Even though a security researcher discovered a kill switch that deactivated ransomware strain WannaCry’s ability to encrypt data, that doesn’t prevent the malware from scanning hospital networks and finding vulnerable systems to infect. 

Two large multi-state hospital systems, in fact, are still struggling to restore normal operations after the May 12 WannaCry ransomware attacks, the U.S. Department of Health and Human Services said in an internal email Monday. HHS did not name the health systems but did note that this is not a new attack.

WannaCry hackers exploited a Windows SMB vulnerability. Microsoft issued a patch for the flaw in a March update, and a secondary patch for outdated systems soon after the attack. These patches are able to prevent an exploit, but won’t help computers already infected with the virus. 

[Also: Hospital survival guide for a world overflowing with unsecured medical devices]

Hospital security teams should reimage any and all infected devices, then apply the latest Microsoft patch to prevent the malware from infecting new systems. 

That said, security professionals who have installed the Microsoft patch on outdated systems should know those are still at risk of infection if a hacker used another vulnerability to infect the computer. So HHS recommended that organizations block port 445 on all firewalls. 

And if you haven’t already, now is the time to work with IT vendors to make sure their systems detect and block WannaCry and try to pinpoint systems that exhibit network scanning capability consistent with WannaCry.

HHS officials also suggested that any hospitals that were infected with WannaCry report the incident to the local FBI Field Office Cyber Task Force or U.S. Secret Service Electronic Crimes Task Force -- organizations that suspect the infected of a medical device should call the FDA emergency line.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn