Emergency Directive to Mitigate Windows Vulnerabilities

The Office for Civil Rights (OCR) is the entity that enforces HIPAA regulations.  In partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and the Division of Critical Infrastructure Protection (CIP), the OCR has shared a directive regarding critical Windows vulnerabilities that need to be addressed as soon as possible.  Although the directive is mandatory for Federal entities, OCR strongly recommends that all healthcare and public health sector entities also consider patching their environments as soon as they are able.

Eagle Associates highly recommends patching as soon as possible to protect your networks/devices from malware and other activity that would cause considerable disruption and expense.  We advise that you work with your IT staff/vendor to implement the patches, because healthcare entities are attractive targets for malware, due to the value and sensitive nature of PHI.  In addition, you could be the subject of investigation and enforcement action if it was found that you didn’t take reasonable steps to mitigate known risks, such as this vulnerability.

Please read the full directive for complete details, but among the vulnerabilities patched were weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client.  The vulnerabilities affect all supported versions of Windows (including Windows 10, Windows Server 2012 etc.), and other related products as follows:

  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ASP.NET Core
  • .NET Core
  • .NET Framework
  • OneDrive for Android
  • Microsoft Dynamics

You can read the directive here: https://cyber.dhs.gov/ed/20-02/

The Microsoft patch information can be found here: