HHS calls on healthcare organizations to patch Windows vulnerabilities


The Department of Health and Human Services is urging all healthcare entities to apply patches for several newly disclosed critical vulnerabilities affecting Microsoft Windows operating systems.

“This recommendation is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the sector and high potential for a compromise of integrity and confidentiality of information,” states a bulletin issued by the HHS Office of the Assistant Secretary for Preparedness and Response’s Division of Critical Infrastructure Protection.

The warning from ASPR is in response to an Emergency Directive and Activity Alert issued this week by the Cybersecurity and Infrastructure Security Agency.

“On Jan. 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement,” states the CISA alert. “Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway) and Windows Remote Desktop Client.”

According to CISA, an attacker could remotely exploit these vulnerabilities to decrypt, modify or inject data on user connections. As a result, the agency strongly recommended that organizations install critical patches as soon as possible.

CISA recommends that organizations prioritize patching by starting with mission-critical systems, internet-facing systems and networked servers, and then move on to other affected information technology once those have been addressed.

This week also marked the end of life (EOL) for the Windows 7 operating system. Microsoft ended mainstream support for Windows 7 in January 2015; the EOL phase officially began on January 14, and Microsoft will no longer offer security updates for the OS.

According to cybersecurity vendor Cynerio, almost 50 percent of all medical devices running Windows use Windows 7, putting hospitals at risk of cyberattack.
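The two practical tasks the article leaves to the reader are finding the Windows 7 hosts that will no longer receive fixes and ordering the rest of the patch work the way CISA suggests. The script below is an added example written for this page; it is not code from HHS, CISA, Microsoft or Cynerio. It assumes WinRM is enabled on the target hosts and the account has local administrator rights; the host names and role tags in the inventory are constructed placeholders, and the tier numbers simply encode the CISA ordering (mission-critical, then internet-facing, then other servers, then everything else).

```powershell
# Added example (not from the article or any of the organizations it cites).
# Flags hosts still on Windows 7 and reports each machine's most recent hotfix
# so patching can be ordered mission-critical -> internet-facing -> servers -> rest.
# Assumes WinRM/DCOM reachability and local admin rights on every host listed.

# Constructed asset inventory; a real one would come from the CMDB or AD.
$Inventory = @(
    [pscustomobject]@{ Name = 'rdgw01';  Role = 'internet-facing' }   # constructed
    [pscustomobject]@{ Name = 'ehrdb01'; Role = 'mission-critical' }  # constructed
    [pscustomobject]@{ Name = 'file01';  Role = 'server' }            # constructed
    [pscustomobject]@{ Name = 'ws-0421'; Role = 'workstation' }       # constructed
)

# Lower tier number = patch sooner. Order mirrors the CISA recommendation.
$TierOrder = @{ 'mission-critical' = 0; 'internet-facing' = 1; 'server' = 2; 'workstation' = 3 }

$Report = foreach ($asset in $Inventory) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $asset.Name -ErrorAction Stop

        # Most recently installed hotfix; some entries carry no InstalledOn date, so drop those.
        $lastFix = Get-HotFix -ComputerName $asset.Name -ErrorAction Stop |
                   Where-Object { $_.InstalledOn } |
                   Sort-Object InstalledOn -Descending |
                   Select-Object -First 1

        $tier = if ($TierOrder.ContainsKey($asset.Role)) { $TierOrder[$asset.Role] } else { 9 }

        [pscustomobject]@{
            Name       = $asset.Name
            Tier       = $tier
            Role       = $asset.Role
            OS         = $os.Caption
            Build      = $os.Version
            # Windows 7 (and Server 2008 R2) report kernel version 6.1; both left
            # extended support on Jan. 14, 2020, so no further security fixes ship.
            EndOfLife  = $os.Version -like '6.1.*'
            LastHotFix = if ($lastFix) { $lastFix.InstalledOn } else { $null }
            LastKB     = if ($lastFix) { $lastFix.HotFixID } else { 'none' }
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        Write-Warning "$($asset.Name): $($_.Exception.Message)"
    }
}

# Highest-priority tier first; within a tier, the longest-unpatched hosts first.
$Report | Sort-Object Tier, LastHotFix | Format-Table -AutoSize

# EOL hosts need a compensating control (isolation, replacement) rather than a patch.
$Report | Where-Object EndOfLife | Select-Object Name, Role, OS | Format-Table -AutoSize
```

The EOL column is the part worth acting on separately: a Windows 7 device will sort into the same priority tier as its neighbours but, after January 14, there is no update to install, so those rows become a network-segmentation or replacement list rather than a patch list.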

Cynerio CEO Leon Lerman makes the case that the Windows 7 EOL “only adds to the inherent weaknesses of hospital networks,” which must assess their vulnerabilities. To address the problem, the company is offering hospitals a complimentary risk assessment until February 14.
