HIPAA Security And “Zero Day” Exploits: How To Stay Ahead Of The Hack

Fox Rothschild LLP

HHS Office for Civil Rights (OCR)’s April 3, 2019 cybersecurity newsletter highlights one of the more challenging cybersecurity vulnerabilities faced by covered entities and business associates.  OCR reminds covered entities (CEs) and business associates (BAs) that compliance with the HIPAA Security Rule can help, but stops a bit short of providing concrete guidance as to how best to minimize risk.  OCR warns:

“One of the most dangerous tools in a hacker’s arsenal is the “zero day” exploit or attack which takes advantage of a previously unknown hardware, firmware, or software vulnerability.  Hackers may discover zero day exploits by their own research or probing or may take advantage of the lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public.”

What exactly is a “zero day” attack?  OCR summed it up pretty well.  According to the National Institute of Standards and Technology (NIST), it’s an “attack that exploits a previously unknown hardware, firmware, or software vulnerability.”

The problem is the time that elapses between the discovery of the vulnerability (day zero) and the creation and implementation of the patch for it.  If there’s a “lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public”, what can a CE or BA do?  OCR suggests that an entity “consider adopting other protective measures such as additional access controls or network access limitations” to mitigate liability until a patch is available.

OCR’s June 2019 cybersecurity newsletter provides a more thorough description as to how CEs and BAs can mitigate risks associated with unpatched vulnerabilities.  This newsletter also cross-references a useful resource for staying abreast of new vulnerabilities – the U.S. Computer Emergency Readiness Team (US-CERT).  The US-CERT “Current Activity” web page provides updates on identified security incidents and patches, and subscribers can sign up for email alerts.

Smaller CEs and BAs may still find it difficult to stay abreast of zero day attacks and necessary patches.  The NIST Small Business Cybersecurity Act may help (see here for resources made available as a result of the Act), and smaller entities can also make use of HHS’s recently published “Voluntary Cybersecurity Practices for the Health Care Industry.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
