Thousands of computers across the globe were “held hostage” during the recent WannaCry ransomware attacks, which encrypted files on Microsoft Windows systems that had not been patched or upgraded. The dust has now settled, and what we have learned from those attacks is that they could have been prevented.
As a former hospital CIO, I am prepared to share ideas for how you can best protect your operations and the private, personal data of the patients in your care.
What exactly happened and why it matters
The perpetrators behind the WannaCry attack employed ransomware using what is known as an RSA 2048-bit cipher to encrypt files. (A 128-bit cipher is considered secure to the point of being theoretically impenetrable by brute force; a typical bank uses 256-bit encryption technology.) The attackers then demanded a “ransom” in the form of a bitcoin payment which, if not paid promptly, increased in stages over the time that elapsed until payment was made.
The attack was significant because it exploited known vulnerabilities in the system and software; in other words, it wasn’t a “zero-day attack.” For that reason there is no good justification for its not having been prevented: this attack targeted the known weakness in the Windows XP operating system.
The impact was less severe here in the U.S. than in Europe. That said, it is still a major concern for healthcare professionals, primarily because it is another successful attack against old hardware, unpatched software, and outdated operating systems. As providers and guardians of patients and their protected personal data, we must make this a priority, drop the “it will happen to the other guys, not me” mentality, and quit tempting fate.
There are too many physician practices; small, medium, and large hospitals; academic medical centers; expansive integrated healthcare systems; and other healthcare partners that have yet to completely upgrade their Windows desktop environment to a supported operating system. How many Windows XP machines, or simply outdated machines, are sitting on your network right now? Each and every one adds risk. To effectively safeguard operations and patient data against attack, the nonchalance must stop.
Actions to take right now
- Scrap the old. Put pressure on vendors to move their products from old to new operating systems. This is often easier said than done for individual organizations in an immense industry, but there are steps that can protect operations and mitigate the risk of a perilous attack, and they go far beyond simply installing routine patches regularly and emergency patches expediently. If need be, get management involved in taking actionable steps to proactively set that tone.
- It’s time for a risk assessment and analysis. This will identify security gaps and provide detailed, actionable steps to mitigate risk and align priorities. The key point is making sure one doesn’t blindly walk through the documentation. One recommendation is to consult the National Institute of Standards and Technology (NIST) Special Publication 800-30, commonly called NIST SP 800-30. Starting with NIST, then applying the SANS Institute’s Top 20 Critical Security Controls for Effective Cyber Defense, is the best way to conduct the risk assessment and analysis. This can be done internally, or with the aid of an IT professional if additional assistance is required. The key is making sure your expert has experience in healthcare (i.e., don’t go to the local drive-thru burger joint for a seafood dinner).
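As an added example (not from this article), here is a small inventory triage script that answers the “how many outdated machines are on your network” question for a constructed asset list: it flags hosts running an operating system that no longer receives security updates and hosts whose last patch is older than a chosen threshold. The CSV columns, the end-of-life list and the sample hosts are assumptions; feed it your own asset export.

```python
"""Flag end-of-life and unpatched Windows hosts from an asset inventory.

Added example, not from the article. Assumes an inventory export in CSV form
with columns hostname, os, last_patch_date; the sample rows are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Windows releases that no longer receive security updates (assumption: your
# vendor support matrix may add others). Matched case-insensitively by prefix.
END_OF_LIFE_OS = ("windows xp", "windows server 2003", "windows vista")

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """hostname,os,last_patch_date
lab-px-01,Windows XP,2014-03-01
radiology-ws-07,Windows 7,2017-02-14
er-kiosk-03,Windows 10,2017-05-20
imaging-srv-02,Windows Server 2003,2015-06-30
"""


def triage(inventory_csv, today, max_patch_age_days=30):
    """Return a dict: hostname -> list of findings (empty list means no finding)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        os_name = row["os"].strip().lower()
        if os_name.startswith(END_OF_LIFE_OS):
            issues.append("end-of-life OS: " + row["os"].strip())
        patched = date.fromisoformat(row["last_patch_date"].strip())
        age = (today - patched).days
        if age > max_patch_age_days:
            issues.append("no patch in %d days" % age)
        findings[row["hostname"].strip()] = issues
    return findings


def summarize(findings):
    """Count hosts with at least one finding, a quick metric for management."""
    return sum(1 for issues in findings.values() if issues)


def triage_sample():
    """Run the triage over the constructed inventory as of a fixed date."""
    return triage(SAMPLE_INVENTORY, date(2017, 6, 1))


if __name__ == "__main__":
    result = triage_sample()
    for host, issues in sorted(result.items()):
        print(host, "OK" if not issues else "; ".join(issues))
    print("hosts needing action:", summarize(result))
```

The patch-age threshold is deliberately strict (30 days); tune it to your patch cycle, and treat every end-of-life hit as a replacement or isolation ticket rather than a patching task.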
The financial impact of falling victim
The healthcare industry is complex, and the healthcare environment cannot be treated like just another corporate security model. There is no shortage of hackers who revel in the conquest of exposing vulnerabilities. Over the years, hacking has become a viable career track, with some offenders specifically targeting healthcare. It’s not like the old days, when one sat around waiting to see whether an attack happened to someone else.
The costs and disruption of service can be crippling, but they pale in comparison to the costs associated with a breach. If you are a Covered Entity or even a Business Associate, a risk assessment and analysis is required annually, and federal authorities are auditing for compliance. The Department of Health and Human Services must take in and review 100% of reported breaches. Many result in full HIPAA compliance reviews ending with fines and public embarrassment. Once those hefty fines are levied, the financial impact will be greater than any upfront investment in system upgrades or risk assessment fees. It simply does not make sound financial sense to wait for a breach.
What would your “health inspection score” be?
Patients are often given a false security blanket: the belief that their personal data is safe with providers. Patients are not privy to the results of risk analyses, nor will they know whether risk-mitigating actions were taken to secure their data. The Health Department rates restaurants after inspecting their facilities for critical health violations. While healthcare providers are not currently given an inspection score, those days could be ahead if regulations change. If subject to a “data safety score” today, how would your operations fare? If your patients and clients saw a low score on your door, how would they feel about entrusting their personal, protected data and their lives to your facility? Patients might turn around and find a provider more proactive at protecting private data by mitigating the known risks. The last thing any enterprise needs is a PR fiasco that could have been avoided through preventive measures.