Healthcare and public health sector partners were advised by the Department of Health and Human Services (DHHS) about a cyber vulnerability in certain Microsoft products. Two reports were released by Microsoft and DHHS this week addressing multiple vulnerabilities in Microsoft products, including the Windows operating system, and a threat from a group DHHS labeled “Hidden Cobra”.
Both reports relate to the same type of vulnerability that allowed the WannaCry ransomware to spread. Importantly, simply installing the Microsoft patches will not necessarily protect against “Hidden Cobra”, since the group does not exploit a single vulnerability but uses a wide range of vulnerabilities. According to DHHS, “Hidden Cobra” targets the media, aerospace, financial, and critical infrastructure sectors in the United States, as well as globally. DHHS anticipates that “Hidden Cobra” will also target healthcare and public health sector systems and devices in the U.S.
DHHS encourages you to review the “HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC) Microsoft Vulnerabilities & Hidden Cobra 101 Report, June 15, 2017” for technical information and resources to support your efforts in mitigating this threat. Also, if users or administrators detect the custom tools indicative of “Hidden Cobra”, these tools should be immediately flagged, reported to the Department of Homeland Security National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given the highest priority for enhanced mitigation. (See Alert TA17-164A.)
If your organization has not undergone a risk assessment in the past year, you are encouraged to consider undertaking one at this time to evaluate your organization’s potential privacy and cyber vulnerability. To assist you, we have a Free HIPAA Risk Assessment tool available on our website. While not a comprehensive risk assessment, our online risk assessment tool can be completed in less than 30 minutes and will provide you with immediate access to a Compliance Evaluation Report to assist you in identifying where your organization may be at risk so that you might consider what additional action is required.
Let us know how we might help!