Understanding worm attacks

Two years after the ransomware WannaCry wreaked havoc, the threat to hospitals from worm attacks has not diminished. The BlueKeep vulnerability is the latest to raise cybersecurity fears, but is healthcare doing enough to protect itself?
By Tammy Lovell
02:42 AM

Cybersecurity experts recently warned that the CVE-2019-0708 vulnerability, dubbed BlueKeep, is a ticking time bomb that could turn into an entrance door for worm attacks. 

The flaw in the remote desktop protocol (RDP) present in Windows 7, Windows XP, Server 2003 and Server 2008 could allow a hacker to connect to a server and executive arbitrary code without user interaction.

Microsoft has warned that nearly one million computers connected to the internet are at risk and urged customers to update immediately to ensure a patch is in place. 

“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft wrote in a security notice to customers.

Axel Wirth, distinguished healthcare architect at U.S. software firm Symantec, told Healthcare IT News sister publication HIMSS Insights that although BlueKeep hasn’t been maliciously exploited yet, that shouldn’t put anyone at ease.

“This type of vulnerability, as we’ve seen with WannaCry, has the potential to do a lot of damage – mainly because of its potential to impact care delivery and shut down health services,” he warns.

Attractive target

The complexity of infrastructure and number of different devices on the network make healthcare particularly susceptible to high-impact cyberattacks, Wirth explains.

“I don’t think there is another industry with so many devices running different operating systems of varying maturity and age, integrated into one whole system. It’s a great challenge to maintain that and keep that secure,” he says. 

This challenge is amplified by complex organisational structures, which impact quick decision-making over security issues, and the need to integrate with external health networks.

The richness of patient data available, which adversaries can use and monetise for many purposes, is a big driver for attackers. Patient safety concerns put health institutions under pressure to restore operations and have in some cases led to a willingness to pay hackers.

Last year, Indianapolis health network Hancock Health paid a $55,000 ransom to regain access to computer systems after attackers injected malware and encrypted more than 1,400 files at the height of the flu season.

Lessons learned?

So, with these risks in mind, why are health institutions still slow to carry out essential security tasks like patching? 

A study by cybersecurity firm Armis found that around 40% of healthcare delivery organisations have experienced at least one WannaCry attack in the past six months, despite patches being issued for the vulnerability. 

The report attributes the problem to “old and unmanaged devices, which are difficult to patch due to operational complexities.” In healthcare organisations, medical devices are often based on outdated Windows versions and cannot be updated without complete remodeling.

“Patching is an important component of any good security programme, but there are many systems that can’t be patched easily -- for example, they may not be supported by the manufacturer,” Wirth says.

“Furthermore, you may have to synchronise your update schedule with clinical care delivery, especially if it is a complex and time-consuming process, requiring the upgrade of multiple devices at once or requiring retesting of the device.”

The NHS was particularly hard-hit by WannaCry, with the Department of Health and Social Care estimating it cost around $115 million and caused more than 19,000 appointments to be cancelled. Yet, a recent report by Imperial College London’s Institute of Global Health Innovation concluded the NHS still remains vulnerable to cyberattacks and must take urgent steps to defend against threats.

NHS Digital told HIMSS Insights it has triaged BlueKeep as a high-severity threat and distributed guidance across the health and care sector, but there is no guarantee if the advice will be implemented. 

Urgent measures

In addition to patching, Wirth says health institutions should consider their network security and architecture.

“Networks should be kept separate as much as possible, so that if one segment gets infected, it doesn’t spread and the impact is contained,” he says. It is especially important to keep business and clinical systems separate. External connections should also be minimised.

In addition, Wirth recommends addressing the “human side” of the problem. All staff should be well-trained in how to use systems, so “they’re not doing something they’re not supposed to do and also they’re able to recognise a security incident, should it occur,” he says.

This article was first published in the newest issue of HIMSS Insights, which looks at cybersecurity in healthcare. Healthcare IT News and HIMSS Insights are HIMSS Media publications.