20 February 2016
In both cases the attack was initiated by emails with malicious attachments. In both cases the impact was nearly the same: Hospital operations came almost to halt. And in both cases the IT groups were able to prevent the worst by rapid and effective intervention.
IT operations, and thus medical operations, was massively hampered for some days because the malware rapidly changed its code. In such cases pattern based anti-malware systems have only a limited effect in recovery of IT operations.
From my point of view, an effective ISMS is the best way to deal with ransomware. And the way the IT groups dealt with the attack shows, that they have an ISMS or something similar implemented and practiced.
Hospitals are becoming increasingly dependent on a fully operational IT infrastructure. Even a shutdown of some days is hardly possible. Therefore, we need an entirely new approach for providing services to hospital staff.
Spear phishing attacks, drive-by downloads, java script attacks, etc. are omnipresent today. Thus computers are potentially compromised because they are connected to the internet. This holds even if the computers are operated inside a company network only.
The ‘trusted computer in a trusted company network’ paradigm is no longer relevant. A shift to the ‘zero trust’ paradigm is imperative to prevent unacceptable outtakes.
The good news is that the technology for implementation of a ‘zero trust’ paradigm is ready today:
The hospital IT systems are isolated in a Core Data Services Network (CDSN). Access to the CDSN is provided via virtual desktops. The Virtual Desktop Infrastructure (VDI) is hosted in the CDSN. Email- and internet access is blocked in the CDSN, as well as data exchange between the virtual desktops and the user workstations. Data exchange between the CDSN and the user workstations is controlled through secure gateways. Only the user workstations or smart devices have access to the internet and the company’s email system, which remains outside the CDSN.
This is just a blue print. With Software Defined Networking it’s easier to implement today.
The big advantage is that, even if a user’s workstation is compromised, the likelihood of an impact on the hospital’s IT systems and data in the CDSN is dramatically reduced. And recovery from an attack with ransomware is very easy: Run a fresh installation of Windows on the compromised computer. Sound’s easy, doesn’t it?
Have a good weekend.