It’s been almost two years to the day (May 12, 2017) since WannaCry struck networks around the world. It’s a not-so-happy anniversary for healthcare, but it was the event that precipitated the founding of Medigate. Fast forward two years to this week: Microsoft has issued an advisory for a vulnerability nicknamed BlueKeep, which has the potential to be the 2019 version of WannaCry.
BlueKeep could allow an unauthenticated remote attacker to connect to a Windows system – in this case a medical device – over Remote Desktop Protocol (RDP) and execute arbitrary code on it without any user interaction whatsoever. And if that isn’t worrisome enough, the flaw is wormable: malware that exploits it could spread from one vulnerable device to the next across the network with no human in the loop, just as WannaCry did.
So the multi-million dollar question is: Did the industry learn what it needed to from WannaCry? Here’s what you need to know.
1. Get familiar with the remote code execution vulnerability (CVE-2019-0708)
- The vulnerability affects Windows Remote Desktop Services and is rated Critical by Microsoft (CVSS v3 base score 9.8). It requires neither user interaction nor valid credentials, which means that any vulnerable Windows system reachable over RDP, and above all one exposed to the internet, is at risk of direct attack.
- BlueKeep affects clients, servers and embedded devices running Windows XP, Windows Server 2003, Windows 7, Windows Server 2008 and Windows Server 2008 R2. Windows 8 and later, including Windows 10, are not affected.
- Remote Desktop listens on TCP port 3389 by default to allow remote login to the Windows device; that is the port an attacker needs to reach.
- The Windows versions listed as vulnerable to BlueKeep are still widely used in healthcare.
- Microsoft released patches even for the out-of-support versions (Windows XP and Windows Server 2003), but those patches likely can’t be applied directly to medical devices. Medical devices require patches verified by the device manufacturer (OEM).
2. Identify what is at risk on your network
- Inventory potentially affected devices. You must identify the OS and software version for each device. It’s a tedious process if you don’t have the right tools in place, but it’s a critical step. This, by the way, is the step where most organizations failed during WannaCry.
- Correlate the CVE to the vulnerable medical devices you identified: a device is in scope if it runs one of the affected Windows versions, and it is exposed if RDP (TCP 3389) is actually reachable on it.
- Prioritize the list of identified devices. This is easier said than done; you’ll need to apply an understanding of clinical workflows to the identified devices, weighing how exposed each one is against what it does for patients.
3. Start remediation process
- Get certified patches from the manufacturer of each device on your list. Clinical Engineering will need to reach out to each manufacturer to begin the process. Due to the sheer number of device manufacturers, the outreach and tracking can be challenging and time consuming.
4. Begin mitigation immediately
It will take a while for the manufacturers to create their patches, and you don’t want to leave your medical devices exposed in the meantime.
- Block the relevant RDP communications using restrictive policies enforced by NAC and firewall: permit TCP 3389 to each affected device only from the hosts that legitimately need it (a vendor’s remote service gateway, for example) and deny it from everywhere else, starting with the internet.
- Where a device runs Windows 7, Windows Server 2008 or 2008 R2 and the manufacturer permits the configuration change, enabling Network Level Authentication (NLA) is the partial mitigation Microsoft recommends: it forces authentication before the vulnerable code path is reached, so an attacker would first need valid credentials. It is a stopgap, not a substitute for the patch.
- It is critical to know what each device does before you block its communications. You don’t want to block traffic the device depends on, which could alter how it functions or jeopardize the care of the patient.
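Steps 2 and 4 above are the two places where a script can take the tedium out of the work: matching each inventoried OS string against the affected list and ordering the hits, then drafting the per-device RDP rules so that known legitimate peers are kept and everything else is denied. The following is an added example, not Medigate’s product or any manufacturer’s code; the inventory records, host names, IP addresses and the clinical criticality weights are all constructed for illustration, and only the affected-OS list comes from Microsoft’s advisory.

```python
"""Triage a device inventory against CVE-2019-0708 (BlueKeep) and draft the
RDP-blocking policy for whatever is still exposed.

Added example, not Medigate's tooling. The inventory, host names, addresses
and criticality weights are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Windows versions in Microsoft's advisory. Windows 8 and later (including
# Windows 10) are not affected, so they are deliberately absent here.
AFFECTED_PREFIXES = (
    "windows xp",
    "windows server 2003",
    "windows 7",
    "windows server 2008",      # also matches "windows server 2008 r2"
)
RDP_PORT = 3389

# Clinical criticality weights: an assumption for this example. A real
# inventory would carry the hospital's own tiering.
CRITICALITY = {"life-support": 3, "imaging": 2, "workstation": 1}


@dataclass
class Device:
    name: str
    ip: str
    os: str                      # vendor-reported OS string, as inventoried
    clinical_role: str           # key into CRITICALITY
    rdp_listening: bool          # TCP/3389 open (from a scan or passive discovery)
    rdp_peers: List[str] = field(default_factory=list)  # hosts that legitimately RDP in
    oem_patch_available: bool = False  # manufacturer-verified patch released?


def is_affected(os_string: str) -> bool:
    """Normalise an inventoried OS string and match it against the affected list.

    'Windows 7 Professional SP1' is affected; 'Windows 10 Enterprise' is not.
    A prefix match on 'windows 7' cannot hit 'windows 8' or 'windows 10'.
    """
    key = " ".join(os_string.lower().split())
    return key.startswith(AFFECTED_PREFIXES)


def risk_score(d: Device) -> int:
    """Higher means fix first. Exposure outweighs criticality on its own:
    a device that is not listening on RDP is not reachable by the wormable path."""
    if not is_affected(d.os):
        return 0
    score = CRITICALITY.get(d.clinical_role, 1)
    if d.rdp_listening:
        score += 4
    if not d.oem_patch_available:
        score += 1
    return score


def triage(inventory: List[Device]) -> List[Device]:
    """Step 2: correlate the CVE to the inventory, highest risk first."""
    hits = [d for d in inventory if is_affected(d.os)]
    return sorted(hits, key=risk_score, reverse=True)


def rdp_policy(d: Device) -> List[Dict[str, str]]:
    """Step 4: draft per-device RDP rules for the firewall or NAC.

    Allow 3389 only from the peers the clinical workflow needs, then deny
    everyone else. A device with no known peers gets an empty allow list,
    i.e. RDP blocked entirely; that is exactly the case to confirm with
    Clinical Engineering before the rule is enforced.
    """
    if not (is_affected(d.os) and d.rdp_listening):
        return []
    rules = [{"action": "allow", "src": peer, "dst": d.ip, "dport": str(RDP_PORT)}
             for peer in d.rdp_peers]
    rules.append({"action": "deny", "src": "any", "dst": d.ip, "dport": str(RDP_PORT)})
    return rules


# Constructed sample inventory (not real devices or addresses).
SAMPLE_INVENTORY = [
    Device("infusion-pump-07", "10.20.1.7", "Windows XP SP3",
           "life-support", rdp_listening=True),
    Device("ct-console-02", "10.20.2.2", "Windows 7 Professional SP1",
           "imaging", rdp_listening=True,
           rdp_peers=["10.99.0.5"]),            # vendor service gateway
    Device("nurse-ws-11", "10.20.3.11", "Windows 10 Enterprise",
           "workstation", rdp_listening=True),  # RDP open but not affected
    Device("lab-analyzer-03", "10.20.4.3", "Windows Server 2008 R2",
           "workstation", rdp_listening=False, oem_patch_available=True),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        print(f"{risk_score(d):2d}  {d.name:18s} {d.os}")
        for rule in rdp_policy(d):
            print("     ", rule)
```

Run as-is it lists the three affected devices with the infusion pump first (exposed, life-support, no OEM patch) and prints a deny-all rule for it, because nobody has recorded who legitimately connects to it; that empty allow list is the prompt to go and ask before the rule ships. The Windows 10 workstation with RDP open is correctly left out, and the unexposed 2008 R2 analyzer with a verified patch available falls to the bottom of the list.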
How you currently inventory and manage your devices will determine how easy or challenging this process will be to execute. For those with manual processes, it’s going to take a while, so start ASAP. If you want help, let us know. Even if you’re not one of our customers, we want to help you. We care about what happens to the devices, networks and ultimately patients at each and every hospital.
We have a dedicated team of researchers who are experts in cyber security and medical devices. They can answer any questions you have. And if you want help quickly inventorying your devices, we can do that too. Time will tell if BlueKeep will be the next WannaCry, but we’re going to do our best to keep that from happening.