D'Arcy Gue

Friday FAQ: Zero-days! Not Sci-Fi But Real-Life Security Risks

April 15, 2016


This post is part of an ongoing series offering byte-sized nuggets of HIT-related info that you never realized you should know.

There is a lot of talk within healthcare about “zero-days.” Sounds like doomsday language, and yes, from a healthcare IT security perspective, it actually is. Zero-days — great risks for hospitals and payers — are suddenly a major aspect of the everyday vulnerability of personal health information and enterprise systems, including EHRs and financial management systems.

Here’s what you need to know in one minute:

Zero-day vulnerability is techno-talk for a hole in software that is unknown to the vendor and that has not been disclosed to users. When this security hole is discovered by hackers, the zero-day race is on: they quickly exploit it in an aggressive attack, before the vendor can rush in to fix the hole and protect users and its client relationships. Zero-day attacks come in forms like malware, spyware or unwanted access to user information.

Have you wondered about the common notices from web browser companies telling you to immediately install updates with security patches? They often are in a race with a zero-day hacker to prevent you from heading toward a booby-trapped Web page or a malicious image file that can trick Internet Explorer, as an example, into executing malware code from outside your network. Such malware can find a home on your computer even if you carefully avoid obvious no-no’s like opening suspicious attachments or files.

What does this have to do with healthcare per se? It turns out that browsers are especially vulnerable to zero-day attacks. Many EHRs and financial management systems are browser-based, making them especially vulnerable. In addition, many healthcare systems users are accessing those systems from devices that have internet browsers installed on them. More vulnerability.

The number of zero-day vulnerabilities found throughout 2015 doubled the number found in 2014. “Discovering unknown vulnerabilities and figuring out how to exploit them has clearly become a go-to technique for advanced attackers, and there is no sign of this trend changing,” according to a recent study by Symantec Corporation.

One quick lesson: when a browser vendor or software company releases a security patch, pay attention and become part of the zero-day race between vendor and hacker. Install the update immediately in order to eliminate your vulnerability. I know, I know; this may require a ridiculously time-consuming computer reboot. It is very likely to be worth it.

We do internal security assessments and intrusion monitoring and detection, specific to hospitals. If you’d like to know more, contact us here or call me directly at 928-282-3038.

I would also recommend reading our recent blog post on how many hospitals are unintentionally undermining their own data security.
