<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.careersinfosecurity.com/email-breach-at-oxygen-equipment-maker-affects-30000-a-10804">https://www.careersinfosecurity.com/email-breach-at-oxygen-equipment-maker-affects-30000-a-10804</a></div><div dir="ltr"><br></div><div dir="ltr"><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Unauthorized access to an employee's email account has resulted in a breach affecting 30,000 current and former rental customers of Inogen, a maker and supplier of oxygen equipment, the publicly traded company has disclosed in a filing with the Securities and Exchange Commission.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><b style="box-sizing:border-box;font-weight:bold">See Also:</b><span> </span><a href="https://www.careersinfosecurity.com/webinars/how-to-scale-your-vendor-risk-management-program-w-1326?rf=promotional_webinar" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">How to Scale Your Vendor Risk Management Program</a></p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In addition to customers' personal information, Inogen says the breach may have exposed nonpublic financial information of the Goleta, Calif.-based company.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Inogen's<span> </span><a href="https://www.sec.gov/Archives/edgar/data/1294133/000156459018008092/ingn-8k_20180413.htm" target="_blank" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">8-K filing</a><span> </span>with the SEC on April 13 says that the unauthorized access from outside the company to an employee's emails and attached files appears to have occurred between Jan. 2 and March 14, 2018.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Some of the messages and file attachments may have contained personal information of Inogen equipment rental customers, including name, address, telephone number, email address, date of birth, date of death, Medicare identification number, insurance policy information and type of medical equipment provided.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Inogen is notifying affected individuals and offering them free credit monitoring and an insurance reimbursement policy, the company notes in its filing.</p><h3 style="box-sizing:border-box;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1;color:rgb(51,51,51);margin-top:22px;margin-bottom:11px;font-size:24px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Breach Notification</h3><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Ali Bauerlein, Inogen's CFO, tells Information Security Media Group that the company is reporting the incident to the U.S. Department of Health and Human Services as a health data breach under<span> </span><a href="http://www.healthcareinfosecurity.com/hipaa-hitech-c-282" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">HIPAA</a>, and it's also notifying state attorneys generals.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The<span> </span><a href="http://www.healthcareinfosecurity.com/breach-response-c-324" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">breach</a><span> </span>was detected on March 14, she says.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">A forensics investigation so far has determined that the attacker gained access to the employee's email through compromising the worker's credentials, Bauerlein says. The IP address of the intruder was based in another country, she says, declining to identify the nation. The company has not yet determined what kind of attack was involved - "whether phishing, man-in-the-middle or something else," she says.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Privacy and security attorney Laura Hammargren of the law firm Mayer Brown, who is not involved in the Inogen case, notes: "What is interesting to me about the breach is that Inogen made this an SEC filing; it begs the question of whether the SEC's recent guidance will prompt more regular disclosure of data incidents."</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The SEC says its<span> </span><a href="https://www.databreachtoday.com/sec-releases-updated-cybersecurity-guidance-a-10678" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">revised cybersecurity guidance</a><span> </span>issued in February is aimed at assisting publicly traded companies in preparing disclosures about cybersecurity risks and incidents.</p><h3 style="box-sizing:border-box;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1;color:rgb(51,51,51);margin-top:22px;margin-bottom:11px;font-size:24px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Taking Action</h3><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Inogen notes in the SEC filing that it has hired a forensics firm to investigate the incident and to help bolster security of its systems. The company is requiring all email users to change their passwords.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The company has also implemented multifactor<span> </span><a href="http://www.healthcareinfosecurity.com/authentication-c-206" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">authentication</a><span> </span>for remote email access and has taken additional steps to further limit access to its systems and other preventive measures, including enhanced<span> </span><a href="http://www.healthcareinfosecurity.com/awareness-training-c-27" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">training</a><span> </span>and use of electronic tools, the filing notes.</p><h3 style="box-sizing:border-box;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1;color:rgb(51,51,51);margin-top:22px;margin-bottom:11px;font-size:24px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Insurance Coverage</h3><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Inogen has insurance coverage in place for certain potential liabilities and costs relating to the incident, but this insurance may not be adequate to protect against all costs, the company notes in the filing. Bauerein says Inogen has not yet determined the potential costs of the breach.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Litigation attorney<span> </span><a href="https://www.healthcareinfosecurity.com/interviews/what-comes-next-in-carefirst-data-breach-case-i-3894" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">Patricia "Trish" Carreiro</a><span> </span>of the law firm Axinn, Veltrop & Harkrider who is not involved with the case, says the Inogen breach illustrates that insurance for cyber incidents and breaches differs from most other kinds of insurance.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">"Part of what makes cyber insurance so unique is that there is no uniform 'basic' cyber insurance policy," she says. "Every policy's language is different, and they usually include options for many different coverages. What coverage a client needs depends on what their risks are and what other tools they have in place to protect themselves from those risks. Some of the most important coverage to have is for the costs of your forensic investigation - this is a common coverage."</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Other useful coverage, she says, includes business interruption, data breach notification expenses, attorney's fees, public relations professional fees, call center expenses and credit monitoring or identity theft insurance for impacted individuals.</p><h3 style="box-sizing:border-box;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1;color:rgb(51,51,51);margin-top:22px;margin-bottom:11px;font-size:24px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Other Incidents</h3><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Other medical equipment makers and suppliers should take notice of the Inogen incident, Carreiro says.</p><blockquote style="box-sizing:border-box;padding:11px 22px;margin:0px 0px 22px;font-size:22px;border-left:5px solid rgb(238,238,238);color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">"The Inogen data breach is a reminder to makers and suppliers of medical technology and devices that they are not exempt from the threat of data breaches."</blockquote><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">"It's easy to think data breaches are other companies' problems," she says. "The Inogen data breach is a reminder to makers and suppliers of medical technology and devices that they are not exempt from the threat of data breaches. Payment card information or medical records aren't the only things whose exposure counts as a data breach."</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In fact, the Inogen data security incident is not the first breach involving a supplier of oxygen medical equipment.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Last June,<span> </span><a href="https://www.healthcareinfosecurity.com/ransomware-attack-affects-500000-patients-a-10057" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">Airway Oxygen</a>, based in Grand Rapids, Mich., reported to HHS a hacking incident potentially impacting 500,000 current and past customers. In that incident, the company said its anti-virus software alerted IT staff that a<span> </span><a href="https://ransomware.databreachtoday.com/" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">ransomware</a><span> </span>attack was in progress against its systems.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">The Airway Oxygen incident was the second largest health data breach reported to federal regulators in 2017, according to the HHS HIPAA Breach Reporting Tool website. Also commonly called the<span> </span><a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf" target="_blank" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">"wall of shame,"</a><span> </span>the website lists reports of breaches impacting 500 or more individuals.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In addition, at least one medical technology firm has entered a HIPAA settlement with HHS's Office for Civil Rights as the result of a breach investigation.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Last April, OCR smacked<span> </span><a href="https://www.healthcareinfosecurity.com/hhs-smacks-heart-monitoring-firm-25-million-settlement-a-9863" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">CardioNet</a>, a Malvern, Pa.-based mobile heart-monitoring technology firm, with a $2.5 million HIPAA settlement related to findings from an investigation into a 2012 breach involving a stolen<span> </span><a href="http://www.healthcareinfosecurity.com/encryption-c-209" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">unencrypted</a><span> </span>laptop computer. The hefty fine reflects regulators also finding that the organization lacked a sufficient risk analysis and risk mitigation.</p><h3 style="box-sizing:border-box;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1;color:rgb(51,51,51);margin-top:22px;margin-bottom:11px;font-size:24px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Medical Device Risks</h3><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">While the Inogen breach does not appear to involve the company's medical equipment products, experts note that<span> </span><a href="http://www.healthcareinfosecurity.com/mobility-c-212" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">medical devices</a><span> </span>are increasingly at risk for cyberattack.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">For instance, in August 2015, the Food and Drug Administration for the first time, issued a warning urging healthcare organizations to discontinue the use of a family of infusion pumps from manufacturer<span> </span><a href="https://www.healthcareinfosecurity.com/fda-discontinue-use-flawed-infusion-pumps-a-8449" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none">Hospira</a><span> </span>due to cybersecurity vulnerabilities that potentially allow unauthorized users to control the device and change the dosage the pump delivers to patients.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">More recently, in March, the Department of Homeland Security issued a warning of vulnerabilities involving hardcoded and default credentials in certain medical imaging product lines from GE Healthcare, which may allow a remote attacker to bypass authentication and gain access to the affected devices (see<span> </span><a href="https://www.healthcareinfosecurity.com/dhs-some-ge-imaging-devices-are-vulnerable-a-10727" style="box-sizing:border-box;background-color:transparent;color:rgb(70,147,217);text-decoration:none"><i style="box-sizing:border-box">DHS: Some GE Imaging Devices Are Vulnerable</i></a>).</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Healthcare entities and manufacturers must consider the cybersecurity risks to devices, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.</p><p style="box-sizing:border-box;margin:0px 0px 18px;font-weight:100;color:rgb(51,51,51);font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:18px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">"It's crucial that medical device manufacturers and healthcare facilities should take steps to assess for information security threats and vulnerabilities associated with their medical devices," he says. "This vulnerability increases as medical devices are increasingly connected to the internet, hospital networks and to other medical devices."</p><br><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>