Software vulnerabilities pose a growing threat to healthcare organizations and their customers. In 2021, and publicly reported, compared to 23,269 in 2020. Exploitation of these vulnerabilities can have significant impacts on healthcare organizations, including the breach of patient data, infection by ransomware or other malware, interruptions to clinical care or other disruptions to an organization’s business. Remediating vulnerabilities before exploitation is essential to managing risk to healthcare organizations and their customers.
A vulnerability remediation strategy should include these 4 steps:
1. Identification of Software Vulnerabilities
An organization needs to know that vulnerabilities exist before they can be patched. Some methods that companies should employ to find software vulnerabilities include:
- Scanning: Vulnerability scanners identify known vulnerabilities in applications based on signatures and Common Vulnerabilities and Exposures (CVE) records. Running a vulnerability scanner from both inside and outside the corporate network perimeter provides visibility into an organization’s digital attack surface.
- Testing: Not all vulnerabilities are recorded in CVEs, especially not for code developed in-house. Performing regular testing using static and dynamic application security testing (SAST/DAST) and similar solutions can help with identification of these vulnerabilities.
- Software Composition Analysis (SCA): SCA testing identifies the libraries and other third-party code used within an organization’s applications. Insight into these dependencies is critical to identifying and addressing any vulnerabilities that they contain.
2. Prioritization of Software Vulnerabilities
Vulnerabilities in software are common, and, in many cases, the effort required to address all of them exceeds an organization’s available resources. Time and effort devoted to patch management are not spent on other tasks, which may be more important and valuable to the organization.
When determining which vulnerabilities to address and in which order to do so, an organization should consider a few different factors, including:
- Severity: Different vulnerabilities can have varying impacts on the organization if exploited. Consider both the impact of the vulnerability and the affected systems to determine the severity of a vulnerability. For example, a moderate vulnerability on a critical system may have a greater impact than a critical issue affecting a single employee’s workstation.
- Exploitability: Some vulnerabilities are easier to exploit than others. For example, a vulnerability in a public-facing web application is more likely to be exploited than one that requires privileged access to an organization’s internal systems.
- Probability: Not every vulnerability is actively targeted by threat actors, so vulnerabilities for which an exploit is known to exist and be actively used should be prioritized. For example, the Zerologon and Log4j vulnerabilities required urgent patches due to active exploitation by threat actors.
Based on these factors, an organization can determine the risk that each vulnerability poses to the organization. This risk can be used to determine the order in which vulnerabilities should be addressed and to identify those for which remediation does not provide sufficient return on investment.
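As an added illustration of combining the three factors above into a single ranking (example code written for this post, not from the original article), the scorer below ranks a constructed set of findings and defers those under a risk threshold; the weights, placeholder identifiers and threshold are assumptions:

```python
from dataclasses import dataclass

# Weights are assumptions chosen for illustration, not values from the post.
ASSET_CRITICALITY = {"critical": 1.0, "high": 0.8, "moderate": 0.6, "low": 0.3}
EXPOSURE = {"internet_facing": 1.0, "internal": 0.5, "privileged_only": 0.25}

@dataclass
class Vuln:
    vuln_id: str            # placeholder labels, not real CVE identifiers
    cvss: float             # vendor/CVSS base severity, 0.0 to 10.0
    asset_criticality: str  # how important the affected system is to the organization
    exposure: str           # how reachable the vulnerable component is (exploitability)
    actively_exploited: bool  # known in-the-wild exploitation (probability)

def risk_score(v: Vuln) -> float:
    """Severity x exploitability x probability, scaled to 0..100.
    Severity is the CVSS score weighted by asset criticality, so a moderate
    finding on a critical system can outrank a critical one on a workstation.
    """
    severity = (v.cvss / 10.0) * ASSET_CRITICALITY[v.asset_criticality]
    exploitability = EXPOSURE[v.exposure]
    probability = 1.0 if v.actively_exploited else 0.4
    return round(100 * severity * exploitability * probability, 1)

def remediation_plan(vulns, accept_below: float = 5.0):
    """Rank findings by risk; those under the threshold are deferred as not
    worth the remediation effort right now (still tracked, not forgotten)."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    act = [v for v in ranked if risk_score(v) >= accept_below]
    defer = [v for v in ranked if risk_score(v) < accept_below]
    return act, defer

# Constructed sample findings for demonstration.
SAMPLE = [
    Vuln("VULN-A", 5.5, "critical", "internet_facing", False),  # moderate, key system
    Vuln("VULN-B", 9.8, "low", "internal", False),               # critical, one workstation
    Vuln("VULN-C", 7.5, "high", "internet_facing", True),        # exploited in the wild
    Vuln("VULN-D", 4.0, "low", "privileged_only", False),
]

if __name__ == "__main__":
    act, defer = remediation_plan(SAMPLE)
    for v in act:
        print(f"patch now: {v.vuln_id} risk={risk_score(v)}")
    for v in defer:
        print(f"deferred:  {v.vuln_id} risk={risk_score(v)}")
```

With these weights the moderate finding on the critical, internet-facing system (VULN-A) ranks above the critical-severity finding on a single internal workstation (VULN-B), which is the trade-off the severity factor describes.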
3. Patch Deployment and Testing
The complexity of vulnerability remediation can vary greatly. In some cases, manufacturers provide a patch. The patch might even roll out automatically to affected systems. In others, an organization may need to fix vulnerabilities in its own code. If a fix is not possible, an organization may need to disable vulnerable functions to manage the risk.
In all cases, thoroughly test patches before deployment. This ensures that the update actually fixes the issue and does not create additional problems for the organization.
4. Ongoing Monitoring of Vulnerabilities
While updates are tested before deployment, this doesn’t guarantee that they do their jobs perfectly. Multiple examples exist of threat actors exploiting vulnerabilities that remained after or were introduced by updates designed to close a security hole.
Ongoing monitoring provides an organization with insight into these potential issues. Rescan the environment after patches have been implemented to ensure any and all vulnerability remediation has been successful.
This blog borrows from a post originally published by our sister company, MorganFranklin Consulting.