Healthcare patch priorities: HC3 alerts to SAP, Microsoft, Android vulnerabilities

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) issued a report detailing a range of vulnerabilities disclosed in the last month, which healthcare security leaders should prioritize given the criticality and potential impact to the sector.

Among the list of vulnerabilities disclosed in April of interest to healthcare, HC3 spotlighted key disclosures from Microsoft, Android/Google, and SAP for which patching is imperative given the risk to the enterprise and evidence of active targeting again the SAP flaws. The bulletin also includes disclosures from Apple, Cisco, Adobe, Oracle, Mozilla, SonicWall, and VMWare. 

Microsoft issued patches for 145 vulnerabilities in April, 10 ranked critical and 115 marked "important." HC3 made note of two of the most pressing to healthcare: Windows Hyper V and Windows Network File System. The file system holds two critical remote code execution flaws, but they can only be exploited on systems with the NFS role enabled.

Three critical flaws in Hyper V could enable remote code execution, and “if a threat actor is able to open a specially crafted file, followed by an application on a Hyper-V guest, then that could cause the Hyper-V host operating system to execute arbitrary code.” 

Microsoft also disclosed four wormable flaws last month, which HC3 explained could “have a significant impact if the number of vulnerable machines is high enough.” Entities should employ web application firewalls to help to mitigate this type of risk.

Healthcare vulnerabilities for Google/Android flaws

In addition, Google provided updates for Android to fix 44 vulnerabilities that include several with a critical severity ranking. The most severe flaw found in the framework component could lead to local escalation of privilege without the need for added execution privileges.

Google previously provided an update to resolve the framework flaw, as well as seven high severity vulnerabilities. Its second update last month included patches for 30 vulnerabilities in a range of components, nine of which were ranked critical and found in Qualcomm functions.

For HC3, it’s crucial for health sector employees to keep their devices updated and promptly apply patches. Industry stakeholders have long warned of the risk posed by personal devices leveraging the healthcare network, particularly those that may be compromised without the users’ knowledge.

More than 30 vulnerabilities in SAP flaws

The SAP flaws appear most complex with over 30 newly updated security notes, including those tied to the Spring4Shell vulnerability found in the Java application development framework known as Spring. A successful exploit could lead to remote code execution, and “some researchers have reported observing attempts to exploit this vulnerability in the wild.” 

Lastly, in the last month, the Cybersecurity and Infrastructure Security Agency (CISA) added 22 vulnerabilities to its Known Exploited Vulnerabilities Catalog, the running list of known security flaws with a significant risk to the federal government. The directive requires the patch of these vulnerabilities within a tight deadline to prevent exploit.

Though the mandate doesn’t extend to healthcare, HC3 is urging healthcare leaders to review the catalog of vulnerabilities and consider the prioritization of the flaws as part of ongoing risk mitigation “with special consideration to each vulnerability criticality category against the risk management posture of the organization.”

The HC3 bulletin includes necessary reference to patch management and software updates provided by the vendors, which can assist healthcare entities with prioritizing patches or setting up mitigation strategies when a patch cannot be applied in a timely manner.