What to do when our health system is the sickest cyber patient of them all

The large-scale cyber-attack on 12 May 2017 using WannaCry ransomware infected more than 230,000 systems in 150 countries. The ransomware was region agnostic, providing instructions in almost 30 different languages and targeting many industries.

Despite the widespread and global nature of the attack, the victim gaining the most attention is the UK’s National Health Service (NHS), for all the obvious reasons. The NHS effectively shutting down is one of those worst-case scenarios that cyber security experts have been giving dire warnings about for years.

The attack affected many NHS hospitals in England and Scotland, and up to 70,000 devices – including operational computers, MRI scanners, blood-storage refrigerators and operating theatre equipment – may have been affected. Some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.

There have been high-profile attacks in the headlines before. And don’t get me wrong, data breaches and the leaking of customers’ personal information are never anything less than a very bad outcome. But with this latest development, we are getting a taste of the very serious consequences that can arise when the out-of-date, unsupported and vulnerable systems that our most critical services rely on are compromised and attacked.

This attack – random, widespread and opportunistic – nevertheless put people’s lives at risk. Most concerning of all, it is an attack that could have been prevented with even some of the most basic cyber security measures.

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is ransomware targeting Microsoft Windows operating systems. The attack spread by multiple methods: through a series of phishing emails that contained a malicious document, and by moving through similarly unprotected systems as a computer worm, taking advantage of a vulnerability in Microsoft’s Windows operating system.

An update to remove the underlying vulnerability for supported Microsoft Windows operating systems had been issued on 14 March 2017.

Due to the scale of the attack – and in an effort to contain the spread of the ransomware – Microsoft created security patches for several now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.

In 2016, thousands of computers in 42 separate NHS trusts in England and Scotland were reported to be still running Windows XP. At the time, the UK’s Department of Health refused to pay Microsoft to keep updating the obsolete Windows XP systems.

Legacy systems, such as those that are required to interface with highly technical hardware in medical facilities, are the most susceptible to these types of attacks. As in the UK’s NHS, the hardware itself is built around applications and software that can only run on older operating systems such as Windows XP and Windows Server 2003.

Because these operating systems are no longer supported by the vendor, the onus for securing this critical machinery falls on the organisation’s IT department. These “backyard fixes” occur in-house, are applied as hastily as possible and usually leave the facility vulnerable to attack through backdoors.

There are resources out there that can help. Australia’s primary signals intelligence agency, the Australian Signals Directorate (ASD), has published the Top 4 Strategies for Mitigating Cyber Intrusions.

The Australian Government has set up the Australian Cybercrime Online Reporting Network (ACORN). This initiative allows the general public to report any type of cybercrime, including phishing, fraud or viruses.

Another initiative, set up by private enterprise and government entities around the world, is www.NoMoreRansom.org. This website allows victims of ransomware to check whether the ransomware they have been infected with has a decryption solution available. If there is, the victim can avoid paying the ransom and unlock their files using the instructions provided.

Australian healthcare facilities rank similarly to the NHS in terms of digitally mature policies and processes. Therefore, they are just as susceptible to attack as the NHS’s systems are. Security isn’t just about software and hardware; it falls on training our people on the best practices and ensuring that we have the correct processes in place so that the technology is used for the benefit of the public.

Generally, the majority of security events can be traced back to human error. Even something simple such as writing usernames and passwords on paper and storing them near workstations or on ID cards is a serious security issue which is widely prevalent in medical facilities around the country.

Ideally, processes should be in place that account for the dynamic nature of cyber threats. There isn’t a single fix that a facility can implement; a series of well-defined processes in conjunction with security technology and well-educated people at an industry level is the key to cyber maturity.

Without a doubt, considerable investment is required to change the way the healthcare industry securely uses technology. But this attack and its consequences show that we can’t afford to put off that transformation any longer.

The events that led to the global WannaCry infection only lend more weight to the argument that we should speed up our initiatives for change. This will ensure the safety of patients, and that the health sector continues to use various technologies as digital assets, and not as liabilities.

