Providers face crucial Monday as ransomware threat looms
A variety of government agencies and security firms used the weekend to disseminate information to healthcare organizations that anticipated threats from the worldwide ransomware attacks that began to surface on Friday.
Concern grew over the weekend that more computers might be infected with the ransomware malware that struck a variety of organizations around the world. For healthcare providers, the crippling attack that struck the United Kingdom’s National Health Service was most worrisome.
Late Friday afternoon and then over the weekend, federal agencies distributed alerts to provider organizations on steps to take to prevent ransomware incidents.
“The United States Computer Emergency Readiness Team (US-CERT) has received multiple reports of WannaCry ransomware infections in several countries around the world,” said an alert from the Department of Homeland Security and distributed late Friday afternoon by the Office of the National Coordinator for Health Information Technology. “Ransomware spreads easily when it encounters unpatched or outdated software. The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1).”
ONC distributed a second alert on Saturday, this time from the Department of Health and Human Services, detailing further suggested steps that providers could take to prevent issues with the ransomware assault.
“Recently, attackers have been scanning the Internet for Remote Desktop Protocol (RDP) servers open to the Internet,” the HHS advisory noted. “Once connected, an attacker can try to guess passwords for users on the system, or look for backdoors giving them access. Once in, it is just like they are logged onto the system.”
The advisory suggested the following steps for providers to raise their security posture:
- Disable RDP services on computers that don’t need the capability. “There are several ways of doing this based on which version of Microsoft Windows you are using,” it noted.
- If RDP services are needed, “only allow network access where needed. Block other network connections using Access Control Lists or firewalls, and especially from any address on the Internet.”
- Make sure users know which version of Microsoft Windows they are using. Older versions, such as Windows XP, are no longer supported by Microsoft and have not been updated with patches to protect them from the vulnerabilities exploited by the malware.
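The three advisory steps above can be checked on a single Windows host from an elevated PowerShell session. The script below is an added audit example, not code from the HHS advisory or from the article; it assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 4+ (the SMB and firewall cmdlets do not exist on Windows XP or 2003, which the advisory says to retire). The `$RequiredKBs` parameter is a placeholder for the KB numbers of Microsoft's March 2017 SMB update for your OS version; the function and finding names are this example's own.

```powershell
# Added example (not the advisory's code): audit RDP exposure, SMBv1, OS support and patch state.
# Assumes Windows 8.1 / Server 2012 R2 or later, PowerShell 4+, elevated session.

function Get-RansomwareExposureReport {
    [CmdletBinding()]
    param(
        # Placeholder: KB id(s) of the March 2017 SMB fix for this OS version, e.g. @('KBxxxxxxx').
        [string[]]$RequiredKBs = @()
    )
    $findings = @()
    $add = { param($Check, $Status, $Detail)
        $script:findings += [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail } }

    # Step 1: is Remote Desktop enabled? fDenyTSConnections = 1 means RDP is switched off.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
    if (-not $rdpEnabled) {
        & $add 'RDP' 'PASS' 'Remote Desktop is disabled'
    } else {
        # Step 2: if RDP is needed, the inbound firewall rules should be scoped to specific
        # remote addresses, never "Any" (which includes the whole Internet on an exposed host).
        $wideOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
            Get-NetFirewallAddressFilter |
            Where-Object { $_.RemoteAddress -contains 'Any' }
        if ($wideOpen) {
            & $add 'RDP' 'FAIL' 'RDP enabled and an inbound rule allows any remote address; restrict with ACLs/firewall'
        } else {
            & $add 'RDP' 'WARN' 'RDP enabled; inbound rules are address-scoped, confirm the scope is only where needed'
        }
        # Network Level Authentication (UserAuthentication = 1) stops unauthenticated sessions
        # from reaching the logon screen, which limits password guessing over RDP.
        $nla = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
        if ($null -eq $nla -or $nla.UserAuthentication -ne 1) {
            & $add 'RDP-NLA' 'FAIL' 'Network Level Authentication is not required for RDP'
        } else {
            & $add 'RDP-NLA' 'PASS' 'Network Level Authentication required'
        }
    }

    # SMBv1: the protocol version the US-CERT alert names as the likely WannaCry vector.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $smb -and $smb.EnableSMB1Protocol) {
        & $add 'SMBv1' 'FAIL' 'SMBv1 server is enabled; disable it unless a legacy device requires it'
    } else {
        & $add 'SMBv1' 'PASS' 'SMBv1 server is disabled or not present'
    }

    # Step 3: OS version and patch state. Version 5.x is Windows 2000/XP/Server 2003, all out of support.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Version -like '5.*') {
        & $add 'OS' 'FAIL' "$($os.Caption) ($($os.Version)) is no longer supported by Microsoft"
    } else {
        & $add 'OS' 'PASS' "$($os.Caption) ($($os.Version))"
    }
    if ($RequiredKBs.Count -gt 0) {
        $installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
        $missing = $RequiredKBs | Where-Object { $installed -notcontains $_ }
        if ($missing) {
            & $add 'Patch' 'FAIL' "Missing: $($missing -join ', ')"
        } else {
            & $add 'Patch' 'PASS' 'Required SMB update(s) installed'
        }
    }
    return $findings
}

function Disable-RansomwareExposure {
    # Remediation for the FAIL findings above. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DisableRdp)
    if ($PSCmdlet.ShouldProcess('localhost', 'Disable SMBv1 server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($DisableRdp -and $PSCmdlet.ShouldProcess('localhost', 'Disable Remote Desktop')) {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

# Usage: report first, then preview remediation before applying it.
Get-RansomwareExposureReport -RequiredKBs @() | Format-Table -AutoSize
Disable-RansomwareExposure -DisableRdp -WhatIf
```

Run the report across a fleet with `Invoke-Command -ComputerName` against a list of hosts and filter on `Status -eq 'FAIL'` to get the patch and RDP backlog the article's experts describe; the remediation function is deliberately opt-in for RDP because some clinical workstations legitimately need it and only the firewall scope should change there.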
In a separate alert issued Friday afternoon, HHS noted concern that the ransomware detected in the UK and other international locations was affecting hospitals and healthcare information systems. “We are also aware that there is evidence of this attack occurring inside the United States,” HHS said.
HHS is advising providers to use best practices in handling emails from outside sources, particularly to avoid clicking on links or attachments that look suspicious.
In addition, the agency said it is taking steps to protect its own systems, including:
- Implementing, through its Office of the Chief Information Officer, an enterprise block across all OpDivs and StaffDivs, and ensuring all patching is up to date.
- Working with the Department of Homeland Security to scan HHS’ CIDR IP addresses through the DHS NCATS program to identify RDP and SMB services.
- Notifying VA and DHA and sharing cyber threat information.
- Coordinating with National Health Service (England) and UK-CERT.
“HHS, through its law enforcement and intelligence resources with the Office of Inspector General and Office of Security and Strategic Information, has ongoing communications and is sharing and exchanging information with other key partners including the US Department of Homeland Security and the Federal Bureau of Investigation,” the agency noted.
Security experts say the incident highlights the importance of patch management, a practice that is often difficult in healthcare organizations, which typically have hundreds of computers linked to networks and face challenges in managing updates to those devices.
The current vulnerability is related to Windows Server Message Block (SMB), which was addressed by Microsoft in mid-March, says Kurt Osburn of ControlScan, a security firm.
“Patch updates are becoming extremely important, because hackers are responding to critical bugs immediately,” Osburn says. “Healthcare organizations are high-value targets, which means their security and IT teams need to be extremely aware of what is happening in the wild and respond accordingly.”
The lag in deploying patches is a glaring weakness for most healthcare organizations, says William MacArthur, threat researcher for RiskIQ, a digital threat management firm. “Hospitals and healthcare networks are particularly vulnerable because updating their networks is disruptive to the crucial day-to-day operations, and their operating systems are very specifically designed.”
Healthcare organizations in the U.S. have been hit by ransomware before, and in general have been reluctant to pay hackers to regain access to their data. In its most recent guidance, HHS discouraged ransom payments, saying that practice “does not guarantee access will be restored.”
Still, one law firm suggests that providers get grounded in requirements for paying a ransom and use safe practices to ensure that a payment achieves desired results.
Ransomware attacks are pervasive and will continue, warns Michael Morgan, a partner in the cybersecurity practice at the McDermott Will & Emery law firm. He advises healthcare organizations to learn about bitcoin, a digital currency often demanded by hackers to regain access to data, and how to obtain it in case payment is necessary.
If a hacker can make demands on you, you can make demands on the hacker, Morgan advises. Insist on proof the attacker can decrypt. Ask the hacker to decrypt files and send them back to you to confirm these are your files before paying.
In some ransomware cases, the victim organization will pay and get from the attacker not a decryption key, but a program. Don’t run the program because if it has a “back door” in it, the attacker can come back and hit you again.
You’ll have to hire a security consultant to study how the program functions and whether malicious components remain that would allow the attacker to return, Morgan advises. “You don’t want to receive a program; you want a decryption key.”
To better protect the organization from ransomware, don’t just go to Windows and click on “backup,” but segregate data backups—do multiple backups and don’t have them all in the same place as ransom tools will search for standard backups.