Security News
More than 100 medical devices made by GE Healthcare are affected by a potentially serious vulnerability that could allow an attacker to access or modify protected health information, medical cybersecurity company CyberMDX reported on Tuesday. The vulnerability, which is tracked as CVE-2020-25179 with a critical severity rating, has been found to impact CT scan, molecular imaging, PET, X-Ray, ultrasound and mammography devices, as well as workstations and imaging devices used in surgery.
A vulnerability in GE Healthcare's proprietary management software used for medical imaging devices could put patients' health privacy at risk. GE's closed source management software runs on top of the Unix-based operating system installed on medical imaging systems to enable remote maintenance and update procedures.
Complementing our focus is a Threatpost eBook, Healthcare Security Woes Balloon in a Covid-Era World, that neatly packages our complete in-depth report on the topic. Threatpost's eBook examines these inherent security challenges, as well as how COVID-19 has drastically reshaped the healthcare space over the past year when it comes to security risk.
The pandemic's unprecedented impact on healthcare laid bare the gaping holes in the healthcare industry's cybersecurity defenses. Woods, who has worked for the past 10 years with small hospitals, healthcare focused nonprofits and government entities, added, "If technology goes offline, doctors and nurse practitioners can no longer give the quality of care that they were able to, or to as many people. Right now, with COVID-19, there's a dramatic rise in the attack surface and the number and types of systems that are being used," he said.
2021 is likely to see more of the same with a variety of threats and vulnerabilities affecting the healthcare industry. In a report released on Wednesday, security firm Kaspersky offers six predictions that will impact healthcare providers next year.
There are, of course, other factors that play a role in the attackers' preference for healthcare-related targets: the talent shortage for cybersecurity experts with healthcare expertise, the fact that most healthcare employees still don't make cybersecurity a priority, the fact that many of the devices and technologies they use run on antiquated operating systems - to name just a few. There might come a time when cybersecurity becomes a part of medical curriculums - in the meantime healthcare organizations can significantly lower the number of successful attacks with the proper defenses and training, DiMaggio notes.
Intellectual property theft will join ransomware, cloud-stored patient data theft and advanced phishing efforts as the main hallmarks of medical-related healthcare cyberattacks for the new year. These cyberattacks will have ramifications for geopolitics: "Attribution of attacks entailing serious consequences or aimed at the latest medical developments is sure to be cited as an argument in diplomatic disputes."
CyberMDX announced a partnership with Philips to integrate CyberMDX's Healthcare Security Suite into the newly introduced integrated Cybersecurity Services offered by Philips. Created as a platform for partnership with healthcare customers, the Philips Cybersecurity Services help define and implement strategic and tactical software and device protection.
U.S. healthcare provider AspenPointe notified patients of a data breach stemming from a September 2020 cyberattack that enabled attackers to steal protected health information and personally identifiable information. AspenPointe is a nonprofit funded by Medicaid, state, federal, and local government contracts, as well as donations, that manages 12 organizations serving over 50,000 individuals and families every.
With healthcare, in particular, I think that we've seen, you know, obviously, like policy in terms of like cybersecurity policy, IT procurement policy, kind of go to the wayside in order to bolster patient health, patient care and a pandemic. You know, not only are we saying, in healthcare an external attack surface, but absolutely, an internal attack surface increase as well.