Jared M. Bruce

HHS Advises Health Care Entities Immediately Patch Operating System Vulnerabilities

January 29, 2020

On Jan. 15, 2019, the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) shared a bulletin published by the Office of the Assistant Secretary for Preparedness and Response, Critical Infrastructure Protection Public-Private Partnership (ASPR CIP) regarding a number of vulnerabilities identified in Microsoft Windows operating systems, which, if not addressed, pose a significant threat to the environment.

On Jan. 14, 2020, Microsoft released a security software patch to mitigate these vulnerabilities in supported Windows operating systems. Microsoft’s security software update guide is available here.

Subsequently, the federal Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. Some of the vulnerabilities could enable a remote attacker to decrypt, modify, or inject data on user connections. Due to the seriousness of these vulnerabilities, ASPR CIP strongly recommends all health care and public sector entities also consider patching their environment as soon as possible. This recommendation is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the sector and high potential for a compromise of integrity and confidentiality of information.

The full CISA alert is available here.

If you have any questions regarding this bulletin published by HHS-OCR or other health care cybersecurity concerns, please contact your Dinsmore health care attorney.