Healthcare Patch Priorities: HC3 Alerts for SAP, Microsoft, and Android Vulnerabilities

Signs are seen at the headquarters of SAP AG, Germany’s largest software company, on January 8, 2013, in Walldorf, Germany. (Photo by Thomas Lounis/Getty Images)

The Department of Health and Human Services’ Cyber Security Coordination Center (HC3) has released a report detailing a set of vulnerabilities disclosed last month that healthcare security leaders must prioritize, given their importance and potential impact on the sector.

Among the vulnerabilities disclosed in April that are of interest to the healthcare industry, HC3 highlighted key disclosures from Microsoft, Android/Google, and SAP that need patching, given the risks to the enterprise and evidence of active targeting of SAP flaws. The newsletter also includes disclosures from Apple, Cisco, Adobe, Oracle, Mozilla, SonicWall, and VMware.

Microsoft released patches for 145 vulnerabilities in April, 10 of which are critical and 115 marked as “important”. HC3 notes two of the most pressing concerns in healthcare: Windows Hyper-V and Windows Network File System (NFS). NFS has two significant remote code execution flaws, but they can only be exploited on systems that have the NFS role enabled.

Three serious flaws in Hyper-V can enable remote code execution, and “if an actor is able to open a specially crafted file, followed by an application on a Hyper-V guest, it could cause the Hyper-V host operating system to execute random code.”

Microsoft also revealed four vulnerable flaws last month, which HC3 explained could have “a significant impact if the number of devices at risk is high enough”. Entities should use web application firewalls to help mitigate this type of risk.

Google/Android vulnerabilities affecting healthcare

In addition, Google has provided Android updates to fix 44 security vulnerabilities, including several with a critical severity rating. A more serious flaw found in a framework component could result in local privilege escalation without the need for additional execution privileges.

Google previously provided an update to resolve the framework flaw, as well as seven high-severity security vulnerabilities. Its second update last month included patches for 30 vulnerabilities in a range of components, nine of which were classified as critical and found in Qualcomm components.

For HC3, it is essential that health sector personnel keep their devices up to date and apply patches immediately. Industry stakeholders have long warned of the risks posed by personal devices that use the healthcare network, particularly those that may be hacked without users’ knowledge.

Over 30 SAP vulnerabilities

SAP flaws are more complex, with more than 30 newly updated security notes, including those related to the Spring4Shell vulnerability found in the Java application development framework known as Spring. “A successful exploit can lead to remote code execution,” and “Some researchers have reported noticing attempts to exploit this vulnerability in the wild.”

Finally, last month, the Cybersecurity and Infrastructure Security Agency (CISA) added 22 vulnerabilities to its catalog of known exploited vulnerabilities, a running list of security flaws that pose a significant risk to the federal government. The directive requires that these vulnerabilities be patched within a tight deadline to prevent exploitation.

Although the mandate does not extend to healthcare, HC3 urges healthcare leaders to review the catalog of vulnerabilities and consider prioritizing vulnerabilities as part of ongoing risk mitigation “with special consideration for each critical vulnerability category versus risk management position in an organization.”
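One way to act on that advice is to rank scanner findings by catalog membership and by whether a flaw's precondition (such as the NFS role mentioned above) is actually present on the host. The following is an added example, not part of the HC3 bulletin: the `cveID` and `dueDate` field names follow CISA's published JSON feed, while the CVE IDs, hosts, scores, and the three-tier policy are constructed placeholders and assumptions.

```python
import json
from datetime import date

# Constructed sample using the field layout of CISA's KEV JSON feed.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2022-05-16"},
  {"cveID": "CVE-0000-0003", "dueDate": "2022-05-03"}
]}
""")

# Constructed scanner findings. 'needs_role' is the server role a flaw depends
# on (None = no precondition); 'roles' is what the host really has enabled.
FINDINGS = [
    {"host": "ehr-app01", "cve": "CVE-0000-0001", "cvss": 9.8, "needs_role": None, "roles": []},
    {"host": "fs01", "cve": "CVE-0000-0002", "cvss": 9.8, "needs_role": "NFS", "roles": ["NFS"]},
    {"host": "ws17", "cve": "CVE-0000-0002", "cvss": 9.8, "needs_role": "NFS", "roles": []},
    {"host": "pacs02", "cve": "CVE-0000-0003", "cvss": 7.8, "needs_role": None, "roles": []},
    {"host": "hv01", "cve": "CVE-0000-0004", "cvss": 8.8, "needs_role": None, "roles": ["Hyper-V"]},
]

def prioritize(findings, kev_feed, today):
    """Order findings for patching and annotate each with tier/due/overdue.

    Tier 1: exposed and listed in the catalog (earliest due date first).
    Tier 2: exposed, not listed (highest CVSS first).
    Tier 3: precondition absent on this host; patch in the normal cycle.
    """
    due_by_cve = {v["cveID"]: date.fromisoformat(v["dueDate"])
                  for v in kev_feed["vulnerabilities"]}
    ranked = []
    for f in findings:
        due = due_by_cve.get(f["cve"])
        exposed = f["needs_role"] is None or f["needs_role"] in f["roles"]
        if not exposed:
            tier = 3
        elif due is not None:
            tier = 1
        else:
            tier = 2
        ranked.append({**f, "tier": tier, "due": due,
                       "overdue": tier == 1 and due < today})
    ranked.sort(key=lambda r: (r["tier"], r["due"] or date.max, -r["cvss"], r["host"]))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_FEED, date(2022, 5, 10)):
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"tier {r['tier']}  {r['host']:<10} {r['cve']}  cvss {r['cvss']}{flag}")
```

A lower CVSS score can still rank first here: catalog membership with a passed due date outranks an unlisted 9.8, and a 9.8 on a host without the required role drops to the last tier.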

The HC3 bulletin includes the necessary references to patch management guidance and vendor-provided software updates, which can assist healthcare entities in prioritizing patches or preparing mitigation strategies when a patch cannot be applied in a timely manner.
