WannaCry Post Mortem: Early Warning Indicators and Lessons Learned for the Healthcare Industry

Date: August 4, 2017

Written by HITRUST Independent Security Journalist Sean Martin. 

As the saying goes, “those who don’t learn from history are doomed to repeat it.” Some very recent history that’s worth tuning in to is the story of the WannaCry attacks that took place this past April and May. This vicious form of ransomware is bound to resurface—along with many new forms that can potentially impair the IT networks of healthcare organizations.

On June 28, 2017, HITRUST hosted a webinar that provided a valuable debrief and analysis of the recent cyber-attack on the healthcare industry; the attack became known as “WannaCry”. The live presentation was hosted by Elie Nasrallah, Director of Cyber Security Strategy, and Michael Frederick, Vice President of Operations—both of whom work for HITRUST. Their special guest was Ed Cabrera, Chief Cybersecurity Officer for Trend Micro. Following is a quick rundown of their key points.

The Ironic Origin of WannaCry

The first version of WannaCry hit computers around the world on April 17. Files on many Windows servers and desktops were encrypted, and the victims had to find an expert who could eradicate the ransomware and recover their files (in practice, from backup) or else pay the ransom to get their files back. What made the attacks even more frustrating was that the payments had to be issued in bitcoin, a digital currency whose transactions are public but not tied to a named account holder, so the recipients were hard to identify.

The second version of WannaCry, which carried a worm component, attacked machines roughly one month later and then continued to make its rounds well into June and July. Like other ransomware, WannaCry encrypts the files on any machine it reaches; what set it apart was that it then scanned for further machines, on the local network and on the internet, and infected them with no user action at all through a vulnerability in the Server Message Block version 1 (SMBv1) service that listens on TCP port 445 of Windows machines.

The vulnerability (CVE-2017-0144) was, ironically, found by the U.S. National Security Agency, which built the exploit known as "EternalBlue" for it rather than reporting it. Every Windows version of the day was affected, from XP through Server 2016, but the worm was most reliable against Windows 7 and Server 2008 R2 (NT 6.1), and unpatched Server 2008 and 2012 hosts were hit as well. The Shadow Brokers, a group of unknown origin, published the exploit on April 14, 2017, a month after Microsoft had already fixed the bug in security bulletin MS17-010, and criminals quickly put it to use.
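The worm behaviour described above leaves a simple signature in host firewall logs: one internal machine opening TCP 445 to many distinct internal neighbours within seconds. The following is an added example, not code from the HITRUST webinar or from Trend Micro, that looks for that fan-out in Windows Firewall (pfirewall.log) lines. The log lines are constructed for illustration in pfirewall.log field order, and the threshold and window are assumptions to tune per environment.

```powershell
# Added example: SMB 445 fan-out detection over Windows Firewall log lines.
# Constructed sample (pfirewall.log field order: date time action protocol
# src-ip dst-ip src-port dst-port ...). 10.0.1.5 behaves like the WannaCry
# spreader; 10.0.1.20 is a normal client talking to two file servers.
$SampleLog = @'
2017-05-12 10:00:01 ALLOW TCP 10.0.1.5 10.0.1.6 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.1.5 10.0.1.7 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.1.5 10.0.1.8 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.1.5 10.0.1.9 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.1.5 10.0.1.10 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.1.5 10.0.1.11 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:05 ALLOW TCP 10.0.1.5 198.51.100.9 49158 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:06 ALLOW TCP 10.0.1.20 10.0.1.2 50001 445 0 - 0 0 0 - - - SEND
2017-05-12 10:05:00 ALLOW TCP 10.0.1.20 10.0.1.2 50002 445 0 - 0 0 0 - - - SEND
2017-05-12 10:05:01 ALLOW TCP 10.0.1.20 10.0.1.3 50003 445 0 - 0 0 0 - - - SEND
'@

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges only: the worm also probed random internet addresses,
    # but for a lateral-movement signal we count internal destinations.
    $o = $Ip -split '\.'
    if ($o.Count -ne 4) { return $false }
    return ($o[0] -eq '10') -or
           ($o[0] -eq '192' -and $o[1] -eq '168') -or
           ($o[0] -eq '172' -and [int]$o[1] -ge 16 -and [int]$o[1] -le 31)
}

function Find-Smb445FanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,        # distinct internal targets that trigger an alert (assumption)
        [int]$WindowSeconds = 60    # sliding window length (assumption)
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }   # header, comment and blank lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        if (-not (Test-PrivateIPv4 $f[5])) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object -Property Src)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $from = $sorted[$i].Time
            $to   = $from.AddSeconds($WindowSeconds)
            # distinct internal destinations reached by this source inside the window
            $targets = @($sorted | Where-Object { $_.Time -ge $from -and $_.Time -le $to } |
                         Select-Object -ExpandProperty Dst | Sort-Object -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{ Source = $group.Name; Targets = $targets.Count; From = $from; To = $to }
                break   # one alert per source is enough
            }
        }
    }
}

# Sample run: reports 10.0.1.5 (6 internal targets in 2 seconds); 10.0.1.20 stays quiet.
Find-Smb445FanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
# Real data: Find-Smb445FanOut -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Windows Firewall does not log allowed connections by default, so the real-data line only works once "Log successful connections" is enabled in the firewall profile; the same logic applies unchanged to any firewall or NetFlow export that gives you timestamp, source, destination and destination port.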

Impact Felt Globally—Especially by Healthcare

The impact of WannaCry was felt worldwide. Nearly 300,000 machines were infected in about 150 countries, including approximately 113,000 servers and workstations in the U.S. Weeks later, in June, the ransomware still managed to stop production at a Honda plant in Japan and to knock out speed cameras in the Australian state of Victoria.

The effect on the healthcare industry was particularly acute. Dozens of National Health Service trusts in the UK had to cancel appointments and divert patients, so many people in need of care went untreated. The Heritage Valley Health System in Pennsylvania temporarily shut down and postponed at least one surgery. Merck Research Laboratories in Boston also discovered its network had been compromised in late June, although that incident is generally attributed to the NotPetya outbreak that followed WannaCry and reused the same SMBv1 exploit. Standard laptops, desktops, and servers were not the only devices affected; HITRUST investigations also found MedRad (Bayer), Siemens, and other unnamed medical devices infected.

How to Get Ahead of the Next Attack—Because It Will Happen

The webinar hosts also noted that this won’t be the last we’ve seen of attacks both similar and identical to this one, and therefore provided several suggestions to the webinar attendees on how to get a jump on the next strain of ransomware:

  • Patch all Windows-based machines (servers, workstations, laptops, and medical devices) with Microsoft Security Bulletin MS17-010 (March 14, 2017). Microsoft also issued out-of-band fixes for the out-of-support Windows XP, Server 2003 and Windows 8 on May 13, 2017; apply those wherever such systems cannot be retired.
  • Disable SMBv1 on every server and system that does not strictly need it. SMBv1 is the legacy dialect of Windows file sharing, long superseded by SMB 2 and 3, and is now required only by some old devices and appliances.
  • Ensure all security solutions have updated patterns/signatures and optimal configuration settings.
  • Deploy firewalls and intrusion prevention systems where practical, and block TCP ports 445 and 139 at the internet perimeter and between network segments that have no business sharing files.
  • Ensure that there are regular backups, that at least one copy is kept where ransomware on the production network cannot reach it, and routinely verify the integrity of backed-up critical data by actually restoring from it.
  • Consider providing end user awareness training and remind end users to be diligent and to report any suspicious activity.
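The patching, SMBv1 and backup items above can be checked on a single host in one pass. The script below is an added example written for this page, not code from the webinar or from HITRUST; it runs on PowerShell 3 or later from an elevated prompt, reports only unless -DisableSmb1 is given, and uses the KB numbers Microsoft shipped under MS17-010 for each OS version. The backup location, the manifest path and the manifest format (one "<sha256>  <relative path>" line per file) are assumptions for illustration.

```powershell
# Added example: WannaCry readiness check for one Windows host (PowerShell 3+, elevated).
[CmdletBinding()]
param(
    [switch]$DisableSmb1,                                  # actually change config; default is report only
    [string]$BackupRoot = 'D:\Backups',                    # assumed backup location
    [string]$Manifest   = 'D:\Backups\manifest.sha256'     # assumed "<sha256>  <relative path>" lines
)

# MS17-010 (March 2017) packages by OS version. Any later cumulative update
# supersedes them, so a miss is a warning to investigate, not proof of exposure.
$Ms17010Kb = @{
    '6.0'  = @('KB4012598')                            # Vista / Server 2008 (also the XP/2003/8 out-of-band fix)
    '6.1'  = @('KB4012212', 'KB4012215')               # Windows 7 / Server 2008 R2
    '6.2'  = @('KB4012214', 'KB4012217')               # Windows 8 / Server 2012
    '6.3'  = @('KB4012213', 'KB4012216')               # Windows 8.1 / Server 2012 R2
    '10.0' = @('KB4012606', 'KB4013198', 'KB4013429')  # Windows 10 1507 / 1511 / 1607, Server 2016
}

function Test-Ms17010 {
    $os = Get-CimInstance Win32_OperatingSystem
    $v  = [version]$os.Version
    $wanted = $Ms17010Kb["$($v.Major).$($v.Minor)"]
    if (-not $wanted) {
        return [pscustomobject]@{ Check = 'MS17-010'; Status = 'UNKNOWN'; Detail = "no KB list for $($os.Caption)" }
    }
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $hit = @($wanted | Where-Object { $installed -contains $_ })
    if ($hit.Count -gt 0) {
        [pscustomobject]@{ Check = 'MS17-010'; Status = 'OK'; Detail = "installed: $($hit -join ', ')" }
    } else {
        [pscustomobject]@{ Check = 'MS17-010'; Status = 'WARN'; Detail = "none of $($wanted -join ', ') found; confirm a later cumulative update" }
    }
}

function Get-Smb1State {
    # Server side: SmbShare module on Windows 8/2012+, registry (KB2696547) on older hosts,
    # where an absent SMB1 value means enabled. Client side: start type of the mrxsmb10 driver.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
        $server = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }
    $start  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start
    $client = ($null -ne $start) -and ($start -ne 4)   # 4 = SERVICE_DISABLED; no key = driver not present
    $status = if ($server -or $client) { 'WARN' } else { 'OK' }
    [pscustomobject]@{ Check = 'SMBv1'; Status = $status; Detail = "server enabled=$server client enabled=$client" }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side per KB2696547: drop the SMB1 redirector dependency and disable its driver.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Warning 'SMBv1 disabled; a reboot is required for the client-side change to take effect.'
}

function Test-BackupManifest {
    param([string]$Root, [string]$ManifestPath)
    if (-not (Test-Path -LiteralPath $ManifestPath)) {
        return [pscustomobject]@{ Check = 'Backup'; Status = 'WARN'; Detail = "no manifest at $ManifestPath" }
    }
    $total = 0; $bad = 0
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        if ($line -match '^([0-9a-fA-F]{64})\s+(.+)$') {
            $total++
            $file   = Join-Path $Root $Matches[2]
            $actual = if (Test-Path -LiteralPath $file) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { 'MISSING' }
            if ($actual -ne $Matches[1]) { $bad++; Write-Warning "backup mismatch: $file ($actual)" }
        }
    }
    $status = if ($bad -eq 0 -and $total -gt 0) { 'OK' } else { 'WARN' }
    [pscustomobject]@{ Check = 'Backup'; Status = $status; Detail = "$bad of $total manifest entries failed" }
}

$smb = Get-Smb1State
@(Test-Ms17010; $smb; Test-BackupManifest -Root $BackupRoot -ManifestPath $Manifest) | Format-Table -AutoSize
if ($DisableSmb1 -and $smb.Status -eq 'WARN') { Disable-Smb1 }
```

On Windows 8.1/10 and Server 2012 R2 and later the protocol can be removed outright instead of merely switched off (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on clients, Uninstall-WindowsFeature FS-SMB1 on servers), which is the better end state once the last SMBv1-only device is gone. A manifest check like the one above proves the backup files are intact; it does not prove they restore, so it complements a periodic test restore rather than replacing it.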

The webinar panel also emphasized that time is of the essence—there’s no telling when the next attack will occur. It’s best to apply these measures immediately and then revisit them on a regular basis. Defending against ransomware isn’t a one-time fix; it’s an on-going battle.

Survey Identifies Common Ransomware Challenges Faced by Healthcare Organizations

Even if ransomware has not yet impacted your organization, the threat is very real. In a post-event survey of the audience, who all represent various healthcare entities, 15% indicated that their organizations were impacted by WannaCry. Of those who were not impacted, two-thirds chalk it up primarily to applying patches on a regular basis.

The audience also shared some of their most pressing concerns when it comes to defending against ransomware:

  • Receiving immediate alerts.
  • Identifying the countries and specific businesses impacted by an attack.
  • Determining which specific machines and operating systems are impacted.
  • Getting frequent updates as attacks evolve.
  • Reducing the mean time between discovery and mitigation.
  • Gaining access to continual education on lessons learned from past attacks.
  • Finding a way to collaborate with industry colleagues to share information and strategies.
  • Obtaining attack explanations and recommendations that non-technical people can understand.

Another frustration for senior management teams at healthcare organizations is having to continually remind IT personnel to keep patches up to date. Many have also discovered that IT does not continuously verify that system backups are valid. The first gap leaves the organization open to compromise; the second leaves it unable to recover from a ransomware attack, which in a hospital can directly compromise patient care.

The HITRUST Threat XChange: Your Partner in the Fight Against Ransomware

While routine patching and backups should be part of the core security management program, it’s not always possible to keep abreast of the risks that the healthcare industry faces from stealthy and conniving cybercriminals that attempt to leverage both known and zero-day vulnerabilities to do their deeds. One way to address this challenge and to defend against ransomware attacks like WannaCry is to take advantage of the HITRUST Cyber Threat XChange (HITRUST CTX). The program enables healthcare organizations to significantly accelerate the detection of, and their response to, cyber threats such as that found in WannaCry.

In this particular instance, as one of many examples, HITRUST CTX detected the WannaCry indicators of compromise from within the program and warned other program members several weeks in advance of the outbreak, giving them an opportunity to run through their own checklist (similar to the one above) before the attack found their organization. To accomplish this, the program uses an enhanced indicators-of-compromise (IOC) system to detect threats early in the attack lifecycle and issues warnings to all participants so they can protect their environments. HITRUST focused the last 18 months on expanding its collection of indicators of threat and compromise through its Enhanced IOC Collection program, which continues to lead the industry in identification of unique IOCs.

The indicators collected and shared include ransomware file hashes, malicious URLs, and the IP addresses of command-and-control and distribution servers used to deliver ransomware. There are no silver bullets in a layered defense, but these indicators, approximately 10,000 per day, let each HITRUST CTX participant feed its existing security layers with knowledge of healthcare-targeted attacks and block threats those layers would not otherwise recognize. Because HITRUST CTX is tuned to reduce false positives, the indicators cover confirmed malware of all kinds, including ransomware, Trojans and worms, arriving over many vectors such as email, the web, and network protocols such as SMB.
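An indicator feed is only useful once it is applied to controls. The script below is an added example written for this page, not HITRUST CTX code or data: it parses a small constructed feed of the three indicator types named above (placeholder values from documentation address ranges and domains, defanged the way shared feeds usually are), turns command-and-control IPs into outbound Windows Firewall block rules, extracts URL hosts for a proxy or DNS deny list, and sweeps a folder for files whose SHA-256 appears in the feed. The feed contents and the folder to scan are assumptions.

```powershell
# Added example: consuming a hash/URL/IP indicator feed on a Windows host (PowerShell 3+).
[CmdletBinding()]
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads",   # assumed folder to sweep for known-bad files
    [switch]$Apply                                        # create firewall rules instead of just listing them
)

# Constructed feed with placeholder indicators; real feeds arrive in CSV, STIX or similar.
$FeedCsv = @'
type,value,note
sha256,0000000000000000000000000000000000000000000000000000000000000000,placeholder dropper hash
url,hxxp://payload[.]example[.]net/x.exe,placeholder payload URL
ip,203.0.113.7,placeholder command-and-control
ip,198.51.100.23,placeholder command-and-control
'@

function Expand-Defang {
    param([string]$Value)
    # Feeds defang indicators so they cannot be clicked; undo that before matching.
    $Value -replace 'hxxp', 'http' -replace '\[\.\]', '.' -replace '\[:\]', ':'
}

function ConvertFrom-IndicatorFeed {
    param([string]$Csv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $v = Expand-Defang $row.value
        $hostName = if ($row.type -eq 'url') { ([uri]$v).Host } else { $null }
        [pscustomobject]@{ Type = $row.type; Value = $v; HostName = $hostName; Note = $row.note }
    }
}

function New-C2BlockRule {
    param([string[]]$Ip, [switch]$Apply)
    foreach ($addr in $Ip) {
        $name = "IOC block $addr"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }   # already present
        if ($Apply) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block -RemoteAddress $addr -Profile Any | Out-Null
            "added outbound block rule for $addr"
        } else {
            "would add outbound block rule for $addr (re-run with -Apply)"
        }
    }
}

function Find-KnownBadFile {
    param([string]$Path, [string[]]$Sha256)
    $bad = @{}
    foreach ($h in $Sha256) { $bad[$h.ToUpper()] = $true }   # Get-FileHash returns uppercase hex
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($bad.ContainsKey($h)) { $_.FullName }
    }
}

$feed   = ConvertFrom-IndicatorFeed $FeedCsv
$ips    = @($feed | Where-Object Type -eq 'ip'     | Select-Object -ExpandProperty Value)
$hashes = @($feed | Where-Object Type -eq 'sha256' | Select-Object -ExpandProperty Value)
$hosts  = @($feed | Where-Object Type -eq 'url'    | Select-Object -ExpandProperty HostName)

"Hosts for the proxy/DNS deny list: $($hosts -join ', ')"
New-C2BlockRule -Ip $ips -Apply:$Apply
"Known-bad files under ${ScanPath}:"
Find-KnownBadFile -Path $ScanPath -Sha256 $hashes
```

Two caveats a practitioner would apply before running this with -Apply: check that a listed IP is not shared hosting or a CDN edge that legitimate traffic also uses, and remove the rules when the feed retires the indicator, since stale blocks accumulate. On Windows 7 or Server 2008 R2, which lack the NetSecurity module, the equivalent rule is netsh advfirewall firewall add rule name="IOC block 203.0.113.7" dir=out action=block remoteip=203.0.113.7.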

The HITRUST CTX program greatly reduces the risk of cyberattacks and breaches of both known and unknown threats by detecting them in the wild across all stages of the attack lifecycle and sharing this critical information with the program participants, oftentimes well ahead of the attack reaching their organizations. This includes identifying lateral movement across networks and sharing those threat indicators in near real-time; a capability not found in threat information sharing programs that are limited to inbound/outbound indicators.

Recognizing the value of this program and the impact it can have on the industry, HITRUST decided to enhance it, announcing a strategic partnership with Trend Micro to create the HITRUST Cyber Threat Management and Response Center. The new center will expand the capabilities of the HITRUST Cyber Threat XChange, adding threat management, defense, and response services matched to each organization's own cybersecurity maturity level, so that organizations at every level of maturity can defend against the increasing volume and sophistication of cyber threats.
