HHS warns of increasing zero-day attacks in healthcare

The U.S. Department of Health and Human Services (HHS) issued a cybersecurity briefing (PDF) warning health systems about the threat of “zero-day attacks.”

Zero-day attacks occur when attackers weaponize a vulnerability that is unknown to the software's developers, exploiting the flaw before the vendor has identified it or issued a patch. Those who discover such flaws often sell them to other attackers who cannot find them on their own.

These attacks are typically financially motivated, HHS said, and a single flaw in a widely used system can put millions of users at risk.

As a result, zero-day attacks not only endanger patients and their data; hospitals can also incur heavy financial burdens patching the vulnerabilities and recovering from the intrusion.

RELATED: Relentless cyberattacks are putting financial pressure on hospitals: Fitch Ratings

Zero-day attacks have become more common in recent years, and the number of zero-days exploited in the wild so far this year is more than double the 2020 count, according to trackers like the 0day project.

Perhaps the most famous zero-day attack to date is Stuxnet, the worm discovered in 2010 that exploited multiple previously unknown Windows vulnerabilities and reportedly destroyed centrifuges at Iran's Natanz uranium enrichment facility.

This past August, a set of bugs known collectively as “PwnedPiper” was disclosed in the control panel software of the pneumatic tube systems hospitals use to transport medication, bloodwork and test samples. The affected systems are installed in about 80% of North America's biggest hospitals, so exploitation could have disrupted operations across most of them.

The very nature of the attacks makes it impossible to eliminate the threat altogether: a flaw that nobody knows about cannot be patched. Defenders can only shorten the window between disclosure and remediation and limit the damage an exploited system can do in the meantime.

HHS’ advice: “Patch early, patch often, patch completely.”

The agency also recommended firewalls that inspect incoming traffic for suspicious or malformed inputs.

RELATED: 2020 offered a ‘perfect storm’ for cybercriminals with ransomware attacks costing the industry $21B

Hospitals can be hit especially hard by cyberattacks when their resources are stretched thin.

Criminals increasingly targeted healthcare organizations during the COVID-19 pandemic, when hospitals couldn’t afford downtime in their systems. A Comparitech report found that hackers collected more than $2.1 million in ransom payments from healthcare providers in 2020.

Healthcare staff should be better trained to identify potential threats, Paul Bischoff, editor of Comparitech, told Fierce Healthcare in a March interview about the report.

“Staff need to be trained to spot and avoid phishing and brush up on basic digital hygiene,” said Bischoff. “Hospital systems need to be hardened and backed up regularly so they can be quickly restored in the event of a ransomware attack.”