NSA Provides Guidance to Mitigate VPN Vulnerabilities Exploited by Hackers

In October 2020 and April 2021, the U.S. National Security Administration posted advisories regarding known vulnerabilities that Chinese and Russian hackers use to breach U.S. and other networks.

Our Observations:

  1. Many of the vulnerabilities are in Virtual Private Network (VPN) software solutions specifically designed to prevent hacking.
  2. It is interesting to note, in light of the U.S. Administration’s newly announced sanctions against Russia, that China has exploited many more vulnerabilities than Russia, according to the U.S. National Security Administration’s published vulnerabilities list (see below).
  3. In healthcare, HIPAA Covered Entities should review the material and contact their vendors for additional guidance, yet that alone may be inadequate.
    • For example, some of the vendors with impacted systems and vulnerabilities have opportunistically reported vulnerabilities in other vendors’ systems, but not in their own.
    • Specifically, Fortinet reports vulnerabilities that its “Lab” detects but has not reported a vulnerability in its own Fortinet FortiGate VPN. As of April 15, 2021, there are no 2020 or 2021 updates on Fortinet’s searchable vulnerabilities list pertaining to its own FortiGate VPN (see https://www.fortiguard.com/).
  4. For the sectors of the healthcare industry that use or disclose protected health information (PHI) and that are HIPAA Covered Entities, there are specific Administrative Safeguards designed to encourage cyclical review and revision of policies to protect against hacking and breaches of Protected Health Information (PHI). See Administrative Safeguards in this article.

I. Administrative Safeguards (See §164.308(a)(1))

The first standard under the Administrative Safeguards section is the Security Management Process. This standard requires covered entities to: “Implement policies and procedures to prevent, detect, contain and correct security violations.” The purpose of this standard is to establish the administrative processes and procedures that a covered entity will use to implement the security program in its environment.

There are four implementation specifications in the Security Management Process standard. Here are the first two:

Risk Analysis (Required)

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity,” as provided for in § 164.308(a)(1)(ii)(A).

Covered Entities’ Risk Analysis is implemented through policies and policy review, as well as through the security infrastructure itself. Known vulnerabilities should be identified in the infrastructure, policies should be revised, and technology updates or replacements should be performed to mitigate risks.

Risk Management (Required)

“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Covered Entities’ Risk Management should likewise be implemented through policies and policy review, as well as in the security infrastructure.

II. Vulnerabilities associated with Russian hacking

On April 15, 2021, the U.S. National Security Administration published known vulnerabilities that impact U.S. and Allied networks.

NSA states that users of these products should mitigate against the following known vulnerabilities, including two VPNs:

  • CVE-2018-13379 Fortinet FortiGate VPN.
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite.
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN.
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway.

III. Vulnerabilities associated with Chinese hacking

Works Cited

See https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

See https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense, and Defense Industrial Base information systems, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Michael F. Arrigo

Michael Arrigo, an expert witness, and healthcare executive, brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health I.T., and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations that provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and billing, fraud damages, and electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, malpractice, and insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. 
He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi-million-dollar investor exit by a company now merged into Axway Software S.A. (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for the top ten mortgage banks and led the Sarbanes-Oxley Act Section 302 internal controls I.T. audit for the company, supporting Section 404 of the Sarbanes-Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto-economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience.
Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol Forum, The Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by the Healthcare Financial Management Association (HFMA) and also published in Healthcare I.T. News. Mr. Arrigo serves as a member of the board of directors of a publicly traded company in the healthcare and data analytics industry, where his duties include: member, audit committee; chair, compensation committee; member, special committee.