The attack on the UK’s National Health Service (NHS), which forced up to 40 hospital trusts to cancel surgeries and appointments and to divert ambulances, freaked everyone out. The attackers blocked access to vital medical files using strong encryption and demanded that hospitals pay a ransom before the files would be unlocked. As is habitual in ransomware attacks, they threatened to delete the files permanently if their demands were not met within one week. [i]
This was part of a wide-scale ransomware attack which has so far affected more than 200,000 victims across 150 countries.
The scale of this attack is unprecedented, but ransomware attacks are not new. Back in 1989, in what was to become the first ever ransomware attack, the Harvard-trained evolutionary biologist Joseph L. Popp created a malicious program called the AIDS Trojan, or PC Cyborg. He then sent 20,000 infected diskettes disguised as “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. Popp’s program, which used simple symmetric encryption whose key could be recovered from the program itself, was relatively easy to mitigate, but it laid the foundation for what would become arguably the most prevalent and vexing security threat two decades later.
Today, even the least sophisticated criminals can join affiliate programs and distribute malicious programs to millions of victims on behalf of the malware’s creators, on a commission basis. As one hacker said, “The only things you need are a computer and the ability to follow clear instructions. If you can do that you will never have to worry about your finances again."[ii]
Putting thousands of patient lives at risk for a $300 ransom is sickening; it’s a manifestation of the selfish, greedy world in which we live.
Even some hardened criminals hold life sacred. For instance, in the aftermath of the widely publicised 2016 ransomware attack on the Hollywood Presbyterian Hospital, a number of hackers openly vented their disgust at the heartless act, according to security firm Flashpoint.
One reputable, high-profile member of a Russian cyber-crime forum voiced his discontent:
From the bottom of my heart I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with the malware.
Another hacker agreed:
Dirt bags, the move is completely unethical. Do not touch hospitals!
That this sentiment, that attacking hospitals is reckless and unacceptable, is widespread within the criminal community is rather surprising. Recent episodes, however, have conveyed a steady and unambiguous message: this threat will only grow wider and grislier. These incidents are a stark warning to those charged with governing healthcare institutions that debilitating, irrational attacks are not prevented merely because they are inconceivable. It’s time to act. The old trade-off of technology investment versus front-line patient care no longer makes sense, because technology is now interwoven into the entire healthcare value chain.
As this danger unfolds, healthcare institutions are finding themselves woefully unprepared. Their predicament has many origins, chiefly decades-old technology left in place by years of neglected technology investment.
According to The Telegraph, 90 per cent of NHS trusts in the UK were still using Windows XP, a 16-year-old operating system whose vendor support ended in April 2014. Security experts said that computers running operating systems released before 2007 were particularly vulnerable, leaving many NHS systems highly exposed. Bloomberg reckons that hospitals are at least a decade behind the standard security curve.
Granted, hospitals don’t have the fat bank accounts their private-sector counterparts can draw on to invest in world-class digital environments. Keeping life-critical records on systems the vendor stopped supporting years ago, however, is utterly indefensible.
Amidst all the big words and phrases being thrown around (sophisticated cyber weapons, enormous cyber-attack, like Tomahawk missiles stolen, and so forth), let’s remember one thing: this attack would have been stopped by one of the most rudimentary cyber security controls, namely maintaining a vendor-supported fleet and sticking to a monthly patching cycle. Even organisations that could not patch immediately had cheap compensating controls available, such as disabling the SMBv1 protocol the worm used to spread and blocking TCP port 445 at the network perimeter.
A number of experts have long warned of the rising cyber threat to the healthcare sector; the internet is replete with such warnings. The tragedy is that they were ignored or discounted.
Faced with this immediate quandary, many healthcare institutions will be tempted to invest in fancy technical solutions, or to engage consultants to conduct lengthy benchmarking exercises, overlooking the obvious, cost-effective measures that deter attacks or allow prompt recovery from them. As The Economist puts it, it is tempting to believe that cyber security problems can be solved with yet more technical wizardry.
Technology indeed plays its part, but it can also give a false sense of invulnerability. Cyber resilient enterprises put cyber-security fundamentals at the core of their strategies:
- Running critical processes on modern, vendor-supported infrastructure. The malware that crippled one of Melbourne’s largest hospital networks in 2016 also spread through its unsupported Windows XP fleet.
- Rigorously sticking to their patching policies. The threat in question spread by exploiting a vulnerability in the SMBv1 file-sharing service of Windows, for which Microsoft issued a fix (MS17-010) in March 2017, two months before the outbreak. Organisations running a Microsoft-supported fleet that had diligently applied that month’s updates were not susceptible to the worm’s spread. Patch status is only as good as its verification, so confirm that the update is actually installed on every host rather than assuming the deployment tool succeeded.
- Maintaining a cyber savvy workforce through highly engaging, tailored awareness programs.
- Having senior leaders who demonstrate unwavering commitment to cyber resilience, are closely engaged in cyber security initiatives, and hold middle management accountable.
- Maintaining basic security hygiene: restricting access to privileged accounts, regularly validating employee access, hardening systems, identifying and promptly fixing vulnerabilities, and so forth.
Defending enterprises against these opportunistic ransomware attacks is not rocket science. One effective measure for prompt recovery is taking routine backups, storing a copy offline where ransomware on the network cannot reach it, and regularly testing that the backups actually restore. It sounds straightforward, yet many enterprises fail to operate this basic control. According to Storage Magazine, over 34% of companies do not test their backups, and of those that do, 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed.
This is not a counsel of despair, but unless healthcare institutions up their game, more and more patients’ lives will be put at risk. Protecting patients from this potent threat won’t come cheap, but healthcare institutions must make these investments. People’s lives depend on them.
Phil is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the Amazon best-selling author of The Five Anchors of Cyber Leadership, a practical cyber strategy book for senior business leaders, and the 2017 winner of ISACA International’s Michael Cangemi Best Book/Article Award for major contributions in the field of IS audit, control and security.