lolloj - Fotolia


Health IT should remain vigilant after WannaCry ransomware attack

While U.S. hospitals were relatively unscathed by the WannaCry ransomware attack, healthcare organizations would be wise to review and update their security tools and practices.

Ransomware has already forced health IT to get more aggressive toward increasing their security safeguards and protections against attacks through emails and infected websites. Unfortunately, the battle is far from over.

Attackers took advantage of the hidden EternalBlue exploit in Windows operating systems. EternalBlue and other tools were found in a dump of National Security Agency-linked exploits and infected computers worldwide with ransomware. In May 2017, the WannaCry ransomware attack, which is based on the EternalBlue exploit, and several of its variants caused widespread disruption to users and organizations in more than 150 countries.

Despite its global reach, WannaCry did not cause as serious a disruption to the U.S. market as it did to other markets. So, why was this strain of ransomware so different from others? And why didn't U.S. hospitals press the panic button when the rest of the world did?

The WannaCry ransomware attack demanded the infected user pay $300 to restore their files. The monetary amount increased to $600 if the user didn't comply with the attacker's request within seven days. Unfortunately, as with many ransomware attacks, there is no easy way to recover files without the encryption key, and most victims resort to restoring backups to resume operations.

In this latest case of ransomware, the weakness was discovered in the Server Message Block service and the protocol used for storage. While primarily targeting older Windows operating systems, such as Windows XP and Windows Server 2003, Microsoft immediately released a patch when it first learned of the vulnerability. The company even went as far as to patch Windows versions that previously reached end of life.

WannaCry operates differently from traditional ransomware

Successful ransomware attacks are the result of attackers using email to trick users into clicking or opening messages that contain attachments with malicious code. This practice has proven to be successful and continues to be the preferred method by cybercriminals. Once the infection occurs, the infected machine gets most of its files encrypted, and then the key to decrypting the files is sold back to the end users using bitcoin to keep the identity of the criminal hidden. These types of attacks typically force users without backups to pay the ransom.

However, WannaCry spread at a much faster rate than traditional ransomware attacks. The infection acted more like a computer worm, scanning the network for computers with a specific vulnerability and then infecting them. This helped it spread inside company servers and machines -- and across the internet, as well. 

How hospitals can combat ransomware

Ongoing end-user training and advanced security protection tools have been successful at reducing the risks of serious infections for the most part. IT departments across healthcare organizations have had a much lower infection rate when employing those preventative steps. However, in watching the global impact of the WannaCry ransomware attack, IT departments are questioning their readiness and protection levels.

Despite the frenzy that this latest threat has caused worldwide, U.S. healthcare organizations have so far seen minimal infections. That can be credited to the fact that, under HIPAA, most IT departments have ensured their systems are patched, and Windows Server 2003 and Windows XP are isolated or removed from their networks.

Attacks that involve the use of hidden vulnerabilities discovered by government intelligence agencies are considered some of the most serious. When an exploit is leaked, cybercriminals waste no time using them to infect and target computers worldwide. As a result, concerns continue to grow in health IT circles and the notion that staying patched up is no longer enough to maintain adequate protections.

Many hospitals have already adjusted their security practices to include advanced threat protection tools that can detect and block threats based on behavior and not just their signature. Employing some of these new protection methods is not a guarantee, but it provides the next-level protection that adds another layer to further keep more malicious code out of hospitals.

Next Steps

After WannaCry, healthcare orgs must invest in security tools

Tips for responding to a healthcare ransomware attack

Use security best practices to prevent a ransomware attack

Dig Deeper on Electronic medical records security and data loss prevention