
The Importance of Being Earnest About Patching

by Richard Lang | Nov 18, 2022 | Compliance, Cybersecurity, Patient Safety


Social Engineering is the #1 attack vector leading to cybersecurity breaches.

However, to be successful, many of these social engineering attacks rely on a simple fact: the workstation where the end user performs their everyday job is not fully maintained. Patching corrects bugs in software that an attacker can leverage to take control of a target system. Once one system is compromised, lateral movement across the network compromises other systems shortly after. The net result? The attacker can escalate their privileges and access or steal all the data in your environment.

Unfortunately, some attacks require no user intervention or social engineering at all (Log4j, for example). As many vendors (of firewalls, network storage, backup devices, wireless access points, phone systems, etc.) have found, merely having a device accessible from the internet makes it a target for Remote Code Execution (RCE) flaws. Once an attacker has detected your vulnerable device through automated scans that can cover thousands of machines at a time, they are free to exploit that vulnerability, download malware from the internet, and start the process of data or network compromise.

Remember: attackers are usually financially motivated.

Attackers will either encrypt your data so you cannot read it (ransomware), bringing all business activity to a halt, or steal it (data exfiltration). Either way, if you want your data back, they will try to make you pay for it or threaten to sell or publish the information they stole. Even if you do pay, recovery is not guaranteed. If the stolen data contains PHI, your ASC has a HIPAA violation on top of the grinding halt of business operations and the PR consequences of your patients finding out their PHI was stolen. For patients, this could lead to identity theft and to someone else receiving treatment under their health insurance.

Not all patches are equal.

Some patches fix bugs so a feature works properly. The most important, from my perspective, are security patches that fix vulnerabilities. Vulnerabilities are rated using the Common Vulnerability Scoring System (CVSS). The higher the number, the more severe the vulnerability (the maximum is 10, which is rated critical). The CVSS score is based on several factors, including 1) how easily a vulnerability can be exploited and 2) the potential consequences if it is exploited. The good thing about the scoring system is that it can be used much like triage when assessing a patient's treatment. Suppose you know the CVSS scores associated with the vulnerabilities in your ASC's systems. In that case, you can prioritize which vulnerabilities need to be addressed first (CVSS 9-10 as quickly as possible) and which are less urgent right now (though not to be forgotten).

Thankfully, vendors like Microsoft and Apple publish updates for operating systems, applications, and services on a regular schedule. This lets organizations plan for updates to be tested and deployed promptly. Similarly, browsers like Firefox and Chrome push updates to their software. Unfortunately, the unintended consequence of publicly publishing patches is that attackers now know there is a vulnerability they can exploit. They can quickly reverse-engineer the patch, work out how to exploit the vulnerability, and start targeting unpatched systems. At best, after a security patch is released, most organizations have only a few days (or less, if it is a zero-day exploit already in use in the wild) before the vulnerability is under active exploitation.

One key point that is often overlooked is that most security patches do not take effect until the device or software is restarted. This becomes a user education issue, because employees frequently put off rebooting their device: it works just the way they like it, and rebooting might change things or make relaunching applications a hassle. Unfortunately, that simple decision can leave your ASC vulnerable even though you believe everything is up to date.

As an ASC, what can you do to protect your organization and patient data? Patch early, patch often!

Like cars and surgical equipment, computing devices need maintenance, and that requires a patch management process. In sizeable corporate ASC chains, IT departments manage this. For smaller ASCs, it can be outsourced to an IT Managed Service Provider or done in-house if there are staff with the necessary time and expertise. Regardless of who performs this function, any patch management process must start by identifying all IT assets. For example:

  1. Workstations
  2. Tablets
  3. Servers
  4. Software (productivity applications, ASC software, accounting packages, web browsers, etc.)
  5. Network Storage
  6. Backup Appliances
  7. Wireless Access Points
  8. Network switches
  9. Routers
  10. Firewalls
  11. Cell Phones
  12. VoIP Phone systems
  13. Network-connected patient monitors
  14. Network-connected smart devices

The vendor must be identified for each of these devices, and automatic updating should be enabled, especially for small ASCs. Ideally, your ASC would designate a system for patch testing to make sure a patch does not break critical business functionality. Most vendors rigorously test patches before releasing them, but occasionally a patch with unintended consequences gets out. Once reported, these are pulled and replaced within a few days.

All vendors have a support page where you can find information about current updates and their installation. Alternatively, patch management systems can detect and deploy updates for you for the most commonly used operating systems and software packages. Of course, someone has to learn and manage these systems, but they do make the task easier to manage and automate.

Larger organizations with dedicated IT staff should subscribe to the Known Exploited Vulnerabilities (KEV) Catalog bulletins from CISA, the US Cybersecurity and Infrastructure Security Agency. As vulnerabilities are discovered, CISA is notified by the vendors, and your ASC can use the catalog to identify whether you have a vulnerable system and what steps to take to remediate the vulnerability.

Let me remind you: once a system has a security patch applied, REBOOT! This may mean a bit of scheduling to minimize disruptions.
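The triage the post describes, as an added example that is not HST's or the author's code: it ranks an ASC's unpatched findings by CISA KEV listing, internet exposure and CVSS score, and separately lists devices that were patched but never rebooted. The asset inventory, scores and CVE ids are constructed placeholders, and the KEV excerpt only mirrors the field names of CISA's JSON feed.

```python
"""Patch triage for an ASC asset inventory (added example, not HST's code).

Combines the signals the post describes: CISA KEV listing, CVSS score, internet
exposure, and patched-but-not-rebooted devices.  All assets, scores and CVE ids
below are constructed placeholders, not real findings.
"""
from dataclasses import dataclass

# Constructed excerpt in the shape of the CISA KEV JSON feed (only the fields used here).
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-EXAMPLE1", "product": "ExampleFirewall", "dueDate": "2022-12-01"},
]}

@dataclass
class Asset:
    name: str
    product: str
    cves: dict                    # unpatched findings: placeholder CVE id -> CVSS base score
    internet_facing: bool = False
    reboot_pending: bool = False  # patch installed but device not yet restarted

def severity(score):
    """Qualitative CVSS v3 rating for a base score in 0.0-10.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

def triage(assets, kev_feed=KEV_FEED):
    """Rank unpatched findings: KEV-listed first, then internet-facing, then by CVSS."""
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    findings = [{"asset": a.name, "cve": cve, "cvss": score, "severity": severity(score),
                 "kev": cve in kev_ids, "exposed": a.internet_facing}
                for a in assets for cve, score in a.cves.items()]
    findings.sort(key=lambda f: (f["kev"], f["exposed"], f["cvss"]), reverse=True)
    return findings

def reboot_backlog(assets):
    """Devices that were patched but never rebooted, so the fix is not yet active."""
    return [a.name for a in assets if a.reboot_pending]

SAMPLE_ASSETS = [  # constructed inventory
    Asset("fw-edge-01", "ExampleFirewall", {"CVE-0000-EXAMPLE1": 8.8}, internet_facing=True),
    Asset("ws-frontdesk-03", "ExampleOS", {"CVE-0000-EXAMPLE2": 9.8}, reboot_pending=True),
    Asset("nas-backup-01", "ExampleNAS", {"CVE-0000-EXAMPLE3": 5.3}),
]
```

Note that the KEV-listed firewall outranks the workstation's 9.8 finding: a vulnerability known to be exploited in the wild on an internet-facing device comes before a higher CVSS score on an internal machine.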

A final word of caution: all the patches in the world will not protect your ASC from a misconfigured device. Follow the vendor's best practices to secure the device, and never expose management consoles or portals to the internet; keep them on the internal network only.

Be Vigilant. Stay safe.
