Robust cybersecurity continues to be of paramount importance as the COVID-19 outbreak develops and cybercriminals seek to exploit a remote workforce, which necessitates that companies check their policies, procedures, and controls to ensure they are addressing the highest areas of risk. On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) at the U.S. Department of Homeland Security (“DHS”) issued an Alert identifying the top 10 cybersecurity vulnerabilities routinely exploited by foreign malicious actors. The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) shared the Alert so healthcare organizations can likewise take appropriate action to reduce the potential risk of exploitation, as entities in this field are increasingly the target of cyberattacks.
Issuance of the Alert is consistent with the trend of federal agencies keeping a close eye to cybersecurity issues this year. Besides the Alert, recent developments include the Federal Trade Commission (“FTC”) seeking comment on whether revisions should be implemented to its breach notification rule, which requires personal health record (“PHR”) vendors not covered by HIPAA to inform consumers and the FTC of breaches with 60 days, in addition to other activity. By way of reference use of PHRs, which are an electronic record of an individual’s health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his/her own health care management, is growing which likely provided the impetus for this development.
As the Alert states, “foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets.” The Alert goes on to explain that “exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.” The Alert was shared with the goal of having U.S. public and private sectors degrade some foreign cyber threats through increased efforts to patch systems and implement comprehensive programs to keep system patching up to date.
What Does the Alert Cover?
- Identification of Top 10 Most Exploited Vulnerabilities 2016–2019: The Alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (“CVEs”)—to help organizations reduce the risk of these foreign threats. The Alert identifies the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 by CVE classification.
- Vulnerabilities Exploited in 2020: In addition to the top 10 vulnerabilities from 2016 to 2019, the Alert reports on other vulnerabilities routinely exploited by sophisticated foreign cyber actors in 2020. This includes, among others:
- Cyber actors increasingly targeting unpatched Virtual Private Network vulnerabilities;
- The targeting of organizations whose rapid deployment of cloud collaboration services may have led to oversights in security configurations and vulnerable to attack; and
- Preexisting cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—that continue to make organizations susceptible to ransomware attacks in 2020.
- Mitigations for Vulnerabilities: The Alert provides detailed technical mitigation measures for each of the vulnerabilities identified above.
What measures can an organization take to protect itself from cyber threats?
A comprehensive cybersecurity program is essential for every organization, particularly for those entities operating in the healthcare industry that handle the Protected Health Information (“PHI”) of patients. Cybersecurity-related issues frequently encountered by entities in the healthcare sectors range from malware that compromises the integrity of systems and privacy of patients to distributed denial of service (DDoS) attacks that disrupt facilities’ ability to provide patient care. While other sectors are vulnerable to these attacks as well, for the healthcare sector cyberattacks can have widespread ramifications well beyond loss of privacy and financial loss.
Our team can provide detailed advice to navigate what cybersecurity risks impact the healthcare sector, particularly in light of the complex regulatory requirements already imposed under HIPAA and other applicable statutes. We can also assist in overall cybersecurity compliance efforts and help develop integrated compliance policies that can be administered effectively and efficiently in the face of operating environments subject to flux.