April 11, 2017
By all accounts, the last three years have shown the healthcare industry that it is a major target for hackers, and will be for many years to come. “Zero-days” is one lesser known term for one of the most common types of cybercrime that we all should be wary of. These are created by holes in software that are unknown to the vendor, and so have not been disclosed to users. When such a security hole is discovered by hackers, the zero-day race is on: the hackers quickly exploit it in an aggressive attack, before the vendor can rush in to fix the hole and protect users and their personal data. The number of zero-day vulnerabilities found in 2015 doubled the number found in 2014. Predictions are that zero-day exploits will rise from one-per-week in 2015 to one-per-day by 2021. How might zero-days affect you and/or your hospital?
Zero-day attacks come in forms like malware, spyware or unwanted access to user information through software we use. In the past hackers concerned themselves more with attacking data center infrastructures, but in the hybrid cloud era, applications and data itself are becoming key points of criminal entry. For example, in 2016 numerous zero-day flaws were discovered in commercial software by Adobe, Microsoft and Apple, with Adobe leading the pack at 135 vulnerabilities. “We predict that more software flaws will be discovered in Adobe and Apple products in addition to Microsoft’s,” Trend Micro notes in its security predictions for 2017.
Discovering software vulnerabilities and figuring out how to exploit them has clearly become a go-to technique for advanced attackers, and there is no sign of this trend changing, according to a recent study by Symantec Corporation. It notes that the healthcare industry is always going to be a target for hackers because of the high value of patient information for hackers who put it up for sale. Unfortunately, the risks are only going to grow because of healthcare’s robust demand for better software to support patient care, e-health computer applications, mobile device-based apps, and teleheath tools as a whole. At the same time, an extreme shortage of qualified IT security specialists is contributing to a lack of sufficient internal security resources for hospitals as well as other industries. Even with the right technology, many IT teams simply don’t have enough hours in the day to investigate frequent threats and defend against them.
While discovery of increasing zero-day flaws threatens to overwhelm security defenders, the good news is that efforts are being made to counter the damage those flaws can create through various organized initiatives. A leader is DARPA — the U.S. Defense Advanced Research Projects Agency — which demonstrated in August 2016 the future of zero day combat during its Cyber Grand Challenge. The Challenge gave seven teams the opportunity to show how automated solutions they had developed could not only find bugs in software but replace the buggy code with secure code.
As the security community works to prevent threats and manage hacking incidents, here is one quick lesson to all software users: when a browser vendor or software company releases a security patch, pay attention and become part of the zero-day race between vendor and hacker. Install the update immediately In order to eliminate your vulnerability. More than likely, your action will be worth your time.
Phoenix does internal security assessments and intrusion monitoring and detection, specific to hospitals. If you’d like to know more, contact us here or call me directly at 928-282-3038.