HITRUST issues alert on operating system vulnerability

HITRUST C3 has issued an alert that a vulnerability, Shellshock, has been discovered in Unix- and Linux-based operating systems, as well as Apple's Mac OS X, that could put them at risk of attack. The organization is asking healthcare organizations to take steps to safeguard their systems from the threat.

The vulnerability was discovered on Wednesday in Bash, a shell for evaluating and executing commands from other programs within an OS, according to HITRUST's alert. The vulnerability is triggered when Bash is starting up, and it could allow a hacker to create malicious code that would let them gain control of a compromised server.

HITRUST determined that Shellshock could be an even more serious problem than the computer bug Heartbleed--which recently enabled hackers to access the information of more than 4.5 million patients of Community Health Services.

U.S.-based Errata Security researcher Robert Graham said that someone could also use the vulnerability to deliver malware to computer systems or to develop a computer worm that infects vulnerable servers, according to the HITRUST alert.

A patch was issued but did not "fully remediate" the vulnerability, according to HITRUST.

Apple reportedly told iMore that "the vast majority of OS X users are not at risk to recently reported bash vulnerabilities."

As threats and attacks grow, so does the scrutiny the healthcare industry faces. In the wake of the CHS attack, Rep. Darrell Issa (R-Calif.) has asked that a hearing be held to examine the causes and effects of the breach.

In addition, medical records are increasingly drawing the eyes of hackers, as vulnerabilities and aging computer systems with outdated security features make access all the easier, according to a Reuters article.

Medical information is worth 10 times more than a credit card number on the black market, according to the article.

"As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit," Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC, tells Reuters.

To learn more:
- read the HITRUST alert
- check out the Reuters article