Which industry went from nearly zero to 1 billion dollars in 2016? If you guessed ransomware, you would be right. Ransomware payments were expected to hit $1 billion in 2016, according to the FBI. The malware that affected over 100,000 organizations last weekend in 150 countries may have delivered that kind of revenue in a single day to the cyberattackers.
Late last week, reports emerged of a large-scale ransomware attack against the U.K.'s NHS hospitals that impacted nearly 50 hospitals; it was later confirmed to be part of a larger international cyberattack. Reports emerged of hospitals turning away ambulances because they feared being unable to treat patients. Hospitals had lost the use of landlines and internet connections, and several hospitals in the U.K. confirmed receiving demands for ransom payments in bitcoin, with deadlines for compliance.
The attack was by a self-propagating ransomware worm dubbed WCry/WannaCry. The malware appears to spread by exploiting a vulnerability in the Windows Server Message Block (SMB) service for which Microsoft issued a critical patch (MS17-010) on March 14; hosts that had not applied it were open to infection from any other infected machine that could reach them over SMB, with no user interaction required. Once it infects a system, the malware encrypts the files on the host, denying users access to their data until a ransom is paid. Note that applying the patch stops further spread but does nothing to recover files that have already been encrypted.
According to Rich Barger, director of cybersecurity research at information security software company Splunk, “The WCry/WannaCry ransomware strain hit 11 countries in just three hours. This is one of the largest global ransomware attacks the cyber community has ever seen.”
While it isn't clear how many hospitals have been impacted in the United States, the Office of the National Coordinator for Health IT (ONC) reports that the U.S. Computer Emergency Readiness Team (US-CERT) has received multiple reports of WannaCry ransomware infections in several countries around the world. The ONC advised individuals and organizations not to pay the ransom, because doing so won't guarantee that access will be restored.
Healthcare is among the sectors most vulnerable to data breaches and ransomware. I have written previously in this column that a combination of aging IT infrastructure and weak IT security practices has made healthcare a soft target. Healthcare is in need of an urgent "building code" upgrade. In the case of the NHS in the U.K., the problem seems to have been a failure to apply a routine software patch from Microsoft, compounded by systems still running versions of Windows that Microsoft no longer supports. (For its part, Microsoft stepped up and offered free patches even for unsupported operating systems to help contain the damage.) This could happen in any part of the healthcare ecosystem, and in fact many of the recent data breach incidents have occurred not in hospitals but at HIPAA business associates. Healthcare's vulnerability is thus no longer restricted to medical information, since cyberattackers are looking for any kind of personal information that can be sold in the stolen data market.
So, what are the options for the affected hospitals and enterprises? One option is to pay, of course. Many hospitals have done that in the past year; however, the FBI frowns on it. Paying the ransom is no guarantee that access to systems will be restored, and moreover, it marks the victim as willing to pay and so invites further ransom demands.
Immediate options for affected hospitals include restoring data from a secure backup (if one exists, and if it was held offline or otherwise out of reach of the infected hosts, since a worm that can reach a backup share can encrypt it too), applying the software patch, disabling the vulnerable software (SMBv1) where it is not needed, and isolating the affected parts of the network, for instance by blocking SMB traffic (TCP port 445) between segments until every host has been patched. In some ways, that approach is akin to the way submarines compartmentalize when one of the compartments floods: seal off that part and continue operating with the remaining functioning parts.
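The patch, disable and isolate steps above, carried out on a single Windows host, look roughly like the following. This is an added example and not code from the article or from any of the organisations it mentions. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (where the SMB and firewall cmdlets used here exist), an admin subnet of 10.0.50.0/24 as a placeholder, and a KB list that is the author's recollection of the MS17-010 package numbers; check those KB numbers against the bulletin for your exact OS build before relying on the result.

```powershell
# Added example, not from the original article. Run as Administrator.
# Assumptions: Windows 8 / Server 2012 or newer; $AdminSubnet is a placeholder;
# $Ms17010Kbs is recalled from the MS17-010 bulletin and must be verified for
# the OS build you are checking.

$Ms17010Kbs  = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
                 'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
                 'KB4012214', 'KB4012217',   # Server 2012
                 'KB4012606', 'KB4013198', 'KB4013429')  # Windows 10 builds
$AdminSubnet = '10.0.50.0/24'

# 1. Patch check: an empty result means the host is still exposed to the SMB exploit.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 package found; patch this host before reconnecting it.'
}

# 2. Disable SMBv1, the protocol the exploit targets, if nothing still depends on it.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature as well so the driver is not merely switched off.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMBv1 disabled; a reboot completes the feature removal.'
} else {
    Write-Host 'SMBv1 already disabled.'
}

# 3. Compartmentalise: drop inbound SMB except from the admin subnet.
#    Windows Firewall evaluates Block rules before Allow rules, so instead of
#    stacking a block-all rule on top of an allow rule, make the profile's default
#    inbound action Block, disable the built-in file-sharing allow rules, and add
#    one narrowly scoped allow rule.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
New-NetFirewallRule -DisplayName 'IR: allow SMB from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null
Write-Host "Inbound TCP/445 now accepted only from $AdminSubnet."
```

Step 3 is the host-level equivalent of sealing a compartment: the machine keeps serving its admin subnet while unpatched peers elsewhere on the network can no longer reach its SMB service. Reverse the firewall change only after the patch check in step 1 passes on every host in the segment.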
In the world of internet of things (IoT) devices, the points of vulnerability have multiplied. The exciting possibilities of IoT in healthcare, expected to be a $163 billion market in 2020 according to consulting firm Accenture, are tempered by the implications of device-level vulnerabilities. Medical devices in particular have been identified as highly vulnerable, and often cannot be patched on a normal schedule, so hacked medical devices may now be the single biggest threat to healthcare IT security. Security breaches of the nature we witnessed over the weekend may make healthcare enterprises more conservative about adopting emerging technology solutions to unlock insights from data.
While short-term fixes may enable hospitals to recover their data and resume normal operations, the vulnerabilities can persist for years, with malware residing in IT systems like sleeper cells.
In the longer term, cybersecurity is more about following basic rules and processes to prevent incidents. Rich Barger of Splunk stresses the paramount need for critical enterprises to have a ransomware playbook in place for when they are attacked. The FBI and the ONC have issued detailed guidelines on how organizations can protect themselves against ransomware attacks, and how to report them when they do happen. Having a playbook is one thing, ensuring it is followed rigorously is another. Clinicians and administrators, already stretched, cannot be faulted for not being up to speed on the latest techniques of cyberattackers. This is a fundamental culture change, and enterprises have to prepare for a long haul.
Regardless of the precautions, ransomware is likely to be the No. 1 method of cyberattack in 2017, and this latest attack — bigger in scale and scope than anything we have ever seen — may just be the beginning. By an interesting coincidence, President Trump signed an executive order last week aimed at upgrading the cyberdefenses of U.S. federal agencies — a move that could lead to stronger enforcement and tougher punitive measures for cybercriminals.
In a lighter vein, Barger concludes, “One thing is for sure — somebody is going to get very rich, or spend a very long amount of time in jail.”