Will information technology ever realize an imagined future where security is strong enough, reliable enough, secure enough to block any and all attacks?
It’s a dubious proposition made more uncertain by the recent WannaCry ransomware incident that started a couple of weeks ago and continued around the globe for several days. The virus was seemingly halted on Friday, May 12, when a security researcher found weaknesses in the code, but additional versions without those weaknesses have been sent out since.
Whoever is sending out WannaCry will continue, or someone else, someplace else, will send something similar or more virulent. The war is never over.
Which means hospitals, IT vendors, security firms and other HIPAA business associates must constantly work to develop better tools. In pursuit of that goal, what can we learn from the WannaCry attack thus far that can help with security moving forward?
- System updates are essential. WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain’s National Health System suffered considerable damage because so many are still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems in a variety of settings that are no longer upgraded or supported. Microsoft rushed a Windows XP security update out after WannaCry was unleashed, but it’s not something the company wants to do or would probably be willing to do with any regularity.It probably goes without saying, but the use of unlicensed and unlicense-able software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China.
- Devices are vulnerable. Specifically, WannaCry successfully attacked Bayer Medrad radiology devices in at least a couple of examples, the first known hacks of medical devices. The concern about medical devices is acute simply because they often control something directly related to the patient condition. A hack of the EHR system is problematic and disruptive. A hack of a medical device is potentially life-threatening.
- Even inept hackers are successful enough to be very disruptive. Possibly derived from hacking tools originally created by the National Security Agency, WannaCry had certain post-NSA vulnerabilities that researchers and security experts could identify relatively quickly. Using terms like “amateur hour” and “easy fix” to describe WannaCry, security professionals said the virus was not a particularly challenging nemesis. But even imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost as much as $4 billion. Imagine what kind of damage a more successful hack could do.
- The most expensive part of ransomware is not the ransoms. It’s not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated only $100,000 in total had been sent to hackers. No one was going to get independently wealthy off this hack. Still, WannaCry bled an estimated $4 billion dollars from the system. Again, imagine a much more successful effort than WannaCry and you can see how motivated hackers might be determined to bring certain essential industries—healthcare, for example—to a grinding halt without getting dollars in return.
- Subscription services are a viable alternative. A primary reason WannaCry succeeded at all is because there is so much old software out there running various computing devices. Subscription software is one way to get old software out of the market. With the subscription option, to use WannaCry as a specific example, Microsoft can quickly and easily provide security updates to all applications and operating systems. The company did, in fact, provide updates in March to patch the security hole WannaCry exploited, which made the damage in the United States much less extensive. Clearly, however, those updates did not extend to the millions of Windows instances in use globally. While technology companies have been promoting subscription software options for years, buyers have been slow to sign on. Perhaps instances like this will convince many that subscription is both the more affordable and safer option.
Right now, failsafe responses to malware and hackers are multi-pronged, and subscription software can be a significant component in that defense. Each hospital must develop a comprehensive and stringent security program as a necessary foundation for overall protection.
The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.
Speaking of which, have you installed those Windows security updates recently?