Be on the lookout for APT and zero-day exploits, OCR warns
In its latest cybersecurity newsletter, OCR highlights two security threats that are targeting healthcare: advanced persistent threats (APT) and zero-day exploits.
APT attacks are long-term cybersecurity threats that continuously attempt to find and exploit vulnerabilities in the target’s information systems and are marked by persistence and changing tactics to avoid detection, OCR explains. In addition to health information of individuals, such attacks may also target information systems that use medical research information, experimental treatment testing results, and genetic data. According to OCR, APTs have already been implicated in several cyberattacks on the healthcare sector.
The second type of threat OCR covers is the “zero day” exploit: an attack that takes advantage of a previously unknown vulnerability. Hackers may discover such a vulnerability through research or probing, or may take advantage of the time gap between when a vulnerability is discovered and when a relevant patch becomes available. These exploits are dangerous because of their unknown nature.
OCR states that safeguards like encryption and access controls may help mitigate or prevent unauthorized access, but covered entities (CE) should have measures in place to be aware of new patches and assess the need to apply them.
OCR also recommends the following measures for CEs and business associates:
- Conducting risk analyses to identify risks and vulnerabilities
- Implementing a risk management process to mitigate identified risks and vulnerabilities
- Regularly reviewing audit and system activity logs to identify abnormal or suspicious activity
- Implementing procedures to identify and respond to security incidents
- Establishing and periodically testing contingency plans, including data backup and disaster recovery plans, to ensure data is backed up and recoverable
- Implementing a security awareness and training program, including periodic security reminders and education and awareness of implemented procedures concerning malicious software protection, for all workforce members