Dangerous CVEs Are Increasing Security Risks in the Healthcare Industry

Nov 15, 2022 | Pen Test Technical Tips

The increasing use of telemedicine, the explosion of health-based cloud apps, and innovative IoT medical devices are improving the patient care experience. However, while digitalization is enhancing the quality of care, it’s also creating exposures and vulnerabilities that elevate security and privacy risks.

According to a recent study conducted by the Ponemon Institute, nearly 90 percent of healthcare organizations had a data breach during the past two years, and 45 percent had more than five breaches within the same time period. More than 20 percent of healthcare organizations surveyed reported increased patient mortality rates after experiencing a cyberattack.

Network outages caused by cyberattacks, and medical systems held hostage by ransomware, can impair patient monitoring. Worse yet, hackers with evil intent can gain unauthorized access to patient pneumatic pumps and IV infusion tubes to administer fatal doses. Clearly, these types of malicious cyberattacks pose huge repercussions for the healthcare industry.

Publicly available exploits exist for products used every day to deliver patient care, and they introduce significant risk if left unpatched. Many of these vulnerabilities allow arbitrary code execution or privilege escalation, letting bad actors remotely access private data or change system behavior.

RidgeBot addresses a broad spectrum of cybersecurity exposures across a healthcare organization’s digital environment, and its plugin library includes CVE-2020-11022, CVE-2020-11023 and CVE-2015-9251.

Of particular concern are three Common Vulnerabilities and Exposures (CVE) entries that present significant danger to the healthcare industry. CVE is a catalog of publicly disclosed computer security flaws; it helps IT professionals prioritize and address critical vulnerabilities so that their systems stay protected.

  • CVE-2020-11022 is a cross-site scripting vulnerability in the JavaScript library jQuery, which is popular within healthcare tech stacks. Attackers exploit it by injecting a malicious script into a web page that executes in a victim’s browser once the page is viewed, typically to steal cookie-based authentication credentials.
  • CVE-2020-11023 is a flaw in jQuery in which HTML containing <option> elements from untrusted sources, when passed to one of jQuery’s DOM manipulation methods, can execute untrusted code. This vulnerability puts data confidentiality and integrity at risk.
  • CVE-2015-9251 is a disclosure identifier for a security vulnerability in jQuery before 3.0.0. Affected versions are vulnerable to cross-site scripting when a cross-domain Ajax request is performed without the dataType option, causing text and JavaScript responses to be executed.
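As an added example (not part of the original post and not RidgeBot’s own tooling), the following Python audit flags the jQuery versions referenced in a page against the three CVEs above. The "before 3.0.0" bound comes from the post; the 3.5.0 fix bound for the two 2020 CVEs is taken from the public jQuery advisories and is an assumption here, as is the constructed sample HTML.

```python
import re
from typing import List, Tuple

# Affected version ranges: inclusive lower bound, exclusive upper bound.
# CVE-2015-9251's "before 3.0.0" is stated in the post; the 3.5.0 upper bound
# for the two 2020 CVEs is assumed from the public jQuery advisories.
AFFECTED = {
    "CVE-2015-9251": ((1, 0, 0), (3, 0, 0)),
    "CVE-2020-11022": ((1, 2, 0), (3, 5, 0)),
    "CVE-2020-11023": ((1, 0, 3), (3, 5, 0)),
}

# Matches both the banner inside a bundled copy ("/*! jQuery v1.12.4 ...")
# and the conventional file name in <script src="...jquery-1.12.4.min.js">.
VERSION_RE = re.compile(r"(?:jQuery\s+v|jquery[-.])(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def find_jquery_versions(text: str) -> List[Tuple[int, ...]]:
    """Return every distinct jQuery version found in a page or script, sorted."""
    return sorted({tuple(int(n) for n in m.groups()) for m in VERSION_RE.finditer(text)})


def cves_for_version(version: Tuple[int, ...]) -> List[str]:
    """List the CVEs whose affected range contains this version."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version < hi]


def audit(text: str) -> dict:
    """Map each jQuery version found in the input to the CVEs it is exposed to."""
    return {".".join(map(str, v)): cves_for_version(v) for v in find_jquery_versions(text)}


# Constructed sample: an HTML fragment referencing three jQuery copies.
SAMPLE_HTML = """
<script src="/static/vendor/jquery-1.12.4.min.js"></script>
<script src="/static/vendor/jquery-3.5.1.min.js"></script>
<script>/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */</script>
"""

if __name__ == "__main__":
    for version, cves in audit(SAMPLE_HTML).items():
        status = ", ".join(cves) if cves else "not affected by the three CVEs"
        print(f"jQuery {version}: {status}")
```

Running it over a saved copy of a patient-portal page shows at a glance which bundled jQuery copies still need upgrading.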

It doesn’t take much imagination to see how lone wolves, hacker gangs, and nation-state or state-sponsored groups could attack a hospital, encrypt all of its files, and demand a massive ransom. Unfortunately, most healthcare organizations aren’t in a position to pay hefty ransoms or to recover all the lost data from a backup system.

Eradicate the threat of CVE exposures with automated pentesting

Security teams try to stay one step ahead of bad actors, but no matter how well defended their systems are, security protections are never perfect. The healthcare industry is considered critical infrastructure by the U.S. government, which makes it a prime target for opportunistic bad actors, as shown by the attacks of the past two years on Florida-based Broward Health, Kaiser Permanente in Washington state, Novant Health, and Shields Health Care, to name a few.

Penetration testing plays an important role in enabling healthcare organizations to identify exposures, vulnerabilities, and weaknesses in their cyber defenses. Many healthcare organizations test only annually or on an ad hoc basis, rarely testing more often, let alone continuously, often because of cost and a lack of internal expertise. Automated pentesting, however, lets them close the windows of opportunity for hackers by running a test whenever there is a network change, a configuration change, a new application release, or a new user group allocation. This reduces risk windows from months to just days or hours.

As the daily reports of breaches at organizations of all sizes show, defensive cybersecurity prevention measures don’t always work. Organizations can no longer defend themselves by reacting to breaches. Rather than a defense strategy, it’s more like saying, “punch me, I can take it”.

To catch a cybercriminal, you must think like them

RidgeBot® automated penetration testing is modeled with a collective knowledge of threats, vulnerabilities and exploits, and leverages AI-driven decision-making. Equipped with state-of-the-art ethical hacking techniques, RidgeBot acts like a real attacker, relentlessly locating, exploiting, and documenting its findings.

RidgeBot discovers known and unknown attack vectors, validates vulnerabilities, and recommends fixes before hackers find them. RidgeBot’s automated and continuous testing allows defenders to take a more proactive posture toward maintaining security across all aspects of their digital environment. RidgeBot is completely automated and can be scheduled on demand. It doesn’t require a software agent to be pre-installed on servers to validate vulnerabilities, it’s very easy to use, and it does not require highly skilled personnel.

If you are a healthcare organization, solution partner or service provider, and you would like to learn more about how RidgeBots can harden your defenses, please click here to contact us.