As you may be aware, a global ransomware attack, called WannaCry, started on Friday May 12, 2017 and is continuing as of today. The attack has affected 200,000 Microsoft Windows based machines in over 150 countries. The cybercriminals have focused on healthcare and financial services but have affected many other industries and individuals as well.
The attack appears to make use of sophisticated Microsoft Windows vulnerabilities that have been discovered by the NSA. These vulnerabilities have been stolen from the NSA and posted on the Internet for other cybercriminals to use. Microsoft has released a security patch for the vulnerabilities, but many companies have failed to update their systems and are now falling victim to WannaCry as a result.
The attack was temporarily stopped on Friday evening but has since continued. The good news is that the attacks appear to be slowing down as many organizations are aware of the threat and have taken steps to prevent their organizations from becoming a victim.
While the attack mostly impacted organizations outside of the US, shipping giant FedEx did report that a number of their computers were impacted by the ransomware attack. Do not be lulled into thinking that this attack is over or that it will not impact US based organizations; that is simply not the case.
For those that are not familiar with ransomware we urge you to watch the below video.
What was the impact of the attack?
Among the 200,000 machines, as many as 21 hospitals and many other medical practices in the United Kingdom (UK) were affected. Hospitals and practices were forced to close and turn patients away. According to the Plymouth Herald:
more than a dozen radiotherapy treatments did have to be postponed at the weekend – and more have had to be re-arranged today.
The Peebleshire News reports
All GPs surgeries did open, though some of them had to use pen and paper.
The Belfast Telegraph reported similar stories of disruption.
Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.
It is important to understand the full impact of a ransomware breach directed at a healthcare organization. Below are some or all of the functions that might be affected:
- Not having access to Electronic Health Records (EHRs). That means not having access to patient records, diagnoses, and history. Once an organization switches to an EHR they usually don’t have paper based records that they can refer to. It should be noted that ransomware can affect the ability for an organization to access cloud based EHRs even if the EHR is not directly involved in the attack.
- Not having access to files including Word documents, Excel spreadsheets, scanned files including Explanation of Benefits (EOBs), and files on shared drives or personal drives.
- Not having access to MRIs, Digital X-rays, Ultrasounds and other diagnostic equipment.
- Not having access to patient contact information and scheduling and not being able to lookup patient information to contact them to reschedule.
- Not having access to email or calendars.
- Not being able to use servers, desktop and laptops.
- Not being able to make or receive telephone calls.
Imagine what you would do if you could not perform any or all of the above functions because of a ransomware attack. How would you run your practice or business?
Many organizations are under the false impression that if they are doing data backups they will not be impacted by a ransomware attack. While it is absolutely critical to backup data, it is just as critical to check and validate that all the data has been backed up and that it is able to be restored.
Many organizations are shocked when they discover that critical data has not been backed up or that the backups are unreadable and thus unrecoverable.
Even if an organization has proper backups, it could take hours, days or even weeks to fully restore a network that has been encrypted with ransomware. During this time it may not be possible to access patient information or to provide healthcare services to patients.
What can you do?
While the WannaCry ransomware attack used sophisticated vulnerabilities to spread the ransomware, the way an organization is initially infected is through a simple phishing scam. Hackers still rely on an organization’s weakest security link – their employees.
Organizations need to ensure that employees are properly trained on spotting and avoiding phishing scams. Phishing emails are getting harder to spot and employees need to be trained to identify phishing emails. Training employees will go a long way to lower the chance of a ransomware attack.
Many ransomware attacks rely on security holes or vulnerabilities to spread ransomware once it makes its way into an organization. By applying security patches and eliminating vulnerabilities, you can minimize the impact of a ransomware attack. Many of the organizations that were victims in the UK were still running Windows XP. Windows XP is no longer supported by Microsoft and does not receive any security patch updates for the operating system.
Vulnerabilities Scans / Assessments are technical scans that look for missing security patches and discover vulnerabilities. By performing vulnerability scans, you can identify which machines on your network are susceptible to an attack. After a vulnerability scan, it is critical to remediate any findings and patch any security holes. Vulnerability scans are usually performed by an IT company or security company with sophisticated tools to find vulnerabilities in the operating system (Windows, Apple, etc.) and software applications such as Microsoft Word/Excel/PowerPoint/Outlook, Acrobat Reader (PDF), Flash, EHR systems and other software applications.
Security Risk Assessments
A Security Risk Assessment (SRA) is not only required by HIPAA regulations but will help identify gaps in security and suggest steps to strengthen security safeguards. Performing an SRA is considered one of the most important functions an organization can do to protect their network, patient and sensitive information.
Backup and Disaster Recover
As mentioned before, it is critical to ensure that all your data (patient and non-patient) is properly backed up. Backups should be performed at least nighty. Some backup services backup files as soon as they are created or modified. Backups should be taken offsite either manually or automatically copied to a service provider. Backups should be tested periodically to ensure that they are complete and that they can be restored.
In addition, a Disaster Recovery (DR) plan should be in place that has both the technology and process steps to recover in the event of a disaster, including a ransomware attack. Don’t just focus on the hardware and software components. Define the process your organization will perform if you are not able to access electronic patient information.
Unfortunately, this global ransomware attack will not be the last we hear about. Cybercriminals realize it is easier to hold data hostage than it is to steal and use the data. They also realize that worldwide healthcare organizations are woefully prepared to defend against ransomware attacks. This combination will lead to more ransomware attacks on healthcare organizations. These attacks will get more sophisticated and more frequent. If you do not take steps to prepare and defend against these attacks, there is a very good chance that your organization will be a ransomware victim in the future.