Wanna Decryptor and the National Health Service’s Fatal Vulnerability: Lessons Learned?

By Mark Hagland | Healthcare Blogs

May 14, 2017

Astonishingly, Britain’s NHS was still operating on the undefended Windows XP platform

In working with members of our team here at Healthcare Informatics to develop news stories around the horrific news of the Wanna Decryptor 2.0 ransomware virus outbreak this past week, I combed a variety of mainstream news and trade publications, both from the United States and from across the international media, especially from the United Kingdom and Europe, including The Independent of London, Libération of Paris, El País of Madrid, and Frankfurter Allgemeine Zeitung of Frankfurt.

And, in doing that research, on Saturday morning, one quote stood out to me in a very dramatic fashion. It was a segment of the report in The Independent by Aatif Sulleyman. He wrote this, speaking of the U.K.’s National Health Service, which was one of the hardest-hit of all organizations worldwide, by this ransomware virus, with at least 48 of the NHS’s trusts, or regional health authorities, severely impacted by it: “Up to 90 per cent of NHS computers still run Windows XP, according to a report published in the BMJ earlier this week. The operating system was released in 2001, and Microsoft cut support for it in 2014. ‘People can continue to use the software, but doing so comes with enormous risks,’ the report went on, quoting David Emm, the principal security researcher at Kaspersky, as saying that ‘Using XP is particularly bad because it’s no longer supported and there’s no way to patch it.’”

That revelation stunned me. Windows XP?? Really???? Many have noted that the NHS has been underfunded in terms of capital for years, and this inaction around IT architecture must certainly be connected to that. But still—this was a stunning revelation, particularly in light of the fact that the Wanna Decryptor attack blast has had a severe impact on at least 48 of the trusts (regional hospital authorities) within the NHS, leading to thousands of patients being turned away from care.
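The core finding above is an asset-inventory problem: nobody with authority appears to have had a prioritized list of hosts running an operating system the vendor no longer patches. The script below is an added example, not code from the original post or from the NHS, showing how a defender would triage an inventory export for end-of-support systems. The inventory rows and role tags are constructed sample data, and the field names `host`, `os` and `role` are an assumption about the export format; the end-of-support dates are Microsoft’s published dates, with Windows XP’s 8 April 2014 matching the “cut support in 2014” statement quoted above.

```python
"""Added example (not part of the original post): flag and prioritize hosts whose
operating system is past vendor end-of-support, using a constructed inventory.
Assumed inventory fields: host, os, role."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates as published by Microsoft (reference values).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Weight by how directly a host touches patient care (assumed role taxonomy).
ROLE_WEIGHT = {
    "medical-device": 3,
    "clinical-workstation": 2,
    "file-server": 2,
    "office": 1,
}

# Constructed sample inventory export; hostnames and roles are made up.
INVENTORY = [
    {"host": "ward3-pc01", "os": "Windows XP", "role": "clinical-workstation"},
    {"host": "lab-analyser-02", "os": "Windows XP", "role": "medical-device"},
    {"host": "fileserver-01", "os": "Windows Server 2003", "role": "file-server"},
    {"host": "admin-pc17", "os": "Windows 10", "role": "office"},
]


@dataclass
class Finding:
    host: str
    os: str
    role: str
    days_unsupported: int
    priority: int


def days_unsupported(os_name: str, today: date) -> int:
    """Days the OS has been past end-of-support; 0 if supported or unknown."""
    eos = END_OF_SUPPORT.get(os_name)
    if eos is None or today < eos:
        return 0
    return (today - eos).days


def triage(inventory, today: date):
    """Return unsupported hosts, highest remediation priority first.

    Priority grows with the clinical weight of the role and with each full
    year the platform has gone without vendor patches.
    """
    findings = []
    for row in inventory:
        days = days_unsupported(row["os"], today)
        if days == 0:
            continue
        years_exposed = days // 365
        priority = ROLE_WEIGHT.get(row["role"], 1) * (1 + years_exposed)
        findings.append(Finding(row["host"], row["os"], row["role"], days, priority))
    findings.sort(key=lambda f: (-f.priority, f.host))
    return findings


def summarize(inventory, today: date) -> dict:
    """Headline numbers for a board report: host count, unsupported count, share."""
    findings = triage(inventory, today)
    return {
        "hosts": len(inventory),
        "unsupported": len(findings),
        "share": round(len(findings) / len(inventory), 2) if inventory else 0.0,
    }


if __name__ == "__main__":
    as_of = date(2017, 5, 14)  # the date of the post above
    for f in triage(INVENTORY, as_of):
        print(f"{f.priority:>3}  {f.host:<18} {f.os:<20} {f.role:<22} "
              f"{f.days_unsupported} days unsupported")
    print(summarize(INVENTORY, as_of))
```

The point of the role weighting is that an unsupported laboratory analyser or ward workstation is not the same risk as an unsupported office PC; a flat count of XP machines, like the 90 percent figure quoted above, tells leadership the scale of the problem but not where to start.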

Then, Sunday morning, I found an article in The Times of London, by Jon Ungoed-Thomas and Dipesh Gadher, that included this: “The organisation involved in protecting NHS computer systems is operating without a permanent leader amid concerns that urgent official warnings to upgrade IT infrastructure have gone unheeded. NHS Digital is led by Rob Shaw, an interim chief executive, who has a pay package worth more than £200,000 and a £1m pension pot, according to accounts. The organisation answers to Jeremy Hunt, the health secretary, who was warned by watchdogs last July that NHS systems needed to be strengthened ‘as a matter of urgency.’”

The report by Ungoed-Thomas and Gadher went on to report that “Dame Fiona Caldicott, the national data guardian, and the Care Quality Commission informed Hunt in an eight-page letter that there was a risk of ‘serious, large-scale data losses’ from a cyber-attack unless action was taken. About a third of NHS trusts have previously suffered ransomware attacks, with one—Imperial College Healthcare, in London—infected 19 times in a year, according to data obtained under freedom of information rules. NHS Digital’s board said in March that it would ‘support the implementation’ of the steps recommended by Caldicott.”

What’s more, in another article published Sunday morning, U.K. time, in The Times, Louis Emmanuel reported that “The British researcher who helped to limit the effects of the global cyber-attack that paralysed parts of the NHS has warned that a second wave of strikes could arrive on Monday. In England, 48 NHS trusts fell victim to the hack, which caused major disruption to routine procedures and emergency services, including the cancelling of operations and postponement of cancer treatments.”

There is actually some good news in all this: Emmanuel noted in his report that “Amber Rudd, the home secretary, said yesterday that all but six of the trusts were back to normal following the attacks that crippled IT systems by locking computers and demanding a ransom.”

Still, given how quickly cybercriminals can alter their patterns to adjust to victimized organizations’ attempts to address the damage the cybercriminals have inflicted, one must still worry about how NHS officials will cope with what might happen this coming week.

Much more fundamentally, how is it that the NHS was allowed to stay on Windows XP after Microsoft had abandoned it? That really is a huge, and hugely important, question. And whatever the capital-needs deficits in the NHS, whichever senior officials in the British government (since the NHS is government-run) decided that it was OK for their clinical and operational information systems to remain on XP, also made the decision—whether they realized it or not—that it was OK to leave millions of patients in the U.K. potentially exposed to breakdowns in care delivery—a reality that has now come to pass.

The reality is that, as shocking as this Wanna Decryptor situation is, it is now becoming the global “new normal,” as the overall threat level to every large organization in the contemporary world continues to rise higher and higher with every new year, month, week, and even day.

And, in thinking about the disaster at the NHS, my mind naturally turns to hospital organizations in the U.S., especially to the independent community hospitals, and most especially the smaller and rural hospitals, that lack the resources and personnel that the large multi-hospital systems have, to address cybersecurity threats.

Discussions have been swirling for at least a few years now on the topic of the digital gap that is emerging between the patient care organizations with the resources to meet the ever-intensifying cybersecurity threats out in the world, and those without those resources. The reality is that the patient care organizations without those resources face a basketful of challenges: they lack not only the capital to fund improvements in technologies and processes; they also lack the staff to strategize around cybersecurity and to implement needed changes and improvements; and usually, they lack the level of expertise needed to execute well. Most non-health system-affiliated community hospitals—and certainly most small and rural hospitals—lack chief information security officers—and even if they’ve given someone the title of CISO, that individual likely lacks the background and expertise that large hospitals and health systems can acquire in their CISOs.

What’s more, large hospital and health system organizations are stepping up now to increasingly pay the high salaries required to get CISOs with the expertise needed to prepare for Wanna Decryptor-level cyber threats; in many cases, that means hiring from outside healthcare, as the shortage of truly qualified healthcare CISOs is actually intensifying, with the intensifying threats, rather than diminishing. And in that arena, too, small, rural, and independent community hospitals are multiply disadvantaged: rarely can they pay the big-city salaries needed to attract highly qualified CISO candidates; certainly, to attract experts from outside healthcare; and rarely do they have the resources to fund IT security departments, or to pay for the external security operations centers (SOCs) that most large hospital and health system organizations are engaging; nor to ramp up in terms of processes and technologies—for example, engaging in behavioral monitoring; enhancing backup and backup audit processes; and developing high-level IT security governance, project management, and overall management practices.

So as horrifying as this Wanna Decryptor situation has been and continues to be, it’s hard to imagine a fiercer wake-up call for patient care organizations in this country—and really, worldwide—than this current crisis. Think about this: it’s been barely 15 months since the ransomware crisis at Hollywood-Presbyterian Medical Center in Los Angeles brought ransomware into the mainstream media headlines. In that time, both the threat level and the level of public awareness of the phenomenon of ransomware/malware have skyrocketed.

And yet so many patient care organizations in the U.S.—and clearly in the U.K. and elsewhere—remain tremendously vulnerable. I know that CISOs, CIOs, and others in patient care organizations across the U.S. are working hard, very hard, to ramp up their efforts. But the fact is that the threats are outpacing our industry’s ability to address them.

Indeed, at our Healthcare Informatics Health IT Summit in Chicago on Friday afternoon, we were involved in the second day of the Summit, focused entirely on a deep dive into cybersecurity, when the news broke of the Wanna Decryptor crisis. And just as we were about to begin the final discussion panel of the day, around incident response, the fullness of the crisis became known, compelling some CIOs and CISOs in attendance to have to rush out to make calls back to their organizations. The irony of the timing was not lost on anyone present. Certainly, the fact of the global attack underscored the value of conferences like ours, to bring together industry experts, and those in the trenches, to share information, insights, resources, and ultimately, solutions and wisdom, in this critical area, going forward.

So while U.K., European, U.S. and other IT leaders work to support efforts to address the crisis in the NHS in the U.K., if there’s anything that might serve as an 11-firetruck alarm here in the U.S., this Wanna Decryptor attack should be it. Yes, expending funding and internal and external human resources on IT security is a cost center for every patient care organization that does so. But what’s the alternative? So let’s hope and pray that such a widespread disruption of patient care never occurs here in the U.S.—and work as hard—and smart—as possible to minimize the chances of it.


Assessing the New Cybersecurity Practices Publication: Why Small and Medium-Sized Care Organizations Have Reason to Rejoice

A new set of voluntary cybersecurity practices just released by HHS offers practical advice and conceptual supports that fill information gaps

How helpful will the new set of voluntary cybersecurity practices that the Department of Health and Human Services (HHS) released in late December be to the leaders of patient care organizations? Only time will tell, as part of the value of the release will only become manifest as the leaders of patient care organizations move forward to implement some of those practices, and the success of such implementations is in some way measured and benchmarked.

But the release is a first start, at least. As Healthcare Informatics Associate Editor Heather Landi reported on January 2, HHS released the set of practices in the form of a publication “that marks the culmination of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.”

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” Janet Vogel, HHS Acting Chief Information Security Officer (CISO), said in a statement published with the release of the new publication.

“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector,” HHS officials stated. “It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes. The publication includes a main document, two technical volumes, and resources and templates.”

The overall publication consists of several sections, the first being the HICP, which “examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents 10 practices to mitigate those threats”; “Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations,” which offers cybersecurity practices for small healthcare organizations; “Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations”; the “Resources and Templates” portion, which “includes a variety of cybersecurity resources and templates for end users to reference”; and a Cybersecurity Practices Assessments Toolkit, which “helps organizations prioritize their cyber threats and develop their own action plans using the assessment methodology outlined in the Resources and Templates volume”—that last section being still under development as of Jan. 2.

As Landi reported, “The HICP publication aims to provide cybersecurity practices for this vast, diverse, and open sector to ultimately improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry. It also recommends 10 cybersecurity practices to help mitigate these threats.”

What’s more, she wrote, “The main document presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents. It also lays out a call to action for all industry stakeholders, from C-suite executives and healthcare practitioners to IT security professionals, that protective and preventive measures must be taken now. The publication also includes two technical volumes geared for IT and IT security professionals, one focusing on cybersecurity practices for small healthcare organizations, and one focused on practices for medium and large healthcare organizations.”

Among the salient statistics reported in the HICP:

  • Fifty-eight percent of malware attack victims are small businesses.
  • In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million.
  • Sixty percent of small businesses go out of business within six months of an attack.
  • And, 90 percent of small businesses do not use any data protection at all for company and customer information.

How does that translate into impacts on smaller healthcare organizations? Among other incidents, the HICP notes that:

  • A popular orthopedic practice announced that its computer system was hacked via breach of a software vendor’s log-in credentials. This breach put just under a half-million people at risk of identity theft. Of those, 500 patient profiles appeared for sale on the dark web. The information for sale included names, addresses, social security numbers, and other personally identifiable information (PII). Although not posted for sale, pertinent PHI such as X-ray results and medical diagnoses were also stolen.
  • A rural hospital had to replace its entire computer network after a ransomware cyber-attack froze the hospital’s electronic health record (EHR) system. Doctors were unable to review their patients’ medical histories or transmit laboratory and pharmacy orders. Officials were unable to restore essential services and could not pay the ransom for the return of their system. After consultations with the Federal Bureau of Investigation and cybersecurity experts, hospital officials made the difficult decision to replace the entire system.

Of particular practicality is some of the very basic advice given to the leaders of smaller healthcare organizations. To wit: “Doctors and nurses know that hand sanitizing is critical to prevent the spread of germs. That does not mean health care workers wash up as often as they should. Similarly, we know that cybersecurity practices reduce the risk of cyber-attacks and data breaches. Just as we are able to protect our patients from infection, we should all work towards protecting patient data to allow physicians and caregivers to trust the data and systems that enable quality health care. Just as health care professionals must wash their hands before caring for patients, health care organizations must practice good ‘cyber hygiene’ in today’s digital world, including it as a part of daily universal precautions,” the HICP notes. “Like the simple act of hand-washing, a culture of cyber-awareness does not have to be complicated or expensive for a small organization. It must simply be effective at enabling organization members to protect information that is critical to the organization’s patients and operations. Your organization’s vigilance against cyber-attacks will increase concurrently with your and your workforce’s knowledge of cybersecurity. This knowledge will enable you to advance to the next series of cybersecurity Practices, expanding your organization’s awareness of and ability to thwart cyber threats.”

Meanwhile, both smaller and larger patient care organizations will benefit from the technical supports, including a Security Risk Assessment Tool, a set of recommendations on medical devices and cybersecurity, and an incident response risk management handbook.

What this set of resources does is to fill a gap between theory and technical practice in a key area. Will it shift the entire landscape of cybersecurity for patient care organizations? No, that would be a far-too-ambitious goal. But the healthcare IT leaders of smaller and medium-sized patient care organizations in particular will welcome practical advice and supports as they move forward in their journeys around cybersecurity. Any such journey is inherently challenging, and federal publications and resources like these will be of real value in moving patient care organization HIT leaders forward.


HHS Releases Voluntary Healthcare Cybersecurity Practices

January 2, 2019 | by Heather Landi, Associate Editor

In late December, the Department of Health and Human Services (HHS) released voluntary cybersecurity practices to the healthcare industry with the aim of providing practice guidelines to cost-effectively reduce cybersecurity risks.

The “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication aims to provide guidance to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.

The industry-led effort was in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.

According to HHS, the publication marks the culmination of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” Janet Vogel, HHS Acting Chief Information Security Officer (CISO), said in a statement.

While technologies are vital to the healthcare industry and help provide life-saving treatments and improve patient care, these same technologies are vulnerable to myriad attacks from adversaries, ranging from criminals and hacktivists to nation-states, according to HHS. These technologies can be exploited to gain access to personal patient data or render entire hospital systems inoperable. Recent cyber-attacks against the nation’s healthcare industry continue to highlight the importance of ensuring these technologies are safe and secure.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert,” Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, said in a statement.

The HICP publication aims to provide cybersecurity practices for this vast, diverse, and open sector to ultimately improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry. It also recommends 10 cybersecurity practices to help mitigate these threats.

The main document presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents. It also lays out a call to action for all industry stakeholders, from C-suite executives and healthcare practitioners to IT security professionals, that protective and preventive measures must be taken now. The publication also includes two technical volumes geared for IT and IT security professionals, one focusing on cybersecurity practices for small healthcare organizations, and one focused on practices for medium and large healthcare organizations.


CynergisTek, Protenus Partner on Privacy Monitoring Programs

December 26, 2018 | by Heather Landi, Associate Editor

CynergisTek, Inc., an Austin, Texas-based healthcare cybersecurity firm, is partnering with Protenus, a healthcare compliance analytics company, to combine the companies’ technology tools and services with a focus on patient privacy monitoring programs.

The partnership will grant health systems access to Protenus’ analytics platform that leverages artificial intelligence to gather data related to potential patient privacy risks, along with CynergisTek’s patient privacy monitoring services.

According to the Protenus research, insider incidents accounted for 23 percent of all breaches that occurred at health systems in Q3 2018. This figure will only continue increasing, indicating that now more than ever, health systems need a cost-effective solution to meet the daily challenges of managing patient privacy.

To address this need, CynergisTek and Protenus formed a preferred partnership to combine CynergisTek’s healthcare consulting experience and privacy programs with Protenus’ healthcare analytics technology to offer health systems both the people, processes, and technology components of a strong patient privacy monitoring program, according to the companies.

“As health systems face mounting challenges in creating and maintaining robust patient privacy monitoring programs, we identified a need to partner with a company offering complementary services so that health systems can act on the insights uncovered by our analytics,” Nick Culbertson, CEO and co-founder of Protenus, said in a statement.

“Data privacy is evolving as a dominant theme in conversations, both in healthcare and other industries, and health systems need to take an end-to-end approach to patient privacy to truly address this complex and mission-critical challenge,” Mac McMillan, CEO and president of CynergisTek, said in a statement.
