In working with members of our team here at Healthcare Informatics to develop news stories around the horrific news of the Wanna Decryptor 2.0 ransomware virus outbreak this past week, I combed a variety of mainstream news and trade publications, both from the United States and from across the international media, especially from the United Kingdom and Europe, including The Independent of London, Libération of Paris, El País of Madrid, and Frankfurter Allgemeine Zeitung of Frankfurt.
And, in doing that research, on Saturday morning, one quote stood out to me in a very dramatic fashion. It was a segment of the report in The Independent by Aatif Sulleyman. He wrote this, speaking of the U.K.’s National Health Service, which was one of the hardest-hit of all organizations worldwide, by this ransomware virus, with at least 48 of the NHS’s trusts, or regional health authorities, severely impacted by it: “Up to 90 per cent of NHS computers still run Windows XP, according to a report published in the BMJ earlier this week. The operating system was released in 2001, and Microsoft cut support for it in 2014. ‘People can continue to use the software, but doing so comes with enormous risks,’ the report went on, quoting David Emm, the principal security researcher at Kaspersky, as saying that ‘Using XP is particularly bad because it’s no longer supported and there’s no way to patch it.’”
That revelation stunned me. Windows XP?? Really???? Many have noted that the NHS has been underfunded in terms of capital for years, and this inaction around IT architecture must certainly be connected to that. But still—this was a stunning revelation, particularly in light of the fact that the Wanna Decryptor attack blast has had a severe impact on at least 48 of the trusts (regional hospital authorities) within the NHS, leading to thousands of patients being turned away from care.
Then, Sunday morning, I found an article in The Times of London, by Jon Ungoed-Thomas and Dipesh Gadher, that included this: “The organisation involved in protecting NHS computer systems is operating without a permanent leader amid concerns that urgent official warnings to upgrade IT infrastructure have gone unheeded. NHS Digital is led by Rob Shaw, an interim chief executive, who has a pay package worth more than £200,000 and a £1m pension pot, according to accounts. The organisation answers to Jeremy Hunt, the health secretary, who was warned by watchdogs last July that NHS systems needed to be strengthened ‘as a matter of urgency.’”
The report by Ungoed-Thomas and Gadher went on to report that “Dame Fiona Caldicott, the national data guardian, and the Care Quality Commission informed Hunt in an eight-page letter that there was a risk of ‘serious, large-scale data losses’ from a cyber-attack unless action was taken. About a third of NHS trusts have previously suffered ransomware attacks, with one—Imperial College Healthcare, in London—infected 19 times in a year, according to data obtained under freedom of information rules. NHS Digital’s board said in March that it would ‘support the implementation’ of the steps recommended by Caldicott.”
What’s more, in another article published Sunday morning, U.K. time, in The Times, Louis Emmanuel reported that “The British researcher who helped to limit the effects of the global cyber-attack that paralysed parts of the NHS has warned that a second wave of strikes could arrive on Monday. In England, 48 NHS trusts fell victim to the hack, which caused major disruption to routine procedures and emergency services, including the cancelling of operations and postponement of cancer treatments.”
There is actually some good news in all this: Emmanuel noted in his report that “Amber Rudd, the home secretary, said yesterday that all but six of the trusts were back to normal following the attacks that crippled IT systems by locking computers and demanding a ransom.”
Still, given how quickly cybercriminals can alter their patterns in response to the attempts by victimized organizations to address the damage the cybercriminals have inflicted, one must still worry about how NHS officials will cope with what might happen this coming week.
Much more fundamentally, how is it that the NHS was allowed to stay on Windows XP after Microsoft had abandoned it? That really is a huge, and hugely important, question. And whatever the capital-needs deficits in the NHS, whichever senior officials in the British government (since the NHS is government-run) decided that it was OK for their clinical and operational information systems to remain on XP, also made the decision—whether they realized it or not—that it was OK to leave millions of patients in the U.K. potentially exposed to breakdowns in care delivery—a reality that has now come to pass.
The reality is that, as shocking as this Wanna Decryptor situation is, it is now becoming the global “new normal,” as the overall threat level to every large organization in the contemporary world continues to rise higher and higher with every new year, month, week, and even day.
And, in thinking about the disaster at the NHS, my mind naturally turns to hospital organizations in the U.S., especially to the independent community hospitals, and most especially the smaller and rural hospitals, that lack the resources and personnel that the large multi-hospital systems have, to address cybersecurity threats.
Discussions have been swirling for at least a few years now on the topic of the digital gap that is emerging between the patient care organizations with the resources to meet the ever-intensifying cybersecurity threats out in the world, and those without those resources. The reality is that the patient care organizations without those resources face a basketful of challenges: they lack not only the capital to fund improvements in technologies and processes; they also lack the staff to strategize around cybersecurity and to implement needed changes and improvements; and usually, they lack the level of expertise needed to execute well. Most non-health system-affiliated community hospitals—and certainly most small and rural hospitals—lack chief information security officers—and even if they’ve given someone the title of CISO, that individual likely lacks the background and expertise that large hospitals and health systems can acquire in their CISOs.
What’s more, large hospital and health system organizations are increasingly stepping up to pay the high salaries required to get CISOs with the expertise needed to prepare for Wanna Decryptor-level cyber threats; in many cases, that means hiring from outside healthcare, as the shortage of truly qualified healthcare CISOs is actually intensifying along with the threats, rather than diminishing. And in that arena, too, small, rural, and independent community hospitals are multiply disadvantaged: rarely can they pay the big-city salaries needed to attract highly qualified CISO candidates, and certainly not the salaries needed to attract experts from outside healthcare; rarely do they have the resources to fund IT security departments, or to pay for the external security operations centers (SOCs) that most large hospital and health system organizations are engaging; nor can they ramp up in terms of processes and technologies—for example, engaging in behavioral monitoring; enhancing backup and backup audit processes; and developing high-level IT security governance, project management, and overall management practices.
So as horrifying as this Wanna Decryptor situation has been and continues to be, it’s hard to imagine a fiercer wake-up call for patient care organizations in this country—and really, worldwide—than this current crisis. Think about this: it’s been barely 15 months since the ransomware crisis at Hollywood-Presbyterian Medical Center in Los Angeles brought ransomware into the mainstream media headlines. In that time, both the threat level and the level of public awareness of the phenomenon of ransomware/malware have skyrocketed.
And yet so many patient care organizations in the U.S.—and clearly in the U.K. and elsewhere—remain tremendously vulnerable. I know that CISOs, CIOs, and others in patient care organizations across the U.S. are working hard, very hard, to ramp up their efforts. But the fact is that the threats are outpacing our industry’s ability to address them.
Indeed, at our Healthcare Informatics Health IT Summit in Chicago on Friday afternoon, we were in the second day of the Summit, focused entirely on a deep dive into cybersecurity, when the news broke of the Wanna Decryptor crisis. And just as we were about to begin the final discussion panel of the day, around incident response, the fullness of the crisis became known, compelling some CIOs and CISOs in attendance to rush out to make calls back to their organizations. The irony of the timing was not lost on anyone present. Certainly, the fact of the global attack underscored the value of conferences like ours, which bring together industry experts, and those in the trenches, to share information, insights, resources, and ultimately, solutions and wisdom, in this critical area, going forward.
So while U.K., European, U.S. and other IT leaders work to support the response to the crisis in the NHS in the U.K., if there’s anything that might serve as an 11-firetruck alarm here in the U.S., this Wanna Decryptor attack should be it. Yes, spending funding and internal and external human resources on IT security is a cost center for every patient care organization that does so. But what’s the alternative? So let’s hope and pray that such a widespread disruption of patient care never occurs here in the U.S.—and work as hard—and smart—as possible to minimize the chances of it.