Patients turned away. Ambulances diverted. Doctors and nurses locked out of patient files and unable to deliver care. On Friday, 45 National Health Service (NHS) organizations in the UK and Scotland and over 200,000 other victims in 150 countries fell prey to the WannaCry ransomware.
The threat spread quickly, infecting vulnerable Microsoft systems that had not applied a patch released by Microsoft back in March. The affected NHS organizations – as is often the case in healthcare organizations – had legacy Microsoft systems that were no longer supported, thus leaving them vulnerable. Other affected, non-legacy systems had simply not applied the patch.
The repercussions of the global cyber-attack have yet to be fully measured; however, what should be painfully evident is that organizations cannot afford to simply categorize cybersecurity challenges as an IT problem. Cybersecurity is a business problem, and for healthcare organizations, it is intricately interwoven with delivering quality patient care.
Even though patient data was not stolen in the WannaCry ransomware incident, surgeries were cancelled, MRI scans were truncated mid-procedure, and patients were told not to seek care except in urgent cases.
As sophisticated as the WannaCry attack is, it could have been avoided by leveraging a file-integrity monitoring (FIM) tool. FIM tools monitor critical systems and alert IT teams to unauthorized changes that could be indicative of an attack. Early detection could have halted the spread of the attack.
Because hospitals are often on legacy systems that might no longer be supported – in this case, legacy Microsoft systems – it is important to use a comprehensive FIM tool that will monitor legacy systems as well. Tripwire Enterprise provides real-time monitoring and robust coverage for a variety of platforms and operating systems, including legacy systems.
However, some systems affected by WannaCry were not legacy systems. The patch had simply not been applied. Applying a patch released by a vendor seems like a no-brainer. However, when those patches result in system configuration changes that need to be reconciled and approved by IT teams, something seemingly as simple as applying a patch requires a complex process.
With a tool like Tripwire’s Dynamic Software Reconciliation (DSR), vendor patches are automatically categorized and approved. This provides a reliable method for identifying all legitimate changes seen during and after a security patch installation. For healthcare organizations that often have small IT security teams, DSR saves time and ensures accuracy when reconciling changes caused by vendor patches, freeing up IT resources to focus on other areas.
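The two ideas above, file-integrity monitoring and reconciling patch-driven changes, can be sketched together in a few lines. This is an added illustration, not Tripwire's code or how its products are implemented; the file names, the patch manifest format and the helper functions are all assumptions made for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff(baseline, current):
    """Return {path: (kind, new_digest)} for each added, modified or removed file."""
    changes = {}
    for path in baseline.keys() | current.keys():
        old, new = baseline.get(path), current.get(path)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "modified"
            changes[path] = (kind, new)
    return changes

def reconcile(changes, patch_manifest):
    """Approve a change only if the file now matches the digest the patch should leave."""
    approved, unauthorized = {}, {}
    for path, (kind, digest) in changes.items():
        expected = patch_manifest.get(path)
        target = approved if expected is not None and expected == digest else unauthorized
        target[path] = kind
    return approved, unauthorized

def demo():
    """Constructed scenario: one patched file plus two changes no patch explains."""
    def write(root, name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as root:
        write(root, "driver.sys", b"v1")
        write(root, "patient.db", b"chart")
        baseline = snapshot(root)
        manifest = {"driver.sys": hashlib.sha256(b"v2").hexdigest()}  # hypothetical vendor manifest
        write(root, "driver.sys", b"v2")           # change the patch is expected to make
        write(root, "patient.db", b"\x00garbled")  # change outside the manifest
        write(root, "unexpected.bin", b"new")      # file no patch accounts for
        return reconcile(diff(baseline, snapshot(root)), manifest)

if __name__ == "__main__":
    approved, unauthorized = demo()
    print("approved:", approved)
    print("ALERT unauthorized:", unauthorized)
```

Matching on the expected post-patch digest rather than on the path alone means a patched file that ends up with unexpected content is still reported.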
Case in point: hospital systems like the NHS often have large, complex networks with thousands of assets – assets that might contain vulnerabilities that could be exploited. To understand and manage the security risk on the network, a vulnerability management solution is critical to discover and profile all network assets for vulnerabilities that could be exploited.
Tripwire’s IP360 vulnerability manager not only discovers all assets on the network but also provides advanced vulnerability scoring to identify top risks. And when integrated with Tripwire Enterprise, system changes are placed in the context of their vulnerability risk. This helps small IT security teams be more efficient, directing their attention to the most critical risks and misconfigurations that make a system vulnerable to a cyberattack.
The mission of healthcare organizations is to provide care to save and improve lives. As healthcare organizations increasingly rely on network-enabled systems and medical devices, investment in foundational cybersecurity tools is imperative to ensure that malicious hackers do not successfully interfere with the mission of saving lives.
If you want to learn more about how Tripwire's product suite can help your organization be prepared for similar attacks in the future, please watch this video:
Alternatively, you can find out more about the malware's operation and how you can prevent a similar attack here