Data security has become a top priority for healthcare organizations, and its importance was reinforced earlier this month when computers around the world were infected by WannaCry, the largest ransomware attack in history. WannaCry, also known as WannaCrypt, is a type of trojan virus that targets Microsoft Windows systems and holds the infected computer hostage until the victim pays a ransom to regain access to their files.
WannaCry was discovered on May 12 in the U.K. and swiftly spread to an estimated 57,000 computers. The virus proliferated quickly and within days, hit more than 200,000 victims from 150 countries, disrupting healthcare systems, banks, schools and major businesses.
Although this recent incident may be stymied, ransomware attacks are on the rise. According to cybersecurity firm Symantec, ransomware attacks jumped by more than one-third to over 483,800 incidents in 2016. BioIQ’s Chief Information Officer Wes Rhea explains what you need to know about the most recent ransomware attack and why healthcare organizations should consider it a wake-up call to bolster security efforts.
What exactly does WannaCry do?
Once the virus infects a computer, it encrypts all of the data, making it inaccessible to the user. Then the program displays a screen demanding the user pay a ransom of up to $300 in Bitcoin to get access back. Typically, the price increases over time until the end of a countdown, when the files are destroyed. If the user pays the ransom, he or she will receive a decryption key, enabling them to access their files again. However, even after payment is made, the ransomware doesn’t automatically release the computer and decrypt the files, according to security researchers. Symantec’s technical director recommends victims save their money and rebuild their affected computers because the odds of getting back decrypted files are very small.
Who’s at risk?
Both corporations and consumers who have not recently updated their Windows PCs are at risk. The attack exploits a vulnerability in older Windows operating systems: Windows 8, Windows XP and Windows Server 2003. WannaCry travels across corporate networks, spreading through file-sharing systems and making it easy for the virus to wreak havoc on companies that haven’t updated their systems. Microsoft requires Windows 10 customers to automatically update their computers, but some people with older PCs disabled automatic updates.
What organizations were affected by WannaCry?
According to Europol, the European law enforcement agency, FedEx, Nissan, electronics maker Hitachi, Spanish telecom company Telefónica, and the United Kingdom’s National Health Service (NHS) were among the victims. The attack crippled hundreds of the UK’s clinics and several hospitals. Patients were turned away, surgeries were delayed and patient monitoring systems were inaccessible. Healthcare organizations in the U.S. were largely spared, but the WannaCry attack is not likely to be the last of its kind.
Will WannaCry make a resurgence?
Experts say the spread of the original virus has been thwarted by a security researcher in the U.K. However, hackers have created copycat versions of the virus that cyber security organizations are currently trying to stop.
Why are healthcare organizations often targets in ransomware attacks?
Many healthcare organizations still operate devices that use older, unsupported Microsoft operating systems. Hackers often target healthcare providers in particular because medical information can be sold and healthcare organizations may be more willing to pay a ransom to access crucial patient data and medical information.
What steps can be taken to prevent your machine from being infected by WannaCry?
If you’re running a Windows-powered PC, make sure all your software is up to date. Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems, so even people with older computers should update them. As always, don’t open suspicious emails, click on links you don’t know or open any files you weren’t expecting. Extortionists tricked victims into opening spam emails that appeared to contain invoices, security warnings and other legitimate files.
Should healthcare organizations take any special steps to mitigate risk?
The National Health Information Sharing and Analysis Center advises that healthcare organizations take these steps:
- Issue a companywide communication putting all staff on high alert
- Ensure all patches are up to date. Microsoft has patches available for all versions of its operating system dating back to Microsoft XP
- Prevent delivery and download of .exe attachments, both direct and contained inside zip files
- Ensure SMB is not permitted into your environment from external sources (disable ports 139 and especially 445), paying particular attention to third-party VPN connections
- Apply anti-virus patches provided since May 12
- Detect/block known hashes
- Block attempts to communicate to unauthorized and new domains
- Review the list of IP hits against the sinkholed domain, keeping in mind that some positive hits might be from your own security team
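The attachment step in the list above is the one most often implemented incompletely, because a filter that only looks at the outer file name misses an .exe packed inside a zip, or inside a zip within a zip. The following is an added example, not code from NH-ISAC or from this article. The function names, the depth and size limits, and the policy of blocking anything that cannot be inspected are assumptions made for illustration.

```python
import io
import zipfile
BLOCKED_EXT = (".exe",)            # extension named in the advice above
MAX_DEPTH = 3                      # assumption: deepest archive nesting we unpack
MAX_MEMBER_BYTES = 20 * 1024**2    # assumption: per-member cap against zip bombs

def find_blocked(filename, data, depth=0):
    """Return the paths ("outer!inner") that should get the message blocked."""
    hits = []
    # Windows ignores trailing dots and spaces, so "a.exe." still runs as a.exe.
    if filename.lower().rstrip(". ").endswith(BLOCKED_EXT):
        hits.append(filename)
    # Decide by content, not by name: a renamed archive is still an archive.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    if depth >= MAX_DEPTH:
        return hits + [filename + " <nesting too deep>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits + [filename + " <malformed archive>"]
    with zf:
        for info in zf.infolist():
            inner = filename + "!" + info.filename
            # Encrypted or oversized members cannot be inspected; treat as blocked.
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                hits.append(inner + " <uninspectable>")
                continue
            hits.extend(find_blocked(inner, zf.read(info), depth + 1))
    return hits

def make_zip(members):  # builds an in-memory zip from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def demo():  # constructed attachments only; the "exe" bytes are placeholders
    inner = make_zip({"Invoice.PDF.exe": b"MZ constructed placeholder"})
    outer = make_zip({"readme.txt": b"hello", "docs/scan.zip": inner})
    return {
        "direct": find_blocked("update.exe", b"MZ constructed placeholder"),
        "nested": find_blocked("invoice.zip", outer),
        "clean": find_blocked("notes.zip", make_zip({"a.txt": b"ok"})),
    }

if __name__ == "__main__":
    print(demo())
```

An empty result means the attachment passed this check; any entry in the list is a reason to quarantine the message.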
What’s the key lesson healthcare organizations should take away from this incident?
This incident is a wake-up call for healthcare organizations, which are particularly vulnerable to security threats. The most important step toward data security and preventing future breaches begins at a fundamental level – one that ensures health data is transmitted to and from vendors, providers, health systems and patients in a safe, secure and encrypted manner. Organizations should focus on developing a mature change management and patch management process. Also, regular privacy and security training, as well as awareness communications, will go a long way. It’s very important to educate your employees on the latest virus, exploit or scam. Last but not least, don’t overlook the importance of laptop encryption and such technical controls as firewalls, intrusion prevention and detection systems.