
FTC: Health App and Device Makers Should Comply With Health Breach Notification Rule


On 15 September the Federal Trade Commission approved a policy statement reminding makers of health applications and connected devices that gather health-related data to follow a ten-year-old data breach notification rule. The statement is part of the agency's push toward more robust technology enforcement under Chair Lina Khan, who hinted that more scrutiny of the data ecosystems around such apps and devices could be on the way. 

In written remarks, Chair Lina Khan stated, "The Commission will enforce this Rule with vigour." According to the FTC, the rule applies to a range of vendors, as well as their third-party service providers, that are not covered by the HIPAA breach notification rule but are held liable when clients' sensitive health data is breached. 

The FTC created the Health Breach Notification Rule after the American Recovery and Reinvestment Act of 2009 charged it with studying and establishing strategies to protect health information. 

The rule requires suppliers of personal health records and PHR-related companies to notify U.S. consumers and the FTC when unsecured identifiable health information is breached, or risk civil penalties, according to the FTC. "In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information," the FTC says. 

Since the rule's inception, there has been a proliferation of apps for tracking anything from fertility and menstruation to mental health, as well as linked gadgets that collect health-related data, such as fitness trackers. 

The FTC's warning comes after the agency and fertility mobile app maker Flo Health reached an agreement in June over data-sharing privacy concerns. According to the FTC, the start-up company misled millions of women about how it shared their sensitive health data with third-party analytics firms like Facebook and Google, in violation of the FTC Act. 

According to privacy attorney Kirk Nahra of the law firm WilmerHale, the FTC's actions on the Health Breach Notification Rule "are an interesting endeavour to widen how that rule has been understood since it was implemented."

"It is focusing attention on a much larger group of health-related companies, and changing how the FTC has looked at that rule and how the industry has perceived it. I expect meaningful challenges to this 'clarification' if it is put into play," he notes. 

Failure to comply might result in "monetary penalties of up to $43,792 per violation per day," according to the new policy statement.

15 Philips Vue Vulnerabilities Could Result in Full Takeover of the Devices


CISA has released an advisory about several vulnerabilities found in Philips Vue PACS health devices. If exploited by an attacker, the 15 vulnerabilities found in the Philips Clinical Collaboration Platform Portal could lead to remote code execution. 

The danger that these vulnerabilities pose, according to CISA (the United States Cybersecurity and Infrastructure Security Agency), is as follows: 

Successful exploitation of these vulnerabilities could allow an unauthorized person or process to listen in on conversations, view or alter data, gain system access, execute code, install unauthorized software, or compromise system data integrity, all of which could compromise the system's confidentiality, integrity, or availability. 

The vulnerabilities demand immediate attention and patching, since four of the fifteen have a CVSS (Common Vulnerability Scoring System) rating of 9.8. 

The advisory on the CISA website characterizes the discovered vulnerabilities as follows: 

#1 CVE-2020-1938: a flaw with a CVSS score of 9.8, caused by improper validation of received data. 

#2 CVE-2018-12326 and CVE-2018-11218: the software operates on a memory buffer but can read from or write to a memory location outside the intended boundary of that buffer. Both flaws lie in the Redis component. 

#3 CVE-2020-4670: scored 9.8 on CVSS, it is caused by improper authentication: the Redis software does not adequately verify that an identity claim presented by a threat actor is valid. 

#4 CVE-2018-8014: the software ships with an insecure default configuration that administrators are expected to change. 

#5 CVE-2021-33020: the product continues to use passwords and cryptographic keys past their expiration, which widens the timing window for attacks against them. 

#6 CVE-2018-10115: found in the third-party component 7-Zip; a resource is not correctly initialized, leaving it in an unexpected state. 

#7 CVE-2021-27501: the software does not follow certain development coding rules. 

#8 CVE-2021-33018: use of a broken or risky cryptographic algorithm, which may expose data. 

#9 CVE-2021-27497: the product does not properly use a protection mechanism. 

#10 CVE-2012-1708: found in the third-party Oracle Database component and related to data integrity. 

#11 CVE-2015-9251: user-controllable input is not correctly neutralized before it is placed in output. 

#12 CVE-2021-27493: the software does not ensure that structured messages or data are well formed before they are processed. 

#13 CVE-2019-9636: the software does not properly handle Unicode encoding in its input. 

#14 CVE-2021-33024: authentication credentials are protected by an insecure method. 

#15 CVE-2021-33022: sensitive data is transmitted over a communication channel that can be sniffed. 

According to reports, the affected products are Vue Speech (version 12.2 and earlier), Vue Motion, Philips Vue PACS and MyVue. Some of them have been fixed, while others will not receive security updates until 2022.

Safety measures: 

A reasonable strategy, according to SCMagazine, is to limit the devices' network connections. Administrators should keep control over remote devices and control-system networks: these must be separated from the company's business network and placed behind firewalls. 

If devices affected by the Philips Vue vulnerabilities must be used remotely, this should only be done over a secure connection, such as an up-to-date VPN.
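As an added illustration of the segmentation advice above (this ruleset is not from the advisory, from SCMagazine or from Philips), the following nftables configuration puts a PACS segment behind a default-deny forwarding policy so that only a designated clinical workstation VLAN can reach it, and the general corporate LAN cannot. Every address range, interface and port in it is an assumed placeholder to be replaced with the values of the actual deployment.

```nftables
# Added example: segmenting a PACS network behind a Linux firewall with nftables.
# All prefixes and ports below are assumed placeholders, not values from the advisory.
define corp_lan   = 10.10.0.0/16   # general staff / business network (assumed)
define clin_ws    = 10.20.0.0/24   # radiology workstations that legitimately use the PACS (assumed)
define pacs_net   = 10.30.0.0/24   # isolated segment holding the Vue PACS servers (assumed)
define pacs_ports = { 443 }        # application ports the workstations need; adjust per deployment (assumed)

table inet pacs_segmentation {
    chain forward {
        # Default deny: traffic between segments is dropped unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Allow replies to sessions that were permitted on the way in; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # Only the clinical workstation VLAN may open sessions to the PACS segment,
        # and only on the application ports it actually needs.
        ip saddr $clin_ws ip daddr $pacs_net tcp dport $pacs_ports accept

        # The general corporate LAN never reaches the PACS segment directly. Remote
        # maintenance enters through the VPN concentrator and is subject to its own rules.
        ip saddr $corp_lan ip daddr $pacs_net counter drop

        # The PACS segment may not initiate connections into the corporate LAN either,
        # which limits lateral movement if a PACS host is compromised.
        ip saddr $pacs_net ip daddr $corp_lan counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `counter` statements on the drop rules make it easy to see, over time, which segment is generating unexpected attempts to reach the PACS hosts, which is a useful detection signal in its own right.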