Healthcare rife with flash software vulnerabilities

Patch management on apps lags in healthcare, exposing security vulnerabilities, says Mike Hanley.


A software security vendor recently analyzed 250,000 mobile devices and laptops/PCs used in the healthcare industry and found half of the devices were running on outdated versions of Flash, a programming software product to create web applications.

The vendor, Duo Security, sells software to verify the identity of users and the security status of their medical devices before they access applications. Flash is particularly prevalent in healthcare where it is found in twice as many computing devices compared with Flash use in other industries, according to Mike Hanley, director of the Duo Labs research and analysis unit.



The problem is that healthcare lags other industries in adopting Flash updates, asserts Hanley. For instance, when Apple releases updates, health organizations often take more than a month to achieve a 50 percent adoption rate.

This is a significant issue, Hanley says, because having outdated versions of Flash makes the industry susceptible to vulnerabilities and malware like the Cerber or Locky ransomware strains.

Also See: 7 best practices to defend against ransomware attacks

The company offers cloud-based security services to protect against breaches, credential theft and account takeover, such as two-factor authentication in addition to users entering a username and password. In the course of its services, the vendor can see the operating version of computing devices, browser versions and plug-in versions, and notify clients of outdated applications needing a patch.

Duo’s client base covers 200 different types of applications, but Epic users are dominant among those in the healthcare industry, says Hanley.

Flash has been around for many years to support web apps, videos and interactive ads and remains prevalent on browsers, he adds. Just by itself, Microsoft’s Internet Explorer browser has had about 160 unique vulnerabilities documented each year for the past three years, Hanley contends. Microsoft in January 2016 announced it would no longer provide security updates on versions of IE older than IE 11.

“Internet Explorer 11 offers improved security, increased performance, better backward compatibility, and support for the web standards that power today’s websites and services,” Microsoft noted in a January 12 posting on its Windows for Business web site. “Microsoft encourages customers to upgrade and stay up-to-date on the latest browser for a faster, more secure browsing experience.”

More for you

Loading data for hdm_tax_topic #better-outcomes...