OCR Warns of Advanced Persistent Threats and Zero-Day Vulnerabilities

OCR Now Publishing Quarterly Instead of Monthly Cyber-Security Newsletters

In its Spring 2019 newsletter, the Office for Civil Rights (OCR) announced that it has moved from a monthly cyber-security newsletter to a quarterly one. No worries though: OCR will continue to provide guidance to HIPAA covered entities and business associates to help keep them in compliance with the HIPAA Security Rule, identifying emerging or prevalent issues and providing best practices for safeguarding PHI.

For the first quarter's newsletter, the OCR shared information regarding Advanced Persistent Threats and Zero-Day Vulnerabilities.

What Are Advanced Persistent Threats?

An Advanced Persistent Threat (APT) is a long-term cyber-security attack that continuously attempts to find and exploit vulnerabilities in the target's information systems in order to steal information or disrupt the target's operations. Although the individual steps of an APT attack need not be technologically sophisticated, the persistence of the attacker, combined with the attacker's ability to change tactics to avoid detection, makes APTs a formidable threat.

The OCR notes that APTs are a serious threat to the healthcare industry. Healthcare is a multi-billion dollar industry that stores and uses enormous amounts of valuable data, including:

  • Data used to develop new drugs and treatments.
  • Medical research information, experimental treatment testing results, and genetic data, which are valuable targets for theft because of their value in driving innovation.
  • Health information used by healthcare providers and insurers to pay for the care individuals receive. If compromised, this information may be used by cyber-criminals for identity theft, which can lead to financial fraud, including theft of health insurance coverage benefits.
  • Sensitive health information that, if compromised, could be used to blackmail an individual.

APTs have already been implicated in multiple cyber-attacks in the healthcare industry throughout the United States and around the world.

What are Zero-Day Vulnerabilities?

The OCR's newsletter alerts us to one of the most dangerous tools in a hacker's arsenal: the "Zero-Day" exploit or attack, which takes advantage of a previously unknown hardware, firmware, or software vulnerability (so called because the vendor has had zero days to fix it). The OCR goes on to say that hackers may discover Zero-Day exploits through their own research or probing, or they may take advantage of the lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public.

One of the reasons these attacks are especially dangerous is that their novel nature makes them more difficult to detect and contain than standard hacking attacks. The OCR also notes that the possibility of such an attack emphasizes the importance of an organization's overall security management process, which includes monitoring anti-virus or cyber-security software for detection of suspicious files or activity. Though hackers may exploit Zero-Day vulnerabilities to gain unauthorized access to an organization's computer systems, appropriate safeguards, including encryption and access controls, may mitigate or even prevent unauthorized access to, or loss of, protected information.

Once a vulnerability is made public, the information becomes available to good and bad actors alike, so entities should have measures in place to learn of new patches and to assess the need to apply them. In the event a timely patch is not available or cannot be immediately implemented (for example, when testing is needed to ensure the patch works with components of an entity's information systems), an entity may consider adopting other protective measures, such as additional access controls or network access limitations, to mitigate the impact of the Zero-Day vulnerability until a patch can be applied.

Recommendations for Covered Entities and Business Associates

While there are many security measures that organizations can proactively implement to help mitigate or prevent the damage an APT or Zero-Day attack may cause, at a minimum the OCR recommends the following HIPAA Security Rule measures:

  • Conducting a security risk analysis to identify risks and vulnerabilities;
  • Implementing a risk management process to mitigate identified risks and vulnerabilities;
  • Regularly reviewing audit and system activity logs to identify abnormal or suspicious activity;
  • Implementing procedures to identify and respond to security incidents;
  • Establishing and periodically testing contingency plans including data backup and disaster recovery plans to ensure data is backed up and recoverable;
  • Implementing access controls to limit access to ePHI;
  • Encrypting ePHI, as appropriate, for data-at-rest and data-in-motion; and
  • Implementing a security awareness and training program, including periodic security reminders and education and awareness of implemented procedures concerning malicious software protection, for all workforce members.
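To make the third recommendation (regular review of audit and system activity logs) concrete, here is an added example of the kind of log review that surfaces the persistent, low-and-slow activity described above. This is not OCR's code and does not come from the newsletter; the log format, user names, log lines and thresholds are all constructed for this example, and a real review would use the entity's own audit records and baselines. It flags three patterns: ePHI record access outside business hours, a burst of failed logins followed by a success, and a user whose daily record volume jumps well above that user's own baseline on other days.

```python
"""Audit-log review: flag abnormal ePHI access patterns in constructed log lines.

Added example; not OCR's code. The log format, thresholds and users are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not captured from any real system).
# Assumed format: <ISO timestamp> <user> <action> <record id or -> <result>
SAMPLE_LOG = """\
2019-04-01T09:12:03 jsmith VIEW_RECORD P1001 SUCCESS
2019-04-01T09:15:44 jsmith VIEW_RECORD P1002 SUCCESS
2019-04-01T10:02:10 rpatel VIEW_RECORD P2201 SUCCESS
2019-04-01T10:05:10 rpatel VIEW_RECORD P2202 SUCCESS
2019-04-02T09:30:00 jsmith VIEW_RECORD P1003 SUCCESS
2019-04-02T10:10:00 rpatel VIEW_RECORD P2203 SUCCESS
2019-04-02T11:10:00 rpatel VIEW_RECORD P2204 SUCCESS
2019-04-03T02:14:09 rpatel LOGIN - FAILURE
2019-04-03T02:14:21 rpatel LOGIN - FAILURE
2019-04-03T02:14:40 rpatel LOGIN - FAILURE
2019-04-03T02:15:05 rpatel LOGIN - SUCCESS
2019-04-03T02:16:00 rpatel EXPORT_RECORD P3001 SUCCESS
2019-04-03T02:16:30 rpatel EXPORT_RECORD P3002 SUCCESS
2019-04-03T02:17:00 rpatel EXPORT_RECORD P3003 SUCCESS
2019-04-03T02:17:30 rpatel EXPORT_RECORD P3004 SUCCESS
2019-04-03T02:18:00 rpatel EXPORT_RECORD P3005 SUCCESS
2019-04-03T02:18:30 rpatel EXPORT_RECORD P3006 SUCCESS
2019-04-03T02:19:00 rpatel EXPORT_RECORD P3007 SUCCESS
2019-04-03T02:19:30 rpatel EXPORT_RECORD P3008 SUCCESS
"""

# Assumed review thresholds; tune them to the entity's own baseline.
BUSINESS_HOURS = (7, 19)             # 07:00 to 18:59 counts as normal working hours
FAILURE_BURST = 3                    # this many failed logins ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window before a successful login
SPIKE_FACTOR = 3.0                   # daily record volume >= 3x the user's other days


def parse_log(text):
    """Parse the assumed five-field format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def off_hours_access(events):
    """Count record accesses (not logins) per user and day outside business hours."""
    counts = Counter()
    for e in events:
        if e["record"] == "-":
            continue
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            counts[(e["user"], e["ts"].date())] += 1
    return [{"rule": "off_hours_access", "user": u, "day": str(d), "count": n}
            for (u, d), n in sorted(counts.items())]


def login_bursts(events):
    """Flag a successful login preceded by FAILURE_BURST failures within BURST_WINDOW."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    for e in events:
        if e["action"] != "LOGIN":
            continue
        fails = recent_failures[e["user"]]
        if e["result"] == "FAILURE":
            fails.append(e["ts"])
            continue
        n = sum(1 for t in fails if e["ts"] - t <= BURST_WINDOW)
        if n >= FAILURE_BURST:
            findings.append({"rule": "login_burst_then_success", "user": e["user"],
                             "day": str(e["ts"].date()), "count": n})
        fails.clear()  # a success resets the window for that user
    return findings


def volume_spikes(events):
    """Flag a day whose record volume is >= SPIKE_FACTOR x the user's mean on other days."""
    per_day = defaultdict(Counter)  # user -> day -> number of record accesses
    for e in events:
        if e["record"] != "-":
            per_day[e["user"]][e["ts"].date()] += 1
    findings = []
    for user, days in per_day.items():
        for day, n in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0
            if baseline > 0 and n >= SPIKE_FACTOR * baseline:
                findings.append({"rule": "volume_spike", "user": user,
                                 "day": str(day), "count": n})
    return findings


def review(events):
    """Run all three checks and return the combined findings."""
    return off_hours_access(events) + login_bursts(events) + volume_spikes(events)


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:26} {f['user']:8} {f['day']}  count={f['count']}")
```

On the constructed log, only rpatel is flagged, by all three rules on the same night: a short password-guessing burst, a successful login at 02:15, and eight record exports in a few minutes against a baseline of two views a day. None of those events is individually dramatic, which is exactly why the review compares each user against their own history rather than against a fixed alert threshold.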

This OCR newsletter is an important reminder to all of us in the healthcare industry that we need to be watchful and proactive in our efforts, so that we prevent attacks where we can, limit the impact of Zero-Day vulnerabilities, and detect and contain an advanced persistent threat before it does lasting damage.