One of the latest cybersecurity threats affecting healthcare is the “zero-day” attack. This happens when a threat actor exploits a vulnerability in software that is either not yet known to the developer, or is known but not yet patched. The term “zero-day” signifies that the developer has had zero days to prepare a fix before bad actors exploit the vulnerability.
In 2010, browsers and other widely used software were hit hard by zero-day attacks. Adobe products (Flash, Reader), Internet Explorer, Java, Mozilla Firefox, Windows XP and many others were hit.
Microsoft software has suffered from zero-day attacks multiple times. The attacks often hit right after Microsoft delivers its patches. Cybercriminals take advantage of Microsoft’s monthly security update cycle by timing attacks just after the second Tuesday of each month, when Microsoft releases its fixes. Ironically, the attacks show Microsoft what the new vulnerabilities are, but it usually takes weeks before it can issue the fix.
The attackers’ motivation is financial gain. Zero-day exploits are incredibly valuable on the black market. In the past, only threat actors with deep pockets could use zero-day exploits, but unfortunately they are becoming much more common among cybercriminals of all types. Personal information is sold for a profit, and medical identity is the most valuable of all, more so than social security numbers and credit card information.
Rising Threat in Healthcare
Lately, zero-day attacks are hitting the healthcare sector more often. The Health Sector Cybersecurity Coordination Center (HC3) recently issued a threat brief outlining risks and mitigation tactics associated with zero-day attacks in healthcare.
Recent zero-day attacks affecting healthcare include:
- A widespread and dangerous attack on thousands of Microsoft Exchange email servers in March 2021 allowed cyber criminals to access organizational emails, revealing sensitive corporate information including electronic protected health information (PHI). The attackers infiltrated beyond email – they gained a foothold in some healthcare environments and escalated administrative access to networks and applications.
- OpenClinic, an open source healthcare records application, was hit in August 2020, exposing patients’ test results. Users were urged to stop using the program after developers failed to respond to reports of four zero-days. The cybercriminals were able to obtain files containing protected health information (PHI).
- Pneumatic tube systems used by hospitals to transport bloodwork, test samples, and medications were affected by a zero-day attack in August 2021. The attackers exploited flaws in the control panel software that allowed unauthenticated and unencrypted firmware updates.
One reason healthcare is especially vulnerable is that so many medical devices used in healthcare settings are connected to the internet, from blood pressure monitors to infusion pumps and pacemakers. These devices are part of the Internet of Things, or IoT, woven into modern life for efficiency and convenience. Smart home products, like voice-activated speakers, thermostats and appliances, are some examples. These devices are just as vulnerable to security risks as computers and tablets. In healthcare, medical devices are often part of legacy systems, and yet they are critical for patient care and safety. Tracking all the devices and keeping them current with updated software is a challenge, which creates risk to patient safety and security.
Risk Management Reduces Risk
Although zero-day attacks can be surprising, fast and far-reaching, there are things you can do to lower the risk of attack, and lessen the impact if it happens. Cybersecurity experts at HC3 recommend that organizations “patch early, patch often, patch completely”.
Cybersecurity experts also recommend:
- conduct a regular HIPAA Risk Analysis and ongoing Risk Management, including a security risk assessment
- follow the vendor’s specific instructions about patching and mitigation, because each situation is unique
- consider using a web application firewall to review incoming traffic and filter out malicious input, preventing threat actors from reaching security vulnerabilities
- keep anti-malware and anti-virus software protection current
The best defense against cybersecurity threats in healthcare is HIPAA compliance. Complete a Risk Analysis at least once a year and follow a Risk Management Plan every day; the analysis surfaces risks and vulnerabilities in your own organization and provides specific advice to minimize those risks.