We all heard about the WannaCry ransomware hitting the NHS and other organisations recently, but what are the lessons for dental practices and other small businesses?
Well, the general lesson is a wake-up call to take security more seriously than many businesses have to date. This includes:
- Having a decent and dedicated firewall on the network
- Ensuring all machines are up to date with good anti-virus in place
- Ensuring that users have good strong passwords
- Ensuring that users don't have admin rights they don't need
- Training staff on appropriate Internet and email use
So, what specifically went wrong that allowed WannaCry to run rampant across 47 NHS Trusts, and what can be done in particular to prevent this type of attack on your business?
The single biggest problem with the NHS networks that were infected wasn't (as myth had it) that they had some XP machines on the networks; rather, it was that the Windows 7 machines had not been kept up to date. Microsoft had already released a patch that fixed the vulnerability that WannaCry exploited; this had been made available to all Windows 7 computers around the world in March 2017. The problem here was that the NHS IT teams responsible had not yet rolled out the patch when the attack occurred. Their computers are presumably not set to auto-update; if they were, this particular attack could not have happened.
But does this mean that simply enabling auto-updating is the answer? Well, not necessarily...
I have sympathy with the IT departments managing huge NHS hospitals and other networks; they cannot really set the computers to auto-update as we do at Dental IT, as this could risk their installed applications not working. Software companies (the ones I have come across, anyway) do not have a great track record in ensuring that their software is tested against pending Windows updates, so there is a chance that a currently installed application won't work once an update is applied. What should happen is that the NHS IT departments download the pending Windows updates as soon as they are publicly available and test them in a test-bench environment to see if there are any compatibility problems. If there are no problems, the update should be installed as soon as possible after testing. On this occasion, it appears that the gap between the testing and the roll-out of the Windows updates was too long.
So, were any Dental IT managed networks affected, and are they set to auto-update?
No, no Dental IT managed networks were infected at all, and every server and every workstation was set to auto-update across our entire customer base. Using our monitoring software, Souter, we were able to run a PowerShell command across our entire customer server base and confirm that every server had received the update.
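The kind of check described above, written out as an added example (this is not Dental IT's own script and does not use Souter): it queries a list of servers for a given Windows update and reports which ones are missing it. The KB number and the server list file are placeholders, and it assumes WMI/DCOM access to each server.

```powershell
# Added example, not Dental IT's code. Verifies a specific Windows update is
# present on every server in a list and reports the stragglers.
# PLACEHOLDER: replace with the real KB article for each Windows version/build
# (the patch that closed the hole WannaCry used differs by OS).
$RequiredKB = 'KB0000000'
# Assumed input file: one server hostname per line (constructed path).
$Servers = Get-Content -Path 'C:\DentalIT\servers.txt'

$results = foreach ($server in $Servers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI; on Windows
        # PowerShell 5.1 a missing KB throws, on PowerShell 7 it returns nothing,
        # so handle both cases.
        $hotfix = Get-HotFix -Id $RequiredKB -ComputerName $server -ErrorAction Stop
        [pscustomobject]@{
            Server      = $server
            Patched     = [bool]$hotfix
            InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
            Error       = $null
        }
    } catch {
        # Distinguish "not patched" from "could not reach the server": an
        # unreachable server must not be counted as safe.
        $reachable = Test-Connection -ComputerName $server -Count 1 -Quiet
        [pscustomobject]@{
            Server      = $server
            Patched     = $false
            InstalledOn = $null
            Error       = if ($reachable) { $_.Exception.Message } else { 'unreachable' }
        }
    }
}

# Summary: anything not positively confirmed as patched needs attention.
$results | Sort-Object Patched, Server | Format-Table -AutoSize
$missing = $results | Where-Object { -not $_.Patched }
Write-Host ("{0} of {1} servers confirmed patched; {2} need attention." -f `
    ($results.Count - $missing.Count), $results.Count, $missing.Count)
```

One caveat: on systems that receive cumulative rollups, the fix may arrive under a later KB that supersedes the one you are searching for, so a missing KB ID should prompt a check of the installed rollups rather than be taken as proof the machine is unpatched.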
But given the above software compatibility problem, is this in itself a risk?
The answer is yes, and indeed we have seen this in the past. A Windows update in 2016 saw almost every network running Carestream (previously PracticeWorks, previously Kodak) R4 stop working, due to a compatibility problem between the R4 software and the Windows update. This affected many of our customers, as well as (I expect) many hundreds of customer networks across the country using R4 software. It was impossible to get through to their helpdesk on that day! However, as soon as we realised what the problem was, we reverted the Windows update so that each site with the problem could operate again; disruption was minimised, and that particular update was blocked until the software company released a fix.
So whilst setting computers to auto-update is not without risk, my judgement and recommendation is that for small business networks this is by far the best policy. Safety is the best policy, and it seems to me that if the choice is between infection and potential data loss on one side, or some disruption and downtime on the other, the latter is the least bad option.
Last edited: 26 October 2017