When patches fail: How to keep hospitals running when a ransomware attack hits

Affecting computers in at least 150 countries across the globe, the WannaCry ransomware attack is yet another reminder that it’s not a matter of if, but when, a system will get hit with a cyberattack.

Security leaders must think beyond securing the perimeter of their enterprise. Be prepared to go down, but, more importantly, be ready and able to resume business when it happens.

You will get hit: Planning for post-attack

It bears repeating: You will get hit, and you must plan for it. Part of that is taking proactive steps to safeguard against risk. If you assume users are going to click on a bad link, how do you stop it? If you know that too many users have admin access, how do you limit privileges? If you have too many insecure endpoints, how do you remove them?

While there’s little that hospitals can do to prevent ransomware and other cyberattacks outright, patching is one way to help mitigate risk. “Patch early and patch often” should be the mantra. But when it comes to these types of cyberattacks, patching alone doesn’t stop the problem; it only stops the propagation of the malware. This is because the real source of the problem isn’t the systems, it’s the users who initially downloaded the malware onto their computers.

Operating under the assumption that your system is going to get compromised, how do you build resiliency around your users? How, as a healthcare industry, do we focus beyond keeping the bad guys out, to keeping our systems running?

Build resiliency by managing user rights

The first step is to manage user rights. The majority of users in clinical settings have full admin rights to their systems. In many cases, admin access is necessary in order for users to access legacy applications, but if a user can’t control software or run software that’s not vetted by IT, why should they have admin level privileges? It’s too easy for a user in a rush to click on a link and download malware hidden in an attachment.

We’ve learned from our customers that anywhere from eight to 28 percent of users will click on a malicious link in their email. Phishing exercises and other methods of user education can be helpful tools to prevent user error, but to truly manage user vulnerability, hospital IT teams should adhere to the principle of least privilege. Take steps to limit admin rights, or, at the very least, ensure that machines with admin access can be locked down or quarantined immediately in the event of a cyber incident.

Update infrastructure with VDI

Even with limited individual admin rights, many shared workstations still have admin level privileges to support running legacy applications. The best way to limit user access on all workstations across the hospital and further increase resiliency in the event of a cyberattack is to implement virtual desktop infrastructure (VDI) and completely eliminate antiquated desktop machines.

Consider that an infected virtual desktop is detected and immediately extinguished, eliminating the infestation source and the risk to the business. With rapid recovery, a new, clean virtual desktop image is instantiated and the user is operationally back in a matter of seconds. Conversely, the work and process to cleanse and restore an infected physical desktop would take hours or even days. Not only does this modernize entire infrastructures, but virtual desktops also:
• Customize desktops for users in particular roles, enabling IT to control user privileges at a fine-grained level.
• Access data from a controlled and hardened system, versus data spread across thousands of devices in various conditions.
• Remove vulnerable endpoints, so there’s nothing to breach. IT creates a personalized virtual environment for each user’s role and controls what users can access.

Adoption of VDI technology in healthcare has increased steadily from 2011 to 2015, from 35 percent to 66 percent. By the end of 2017, adoption is forecasted to be 81 percent. By reducing reliance on individual desktops and workstations, hospitals ensure that their systems can get back up and running quickly after a breach. All they have to do is end the VDI session and they’re right back in business, free of any malware.

So, while installing patches is key, try to also remain focused on resilience and rapid recovery. Adopt the principle of least privilege, modernize your infrastructure with VDI, and let’s beat these hackers at their own game.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
