As you have been developing, updating and improving your HIPAA Security Plan, you have probably come across the term zero-day. To most IT departments this is a very common term; for the rest of us not only may it be new, but the words that come after it can sound increasingly ominous: zero-day flaw, vulnerability, threat, exploit, attack.
So what are zero-day issues, and should you be concerned?
The short answer is, yes. A zero-day security flaw is a fancy term for a security flaw within software that was previously unknown. The term zero refers to the number of days developers have to fix the flaws either by patching or advising a workaround.
The words that come after zero-day tell us what is happening:
- Zero-day threat or vulnerability means that an exploit has been identified, and hackers could use the flaw.
- Zero-day exploit or attack indicates that hackers have exploited the flaw and have used it to attack vulnerable devices.
- Critical zero-day flaw update means that developers have fixed the flaw and it is very important that you update your software immediately.
You may be more vulnerable to a zero-day flaw after a vendor has released a patch because hackers know that users and IT folks postpone updating for weeks or even years after a patch has been released. This isn’t always a conscious decision, sometimes it’s a simple case of overlooking the recommended patches.
What does this mean to you?
You obviously can’t fix something you don’t know is broken, so it’s important to update your software as you receive security notifications. Your IT department can setup your systems to automatically update, although this may cause some compatibility issues. Your IT Department may opt to do manual updates for this reason. Whatever direction you go, it’s imperative that you have a written policy on software updates, and that you enforce it.
Need help creating your HIPAA Security Policies and Procedures? Check out our solutions today!