For hospitals defending against cyberattacks, patch management remains a struggle

Cybersecurity experts were disturbed, but not necessarily surprised, at the WannaCry ransomware attack that ripped through more than 150 countries over the weekend. Many had predicted an attack of this size and scope was an imminent threat for some time, and most were relieved that U.S. hospitals and systems were generally spared.

Two specific issues have bubbled to the surface in the wake of that attack, highlighting the gaps that still exist within the healthcare industry with even basic cybersecurity controls.

Workforce shortages and patch management—two issues that often go hand in hand—raised concerns about the industry’s ability to fight off future attacks that may be even more targeted. Some of these concerns are addressed in a report from the Department of Health and Human Services’ Cybersecurity Task Force, which is expected to be released next week.

Aside from the more pressing, immediate calls to update and patch IT systems and solidify backups, several experts who spoke with FierceHealthcare wondered how this event might shape cybersecurity in healthcare moving forward.


One positive takeaway: The attack will likely give hospital IT risk managers the “ammunition they need” to request more investment from hospital boards to get rid of old systems and software and invest in updated infrastructure, said Marc Voses, a partner at Kaufman Dolowich Voluck LLP in New York, New York.

“What I hope it doesn’t result in is business as usual because the U.S. wasn’t affected as much as the U.K.’s healthcare system,” he said. “I hope it does spur spending and allocation of resources for these types of events. Not only that, but I hope the government will assist healthcare institutions in implementing cybersecurity.”

Public-private coordination may be critical going forward, particularly for an industry that is already years behind where it needs to be in terms of protecting its IT systems. Christine Sublett, an information security, protection and privacy consultant with Sublett Consulting who also serves on the HHS Cybersecurity Task Force, said healthcare “would be in a much better place” if the Task Force’s report had been released several years ago. She pointed to some of the vulnerabilities within small, rural healthcare providers that get by with fewer resources and virtually no dedicated cybersecurity staff.


Although there are no official figures, Joshua Corman, director of the cyber statecraft initiative at Atlantic Council’s Brent Scowcroft Center and founder of I Am The Cavalry, who also serves on the Task Force, said the group of nearly two dozen experts estimated that more than 85% of small- or medium-sized hospitals lack a single qualified security person on staff.

“It’s going to take a concerted effort between public and private industry to find a way to work together and adopt these recommendations to reduce the risks in healthcare,” Sublett said, referring to the recommendations outlined in the report. “When I’m talking about risk, I’m really talking about patient harm and delivery of care.”

Patching isn’t as easy as it sounds

The WannaCry attack also exposed some of the nuanced complications hospitals face when it comes to patching or upgrading software.

Patch management and inventory management have been particularly difficult for healthcare organizations that have various iterations of software throughout the system and often lack a robust approach to asset management. In addition to coordinating updates for thousands of machines, hospital IT teams have to account for various software layered on top of the operating system that could be rendered inoperable following a security patch.


“There is tremendous complexity in the systems [hospitals] are running,” said Michael Morgan, a partner at McDermott Will & Emery. “Just keeping track of it can be an overwhelming task.”

In an email to FierceHealthcare, a HITRUST spokesperson said the organization "saw and shared" indicators of compromise (IOCs) on its threat exchange several weeks ago, adding that "those most severely impacted by the ransomware attacks had likely not adopted a security framework" or "implemented a sound patching program for their endpoints and servers."

HITRUST indicated that several medical devices have been infected, including those manufactured by Bayer and Siemens.


“When a patch comes in, it’s not like [hospitals] don’t want to apply it, they just don’t have an automated and efficient way of applying it,” said Shahryar Shaghaghi, national leader of technology advisory services and head of international cybersecurity at BDO Consulting.

This may be an opportunity for the government to take on a dedicated role to facilitate patch management by requiring software companies to publish a schedule of patch updates. That’s an idea that has been kicked around at the HHS Office of the National Coordinator for Health IT (ONC), according to Lucia Savage, chief privacy and regulatory officer at Omada Health and the former chief privacy officer at ONC. Although it was discussed by her staff, Savage said she didn’t know if the ONC had any plans to require software companies to publish patch schedules.

As a company that has been around for just six years, Omada has the advantage of operating on more modernized systems that are easier to patch, along with a dedicated cadre of cybersecurity professionals to monitor and implement software updates. Hospitals with older legacy systems have awkward configurations and face far more challenges, especially if cybersecurity responsibilities are spread out among IT staff members.

For those systems, a patch schedule could help, Savage said, by giving healthcare organizations more time to coordinate updates.

“I would like nothing better than to see—whether it’s ONC certification rules or federal guidance—that says software companies have to publish their patching schedules so [hospitals] know how often they are releasing patches and you can plan your workload accordingly,” she said.

An ONC spokesperson had “no information” when asked if the agency was discussing a requirement to have software companies post their patch schedule.

Savage added that the WannaCry attack is the latest, and largest, in a series of warnings directed at the healthcare industry that highlights the real patient care concerns that could result from a targeted ransomware attack.

“There have been a series of wake-up calls in healthcare and this is a pretty loud one,” she said. “I hope people are really paying attention. Apparently, patients were turned away in England and that’s the last thing we all want, is for people to not get the care they need.”