A massive ransomware attack using a vulnerability released as part of a dump of NSA data has disrupted services in the UK’s National Health Service and many other government and private organizations across Europe. Thanks to an incredible stroke of luck on the part of a British researcher, the main wave of the attack didn’t have much of an impact in North America, but it serves as a sobering warning of the risks ransomware poses and the danger of using outdated legacy systems for vital services: many of the UK’s hospitals still run Windows XP.
The attack exploited a vulnerability in the Windows SMB system, a patch for which was released some weeks before the attack. It appears the attacks weren’t intended to target healthcare providers. The ransom demands were unusually low for a targeted attack against a large organization. Rather, the criminals fired off their malware without caring who was hurt.
Unfortunately, we can expect to see more attacks of this sort in coming years. Amoral criminals are a fact of life on the web, and organizations must expect to be attacked and have processes in place to mitigate the likelihood that the attacks are successful.
So what can organizations do to reduce the chances that a ransomware attack will take their critical infrastructure offline?
Large organizations move slowly, especially when they manage thousands of machines in multiple locations. The criminals have no such limitation, as demonstrated by the speed with which the SMB vulnerability went from wide disclosure to practical application. Organizations must be prepared to install patches as soon as they become available.
Ransomware depends on being able to deprive organizations of data. Even if a ransomware attack is successful, recovery time can be reduced to hours if the data is backed up and alternative infrastructure hosted off-site is ready to take over. Disaster recovery planning should be at the heart of any organization’s IT strategy. We’ve seen what can happen when it isn’t.
Let’s imagine an alternative scenario. Instead of thousands of old PCs running legacy software on Windows XP, the affected organizations used thin clients that accessed cloud applications or Desktop-as-a-Service platforms. The data was backed up off-site and standby infrastructure was ready to go.
Cloud platforms of this sort are easier to patch quickly and automatically than a massively distributed and heterogeneous collection of desktop machines, so it’s entirely likely that the vulnerability could have been patched before the attack hit. Even if the attack was successful, recovery could have been much faster. Virtual desktops might have been quickly reimaged to restore a known good version and data quickly restored from backups. Recovery would have taken hours rather than days, and when critical healthcare services are involved, time is of the utmost importance.
Businesses and public service providers have a responsibility to be prepared. The criminals aren’t going anywhere, but the technology exists to minimize their impact.