WannaCry Attack on Healthcare Shows Need for Better Detection

As May 12, 2017 dawned, healthcare staff and patients began arriving at the U.K.’s National Health System (NHS) facilities for what many expected to be a routine day of medical treatments for conditions ranging from common colds to serious surgeries.

But by mid-morning, NHS was in a state of “chaos.” Major IT systems and some networked medical devices were unusable. Patients were turned away from pre-scheduled procedures, and only the most dire of cases could be admitted to emergency rooms for treatment. Medical staff resorted to pens and paper to record notes on patients’ symptoms, diagnoses and treatments.

The NHS had become one of 300,000 victim systems across 95 countries infected by WannaCry, the largest ransomware attack to date.

WannaCry has become a real-life case study for what security researchers had warned for years is possible in healthcare networks, which pose unique challenges for security professionals. In a previous post, we outlined the scale, scope and current state of the challenge.

In some ways, WannaCry represents a unique case of ransomware. For instance, the breadth of WannaCry’s spread was enabled by its exploit of a recently disclosed zero-day vulnerability in Server Message Block (SMB) version 1 (included in Microsoft Windows), a protocol that allows networked devices to share local resources, such as printers. WannaCry was especially virulent because it self-propagated across networks, much like a computer worm. The worm-like trait of WannaCry, which allowed its rapid spread, can be distinguished from other ransomware strains, which have relied on human error to initially infect and continue spreading.

In other ways, WannaCry is like many everyday malware threats to healthcare environments. For instance, as one of tens of thousands of brand-new ransomware strains in recent years, signature-based antivirus solutions did not initially detect WannaCry because no signature existed before it was released in the wild. Microsoft issued a security patch for the SMB vulnerability in March, but many victims had failed to implement it, an all-too-frequent occurrence. And WannaCry was similar to other ransomware in effect: Medical staff and systems were paralyzed in providing patient care and services.

Certainly, “defense-in-depth” architectures employing traditional security technologies can help to secure healthcare networks from some threats. But what repeated ransomware incidents have demonstrated is that some attacks require a different approach to detection and prevention.

Healthcare environments are particularly well-suited to newer security technologies, such as supervised machine learning used at the network edge to analyze content. BluVector’s supervised machine learning detects malware threats like WannaCry at its initial breach, based on malicious traits that make it both similar to and different from previous ransomware.

All Threat Reports