
HPH Sector Warned About Remote Access Software Risks

Healthcare professionals often require remote access to their networks and electronic health records, such as for providing remote patient care. While remote access tools can improve efficiency and allow secure access to data, these solutions also provide a possible entry point into healthcare networks for malicious actors, and attacks exploiting vulnerabilities in remote access solutions are on the rise.

Remote access solutions include virtual private networks (VPNs) that encrypt connections between a user’s device and internal networks; remote desktop software such as Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) that allow computers to be accessed remotely by users and IT support staff; telehealth platforms that support video conferencing; and secure messaging apps, which are used to communicate securely internally and externally. Telehealth platforms and secure messaging solutions may also integrate with EHRs. All of these solutions can improve efficiency and productivity; however, they introduce risks that need to be carefully managed.

Vulnerabilities in remote access solutions are attractive to malicious actors. By exploiting vulnerabilities, threat actors can gain a foothold in internal networks and steal sensitive data, and they can also hide their malicious activities among legitimate users of the tools. Malicious use of these tools may also not generate security alerts as it is difficult to distinguish between malicious and non-malicious use.

The Health Sector Cybersecurity and Coordination Center (HC3) has recently issued an alert about the misuse of remote access solutions and has shared best practices for hardening security if remote access tools are used. Just like any software solution, remote access tools may contain vulnerabilities that can be exploited. Due to the extent to which these tools are targeted, patching of known vulnerabilities in remote access solutions should be prioritized. Errors can also be made when configuring these solutions, and if weak passwords are set, they will be vulnerable to attack.


Threat actors often attempt to brute-force weak passwords, automating login attempts using lists of usernames and commonly used passwords until the correct combination is guessed. There have been brute force attacks against healthcare organizations using botnets, where the malware-infected devices that form the botnet are used to try different username and password combinations. Login credentials for remote access solutions are often obtained using social engineering tactics, where healthcare employees are tricked into disclosing their credentials. These attacks may be conducted via email, SMS, instant messaging services, or the telephone.

Once access to healthcare networks has been gained via remote access solutions, threat actors can conduct all manner of nefarious activities including installing malware to provide persistent access to networks, moving laterally within networks to achieve a more extensive compromise, stealing sensitive data, and deploying ransomware. The AvosLocker threat group is known to use the remote access solution AnyDesk in its attacks. AnyDesk allows the group to connect remotely, and security measures are bypassed by triggering a restart of the device in safe mode. This allows the remote access tool to be used to deploy ransomware while security functions are disabled.

Securing remote access solutions can be a challenge as mitigating remote access software risks is not as simple as reconfiguring the solutions or applying patches. In its alert, HC3 offers several recommendations for hardening security including using strong authentication with MFA, ensuring the tools are always running the latest software version, implementing network segmentation to limit the potential for lateral movement, using strong encryption, monitoring logs of remote access activity, applying the principle of least privilege, and conducting regular security awareness training to educate staff on the risks associated with remote access software, phishing, and social engineering.
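
The log monitoring recommended above can be applied to the password-guessing patterns described earlier: repeated failures from one address, failures against one account spread across many addresses (the botnet case), and a successful login that follows a burst of failures. The following is an added example, not code from HC3 or The HIPAA Journal; the log format, thresholds, and sample entries are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_FAILS_PER_SOURCE = 5         # assumed threshold: failures from one address
MAX_SOURCES_PER_USER = 4         # assumed threshold: addresses failing on one account
MIN_FAILS_BEFORE_OK = 3          # assumed threshold: failures preceding a success

# Constructed sample log; hypothetical format: time, result, user, source address.
SAMPLE_LOG = """\
2024-01-10T02:00:01 FAIL admin 203.0.113.5
2024-01-10T02:00:03 FAIL admin 203.0.113.5
2024-01-10T02:00:05 FAIL backup 203.0.113.5
2024-01-10T02:00:07 FAIL support 203.0.113.5
2024-01-10T02:00:09 FAIL support 203.0.113.5
2024-01-10T03:15:00 FAIL jdoe 198.51.100.11
2024-01-10T03:15:20 FAIL jdoe 198.51.100.42
2024-01-10T03:15:40 FAIL jdoe 192.0.2.77
2024-01-10T03:16:00 FAIL jdoe 192.0.2.130
2024-01-10T03:16:30 OK jdoe 192.0.2.130
2024-01-10T09:00:00 FAIL mlee 10.20.30.40
2024-01-10T09:00:20 OK mlee 10.20.30.40
"""

def detect(log_text):
    """Return de-duplicated (alert_type, subject) tuples in order of first occurrence."""
    by_source = defaultdict(deque)  # address -> (time, user) of recent failures
    by_user = defaultdict(deque)    # user -> (time, address) of recent failures
    alerts = []

    def flag(kind, subject):
        if (kind, subject) not in alerts:
            alerts.append((kind, subject))

    for line in log_text.strip().splitlines():
        stamp, result, user, addr = line.split()
        now = datetime.fromisoformat(stamp)
        for recent in (by_source[addr], by_user[user]):
            while recent and now - recent[0][0] > WINDOW:
                recent.popleft()             # drop failures outside the window
        if result == "FAIL":
            by_source[addr].append((now, user))
            by_user[user].append((now, addr))
            if len(by_source[addr]) >= MAX_FAILS_PER_SOURCE:
                flag("single-source", addr)  # one address guessing repeatedly
            if len({a for _, a in by_user[user]}) >= MAX_SOURCES_PER_USER:
                flag("distributed", user)    # many addresses, one account
        elif result == "OK" and len(by_user[user]) >= MIN_FAILS_BEFORE_OK:
            flag("success-after-failures", user)  # a guess may have worked
    return alerts
```

On the sample entries, the single mistyped password from mlee raises nothing, while the jdoe account is flagged twice: once for failures arriving from four addresses and again when a login succeeds immediately afterwards.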

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
