Getty Images/iStockphoto

What is a Zero-Day Attack, How Can Healthcare Defend Against Them?

Zero-day attacks pose significant dangers to the healthcare sector, but defenders can mitigate risk by patching early and often.

Defending against zero-day attacks is difficult – by nature, threat actors committing zero-day attacks are taking advantage of unknown or unpatched vulnerabilities.

Understanding the nature of these attacks, as well as the threats they pose to the healthcare sector, can help network defenders safeguard healthcare organizations from this type of cyberattack.

What is a Zero-Day Attack, Vulnerability, and Exploit?

The National Institute of Standards and Technology (NIST) defines a zero-day attack as “an attack that exploits a previously unknown hardware, firmware, or software vulnerability.”

Expanded upon by TechTarget reporters, a zero-day is a security flaw that is unknown to defenders but exploited by threat actors. A zero-day vulnerability refers to the flaw itself, while a zero-day exploit refers to the method that threat actors use to take advantage of the vulnerability (which is typically malware).

As such, a zero-day attack means that there were zero days between the time the vulnerability was discovered and when it was exploited.

The HHS Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief about zero-day attacks in November 2021, exploring the threats that these attacks pose to healthcare amid an already complex and dynamic threat landscape.

“Zero-day attacks can be used both to target specific, high value targets or affect wide swathes of organizations through commonly used software,” HC3 noted. “Both pose substantial dangers to the HPH sector.”

HC3 highlighted some notable zero-day attacks waged against the healthcare sector in recent years, including an instance in August 2020 when zero-day vulnerabilities in OpenClinic, a healthcare records application, exposed patient test results.

The app developers were unresponsive to requests for patches for the four zero-day vulnerabilities, forcing users to stop using the program.

In August 2021, threat actors discovered the zero-day vulnerability known as PwnedPiper, which impacted “pneumatic tube systems used by hospitals to transport medication, bloodwork, and test samples.”

According to research by Armis, these pneumatic tube systems were used by more than 80 percent of hospitals in North America at the time, and in more than 3,000 hospitals worldwide. The vulnerability enabled attackers to exploit flaws in the control panel software and leverage hard-coded credentials to gain network access.

“The most effective mitigation for zero-day attacks is patching, which can be difficult on medical IOT or legacy systems,” HC3 added.

HC3 noted that it takes an average of 97 days to apply, test, and fully deploy patches. But healthcare organizations do not have the luxury of waiting months to patch critical systems. What’s more, cyberattacks can lead to data breaches, lengthy recovery periods, and even risks to patient safety.

As a result, healthcare entities must do everything in their power to mitigate the risks of zero-day attacks internally, which is a difficult task.

Mitigating Risks of Zero-Day Attacks In Healthcare

“Mitigating zero-day attacks completely is not possible – by nature, they are novel and unexpected attack vectors,” HC3 noted.

However, there are still proactive steps that healthcare organizations can take to mitigate risk to some extent. Keeping an eye on the latest threats, by leveraging HC3’s resources and other government guidance can help organizations keep a pulse on the latest exploits going around.

In addition, HC3 recommended implementing a web-application firewall to review incoming traffic and filter out malicious input. Additionally, runtime application self-protection (RASP) agents that sit inside an applications’ runtime can detect suspicious behavior and potentially stop threat actors from executing zero-day attacks.

In a blog post on zero-day attacks in healthcare by Paubox, a software company that offers HIPAA-compliant email services, experts also stressed the importance of network segmentation in reducing risk.

“Segregate networks and data to limit the potential spread of attacks in case of a breach,” the post stated. “Organizations should make sure to implement strong access controls between network segments.”

In addition, Paubox recommended leveraging technologies such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Security Information and Event Management (SIEM) Systems to monitor network traffic and centralize log data.  

“Take a proactive approach to avoid having to react to a bad situation in progress. You and your staff should always be vigilant and aware. The extra time you take to implement security and otherwise address potential problems is well worth the effort,” the blog post continued.

“Being prepared is undoubtedly the preferred approach versus scrambling to find and restore precious information, alerting people of a data breach, and potentially losing the trust and business of clients.”

Next Steps

Dig Deeper on Cybersecurity strategies