The recent global breach hit the United Kingdom's National Health Service especially hard. But outdated systems and a lack of updates made the incident predictable. Some simple steps could have reduced the risk.
By now, news of the “largest ransomware attack in history” has spread far beyond IT and cybersecurity circles. Over the course of a weekend, hackers launched a global ransomware attack that affected more than 300,000 computers, halting day-to-day operations at organizations on 3 continents. Some of the hardest hit victims were hospitals, particularly in the United Kingdom.
Intelligence and cybersecurity experts have determined that the WannaCry ransomware attack disrupted operations at more than 50 National Health Service (NHS) trusts in England, including hospitals, surgical centers, rehabilitation centers and pharmacies, and an additional 13 in Scotland. By encrypting data and locking users out of their operating systems, the attackers blocked health professionals from accessing patient records and managing appointments, and even halted some surgeries. As a result, hundreds of appointments had to be cancelled, ambulances were forced to change routes and operations were delayed.
Unfortunately, this is not the first instance of a cyberattack on healthcare institutions: the NHS had encountered a number of more localized disruptions in the months leading up to the WannaCry attack. Despite warnings from IT experts and security companies, hospitals and other health agencies remain at risk of future large-scale attacks.
Earlier this month, I spoke on a panel at the spring meeting of AJMC®’s ACO and Emerging Healthcare Delivery Coalition, where I was joined by other IT experts to discuss the new era of accountable healthcare. The reality of modern healthcare cybersecurity today is not a question of if, but when health systems will suffer a breach. Our health system and the organizations that comprise it must take every action possible to stay ahead of the curve.
It is now more important than ever to recognize that organizations need better, more frequent training for health professionals and more robust company policies to prevent history from repeating itself. Below are some tips to help companies reduce the chance of another WannaCry attack:
1. Make security part of company culture. Hospitals and other healthcare organizations are prime targets for hackers for the patient information they possess. By adopting company policies and values that keep privacy and security at the core of operations, organizations can help employees take on a more proactive mindset regarding security from day one. Consider using tactics like a mentor program, professional development and town halls to better communicate with employees.
2. Don’t treat it as “check the box.” Going through the motions can leave organizations vulnerable to the fast-evolving nature of cyberattacks. Hackers are constantly coming up with creative tactics to infiltrate and halt systems. Their aggression can only be met by proactive, innovative thinking geared toward staying a step ahead. Organizations should know what legacy systems are on their network and where they may have potential exposures. Separating legacy systems from primary networks can help limit exposure to attacks.
3. Teach people the basics. In many cyberattacks, including this most recent incident, a single user can infect an entire organization’s system by simply opening the wrong email. Make sure that all employees understand how to recognize a suspicious email, corrupted files and other red flags. Equipping teams with basic cybersecurity knowledge and best practices can help eliminate many of the quickest routes for malware to infiltrate systems.
4. Update your systems. The countries and industries that were most impacted by the WannaCry ransomware attack were those that had not updated their operating systems in a timely fashion. It is now known that the hackers exploited a vulnerability in Microsoft operating systems. Microsoft offered a “patch” to address this vulnerability months ago; however, the attack was still overwhelmingly effective because NHS computers were still running Windows XP, a 15-year-old operating system for which Microsoft no longer provides support or security updates. In addition, hundreds of thousands of users across the globe failed to proactively update their systems. Organizations should ensure they are keeping up with software updates, regularly installing security patches and developing a strong incident response plan so that attacks are handled quickly.
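As an added example that is not part of the original article, the following Python script triages an asset-inventory export the way tips 2 and 4 describe: it flags hosts whose operating system is past the vendor's end of support (those cannot be patched at all, so the action is to segregate them from the primary network and plan their replacement) and hosts that have not received security updates recently (those just need the pending updates installed). The inventory column names, hostnames, VLAN names and patch dates are constructed for the example; the two end-of-support dates in the table are Microsoft's published lifecycle dates, and the table would be extended for the operating systems actually present in an organization's estate.

```python
import csv
import io
from datetime import date

# Vendor end-of-extended-support dates, keyed by NT kernel version string.
# These two entries are public Microsoft lifecycle facts; extend the table
# from the vendor's lifecycle pages for the OS versions in your own estate.
END_OF_SUPPORT = {
    "5.1": ("Windows XP", date(2014, 4, 8)),
    "5.2": ("Windows Server 2003", date(2015, 7, 14)),
}

# Constructed sample export (column layout, hostnames, dates and VLAN
# names are all made up for this example).
SAMPLE_INVENTORY = """hostname,os_version,last_patch_date,vlan
mri-console-01,5.1,2013-11-12,clinical
ward3-pc-07,6.1,2017-01-10,staff
pharmacy-srv-02,6.3,2017-05-09,servers
reception-pc-11,6.1,2016-09-13,staff
"""


def triage(inventory_csv, today_iso, max_patch_age_days=60):
    """Return {hostname: {"issues": [...], "vlan": str, "action": str}}.

    Only hosts that need work are returned. An unsupported OS cannot be
    patched, so its action is containment plus replacement; a supported OS
    whose last patch is older than max_patch_age_days needs updates applied.
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        eos = END_OF_SUPPORT.get(row["os_version"])
        unsupported = bool(eos) and today > eos[1]
        if unsupported:
            issues.append(f"unsupported OS ({eos[0]}, support ended {eos[1]})")
        age = (today - date.fromisoformat(row["last_patch_date"])).days
        if age > max_patch_age_days:
            issues.append(f"no security updates for {age} days")
        if not issues:
            continue
        action = ("segregate from primary network; schedule replacement"
                  if unsupported else "install pending security updates")
        findings[row["hostname"]] = {"issues": issues, "vlan": row["vlan"], "action": action}
    return findings


def hosts_to_segregate(findings):
    """Out-of-support hosts grouped by VLAN, as a work list for the network team."""
    by_vlan = {}
    for host, finding in findings.items():
        if finding["action"].startswith("segregate"):
            by_vlan.setdefault(finding["vlan"], []).append(host)
    return by_vlan


if __name__ == "__main__":
    # 2017-05-15 is the Monday after the WannaCry weekend.
    report = triage(SAMPLE_INVENTORY, "2017-05-15")
    for host, finding in report.items():
        print(f"{host}: {'; '.join(finding['issues'])} -> {finding['action']}")
    print("segregation work list:", hosts_to_segregate(report))
```

Run against a real export, the same two questions (is this OS still supported, and when was it last patched) are what a patch-compliance review should be able to answer for every device on the network, including the clinical equipment that is most often left out of the regular update cycle.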
By taking these steps, companies can help defend the health system from another large-scale attack. I encourage all healthcare professionals to research cybersecurity best practices that will undoubtedly help protect your organization or facility.
Follow Dan Konzen on Twitter @dankonzen or LinkedIn https://www.linkedin.com/in/dankonzen/.