How US healthcare spent the weekend protecting against WannaCry
Many U.S. healthcare systems worked through the weekend to shore up systems to avoid falling victim to a global ransomware attack that took down 20 percent of the U.K.’s National Health Service Friday.
“We immediately started an inventory of all of our workstations and servers to determine what patching would be needed,” said Darin Prill, senior director of information systems technology at Children’s Mercy Hospital in Kansas City. “All of the patching was accomplished by late Friday evening, including all legacy, older operating systems for which Microsoft made a patch available. We immediately informed our user community to continue to be vigilant with unknown or suspicious attachments.”
The hospital also ensured that all of its security tools – Palo/Wildfire, Sophos, Open DNS, etc. – were updated with the newest tools, and that its security operations center had new use-cases built for monitoring any suspicious traffic or events, Prill said.
The attack, which began Friday and so far has affected about 250,000 systems across the globe, was traced to the WannaCry ransomware, a tool that showed up in a batch of leaked hacker tools from the U.S. National Security Agency. Once a machine is infected, it locks down and prompts a user to pay up to $600 in Bitcoin to gain access back.
“User awareness is key in these situations,” he said. “Ensuring they understand the threat and the exposure and explaining in easy to understand language sets up that first line of defense. Letting them know what the ransomware looks like, and what steps to take if they encounter the virus help them help us stop the spread if an infection occurs.”
Officials at Albany Medical Center in Albany, New York also detailed a quick response to the attack.
“As with other urgent matters, our technical staff have been working since Friday to respond to what we hear from official guidance sources as well as technical releases from our vendors,” said IT security officer Kris Kusche.
“Like previous ransomware attacks, this appears to be an opportunity for the cybercriminals to make money off of compromised users and organizations. At $300 per ransom the potential payoff of even a small percentage of hundreds of thousands of compromised machines could be significant.”
HHS calls offer guidance
Shortly after the attack spread Friday, the Trump Administration directed the U.S. Department of Health and Human Services to set up conference calls with providers to update facilities on the government’s response.
According to Tressa Springmann, vice president and chief information officer at Baltimore-based LifeBridge Health, HHS held calls Friday, Saturday and Monday morning. “The one this morning had more than 2,500 participants, most of them from the healthcare community,” she said.
“If I could summarize what's been going on with this worm, and what we know – a lot of it is unconfirmed, at least in the U.S. – but literally the most aggressive mitigation is to make sure you're patching,” she said. “This has to do with a vulnerability in Windows, and as we know, not everybody has the liberty and luxury of bringing down systems and keeping up with Microsoft patching.”
Springmann said officials have spotted about 65 different variants of the ransomware.
"That means it's not just coming in through email. Lots of different ways of coming in,” she said. “There have been no decryption keys identified, so far.”
Preparation and quick response key against ransomware
These types of ramsomware attacks are serious threats, so when healthcare executives know something is imminent, they must respond as quickly as possible, said Ed Ricks, vice president and CIO at Beaufort Memorial Hospital in South Carolina.
“While our engineering team is small, we stayed engaged with the national calls and updates and quickly worked to mitigate risk as much as possible by implementing the most current Microsoft security updates, and best practices as defined by our vendor partners,” Ricks said. “This did lead to an organized but unplanned downtime for our electronic health record as we applied updates, but was the most prudent thing to do at the time.”
Barry Caplin, vice president and chief information security official at Fairview Health Services, said the system created a command center that ran through the weekend.
“We were validating that all systems are patched, updated A/V signatures and known malware hashes are in place, and that workstation, server and gateway protection tools are updated with new information as it comes out,” he said. “Additionally, healthcare organizations in this area have been communicating and sharing information.”
Patch, patch, patch clinical systems
As John Halamka, MD, CIO at Beth Israel Deaconess Medical Center in Boston, sees it, healthcare IT is always in a balance of reliability, functionality and security. And that may account for why systems are left vulnerable.
“Each time a patch is introduced, the act of changing a mission critical system impacts reliability and functionality,” he said.
“By prioritizing clinical functionality and uptime, healthcare organizations may not always have the most up-to-date software. Thus, healthcare, in general, may be more vulnerable than other industries to cyberattacks, and the scope of the impact to the NHS in the U.K. illustrates the problem."
He said that some mission-critical systems were built years ago and never migrated to today’s modern platforms. In 2017, there are still commercial products that require Windows XP for which few patches are available, he said.
In a rare move, Microsoft on Friday released a patch for XP systems to protect users from attacks, even though the company said it no longer supports that operating system.
Many of the NHS systems that were affected ran on XP.
“If you haven’t patched, then patch. If you don’t have a solid process in place for ongoing patching, then this is a great opportunity to do so,” said Caplin. “As with all security issues, this is also an opportunity to review and assure that multi-layered defenses are in place including white-listing, backups and restores, IPS, network segmentation, system hardening and asset management.”
Brickman said providers should follow guidance that the law enforcement agencies have provided since the attack, including deploying required patches and security signature updates and reinforcing safe email and internet browsing practices.
“Also key is having a team that monitors these events and proactively starts planning for remediation, which gets an organization out in front of the issue,” said Prill. “Our security operations center was already starting the inventory and use-case development early Friday morning upon first notice that the virus was hitting in Europe.”