HITRUST has been following the events surrounding the global WannaCry ransomware attack since it was first reported by the UK healthcare sector. HITRUST’s Cyber Lab, in partnership with Trend Micro Labs and in cooperation with DHS, law enforcement and our members, is gathering information on the incident and has been providing guidance by regularly updating information in the HITRUST Cyber Threat XChange (CTX) on this evolving threat. Given the reported impacts to care delivery and the rate at which this has spread to other systems and other countries, we consider this a serious incident.
Since our first report:
- Evidence that MedRad (Bayer), Siemens and other unnamed medical devices have been infected
- IOCs were identified within the HITRUST Enhanced IOC program well in advance of last Friday’s attacks
- Organizations that have implemented the HITRUST CSF controls (Control Reference “09.j Controls Against Malicious Code” and Control Reference “10.m Control of Technical Vulnerabilities”), specifically those related to endpoint protection and patch management, or an alternate compensating control, would appropriately address the threat
HITRUST will continue to track the incident and will update IOC feeds and the current threat report as more information becomes available.
What is HITRUST doing to prevent or limit the malware spread?
HITRUST is reaching out to healthcare organizations and trade associations to provide information to detect, prevent and remediate the threat and associated malware. HITRUST identified the IOCs in advance of last Friday, published them to the HITRUST CTX, and has been publishing guidance continuously since Friday, May 12. Organizations that have implemented the following HITRUST CSF controls, specifically those related to endpoint protection and patch management, or an alternate compensating control, would appropriately address the threat:
- Control Reference “09.j Controls Against Malicious Code”: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided
- Control Reference “10.m Control of Technical Vulnerabilities”: Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization’s exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk
Organizations leveraging the HITRUST CyberAid program have experienced no incident or exposure from this malware threat, as both the firewall and endpoint rules were updated in advance.
Why didn’t it spread more broadly here in North America?
In this instance (not being a zero-day attack), the likely explanation is that organizations have effectively implemented appropriate security controls, such as those in the HITRUST CSF, or a compensating control. It could also be that the indicators were noticed several weeks ago and shared within the HITRUST CTX. Participants in the HITRUST CTX program can consume these indicators, detected at early stages of the attack lifecycle, to protect themselves from the spread of malware or compromise. Since the HITRUST CTX system can analyze traffic on any port and over 100 protocols (including SMTP, SMB, HTTP and more), members gain visibility into threats across many attack vectors. This gives them the ability to quickly identify threats, then isolate and contain an attempted attack.