MINNEAPOLIS -- Computer experts inside hospitals were working diligently on Wednesday to address a serious new security vulnerability in older versions of the Windows operating system, which is still used in many health care devices even though Microsoft hasn't actively supported the older software in years.
Julie Flaschenriem, chief information officer at Hennepin Healthcare, said the Minneapolis health system activated a command center Tuesday evening when news of the vulnerability broke. As of Wednesday, the team was working through its prioritized list of action items for securing any older devices that need attention.
"We know -- and the whole world knows -- that there are people out there that are trying to exploit this one. And every organization around here, whether it's health care or any other thing, is trying to prevent it," said Flaschenriem, who has held information-technology roles at several health systems in the Twin Cities. "We all have certain risks around this that we work to mitigate. ... Because this has happened enough now, we have plans in place that we can put together and start working on it the minute something like this happens."
On Tuesday, Microsoft began urging users of older operating systems to immediately install security patches or take other steps to secure themselves from a vulnerability that could be exploited and quickly spread global chaos, as happened in 2017 with the so-called "WannaCry" ransomware attack.
In that case, the attack proved destructive even though the security patch to fix it had been available for months. WannaCry affected thousands of unpatched computers worldwide, bringing down hospital networks in the United Kingdom and causing the cancellation of 19,000 medical appointments there two years ago.
"Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening," Simon Pope, director of incident response at the Microsoft Security Response Center, wrote in a blog post Tuesday. "We are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows."
On Tuesday, Microsoft revealed a "zero day" vulnerability in older operating systems that have a feature called Remote Desktop Protocol (RDP). RDP lets a user remotely control a computer, as when a company's help desk personnel take control of a computer while troubleshooting a problem.
The vulnerability is considered "highly likely" to be incorporated into malware in the near future, judging by Microsoft's proprietary risk score and the CVSS base risk score of 9.8. (CVSS is a 1-10 scale, with higher numbers representing more severe security risks.)
The vulnerability, which has not yet been exploited by malicious hackers, requires no user interaction and can spread easily among unpatched computers on a network, similar to the WannaCry malware.
"The thing that makes this one so dangerous is that you don't need any access," said Jeremy Sneeden, a manager in the threat and vulnerability management department at Allina Health, which owns and operates 13 hospitals in Minnesota and Wisconsin. "A lot of vulnerabilities you need a username and password, or some sort of access to the machine, to make the vulnerability work. But these -- I guess they're calling them 'wormable' now -- they don't need credentials, and that's why they spread so quickly."