The old weather proverb about March, in like a lion and out like a lamb, applied to April in reverse in the world of cyber security. While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here). As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat, this time to Internet Explorer (IE), first announced by FireEye Research Labs. Microsoft quickly confirmed the flaw on its Security TechCenter webpage. All versions of Microsoft IE contain the vulnerable code.
IE’s Vulnerability Dubbed “Operation Clandestine Fox”. FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons. One is that hackers are already exploiting the vulnerability in an active “campaign”. Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.
With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user into opening malicious HTML code. This allows the hacker to download malicious software to the user’s computer. Once that software is installed, the hacker gains access to the user’s computer and can then gather the information needed to reach other programs and networks the user accesses. Such access can include otherwise secure servers, databases and networks. The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory on its CERT Vulnerability Alerts Database webpage. Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) and Health Information Technology (HIT) managers as they develop a responsive action plan.
HIPAA Security Rule Compliance: Develop Action Plan. CIOs and HIT managers for “covered entities” and their “business associates” (as defined by HIPAA) should immediately assess the risk and develop an action plan to address the newly identified IE vulnerability. Covered entities include health care providers, health care benefit plans, and health care clearinghouses. The risk assessment should include an evaluation of how confidential electronic data, including patient and financial data, is accessed by employees and third-party vendors. Ensuring security is especially critical for employees and medical staff who can remotely access the electronic health record.
Workarounds and alternative browser options. The action plan should include, among other things, a determination of the available workarounds for IE and whether internet browsers other than IE are available to employees, medical staff and vendors for purposes of accessing and exchanging confidential data on the entity’s HIT systems. Assess the feasibility of implementing the workarounds suggested by Microsoft and Homeland Security on devices controlled by the organization. The workarounds may be too complex, however, for computer users to implement on their own home computers and on the mobile devices they use for remote access. Accordingly, the organization may need to advise employees and medical staff to use an internet browser other than IE for remote access to the organization’s network. If using another browser is the best option, determine and recommend the browser (including the version number) that will work best with the organization’s network. Before recommending an alternative browser, check for security alerts on that browser. (On April 29, 2014, Mozilla issued Firefox Version 29 to fix a critical vulnerability in a prior browser version that allowed the installation of malicious code with no user interaction beyond normal browsing.)
IT Support. The organization’s technology alerts also might include help desk support information. Ensure that help desk personnel are adequately resourced and prepared to assist users in implementing suggested responsive action to the vulnerability threat.
Safe Internet and Computer Use. Additionally, evaluate whether employees, medical staff and others with secure access to the covered entity’s network should change the log-in passwords they use on the entity’s network. Advise employees and medical staff to use a password for the organization’s networks that is different from the passwords they use for personal websites. Remind employees always to use special caution when visiting websites and to avoid clicking suspicious links or opening email messages from unfamiliar senders, regardless of which internet browser they use.
There’s simply no rest for the weary healthcare CIO!