
Swatting: Cyber Attacks on Healthcare

In a concerning trend, cybercriminals are using a tactic called "swatting" to target medical institutions via their patients, aiming to coerce hospitals into paying ransoms. Swatting involves making repeated false reports to the police about individuals, leading armed authorities to unsuspecting victims' homes. 

What's Happening

Threat actors are pressuring US hospitals by threatening patients with swatting incidents unless a ransom is paid. This extreme form of prank-calling has escalated to involve bomb threats and other serious allegations, forcing authorities to intervene in patients' homes.

The Motive 

The attackers believe that by applying this pressure on hospitals, they can secure a ransom payment. A recent incident at the Fred Hutchinson Cancer Center in Seattle involved stolen medical records, and the threat actors escalated by targeting patients with the swatting technique. 

The Impact

This disturbing tactic not only puts patients at risk but also adds an extra layer of urgency for hospitals to meet ransom demands. It highlights the high-stakes nature of cyber threats against medical institutions. 

When faced with cybercriminals making swatting threats, Fred Hutchinson Cancer Center took immediate action. They alerted the FBI and local police, who collaborated on investigating these threats as part of the broader cybersecurity incident. This highlights the seriousness of the situation and the coordinated effort to address the issue. 

In a parallel incident, Integris Health in Oklahoma encountered a cyber-attack that potentially exposed patients' personal data. Shockingly, some individuals received emails from threat actors, signalling an intention to sell their information if specific demands were not met. This underscores the direct impact on individuals and the concerning methods employed by cybercriminals. 

Recent events highlight the shifting nature of cyber threats targeting healthcare. Experts have noticed a change in tactics, with criminals becoming more extreme. It's important to note that how institutions deal with these tactics can differ widely. Stay aware, as the situation keeps evolving. 

Healthcare Cybersecurity: What You Need to Know

In the latest updates on cybersecurity in healthcare, a lot is happening that affects us all. Not only are there weird swatting and ransom tactics, but now there's a new worry – sneaky phishing attacks targeting our hospitals. Cybercriminals are using trickier methods to get their hands on private patient info. This means it's super important for hospitals to step up their online security game. 

Understanding these tactics is crucial for both hospitals and the public. Cybersecurity in healthcare affects individuals directly, putting personal information at risk. Staying informed empowers us to collectively contribute to the protection of healthcare systems and personal data.



Telehealth Companies Monetizing and Sharing Health Data

These reports come despite company promises to prospective patients that their user data, including information about mental health and addiction treatment, will remain confidential. 

Senators Amy Klobuchar, Susan Collins, Maria Cantwell, and Cynthia Lummis expressed their concern over the protection of patients' sensitive health information by well-known telehealth companies. 

They referenced an investigation by STAT and The Markup that uncovered the deliberate sharing of patient data by telehealth companies with tech giants such as Meta, Facebook, Google, TikTok, Microsoft and Twitter, and other advertising platforms. 

It has been reported that these digital health companies are monitoring and distributing the personally identifiable health information of their clients, including their contact information, financial details, and more. 

“Telehealth…has become a popular and effective way for many Americans to receive care. One-fifth of the U.S. population resides in rural or medically-underserved communities where access to virtual care is vital. This access should not come at the cost of exposing personal and identifiable information to the world’s largest advertising ecosystems,” the senators added. 

Senators Amy Klobuchar (D-Minn.), Susan Collins (R-Maine), Maria Cantwell (D-Wash.), and Cynthia Lummis (R-Wyo.) recently sent letters to telehealth companies Monument, Workit Health, and Cerebral, inquiring about their data sharing practices. 

“Recent reports highlight how your company shares users’ contact information and health care data that should be confidential. This information is reportedly sent to advertising platforms, along with the information needed to identify users. This data is extremely personal, and it can be used to target advertisements for services that may be unnecessary or potentially harmful physically, psychologically, or emotionally,” the letter reads.

Telehealth involves the provision of healthcare services and information through the use of electronic communication and information technologies. It enables remote patient-provider communication to provide services including consultation, education, monitoring, intervention, and even admission for treatment, overcoming the barriers of distance.

XSS Bugs in Canon's Vitrea View Tool Can Expose Patient Data


XSS Bugs in Canon's Vitrea View

In a penetration test, Trustwave SpiderLabs' experts found two reflected cross-site scripting (XSS) flaws, tracked together as CVE-2022-3746, in third-party software for Canon Medical's Vitrea View. Vitrea View lets users view and securely share medical images via the DICOM standard. 

"Canon Medical released a patch for these issues in version 7.7.6. We recommend all customers on version 7.x to update to the latest release. We always appreciate vendors like Canon Medical that approach the disclosure process with transparency and in the interest of the security of their products and users."

A threat actor can trigger the bugs to access or change patient details (i.e. stored scans and images) and gain additional access to some Vitrea View features. 

The first problem is an unauthenticated reflected XSS in an error message at /vitrea-view/error/, which reflects all input following the /error/ subdirectory back to the user, with minor limitations. 

How does the bug work?

The researchers observed that space characters and single and double quotes alter the reflection. Base64 encoding and backticks (`) can be used to work around these restrictions and to load remote scripts. 

The second problem is a second reflected XSS, this time within the Vitrea View administrative panel. A threat actor can reach the panel by luring a victim into clicking a specially crafted link. 

The researchers found that the 'limit', 'offset', and 'group' search parameters on the 'Group and Users' page of the admin panel all reflect their input back to the user when text is entered instead of the expected numeric values. 

The report says:

"Like the previous finding, the reflected input is slightly restricted, as it does not allow spaces. Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript, and Groovy scripts used by the Vitrea View application."

The researchers also wrote a proof-of-concept for both these vulnerabilities. Canon Medical handled these two vulnerabilities by releasing Vitrea View version 7.7.6.
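The two reflection points described above (the /vitrea-view/error/ path reflection and the numeric 'limit'/'offset'/'group' parameters) map to two standard fixes: output encoding and allow-list input validation. The following is an added illustration written for this post, not Canon Medical's or Trustwave's code; the rendering functions, the log-line format and the assumption that 'group' is numeric are all constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of the two reflection points described in the post; this is
# illustrative code, not Canon Medical's Vitrea View implementation.

ERROR_PREFIX = "/vitrea-view/error/"

def render_error_vulnerable(path: str) -> str:
    """The bug pattern: text after /error/ is written into the page as-is."""
    suffix = path[len(ERROR_PREFIX):]
    return f"<p>Error: {suffix}</p>"

def render_error_fixed(path: str) -> str:
    """Hardened: decode once, then HTML-escape so '<', '>', quotes and '&'
    cannot start markup. A backtick is harmless once it lands in text."""
    suffix = html.escape(unquote(path[len(ERROR_PREFIX):]), quote=True)
    return f"<p>Error: {suffix}</p>"

_DIGITS = re.compile(r"[0-9]{1,7}")

def paging_param(raw, default: int, maximum: int) -> int:
    """Allow-list for 'limit'/'offset'/'group' (assumed numeric): only a short
    run of digits is accepted; anything else falls back to the default, so
    free text never reaches the page."""
    if raw is None or not _DIGITS.fullmatch(raw):
        return default
    return min(int(raw), maximum)

def render_group_page_fixed(query: dict) -> str:
    """Admin 'Group and Users' page with validated paging values only."""
    limit = paging_param(query.get("limit"), 25, 500)
    offset = paging_param(query.get("offset"), 0, 10**6)
    group = paging_param(query.get("group"), 0, 10**6)
    return f"<p>group {group}: showing {limit} rows from {offset}</p>"

_MARKUP = re.compile(r"[<>`&]")

def suspicious_error_request(log_line: str) -> bool:
    """Detection over a (constructed-format) access-log line: flag requests to
    /vitrea-view/error/ whose decoded suffix carries markup characters, which
    a legitimate error page never needs."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m or not m.group(1).startswith(ERROR_PREFIX):
        return False
    return bool(_MARKUP.search(unquote(m.group(1)[len(ERROR_PREFIX):])))
```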