HHS Office for Civil Rights (OCR)’s April 3, 2019 cybersecurity newsletter highlights one of the more challenging cybersecurity vulnerabilities faced by covered entities and business associates.  OCR reminds covered entities (CEs) and business associates (BAs) that compliance with the HIPAA Security Rule can help, but stops a bit short of providing concrete guidance as to how best to minimize risk.  OCR warns:

“One of the most dangerous tools in a hacker’s arsenal is the “zero day” exploit or attack which takes advantage of a previously unknown hardware, firmware, or software vulnerability.  Hackers may discover zero day exploits by their own research or probing or may take advantage of the lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public.”

What exactly is a “zero day” attack?  OCR summed it up pretty well.  According to the National Institute of Standards and Technology (NIST), it’s an “attack that exploits a previously unknown hardware, firmware, or software vulnerability.”

The problem is the window between the discovery of the vulnerability (“day zero,” so called because the vendor has had zero days to address it) and the release of a patch, plus the further time it takes the entity to actually deploy that patch.  If there is a “lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public”, what can a CE or BA do in the meantime?  OCR suggests that an entity “consider adopting other protective measures such as additional access controls or network access limitations” as compensating controls that reduce the risk (and the entity’s exposure) until a patch is available and applied.

OCR’s June 2019 cybersecurity newsletter provides a more thorough description of how CEs and BAs can mitigate risks associated with unpatched vulnerabilities.  That newsletter also cross-references a useful resource for staying abreast of new vulnerabilities: the U.S. Computer Emergency Readiness Team (US-CERT).  The US-CERT “Current Activity” web page provides updates on identified security incidents and available patches, and subscribers can sign up for email alerts so that new entries reach them without having to check the page.
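OCR’s two suggestions above (track advisories such as the US-CERT Current Activity feed, and fall back to access controls or network access limitations when no patch exists yet) are easier to act on once they are written down as a decision rule. The following is an added illustration of that rule and is not code from OCR, US-CERT, or HHS. The advisory records, the asset inventory, the product names and version numbers, and the management subnet 10.50.0.0/24 are all constructed for the example; US-CERT publishes free-text alerts, not records in this shape, so a real deployment would need its own parsing step to produce them.

```python
"""Match advisories against an asset inventory and choose a mitigation.

Added illustration for this article, not code from OCR or US-CERT.
All identifiers, products, versions and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # constructed label, not a real alert or CVE id
    product: str
    affected_below: str         # versions strictly below this are affected
    patched_in: Optional[str]   # None: no fix published yet (the zero-day window)


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    address: str
    handles_phi: bool           # does this system store or process PHI?


# Assumed administrative subnet; the only source allowed while unpatched.
MANAGEMENT_NET = ipaddress.ip_network("10.50.0.0/24")


def parse_version(version: str) -> tuple:
    """Split '2.10' into (2, 10) so numeric comparison works.

    A plain string comparison would rank '2.9' above '2.10', which is the
    kind of mistake that silently hides an unpatched host.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_below))


def plan_mitigation(asset: Asset, adv: Advisory) -> str:
    """Pick the action OCR's guidance points to for one asset/advisory pair."""
    if not is_affected(asset, adv):
        return "none"
    if adv.patched_in is not None:
        return f"patch to {adv.patched_in}"
    # No patch exists: apply a compensating control instead of waiting.
    if asset.handles_phi:
        return f"restrict network access to {MANAGEMENT_NET}; enforce MFA"
    return "restrict network access; monitor"


def is_allowed_source(src: str) -> bool:
    """Network access limitation: admit only the management subnet.

    Anything that does not parse as an IP address (or is IPv6 while the
    allowlist is IPv4) is denied rather than raising, so a malformed
    header cannot turn into an accidental allow.
    """
    try:
        return ipaddress.ip_address(src) in MANAGEMENT_NET
    except ValueError:
        return False


def triage(assets, advisories):
    """Map each asset name to (advisory_id, mitigation) for every hit."""
    return {
        asset.name: [(adv.advisory_id, plan_mitigation(asset, adv))
                     for adv in advisories if is_affected(asset, adv)]
        for asset in assets
    }


# Constructed sample data: one advisory with no patch yet, one with a fix.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "ImagingServer", affected_below="7.3", patched_in=None),
    Advisory("ADV-0002", "PortalWeb", affected_below="2.10", patched_in="2.10"),
]

SAMPLE_ASSETS = [
    Asset("pacs-01", "ImagingServer", "7.2.1", "10.50.1.20", handles_phi=True),
    Asset("portal-01", "PortalWeb", "2.9", "10.60.0.5", handles_phi=True),
    Asset("kiosk-03", "PortalWeb", "2.10", "10.60.0.9", handles_phi=False),
]


if __name__ == "__main__":
    for name, actions in triage(SAMPLE_ASSETS, SAMPLE_ADVISORIES).items():
        print(name, actions or "no open advisories")
```

Run as a script, it reports that the imaging server is in the zero-day window and should be fenced off to the management subnet, the portal has a patch to apply, and the kiosk needs nothing. The version parser is the part worth keeping: the `2.9` versus `2.10` case is exactly where an ad-hoc string comparison would have marked the vulnerable portal as current.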

Smaller CEs and BAs may still find it difficult to stay abreast of zero day attacks and the patches they require.  The NIST Small Business Cybersecurity Act may help (see here for resources made available as a result of the Act), and smaller entities can also make use of HHS’s recently published “Voluntary Cybersecurity Practices for the Health Care Industry.”