
Epiphany Healthcare Blog

Security, Threats, and Bad Actors in Healthcare

Posted by Russ DeRemer on May 22, 2018 at 10:42 AM

From the desk of the President: Focus on cybersecurity 

The number of bad actors, the seriousness of the damage, and the frequency of threats continue to increase in healthcare cybersecurity. Healthcare organizations and medical devices are under attack. Managers must consider cybersecurity when maintaining and upgrading their medical devices.


Healthcare Ransomware, Data Breaches Represent Top Industry Threats, by Elizabeth Snell (reporting on the 2017 HIMSS Cybersecurity Survey)

75% of the 239 healthcare respondents said that their organization experienced a significant security incident in the past 12 months.  Nearly all of those entities (96%) were able to identify the threat actor.

37% of healthcare respondents that experienced a security incident in the past 12 months said it was due to an online scam. 20% of those surveyed attributed the attack to a negligent insider, and another 20% said a hacker caused the issue.

55% of those surveyed said their organization has a dedicated or defined amount of the budget for cybersecurity needs.

The 2017 HIMSS Cybersecurity Survey Final Report found:

•  Patient Safety is the #1 Concern
•  Data Breach is the #2 Concern
•  Spread of Malware is the #3 Concern

Epiphany Healthcare customers have often, in the past, waited to upgrade their systems until their operating system or browsers reached end of life. This strategy may have been acceptable six or seven years ago. It is not today.

Today, our software has evolved with a tremendous focus on the escalating cybersecurity threats and is much more secure than the software deployed six or seven years ago, when today's constant threat did not yet exist.

We contract with consultants to identify system vulnerabilities. Fixes for vulnerabilities that can be patched are released for the current version; vulnerabilities that cannot be patched in place are addressed in the next release. This is an ongoing process to keep up with evolving security threats.

In summary, current versions of Epiphany's Cardio Server are far more secure than versions from six years ago. Epiphany strongly recommends that every time you add a new module or feature, you include a software upgrade in your purchase. The software itself is included in your annual support agreement; you pay only for the project management and technical engineering to implement the upgrade. It is the prudent course to take in today's world.

Take a Look: Start Planning Your Upgrade

Topics: Cardio Server security, security, upgrade, cybersecurity

Epiphany's CERT Response – 8 December 2015

Posted by Jim Stanczak on December 8, 2015 at 4:42 PM

Overview

On 1 December 2015, the CERT Coordination Center (“CERT/CC”) issued Vulnerability Note VU#630239 (https://www.kb.cert.org/vuls/id/630239), “Epiphany Cardio Server version 3.3 is vulnerable to SQL and LDAP injection.”

The note described the following potential vulnerabilities in Epiphany's Cardio Server version 3.3:

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6537 “A SQL command may be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator.” and 

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CVE-2015-6538 “An LDAP query may be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice.”  

These potential vulnerabilities were uncovered by penetration testing conducted by a third-party security firm. The testing was commissioned by a hospital on its Cardio Server 3.3 system. There is no evidence that either vulnerability was exploited on any of our installed systems around the world, and there is no evidence that patient information was accessed or changed. A patch has been released for both potential vulnerabilities on affected versions.

Both vulnerabilities require that the attacker have a valid user name on the Cardio Server system. Customers with affected Cardio Server versions whose login screens are exposed directly to the Internet may have a higher risk of exposure to these vulnerabilities.

Upon further review of these potential vulnerabilities, it has been determined that:

  • The SQL Injection vulnerability only affects Cardio Server version 3.3; and
  • The LDAP Injection vulnerability only affects Cardio Server version 3.3, 4.0 and 4.1.

Patches to eliminate these vulnerabilities for Cardio Server version 3.3, 4.0 and 4.1 are available from Epiphany Healthcare.  

1st Vulnerability Scenario—SQL Injection

“A SQL command may be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator.”

Vulnerability Mitigation

  • This potential vulnerability is only present in Cardio Server version 3.3. A patch to close the vulnerability is available. 

  • The potential vulnerability is limited to affected Cardio Server systems where a login page is displayed. If your facility uses a single sign-on solution that never presents the Cardio Server login screen to the user, this vulnerability does not apply.
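The pattern behind this scenario, as an added example in Python that is not Cardio Server's code (the advisory does not show how the login page built its query): a login handler that splices URL parameters into a SQL string, beside the parameterised form that closes the hole. The `users` table, the `username` and `password` parameter names and the `admin'--` payload are constructed for the illustration. In the example the attacker needs only a valid user name, not its password, which is the precondition the advisory states.

```python
import hashlib
import sqlite3
from urllib.parse import parse_qs, urlsplit


def pw_hash(password):
    # Placeholder hash for the demo only; a real system uses a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table; NOT Cardio Server's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", pw_hash("correct horse battery"), "administrator"),
         ("clinician1", pw_hash("hunter2"), "user")])
    conn.commit()
    return conn


def parse_login_url(url):
    """Pull the assumed 'username' and 'password' query parameters out of a login URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("username", [""])[0], qs.get("password", [""])[0]


def login_vulnerable(conn, username, password):
    """String-built query: the username parameter is parsed as SQL text.
    Hashing the password does not help, because the injection point is the username."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone()      # (username, role) or None


def login_fixed(conn, username, password):
    """Parameterised query: user input is bound as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # The attacker knows a valid user name ("admin") but not its password.
    # "admin'--" closes the string literal; "--" comments out the password check.
    user, pw = parse_login_url(
        "https://cardio.example.invalid/login?username=admin%27--&password=x")
    print("vulnerable:", login_vulnerable(conn, user, pw))   # ('admin', 'administrator')
    print("fixed:     ", login_fixed(conn, user, pw))        # None
```

Run stand-alone, the vulnerable handler returns the administrator row for the injected user name and the fixed handler returns nothing. Parameterised queries are the fix; input filtering alone is not, because the database, not the application, decides which characters are special. Whether a login handler that SSO hides from users still answers direct requests is an installation-specific question the advisory does not address; check it before relying on the SSO exemption.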

2nd Vulnerability Scenario—LDAP Injection

“An LDAP query may be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice.”

Vulnerability Mitigation

  • This potential vulnerability may exist in Cardio Server versions 3.3, 4.0 and 4.1.  A patch to close the vulnerability exists for each version.

  • The potential vulnerability is limited to affected Cardio Server systems where the login page displays a domain-selection drop-down menu. 

  • If your system does not display a domain-selection drop-down menu on the login page, this vulnerability does not apply.

  • If your facility uses a single sign-on solution that never presents the Cardio Server login screen to the user, this vulnerability does not apply.
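The advisory ties this scenario to the domain-selection drop-down and describes the effect as a query sent to an attacker-chosen IP address, but does not show how the submitted domain reached the query. The added example below, in Python and not Cardio Server's code, assumes the common pattern where the submitted domain selects the directory host, and shows the fix: resolve the domain against the server-side list the drop-down was rendered from, and escape user-supplied filter values per RFC 4515. The `domain` and `username` parameter names, the domain list and the hostnames are constructed for the illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed configuration: the server-side source of the login page's
# domain-selection drop-down. Hostnames are placeholders.
CONFIGURED_DOMAINS = {
    "HOSPITAL": "ldap://dc1.hospital.example:389",
    "CLINIC": "ldap://dc1.clinic.example:389",
}


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become a backslash followed by two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_login_url(url):
    """Pull the assumed 'domain' and 'username' query parameters from a login URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("domain", [""])[0], qs.get("username", [""])[0]


def build_query_vulnerable(domain, username):
    """Trusts both parameters. The submitted domain becomes the directory host, so
    the server connects wherever the attacker points it (and offers whatever bind
    credentials it holds), and the username is pasted into the filter unescaped."""
    server = "ldap://%s:389" % domain
    filt = "(&(objectClass=user)(sAMAccountName=%s))" % username
    return server, filt


def build_query_fixed(domain, username):
    """Resolves the submitted domain against the allow-list (the same list the
    drop-down was rendered from) and escapes the username. Returns None for an
    unknown domain; the caller should then show a generic login failure."""
    server = CONFIGURED_DOMAINS.get(domain)
    if server is None:
        return None
    filt = "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(username)
    return server, filt


if __name__ == "__main__":
    # Attacker-supplied domain is an address they control (a TEST-NET-3 placeholder
    # here), and the username carries filter metacharacters.
    domain, user = parse_login_url(
        "https://cardio.example.invalid/login?domain=203.0.113.7&username=*)(objectClass=*")
    print("vulnerable:       ", build_query_vulnerable(domain, user))
    print("fixed:            ", build_query_fixed(domain, user))        # None
    print("fixed, legitimate:", build_query_fixed("HOSPITAL", user))
```

The allow-list lookup is the part that stops the query from leaving the hospital network; the escaping stops the second, quieter problem of a user name that rewrites the filter. Both are needed, and neither depends on whether a drop-down is visible: a handler that reads the parameter will accept it from a hand-built URL whether or not the page rendered the menu.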

Summary

Epiphany takes its customers’ security seriously. We apologize for any inconvenience this may have caused. We have patches available for the above-named vulnerabilities. 

We have no evidence that any patient information was accessed. 

Most Cardio Server systems reside inside our end users' firewalls, with all the appropriate firewall protections that our end users deploy. Cardio Server login screens that are directly reachable from the internet are at higher risk.

Epiphany performs thorough verification and validation on each version release. Our last Cardio Server version release included ~5,000 test steps on six browsers totaling ~30,000 completed test steps.

If you are a Cardio Server 3.X customer and your system is running on Windows Server 2003, we highly recommend that you upgrade to Cardio Server version 5.0, which supports Windows Server 2008 R2 or Windows Server 2012 R2. We believe that any Cardio Server systems running under Windows Server 2003 are subject to potential security risks associated with the EOL status of Windows Server 2003.

Action

Please contact Epiphany’s Vice President of Professional Services, Kelli Sudduth, with any questions you may have, including requesting patches for your Cardio Server. Kelli’s number is: (919) 354-5050 or kellisudduth@epiphanyhd.com.

Topics: Epiphany, Cardio Server security, security, cert

Epiphany's Cardio Server Not Directly Affected by "Heartbleed Bug"

Posted by Allison Fawber on April 15, 2014 at 10:13 AM
A security issue called the "Heartbleed Bug" affected many internet services last week. It was announced on 7 April that a vulnerability in OpenSSL, a widely used cryptography library, could allow attackers to read portions of a TLS server's process memory, up to 64 KB per request.

Our team has reviewed our exposure, and our installations of Cardio Server are NOT directly susceptible to this vulnerability. Cardio Server runs on Microsoft's IIS, which terminates TLS with Microsoft's SChannel library rather than OpenSSL, and SChannel does not implement the TLS heartbeat extension in which the bug lives. Therefore, Cardio Server is not directly threatened by the vulnerability.

However, there may be vulnerable machines in the path leading to Cardio Server, for example a load balancer, reverse proxy or VPN gateway that terminates TLS with OpenSSL. Epiphany is available to work with you to ensure that your PHI is protected and to help solve any other issues outside Cardio Server that may affect our system.
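A triage check for those machines in the path, as an added example that is not part of the original post: Heartbleed rides on the TLS heartbeat extension (RFC 6520, extension id 15), so a server whose hello does not advertise that extension cannot answer a malformed heartbeat at all, while a server that does advertise it needs a closer look. The Python below parses the extension list that `openssl s_client -tlsextdebug` prints, and can run the handshake itself when the `openssl` command line tool is on PATH (an assumption). It sends no heartbeat message. The two sample outputs are constructed, not captures from real hosts.

```python
import re
import subprocess

# Line that 'openssl s_client -tlsextdebug' prints for each server extension.
HEARTBEAT_RE = re.compile(r'^TLS server extension "heartbeat" \(id=15\)', re.MULTILINE)


def heartbeat_advertised(s_client_output):
    """True if the server hello listed the TLS heartbeat extension (RFC 6520, id 15)."""
    return HEARTBEAT_RE.search(s_client_output) is not None


def probe(host, port=443, timeout=15):
    """Perform a normal handshake against host:port and report whether heartbeat
    was advertised. Assumes the openssl CLI is on PATH; sends no heartbeat message."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-tlsextdebug"],
        input=b"", capture_output=True, timeout=timeout)
    return heartbeat_advertised(proc.stdout.decode("utf-8", "replace"))


# Constructed sample of s_client output from an OpenSSL-based TLS terminator
# that advertises heartbeat (a candidate for closer inspection).
SAMPLE_OPENSSL_WITH_HEARTBEAT = """CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
depth=0 CN = vpn.example.invalid
"""

# Constructed sample from an SChannel-style server: no heartbeat extension.
SAMPLE_SCHANNEL = """CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
depth=0 CN = cardio.example.invalid
"""


if __name__ == "__main__":
    import sys
    for label, sample in (("openssl-style", SAMPLE_OPENSSL_WITH_HEARTBEAT),
                          ("schannel-style", SAMPLE_SCHANNEL)):
        print(label, "advertises heartbeat:", heartbeat_advertised(sample))
    if len(sys.argv) > 1:                       # python heartbeat_check.py host[:port]
        host, _, port = sys.argv[1].partition(":")
        print(host, "advertises heartbeat:", probe(host, int(port or 443)))
```

Read the result in one direction only: no heartbeat extension means the Heartbleed request cannot be answered, but an advertised extension does not by itself mean the host is vulnerable, since a patched OpenSSL (1.0.1g and later) still advertises heartbeat and simply bounds-checks the payload. Confirm the OpenSSL version on any host that advertises it before deciding.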
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://heartbleed.com/
https://www.openssl.org/news/secadv_20140407.txt
http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

Topics: heartbleed bug, SSL, OpenSSL, Cardio Server security
