Zero-Day Exploits — Significant Threat to Your Surgery Center's Data

Want to sound really smart around the old ASC water cooler? Mention the significant risks concerning your surgery center's data represented by zero-day exploits, and enjoy the reaction of your co-workers as they gasp in awe at your technical knowledge.

What, you don't know about the risks of zero-day exploits? Read on and you will learn how this esoteric-sounding concept can threaten both your business and clinical data. More importantly, you will learn how to keep it from becoming a problem for your ASC.

Today's software systems are incredibly complex; some contain literally millions of lines of code. All software has bugs, which the software companies correct through ongoing updates, service patches and bug fixes. This is true of any software: ASC scheduling and billing systems, common business software like word processors and spreadsheets, and operating systems themselves. Even web browsers and messaging software receive updates. Some updates add new features or improve performance, but many are necessary to fix bugs. The HIPAA Security Rule requires ASCs and other healthcare Covered Entities to keep their systems up to date, and a very important part of this is applying the latest system updates and security patches.

Most software companies roll out new features and fix bugs through a "dot-release" several times a year. That's where, for example, you upgrade from SuperSoftware 9.2 to version 9.3. But sometimes an issue is discovered that is so critical that the software company needs to release a patch or update immediately. This is most common with operating systems and web browsers. The software company (or sometimes a third party) will typically announce that an issue has been discovered, and that a software patch has already been developed and is being released.

The date that the software update is announced is known as "zero day."

The problem is that many people are so busy, or are not paying attention, that they either don't know about the software patch or don't install it. Hackers know that at least 80 percent of all PC systems are missing these new updates, so they launch an attack that takes advantage of the vulnerabilities announced in conjunction with the zero-day update.

Even if the hacker (or really an army of hackers) had no knowledge of the vulnerability beforehand, by reading the software company's zero-day announcement they can quickly reverse-engineer the issue and produce malware that takes advantage of the vulnerability.

So in the process of doing the right thing for their customers, the software companies tip off the bad guys, who then exploit the security flaw the software company has just discovered and fixed, because they know that on "zero day," and for several days thereafter, most systems will not yet have the new software patch.

As an example, imagine the following thought experiment. Let's say there are millions of garage door openers with a numeric keypad, and it is somehow discovered that if you enter the sequence 123123, for some previously unknown reason it will unlock every garage door in the country. The garage door company makes the announcement to all its customers, and it releases a fix, but in so doing they also alert all the bad guys. Now they know that starting today pretty much every garage door can be opened with this magic code. Maybe they didn't even know about the issue until they heard it from the garage door opener company.

To avoid becoming a victim of zero-day exploits, make sure you follow the HIPAA Security Rule and industry best practices, and keep your software updated and patched. This is particularly true for operating systems and web browsers, but it applies to all software in the ASC.
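The patch gap described above, worked as an added example that is not part of the article or of QSE Technologies' own tooling: a small Python script that, given a constructed vendor advisory and a constructed inventory of ASC workstations, reports which systems are still running a version older than the fix some days after the announcement. It also compares dotted version numbers numerically, because a naive string comparison would treat version 9.10 as older than 9.3 and under-report exposure.

```python
from datetime import date

# Constructed advisory and inventory for illustration only; product names and hosts are not real.
# "zero_day" follows the article's usage: the date the vendor announced the patch.
ADVISORY = {"product": "SuperSoftware", "fixed_version": "9.3", "zero_day": date(2024, 3, 5)}

INVENTORY = [
    {"host": "front-desk-1", "product": "SuperSoftware", "version": "9.2"},
    {"host": "billing-2", "product": "SuperSoftware", "version": "9.3"},
    {"host": "or-sched-1", "product": "SuperSoftware", "version": "9.10"},  # newer than 9.3 despite the string
    {"host": "admin-3", "product": "SuperSoftware", "version": "9.2.1"},
    {"host": "lab-1", "product": "OtherApp", "version": "2.0"},  # not affected by this advisory
]

# Constructed "today" for the report, one week after the announcement.
REPORT_DATE = date(2024, 3, 12)


def version_key(version, width=4):
    """Turn a dotted numeric version into a fixed-width tuple so 9.10 > 9.3 and 9.3 == 9.3.0.

    Assumes purely numeric dot-separated versions (as in the article's 9.2 -> 9.3 example).
    """
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_patched(installed, fixed):
    """True when the installed version is at or above the version that contains the fix."""
    return version_key(installed) >= version_key(fixed)


def exposure_report(inventory, advisory, today):
    """Return (unpatched hosts, percent unpatched, days since zero day) for the advisory's product."""
    affected = [h for h in inventory if h["product"] == advisory["product"]]
    unpatched = [h["host"] for h in affected if not is_patched(h["version"], advisory["fixed_version"])]
    pct = 100.0 * len(unpatched) / len(affected) if affected else 0.0
    days_open = (today - advisory["zero_day"]).days
    return unpatched, pct, days_open


if __name__ == "__main__":
    hosts, pct, days = exposure_report(INVENTORY, ADVISORY, REPORT_DATE)
    print(f"{days} days after zero day, {pct:.0f}% of {ADVISORY['product']} systems are still unpatched: {hosts}")
```

Run it against your own inventory export to see how long the window between the announcement and your last patch cycle really is.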

Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.


Read more from Marion Jenkins:

- WikiLeaks Episode Underscores Risk of Portable Media in Surgery Centers
- Voice Recognition Software: Is It NaturallySpeaking?
- Healthcare IT Systems — Ready for Prime Time?

Copyright © 2024 Becker's Healthcare. All Rights Reserved.