The WannaCry ransomware attack that affected numerous sectors around the world, including healthcare organizations, was caused by North Korea, according to Tom Bossert, assistant to the president for homeland security and counterterrorism.
Bossert explained in a Wall Street Journal op-ed that North Korea was directly responsible for the cyber attack that “encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes.”
“We do not make this allegation lightly,” Bossert wrote. “It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.”
The Trump administration has since started to modernize “government information-technology to enhance the security of the systems” in the US, he added. Developers are also being asked to create patches for potentially vulnerable systems, and governments around the world are being asked to share information on vulnerable software.
“We call on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and other bad actors the ability to launch reckless and destructive cyberattacks,” Bossert stated. “We applaud Microsoft and others for acting on their own initiative last week, without any direction or participation by the U.S., to disrupt the activities of North Korean hackers.”
DHS and the Federal Bureau of Investigation (FBI) also discussed Trojan malware variants used by the North Korean government in a recent report posted on the US Computer Emergency Readiness Team (US-CERT) website.
The agencies elaborated on North Korean government malicious cyber activity, which is referred to as “Hidden Cobra.” Those malware variants are used “in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the report explained.
DHS and the FBI detailed seven malicious executable files that could potentially impact organizations. These files include ones that “are proxy applications that all use a similar cipher algorithm to mask traffic between the malware and the remote operator.”
“Two of the five proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” the report cautioned. “The remaining two (2) executables are remote access tools (RATs), providing remote users with the ability to run various commands on an infected system.”
The report also reminded organizations to adhere to US-CERT best practices with regard to cybersecurity measures. This includes maintaining current antivirus signatures and engines and also restricting users' permissions when it comes to installing and running unwanted software applications.
Entities should also implement regular password changes with employees and ensure that there is a strict password policy. Staff members should also be taught to practice caution with opening email attachments, especially if from an unknown sender.
US-CERT also states organizations can do the following for a strong cybersecurity approach:
- Keep operating system patches up-to-date
- Enable a personal firewall on agency workstations
- Disable unnecessary services on agency workstations and servers
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header)
- Monitor users' web browsing habits; restrict access to sites with unfavorable content
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.)
- Scan all software downloaded from the Internet prior to executing
- Maintain situational awareness of the latest threats; implement appropriate ACLs.
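The "true file type" check from the list above, as an added example that is not from the US-CERT report or this article: it compares an attachment's claimed extension with its leading magic bytes and fails closed on anything it cannot classify. The signature table covers a few well-known public formats only, and the sample attachments are constructed for illustration.

```python
import os
from typing import Dict, List, Optional, Set, Tuple
# Leading bytes ("magic numbers") of common attachment formats. These are the
# public, well-known signatures; the table is illustrative, not exhaustive.
SIGNATURES: Dict[str, List[bytes]] = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "zip": [b"PK\x03\x04"],   # .docx/.xlsx are ZIP containers too
    "pe": [b"MZ"],            # Windows executables and DLLs
}
# Which detected format each claimed extension may legitimately carry.
ALLOWED: Dict[str, Set[str]] = {
    ".pdf": {"pdf"}, ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".gif": {"gif"}, ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".exe": {"pe"}, ".dll": {"pe"},
}

def detect_format(data: bytes) -> Optional[str]:
    """Identify a format from the file's leading bytes; None if unrecognised."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None

def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the header agrees with the
    extension; unknown extensions or headers fail closed."""
    ext = os.path.splitext(filename.lower())[1]
    fmt = detect_format(data)
    if ext not in ALLOWED:
        return False, f"{filename}: extension {ext or '(none)'} is not allowed"
    if fmt is None:
        return False, f"{filename}: header not recognised"
    if fmt not in ALLOWED[ext]:
        return False, f"{filename}: extension {ext} but header says {fmt}"
    return True, f"{filename}: {fmt} header matches extension"

if __name__ == "__main__":
    # Constructed samples, including a PE executable renamed to .pdf (the disguise to catch).
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
        "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    }
    for name, content in samples.items():
        ok, reason = check_attachment(name, content)
        print("PASS" if ok else "QUARANTINE", "-", reason)
```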
Healthcare organizations must take great care to ensure that all of their systems are regularly updated and that all employees are trained properly on the latest cybersecurity best practices. The WannaCry ransomware attack was a large-scale example of why software updates are so critical to the industry.
Outdated Microsoft Windows operating systems were a key reason the WannaCry attack was so successful, and the malware utilized the EternalBlue exploit that was allegedly developed by the National Security Agency (NSA).
FirstHealth Network of the Carolinas was one such healthcare organization that fell victim to WannaCry, and was forced to shut down its information system network in an effort to mitigate the damage.
“FirstHealth has more than 4,000 devices and more than 100 physical locations connected to its network, and each are being thoroughly checked to ensure there is no virus risk,” FirstHealth said in a statement. “As a result of the quick response by the Information System security team, the virus did not reach any patient information, operational information or databases. Patient information has not been compromised.”
FirstHealth said it implemented an anti-virus patch that was specifically developed for the virus. The organization’s Epic EHR system was not impacted and the FirstHealth MyChart was still accessible.
“We are experiencing some delays and appointment cancellations as a result of the downtime event,” FirstHealth said. “This does not apply to critical and emergent needs.”
When cyber attacks affect healthcare systems, there is a potential that patient care could also be impacted. Entities must remain vigilant in keeping systems and software updated and properly patched to mitigate widespread damages.