Summer 2017 Newsletter - Forget Fancy Tools

Back to the Basics of InfoSec: Impact of WannaCry on Hospitals & Healthcare

By Jason Johnson, Board Member, NorCal HIMSS

Raise your hand if the last couple of weeks have made you WannaCry. For the record, my hand is up. Since the outbreak of the WannaCry ransomware worm on May 12, security professionals and system administrators have been scrambling to patch systems, gather data, and assess the real impact.

While the latest cyber incident did not have a huge impact in the US, save for some Bayer medical gear running XP, it did wake people up all over the world to the reach that a cyber attack can have. But wait, everyone said there was a patch released two months ago, so currently patched and updated systems are not vulnerable. What a relief, right? Wrong. Since most large organizations, especially in healthcare, are 90-120 days behind on patching, countering this outbreak was squarely on the shoulders of system administrators. Healthcare is especially vulnerable since some systems are vendor-managed and/or FDA-regulated.

Many of us in Health IT, and cyber security especially, are constantly inundated with countless emails, calls, and LinkedIn messages about the latest cool new security tool that will save our organization’s nether regions when an attacker comes knocking at the door. While we all need to keep our eyes on the product landscape to ensure our networks are as secure as possible, I challenge you to get back to the basics. Good security does not mean having dozens of the latest tools in your stack. A lot of the time, it simply means good system administration.

Even if you have these basic tools in place, slamming a patch or security change into production can have very adverse effects, to say the least, as seen recently in Queensland. In a situation like the WannaCry outbreak, there will not be time to test the patches against every application. This is where a partnership with our vendors is critical. Healthcare organizations must demand quick turnaround times for vendors to test critical OS patches, timely communication about threats, and readily available assistance when security changes cause problems.

A threat like WannaCry will come up again, soon, and there will likely be another patch or fix against it shortly before or after. Instead of calling your security product account executives, take a step back and clean up what you already have in place. Deploy central software management, clean up Active Directory and DNS, and review group policies. Reporting can also be a bottleneck, since a rapidly evolving threat will not wait for your teams to manually check hundreds or thousands of servers and endpoints.

Another unique challenge within healthcare, and hospitals especially, is that we do not shut down after 5pm (or should I say, 17:00). Many organizations have been trying to get a monthly or quarterly downtime window to apply system updates and changes. Some have succeeded in getting buy-in from senior leadership, but for the many who have not, now is the time to revisit this necessary approach.

The next threat could hit the US harder than this outbreak, and we will not have weeks or even days to clean up our asset management system. We need to stay nimble and as up to date as possible to ensure our patients’ information and our business continuity stay intact and secure.