Ransomware shutting down vital services -- what's the solution?

To me it seems like most enterprises, particularly local governments, hospitals and schools, need to get rid of Windows and run off Chromebooks and cloud services. They just don’t have and aren’t going to get the technical expertise required to prevent or easily recover from ransomware attacks.

Or they need to use a super-locked-down Windows, but it seems like that would be harder to implement when the admins you have available demonstrably suck.

What they really need is a competent IT director. And yes, if not working off a straight mainframe/cloud source, then a super clamped down Windows is the only choice. If people aren’t doing that they’re insane (and stupid).

That’s kind of like saying that PC gamers all need to switch to Linux so they can avoid viruses.

Why wouldn’t they? Organizations respond to costs. At least business does.

I’m not sure what the relevance here is. Most enterprise apps are web-based, while PC games are not.

Basically because you aren’t guaranteed to get a good IT admin just by paying more, and if you don’t have good talent in place you’re not in a position to judge the talent that you are hiring.

If you can’t evaluate employees that you are hiring, the incentives are always to minimize costs.

This strikes me as a similar situation as when pirates were menacing shipping routes around Somalia. There are very clear ways to solve the problem, they just all involve money. Whether the people involved want to spend the money or not is all that matters.

So, someone is taking advantage of your poorly secured, internet-connected systems that also house your critical medical data and infrastructure? And people are both surprised that this is happening and perplexed about how to fix it?

I think this is seriously something that Baron Trump would actually be able to fix, because the solutions are all super obvious.

Hire competent IT people. Who actually care about security. Give them money to secure your systems.

Until then, unplug all your mission-critical computers from the internet and/or airgap them.

Problem solved.

Based on this comment, I assume you’re in IT and work for a terrible boss that doesn’t realize how awesome you are!

Regardless, not everywhere is like that. Once some innovative company sets the standard, other groups will follow.

I’m an optimist though.

Not sure about most, but definitely not all. And it only takes one critical app to hold everything back.

For instance, my workstation is currently using Windows 7 with Internet Explorer 8. Why? Because if we update it, something important will break.

Nope, but I’ve seen the IT practices at some small and medium non-IT focused organizations.

I’m not sure what you mean by “the standard” here. I’m sure there are existing organizations that do a great job with security, but I don’t see that spreading. My experience is that many talented IT people tend to move to larger or more IT-focused organizations as their careers progress, leaving lots of smaller enterprises either with novices or just the less good.

This is not accurate, unfortunately. For example, most EHR solutions.

On the other hand, the market leader in EHRs offers a hosted solution taking the problem off the healthcare organization’s plate (which I guess fits the “cloud services” approach). Assuming your organization isn’t a control freak about PHI, so there’s that.

This is true, which is why I quantified my statement with “most” - the problem is hosted solutions tend to be even more expensive than traditional solutions, which are themselves incredibly expensive to begin with. Smaller critical access hospitals don’t often have that choice, if they want to keep the door open for their community.

And then there is the real possibility the hosted solution is the one hit with a ransomware attack.

Usually, I’d recommend Linux, but I’m pretty sure that’s out of the question as most software used in hospitals is very likely single-platform.
And Linux is still very much hackable, just not as easily.

I don’t really think there is a way around having proper IT staff, including security. After all, hospitals have traditional security as well, don’t they? IT security should very soon become traditional as well or there will be more trouble.

I am curious what system they are on. It says they were transferring to MEDITECH last year, but no info if they completed the project.

I am sure this will make the rounds.

We had that for a little while too, then those old systems were pretty much forcefully replaced, is my understanding… as in buy a new one now. We’ve had a lot of security policies and updates over just a few years.

We’re also set up to run 100% on paper if required, or more likely in a read-only backup mode with the primary system down.

They just don’t have and aren’t going to get the technical expertise required to prevent or easily recover from ransomware attacks.

They just don’t have and aren’t going to get the technical expertise required to actually run Linux and have all of their staff use it :)

Also, things like Chromebooks, Android, desktop Linux etc. are still vulnerable to viruses and exploits. But the thing is that people don’t target those, because the vast majority of the planet runs Windows.

Should a hospital be running some form of Linux, and not update it, then a dedicated hacker could probably target it just by looking at the bug reports between then and now and designing an exploit just for those.

And that’s ignoring the apps themselves that the hospital staff will be using. Those are often complete turds and will probably be full of more exploitable security holes than the underlying OS!

The fact is that, due to the complexity of all of the systems involved, it’s quite hard to stop someone from technologically disrupting you if they want to. They’ll find a way.

Absolutely.
The question is never how to totally prevent that, but how to make it as hard as possible.
And how to be best prepared for worst-case scenarios.

Hospitals already tackle a lot of that (backup generators, etc.), but not generally IT-wise.

The UK threw GBP 12bn at NHS IT and still ended up with a ton of Windows XP computers getting taken over by WannaCry and every single trust failing their cybersecurity inspections.

I work for a large health care system; we have been manually patching a lot of medical devices (i.e. EEG, EMG, central monitoring systems, etc.) for the BlueKeep and DejaBlue vulnerabilities since the beginning of the year. Just remember, not all computers in a hospital belong to IT. Most IT PCs in our health system are newer enterprise PCs that have patching managed and pushed by IT. But these are Windows XP and Windows 7 based medical devices that are networked in the hospital. These devices are expensive to replace or refresh; once the warranty is over and the machine gets old, it just sits there and is never patched, as no one will think these are actually PCs, so they are very vulnerable to attack.

For instance, about a year ago (I think?) a transcription contractor got hit with ransomware and they were down for roughly a month. Never did hear whether they recovered themselves or paid off the attacker.

Yeah, medical devices pretty much only get updated if they’re replaced. Which is very expensive in most cases. Best you can do is firewall the shit out of them.
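An added example, not from any poster in this thread: the two comments above describe networked Windows XP/7 medical devices that cannot be patched and can only be fenced off. This script audits constructed flow records against a segmentation allowlist for such a device VLAN, flagging RDP and SMB reaching the devices from anywhere but an approved host, or leaving the devices at all. The subnet, server and jump-host addresses are assumptions.

```python
"""Audit flows to/from a legacy medical-device VLAN against an allowlist.
Assumed (constructed) layout: devices on 10.50.0.0/24, the central
monitoring server at 10.20.0.10, and one vendor jump host 10.10.0.5."""
import ipaddress
from dataclasses import dataclass

DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")
# Only these (peer address, destination port) pairs may reach a device.
ALLOWED_INBOUND = {
    ("10.20.0.10", 104),   # DICOM from the central monitoring server
    ("10.10.0.5", 3389),   # RDP only from the vendor jump host
}
# RDP and SMB: the services behind BlueKeep/DejaBlue and WannaCry,
# unpatched on these hosts, so exposure of them is the main risk.
HIGH_RISK_PORTS = {3389, 445, 139}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def parse_flow(line):
    """Parse a constructed record: 'src=A dst=B dport=N proto=tcp'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return Flow(f["src"], f["dst"], int(f["dport"]), f.get("proto", "tcp"))

def violation(flow):
    """Return a reason string if the flow breaks the policy, else None."""
    src_in = ipaddress.ip_address(flow.src) in DEVICE_NET
    dst_in = ipaddress.ip_address(flow.dst) in DEVICE_NET
    if dst_in and not src_in and (flow.src, flow.dport) not in ALLOWED_INBOUND:
        level = "high-risk" if flow.dport in HIGH_RISK_PORTS else "unexpected"
        return f"{level} inbound {flow.dport}/{flow.proto} to {flow.dst} from {flow.src}"
    if src_in and not dst_in and flow.dport in HIGH_RISK_PORTS:
        # A device initiating RDP/SMB outward is a lateral-movement sign.
        return f"device {flow.src} initiating {flow.dport}/{flow.proto} to {flow.dst}"
    return None

def audit(lines):
    """Return the list of violations found in the given flow records."""
    return [v for v in (violation(parse_flow(l)) for l in lines if l.strip()) if v]

SAMPLE_FLOWS = [  # constructed records
    "src=10.20.0.10 dst=10.50.0.7 dport=104 proto=tcp",   # allowed DICOM
    "src=10.10.0.5 dst=10.50.0.7 dport=3389 proto=tcp",   # allowed jump-host RDP
    "src=10.30.1.44 dst=10.50.0.7 dport=3389 proto=tcp",  # workstation VLAN -> RDP
    "src=10.30.1.44 dst=10.50.0.9 dport=8080 proto=tcp",  # not allowlisted
    "src=10.50.0.7 dst=10.30.1.50 dport=445 proto=tcp",   # device reaching out via SMB
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(v)
```

The same check can be run over exported firewall or NetFlow logs once the parse function is adapted to their field names.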

So who wants to talk about implantable medical device vulnerabilities? :-D