Healthcare Industry – An Easy Target
Over the past few days, we’ve seen a new ransomware called WannaCry or WannaCrypt wreak havoc across the globe, infecting hundreds of large corporations, such as FedEx, Telefonica, and Britain’s National Health Service (NHS). Though the ransomware continued to infect computers at a more subdued pace, many corporations are still struggling to recover from the attack.
Security experts are advocating to immediately update computers and servers, to prevent the worm module in WannaCry from spreading across the networks, and infecting more machines. Applying the security update for MS17-010 is relatively painless for the majority of the corporations, with the exception of those in the healthcare industry. For example, some of the medical devices must remain connected to the manufacturer, making patching nearly impossible for the medical facility’s IT department.
Medical facilities and hospitals rely on computers which store data about patients, such as prior surgeries, medication, allergies, etc. When these systems become infected, the facility must assume a HIPPA breach, and has to resort to using “pen and paper” to provide care to their patients. In worst case scenarios, some facilities may be required to turn patients needing medical assistance away or risk having clinical mistakes. Multiple U.K. hospitals have reported that their radiology departments were completely knocked offline by the WannaCry ransomware outbreak. A hospital in Los Angeles, California, Hollywood Presbyterian Medical Center, recently had to pay $17,000 to regain control over its network.
Not a Target — This Time
Although WannaCry did not specifically target the healthcare industry, the issue is that many of the computers are often outdated. This is a direct result of the cost to certify medical devices being very expensive. This results in computers, often connected to the Internet, which are more vulnerable to attacks. Hackers realize that these computers are running older operating systems, such as Windows XP, and will target them to either lock down the computer until a ransom is paid, or to steal personally identifiable data (PII) from the servers to sell on the Dark Web.
The rush to push out security patches to Windows-based medical devices has already started, but the window of infection for WannaCry is nearly gone. IT administrators are at the mercy of medical device manufacturers, such as Bayer and Siemens, to push patches to their vulnerable devices.
There are a few things IT administrators should do while waiting for a patch to be deployed. IT administrators should be reviewing their security policies, to ensure they are doing everything they can to protect their networks. They need to put into place disaster recovery processes, which should include backing up critical data, testing the backups, assigning responsibility to personnel for backing up data and restoring systems, determining the projected downtime if systems were to be infected, and how the company would operate if forced offline.
Application whitelisting software, such as PC Matic Pro, should be installed on all Windows computers, including the medical devices. Application whitelisting utilizes a whitelist, instead of a blacklist, to allow or deny software from running. These products prevent malware from running on the computer, due to their “default-deny” setting. If the application is not on the whitelist, it is unable to execute.
The healthcare industry is one of the few industries, which without operational computers, is virtually dead. They cannot limp along such as schools or law enforcement agencies, in the event of a malware attack. Security measures must be put into place before another attack happens. As the recent
WannaCry wave has shown, malware can negatively impacted human life.
