership and direction to compliance functions.”

The organization also is implementing multifactor authentication for off-campus email and system access, reviewing and adopting solutions to limit email retention, and leadership is taking steps to implement a policy banning PHI in email communications.

In addition, Augusta University officials said the organization is employing software to screen emails for PHI or personally identifiable information (PII) to prevent them from sending, increasing employee training in preventing security breaches, and enhancing compliance-related policies and procedures.

Augusta University will offer free credit monitoring services for one year to individuals whose Social Security number was included in the compromised email accounts.

More From Healthcare Informatics

/article/cybersecurity/podcast-ahas-cybersecurity-leader-john-riggi-evolving-cyber-threats-facing

PODCAST: AHA's Cybersecurity Leader John Riggi on the Evolving Cyber Threats Facing Healthcare

August 17, 2018
by Heather Landi, Associate Editor
| Reprints
Riggi believes the cyber threats against healthcare are increasing in severity, complexity and frequency
Click To View Gallery

 

Within the healthcare industry, cyber threats are constantly evolving as the threat landscape changes, and executive leaders at patient care organizations all face the same daunting challenge of protecting information systems and patient data.

A recent report found that cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks overall are on the rise. A Protenus Breach Barometer report found that 3 million patient records were breached in the second quarter of 2018 alone. At the same time, an IBM Security study found that the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. Overall, the healthcare industry continues to incur the highest cost for data breaches compared to any other industry.

Another report based on a survey of hackers uncovered some alarming results: about a quarter of hackers surveyed say they can complete a breach of a hospital or healthcare organization under five hours.

On top of all that, recent high-profile healthcare cybersecurity incidents in the past few months serve as a stark reminder that the healthcare industry continues to be a ripe target for attacks. One cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister. The breach impacted about a quarter of Singapore’s population of 5.6 million people.

John Riggi, who serves in the newly created role of senior advisor for cybersecurity and risk with the American Hospital Association (AHA), sees the  cyber threats against healthcare increasing in severity, complexity and frequency. Prior to his role at AHA, Riggi spent nearly 30 years with the FBI, including in the cyber division.

Riggi dives into the evolving cyber threats facing the healthcare industry right now, including sophisitcated criminal organizations, nation-state actors and cryptocurrency mining malware. Case in point, the incident of cryptocurrency mining on healthcare networks and other critical infrastructure networks increased by 1,000 percent from late 2017 to the present, Riggi says. He also discusses the implications of recent high-profile cyber incidents such as the hack at SingHealth.

The podcast runs about 13 minutes in length. You can listen to all Healthcare Informatics podcasts right here.


Related Insights For: Cybersecurity

/whitepaper/who-can-healthcare-trust-when-ransomware-hits

Who Can Healthcare Trust When Ransomware Hits?

Please register to download


WannaCry and Petya caused business impact for several organizations and in both cases the damage was largely mitigated across the industry. This information is widely known.

What is not widely known is what the role of information sharing was between private industry and the public sector specifically between the NH-ISAC Threat Intelligence Committee members (TIC) and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC).

See more on Cybersecurity