Cybersecurity briefs: Olympus IT outage, FHIR vulnerabilities and more

New research suggests vulnerabilities in healthcare's API "last mile," while another report assesses the cost of unsecured devices.
By Kat Jercich
03:25 PM

The medical technology vendor Olympus announced on Tuesday that it was investigating a potential cybersecurity incident affecting IT systems in the Americas, including the United States, Canada and Latin America.  

As part of the incident, Olympus said it suspended the affected systems and informed relevant external partners.  

It did not share any details about whether data had been compromised or about the specific nature of the attack.  

"We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way," said the company in a statement.  

"Protecting our customers and partners and maintaining their trust in us is our highest priority," it added.  

Healthcare's 'last mile' open to attack  

Approov, which provides API threat protection, released a report Wednesday from cybersecurity researcher Alissa Knight on the security vulnerabilities of the Fast Healthcare Interoperability Resources (FHIR) APIs studied and the mobile apps that access them.  

Knight's research found that healthcare FHIR APIs are subject to abuse by automated scripts and compromised apps.  

The report examined three production FHIR APIs, serving an ecosystem of 48 apps and APIs and covering aggregated electronic health record data from 25,000 providers and payers.   

All of the FHIR APIs tested allowed API access to other patients' health data using one patient's credentials, and none of the mobile apps tested prevented person-in-the-middle attacks.  

This could enable hackers to harvest credentials and access confidential patient data, said Approov researchers.  

Knight recommended secure authorization, blocking noncompliant apps' access to sensitive data and enforcing a chain of custody through legal and financial accountability.  

"It is alarming how sensitive patient data moves from higher security levels to third-party aggregators where security has been found to be flagrantly lacking," said Knight in a statement.  

The price of cybersecurity concerns  

A new Ponemon Institute survey found that nearly 60% of executives who have cybersecurity decision-making power at large and midsize companies say their organizations have lost business because of security concerns about connected devices.  

In addition, a scant 11% of organizations have high confidence in their ability to respond to requests for detailed information about the components of their devices. And only half say their organizations assess the security of their products before shipping to customers.  

Although these organizations don't exclusively operate in the healthcare sphere, the findings reiterate the importance of securing connected devices across industries.  

"Hackers are finding new ways to exploit IoT/connected device vulnerabilities, and this data shows the troubling realization that many organizations are not prepared," said Matt Wyckhouse, CEO of Finite State, which published the findings.   

"It can be easy to overlook the risk, which many companies do until they face a breach or cyberattack," he said. "But the data here shows that security concerns affect organizations’ bottom lines, and a more serious approach to protecting devices is imperative."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
