You can stop hackers from stealing your data by paying attention to the most common software vulnerabilities. A software vulnerability is an open or unlocked door into your electronic records, except that you have the ability to close those doors.
Keeping your software up to date is required by HIPAA, and easily becomes second nature once you fold it into your HIPAA Risk Management plan. HIPAA Risk Analysis – Risk Management is ongoing, not something you do once and forget about. Learn how to routinely check, close and lock the doors.
Software patches tend to be overlooked – but when the vendor offers them to you it’s critical to pay attention and take the time to apply the fixes the patch will bring. It actually doesn’t take a lot of time, and can save lots of money, headache and downtime later if you patch and close the doors routinely.
Technical Guidance for Cybersecurity Help
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert with technical guidance advising IT security professionals to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors. The state-sponsored cyber actors are from China, Iran, North Korea, and Russia. (CISA is part of the U.S. Department of Homeland Security.)
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets,” in both the public and private sector. These vulnerabilities are easy to exploit, and don’t require much time or resources to launch an attack. It’s far too easy for hackers to walk in an unlocked door.
Which Systems are at Risk?
According to the alert, a U.S. industry study released in early 2019 revealed that “the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products” probably because of how widely these systems are used.
Chances are you are using some of the vulnerable software, or have in the past. The list includes Microsoft products like Windows 7, Windows 8, Office 365 and SharePoint, Adobe Flash Player before 28.0.0.161, and various Citrix products.
Ideally, organizations should be transitioning away from any software that is no longer current or no longer supported by the vendor. Old legacy systems remain the most vulnerable.
Your IT staff may already be up to date and have all of this done; if you are not the IT professional, ask one of them whether your systems are up to date. If you’re a small organization without IT staff, you can get help from CISA. Anyone is encouraged to obtain free scanning and testing services from CISA, as noted on page 5 of the alert.
New Cybersecurity Risks in 2020
The top ten vulnerabilities described in the alert were identified from 2016-2019, but they continue to be exploited this year. In addition, changes this year, like working from home, have opened up new vulnerabilities, namely:
- Unpatched Virtual Private Networks, e.g., Citrix VPN appliances
- Cloud collaboration services, like Microsoft O365
- General cybersecurity weaknesses that make organizations susceptible to ransomware attacks, like inadequate employee cybersecurity training, and a lack of system recovery and contingency plans
Hacks and Malware Spread Damage Like a Virus and Can Be Defeated in a Similar Way
One of the original metaphors for intentional hacking was a virus. That makes sense, because once a damaging program entered a system, it could travel from device to device, from office to office and person to person through email and other electronic connections, silently and unseen. It turns out that one of the best ways to control and defeat a malicious software attack is similar to fighting a pandemic: act in concert, for your own good and for the good of others.
If more organizations in the United States patched their systems, foreign cyber threats could be significantly lessened. When the attacks succeed less often, the cost to the attackers goes up, and the malicious software doesn’t travel as far.
According to the alert:
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
HIPAA Compliance is a Blueprint for Cybersecurity Safety
Everything this new alert recommends is routine when you have a thorough, complete, ongoing HIPAA Risk Analysis – Risk Management plan. The security risk assessment, software patches, employee training, system recovery and contingency plans are all on your Risk Analysis checklist, and if you do it correctly, there will be no surprises or last minute efforts to secure your data and keep your organization safe.