OCR Cybersecurity Newsletter: Advanced Persistent Threats and Zero Day Vulnerabilities (Spring 2019)
Available at https://www.hhs.gov/sites/default/files/spring-2019-ocr-cybersecurity-newsletter.pdf
In its Spring 2019 cybersecurity newsletter, HHS’s Office for Civil Rights (OCR) highlights the dangers of advanced persistent threats (APTs) and zero day exploits. APTs are long-term cybersecurity attacks that continuously attempt to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations. The persistent nature of the attack, as well as the attacker’s ability to change tactics to avoid detection, makes APTs a formidable threat. Zero day exploits take advantage of a hardware, firmware, or software vulnerability that was previously unknown to the organization. Hackers may discover zero day exploits through their own research or probing, or they may take advantage of the lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public. The novel nature of these exploits makes them more difficult to detect and contain than standard hacking attacks. Noting that APTs that use zero day exploits are especially dangerous, the newsletter cites WannaCry ransomware (see our Checkpoint article) as an example of an APT that used zero day exploits to threaten computers and data worldwide, including those of several HIPAA covered entities and business associates in the U.S.
The newsletter notes that HIPAA security measures can be helpful in preventing, detecting, and responding to APTs and zero day exploits. Eight implementation specifications, included in HIPAA’s administrative and technical safeguards, are referenced as being especially relevant to reducing the impact of APTs and zero day attacks. For example, HIPAA-mandated risk analyses and risk-management processes can identify and mitigate risks and vulnerabilities. The newsletter concludes with links to additional cybersecurity resources.
EBIA Comment: OCR recently changed the frequency of its cybersecurity newsletters from monthly to quarterly. The newsletters rarely break new ground, but they provide important reminders for covered entities and business associates. They may also suggest significant issues that OCR has recently investigated or observed in compliance reviews, which could become enforcement priorities. For example, it is noteworthy that OCR continues its emphasis on encryption, referring in the newsletter to both data-at-rest and data-in-motion encryption. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Core Security Requirements: Administrative Safeguards”) and XXX.D (“Core Security Requirements: Technical Safeguards”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.