Healthcare CIOs Face Cyber Risk: Internet Explorer Gives Hackers Total Access (Microsoft Issues Patch)

Microsoft's IE browser allows hackers to get keys for total access to otherwise secured data

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security.  While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here).  As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs.  Microsoft quickly confirmed the flaw on its Security TechCenter webpage.   Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, which have the vulnerable flaw.  This patch, which fixes the vulnerability discussed further in this article, should be immediately installed.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.”  FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons.  One is that hackers are already exploiting the vulnerability in an active “campaign.”  Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code.  This allows the hacker to download the malicious software to the user’s computer.  Once downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user.  Such access can include otherwise secure servers, databases and networks.  The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage.  Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to its networks and develop an action plan to address them.  The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors.  Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system. Continue reading