Zero-Day Attacks Threaten Healthcare Cybersecurity

November 22, 2021 - The Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief outlining risks and mitigation tactics associated with financially motivated zero-day attacks on the healthcare sector. By nature, it is impossible to eliminate zero-day attack risks, but patching systems regularly is the strongest form of defense.

The term “zero-day” indicates that there is no time between when the vulnerability is discovered by developers and when it is exploited by bad actors.

It can refer to a few different mechanisms, HC3 noted. A zero-day attack occurs when threat actors exploit a vulnerability before a patch can be developed and applied. Meanwhile, a zero-day exploit is a method that weaponizes a discovered vulnerability, and a zero-day vulnerability is an unknown flaw in a software program.

Notable zero-day attacks, regardless of industry, include a 2010 attack on an Iranian nuclear program that successfully caused centrifuges to self-destruct, and the 2021 SonicWall zero-day ransomware attack in which threat actors exploited a vulnerability and subsequently deployed FiveHands ransomware.

In August 2020, zero-day vulnerabilities in OpenClinic, a healthcare records application, exposed patient test results. Users were urged to stop using the open-source program after developers failed to respond to reports of four zero-days. The unauthorized actors were able to successfully request files containing protected health information (PHI).  

In August 2021, the zero-day vulnerability known as “PwnedPiper” impacted pneumatic tube systems used by hospitals to transport bloodwork, test samples, and medications. The attackers could exploit flaws in the control panel software, which allowed for unauthenticated and unencrypted firmware updates.

Zero-day exploits are almost always financially motivated and are incredibly valuable on the black market. In the past, only threat actors with deep pockets could use zero-day exploits, but now it is easy for any bad actor to obtain the tools and deploy sophisticated attacks.

Private sector groups such as Google’s Threat Analysis Group (TAG), Kasperksy’s Global Research & Analysis Team (GReAT), and Microsoft’s Threat Intelligence Center (MSTIC) have been continuously devoting resources to threat detection and mitigation techniques to combat zero-day vulnerabilities.

Research from Ponemon Institute indicated that it takes approximately 97 days on average to apply, test, and fully deploy patches in response to vulnerabilities. Since patching is the best defense against attacks, the delay between identifying and patching vulnerabilities can leave organizations open to attacks for an extended period of time.

This is especially difficult for the healthcare sector because medical IoT devices and legacy systems are notoriously difficult to patch.

Nonetheless, HC3 recommended that healthcare organizations “patch early, patch often, and patch completely.”

Organizations should use threat sharing resources and vulnerability disclosures to stay aware of the latest security threats and mitigate risk accordingly. In addition, healthcare entities should consider implementing a web-application firewall to review and filter incoming traffic and use runtime application self-protection (RASP) agents that can detect suspicious activity and prevent threat actors from deploying zero-days.

“Zero-day attacks can be used both to target specific, high value targets or affect wide swathes of organizations through commonly used software,” the brief explained. “Both pose substantial dangers to the [healthcare] sector.”