The Importance of Being Earnest About Patching

Social Engineering is the #1 attack vector leading to cybersecurity breaches.

However, to be successful, many of these social engineering attacks rely on a simple fact: the workstation where the end user is performing their everyday job function isn’t fully “maintained.” Patching corrects bugs in software that an attacker can leverage to take control of a target system. Once one system is compromised, “lateral traversal” will compromise other systems on the network shortly after. The net result? The attacker can escalate their privilege and access or steal all the data in your environment.

Unfortunately, no user intervention or social engineering is required (ex. log4j). As many vendors (firewall, network storage, backup devices, wireless access points, phone systems, etc.) have found, merely having a device accessible from the internet makes it a target and vulnerable to a Remote Code Execution flaw (RCE). Once an attacker has detected you have a vulnerable device via automated scans that can target thousands of machines at a time, they are free to exploit that vulnerability, download malware from the internet, and start the process of data or network compromise.

Remember: the goal of the attackers is usually financially motivated.

Attackers will either encrypt your data so you cannot read it (Ransomware), bringing all business activity to a halt, or steal it (Data Exfiltration). Either way, if you want your data back, they will try to get you to pay for it or threaten to sell/publish the information they stole. Even if you do pay, it is not guaranteed to be successful. If that stolen data contains PHI, your ASC has a HIPAA violation in addition to the grinding halt of business operations and the PR consequences of your patients finding out their PHI data was stolen. For patients, this could lead to identity theft and someone else receiving treatment under their health insurance.

Not all patches are equal.

Some patches are to fix bugs so a feature will work properly. The most important, from my perspective, are security patches to fix vulnerabilities. Vulnerabilities are rated using the Common Vulnerability Scoring System (CVSS). The higher the number, the more severe the vulnerability (max is ten which is critical). The CVSS score is based upon several factors, including 1) the ease with which a vulnerability can be exploited and 2) the potential consequences of a vulnerability being exploited. The good thing about the scoring system is that it can be used similarly to when assessing a patient’s treatment. Suppose you know the CVSS scores associated with vulnerabilities in your ASCs systems. In that case, you can prioritize which vulnerabilities need to be triaged first (CVSS 9-10 as quickly as possible) and which are less imperative right now (though not to be forgotten about).

Thankfully vendors like Microsoft & Apple advertise updates for operating systems, applications, and services regularly. This has the benefit of allowing organizations to plan for updates to be tested and deployed promptly. Similarly, browser vendors like Firefox and Chrome push updates to their software. Unfortunately, the unintended consequence of publicly publishing patches is that attackers now know there is a vulnerability they can exploit. They can quickly reverse-engineer the patch, work out how to exploit the vulnerability, and start targeting unpatched systems. At best, after a security patch is released, most organizations only have a few days (or less if it is a zero-day exploit already in use in the wild) before the vulnerability will be under active exploitation.

One key point often overlooked is that the device/software needs to be restarted for most security patches to work. This now becomes a user education issue because employees frequently put off rebooting their device, as it works just the way they like it to, and rebooting might change things or be a hassle to relaunch applications. Unfortunately, that simple decision can leave your ASC vulnerable even though you believe everything should be up to date.

As an ASC, what can you do to protect your organization and patient data? Patch early, patch often!

Computing devices like cars and surgical equipment need maintenance, and a patch management process will be required. In sizeable corporate ASC chains, IT departments manage this. For smaller ASCs, this can be outsourced to an IT Managed Service Provider or done in-house if there are staff with the necessary time and expertise. Regardless of who will perform this function, any patch management process must start by identifying all IT assets. For example:

1. Workstations
2. Tablets
3. Servers
4. Software (productivity applications, ASC software, accounting packages, web browsers, etc.)
5. Network Storage
6. Backup Appliances
7. Wireless Access Points
8. Network switches
9. Routers
10. Firewalls
11. Cell Phones
12. VoIP Phone systems
13. Network-connected patient monitors
14. Network-connected smart devices

The vendor must be identified for all of these devices, and automatic updating, especially for small ASCs, should be enabled. Ideally, your ASC would designate a system for patch testing to make sure a patch doesn’t break critical business functionality. Most vendors rigorously test patches before releasing them, but occasionally, a patch with unintended consequences is released. Once reported, these are pulled and replaced within a few days.

All vendors will have a support page from where you can find information about current updates and their installation. Alternatively, patch management systems can detect and deploy updates for you for the most commonly used operating systems and software packages. Of course, someone has to learn and manage these systems, but it does make the task easier to manage & automate.

Larger organizations with dedicated IT staff should subscribe to the US Government Agency, CISA’s Known Exploited Vulnerability Catalog Bulletin. As vulnerabilities are discovered, CISA is notified by the vendors, and your ASC could use the catalog to identify if you have a vulnerable system and what steps to take to remediate the vulnerability.

Let me remind you, once a system has a security patch applied – REBOOT! This may mean a bit of scheduling to minimize disruptions.

A final word of caution: all the patches in the world will not protect your ASC from a misconfigured device. Follow the vendor’s best practices to secure the device and never expose the management consoles or portals to the internet, only the internal network.

Be Vigilant. Stay safe.