Application programming interfaces (APIs) will increasingly be exploited by hackers to gain access to healthcare organizations and carry out a healthcare data breach or other type of cyberattack, according to the June 2018 HIMSS Healthcare and Cross-sector Cybersecurity Report.
Common API attack vectors include man-in-the-middle attacks, session cookie tampering, and distributed denial of service attacks, the report noted.
Recognizing the security risk that insecure APIs could pose for healthcare, the American Hospital Association (AHA) recently recommended that stakeholders in the mobile healthcare environment develop a secure app ecosystem for sharing health data.
“To ensure a robust, secure set of tools for individuals to engage with hospitals and health systems via apps, stakeholders will need to work together to build an app ecosystem that is based on a rigorous and continuous vetting process that takes into account evolving risks. This could be done in the public sector, through certification, or through a public-private partnership,” AHA said.
AHA also called on the US federal government to develop a consumer education program to make it clear that commercial providers of health apps may not be subject to the HIPAA Privacy Rule.
“Commercial app companies generally are not HIPAA-covered entities. Therefore, when information flows from a hospital’s information system to an app, it likely no longer will be protected by HIPAA,” said AHA.
“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” the association noted.
The June HIMSS report also noted that ICS-CERT recently issued an advisory on a hard-coded password vulnerability and other vulnerabilities in the Medtronic MyCareLink handheld patient monitor used by patients with an implantable heart device.
The cybersecurity vulnerabilities could allow an attacker to gain access to the operating system and product development code and to read and write arbitrary memory values on the device, the advisory noted.
The MyCareLink monitor, which lets patients transmit device data to clinicians over the Medtronic CareLink network using a cellular connection, contains debug code used to test the functioning of the monitor’s communication interfaces.
Hard-coded passwords pose a risk to many medical devices. ICS-CERT recently flagged Philips for a hard-coded password vulnerability in its Brilliance CT scanners. The vulnerability could be exploited by an attacker to steal PHI and other sensitive data files.
The device software contains hard-coded credentials, such as a password or cryptographic key, which it uses for inbound authentication, outbound communication, and/or encryption of internal data. Because hard-coded credentials are easy to guess, an attacker could compromise the credentials and gain access to the system, the advisory warned.
Siemens recently warned about a hard-coded password vulnerability in its RAPID blood-gas analyzers. The vulnerability affects the RAPIDLab 12 system, a cartridge-based blood-gas, electrolyte, and metabolite analyzer designed for use in medium- to high-volume clinical laboratories, and the RAPIDPoint 400/405/500 systems, a cartridge-based blood-gas, electrolyte, and metabolite analyzer designed for use in point-of-care environments.
The use of hard-coded passwords significantly increases the risk that attackers can guess the password.
“On many systems, a default administration account exists which is set to a simple default password which is hard-coded into the program or device,” explained the Open Web Application Security Project (OWASP) on its website.
“This hard-coded password is the same for each device or system of this type and often is not changed or disabled by end users. If a malicious user comes across a device of this kind, it is a simple matter of looking up the default password (which is freely available and public on the internet) and logging in with complete access,” the group explained.
“In systems which authenticate with a back-end service, hard-coded passwords within closed source or drop-in solution systems require that the back-end service use a password which can be easily discovered. Client-side systems with hard-coded passwords propose even more of a threat, since the extraction of a password from a binary is exceedingly simple,” it concluded.
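The weakness the advisories describe, a single factory credential baked into every unit, is shown here beside the per-device alternative and a pre-release check for credential-like literals. This is an added example for illustration only, not code from HIMSS, OWASP or any of the vendors named above; the password, config fragment and variable names are constructed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# --- Weak pattern: one password compiled into the firmware, identical on every unit ---
HARDCODED_ADMIN_PASSWORD = "service123"  # constructed placeholder, not a real vendor value

def weak_check(password: str) -> bool:
    """Anyone who extracts this literal from the binary can log in to every device of the type."""
    return password == HARDCODED_ADMIN_PASSWORD

# --- Hardened pattern: per-device credential provisioned at manufacture, stored only as a hash ---
@dataclass
class DeviceCredential:
    salt: bytes
    digest: bytes
    iterations: int = 200_000

def provision(password: str) -> DeviceCredential:
    """Each unit gets its own random salt (and its own password); the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return DeviceCredential(salt, digest)

def verify(cred: DeviceCredential, password: str) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)

# --- Defender's check: flag string literals assigned to credential-like names before release ---
CRED_PATTERN = re.compile(r'(?i)(\w*(?:password|passwd|pwd|secret|api_key)\w*)\s*[:=]\s*["\']([^"\']+)["\']')

def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, variable_name) for each credential-like name given a literal value."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = CRED_PATTERN.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits

# Constructed sample firmware configuration fragment used as input to the check
SAMPLE_CONFIG = '''
device_name = "monitor-01"
admin_password = "service123"
telemetry_url = "https://example.invalid/upload"
api_key = 'abc-placeholder'
'''
```

Run `find_hardcoded_credentials(SAMPLE_CONFIG)` in a build step and fail the release when it returns any hits; `verify` shows what the authentication path should look like once credentials are provisioned per device.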