WannaCry and NotPetya – What’s Next?

By Susan Lucci, Chief Privacy Officer & Senior, Just Associates
Twitter: @JA_Inc02
Twitter: @susanlucci

In the wake of the WannaCry attack, we learned that ransomware attacks are not limited to a particular target. At the time, some 52% of business organizations were still running Windows XP even though support and patch updates ended three years ago. The healthcare sector may be one of the most vulnerable to this type of attack.

This is not just an issue of losing documents and photos. This is an issue where patients’ lives are at risk.

Technology has advanced the widespread use and deployment of implanted medical devices to improve the lives of patients around the world. At the same time, significant security risks have been identified in those devices. Based on a Ponemon Institute survey:

  • 56 percent of surveyed healthcare delivery organizations (HDOs) believe an attack on one or more medical devices is likely in the next 12 months.
  • 67 percent of medical device makers believe such an attack is likely to occur in the next year.
  • Even with such concerns, only 5 percent of HDOs said they test medical devices at least once per year, while 53 percent stated they do not test devices at all.
  • 9 percent of device manufacturers said they conducted yearly tests, with 43 percent of manufacturers saying they did not test medical devices.

The survey goes on to reveal additional disturbing findings: viruses and malware are often present on devices, and over half of the reporting HDOs admit that they do not perform the QA testing needed to identify and remediate the problem.

Considering what we have learned and the potential impact to medical devices, ECRI has identified some steps that HDOs should implement:

  • Identify networked medical devices, servers, and workstations that are operating on a Windows OS
  • Identify whether connected medical devices/device servers have gotten the relevant Microsoft Windows OS MS17-010 security patch
  • Consider running a vulnerability scan in medical device networks to identify affected medical devices
  • If medical devices/servers are identified that didn’t receive the security patch, contact the device vendor to determine the recommended actions for dealing with the current ransomware threat
  • Request prompt installation of appropriate security patches and documentation to support risk mitigation if the device is managed by a third party or independent service organization
  • Coordinate with the internal IT department to update affected medical devices in accordance with the manufacturer’s recommendations as soon as practicable
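As an added example (not part of the original article or of ECRI's guidance), the checklist above expressed as a triage routine run over a constructed device inventory; the KB numbers mapped to MS17-010 are my assumption from the Microsoft bulletin and should be confirmed there before use.

```python
"""Triage a medical-device inventory against the ECRI checklist.

Constructed example: the inventory rows and the KB mapping below are
illustrative. Confirm the MS17-010 KB identifiers against Microsoft's
bulletin for each OS build before relying on them for a real fleet.
"""
from dataclasses import dataclass

# Windows versions whose vendor support had ended before WannaCry.
UNSUPPORTED = {"Windows XP", "Windows Server 2003"}

# Assumed mapping of OS -> hotfix IDs that deliver the MS17-010 fix.
MS17_010_KBS = {
    "Windows XP": {"KB4012598"},
    "Windows 7": {"KB4012212", "KB4012215"},
    "Windows Server 2008 R2": {"KB4012212", "KB4012215"},
}


@dataclass
class Device:
    name: str
    os: str
    hotfixes: set            # installed KB IDs, e.g. from an asset tool
    managed_by_third_party: bool = False


def triage(device: Device) -> list:
    """Return the ECRI follow-up actions that apply to one device."""
    actions = []
    if not device.os.startswith("Windows"):
        return actions       # the checklist concerns Windows hosts only
    expected = MS17_010_KBS.get(device.os)
    if expected is None:
        actions.append("unknown OS build: verify MS17-010 status manually")
    elif not device.hotfixes & expected:
        actions.append("missing MS17-010: contact vendor for guidance")
        if device.managed_by_third_party:
            actions.append("request patch install and risk documentation from service org")
        else:
            actions.append("schedule IT update per manufacturer recommendation")
    if device.os in UNSUPPORTED:
        actions.append("unsupported OS: plan upgrade to a supported version")
    return actions


INVENTORY = [  # constructed sample rows
    Device("infusion-pump-srv", "Windows XP", set(), managed_by_third_party=True),
    Device("pacs-ws-01", "Windows 7", {"KB4012212"}),
    Device("imaging-ctl", "Windows 7", set()),
    Device("lab-analyzer", "Linux", set()),
]


def report(devices=INVENTORY) -> dict:
    """Map each device needing action to its list of actions."""
    return {d.name: triage(d) for d in devices if triage(d)}
```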

WannaCry clearly showed the world what can happen when unsupported operating systems are not upgraded, highlighting that patches and updates are essential to reducing risk. Tens of thousands of computers were affected in over 150 countries, and the damage could have been avoided if the MS17-010 security patch for the vulnerability exploited by EternalBlue had been applied. While Microsoft did deploy a patch for the older operating system, it wasn’t until after the attack had been launched.

Cybercriminal activity demonstrates that organized and sophisticated attacks are not only possible, they can be globally effective. Now that WannaCry is old news, the next big malware attack making headlines, NotPetya, appears to be a modification of the Petya ransomware. However, in this case, no ransom paid will get your information back, because the malware was specifically designed to destroy data. That should give all of us pause – especially in the healthcare sector.

Consider that for a minute: Protected health information, the very foundation for patient care, is being destroyed through malware. It’s a startling reality.

The lesson to be learned is that failing to upgrade to fully supported operating systems, and failing to deploy security patches and updates automatically, leaves systems and potentially downstream medical devices exposed and vulnerable. Layered security practices are essential for all organizations in today’s volatile world. It is a critical practice that must be adopted and managed effectively. Good security practices begin with education for the workforce, backed up by policies and procedures that specifically speak to security practices, access control, and comprehensive monitoring and auditing routines. Reminders and sharing news about the latest exploits in the cyber world go a long way toward keeping data security awareness top of mind.

Hacking events led to over 113 million health records being compromised in 2015. Johnson and Johnson advised customers of a security vulnerability that could allow hackers to administer a fatal overdose of insulin. It has also been demonstrated that medical devices can be hacked to administer a lethal shock through a pacemaker. These concerns should absolutely be enough to put this issue at the top of security priorities.

With WannaCry, the intent of hackers was collecting bitcoin. NotPetya malware intentionally set out to damage and destroy data. Given the ominous predictions that cybercrime will only increase in the coming year, healthcare organizations of all sizes and shapes must take intentional steps to secure their data. The healthcare sector is likely a prime target for exploitation and known vulnerabilities must be addressed as quickly as possible.

Beyond that, preparation for what’s next should be an agenda item on every senior management meeting. If there are vulnerabilities in our operating systems, the bad guys are already planning a way to exploit them.