Secondary Care

Patches aren’t the silver bullet; hospitals can keep systems running when hit by ransomware attacks

By David Ting, Founder and Chief Technology Officer, Imprivata and Gus Malezis, President & CEO, Imprivata

As news of the WannaCry ransomware attack continues to escalate, we’d like to ask you to pause for a moment and think beyond securing your perimeter. Consider that there is, or will be, an impact to your systems and network; you may have avoided WannaCry and its variants, but one (or more) will get through in the future, and you WILL BE IMPACTED.

Consider next the scenarios that will allow you to continue operating once you’ve been hit. Assume users are going to click on bad phishing link, and that you can’t completely prevent this user behavior. What can you do to minimize the infestation and impact? If you know that too many users have admin privileges, how do you limit privileges? If you have too many insecure endpoints, how do you remove them? Be prepared to go down, but, more importantly, plan to recover and resume business as quickly as possible if and when that happens.

While it’s been universally acknowledged that there’s little hospitals can do to prevent ransomware and other cyberattacks outright – due to user error and susceptibility to phishing attacks – there’s been much conversation around mitigating these types of attacks by patching systems. “Patch early and patch often” is good advice and should always be observed. However, when it comes to these types of cyberattacks, patching alone doesn’t stop the problem, it only stops the propagation of the malware. Why? Because the real source of the problem isn’t the systems, it’s the users who initially downloaded them onto their computers.

So, if you have to make the assumption that your systems are going to get compromised, how do you build resiliency around your users? How, as a healthcare industry, do we focus beyond keeping the bad guys out, to keeping our systems running?

First, and as part of a best-practices systems hardening approach, we’ve got to manage user-system privileges. The majority of users in clinical settings have full admin rights to their systems. In many cases, admin access is necessary in order for users to access legacy applications, but if a user can’t control software or run software that’s not vetted by IT, why should they have admin level privileges? It’s too easy for a user in a rush to click on a link and download malware hidden in an attachment.

We’ve learned from our customers that anywhere from 8 to 28% of users will click on a malicious link in their email. Phishing exercises and other methods of user education can be helpful tools to prevent user error, but to truly manage user vulnerability, hospital IT teams should adhere to the principle of least privilege. Take steps to limit admin rights, or, at the very least, ensure that machines with admin access can be locked down or quarantined immediately in the event of a cyber incident.

Even after you limit individual admin rights, many shared workstations still have admin level privileges to support running legacy applications. The best way to limit user access on all workstations across the hospital, and further increase resiliency in the event of a cyber attack, is to implement virtual desktop infrastructure (VDI) and eliminate antiquated desktop machines completely.

Consider that an infected virtual desktop is detected and immediately extinguished, thereby eliminating the source of the infestation and risk to the business. In rapid recovery, a new, clean virtual desktop image is instantiated, and now the user is operationally back in seconds. Contrast that to the corresponding and necessary work and process to cleanse and restore an infected physical desktop; this would take hours and/or days. Not only does this modernize your entire infrastructure, but also with virtual desktops:

  • The desktop for a user can be customized for the particular role, enabling IT to control user privileges at a fine grain level.
  • Access to data comes from a controlled and hardened (the server sitting in the data center) system, versus data spread out on thousands of devices in all sorts of conditions.
  • Vulnerable endpoints are promptly removed, so there’s nothing to breach. IT creates a personalized virtual environment for the role of users, and then controls what users access.

Adoption of VDI technology in healthcare has increased steadily from 2011 to 2015, from 35% to 66%; by the end of 2017, adoption is forecasted to be 81%. By reducing reliance on individual desktops and workstations, hospitals ensure that their systems can get back up and running fast after a breach. All they have to do is end the VDI session and they’re right back in business with a clean image free of any malware.

So, please install those patches, but try to remain focused on resilience and rapid recovery. Adopt the principle of least privilege, modernize your infrastructure with VDI, and let’s all work together to beat these hackers at their own game.