HHS' Health Sector Cybersecurity Coordination Center on Nov. 18 released a threat brief outlining the risks zero-day attacks pose on hospitals and the healthcare sector.
Six things to know:
- A zero-day attack is when hackers leverage an unknown vulnerability to launch a cyberattack. HHS said zero-day exploits can yield more than $1 million for perpetrators. From 2018-21, Zerodium's public zero-day prices have increased as much as 1,150 percent for high-end attacks.
- A marketplace for these vulnerabilities allows hackers who cannot find their own zero-day vulnerabilities to buy one from another hacker. Also, a single vulnerability can put 1 million people at risk.
- Bug bounty programs and dedicated private sector groups dedicated to finding zero-day vulnerabilities have contributed to more of them being discovered.
- HHS gave examples of how zero-day vulnerabilities can pose substantial dangers for the healthcare industry. Zero-day vulnerability "PwnedPiper" was discovered in August. It left pneumatic tube systems used by hospitals to transport medication and blood work vulnerable. If undiscovered, hackers could have exploited the flaw in its control panel software to access it.
- Healthcare records app OpenClinic had four zero-day vulnerabilities in August 2020 that were discovered; they exposed patients' test results. App developers were unresponsive, so users were urged to stop using the program.
- HHS recommends hospitals and other healthcare organizations patch vulnerabilities early and often, implement a firewall to review traffic and monitor potentially corrupt inputs.