Dive Brief:
- If you are notified of a fix for a software vulnerability, apply it immediately or invite major risk. That’s the key message in the September 2017 HIMSS Healthcare and Cross-Sector Cybersecurity Report.
- Among the report’s highlights: IBM issued a patch for a “directory traversal” vulnerability in some of its WebSphere Portal products. This flaw lets an attacker move around and read file content in other directories on the server — not just the one they were meant to reach.
- “Don’t be complacent about the security of your website or your mobile devices,” Lee Kim, director of privacy and security at HIMSS, said, according to Healthcare IT News.
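The directory traversal flaw mentioned above is, in general terms, an application taking a user-supplied path and joining it onto a base directory without checking where the result lands. The example below is added here as an illustration of that class of bug and is not IBM's code, WebSphere code, or anything from the HIMSS report: it shows a vulnerable resolver next to a hardened one, plus a small log-review helper that flags requests carrying `..` segments (including URL-encoded ones) in constructed web-server log lines. The document root, log lines and function names are all assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example values; nothing here comes from the article or any real deployment.
DOC_ROOT = "/srv/app/public"

SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2017:10:01:02 +0000] "GET /portal/files/report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Sep/2017:10:01:07 +0000] "GET /portal/files/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [12/Sep/2017:10:01:09 +0000] "GET /portal/files/%252e%252e/config.xml HTTP/1.1" 404 0',
    '10.0.0.7 - - [12/Sep/2017:10:02:00 +0000] "GET /portal/files/css/site.css HTTP/1.1" 200 2048',
]


def unsafe_resolve(doc_root: str, user_path: str) -> str:
    """Vulnerable pattern: join the untrusted path onto the root and use it.

    '..' segments are normalized away, so the result can sit outside doc_root.
    """
    return posixpath.normpath(posixpath.join(doc_root, user_path))


def safe_resolve(doc_root: str, user_path: str):
    """Hardened pattern: canonicalize first, then confirm the result is still
    inside doc_root. Returns the resolved path, or None if the request escapes.
    """
    if "\x00" in user_path:            # NUL bytes truncate paths in some C-backed APIs
        return None
    root = posixpath.normpath(doc_root)
    # lstrip('/') prevents an absolute user path from replacing the root in join()
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    # The separator in the prefix check matters: '/srv/app/publicX' must not pass.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def has_traversal_segment(raw_request_path: str, max_decode: int = 3) -> bool:
    """Detection helper: URL-decode repeatedly (to catch double encoding) and
    report whether any path segment is exactly '..'.
    """
    decoded = raw_request_path
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


# Common Log Format: client, identity, user, [timestamp], "METHOD PATH PROTOCOL", status, size
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def flag_traversal_requests(log_lines):
    """Return (client_ip, request_path) for every log line whose path carries a
    traversal segment. Status code is ignored on purpose: a 404 still shows intent.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, _size = m.groups()
        if has_traversal_segment(path):
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    print("unsafe:", unsafe_resolve(DOC_ROOT, "../../../etc/passwd"))
    print("safe:  ", safe_resolve(DOC_ROOT, "../../../etc/passwd"))
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The hardened check works on the canonicalized result rather than on the input string, which is why it also rejects encoded or sibling-directory variants that a simple "contains `..`" filter on the raw input would miss; the log helper is the inverse view, useful for reviewing access logs after a patch like IBM's has been applied to confirm whether the flaw was being probed beforehand.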
Dive Insight:
Apple and Mozilla also issued security updates recently. Apple released iOS 11.01 to plug vulnerabilities in older versions of iOS that could allow a hacker to take control of an affected system. Mozilla’s updates fix multiple vulnerabilities in Firefox ESR 52.4 and Firefox 56.
Healthcare organizations got a wake-up call in May when the international WannaCry ransomware attack froze computers at a number of hospitals in the UK, forcing them to suspend services and turn patients away. In all, the attack struck at least 112 countries.
It involved a type of ransomware that infiltrates computers through phishing emails and demands payment in bitcoin to restore access to encrypted files. In the WannaCry attack, the ransomware targeted a vulnerability in Microsoft Windows for which Microsoft had released a patch in March. However, many hospitals had failed to update their systems.
“Patch updates are becoming extremely important, because hackers are responding to critical bugs immediately,” Kurt Osburn, a health IT security expert with ControlScan, told Healthcare Dive in May. “Healthcare organizations are high value targets, which means their security and IT teams need to be extremely aware of what is happening in the wild and respond accordingly.”
In June, a different ransomware virus, a strain of Petya, spread across Europe and hit U.S. targets, including Nuance, Merck and Heritage Valley Health System. And in August, cybersecurity experts identified a new ransomware strain that is specifically targeting healthcare organizations. Called Defray, the virus spreads through a Microsoft Word attachment in emails sent to potential victims.
It might come as a bit of a surprise, but healthcare doesn't bear the highest costs in cybercrime. Financial services holds that dubious honor, with an average annualized cost of $18.28 million, according to the HIMSS report. Next in line are energy, aerospace and software/technology, followed by healthcare with costs totaling $12.47 million.