Hundreds of thousands of computers in more than 150 countries were “held hostage” during the WannaCry ransomware outbreak of May 2017, which encrypted files on Microsoft Windows systems that had not been patched against the flaw it exploited or that ran versions of Windows no longer receiving patches. The dust has now settled, and what we have learned from those attacks is that they could have been prevented.
As a former hospital CIO, I am prepared to share ideas for how you can best protect your operations and the private, personal data of the patients in your care.
What exactly happened and why it matters
The WannaCry ransomware encrypted each file with a freshly generated 128-bit AES key and then locked those keys with a 2048-bit RSA key pair, so that only the attackers, holding the matching private key, could release them. (Key sizes for the two kinds of algorithm are not comparable, so the “128-bit versus 256-bit” comparison often repeated in the press is misleading: a 128-bit AES key is already beyond brute force, and the 256-bit AES a bank uses is not meaningfully “stronger” in a way that matters here. The practical point is that a victim had no hope of recovering files by cracking the encryption.) The malware then demanded a ransom of $300 in bitcoin, doubling to $600 if it was not paid within three days, with the threat that files would become unrecoverable after seven.
The attack was significant because it exploited a known, already-patched vulnerability; in other words, it wasn’t a “zero-day attack.” WannaCry spread from machine to machine by firing the EternalBlue exploit (published by the Shadow Brokers in April 2017) at a flaw in the SMBv1 file-sharing protocol, CVE-2017-0144, which Microsoft had fixed in security bulletin MS17-010 on March 14, 2017, two months before the outbreak. Supported systems that had installed that update were not affected. The machines that fell were those still missing the patch and those running versions such as Windows XP and Windows Server 2003 that had left support and received no fix until Microsoft issued an emergency update after the outbreak began. Contrary to early reports, most infected machines ran unpatched Windows 7 rather than XP, but the conclusion is the same either way: this was a known weakness with an available fix, and there is no good justification for why it wasn’t prevented.
The impact was less severe here in the U.S. than in Europe, where hospitals in the U.K.’s National Health Service had to turn patients away. That said, it is still a major concern for healthcare professionals, primarily because it is another successful attack against old hardware, unpatched software, and unsupported operating systems. As providers and guardians of patients and their protected personal data, we must prioritize this work, drop the “it will happen to the other guys, not me” mentality, and quit tempting fate.
There are too many physician practices; small, medium, and large hospitals; academic medical centers; expansive integrated healthcare systems; and other healthcare partners that have yet to completely upgrade their Windows desktop environment to a supported operating system. How many Windows XP machines, or machines that are merely behind on patches, are sitting on your network right now, and on how many of them is SMBv1 still switched on? Each and every one adds risk. To effectively safeguard operations and patient data against attack, the nonchalance must stop.
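As an added example (my own illustration, not part of the original article or any vendor tool), the following PowerShell answers the question above for a domain: it lists every enabled computer account with its operating system, flags versions that were out of support when WannaCry struck, and, where the host answers WinRM, reads whether SMBv1 is enabled and whether one of the MS17-010 updates is listed. It assumes the ActiveDirectory RSAT module and remote-management access to the hosts; the KB numbers are the March and May 2017 MS17-010 set, which later cumulative updates supersede, so an empty result in that column means “verify”, not “vulnerable”.

```powershell
# Added example: inventory domain-joined Windows hosts for the two conditions
# WannaCry needed, an unsupported or unpatched OS and SMBv1 reachable on the LAN.
# Assumptions: ActiveDirectory module (RSAT) installed, WinRM open to the hosts.
Import-Module ActiveDirectory

# MS17-010 updates of March 2017 plus the May 2017 emergency update (KB4012598)
# for XP / Server 2003 / Windows 8. Superseded by later cumulative updates, so
# "not listed" is a prompt to check, not proof of exposure.
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

# Client and server versions with no public security updates in May 2017.
$EolPattern = '^Windows (XP|Vista|Server 2003)\b|^Windows 8 '

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($c in $computers) {
    $smb1 = 'unknown'
    $patched = 'unknown'

    if (Test-WSMan -ComputerName $c.DNSHostName -ErrorAction SilentlyContinue) {
        # The registry value works back to Windows XP; Get-SmbServerConfiguration
        # exists only on Windows 8 / Server 2012 and later. A missing value means
        # the default, which on Windows 7 and earlier is "enabled".
        $smb1 = Invoke-Command -ComputerName $c.DNSHostName -ScriptBlock {
            $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                     -Name SMB1 -ErrorAction SilentlyContinue
            if ($null -eq $v) { 'enabled (default)' }
            elseif ($v.SMB1 -eq 0) { 'disabled' }
            else { 'enabled' }
        }

        # Get-HotFix reads Win32_QuickFixEngineering; filter client-side so a
        # host with none of the KBs produces a row instead of an error.
        $hot = Get-HotFix -ComputerName $c.DNSHostName -ErrorAction SilentlyContinue |
               Where-Object { $Ms17010Kbs -contains $_.HotFixID }
        $patched = if ($hot) { 'yes' } else { 'no MS17-010 KB listed' }
    }

    [pscustomobject]@{
        Host      = $c.Name
        OS        = $c.OperatingSystem
        Version   = $c.OperatingSystemVersion
        LastLogon = $c.LastLogonDate
        EndOfLife = [bool]($c.OperatingSystem -match $EolPattern)
        SMB1      = $smb1
        MS17010   = $patched
    }
}

# Worst first: unsupported OS, then anything with SMBv1 still on.
$report | Sort-Object EndOfLife, SMB1 -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\smb-exposure.csv
```

Run it from a workstation with RSAT as an account that can read the domain and manage the hosts. Treat the CSV as the worklist: rows marked EndOfLife need a vendor conversation or isolation, rows with SMBv1 enabled can usually be fixed in place (on Windows 8 / Server 2012 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force`; on Windows 7, set the same registry value to 0 and reboot), but confirm first that no imaging modality or legacy device still depends on SMBv1 before switching it off on a file server.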
Actions to take right now
- Scrap the old. Put pressure on vendors to certify their products on supported operating systems. This often is easier said than done for an individual organization in an immense industry, but there are steps that protect operations and mitigate the risk of a perilous attack while you wait. These go beyond installing routine patches on schedule and emergency patches promptly: if a device cannot be upgraded, isolate it, restrict SMB (TCP port 445) to it from the rest of the network, and disable SMBv1 wherever nothing depends on it. If need be, get management involved to set that tone and back the work with budget.
- It’s time for a risk assessment and analysis. This will identify security gaps and provide detailed, actionable steps to mitigate risk and align priorities. The key is making sure one doesn’t blindly walk through the documentation. One recommendation is to follow the National Institute of Standards and Technology (NIST) Special Publication 800-30, commonly called NIST SP 800-30, as the risk-assessment method, and then apply the SANS Institute’s Top 20 Critical Security Controls for Effective Cyber Defense (now maintained as the CIS Controls) to decide which gaps to close first. One can do this internally or enlist an outside professional if additional assistance is required. The key is making sure your expert has experience in healthcare (i.e., don’t go to the local drive-thru burger joint for a seafood dinner).