©Illustration by medithIT, 2017.
More people today understand the implications of acting on a phishing email or opening an unsolicited computer file. Still, the cyberinfrastructure that underlies our daily lives is so far reaching it can sometimes be hard to grasp.
A worldwide ransomware attack on Friday, however, highlighted how reliant businesses—especially hospitals and healthcare providers—are on their computer systems. The attack, a version of WannaCry ransomware called Wanna Decyptor, used malicious software—delivered by email—to encrypt files on infected computers. Most affected users were directed to pay fees of about $300 to have their files restored.
The May 12 attack hobbled many companies, but wreaked exceptional havoc on the National Health Service (NHS) in the United Kingdom. Because the malware exploited vulnerabilities in older Microsoft operating software, NHS computers—many of which still use outdated and unsupported systems—were especially at risk. Newer systems that failed to install a security patch released in March were also susceptible.
Although the widespread attack didn’t specifically target NHS, the UK system nearly shutdown— providers couldn’t access patient files, order tests or X-rays, write prescriptions, or even print simple patient information.
“Without the IT systems, I suspect test results will be missed and will definitely be delayed,” the Guardian quoted one doctor as saying on the day of the incident. “Handovers are much more difficult. It will, absolutely certainly, impact patient safety negatively, even if that impact can’t be clearly measured.”
It appears the attackers’ aim was to make money, but a similar ploy by terrorists or hostile governments could create an emergency situation and then use the same tactics to thwart response, experts say.
“The worst [scenario] we can imagine is if some malicious actor wants to undertake an act of terrorism and hamper the local response to that [attack]—disrupting 9-1-1 communications entirely,” Trey Forgety, director of government affairs for the National Emergency Number Association, told The Atlantic in March.
Although there were few reports of U.S. health providers hit in the WannaCry attack, there were at least two more serious instances of medical devices being affected. Federal systems, such as the U.S. Department of Health and Human Services, were secure as of Monday, according to U.S. Department of Homeland Security Adviser Tom Bossert.
Still, similar ransomware attacks that crippled several hospitals last year show that the United States is far from immune to hackers’ methods.
While the impacts in the United Kingdom might raise questions about U.S. preparedness for cyberattacks, the issue doesn’t lie as much in national security as it does in the type of the information contained in healthcare systems themselves.
“The fundamental issue with healthcare data is that it has enduring value to the cybercriminal,” former FBI Section Chief for the Cyber Division Outreach Section John Riggi told HealthData Management. “A credit card number generally has a very limited shelf life before the bank detects fraudulent charges, and a credit card number can be easily cancelled or replaced.”
The need to access data in life-and-death situations also means that healthcare industries might be more willing to pay the requested ransom than other businesses would. That was the case with Hollywood Presbyterian Medical Center, which paid $17,000 to restore ransomed files after a February 2016 attack.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian President Allen Stefanek wrote in a statement following the incident. “In the best interest of restoring normal operations, we did this.”
Security experts warn against paying such ransoms since it contributes to the spread of ransomware use. What they do suggest is keeping operating systems up to date, creating breaks in interfaces that could allow infection to spread, and installing software patches in a timely manner.
In the United States, HHS has established a Health Care Industry Cybersecurity Task Force to examine the distinct risks faced by the industry from cyberattacks and to create a plan for sharing cyberintelligence in real time. It’s Technical Resource Assistance Center and Information Exchange (TRACIE) has also compiled a wealth of information to help health organizations mitigate against attacks. Even more resources are available from the National Library of Medicine's Disaster Information Management Reserch Center Disaster Lit database.
Those resources and others will likely be valuable in the months to come. Despite the notoriety of the recent ransomware attack, there are other imminent threats on the horizon, according to experts.
“Imagine that instead of all of the data being encrypted, what if it was just changed and providers didn’t know which data was wrong like which leg to amputate, what particular allergies a patient has, or which prescription medications need to be administered?” Reg Harnish of GreyCastle Security asked HealthData Management. “That to me is far scarier than a bunch of hard drives being encrypted.”