Healthcare Companies are Not Immune to Zero Day Attacks
On November 18, 2021, the Department of Health and Human Services (HHS) published a briefing detailing the concept of Zero Day attacks and their recent impact on the Healthcare and Public Health (HPH) sector. HPH is one of the 16 critical infrastructure sectors designated by Presidential Policy Directive 21, so implementing advanced detection and protection tactics to proactively defend against Zero Day attacks is a key ingredient in keeping our healthcare systems functional and trusted.
* * * * *
During the creation of this piece on Zero Day Exploits in Healthcare, the Apache Software Foundation disclosed the “Log4j” flaw, which is likely present on millions of servers as part of a widely used logging library. Apache has released an updated Log4j version with a patch that IT teams across the world are currently deploying, including healthcare providers and the vendors of software and technology used in the Healthcare and Public Health space. This serves as a very present reminder of the true danger, scope, and potential impact of unknown cybersecurity exploits.
In the healthcare sector there may be hundreds or thousands of in-scope software applications that use this common logging library, spanning medical devices, hospital operations tools, and even finance and administration IT platforms, from which lateral movement into health applications is a real threat.
* * * * *
What is a Zero Day Exploit?
“Zero Days” are security vulnerabilities that are known to a small population prior to public announcement. The “zeroth day” refers to the little or no time that security teams have had to defend against the previously unknown exploit (at least until a workaround or patch is released). One of the most infamous, and earliest documented, zero day attacks was the Stuxnet virus used to attack Iran’s centrifuge program in 2010. According to the Zero Day Tracking Project, more than 80 zero day exploits have been identified in the wild, compared to 33.6 zero day exploits identified annually from 2011-2020. This isn’t necessarily a harbinger of doom for security teams: advanced detection techniques and more emphasis on secure code development and review are driving the rise in identification of these attacks, rather than letting them be exploited for months or years unnoticed.
Impact on Healthcare and Public Health
The sprawling U.S. healthcare system is not only incredibly dependent on digital technology and software, but clearly also has a huge dependency on physical systems that are connected to IT infrastructure. As detailed in the November 2021 HHS briefing on Zero Day Attacks, in August 2021 researchers discovered a zero day exploit, PwnedPiper, that could potentially impact the pneumatic tube systems used by hospitals to transport medication, bloodwork, and test samples. In August 2020, a zero day exploit was discovered that could potentially expose patient test results and healthcare records via the open-source “OpenClinic” application.
Zero Day exploits are problematic across nearly all industries, but in healthcare and public health, where system or infrastructure downtime can have life or death consequences, preparing to respond quickly and effectively to announcements of critical security vulnerabilities is paramount.
How should the HPH sector respond?
By their nature, zero day exploits cannot be prevented, but there are key strategies the healthcare industry can adopt to ensure a proactive approach to security vulnerability management. A variety of “housekeeping” efforts can vastly accelerate HPH responses to zero days:
- Have a Standard Operating Procedure
- Automate Software and Infrastructure Patch Management
- Hyperfocus on Third Party (Vendor) Risk Management
Have a Standard Operating Procedure
Often one of the biggest obstacles in reacting quickly to a publicly disclosed Zero Day exploit is the scramble time immediately after the exploit is announced. Panic and dysfunction are common reactions among IT teams who are suddenly told that they need to immediately fix software or systems. Healthcare IT and Security teams are more than likely already stretched thin just in supporting their IT environment, without adding on the resource stress required to quickly and effectively respond to a Zero Day that requires system patching or code changes.
Ensuring the development of a standard plan, including communication channels, can be key in avoiding the wasted time that can plague IT support teams.
Figure 3: Example Zero Day Response Plan
Automate Software and Infrastructure Patch Management
Security organizations should be familiar with the standard “Patch Tuesday” approach employed by Microsoft in deploying tested patches to Windows workstations, servers, and software. However, most healthcare organizations are going to have dozens of different types of systems and software that require individual vendor patching — and it isn’t always obvious how to keep up with these releases. Ensuring that you are on top of patch management, however, is one of the clearest ways to respond to Zero Day exploits as fast as possible.
Several vendors offer large, bolt-on solutions that sit on top of your infrastructure and can automate the patching process. However, these solutions can be costly and often require true enterprise support, as well as enterprise scale to be feasible.
Because healthcare companies may not have the budget for a heavyweight solution layered over the top of their infrastructure, lightweight solutions that automate patch identification and patch scheduling may be a better option. A combination of endpoint scanning and automated alerts can give your IT and security support teams a clear course of action to maintain current patch levels across the digital ecosystem. Be aware, however, that projects like this require a “lift and shift” approach to IT Operations, which can add to an already heavy workload as teams migrate existing workflows and processes into a single ecosystem and potentially lose short-term cycles and existing day-to-day knowledge.
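As an added illustration of the lightweight "scan inventory, compare against advisories, alert" loop described above (this is example code, not from the original article or any vendor product), the script below takes a constructed software inventory and an assumed table of minimum fixed versions and produces a prioritized list of outstanding patches, ranking clinical systems ahead of administrative ones. Hostnames, application names, zones and the fixed-version values are all hypothetical.

```python
# Added example: lightweight patch-gap check driven by an inventory export and
# an advisory table. All hosts, versions and fixed versions below are constructed.
from dataclasses import dataclass


@dataclass
class InventoryItem:
    host: str
    app: str       # component name as reported by the endpoint scanner
    version: str   # installed version string
    zone: str      # "clinical" systems are prioritized over "admin" ones


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """A component is outstanding when its version is below the fixed version.
    Versions are padded with zeros so '2.17' compares as (2, 17, 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def patch_gap(inventory, advisories):
    """Return (priority, host, app, installed, fixed) tuples for every item
    below its advisory's fixed version, sorted so P1 (clinical) comes first."""
    findings = []
    for item in inventory:
        fixed = advisories.get(item.app)
        if fixed and is_vulnerable(item.version, fixed):
            priority = "P1" if item.zone == "clinical" else "P2"
            findings.append((priority, item.host, item.app, item.version, fixed))
    return sorted(findings)


# Constructed sample inventory (hypothetical hosts) and assumed fixed versions.
SAMPLE_INVENTORY = [
    InventoryItem("lab-lis-01", "log4j-core", "2.14.1", "clinical"),
    InventoryItem("ptube-ctrl-02", "log4j-core", "2.17.1", "clinical"),
    InventoryItem("fin-erp-01", "log4j-core", "2.12.1", "admin"),
    InventoryItem("hr-portal", "openssh", "8.4", "admin"),
]
SAMPLE_ADVISORIES = {"log4j-core": "2.17.1", "openssh": "8.8"}

if __name__ == "__main__":
    for prio, host, app, installed, fixed in patch_gap(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"[{prio}] {host}: {app} {installed} -> needs {fixed}")
```

In practice the inventory list would come from the endpoint scanner export and the advisory table from the team's vulnerability feed; the sorted output is what feeds the automated alert.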
Hyperfocus on Third Party (Vendor) Risk Management
The healthcare and public health sector is highly dependent on third party tools, platforms, software, and infrastructure, both cyber and physical. From the systems that manage patient records to the machines that are used for patient care, many healthcare providers are a complex ecosystem of different vendors, technologies, and, unfortunately, attack vectors. To minimize the risk of zero day exploits in vendor software and infrastructure, healthcare organizations should aim to:
- Include security in the procurement process: Industry standard reports and audit opinions are available that can give a security team assurance that the third party they are working with has put security and privacy measures in place for its product. Common examples are HITRUST or SOC 2 certifications, with HITRUST specifically aligning to the HPH sector.
- Implement a lightweight Threat Modeling program: Constant evaluation and re-evaluation of critical systems and tools for potential security flaws can help mitigate risks inherent in legacy systems, especially those common in the healthcare industry. A threat modeling program, including one in which “Train the Trainer” tactics are employed, can be a lightweight way to scale risk management responsibilities across an entire healthcare ecosystem.
The healthcare sector should maintain security vulnerability management, especially Zero Day exploit management, as a key priority for critical systems and infrastructure. A proactive approach can help teams stay flexible and adaptable as exploit situations arise without paralyzing IT and security teams during the first key moments of a Zero Day announcement.
- Zero Day Tracking Project, https://www.zero-day.cz/, as of December 2021
- PortSwigger, The Daily Swig: Zero-day, https://portswigger.net/daily-swig/zero-day, as of December 2021
- “Zero-Day Attacks”, HHS Cybersecurity Program, Office of Information Security, 11/18/2021
For any questions or comments on the analysis above, please contact:
Jacob Armijo, CISM, Manager (email@example.com)
Michael Morgenstern, Partner (firstname.lastname@example.org)