The Health Sector Cybersecurity Coordination Center (HC3) released a report outlining the threat of zero-day attacks and tactics to mitigate security risks. Since part of HIPAA compliance is utilizing reasonable safeguards to protect patient data, covered entities should pay attention to the rising threat of zero-day attacks.
What are zero-day attacks?
A key component of zero-day attacks is software applications having an unknown vulnerability. When cybercriminals discover it, they immediately launch an attack to exploit the weak spot before developers can develop a patch. Cybercriminals often use malware to execute a zero-day attack.
This type of attack is referred to as “zero-day” because there is virtually no time between developers noticing a vulnerability and cybercriminals starting to exploit it.
One of the most dangerous aspects of a zero-day attack is that it can take an average of 97 days for an IT team to apply, test, and deploy patches. This is a rather large window of opportunity for cybercriminals to attempt to exploit vulnerabilities.
How have zero-day attacks affected the healthcare industry?
In the past, zero-day attacks were reserved for incredibly sophisticated cybercriminals with significant financial resources. But as technology has developed, cybercriminals can now deploy zero-day attacks more easily. This has led to an increase in zero-day attacks since a single vulnerability can lead to thousands of patients’ data being leaked.
Covered entities should choose their software wisely to ensure vulnerabilities are patched quickly by the developers. Otherwise, they increase their risk of having their cybersecurity system hacked.
For example, OpenClinic is an open-source program for healthcare records. In late 2020, it was discovered that OpenClinic had several zero-day vulnerabilities in its application. These vulnerabilities meant that unauthorized people could request and gain access to files containing protected health information (PHI). Since developers were unresponsive to these issues, covered entities were encouraged to stop using the program.
The healthcare industry needs to utilize threat-sharing resources and vulnerability disclosures to identify security problems. Security resources like HC3 can provide insight into active zero-day vulnerabilities and available patches.
What can healthcare providers do to protect against zero-day attacks?
The problem with zero-day attacks is that they are difficult to predict. “Mitigating zero-day attacks completely is not possible – by nature, they are novel and unexpected attack vectors,” according to the HC3 report.
Proactive prevention is the best tool to avoid vulnerabilities. The HC3 report states, “Patch early, patch often, patch completely.” While patching is important for cybersecurity defense, this can be difficult for the healthcare sector. Medical IoT devices and legacy systems have gained a reputation for being difficult to patch.
There are other ways to mitigate the risk of a zero-day attack. The HC3 report discusses implementing the following security protocols:
- Using a web application firewall to monitor and review incoming and outgoing traffic
- Using runtime application self-protection (RASP) agents to detect suspicious activity
Healthcare providers will also want to send HIPAA compliant email to protect against unauthorized access to PHI. Paubox Email Suite Plus provides outgoing email encryption and robust inbound security tools to prevent malicious emails from even entering your employee’s inbox. Our HITRUST CSF certified software is ready to protect your data.