Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security.  While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here).  As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs.  Microsoft quickly confirmed the flaw on its Security TechCenter webpage.   Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, which have the vulnerable flaw.  This patch, which fixes the vulnerability discussed further in this article, should be immediately installed.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.”  FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons.  One is that hackers are already exploiting the vulnerability in an active “campaign.”  Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code.  This allows the hacker to download the malicious software to the user’s computer.  Once downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user.  Such access can include otherwise secure servers, databases and networks.  The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage.  Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to its networks and develop an action plan to address them.  The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors.  Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system.

           Consider Workarounds and alternative browser options.  The action plan should include, among other things, disabling vulnerable software and add-ons (e.g., Flash Player on IE before the patch), an evaluation of workarounds for the continued use of vulnerable browsers and software and whether other internet browsers are available to employees, medical staff, patients and vendors who access or exchange confidential data on the entity’s systems.  Assess the feasibility of implementing the workarounds suggested by the software vendor on devices controlled by the organization.  Microsoft and Homeland Security issued workarounds until a patch was available, but some security experts considered them too complex for the average computer user to implement on their own computers and mobile devices.  Accordingly, for an identified browser vulnerability, the organization may need to advise employees, medical staff, patients and vendors to use others browsers for remote access to the organization’s network.  If using another browser is the preferred approach, determine and recommend the browser (including the version number) that will work best with the organization’s network.  Before recommending an alternative browser, however, check for security alerts on that browser.  (For example, on April 29, 2014, only a few days after the IE bug was announced, Mozilla issued Firefox Version 29 to fix a critical vulnerability in a prior browser version that allows the installation of malicious code that required no user interaction beyond normal browsing.)

           Change Passwords.  Security experts recommend changing log-in passwords to all potentially affected access points after an internet, website or network vulnerability has been identified.  Organizations should consider implementing a mandatory password change for all authorized users before allowing continued access to the organization’s network.  Advise authorized users to select a password for the organization’s networks that is different from the password they use for personal websites.  Additionally, because of the Heartbleed issue announced on April 7, 2014, passwords used on any website vulnerable to Heartbleed before that website was patched and new certificates issued are not secure and should not be recycled.

           Safe Internet and Computer Use.  Remind those with access to your network to always use special caution when visiting websites, to avoid clicking suspicious links, or opening email messages from unfamiliar senders, regardless of what internet browser they use.

           IT Support.  The organization’s technology alerts should include help desk support.  Ensure that help desk personnel are adequately resourced and prepared to assist users in implementing suggested responsive action to a vulnerability threat.

           Cyber Security Management Plan & Continued Vigilance.  Finally, use April’s cyber security lessons to develop a written cyber security management plan that includes a procedure with steps to address the next cyber security crisis.  Set up a knowledgeable cyber security team responsible for monitoring cyber security advisories including, among others, the Homeland Security CERT website, and include an internal notification procedure when new risks are identified.  For smaller organizations, consider rotating the responsibility among members of the team to prevent cyber security risk identification fatigue ( “RIF” for those who like acronyms).  If you use a third-party vendor to manage your network, ask to see the vendor’s cyber security management plan.

There’s simply no rest for the weary healthcare CIO!