Exclusive Report: What Can U.S. Healthcare IT Leaders Learn, in the Wake of Wanna Cry? | Healthcare Informatics Magazine

Exclusive Report: What Can U.S. Healthcare IT Leaders Learn, in the Wake of Wanna Cry?

May 17, 2017
by Mark Hagland and Heather Landi
What can U.S. provider leaders learn from the Wanna Cry cyberattack crisis?

What emerged on Friday morning, May 12, European time, and quickly spread across the world as one of the most intensive and extensive ransomware-based attacks to date, affecting organizational operations of all kinds in approximately 150 countries, seemed to have gotten somewhat under control by early this week, even as the attack has jolted the information technology world across the planet.

Variously known as the Wanna Cry or Wanna Decryptor ransomware virus, the phenomenon on Friday virtually shut down several dozen regional health authorities within the National Health Service of the United Kingdom, while simultaneously impacting the operations of such diverse entities as Spain’s national telephone service, La Telefónica; Germany’s railway system, Deutsche Bahn; automotive plants of the French car manufacturer, Renault; the Russian Interior Ministry; and universities in China and Taiwan.

In his breaking news article on Friday, Healthcare Informatics Managing Editor Rajiv Leventhal quoted Creighton Magid, a partner at the international law firm Dorsey & Whitney, who noted that “The cyberattack, using a ransomware bug known as WannaCry, appears to have used an NSA exploit known as ‘Eternal Blue’ that was disclosed on the web by Shadow Brokers. Microsoft released a patch earlier this year to address the vulnerability, but it appears that a number of hospitals and other users have not applied the patch.” “Like the DDOS attack last October,” Magid said, “this attack shows that interconnected devices and systems are vulnerable to attack by nations, non-state actors and just plain crooks,” he says, adding that an attack of this scope points to the potential for an entirely different type of damage: shutting down entire businesses, hospital systems, banks, and critical infrastructure.

As the cyberattack’s impact continued to spread worldwide into and through Saturday, Editor-in-Chief Mark Hagland quoted a report published online at 7:50 AM eastern time that day by The New York Times’ Mark Scott, in which Scott wrote that “The attack is believed to be the first in which such a cyberweapon developed by the N.S.A. has been used by cybercriminals against computer users around the globe. While American companies like FedEx said they had also been hit,” he added, “experts said that computer users in the United States had so far been less affected than others because a British 22-year-old cybersecurity researcher inadvertently stopped the ransomware from spreading,” referring to the Kryptos Logic IT specialist. “The 22-year-old British researcher, whose Twitter handle is @MalwareTechBlog and who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny,” Scott wrote, “found the kill switch’s domain name—a long and complicated set of letters. Realizing that the name was not yet registered, he bought the name himself. When the site went live, the attack stopped spreading, much to the researcher’s surprise.” Scott quoted Matthieu Suiche, founder of Comae Technologies, a cybersecurity company based in the United Arab Emirates, as saying that “The kill switch is why the U.S. hasn’t been touched so far. But it’s only temporary,” Suiche added. “All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”

As it turns out, that researcher was able to devise a “kill switch” for the virus, which had already shut down patient care delivery at dozens of British regional health authorities, and frustrated operations at a full range of other business, governmental, and educational organizations worldwide.


What U.S. healthcare IT leaders need to know

So what does all this mean for U.S. healthcare providers? A fair amount, say industry experts and observers. “There are several lessons here,” says Mac McMillan, president and CEO of the Austin, Tex.-based CynergisTek IT security consulting firm. “One is an old lesson that we still haven’t learned as an industry, and that is that basic IT hygiene, keeping systems up to date, and not keeping systems you can’t patch, like medical devices, or segmenting them away—that people still aren’t doing those things to the extent that they need to. Basic hygiene could have saved the National Health Service here.” The National Health Service in the U.K. was still operating on the abandoned Windows XP platform, as Hagland noted in his blog on Sunday. And, says McMillan, “That’s insane.”

Meanwhile, McMillan goes on to say, “A recommendation made a few years ago by the National Security Advisor regarding the federal government’s weaponizing information systems and then not reporting that weaponization to vendors—the recommendation back then was actually that the potential cost to the private sector, to businesses, was so high that it outweighed the government doing those things. The third lesson that comes out of this,” he says, “is that it’s going to happen again; it’s just a matter of time, because all of this information is out there on the Internet. And when you look at zero-day exploits, the Symantec Threat Center recently said that there are over 4,500 zero-day attack vulnerabilities in systems that there is no fix for. So any hacker who finds those, can weaponize that, and run that attack, and they’ll have a massive initial impact, because there won’t be any way to respond. And unfortunately, the hacker community has decided that disruption in itself has become the goal.”

On the positive side of things, McMillan says, “There are several reasons why the U.S. healthcare system didn’t experience the same level of impact as elsewhere. Number one is that there have been so many attacks over the last 24 months, that we’ve actually seen investment in advanced malware technologies, email and malware gateways, advanced firewalls, so we actually have some protections to defend against these things. Number two, when this information came out from this Shadow group, and the data from the CIA, at least a lot of hospitals we work with, were right on top of that, and very interested in what to do. So as soon as Microsoft and Cisco and other vendors published their patches two months ago, the hospitals applied them.”

With regard to the vulnerability that the U.K.’s National Health Service had when this attack hit, Lee Barrett, the executive director of EHNAC, the Electronic Health Network Accreditation Commission, a Farmington, Conn.-based independent, federally recognized, standards development organization and accrediting body in U.S. healthcare, says that “Whoever the attacker was in this case, they knew that the N.H.S. was vulnerable” in working on the Windows XP operating system, “and targeted that platform. That was a major, major thing. The other thing is that what this tells organizations,” he says, “is that you’d better have your risk mitigation and preparedness plans in place and be prepared to review them, so that you can react in the moment and mitigate and reduce the amount of exposure for your organization.”

In that context, Barrett says, “In many cases, the organizations that had a good plan in place saw less impact than those who did not have a good risk mitigation and preparedness plan in place. Importantly, you need to be doing backups of all of your data, so that in the event of a ransomware attack, you’ve got a current backup of your system to reduce potential loss, and can get back to business as usual; this speaks to basic business continuity planning.”

U.S. healthcare—still far too reliant on basic tools like firewalls, antivirus protection

Looking at the broad picture around IT security in U.S. healthcare, Garrett Hall, an analyst with Orem, Utah-based KLAS Research, says while healthcare provider organizations have improved their security readiness in recent years, this recent attack indicates that the healthcare industry remains particularly vulnerable. “With all the changes in healthcare and all the budget constraints, it’s a tough issue, but we are encouraged by some of the progress we’re seeing, yet, ultimately, we’re seeing that there needs to be additional progress made,” he says.

Hall co-authored the KLAS 2017 cybersecurity report published in February. In collaboration with the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME), KLAS interviewed 200 healthcare organizations about their security programs, speaking primarily with chief information security officers (CISOs), CIOs, chief technology officers (CTOs) and other IT security professionals.

That report found that U.S. healthcare organizations are still, by and large, relying on foundational technology, such as firewalls, antivirus and malware-protection solutions, and encryption, for protection from cyberattacks. According to KLAS, software for data loss prevention (DLP), identity and access management (IAM), mobile device management (MDM), security information and event management (SIEM) and anomalous-behavior monitoring has yet to make the projected impact due in part to still-maturing deployments and lack of resources and understanding, Hall notes. “That was a little disconcerting to see; that a firewall vendor was having the greatest impact on cybersecurity. We anticipated that it would be more DLP vendors or vendors providing more advanced technologies, so it does suggest that healthcare is still behind on their security readiness. Even though we see improvements, we still have further to go as an industry,” he says.

One of the challenging aspects of this particular cyberattack is its complexity. In a webinar sponsored by the Armonk, N.Y.-based IBM Corporation, Kevin Albano, X-Force Iris global lead for threat intelligence at IBM Security, shared with listeners on Tuesday some insights into the Wanna Cry/Wanna Decryptor virus. The virus, he noted, infiltrates endpoints in a system and encrypts all its files, demanding a ransom payment of $300.00 U.S. in bitcoin, exploiting a known Windows vulnerability that enables remote-code execution; organizations that did not make use of the Microsoft Windows patch made available in March are now particularly vulnerable. “This is a version of WannaCry that does not have the propagation component to it, this is just the ransomware itself,” Albano told webinar attendees. “There’s another aspect to it that is the propagation aspect, using the Eternal Blue exploit, and then the DoublePulsar payload to be able to implement the WannaCry ransomware. There are three components working within it—one is the ransomware, the other is the Eternal Blue exploit that takes advantage of vulnerability within Windows operating system, the third thing is the DoublePulsar payload that’s used to deliver the ransomware itself.” And, he noted, “it is the auto-propagation using the vulnerability and the exploit that is causing much of the harm as it’s spreading through vulnerable systems.”

What CIOs, CISOs and other healthcare IT leaders need to do next

Meanwhile, say industry experts, though U.S. hospitals by and large escaped the damaging impact of the hit that British hospitals have taken, there’s still a long journey ahead for them on IT security. Still, says CynergisTek’s McMillan, “One of the reasons that U.S. healthcare did better in this situation is that, over three years ago, OCR [the Office of Civil Rights of the Department of Health and Human Services] started cracking down on organizations with obsolete systems, declaring that a HIPAA violation. So a lot of our health systems have been doing a better job of working to eliminate these things and keep them refreshed. And everybody has become sensitive to the need to communicate quickly about threat information. So even though we don’t yet have an integrated threat alert system in the U.S., the information has been flowing.”

Some very basic “hygiene” processes must be attended to, says EHNAC’s Barrett. “For one thing, organizations need to make sure that they’re doing ongoing backups and backups of all of their data. In the event that you get hit by one of these ransomware attacks,” he says, “you need to have a current backup of your system available, to reduce the potential loss of your system, and can get back to business as usual, so it gets back to business continuity planning.” Asked about what interval is most appropriate for the auditing of backups—most patient care organizations in the U.S. are doing backup audit at most once a quarter, and many are doing backup audit only once every half-year or even year—Barrett says, “Most of the breaches and ransomware are found after they’ve been in organizations for quite a while, often for months. My best practice is, I tell organizations that they should be auditing their backups at least on a monthly basis. And that goes back to what level of risk you can afford.”

Indeed, Barrett continues, “I don’t think an organization wants to go much more than a 30-day loss in the event of a ransomware attack. So I’d say 30 days, whether you do this yourselves or you have a third-party organization do it for you. And the dialogue I was having… and it ranges pretty widely in terms of how much risk an organization at the board or audit committee level, is willing to take. And larger organizations… Can you as a hospital, afford to lose nine months or a year’s worth of data? My feeling is that you can’t. And I continue to talk to organizations that still haven’t taken this seriously, and just keep pointing the finger, saying, it’s not going to happen to us, we’re too small.”

Another absolutely key strategy, says John A. “Drew” Hamilton, Ph.D., of the Center for Cyber Innovation, at Mississippi State University (Starkville, Miss.), is basic network segmentation. “You need to separate duties and functions, to limit the damage” when a cyberattack occurs. “And compartmentalization could at least limit the ability of a ransomware attack to propagate across your system.” What’s more, he says, “I think that you have to assume that people will attack you had, you’re going to have different kinds of failures. So, defense in depth is important. And with the big attacks you see, at least two big things have gone wrong. If you have an individual whose account is compromised, you should limit the damage that can go from there. The breach last year in the Office of Personnel Management in the federal government, where all the HR data was compromised was staggering. You didn’t have it compartmentalized.”

A core obstacle: the historical conservatism of healthcare operations

One of the core challenges remains a business-cultural one: healthcare remains one of the most conservative of U.S. industries, both in terms of its investments in progressive information technology, and also in terms of its data management and governance. Xu Zou, the co-founder and CEO of the Mountain View, Calif.-based ZingBox, an IoT (Internet of Things) security solutions provider, says, “We’re working in the more conservative verticals like healthcare and manufacturing. A lot of [healthcare organizations], once they’ve passed their regulatory certification requirements, they’re hesitant to make further changes,” he says. “That’s what we’re facing now. And those medical devices will probably stay on Windows XP without a security patch, probably forever. And even though the FDA is encouraging providers to patch their devices—only now are hospitals taking action. The challenge is that hospitals don’t want to have to go through the entire FDA certification process a second time,” he adds.

In all this, of course, resource issues remain a huge issue for many patient care organizations, particularly smaller and rural hospitals and many medical groups. Asked what under-resourced hospitals and other patient care organizations can do, CynergisTek’s McMillan says, “I’m going to give you two answers. My first answer will be based on the assumption that they can do this; the second will be based on what I really believe needs to happen in this country. The first answer is, if they’re going to continue to go it alone, they’re going to have to focus on the basics, and based on what can I realistically do myself, and what should I outsource to somebody else. In that case,” he says, “they need to think about their EHR as a service, as opposed to owning it. Because they’re better protected in a tier 1 hosted environment. And then the hospital can focus on medicine, and the tier 1 support system can help them.”

That having been said, McMillan goes on to say that, on a broader level, “My personal opinion is that healthcare is at the same place that the banking industry was in the 90s. In the 90s, the regulations really started to bite the banking industry, and all of a sudden, the small community banks could not keep up. So we all of a sudden had the emergence of the regional banks and the expansion of the big banks acquiring the small banks, because it became too much for them to do effectively. And the Federal Reserve understood that you couldn’t have a small community bank out there connected to the Federal Reserve, that wasn’t protected.”

In that regard, McMillan says, “In healthcare we do a disservice,” by assuming that even the smallest and least-resourced hospitals should perforce remain in operation. “Everybody says, gee, we’ve got to make it easier for them. Nonsense!” he says. “The information that they maintain for patients is just as important as the information that the large hospitals maintain. So we shouldn’t be watering down [regulations and mandates around data security]; we should be saying, if you can’t do it yourself, you need to hire someone who can, or think about being acquired. And we are fast approaching a time when the small hospital cannot manage by itself any longer. And it’s not just about the data, it’s about the disruption. The small hospital hit by a ransomware attack, it’s even more devastating than with a big hospital, because those people don’t have other options, they’re often in rural areas. And we’re fast approaching a time when the stakes are just too high for the small guy to do it effectively. And it’s not fair, to be honest, but it is what it is. Nobody wanted to see their local bank that had been there for 100 years, go away. But the fact is that they couldn’t provide the same level of service of Bank of America or Wells Fargo or whoever, at the same cost or level of security. So eventually, that happened. And today, people don’t even go into the bank. Most young people haven’t even seen the inside of their bank.”

 

 



Health First Data Breach Exposes Information of 42K Patients

November 15, 2018
by Rajiv Leventhal, Managing Editor

A data breach at Florida-based Health First exposed the personal information of some 42,000 patients, according to various industry media reports this week.

The website DataBreaches.net reported that in early October, the healthcare provider Health First notified the Department of Health & Human Services (HHS) of a breach that affected 42,000 patients.  The breach actually occurred earlier in the year, however, between February and May 2018, according to the report, which received a statement from the organization’s senior vice president, consumer and retail services.

The Health First executive noted that “a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information. The criminals were able to gain access of these employees’ email accounts for a limited period of time.”

Health First officials also told Florida Today this week that the data breach “was fairly low-level, though it could have included some customers' Social Security numbers. Mostly it appears to have involved information such as addresses and birth dates. No medical information was compromised,” according to this report.

Phishing attacks continue to plague the healthcare industry; the single largest breach this year was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. That said, cybersecurity professionals are still looking for more advanced ways to get out in front of these attacks, as healthcare has traditionally lagged behind other industries in phishing resiliency.


4.4M Patient Records Breached in Q3 2018, Protenus Finds

November 7, 2018
by Rajiv Leventhal, Managing Editor

There were 117 disclosed health data breaches in the third quarter of 2018, leading to 4.4 million patient records breached, according to the Q3 Protenus Breach Barometer report.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the most recent data shows that although the number of incidents disclosed in Q3 decreased somewhat from Q2, the number of breached records increased from Q2 to Q3. Also, the number of affected patient records has continued to climb each quarter in 2018—from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.

In Q3, the report noted that the single largest breach was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. Hackers used phishing techniques, “official-looking emails”, to gain access to the organization’s email system and capture employees’ passwords. This new incident follows one that took place at the same organization in April when 16,400 patient records were breached as a result of another phishing attack.

For incidents disclosed to HHS (the Department of Health & Human Services) or the media, insiders were responsible for 23 percent of the total number of breaches in Q3 2018 (27 incidents). Details were disclosed for 21 of those incidents, affecting 680,117 patient records (15 percent of total breached patient records). For this analysis, insider incidents are characterized as either insider-error or insider-wrongdoing. The former includes accidents and other incidents without malicious intent that could be considered “human error.” 

There were 19 publicly disclosed incidents that involved insider-error between July and September 2018. Details were disclosed for 16 of these incidents, affecting 389,428 patient records. In contrast, eight incidents involved insider-wrongdoing, with data disclosed for five of these incidents.

Notably, when comparing each quarter in 2018, there has been a drastic increase in the number of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were about 4,600 affected patient records, in Q2 2018 there were just over 70,000 affected patient records, and in Q3 there were more than 290,000 affected patient records tied to insider-wrongdoing.

What’s more, the report found that hacking continues to threaten healthcare organizations, with another increase in incidents and affected patient records in the third quarter of 2018. Between July and September, there were 60 hacking incidents—51 percent of all Q3 2018 publicly disclosed incidents. Details were disclosed for 52 of those incidents, which affected almost 3.7 million patient records. Eight of those reported incidents specifically mentioned ransomware or malware, ten incidents mentioned a phishing attack, and two incidents mentioned another form of ransomware or extortion. However, it’s important to note that the number of hacking incidents and affected patient records have dropped considerably when comparing each month between July and September 2018.

Meanwhile, of the 117 health data breaches for which data was disclosed, it took an average of 402 days to discover a breach from when the breach occurred. The median discovery time was 51 days, and the longest incident to be discovered in Q3 2018 was due to insider-wrongdoing at a Virginia-based healthcare organization. This specific incident occurred when an employee accessed thousands of medical records over the course of their 15-year employment.
