Just when we thought the WannaCry risk was in the rearview mirror, a new threat emerged. If you are wondering whether you should be concerned, or if you need to do something more, the answers are “yes” and “yes”. As we’ve reported before, always update your software and install patches provided by the software provider. As with WannaCry, the new threat exploits weaknesses in Microsoft products.
Information from the Department of Health and Human Services follows:
Two reports were released by Microsoft and the U.S. Department of Homeland Security (DHS) (last) week about multiple vulnerabilities with Microsoft products, including the Windows operating system, and a threat by a group DHS labels as “Hidden Cobra”. Both relate to the same type of vulnerability that allowed WannaCry to spread. Importantly, simply installing the Microsoft patches will not necessarily protect against “Hidden Cobra” since they use a wide range of vulnerabilities. DHS states “Hidden Cobra” targets are “...the media, aerospace, financial, and critical infrastructure sectors in the United States and globally”, so targeting of the Healthcare and Public Health sector systems and devices in the U.S. is possible.
Your IT staff is likely aware of the technical side, but if you are an office manager or compliance staff, you can do more by maintaining HIPAA policies and procedures. Together with IT staff, be sure to complete your annual Risk Analysis, follow your Risk Management Plan and conduct Workforce Training keep your organization safe and information secure. Stay in touch with IT staff and immediately report to them anything that seems wrong. The strongest defense against cyber threats, including ransomware, is a full HIPAA compliance program that includes a contingency plan. Everything you need is in The HIPAA E-Tool®