HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Serious Adobe Flash Security Vulnerability Discovered

In addition to dealing with the increased threat of Cryptowall ransomware and Stegoloader malware attacks, healthcare IT professionals must be aware of the latest software security vulnerabilities as they can all too easily cause a data breach. Adobe Flash in particular is a major security risk, with yet another serious security vulnerability discovered in the past few days.

The latest Adobe Flash security flaw has an easy fix; the company issued a patch last week to tackle the vulnerability; however any computer that does not have the latest version of the software installed is a potential attack point for hackers. This could pose a problem for multiple hospital systems with thousands of networked computers to update.

Another Adobe Flash Hacking Risk Discovered


The security vulnerability was discovered not by Adobe, but FireEye Intelligence, a cyber-security company specializing in zero-day malware and advanced security threats.

The company identified a security flaw which can be exploited by criminals to gain access to computers running Adobe Flash software. Hackers use a specially modified video file to gain access. Once the system has been compromised, attackers are able to view and copy data from the PC, and if the infected computer is networked, they can also potentially gain access to a considerable volume of healthcare data.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

FireEye says, “After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3’s command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns.” FireEye also reports that “a Chinese hacking collective known as APT3 is already exploiting the vulnerability by sending phishing emails to companies in the engineering, telecommunication and aerospace industries.”

FireEye also discovered the vulnerability can be exploited through the Magnitude exploit kit; a popular package that cybercriminals can use to put together their own malicious software without having to write their own exploits.

Healthcare Providers Must Take Action


Due to the number of security flaws already found in Adobe Flash, and the ease at which hackers can exploit the software, any computer that has not been updated in the past few months could contain multiple security vulnerabilities. Hackers could already be using the flaw to gain access to protected health information stored on computer networks.

At the present moment in time, hackers do not appear to be using the Adobe security flaw to target the healthcare industry, but a risk of attack does exist. Health IT departments should therefore take action and ensure all networked computers have had the latest version of the software installed to reduce the risk of a data breach.

The software will be updated automatically and the new patch installed, but users must accept the update. It would therefore be a wise move to issue a security bulletin to all staff asking them to install the Adobe Flash update, if it has not already been run. Computers should also be configured to block pop ups and Flash should not be set to autoplay; both settings can increase the risk of attack.


Adobe Asks Users to Find the Software Flaws


In a bizarre game of hide and seek, Adobe is asking software users to find all the software flaws that exist in Adobe’s suite of products. This may not be quite as challenging as it would seem; Adobe has been alerted to a number of security flaws this year and more will undoubtedly exist and be uncovered. This is the fourth case of zero-day malware to have affected Adobe this year.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.