What emerged on Friday morning, May 12, European time, and quickly spread across the world as one of the most intensive and extensive ransomware-based attacks to date, affecting organizational operations of all kinds in approximately 150 countries, seemed to have gotten somewhat under control by early this week, even as the attack has jolted the information technology world across the planet.
Variously known as the Wanna Cry or Wanna Decryptor ransomware virus, the phenomenon on Friday virtually shut down several dozen regional health authorities within the National Health Service of the United Kingdom, while simultaneously impacting the operations of such diverse entities as Spain’s national telephone service, La Telefónica; Germany’s railway system, Deutsche Bahn; automotive plants of the French car manufacturer, Renault; the Russian Interior Ministry; and universities in China and Taiwan.
In his breaking news article on Friday, Healthcare Informatics Managing Editor Rajiv Leventhal quoted Creighton Magid, a partner at the international law firm Dorsey & Whitney, who noted that “The cyberattack, using a ransomware bug known as WannaCry, appears to have used an NSA exploit known as ‘Eternal Blue’ that was disclosed on the web by Shadow Brokers. Microsoft released a patch earlier this year to address the vulnerability, but it appears that a number of hospitals and other users have not applied the patch.” “Like the DDoS attack last October,” Magid added, “this attack shows that interconnected devices and systems are vulnerable to attack by nations, non-state actors and just plain crooks.” An attack of this scope, he said, points to the potential for an entirely different type of damage: shutting down entire businesses, hospital systems, banks, and critical infrastructure.
As the cyberattack’s impact continued to spread worldwide into and through Saturday, Editor-in-Chief Mark Hagland quoted a report published online at 7:50 AM eastern time that day by The New York Times’ Mark Scott, in which Scott wrote that “The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe. While American companies like FedEx said they had also been hit,” he added, “experts said that computer users in the United States had so far been less affected than others because a British 22-year-old cybersecurity researcher inadvertently stopped the ransomware from spreading,” referring to the Kryptos Logic IT specialist. “The 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny,” Scott wrote, “found the kill switch’s domain name—a long and complicated set of letters. Realizing that the name was not yet registered, he bought the name himself. When the site went live, the attack stopped spreading, much to the researcher’s surprise.” Scott quoted Matthieu Suiche, founder of Comae Technologies, a cybersecurity company based in the United Arab Emirates, as saying that “The kill switch is why the U.S. hasn’t been touched so far. But it’s only temporary,” Suiche added. “All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
As it turns out, that researcher was able to trigger the “kill switch” built into the virus, which had already shut down patient care delivery at dozens of British regional health authorities and frustrated operations at a full range of other business, governmental, and educational organizations worldwide.
What U.S. healthcare IT leaders need to know
So what does all this mean for U.S. healthcare providers? A fair amount, say industry experts and observers. “There are several lessons here,” says Mac McMillan, president and CEO of the Austin, Tex.-based CynergisTek IT security consulting firm. “One is an old lesson that we still haven’t learned as an industry, and that is that basic IT hygiene, keeping systems up to date, and not keeping systems you can’t patch, like medical devices, or segmenting them away—that people still aren’t doing those things to the extent that they need to. Basic hygiene could have saved the National Health Service here.” The National Health Service in the U.K. was still operating on the abandoned Windows XP platform, as Hagland noted in his blog on Sunday. And, says McMillan, “That’s insane.”
Meanwhile, McMillan goes on to say, “A recommendation made a few years ago by the National Security Advisor regarding the federal government’s weaponizing information systems and then not reporting that weaponization to vendors—the recommendation back then was actually that the potential cost to the private sector, to businesses, was so high that it outweighed the government doing those things. The third lesson that comes out of this,” he says, “is that it’s going to happen again; it’s just a matter of time, because all of this information is out there on the Internet. And when you look at zero-day exploits, the Symantec Threat Center recently said that there are over 4,500 zero-day attack vulnerabilities in systems that there is no fix for. So any hacker who finds those, can weaponize that, and run that attack, and they’ll have a massive initial impact, because there won’t be any way to respond. And unfortunately, the hacker community has decided that disruption in itself has become the goal.”
On the positive side of things, McMillan says, “There are several reasons why the U.S. healthcare system didn’t experience the same level of impact as elsewhere. Number one is that there have been so many attacks over the last 24 months, that we’ve actually seen investment in advanced malware technologies, email and malware gateways, advanced firewalls, so we actually have some protections to defend against these things. Number two, when this information came out from this Shadow group, and the data from the CIA, at least a lot of hospitals we work with, were right on top of that, and very interested in what to do. So as soon as Microsoft and Cisco and other vendors published their patches two months ago, the hospitals applied them.”
With regard to the vulnerability that the U.K.’s National Health Service had when this attack hit, Lee Barrett, the executive director of EHNAC, the Electronic Health Network Accreditation Commission, a Farmington, Conn.-based independent, federally recognized, standards development organization and accrediting body in U.S. healthcare, says that “Whoever the attacker was in this case, they knew that the N.H.S. was vulnerable” in working on the Windows XP operating system, “and targeted that platform. That was a major, major thing. The other thing is that what this tells organizations,” he says, “is that you’d better have your risk mitigation and preparedness plans in place and be prepared to review them, so that you can react in the moment and mitigate and reduce the amount of exposure for your organization.”
In that context, Barrett says, “In many cases, the organizations that had a good plan in place saw less impact than those who did not have a good risk mitigation and preparedness plan in place. Importantly, you need to be doing backups of all of your data, so that in the event of a ransomware attack, you’ve got a current backup of your system to reduce potential loss, and can get back to business as usual; this speaks to basic business continuity planning.”
U.S. healthcare—still far too reliant on basic tools like firewalls, antivirus protection
Looking at the broad picture around IT security in U.S. healthcare, Garrett Hall, an analyst with Orem, Utah-based KLAS Research, says that while healthcare provider organizations have improved their security readiness in recent years, this recent attack indicates that the healthcare industry remains particularly vulnerable. “With all the changes in healthcare and all the budget constraints, it’s a tough issue, but we are encouraged by some of the progress we’re seeing, yet, ultimately, we’re seeing that there needs to be additional progress made,” he says.
Hall co-authored the KLAS 2017 cybersecurity report published in February. In collaboration with the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), KLAS interviewed 200 healthcare organizations about their security programs, speaking primarily with chief information security officers (CISOs), CIOs, chief technology officers (CTOs) and other IT security professionals.
That report found that U.S. healthcare organizations are still, by and large, relying on foundational technology, such as firewalls, antivirus and malware-protection solutions, and encryption, for protection from cyberattacks. According to KLAS, software for data loss prevention (DLP), identity and access management (IAM), mobile device management (MDM), security information and event management (SIEM) and anomalous-behavior monitoring has yet to make the projected impact due in part to still-maturing deployments and lack of resources and understanding, Hall notes. “That was a little disconcerting to see; that a firewall vendor was having the greatest impact on cybersecurity. We anticipated that it would be more DLP vendors or vendors providing more advanced technologies, so it does suggest that healthcare is still behind on their security readiness. Even though we see improvements, we still have further to go as an industry,” he says.
One of the challenging aspects of this particular cyberattack is its complexity. In a webinar sponsored by the Armonk, N.Y.-based IBM Corporation, Kevin Albano, X-Force IRIS global lead for threat intelligence at IBM Security, shared with listeners on Tuesday some insights into the Wanna Cry/Wanna Decryptor virus. The virus, he noted, infiltrates endpoints in a system and encrypts all its files, demanding a ransom payment of $300.00 U.S. in bitcoin, exploiting a known Windows vulnerability that enables remote-code execution; organizations that did not make use of the Microsoft Windows patch made available in March are now particularly vulnerable. “This is a version of WannaCry that does not have the propagation component to it, this is just the ransomware itself,” Albano told webinar attendees. “There’s another aspect to it that is the propagation aspect, using the Eternal Blue exploit, and then the DoublePulsar payload to be able to implement the WannaCry ransomware. There are three components working within it—one is the ransomware, the other is the Eternal Blue exploit that takes advantage of vulnerability within Windows operating system, the third thing is the DoublePulsar payload that’s used to deliver the ransomware itself.” And, he noted, “it is the auto-propagation using the vulnerability and the exploit that is causing much of the harm as it’s spreading through vulnerable systems.”
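The auto-propagation Albano describes has a network signature defenders can look for: one infected host opening SMB connections to many distinct internal peers in a short burst, which is unlike normal workstation behaviour. The script below is an added example, not code from the article or from IBM; it runs a simple sliding-window fan-out check over a constructed connection log. The SMB port (TCP 445), the 60-second window and the threshold of 8 distinct peers are assumptions chosen for the illustration and would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # TCP port of the Windows SMB service abused for propagation (assumed)

# Constructed connection log, not captured from any real network.
# Format per line: "<ISO-8601 timestamp> <source IP> <destination IP> <dst port>"
SAMPLE_FLOWS = """\
2017-05-12T08:01:05 10.20.1.15 10.20.1.40 445
2017-05-12T08:01:05 10.20.1.15 10.20.1.41 445
2017-05-12T08:01:06 10.20.1.15 10.20.1.42 445
2017-05-12T08:01:06 10.20.1.15 10.20.1.43 445
2017-05-12T08:01:07 10.20.1.15 10.20.1.44 445
2017-05-12T08:01:07 10.20.1.15 10.20.1.45 445
2017-05-12T08:01:08 10.20.1.15 10.20.1.46 445
2017-05-12T08:01:08 10.20.1.15 10.20.1.47 445
2017-05-12T08:01:09 10.20.1.15 10.20.1.48 445
2017-05-12T08:01:09 10.20.1.15 10.20.1.49 445
2017-05-12T08:01:09 10.20.1.15 10.20.1.49 445
2017-05-12T08:02:00 10.20.2.7 10.20.9.10 445
2017-05-12T08:02:30 10.20.2.7 10.20.9.11 445
2017-05-12T08:03:00 10.20.2.7 10.20.9.12 80
2017-05-12T01:00:00 10.20.3.5 10.20.1.40 445
2017-05-12T02:00:00 10.20.3.5 10.20.1.41 445
2017-05-12T03:00:00 10.20.3.5 10.20.1.42 445
2017-05-12T04:00:00 10.20.3.5 10.20.1.43 445
2017-05-12T05:00:00 10.20.3.5 10.20.1.44 445
2017-05-12T06:00:00 10.20.3.5 10.20.1.45 445
2017-05-12T07:00:00 10.20.3.5 10.20.1.46 445
2017-05-12T08:00:00 10.20.3.5 10.20.1.47 445
2017-05-12T09:00:00 10.20.3.5 10.20.1.48 445
2017-05-12T10:00:00 10.20.3.5 10.20.1.49 445
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smb_fanout(flows, window=timedelta(seconds=60), port=SMB_PORT):
    """For each source, the largest number of distinct destinations it
    contacted on `port` inside any window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))

    peak = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so the window scan below is valid
        best = 0
        for i, (start, _) in enumerate(events):
            peers = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                peers.add(dst)
            best = max(best, len(peers))
        peak[src] = best
    return peak


def flag_propagators(flows, threshold=8, **kwargs):
    """Sources whose peak SMB fan-out reaches `threshold`, highest first."""
    fanout = smb_fanout(flows, **kwargs)
    hits = [(src, n) for src, n in fanout.items() if n >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, n in flag_propagators(flows):
        print(f"possible SMB worm activity: {src} reached {n} peers within 60 s")
```

The backup server 10.20.3.5 touches just as many hosts as the infected workstation, but spread over ten hours, so it is not flagged; widening the window to twelve hours makes it indistinguishable from the worm, which is why the window and threshold need to be set against the organisation's own baseline rather than copied from an example.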
What CIOs, CISOs and other healthcare IT leaders need to do next
Meanwhile, say industry experts, though U.S. hospitals by and large escaped the damaging impact of the hit that British hospitals have taken, there’s still a long journey ahead for them on IT security. Still, says CynergisTek’s McMillan, “One of the reasons that U.S. healthcare did better in this situation is that, over three years ago, OCR [the Office for Civil Rights of the Department of Health and Human Services] started cracking down on organizations with obsolete systems, declaring that a HIPAA violation. So a lot of our health systems have been doing a better job of working to eliminate these things and keep them refreshed. And everybody has become sensitive to the need to communicate quickly about threat information. So even though we don’t yet have an integrated threat alert system in the U.S., the information has been flowing.”
Some very basic “hygiene” processes must be attended to, says EHNAC’s Barrett. “For one thing, organizations need to make sure that they’re doing ongoing backups and backups of all of their data. In the event that you get hit by one of these ransomware attacks,” he says, “you need to have a current backup of your system available, to reduce the potential loss of your system, and can get back to business as usual, so it gets back to business continuity planning.” Asked about what interval is most appropriate for the auditing of backups—most patient care organizations in the U.S. are doing backup audit at most once a quarter, and many are doing backup audit only once every half-year or even year—Barrett says, “Most of the breaches and ransomware are found after they’ve been in organizations for quite a while, often for months. My best practice is, I tell organizations that they should be auditing their backups at least on a monthly basis. And that goes back to what level of risk you can afford.”
Indeed, Barrett continues, “I don’t think an organization wants to go much more than a 30-day loss in the event of a ransomware attack. So I’d say 30 days, whether you do this yourselves or you have a third-party organization do it for you. And the dialogue I was having… and it ranges pretty widely in terms of how much risk an organization at the board or audit committee level, is willing to take. And larger organizations… Can you as a hospital, afford to lose nine months or a year’s worth of data? My feeling is that you can’t. And I continue to talk to organizations that still haven’t taken this seriously, and just keep pointing the finger, saying, it’s not going to happen to us, we’re too small.”
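Barrett's two numbers, a monthly backup audit and no more than 30 days of acceptable data loss, translate directly into a policy check that can be run against a backup catalog. The script below is an added example written for this article, not a tool from EHNAC or any vendor; the catalog entries, system names and the idea of recording the date and outcome of the last restore test are constructed for the illustration. It reports, per system, whether the newest backup is older than the loss tolerance, whether the restore test is overdue, and whether a restore has ever been proven to work.

```python
from datetime import datetime, timedelta

# Constructed backup catalog (illustrative, not from any real hospital).
# last_restore_test / restore_ok record the most recent test restore, because a
# backup that has never been restored is an assumption rather than a control.
SAMPLE_CATALOG = [
    {"system": "ehr-db", "last_backup": "2017-05-11",
     "last_restore_test": "2017-04-20", "restore_ok": True},
    {"system": "pacs-archive", "last_backup": "2017-05-10",
     "last_restore_test": "2016-11-02", "restore_ok": True},
    {"system": "lab-lis", "last_backup": "2017-03-28",
     "last_restore_test": None, "restore_ok": None},
    {"system": "hr-fileshare", "last_backup": "2017-05-12",
     "last_restore_test": "2017-05-01", "restore_ok": False},
]


def audit_backups(catalog, as_of, max_data_loss=timedelta(days=30),
                  audit_interval=timedelta(days=30)):
    """Return {system: [issue codes]} for every catalog entry.

    max_data_loss  - how old the newest backup may be (Barrett's 30 days)
    audit_interval - how often a restore must be tested (monthly)
    """
    findings = {}
    for entry in catalog:
        issues = []
        last_backup = datetime.fromisoformat(entry["last_backup"])
        if as_of - last_backup > max_data_loss:
            issues.append("STALE_BACKUP")

        if entry["last_restore_test"] is None:
            issues.append("NEVER_RESTORE_TESTED")
        else:
            last_test = datetime.fromisoformat(entry["last_restore_test"])
            if as_of - last_test > audit_interval:
                issues.append("AUDIT_OVERDUE")
            if not entry["restore_ok"]:
                issues.append("RESTORE_FAILED")
        findings[entry["system"]] = issues
    return findings


def worst_case_loss_days(catalog, as_of):
    """Days of data that would be lost if every system were hit today and
    restored from its newest backup: the figure a board should be shown."""
    ages = (as_of - datetime.fromisoformat(e["last_backup"]) for e in catalog)
    return max(age.days for age in ages)


def systems_within_policy(findings):
    """Systems with no open issues, for the compliance summary."""
    return sorted(name for name, issues in findings.items() if not issues)


if __name__ == "__main__":
    today = datetime(2017, 5, 16)  # constructed audit date
    report = audit_backups(SAMPLE_CATALOG, today)
    for name, issues in report.items():
        print(f"{name:14s} {', '.join(issues) or 'OK'}")
    print(f"worst-case loss: {worst_case_loss_days(SAMPLE_CATALOG, today)} days")
```

Only the system whose backup is fresh, tested within the month and proven restorable comes out clean; the lab system shows the failure mode Barrett warns about, where a backup exists on paper but would expose the organisation to far more than 30 days of loss.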
Another absolutely key strategy, says John A. “Drew” Hamilton, Ph.D., of the Center for Cyber Innovation, at Mississippi State University (Starkville, Miss.), is basic network segmentation. “You need to separate duties and functions, to limit the damage” when a cyberattack occurs, he says. “And compartmentalization could at least limit the ability of a ransomware attack to propagate across your system.” What’s more, he says, “I think that you have to assume that people will attack you and you’re going to have different kinds of failures. So, defense in depth is important. And with the big attacks you see, at least two big things have gone wrong. If you have an individual whose account is compromised, you should limit the damage that can go from there. The breach last year in the Office of Personnel Management in the federal government, where all the HR data was compromised, was staggering. You didn’t have it compartmentalized.”
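Hamilton's point, and McMillan's earlier one about segmenting away medical devices that cannot be patched, can be checked before an incident rather than after: model the zones, the hosts in each zone and the firewall rules that permit SMB between zones, then compute how far a worm starting on one host could spread hop by hop. The script below is an added example, not code from the article or from any of the organizations quoted; the zone names, host inventory and rule sets are constructed, the SMB port of TCP 445 is assumed, and it assumes that hosts within the same zone can reach each other (no host-level isolation).

```python
from collections import deque

SMB_PORT = 445  # assumed: the SMB port the propagation component uses

# Constructed inventory: host -> network zone (not a real hospital network)
HOSTS = {
    "ws-er-01": "workstations",
    "ws-er-02": "workstations",
    "ws-icu-01": "workstations",
    "fileshare-01": "servers",
    "ehr-app-01": "servers",
    "infusion-pump-07": "medical_devices",
    "mri-console-02": "medical_devices",
}
ZONES = sorted(set(HOSTS.values()))

# Rules are (source zone, destination zone, port) tuples that a firewall allows.
# Flat network: every zone can reach every zone on SMB, the situation the
# experts describe at the NHS.
FLAT_RULES = {(src, dst, SMB_PORT) for src in ZONES for dst in ZONES}

# Segmented network: workstations may use file shares on the server zone, but
# nothing reaches the unpatchable device zone on SMB, and servers do not
# initiate SMB back to workstations.
SEGMENTED_RULES = {
    ("workstations", "workstations", SMB_PORT),
    ("workstations", "servers", SMB_PORT),
    ("servers", "servers", SMB_PORT),
    ("medical_devices", "medical_devices", SMB_PORT),
}


def zones_reachable(rules, start_zone, port=SMB_PORT):
    """Breadth-first walk over zones following allow rules for `port`.
    The start zone is always included (intra-zone spread is assumed)."""
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for src, dst, p in rules:
            if src == zone and p == port and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(hosts, rules, patient_zero, port=SMB_PORT):
    """Hosts a self-propagating infection starting at `patient_zero` could
    reach, given the zone rules, in any number of hops."""
    zones = zones_reachable(rules, hosts[patient_zero], port)
    return sorted(host for host, zone in hosts.items() if zone in zones)


def unreachable_from(hosts, rules, patient_zero, port=SMB_PORT):
    """Hosts the segmentation protects from that starting point."""
    exposed = set(blast_radius(hosts, rules, patient_zero, port))
    return sorted(set(hosts) - exposed)


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        radius = blast_radius(HOSTS, rules, "ws-er-01")
        print(f"{label:9s} infection from ws-er-01 reaches {len(radius)}/{len(HOSTS)} hosts")
    print("protected:", unreachable_from(HOSTS, SEGMENTED_RULES, "ws-er-01"))
```

In the flat design one infected workstation can reach every host, infusion pumps included; in the segmented design the same start point is contained to the workstation and server zones, and an infection that begins on a server cannot come back to the workstations at all, which is the asymmetry a reviewer should look for when reading a rule set.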
A core obstacle: the historical conservatism of healthcare operations
One of the core challenges remains a business-cultural one: healthcare remains one of the most conservative of U.S. industries, both in terms of its investments in progressive information technology, and also in terms of its data management and governance. Xu Zou, the co-founder and CEO of the Mountain View, Calif.-based ZingBox, an IoT (Internet of Things) security solutions provider, says, “We’re working in the more conservative verticals like healthcare and manufacturing. A lot of [healthcare organizations], once they’ve passed their regulatory certification requirements, they’re hesitant to make further changes,” he says. “That’s what we’re facing now. And those medical devices will probably stay on Windows XP without a security patch, probably forever. And even though the FDA is encouraging providers to patch their devices—only now are hospitals taking action. The challenge is that hospitals don’t want to have to go through the entire FDA certification process a second time,” he adds.
In all this, of course, resource issues remain a huge issue for many patient care organizations, particularly smaller and rural hospitals and many medical groups. Asked what under-resourced hospitals and other patient care organizations can do, CynergisTek’s McMillan says, “I’m going to give you two answers. My first answer will be based on the assumption that they can do this; the second will be based on what I really believe needs to happen in this country. The first answer is, if they’re going to continue to go it alone, they’re going to have to focus on the basics, and based on what can I realistically do myself, and what should I outsource to somebody else. In that case,” he says, “they need to think about their EHR as a service, as opposed to owning it. Because they’re better protected in a tier 1 hosted environment. And then the hospital can focus on medicine, and the tier 1 support system can help them.”
That having been said, McMillan goes on to say that, on a broader level, “My personal opinion is that healthcare is at the same place that the banking industry was in the 90s. In the 90s, the regulations really started to bite the banking industry, and all of a sudden, the small community banks could not keep up. So we all of a sudden had the emergence of the regional banks and the expansion of the big banks acquiring the small banks, because it became too much for them to do effectively. And the Federal Reserve understood that you couldn’t have a small community bank out there connected to the Federal Reserve, that wasn’t protected.”
In that regard, McMillan says, “In healthcare we do a disservice,” by assuming that even the smallest and least-resourced hospitals should perforce remain in operation. “Everybody says, gee, we’ve got to make it easier for them. Nonsense!” he says. “The information that they maintain for patients is just as important as the information that the large hospitals maintain. So we shouldn’t be watering down [regulations and mandates around data security]; we should be saying, if you can’t do it yourself, you need to hire someone who can, or think about being acquired. And we are fast approaching a time when the small hospital cannot manage by itself any longer. And it’s not just about the data, it’s about the disruption. The small hospital hit by a ransomware attack, it’s even more devastating than with a big hospital, because those people don’t have other options, they’re often in rural areas. And we’re fast approaching a time when the stakes are just too high for the small guy to do it effectively. And it’s not fair, to be honest, but it is what it is. Nobody wanted to see their local bank that had been there for 100 years, go away. But the fact is that they couldn’t provide the same level of service of Bank of America or Wells Fargo or whoever, at the same cost or level of security. So eventually, that happened. And today, people don’t even go into the bank. Most young people haven’t even seen the inside of their bank.”