Health Care is always a highest target, please highly consider this message from the Federal HHS Office of Civil Rights. Patches will be required as it is currently a big vulnerability and we want you all to be protected. Here is the information we are passing on to you:
January 15, 2020
Cyber Notice: Emergency Directive to Mitigate Windows Vulnerabilities
OCR is sharing the following update from the HHS Critical Infrastructure Protection Public-Private Partnership
Healthcare and Public Health Sector
Emergency Directive to Mitigate Windows Vulnerabilities
January 14, 2020
This email has been prepared by the HHS ASPR Division of Critical Infrastructure Protection (CIP).
If you observe or experience any impacts to critical infrastructure due to the incident, or have a request for information, please email us at CIP@hhs.gov
The purpose of this bulletin is to notify you of a number vulnerabilities identified in Microsoft Windows operating systems which if not addressed, pose significant threat to the environment. On January 14, 2020, Microsoft released a software patch to mitigate these vulnerabilities in supported Windows operating systems. Subsequently, The Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. Some of the vulnerabilities could enable a remote attacker to decrypt, modify, or inject data on user connections DHS has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and as a result has issued an emergency directives to all Federal agencies to patch their environment immediately. Due to the seriousness of these vulnerabilities, ASPR CIP strongly recommends that all HPH entities also consider patching their environment as soon as possible. This recommendation is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the sector and high potential for a compromise of integrity and confidentiality of information.
Upcoming CISA Call and Additional Resources
The Cybersecurity and Infrastructure Security Agency (CISA) has scheduled a call for Wednesday 1/15 at 2:15 PM ET. This call is targeted at Chief Information Officers/Chief Information Security Officers. Sector Coordinating Councils/Information Sharing Analysis Centers etc.
Additionally, the following resources can be used for more information:
- Activity Alert AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems
- Emergency Directive 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
- CISA Blog: Windows Vulnerabilities That Require Immediate Attention
- National Security Agency Cybersecurity Advisory
Customer support service by UserEcho