As industries across the globe recover from the WannaCry ransomware attack that hit more than 300,000 machines in 150 countries, cybersecurity experts are concerned that the next attack will be even more vicious and damaging. And healthcare providers with legacy systems and subpar defenses will inevitably end up in the crosshairs.
In the immediate aftermath of Friday’s attack, government officials and healthcare cybersecurity experts stressed the importance of patching and updating legacy systems immediately.
During a press briefing on Tuesday, Thomas P. Bossert, the White House’s homeland security advisor leading the coordinated response, said that even though 48 NHS hospitals were affected by the ransomware attack, U.K. officials stressed that there was an “extremely minimal impact on disruption of patient care.”
Healthcare cybersecurity and privacy experts, consultants and attorneys that spoke with FierceHealthcare on Monday urged providers to quickly take stock of any machines that were outdated, and to deploy Microsoft’s security patch immediately.
Experts also advised healthcare organizations to ensure their data was backed up on offline and segmented networks, noting that WannaCry malware can encrypt backups that are on the same network.
They also said the attack served as a sobering dose of reality for the healthcare industry.
“It’s absolutely a wakeup call not only for the U.S. healthcare industry, but for all critical infrastructure industries,” John Riggi, a managing director in BDO Consulting’s Technology Advisory Services practice and the former chief of the FBI’s Cyber Division Outreach Section, told FierceHealthcare. “It’s a global wakeup call that cybersecurity is not just an IT problem—it is truly an enterprisewide risk issue.”
So far, U.S. hospitals have largely avoided the kind of disruption experienced by their counterparts in Britain, although many hospitals were unwilling to comment on the attack out of fear it would make them a target for cybercriminals. However, HITRUST said it had received reports of infections in medical devices, including some manufactured by Bayer and Siemens.
In many ways, the minimized impact in the U.S. boiled down to sheer luck, rather than an indication that the U.S. is better prepared for ransomware attack of this size. The timing of the attack, and a kill switch activated on Friday, gave U.S. businesses more time to react, and there were signs that the perpetrators were amateurs—as of Monday, the Bitcoin attacks linked to the malware had received less than $60,000.
Several experts also cautioned that healthcare organizations could face immediate follow-up attacks if cybercriminals begin altering the malware’s code. On Monday, White House reported that three variants of the WannaCry malware had emerged, but the updated patches released by Microsoft protected against all three.
But Friday’s attack served as a warning shot for the healthcare industry that could become a primary target for more coordinated—and more sophisticated—ransomware attacks that take advantage of the myriad vulnerabilities across healthcare institutions, specifically as a way to inflict more malicious and potentially harmful damage on patient care.
“We know that will come,” said Christine Sublett, an information security, protection and privacy consultant with Sublett Consulting. “Our hope is to do as much as we can before that happens to reduce the risk of this occurring, but recognizing that if we don’t put in place the right cybersecurity controls, that is the likely outcome.”
Patient safety concerns served as the bedrock for a much-anticipated report from the Department of Health and Human Services’ Healthcare Cybersecurity Task Force that is expected to be released this week.
Those on the task force said the report highlights some of the most concerning cybersecurity vulnerabilities in healthcare including a severe talent shortage, the proliferation of legacy systems, the industry’s increasing reliance on interconnectivity, vulnerabilities that can impact patient care and thousands of known vulnerabilities.
GRAPHIC: “Healthcare Cybersecurity is in Critical Condition” <- From our coming Healthcare Cybersecurity Task Force Report pic.twitter.com/reFExSDFAI— ♘ Josh Corman (@joshcorman) May 12, 2017
All of these issues make healthcare an ideal target for “cyber caliphate-esque” actors, ideologically motivated individuals and rogue nations, according to Joshua Corman, director of the cyber statecraft initiative at Atlantic Council’s Brent Scowcroft Center and founder of I am The Cavalry, a global grassroots organization that focuses on "issues where computer security intersects public safety and human life."
“It’s a miracle we’re not seeing more attacks like this,” he said. “We are prone in healthcare. We are prey—we just previously lacked predators.”