IDenticard PremiSys Access Control System Flaws Discovered

by | Feb 7, 2019

ICS-CERT has released a warning about three high-severity vulnerabilities in the IDenticard PremiSys access control system. All versions of the PremiSys software before version 4.1 are affected by the flaws.

If the vulnerabilities are successfully exploited, an attacker could gain full access to the system with administrative privileges, steal sensitive information contained in backups, and gain access to stored details. The flaws can be exploited remotely and require only a low level of expertise. Details of the flaws have been publicly disclosed.

The highest-severity vulnerability, CVE-2019-3906, relates to hard-coded credentials that permit full admin access to the PremiSys WCF Service endpoint. If exploited, an attacker could gain full access to the system with administrative privileges. The vulnerability has been given a CVSS v3 base score of 8.8.

User credentials and other sensitive data stored in the system are encrypted; however, a weak method of encryption has been implemented, which could be cracked, leading to the exposure and theft of information. The vulnerability (CVE-2019-3907) has been given a CVSS v3 base score of 7.5.

Backup files are saved by the system as encrypted zip files; however, the password needed to unlock the backups is hard-coded and cannot be changed. An attacker who obtains the backup files could therefore view and steal the information they contain. The vulnerability (CVE-2019-3908) has been given a CVSS v3 base score of 7.5.

Tenable’s Jimi Sebree identified and reported the flaws.

IDenticard has addressed the hard-coded credentials vulnerability (CVE-2019-3906). Users should update the software to version 4.1 to address this vulnerability. IDenticard is currently developing a remedy for the other two flaws; a software update addressing those vulnerabilities is due to be released in February 2019.

As a temporary mitigation, NCCIC advises restricting and monitoring access to port 9003/TCP, placing the system behind a firewall, and ensuring the access control system is not reachable from the Internet. If remote access is required, secure methods should be used, including an up-to-date VPN.
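The monitoring half of that mitigation can be scripted against firewall or flow logs. The following is an added example, not code from the advisory, from IDenticard or from NCCIC: it parses a constructed key=value log format (not any particular firewall's output), assumes that only a management subnet of 10.10.50.0/24 should ever reach the WCF endpoint, and flags permitted TCP connections to port 9003 from any other source.

```python
"""Flag permitted connections to the PremiSys WCF service port (9003/TCP)
that originate outside an allow-listed management network.

Added example, not part of the original advisory. The log format is a
constructed key=value style, and the 10.10.50.0/24 management network is an
assumed value; adapt both to the firewall actually in front of the system.
"""
import ipaddress
import re
from collections import Counter

PREMISYS_PORT = 9003  # WCF Service endpoint port named in the advisory

# Assumed: only hosts on this management subnet may reach the WCF endpoint.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed sample log lines (not a real product's format or real traffic).
SAMPLE_LOG = """\
2019-02-07T08:01:12Z action=allow proto=tcp src=10.10.50.21 dst=10.10.60.5 dport=9003
2019-02-07T08:02:45Z action=allow proto=tcp src=10.10.70.9 dst=10.10.60.5 dport=9003
2019-02-07T08:03:10Z action=allow proto=tcp src=10.10.50.22 dst=10.10.60.5 dport=443
2019-02-07T08:04:33Z action=allow proto=tcp src=203.0.113.45 dst=10.10.60.5 dport=9003
2019-02-07T08:05:01Z action=deny proto=tcp src=198.51.100.7 dst=10.10.60.5 dport=9003
2019-02-07T08:05:59Z action=allow proto=udp src=10.10.70.9 dst=10.10.60.5 dport=9003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_allowed_source(addr):
    """True if the source address lies inside one of the allow-listed networks."""
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unexpected_wcf_access(log_text):
    """Return records for permitted TCP connections to port 9003 whose source
    is outside the management allow-list. Denied connections are skipped, since
    the firewall already blocked them; other ports and protocols are ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != PREMISYS_PORT:
            continue
        if rec["action"] != "allow":
            continue
        if not is_allowed_source(rec["src"]):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per offending source address, e.g. for an alert body."""
    return Counter(str(f["src"]) for f in findings)


if __name__ == "__main__":
    hits = find_unexpected_wcf_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} unexpected access to {h['dst']}:{h['dport']} from {h['src']}")
    print("by source:", dict(summarize(hits)))
```

On the constructed sample the script reports two findings: the internal host 10.10.70.9, which is outside the management subnet, and the external address 203.0.113.45, which should not have reached the port at all if the firewall and Internet-isolation advice were followed. The denied attempt from 198.51.100.7 is deliberately not reported, so the output stays focused on connections that actually got through.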

Ryan Coyne