Alert on Advanced Persistent Threats and Zero-Day Exploits Issued by OCR

In its spring cybersecurity newsletter, the HHS’ Office for Civil Rights has warned healthcare organizations about advanced persistent threats and zero-day exploits.

Hackers target healthcare organizations because of the volume of sensitive data they keep. The protected health information (PHI) of a person is highly valuable because it may be employed for many different purposes, such as tax fraud, identity theft, and obtaining healthcare services. Sensitive data about healthcare conditions could also be employed for blackmailing people.

Healthcare organizations also hold other valuable information such as genetic data, research data, and data from experimental treatments. This information is particularly valuable to foreign governments to increase innovation.

Hackers can use different techniques to bypass defenses and quietly access networks, two of which that are now being used extensively are advanced persistent threats and zero-day exploits.

The term advanced persistent threat (APT) refers to recurring cyberattacks that try to take advantage of vulnerabilities to access data systems. These attacks can be complex, but even fairly simple attacks pose a major risk because of their persistence.

The purpose of the attacks is to quietly access data systems and steal data over an extended period of time. A number of APT groups have successfully accessed healthcare IT systems in the U.S. and and have stolen sensitive healthcare information.

Zero-day exploits refer to using previously unidentified vulnerabilities to attack companies. When the vulnerabilities are identified, patches are released to correct the flaws. Hackers will keep on exploiting the system vulnerabilities until they have been patched. It is therefore important to apply patches quickly and keep all operating systems and software programs updated.

As soon as a zero-day vulnerability is publicly revealed it doesn’t take long for hackers to develop an exploit. Quite often, exploits for vulnerabilities are used in real-world attacks just days after a patch is released.

If no patches are available immediately, such as when substantial testing is needed before they can be applied, it is necessary to employ workarounds or other security control that prevent the exploitation of the vulnerabilities. Using encryption and access controls could help minimize damage even if network access is gained by means of an exploit.

OCR cautioned about the threat of combination attacks using APTs and zero-day exploits. One example provided was the use of the EternalBlue exploit.days after the exploit was published online, it was integrated into WannaCry ransomware. WannaCry infected a huge number of computers worldwide. Microsoft released a patch for the vulnerability exploited by EternalBlue 2 months prior to the WannaCry attacks. By applying the patch promptly, organizations were shielded from the exploit and WannaCry but delayed patching left companies vulnerable to the attacks.

Healthcare companies and their business associates can enhance their defenses against zero-day exploits and APTs by employing the following measures specified in the HIPAA Security Rule:

  • Perform risk analyses to identify risks and vulnerabilities
  • Mitigate risks and vulnerabilities through a risk management process
  • Review audit and system activity logs for suspicious activity
  • Have contingency and disaster recovery plans that can be immediately implemented
  • Implement access controls to limit ePHI access
  • Encrypt ePHI
  • Establish a security awareness and training program