Background
A South India-based private hospital chain operating 8 hospitals (Bengaluru, Chennai, Hyderabad, Kochi) with a total of 1,200+ Windows endpoints, 40+ servers, and an EMR (Electronic Medical Records) system engaged CyberneticsPlus to build a vulnerability management programme.
The trigger: a ransomware attack at a competitor hospital chain in their network had caused a 5-day operational shutdown. The hospital chain’s board directed IT security leadership to assess their exposure within 30 days.
Environment:
- 1,200 Windows workstations (mix of Windows 10/11, with 140 legacy Windows 7 workstations still in use in some wards)
- 40 Windows Server instances (on-premises, mix of 2012 R2, 2016, 2019)
- EMR system: on-premises, Windows Server 2016, SQL Server 2016
- Medical devices: 200+ (out of scope — managed by device vendors, not part of IT)
- Internet connectivity at each hospital via MPLS + internet breakout
- No centralised patch management (each hospital managed by a local IT contractor)
Phase 1: Baseline Assessment (Days 1–30)
Asset Discovery
Challenge: No comprehensive asset inventory existed. Each hospital had a local contractor managing IT, with no centralised visibility.
Discovery approach:
- Network scanning (Nmap) of all 8 hospitals’ internal IP ranges via site-to-site VPN access
- Active Directory enumeration (all domain-joined machines)
- Manual interview with each hospital’s local IT contact for any non-domain-joined devices
Result: 1,247 endpoints discovered (82 more than the client believed they had — untracked machines from departed staff, a retired server still running, medical workstations not in AD).
Vulnerability Scanning
Deployed Tenable Nessus agents on all domain-joined Windows machines. Non-domain machines scanned via network scan with credentials.
Initial scan results: 1,847 vulnerabilities
| Severity | Count |
|---|---|
| Critical | 247 |
| High | 583 |
| Medium | 712 |
| Low | 305 |
Most prevalent critical vulnerabilities:
- CVE-2017-0144 (EternalBlue/MS17-010): Present on 89 Windows 7 machines and 6 Windows Server 2012 R2 instances — the same vulnerability exploited by WannaCry ransomware
- CVE-2020-1472 (Zerologon): Present on 3 domain controllers (Windows Server 2012 R2, unpatched)
- CVE-2021-34527 (PrintNightmare): Present on 140+ endpoints
- Outdated EMR system components: SQL Server 2016 past Extended Support (January 2022)
Risk Prioritisation
CyberneticsPlus applied risk-based prioritisation combining CVSS, EPSS scores, and asset classification:
| Asset Tier | Definition |
|---|---|
| Tier 1 — Crown Jewel | EMR servers, domain controllers, patient data systems |
| Tier 2 — High | Clinical workstations (nurse stations, doctor terminals) |
| Tier 3 — Standard | Admin workstations, non-clinical PCs |
| Tier 4 — Low | Legacy systems being phased out |
Top priority (Immediate — within 72 hours):
- EternalBlue on domain controllers and EMR servers (Tier 1): Direct path to network-wide ransomware
- Zerologon on domain controllers: Allows complete domain compromise without credentials
- 3 Critical CVEs on EMR servers with EPSS > 40%
High priority (14 days):
- EternalBlue on clinical workstations (Tier 2)
- PrintNightmare on all endpoints (widely exploited, easy to patch)
- Remaining Tier 1 Critical CVEs
Phase 2: Remediation Support (Days 30–90)
CyberneticsPlus worked alongside the client’s IT team and local hospital contractors:
Centralised Patch Management Deployment
-
Microsoft WSUS deployed on a central Windows Server 2019 instance
-
All 8 hospitals pointed to central WSUS via MPLS
-
Deployment rings configured:
- Ring 1 (IT/admin machines, 50 endpoints): 3-day validation
- Ring 2 (Clinical workstations, 600 endpoints): Deployed after Ring 1 validation
- Ring 3 (Legacy/critical systems): Manual review required before patch
-
Windows Server Update Services auto-approval rules:
- Critical and Security updates: auto-approved after 7 days
- Feature updates: manual approval only (no forced Windows 10→11 upgrades on clinical machines)
Legacy Windows 7 Handling
140 Windows 7 endpoints were in active use in wards (primarily patient registration terminals and lab workstations). Windows 7 reached End of Support in January 2020 — no patches available.
Options presented to hospital management:
- Upgrade to Windows 10 (preferred — eliminates vulnerability class)
- Network isolation (VLAN segmentation, restrict to minimum required connectivity)
- Application whitelisting (Windows Defender Application Control to prevent execution of unknown binaries)
Decision: Upgrade 80 of 140 machines within 60 days; isolate remaining 60 (older hardware that couldn’t run Windows 10) in a separate VLAN with no SMB access and restricted internet.
Critical Remediation Results
| Vulnerability | Before | After 30 Days | After 60 Days | After 90 Days |
|---|---|---|---|---|
| EternalBlue (Tier 1) | 95 instances | 12 | 4 | 0 |
| Zerologon | 3 | 0 | 0 | 0 |
| PrintNightmare | 847 | 310 | 45 | 12 |
| Critical (all) | 247 | 98 | 68 | 54 |
78% reduction in critical vulnerability count over 90 days (247 → 54). Remaining 54 critical findings: primarily on the 60 isolated legacy Windows 7 machines (network-isolated, not internet-facing, on standalone VLAN).
EMR System Security
The EMR system running on SQL Server 2016 (past Extended Support) required a separate approach:
- SQL Server upgraded from 2016 to 2022 (performed by EMR vendor — coordinated over a maintenance weekend)
- EMR server network access restricted: only the specific EMR client application ports allowed from clinical VLAN
- EMR database backups implemented: daily differential, weekly full, stored offline (air-gapped external drive) and on a separate server
- EMR access auditing enabled: all login events, query logging for privileged operations
Phase 3: Programme Operationalisation (Month 3+)
Ongoing programme handed to the client:
- Monthly scanning cadence: Tenable agents scan continuously; reports generated monthly with trend data
- Vulnerability triage SLAs: Critical = 7 days, High = 30 days, Medium = 90 days
- Patch management: WSUS auto-approval for Critical/Security, monthly verification call with local IT contractors
- Metrics dashboard: Vulnerability count by severity, SLA compliance rate, patch compliance percentage — reviewed monthly by IT leadership
- Annual penetration test: Added to the security programme calendar
Staff training:
- 2-hour security awareness training for all hospital staff (phishing, social engineering, safe computing)
- IT contractor training: vulnerability management process, escalation path to CyberneticsPlus for critical findings
Outcomes
Security posture (90 days):
- Critical vulnerabilities: 247 → 54 (78% reduction)
- Zerologon and EternalBlue (ransomware-enabling): eliminated from all critical systems
- Centralised patch management: 8 hospitals previously managed independently, now unified
Operational benefits:
- IT contractors no longer managing patching independently (inconsistent, error-prone) — centralised WSUS
- Monthly security posture report to hospital board (previously: no security reporting)
- Cyber insurance application: new premium 18% lower than prior year (underwriter cited VM programme and Nessus scanning as positive factors)
Ongoing programme: CyberneticsPlus provides quarterly vulnerability assessment support and an annual penetration test. The hospital chain’s security posture is reviewed annually by the board as part of NABH (National Accreditation Board for Hospitals) compliance.