We talk to our partner-clients about the dangers of complacency and how the HIPAA Security Rule represents only the most basic (but important) administrative, physical and technical security controls. For example, HIPAA doesn't tell us to perform whitelisting, to implement 802.1X authentication (or even multi-factor authentication), or to set password parameters (the password citation is administrative and addresses training).
We read this morning about Microsoft's monthly patch and how one vulnerability being addressed, in http.sys, is a worm. For those less familiar with malware, a worm traditionally does not need a user to spread its payload from one computer to another. Worms, once installed, look for other vulnerable assets and spread themselves. Through the lens of a consultant working in the HIPAA space, this specific worm attack is probably a negligible risk to most organizations, as it requires a criminal with technical knowledge to craft network packets to exploit a computer, and the target server is traditionally (i.e. by default) not configured to be vulnerable to this attack.
So why the post? One, to remind everyone to keep patching their systems to stay ahead of the bad guys and their malware. Two, to note that criminals continue to refine their attacks to the point that only a single system needs to be infected before the entire network is under attack. Lastly, we encourage our healthcare community information services staff to adopt and follow a cybersecurity framework (CSF). Examples of such frameworks include the SANS Critical 20, NIST SP 800-53 and others.
Stay (HIPAA) safe, Alan -