Patch management can be a tedious task for practices. It is time-consuming and sometimes, it can cause computers not to boot back up. Because of this, a lot of practices often let this task fall to the wayside. This is especially true in small practices where this often falls to practice managers who are already overworked. Unfortunately, keeping your computers patched and up to date is critical to protecting your data. The city of Baltimore is finding that out now first hand as they deal with a city-wide outbreak of ransomware that has shut down most of the government computers for over three weeks.
On May 7, 2019, the city government of Baltimore’s computers was infected with ransomware. The attackers had frozen computers responsible for real estate sales, health service alerts, water bills, and many others. A demand was made by the attackers for $17,000 per system or $102,000 for all of them. The ransom note said:
“We won’t talk more, all we know is MONEY!”
The city immediately reached out to the FBI for help. But as of now, the Bureau hasn’t been able to locate the group responsible for the attack. They type of ransomware that was used was, however, identified as “RobbinHood”. This is a new type of malware that has been making the rounds recently.
But this isn’t the scariest part of this story.
Ransomware using stolen US government tools
In 2017, a secretive group of hackers released a trove of tools created by the US National Security Agency online. These tools were designed to exploit holes found in various operating systems and programs like Mircosoft Windows. The NSA likely used the tools for attacking the computers of unfriendly governments and terrorist groups. This group called itself the Shadow Brokers. All of the exploits that were released for previously unknown to software manufacturers such as Microsoft. Many of these exploits were able to compromise Windows systems.
The release of these tools has been called the most serious breach of NSA security, ever. Even more destructive than the revelations of Edward Snowden.
One of the exploits, known as EternalBlue, was first used in ransomware back in 2017. Hackers from Russia, North Korea, and China have used the tool to wreak havoc all over the world and cause billions of dollars in damage. In 2017, the WannaCry ransomware attack used EternalBlue to spread worldwide. After that, the NotPetya cyberattack also used EternalBlue.
Microsoft released an emergency patch for the vulnerability that EternalBlue exploited in March 2017. The NSA had known about the vulnerability for at least five years and had not informed Microsoft. After the theft of its tools, the NSA was forced to release the vulnerability information to Microsoft, who was then able to create a patch for it.
In this latest ransomware attack, it appears the city of Baltimore never installed the patch update released by Microsoft. Even though it was released more than two years ago, the patch doesn’t seem to have made it to the city’s computers. This opened the city up to the current ransomware emergency.
Patch management is critical for achieving HIPAA compliance
This current emergency illustrates why keeping your computers up to date with patch management is so critical. The simple task of not installing a single update over two years ago led to what is likely to be a very expensive mistake for the city of Baltimore.
Practices may think that they are too small for such an attack to happen to them. Unfortunately, this isn’t the case. A recent ransomware attack targeted a small practice in Michigan and caused it to close down for good.
Everyone is a target. Hackers are not looking for cities or practices. They are simply looking for vulnerable computers. Think of it as a thief going through a subdivision and trying the front door of every house. He doesn’t know who lives in the house, just that the door is open. When he finds an open door, he robs the house. Ransomware works the same way. Hackers scan the internet looking for computers that are susceptible to specific holes, or vulnerabilities. Once they find one, they begin the ransomware infection. One of the ways to stop this is to make sure you have kept up with your patch management up to date. If your computers don’t show up on these scans, your chances of being infected go down tremendously.
Don’t take my word for it. Here it directly from HHS:
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” OCR Director Jocelyn Samuels
You can read the bulletin here.
HHS also wants your practice to take patch management seriously. It’s a critical part of protecting your patient data.
Keeping your software up to date isn’t just about your operating system. It also includes your practice management and EMR software.
Your Risk Assessment should outline this as a threat and your policies and procedures should have a documented process for addressing these issues.