
[This is part 1 of a two-part series]
The recent global cyberattack that practically crippled parts of the National Health Service (NHS) in the United Kingdom (England and Scotland specifically) exposed just how vulnerable the global healthcare industry is to system breaches and to unauthorized access to electronic protected health information (ePHI). The “WannaCry” ransomware exploited a vulnerability in Microsoft’s Windows operating system for which a fix had already been available for two months, and Microsoft issued emergency fixes for out-of-support versions of Windows shortly after the outbreak was identified. Even so, the speed of propagation and the broad, business-impacting nature of the attack showed that ransomware is very much a growing threat to all of IT within businesses, and an especially acute one for the healthcare industry.
As the healthcare industry becomes more technologically advanced and digitizes healthcare data and transactions, the potential for operational disruption increases, with the potential to cause inadvertent patient harm. Given the real risk of such events, the healthcare industry needs to take the current cyberattacks as a forewarning, learn from the root cause analysis of such events, and implement mitigating safeguards against future attacks. The threat is real and imminent: policies and procedures need to be established, reviewed and updated, staff need to be educated and trained to recognize how cyberattacks are delivered and spread, and compliance with best practices needs to be enforced. In this article, we highlight the recent “WannaCry” cyberattack and the key takeaways for the healthcare industry to consider when putting protective processes, screening protocols, and network system monitoring in place.
What happened?
On Friday May 12, 2017, a massive global ransomware attack known as “WannaCry” or “Wanna Decryptor” was launched, encrypting data and/or shutting down computers in countries around the world. According to the BBC, by Monday May 15, 2017, WannaCry had infected over 200,000 computers in over 150 countries. There were reports of infections in the UK, US, Canada, Australia, Russia, New Zealand, Japan, and China. Hospitals across the NHS were among the hardest hit, with 47 NHS trusts in England and 13 NHS boards in Scotland reporting problems at their healthcare establishments. Some hospitals had to divert patients from their A&E departments because the systems supporting routine daily operations were down, and in many cases had to cancel routine surgeries and elective admissions because patient data was inaccessible. In ambulatory care settings, GP appointments were canceled as doctors and nurses were unable to access patient information. In essence, large parts of the UK healthcare system ground to a halt for over 48 hours.
Ransomware typically reaches a user’s computer through means such as emails with malicious attachments; once the attachment is opened, the malware executes and may exploit system vulnerabilities to take hold. WannaCry was unusual in that it did not need that first click to spread: it carried a worm component that scanned the local network (and random Internet addresses) for machines exposing the SMBv1 file-sharing service on TCP port 445 and infected them through the “EternalBlue” exploit for the MS17-010 vulnerability, with no interaction from the user of the target machine. Once running, WannaCry encrypted the files on the computer’s hard drive and on any other storage connected to it, including USB devices and accessible network shares. The user was locked out of the system and shown a demand for roughly $300 in Bitcoin (a virtual currency), with the note warning that the amount would double if not paid within three days and that the files would be deleted after seven days. As with any ransom demand, it is recommended that businesses not pay: payment marks the victim as a willing target for future extortion, and there is no guarantee that access to the files will be restored. In WannaCry’s case the payment mechanism had no reliable way to tie a payment to a particular victim, so paying was unlikely to produce a working decryption key at all.
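The network monitoring takeaway from the paragraph above is that a worm of this kind betrays itself before encryption even starts: one internal host suddenly opening SMB (TCP/445) connections to many distinct peers in a short window. The following Python example, added here and not part of the original article, runs that detection over a few constructed firewall-style connection log lines. The log format (timestamp, source, destination, destination port, action), the addresses and the 60-second/10-peer thresholds are all assumptions chosen for illustration.

```python
"""Detect worm-style SMB fan-out in connection logs.

Added example, not from the original article. It flags any source host that
contacts many distinct destinations on TCP/445 within a short sliding window,
the lateral-movement pattern WannaCry's SMBv1 (MS17-010) spreader produced.
The log format, addresses and thresholds below are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    action: str  # "allow" or "deny"; denied attempts still count as scanning


# Constructed sample log: "timestamp src_ip dst_ip dst_port action".
# 10.0.1.15 sweeps twelve peers on 445 in four seconds (worm behaviour);
# 10.0.1.40 talks to one file server repeatedly and to a web server (normal).
SAMPLE_LOG = """\
2017-05-12T11:00:01 10.0.1.15 10.0.1.20 445 allow
2017-05-12T11:00:01 10.0.1.15 10.0.1.21 445 allow
2017-05-12T11:00:01 10.0.1.15 10.0.1.22 445 deny
2017-05-12T11:00:02 10.0.1.15 10.0.1.23 445 allow
2017-05-12T11:00:02 10.0.1.15 10.0.1.24 445 deny
2017-05-12T11:00:02 10.0.1.15 10.0.1.25 445 allow
2017-05-12T11:00:03 10.0.1.15 10.0.1.26 445 allow
2017-05-12T11:00:03 10.0.1.15 10.0.1.27 445 allow
2017-05-12T11:00:03 10.0.1.15 10.0.1.28 445 deny
2017-05-12T11:00:04 10.0.1.15 10.0.1.29 445 allow
2017-05-12T11:00:04 10.0.1.15 10.0.1.30 445 allow
2017-05-12T11:00:04 10.0.1.15 10.0.1.31 445 allow
2017-05-12T11:00:05 10.0.1.15 10.0.1.20 445 allow
2017-05-12T11:00:05 10.0.1.40 10.0.1.20 445 allow
2017-05-12T11:00:06 10.0.1.40 10.0.1.20 445 allow
2017-05-12T11:00:07 10.0.1.40 10.0.1.50 443 allow
2017-05-12T11:02:30 10.0.1.40 10.0.1.21 445 allow
"""


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_smb_fanout(events: List[Event],
                      window: timedelta = timedelta(seconds=60),
                      threshold: int = 10,
                      port: int = 445) -> Dict[str, int]:
    """Return {source_ip: peak distinct destinations} for sources that reach
    at least `threshold` distinct peers on `port` inside any `window`."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if ev.dst_port == port:
            by_src[ev.src].append(ev)

    alerts: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window: deque = deque()      # events inside the sliding window
        peers: Counter = Counter()       # distinct destinations, with counts
        peak = 0
        for ev in evs:
            in_window.append(ev)
            peers[ev.dst] += 1
            # Expire events older than the window before measuring fan-out.
            while ev.ts - in_window[0].ts > window:
                old = in_window.popleft()
                peers[old.dst] -= 1
                if peers[old.dst] == 0:
                    del peers[old.dst]
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {peers} distinct hosts on TCP/445 within 60s")
```

Denied connections count deliberately: a scanner that is being blocked by host firewalls still shows the fan-out pattern, and that is exactly when an alert buys time to isolate the machine. In production the threshold should be tuned against a baseline (backup servers and vulnerability scanners legitimately touch many hosts on 445), and connections from clinical workstations to Internet addresses on 445 deserve their own alert, since WannaCry also probed random external addresses.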
How did this happen?
All this resulted from a vulnerability in the SMBv1 network file-sharing component of Microsoft Windows (Microsoft security bulletin MS17-010), which could be exploited by anyone able to reach the service over the network. In March 2017, Microsoft released a security update fixing the vulnerability for the versions of Windows it still supported, such as Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2012, Windows 10 and Windows Server 2016. Versions no longer supported by Microsoft, such as Windows XP, Windows 8 and Windows Server 2003, received no fix at the time. WannaCry exploited the vulnerability wherever the March update had not been applied, whether because the system was out of support or simply unpatched, and the chaos followed. It should be noted that Microsoft did take the unusual step of releasing emergency patches for the unsupported versions within days of the propagating attack being identified.
Why did this happen?
As mentioned above, Microsoft provided a fix for the vulnerability in March, yet this cyberattack occurred in May – why did this happen?
- Old, antiquated systems running unsupported versions of MS Windows – a significant part of the affected estate was still running versions of Windows that Microsoft no longer supported (Windows XP, Windows 8, Windows Server 2003), for which no patch existed before the attack. Post-incident telemetry from security vendors showed, however, that the large majority of infected machines were running unpatched but still-supported Windows 7, so the legacy estate was only part of the problem. Since the attack, Microsoft has released an emergency patch for the unsupported versions as well, an unusual move by the company to mitigate further harm to businesses.
- Systems not updated with the patches that plug known vulnerabilities in currently supported versions of MS Windows – most affected systems had evidently not been updated despite Microsoft releasing the fix in March for all supported versions of Windows. In our experience, businesses routinely scan their networks and systems for vulnerabilities but fail to apply the required fixes or patches in a timely manner. Many patches can be applied automatically, but on some networks and systems they have to be applied manually, and in a number of cases specific remediation steps have to be followed that require staff with the proper knowledge to execute them. As healthcare systems become more digitized, there is a growing shortage of such knowledgeable resources and talent.
- Poor adherence to existing policies and procedures, and/or lack of adequate security risk mitigation policies and procedures for addressing current or emerging IT threats – it is our opinion that businesses need robust IT security risk identification, remediation, and active mitigation policies and procedures in effect, enforced through regular audits. In addition, since many attacks depend on exploiting human weaknesses, staff need to be educated and properly trained, with continuous reinforcement, to identify such threats and to follow best practices such as not opening emails from untrusted or unrecognized persons or sources. It is worth noting, though, that WannaCry did not depend on anyone opening anything once it was inside a network, so awareness training alone would not have contained it; technical controls that limit the blast radius matter just as much: applying the MS17-010 update, disabling SMBv1 where it is not needed, blocking TCP port 445 at the perimeter and between network segments, and keeping tested, offline backups from which systems can be restored without paying.
Considering the downtime cost, the disruption to essential care, and the real patient harm from delayed care, the recent “WannaCry” cyberattack has highlighted a basic fact: prevention is better than a reactive cure that merely plugs vulnerabilities after they have been exploited. The healthcare industry needs to invest in policing itself better and in closing known vulnerabilities in a timely fashion.