WannaCry: What's the Impact on U.S. Healthcare?
So Far, the Sector Appears to Have Escaped a Major Disruption
As organizations around the globe - including hospitals in the United Kingdom - recover from the spread of WannaCry ransomware, healthcare entities in the United States so far appear to have mostly avoided the crisis.
While WannaCry has spread to North America, the impact on healthcare entities so far appears to be relatively limited, The Healthcare Information Trust Alliance, a cyber threat information sharing organization, told Information Security Media Group on Monday.
"One member within the community has identified an indicator [of infection]; however, it was contained quickly," HITRUST reported.
The alliance adds that while it has also seen other indicators of potential compromises based on information being shared within the organization's Enhanced IOC Collection Program, it has no hard evidence of actual compromises.
An official at another cyber information sharing entity, who asked for anonymity, offered a similar assessment: "We are not aware of any widespread infections within the U.S." The official said the group had received "one or two" anecdotal reports of infections.
It's possible that early warnings about the seriousness of the situation - including news reports about the attacks as well as alerts from the Department of Health and Human Services and the Department of Homeland Security - helped dull the potential impact by jostling U.S. entities into reassessing the status of their own systems, including software patches.
"Having the attacks break out first in Europe did provide a heads-up for organizations in the states, and many scrambled to provide information and steps to mitigate the threat, so that IT teams could quickly assess their situation and take action," says Mac McMillan, president of the security consulting firm CynergisTek. "U.S. healthcare is doing a better job today of protecting against malware and that definitely contributed."
WannaCry ransomware exploits a flaw in Windows Server Message Block, or SMB, functionality that was present in every Windows operating system from XP to Server 2008 R2. Microsoft quietly patched the flaw for currently supported operating systems in March, before the flaw's existence was revealed in April when the Shadow Brokers released a dump of "Equation Group" attack tools, which are believed to have been developed by the U.S. National Security Agency.
But unsupported Microsoft Windows operating systems - widely used around the world, and especially in the healthcare sector - continued to be at risk. After the WannaCry outbreak began unfolding Friday, however, Microsoft that night released free SMB patches for Windows XP, Server 2003 and 8 operating system users. While Microsoft had developed the patches in February, they had previously only been provided to customers who paid for pricey extended-support contracts.
Jennings Aske, vice president and CISO at New York-Presbyterian Hospital, says his organization took immediate action when news of the attacks broke. "Upon learning of the attacks, we evaluated controls at all hospitals in our system. This includes endpoint security, patching and other relevant controls," he says.
Other steps included monitoring medical devices and other systems running legacy Windows software that's vulnerable to the WannaCry ransomware.
"In this case, we are applying the patches for XP and 2003 that were released by Microsoft where we can," Aske says. "We also try to isolate medical devices from our primary network, as well as from direct internet access. We also have disabled the SMB protocol where we can."
Medical Devices Also Vulnerable in U.K.
On May 13, the U.K.'s National Health System issued a statement responding to "widespread speculation about the use of Microsoft Windows XP by NHS organizations, who commission IT systems locally depending on population need" (see NHS Denies Widespread Windows XP Use).
NHS noted that "while the vast majority are running contemporary systems," some hardware, including some medical device equipment, is among the 4.7 percent of systems that still run XP. "Some expensive hardware - such as MRI scanners - cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network," NHS noted.
Meanwhile in the U.S., HHS issued several email alerts not long after news of the attacks first broke on Friday. In the latest alert sent Monday, HHS noted that it received "anecdotal notices of medical device ransomware infection."
While many legacy medical devices in use at healthcare entities in the U.S. and elsewhere run older operating systems, "WannaCry affects more than just Windows XP," says Kevin Fu, associate professor of electrical engineering and computer science at the University of Michigan's Archimedes Research Center for Medical Device Security and founder of cybersecurity vendor Virta Laboratories. "The root cause [for medical devices being vulnerable to cyberattack] is that too many medical devices depend on unmaintainable or unpatched operating systems. Medical device software ages more like milk than like wine, and it's getting older and chunkier every day."
Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium, says the group is working with the National Health Information Sharing and Analysis Center to collect recommendations from stakeholders, including medical device vendors, on how healthcare entities might address potential WannaCry-related vulnerability issues.
In addition to HHS noting anecdotal reports about infected medical devices, the department in its May 15 alert also warned about potential social engineering schemes in the aftermath of the attacks.
"A partner noted an exploitative social engineering activity whereby an individual called a hospital claiming to be from Microsoft and offering support if given access to their servers," HHS writes. "It is likely that malicious actors will try and take advantage of the current situation in similar ways."
Truth vs. Fiction?
In a statement provided to ISMG, the NH-ISAC said reports of ransoms paid by organizations worldwide that were hit by the WannaCry attacks appear to be overstated.
"Despite media alarmist reports ... to the tune of $725 million, the total amount of money actually paid for the ransom campaign stands at approximately 207 payments across three bitcoin wallets totaling 31 BTC or $55,000. This is not indicative of a massive campaign."
NH-ISAC also claims that "no one has been able to pinpoint how this new ransomware variant is being distributed to victims - malvertising, exploit kits, email spam, etc. There is no information to indicate that Remote Desktop Protocol is a vector.
"There is a lot of erroneous reporting occurring in the media and amongst the vendor community - for example, seeing WannaCry infections coming from email or phishing or RDP. Currently there is zero evidence to support the theory that WannaCry is being distributed via a spam campaign or RDP. Other phishing attacks are taking advantage of the situation."
Many of the large entities impacted had SMB exposed to the internet, specifically port 445, NH-ISAC reports. "This could be how the ransomware got in," it says.
NH-ISAC advises that healthcare organizations take these mitigation steps:
- Issue a companywide communication putting all staff on high alert;
- Ensure all patches are up to date. Microsoft has patches available for all versions of its operating system dating back to Microsoft XP;
- Prevent delivery and download of .exe attachments, both direct and contained inside zip files;
- Ensure SMB (disable ports 139 and especially 445) is not permitted into your environment from external sources. Note especially third-party VPN connections;
- Apply anti-virus patches provided since May 12;
- Detect/block known hashes;
- Block attempts to communicate to unauthorized and new domains;
- Review the list of IP hits against the sinkholed domain keeping in mind some positive hits might be from your own security team.
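As an added illustration of the SMB-exposure and sinkhole-review items above (this is not NH-ISAC's or the article's code), the following Python script separates sinkhole hits made by the security team's own hosts from hits that need investigation, and lists inbound SMB connections from external sources that were allowed. The log format, the internal address range, the security-team host list and the sinkhole domain placeholder are all assumptions; the sample log is constructed.

```python
import ipaddress

# Placeholder: the article does not name the sinkholed domain; use your threat feed's value.
SINKHOLE_DOMAIN = "sinkholed-domain.example"
# Assumptions: internal address space and the security team's own analysis hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SECURITY_TEAM_HOSTS = {"10.20.0.15"}
SMB_PORTS = {139, 445}

# Constructed sample log in a hypothetical "timestamp kind key=value ..." format.
SAMPLE_LOG = """\
2017-05-15T09:01:02 dns client=10.1.4.22 query=sinkholed-domain.example
2017-05-15T09:01:05 dns client=10.20.0.15 query=sinkholed-domain.example
2017-05-15T09:02:10 dns client=10.1.4.22 query=www.example.org
2017-05-15T09:03:00 flow src=203.0.113.7 dst=10.1.9.5 dport=445 action=allow
2017-05-15T09:03:01 flow src=10.1.4.22 dst=10.1.9.5 dport=445 action=allow
2017-05-15T09:03:09 flow src=198.51.100.9 dst=10.1.9.6 dport=139 action=deny
2017-05-15T09:04:00 dns client=10.3.7.80 query=SINKHOLED-DOMAIN.example.
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Split sinkhole hits by source and list allowed inbound SMB from outside."""
    report = {"investigate": set(), "security_team": set(), "external_smb_allowed": []}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        kind = parts[1]
        f = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if kind == "dns" and {"client", "query"} <= f.keys():
            # DNS names are case-insensitive and may carry a trailing root dot.
            if f["query"].rstrip(".").lower() == SINKHOLE_DOMAIN:
                own = f["client"] in SECURITY_TEAM_HOSTS
                report["security_team" if own else "investigate"].add(f["client"])
        elif kind == "flow" and {"src", "dst", "dport", "action"} <= f.keys():
            port = int(f["dport"])
            if (port in SMB_PORTS and f["action"] == "allow"
                    and not is_internal(f["src"]) and is_internal(f["dst"])):
                report["external_smb_allowed"].append((f["src"], f["dst"], port))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, sorted(value))
```

Hosts in the `investigate` set are candidates for isolation and patch verification, while any entry in `external_smb_allowed` points to a perimeter or VPN rule that still admits ports 139 or 445.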
The key lesson that U.S. healthcare organizations should learn from the WannaCry troubles worldwide, Aske says, is that they need to "continue to invest in cyber controls, including hardening of systems and infrastructure. The focus on compliance - i.e., device encryption - to the exclusion of advanced endpoint security, security monitoring and other related cyber defenses, has left the industry vulnerable."