OCR Highlights Cybersecurity Risks of Advanced Persistent Threats and Zero Day Vulnerabilities

PUBLISHED: Apr 4, 2019
Relevant to: All Healthcare Organizations

According to the US Department of Health and Human Services Office for Civil Rights' (OCR) newly released newsletter, an advanced persistent threat (APT) is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations. APT attacks are not necessarily technologically sophisticated, but the persistent nature of the attack, as well as the attacker’s ability to change tactics to avoid detection, makes APTs a formidable threat.

APTs are especially serious threats to the health care field. Medical research information, experimental treatment testing results, and even genetic data are valuable targets for theft because of their value in driving innovation. Compromised health information can be used for identity theft. Also, because an individual’s health information can contain details concerning the most private and personal aspects of one’s life, the compromise of one’s health information could also lead to an ability to blackmail an individual based on their sensitive health information.

Any security incident impacting the confidentiality, integrity, or availability of protected health information (PHI) can directly affect the health and safety of citizens. APTs have already been implicated in several cyberattacks on the healthcare sector in the U.S. and around the world.

Zero Day Exploits

“Zero Day” exploits or attacks take advantage of a previously unknown hardware, firmware, or software vulnerability. Hackers may discover zero day exploits by their own research or probing or may take advantage of the lag between when an exploit is discovered and when a relevant patch or anti-virus update is made available to the public.

These exploits are especially dangerous because their novel nature makes them more difficult to detect and contain than standard hacking attacks. An organization’s overall security management process, including monitoring of anti-virus or cybersecurity software for detection of suspicious files or activity, is key to preventing these attacks.

Though hackers may exploit zero day vulnerabilities to gain unauthorized access to an organization’s computer system, appropriate safeguards, including encryption and access controls, may mitigate or even prevent unauthorized access to, or loss of, protected information. Once zero day vulnerabilities are made public, this information becomes accessible to good and bad actors alike, which means entities should have measures in place to be aware of new patches and to assess the need to apply them.

In the event a timely patch is not available, or cannot be immediately implemented (such as when testing is needed to ensure that the patch works with components of an entity’s information systems), an entity may consider adopting other protective measures such as additional access controls or network access limitations to mitigate the impact of the zero day vulnerability until a patch is available.

A Dangerous Combination

APTs and zero day threats are dangerous enough by themselves. An APT using a zero day exploit can threaten computers and data all over the world. One such example is the EternalBlue exploit. EternalBlue targeted vulnerabilities in several of Microsoft’s Windows operating systems. Soon after the EternalBlue exploit became publicly known, the WannaCry ransomware was released and began spreading, eventually infecting hundreds of thousands of computers around the world. The damages due to WannaCry infections are estimated to be in the billions of dollars. Analysis of WannaCry found that it used EternalBlue to spread and infect other systems. One of the organizations most impacted was the United Kingdom’s National Health Service (NHS), which had up to 70,000 devices infected, forcing healthcare providers to turn away patients and shut down certain services. Several HIPAA covered entities and business associates in the United States were also affected by this cyberattack.

The HIPAA Security Rule requires security measures that can be helpful in preventing, detecting, and responding to cyberattacks such as those perpetrated by APTs or hackers leveraging zero day exploits. The HIPAA Security Rule includes the following security measures that can reduce the impact of an APT or zero day attack:

  • Conducting risk analyses to identify risks and vulnerabilities (See 45 CFR § 164.308(a)(1)(ii)(A));
  • Implementing a risk management process to mitigate identified risks and vulnerabilities (See 45 CFR § 164.308(a)(1)(ii)(B));
  • Regularly reviewing audit and system activity logs to identify abnormal or suspicious activity (See 45 CFR § 164.308(a)(1)(ii)(D));
  • Implementing procedures to identify and respond to security incidents (See 45 CFR § 164.308(a)(6));
  • Establishing and periodically testing contingency plans including data backup and disaster recovery plans to ensure data is backed up and recoverable (See 45 CFR § 164.308(a)(7));
  • Implementing access controls to limit access to ePHI (See 45 CFR § 164.312(a));
  • Encrypting ePHI, as appropriate, for data-at-rest and data-in-motion (See 45 CFR §§ 164.312(a)(2)(iv), (e)(2)(ii)); and
  • Implementing a security awareness and training program, including periodic security reminders and education and awareness of implemented procedures concerning malicious software protection, for all workforce members (See 45 CFR § 164.308(a)(5)).

Included with today’s notice are a selection of example policies related to the above recommendations. For additional relevant policies see MCN Healthcare’s HIPAA Guidelines Policy and Procedure Manual.
