Why Patching Windows Is So Urgent in Healthcare SectorHHS Issues Alert Calling Attention to Vulnerabilities to Fix
The Department of Health and Human Services is alerting healthcare organizations to the urgency of patching the Microsoft Windows 10 severe vulnerability revealed by the National Security Agency and dozens of other vulnerabilities disclosed by Microsoft.
Meanwhile, security researchers have started releasing "proof of concept" code to show how attackers potentially could exploit the critical Windows 10 flaw (see: Windows Vulnerability: Researchers Demonstrate Exploits).
Healthcare organizations need to take immediate action to update their Windows devices by initiating out-of-cycle patch updates if they are not configured to auto-update, says Clyde Hewitt executive advisor at security consulting firm CynergisTek. “Even if auto-updates are enabled, they may be set to delay install until a scheduled downtime. In this case, patch updates should be performed out-of-cycle, if possible.”
Former healthcare CISO Mark Johnson, a principal of the consultancy LBMC Information Security says that although healthcare entities often lag in addressing important patches, “these critical vulnerablities in Windows 10 are time sensitive, and organizations should move forward quickly.”
On Wednesday, HHS distributed an “emergency directive” from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to mitigate critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol server and client.
”On Jan. 14, Microsoft released a software patch to mitigate these vulnerabilities in supported Windows operating systems,” HHS notes. ”Due to the seriousness of these vulnerabilities, [HHS] strongly recommends that all healthcare and public health entities also consider patching their environment as soon as possible."
The recommendations are based “on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the sector and high potential for a compromise of integrity and confidentiality of information,” the HHS alert notes.
DHS says the CryptoAPI spoofing vulnerability – CVE-2020-0601 - affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. “This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus,” DHS says. “Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”
In addition, DHS says Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611 - affect Windows Server 2012 and newer.
“In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities - in the Windows Remote Desktop Client and RD Gateway Server - allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.”
’Free’ Windows 7 Support Ended
The HHS alert about the urgency of patching Windows 10 comes as Microsoft earlier this week ended free security updates and patches for its aging Windows 7 operating system, as well as Windows Server 2008 and 2008 R2 and Office 2010 (see: Windows 7: Microsoft Ceases Free Security Updates.
Organizations can still pay for so-called "extended support," but over the long term such support costs can add up, while organizations still need to pay to move to updated systems and hardware.
Hewitt of CynergistTek says he finds it ironic that Windows 7, Windows Server 2008, and 2008 R2 support ended on Jan. 14, the same day Microsoft released an emergency patch for Windows 10.
”This should serve as a wake-up call to all healthcare organizations because the next vulnerability discovered may target the end-of-life operating systems,” he says. “Implementing compensating controls might introduce significant operational impacts, such as blocking all remote access as in the case of the recent case.”
He also notes: ”Any medical device that cannot be patched would be vulnerable, but laboratory, pharmacy and radiological systems would be at a higher risk because many of these depend on an internet connection for updates or support. “
That’s why it’s so essential to upgrade operating systems to the current versions that receive automated updates from Microsoft, he stresses.
Cathie Brown, vice president of professional services at privacy and security consultancy Clearwater, says the most important thing for organizations to do immediately is to assess their systems for updated patches, including the ones just released for Windows10. "Many healthcare entities do not have a mature patching program. It’s one of the hardest parts of security because patches can be disruptive and it can be difficult to have time to test patches before moving them into production environments," she says.
"Patching today is critical to maintain and protect healthcare systems and patient information. Also, patching must be managed as a program and a priority within healthcare entities."