During the 3rd and 4th quarters of 2019, many hospitals and labs rushed to upgrade their computers to Windows 10. Why? Because Microsoft was about to stop supporting security updates and no one wants to be on the Health and Human Services’ naughty list.
Now we’re almost a week past the support cut-off and SURPRISE! You’re still not safe! The holidays might be over, but Windows is the gift that keeps on givin’.
On January 14th, 2020, Microsoft released a critical patch to Windows 10 and Windows Server 2016 after the National Security Agency reported the problem. The bug in question affects the cryptographic component of a computer that confirms whether a patch or any web connection is secure and legitimate. It can allow an attacker to exploit a network’s encryption validation mechanisms and provide an avenue with which to push malicious software without being detected.
What Does This Mean for Healthcare Providers?
This should raise concerns for healthcare providers regarding HIPAA compliance. Health information privacy laws require appropriate safeguards and confidential handling to protect patients’ personal health information. If a healthcare provider cannot guarantee that someone logging in to the network is an authorized user, or confirm the legitimacy of an unknown device connected to the network, then highly sensitive patient information is at risk of exposure to any number of criminal actors. If hackers manage to gain access to more advanced systems, they could potentially destroy or take patient data hostage, which can create legal and financial nightmares for providers.
The bug also puts any future upgrades and software updates at risk of being illegitimate and hiding other malicious content. If this bug were to be exploited, any nefarious entity could disguise exploits in your network as innocent, and authorize updates to services and other software. Without patching, these entities could proliferate throughout your network forever, without ever being suspected.
Keeping Healthcare Networks Healthy
So what can you do? Under the HIPAA Security Rule, 45 C.F.R. § 164.308 (a)(5)(ii)(B), organizations must implement procedures for detecting, guarding against, and reporting malicious software. Industry best practices suggest that IT and security departments should deploy this patch immediately to ensure that no unauthorized agents try to exploit your network. It's also highly encouraged that your organization run vulnerability assessment scans to validate the origin of any new software or connections established since you upgraded to Windows 10.
Even after your IT department has implemented the patch, there are many ways to continue to ensure your private data is non-exploitable. Enforcing strict group policies, implementing regular security updates, and maintaining an in-depth posture of defense will help to keep your network safe. Additionally, having users engage in computer security training, as well as purging old software and users should keep your network running safe and sound!
As always, if you have any concerns about how these bugs and their patches might affect your network, please contact our support team. We are always here to help!