Hold off on updating to the current Mac operating system.
A major security flaw in the latest version of macOS, High Sierra, allows users to log in without proper credentials.
This flaw could affect the confidentiality of personal and patient information, including the disclosure of protected health information (PHI). By entering only the username “root” with no password, any user, authorized or not, can log in and make changes at the administrator level. This also allows changes to critical server data if permissions are granted to the authorized user. Administrator privileges would also allow the user to open, edit, create or download information stored on this previously secure computer. Besides the lost equipment and personal information stored, this could cost rural health practices HIPAA violation fines due to a PHI breach.
What should you do if you have already updated to the latest version of macOS?
More than 1 million computers nationwide are stolen every year, so physical security is an important factor. This security hole usually requires physical access to the machine. The best way to prevent unauthorized access is to always keep the machine in a secured area accessible only to the intended user.
Apple is aware of this situation. Below is the company’s statement as of Nov. 29, 2017:
“We are working on a software update to address this issue,” an Apple spokesperson said. “In the meantime, setting a root password prevents unauthorized access to your Mac. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Always ensure there are no bugs or security issues in the intended upgrade before proceeding to a newer version of a system. If the update was installed before the upgrade's issues were known, ensure the latest patch is installed to prevent any unauthorized access. If you’re a KRHIO client, we can assist with ensuring proper security measures are taken and answer any questions.