
New CISA PrintNightmare Order Spurs Health IT Security Concern

The CISA alert directs agencies to stop service and deploy a fix to resolve PrintNightmare, and the health IT sector is responding.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive on PrintNightmare on July 13th, raising concerns for health IT security leaders.

The Emergency Directive alerts all US civilian agencies, including the health IT security sector, to immediately stop service to their Microsoft Windows print spooler and deploy a fix.  

The Microsoft print spooler service vulnerability, nicknamed PrintNightmare, is “being actively exploited,” the CISA alert states.

An attacker could “take control of an affected system,” CISA stated in a previous alert.  

Now, CISA is advising all federal civilian agencies “to immediately disable the print spooler service on Microsoft Active Directory Domain Controllers, apply the Microsoft July 2021 cumulative updates, and make additional configuration changes to all Microsoft Windows servers and workstations within one week.”

The exploitation “of the vulnerability allows an attacker to remotely execute code with system level privileges, enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization,” the alert states.  

This emergency alert comes as a direct “response to validated active exploitations. CISA is concerned that exploitation of this vulnerability may lead to full system compromise of affected agency networks if left unmitigated.”

“Since this exploitation was identified, CISA has been engaged with Microsoft and federal civilian agencies to assess potential risk to federal agencies and critical infrastructure,” CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein said in the statement.  

“CISA’s mission is to protect the nation against cybersecurity threats, and this directive reflects our determination to require emergency action for exploitations that pose an unacceptable risk to the federal civilian enterprise. We will continue to actively monitor exploitation of this vulnerability and provide additional guidance, as appropriate.” 

The directive is for federal agencies, but CISA is encouraging both public and private sector organizations to review the alert and consider steps to mitigate any vulnerability.  

The American Hospital Association received the initial Microsoft alert July 1st and responded, noting that any cyberattack on healthcare facilities and systems would be disruptive.  

“This critical vulnerability has the potential to be highly disruptive for hospitals and health systems,” John Riggi, AHA's senior advisor for cybersecurity and risk, said in a July 2nd statement.  

However, healthcare institutions do not have the same options as other sectors.  

“Simply disabling print services in hospitals and health systems is not an option as we have already heard from multiple sources in the field,” Riggi stated. “Printing services are used for everything from printing patient identification wristbands to labels for IV medications. Continuing essential patient care services must be balanced with the potential for remote exploitation of this vulnerability.” 

On July 6th and 7th, Microsoft released updates to fix the issue.  

“Microsoft has completed the investigation and has released security updates to address this vulnerability,” the Microsoft update summary states. “Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.”  
