June 6, 2020

Federal Government Issues Alert on Top Ten Cybersecurity Vulnerabilities

Robust cybersecurity remains of paramount importance as the COVID-19 outbreak develops and cybercriminals seek to exploit a largely remote workforce. Companies should therefore review their policies, procedures, and controls to confirm they address the highest areas of risk.  On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) at the U.S. Department of Homeland Security (“DHS”) issued an Alert (AA20-133A) identifying the top 10 vulnerabilities routinely exploited by foreign malicious cyber actors. The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) circulated the Alert so that healthcare organizations, which are increasingly the target of cyberattacks, can take appropriate action to reduce their risk of exploitation.

Issuance of the Alert is consistent with the trend of federal agencies keeping a close eye on cybersecurity issues this year.  Among other recent developments, the Federal Trade Commission (“FTC”) is seeking comment on whether to revise its Health Breach Notification Rule, which requires vendors of personal health records (“PHRs”) that are not covered by HIPAA to notify consumers and the FTC of breaches within 60 days.[1]  A PHR is an electronic record of an individual’s health information over which the individual controls access and through which he or she may be able to manage, track, and participate in his or her own care. Use of PHRs is growing, which likely provided the impetus for the FTC’s review.

As the Alert states, “foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets.”  The Alert goes on to explain that “exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”  The Alert was shared with the goal of having U.S. public and private sectors degrade some foreign cyber threats through increased efforts to patch systems and implement comprehensive programs to keep system patching up to date.

What Does the Alert Cover?

  • Identification of Top 10 Most Exploited Vulnerabilities 2016–2019: The Alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (“CVEs”)—to help organizations reduce the risk of these foreign threats.  The Alert identifies the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 by CVE classification.

  • Vulnerabilities Exploited in 2020: In addition to the top 10 vulnerabilities from 2016 to 2019, the Alert reports on other vulnerabilities routinely exploited by sophisticated foreign cyber actors in 2020. This includes, among others:

    • Cyber actors increasingly targeting unpatched Virtual Private Network vulnerabilities;

    • The targeting of organizations whose rapid deployment of cloud collaboration services may have led to oversights in security configuration, leaving those services vulnerable to attack; and

    • Preexisting cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—that continue to make organizations susceptible to ransomware attacks in 2020.

  • Mitigations for Vulnerabilities: The Alert provides detailed technical mitigation measures for each of the vulnerabilities identified above.

What measures can an organization take to protect itself from cyber threats?

A comprehensive cybersecurity program is essential for every organization, and particularly for entities in the healthcare industry that handle patients’ Protected Health Information (“PHI”).  Cybersecurity incidents frequently encountered in the healthcare sector range from malware that compromises the integrity of systems and the privacy of patients to distributed denial of service (“DDoS”) attacks that disrupt a facility’s ability to provide patient care.  While other sectors are vulnerable to the same attacks, in healthcare the ramifications of a cyberattack can extend well beyond loss of privacy and financial loss to patient safety.

© Copyright 2020 Squire Patton Boggs (US) LLP

About this Author

Elliot Golding, Partner, Data Privacy & Cybersecurity, Squire Patton Boggs

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively...

202-457-6407
Kristin L. Bryan, Senior Associate, Litigation (Cleveland), Squire Patton Boggs

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this capacity, she helps clients proactively manage risk by developing and implementing comprehensive privacy policies. Kristin has also represented clients in government investigations regarding their online privacy, marketing and safety practices.

216-479-8070