'Patch early, patch often': HHS cyber arm issues warning on zero-day attacks
Photo: U.S. Department of Health and Human Services
by WEBN-TV/Flickr, licensed under CC BY-ND 2.0
The U.S. Department of Health and Human Services' cybersecurity arm issued a threat briefing this past week about zero-day attacks and their potential risk to the healthcare system.
"Mitigating zero-day attacks completely is not possible – by nature, they are novel and unexpected attack vectors," said the Health Sector Cybersecurity Coordination Center in a public presentation.
One helpful mitigation? "Patch early, patch often, patch completely."
WHY IT MATTERS
As the agency outlined in the briefing, a zero-day attack is defined as a vulnerability exploited by threat actors before a patch is developed and applied.
The number of zero-day exploits caught in the wild has skyrocketed this year: By September 2021, Massachusetts Institute of Technology researchers had tracked at least 66.
HC3 reviewed a few recent high-profile zero-day vulnerabilities in the healthcare sector, such as vulnerabilities flagged this past year in the records application OpenClinic that exposed patients' test results.
And in August 2021, a vulnerability was discovered affecting pneumatic tube systems used by hospitals.
The agency noted that zero-day exploits are "incredibly valuable," with a single vulnerability potentially putting millions of customers at risk.
These exploits can also be leveraged for lucrative attack avenues, such as ransomware.
In addition to patching, the agency recommended implementing a web-application firewall to review incoming traffic and filter out malicious input, as well as making use of runtime application self-protection agents.
THE LARGER TREND
Federal agencies have raised the alarm about several cyber threats to the healthcare system this year.
In the past few months, HC3 has also warned health organizations about BlackMatter ransomware and the LockBit variant. The FBI has chimed in too, issuing alerts about Conti ransomware and Hive ransomware.
ON THE RECORD
"Zero-day attacks can be used both to target specific, high value targets or affect wide swathes of organizations through commonly used software," said HC3 officials. "Both pose substantial dangers to the [healthcare and public health] sector."
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.