Cyber Notice: Emergency Directive to Mitigate Windows Vulnerabilities

Alicia Swanson 4 years ago in Industry News/Discussion 0

Health Care is always a top target; please highly consider this message from the Federal HHS Office of Civil Rights. Patches will be required, as it is currently a big vulnerability and we want you all to be protected. Here is the information we are passing on to you:

January 15, 2020

OCR is sharing the following update from the HHS Critical Infrastructure Protection Public-Private Partnership

Healthcare and Public Health Sector

Emergency Directive to Mitigate Windows Vulnerabilities

Update #1

January 14, 2020

This email has been prepared by the HHS ASPR Division of Critical Infrastructure Protection (CIP).

If you observe or experience any impacts to critical infrastructure due to the incident, or have a request for information, please email us at CIP@hhs.gov.

The purpose of this bulletin is to notify you of a number of vulnerabilities identified in Microsoft Windows operating systems which, if not addressed, pose a significant threat to the environment. On January 14, 2020, Microsoft released a software patch to mitigate these vulnerabilities in supported Windows operating systems. Subsequently, the Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. Some of the vulnerabilities could enable a remote attacker to decrypt, modify, or inject data on user connections. DHS has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and as a result has issued an emergency directive to all Federal agencies to patch their environment immediately. Due to the seriousness of these vulnerabilities, ASPR CIP strongly recommends that all HPH entities also consider patching their environment as soon as possible. This recommendation is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the sector and high potential for a compromise of integrity and confidentiality of information.

Upcoming CISA Call and Additional Resources

The Cybersecurity and Infrastructure Security Agency (CISA) has scheduled a call for Wednesday 1/15 at 2:15 PM ET. This call is targeted at Chief Information Officers/Chief Information Security Officers, Sector Coordinating Councils/Information Sharing Analysis Centers, etc.

Additionally, the following resources can be used for more information: