Vulnerable devices are a reminder to create solid patch management policies

HIMSS’ latest cybersecurity report highlights the continued Meltdown and Spectre threats that first appeared in early 2018, while outlining how hackers can easily exploit healthcare’s legacy systems.
By Jessica Davis
01:35 PM

Healthcare is one of the biggest hacking targets for two major reasons: legacy technology and the need to access data to ensure operations. This is evident in this month’s HIMSS Healthcare and Cross-Sector Cybersecurity report that contains a long list of issued patches for vulnerable devices.

The U.S. Department of Homeland Security ICS-CERT issued an alert to help organizations manage Meltdown and Spectre vulnerabilities found within all Intel CPU hardware. Discovered in early 2018, the flaws make all devices operating with the CPU vulnerable to side-channel attacks.

While some manufacturers have found ways to work around the vulnerability, some of those methods can impact device performance. For those systems, ICS-CERT offered both workarounds and mitigations, while reminding organizations to perform risk assessments and impact analyses before deploying those methods.

DHS also alerted organizations to other Meltdown and Spectre flaws, along with an increase in attacks on routers and networked devices by nation-state actors. Similar to the attacks noted in April, these attacks are easy for hackers to deploy, and serve as a reminder that healthcare’s legacy devices are at risk.

Destructive malware – which first began to proliferate one year ago – has reared its head again with VPNFilter, according to the report. The malware can be used on individual devices or multiple sources at once, which can cut off internet access for hundreds of thousands of users.

The report also highlighted a similarly destructive malware that impacts Bluetooth technology. If exploited, a hacker can gain control of devices and access personal data, and the malware can proliferate to other devices on the network.

“Adversaries stockpile exploits,” said Lee Kim, director of privacy and security for HIMSS North America. “The dangers of not having a solid patch management program are that you are low-hanging fruit.”

And for healthcare, if exploited, that low-hanging fruit can cause a long list of issues.

“Dependence on technology means that technology that does not work or that has been compromised will affect day-to-day care and operations,” said Kim. “Making assumptions about what will work as a backup measure can be dangerous. Head off the risk by regularly testing your assumptions.”

Medical device security, malware and hacking will be among the topics experts discuss at the upcoming HIMSS Healthcare Security Forum in San Francisco, June 11-12.


Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com