NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

19073625On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock.  By Thursday, September 25, 2014, cyber security experts were confirming the cyber vulnerability threat for users of UNIX and Linux based systems, including MAC IO X.  The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale. Click here for the NIST alert. 

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices.  HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems.  The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to Fierce HealthHIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.”  HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014.  The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from UK has produced a 4-minute You Tube video trying to do just that.  We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video:  “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.”  If you want a more technical description of BASH, see the article published by Troy Hunt, Software architect and Microsoft MVP, on his blog at or click here.

Healthcare CIOs: Check for vulnerability of OpenSSL servers to Heartbleed

HeartbleedBugUpdated April 13, 2014 at 6:30 pm

CYBER RISK ALERT!  Just when we thought we were safe online while using websites that display the key security “https” in the URL, we learn that nothing could be further from reality.  On April 7, 2014, security researchers at Codenomicon announced the discovery of a flaw in the OpenSSL (security socket layer) that is used in an estimated two-thirds of the servers that support websites displaying the “https” letters that we have come to trust.  Based on the back-end technology of OpenSSL, which involves what is called a “heartbeat” extension and a leakage of data from the server, this new cyber liability threat has been dubbed Heartbleed.

Vulnerability of HIT and Compliance with HIPAA.  Although the OpenSSL flaw’s name has no direct connection to health information technology (HIT), it ironically could be a pain for health care providers. Continue reading