Global ransomware attack raises questions about basic cybersecurity measures
A ransomware attack launched May 12 crippled systems around the world and raised questions about the healthcare industry’s ability to withstand a massive cyberattack. A variant of ransomware called WannaCry infected more than 300,000 computers in 150 countries; victims included the United Kingdom’s National Health Service (NHS) and the international shipping company FedEx, the Telegraph reported.
The United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) released an email warning May 12 with details about the attack. WannaCry spreads by exploiting a known vulnerability in version 1 of Microsoft’s Server Message Block protocol (SMBv1), a vulnerability Microsoft addressed in its March 14 security update (bulletin MS17-010); any unpatched Windows machine reachable on the SMB port can be infected without a user doing anything. One of the potential infection vectors is phishing emails, according to the FBI. US-CERT’s alert also included recommended steps for prevention such as applying the Microsoft patch, enabling spam filters and antimalware software, testing backups, and assigning users the lowest level of privilege necessary for their duties. Organizations infected by WannaCry are encouraged to contact their local FBI field office.
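The two conditions WannaCry relied on, SMBv1 still enabled and the MS17-010 update absent, can be checked from an administrative PowerShell prompt. The script below is an added example written for this page; it is not code from US-CERT, Microsoft, or the article’s sources. It assumes it is run as Administrator, and the KB identifiers in $Ms17010Kbs are placeholders you fill in from the MS17-010 bulletin for your operating system build (the two listed are the March 2017 security-only and monthly rollup packages for Windows 7 / Server 2008 R2).

```powershell
<#
  Added example, not from the original page: report whether this host still has SMBv1
  enabled and whether an MS17-010 package is installed, and optionally disable SMBv1.
  Run as Administrator. $Ms17010Kbs is an assumption: replace with the KB numbers the
  MS17-010 bulletin lists for your OS build.
#>
param(
    [switch]$DisableSmb1,
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # The SMB1 registry value is what Microsoft documents for disabling the protocol
    # (KB2696547) and exists on every supported Windows version. If the value is
    # absent the protocol is at its default, which is enabled.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $enabledByRegistry = ($null -eq $reg) -or ($reg.SMB1 -ne 0)

    # Windows 8 / Server 2012 and later also expose the setting through a cmdlet;
    # on older systems the cmdlet does not exist, so only the registry is consulted.
    $enabledByCmdlet = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabledByCmdlet = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1EnabledByRegistry = $enabledByRegistry
        Smb1EnabledByCmdlet   = $enabledByCmdlet
    }
}

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by KB id. One package from the bulletin is
    # enough. Caveat: later cumulative updates supersede the March 2017 packages, so
    # a host patched for the first time after April 2017 can be fixed and still show
    # "not found" here; treat a negative result as "verify", not "vulnerable".
    foreach ($kb in $KbIds) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { return $kb }
    }
    return $null
}

function Disable-Smb1 {
    # Prefer the cmdlet where it exists; fall back to the documented registry value.
    # Either way the change takes effect only after the Server service restarts,
    # so a reboot is the reliable way to apply it.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

$status      = Get-Smb1Status
$installedKb = Test-Ms17010Installed -KbIds $Ms17010Kbs

$status | Format-List
if ($installedKb) {
    Write-Host "MS17-010 package present: $installedKb"
} else {
    Write-Warning "No MS17-010 package from the list found; confirm patch level before trusting this host."
}

if ($status.Smb1EnabledByRegistry -and $DisableSmb1) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled in configuration; restart the Server service or reboot to apply.'
} elseif ($status.Smb1EnabledByRegistry) {
    Write-Warning 'SMBv1 is enabled. Re-run with -DisableSmb1 to turn it off.'
}
```

Run it across a fleet with Invoke-Command -ComputerName (the script only reads local state unless -DisableSmb1 is given), and keep an inventory of anything that must keep SMBv1 for a legacy device so those hosts get network isolation instead of silently staying exposed.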
The Office for Civil Rights (OCR) released a series of email updates to its HIPAA privacy and security listservs. A ransomware infection is considered a security incident under the HIPAA Security Rule. OCR presumes a breach when ransomware encrypts PHI unless the data was already encrypted to at least National Institute of Standards and Technology (NIST) standards at the time of the attack.
The covered entity (CE) or business associate (BA) must prove through forensic or other evidence that the affected protected health information (PHI) was properly encrypted at the time of the attack. In addition, the CE or BA must perform a four-factor risk assessment to determine whether the incident is a reportable breach, according to OCR’s ransomware guidance. The risk assessment must be conducted, and any breach reported, without unreasonable delay and no later than 60 days after the CE or BA knew or should have known of the breach. A request by law enforcement to hold reports tolls the 60-day reporting deadline, OCR said. Reporting to local or federal law enforcement, DHS, or other HHS agencies does not constitute reporting to OCR. Breaches must be reported to OCR following the requirements set out in the HIPAA Breach Notification Rule. CEs and BAs can find additional resources on HIPAA and ransomware at OCR’s security rule guidance and security FAQs.
Cybersecurity experts were able to slow the spread of the ransomware, according to Wired, after a researcher registered a domain name the malware checked before encrypting, which acted as a kill switch. Although WannaCry had a massive impact, experts believe it was not a sophisticated type of malware. The investigation into the origins of WannaCry is still ongoing.
Healthcare organizations in the U.S. may have dodged the attack, but they can learn some valuable lessons from the incident, says Frank Ruelas, MBA, president of HIPAA College in Casa Grande, Arizona.
“A fortunate aspect about lessons learned from this incident is that many hospitals will benefit from not having to go through the ordeal of dealing with the WannaCry malware attack,” he says. “For one thing, this event clearly highlights the need for the timely installation of software patches.”
Microsoft generally releases patches on the second Tuesday of each month, known as “Patch Tuesday” in the IT community, Ruelas says. It is vital that IT departments install patches in a timely manner to address issues such as security vulnerabilities the patches are designed to fix. Some patches are minor and may require a system reboot that takes only a few minutes. Other patches may take longer to install. Understanding how long a patch may take to install will help organizations decide when to schedule installation to cause the least amount of disruption while getting the patch installed as quickly as is practical, Ruelas says.
“I believe that looking at the organization’s patch management process starting with when the patch is available through the steps leading to and including how and when the patch gets installed is an excellent exercise,” Ruelas says. “This way organizations can validate if their process is operating as expected and within the expectations of the organization or if there may be some fixes that are needed to address any process issues that may exist.”
Ransomware is a type of malware; therefore, prevention is not significantly different from measures used to protect against malware in general. It’s the response that singles ransomware out. Awareness and organization are key to a successful ransomware response, Ruelas says.
“I strongly suggest that organizations have a well-established communication tree to ensure that the identified individuals that are tasked to respond to incidents are notified in as timely a manner as possible,” he says.
Organizations must take responsibility for leaving themselves open to attacks, says Kevin Beaver, CISSP, independent information security consultant at Principle Logic, LLC, in Atlanta, Georgia.
“Every single one of us working in IT, security, and business today is complicit in these challenges,” he says. “From inadequate network security controls to gaps in software patching to people clicking where they shouldn’t, these ransomware attacks spread for a reason. I don’t know how many more widespread malware infections and breaches we’ll have to endure, but I do know that everyone has a hand in these challenges before us.”