Remember WannaCry? The ransomware worm attacked hospitals among other industries in 2017 by exploiting a weakness on Windows machines. Once in a network, the worm would encrypt files and hold them ransom.

What happened?

Security researchers eventually shut most of the worm down, but it is still rampant throughout the internet. Armis has found in a new study that the worm is not only healthy but continues to wreak havoc.

Armis’ Ben Seri, vice president of research, and Michael Parker, CMO, spoke about what made WannaCry so difficult to eradicate, why hospitals remain ripe targets, and what they can do to prevent attacks and the spread of ransomware.

Why it matters?

“I think that the fact that WannaCry was so loud and made so much noise, that kind of made people in the industry take notice,” Seri said. Still, many of the virus’ properties enable it to thrive in the kind of networks hospitals maintain.

“Part of the reason the healthcare industry is so affected is because it has so many unmanaged devices in its networks,” he said, including things like running older versions of operating systems that are no longer supported. “In many cases, it’s just too much of an effort for hospitals to be able to upgrade these systems.”

The software in a medical-specific device is often custom made, Seri says, and “to get an upgrade of the system is very difficult,” as manufacturers are loath to rush out any modification that could impact patient safety. Because of this, machines with outdated software can remain sitting ducks long after vulnerabilities are known.

What is the trend?

“WannaCry is very aggressive in its ability to spread,” Seri explained. He warns that because of this, segmentation alone is not enough to stop the spread of malware. For example, an organization could see a network removed from the internet as “secure enough,” and not needing additional scrutiny. An infected computer might escape notice and lie dormant for a period of time.

“Eventually mistakes happen,” Seri stated. “Parts of the network might be even temporarily bridged and connected to other parts of a hospital network.”

Additionally, a new class of devices is emerging that can’t receive patches or direct security updates. These range from things like smart TVs to Internet of Things-enabled HVAC systems. They can easily fall prey to a malware attack like WannaCry because of their simple architecture, which may not fit into a hospital’s existing network management agent.

“You need to identify what devices are most at risk from attack,” Seri advised. He said that organizations can find these vulnerable machines through careful inventory and auditing – then apply patches where possible.

“But you need to do better than that,” he contended. “You need to be able to monitor incoming connections and the front doors of the network. You need to be understanding the risks on a daily basis.”

Having an up-to-date picture of all of the assets on a network allows a hospital to proceed accordingly. Knowing which IoT devices are active means knowing which communications to the outside internet are allowed and which should be blocked or could signal a breach or attack. Because ransomware worms are far from being eradicated, hospitals need to understand the risks and have a plan to be prepared.

On the record

CMOs should “want to know everything in and around the hospital environment and healthcare delivery organization,” Parker said. “Anything in and around it on the network becomes a potential exposure point.”

Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.
Twitter: @BenzoHarris.