Health care IT departments must defend against cyber attacks — and also the NSA

Facilities must shift to emphasize protection of patient health rather than patient records


Every successful cyber attack provides a learning opportunity for technologists. WannaCry provides two: Big organizations, particularly in health care, must learn to prioritize safety over compliance; and while doing that, they shouldn’t have to fight against American-made weaponry.

Bob Sullivan, journalist and one of the founding members of

For a long time, many health care providers have been worried about the wrong thing in cybersecurity—compliance rather than patient safety. With the WannaCry attack, we see the most frightening example yet of the devastating consequences.


Last year, after a spate of ransomware attacks, U.S. and Canadian authorities rang a five-alarm bell about hospitals and ransomware. But at about the same time, other parts of the U.S. government were busy developing cyber weapons that eventually would be used, to great effect, against hospitals worldwide.

First, the health care lesson.

So far, in one of the worst cyber attacks in recent memory, WannaCry has hit computers in 150 countries, according to Europol. The clever attack encrypts files and demands ransom from victims. The software can run in 27 different languages, according to U.S. cybersecurity officials.

U.K. health centers were hit so hard, some were turning away patients.

There’s a reason hospitals are at particular risk from these kinds of attacks. In the U.K., many were still running old systems like Windows XP, which no longer gets regular security updates from Microsoft.

Health facilities struggle with defense

These situations are not uncommon in health facilities. Many have single-task PCs scattered around the building that hardly attract a moment’s notice, let alone regular security updates. I discussed this problem recently with Geoff Gentry, part of a team from Independent Security Evaluators. They did a large-scale review of hospital cyber defenses on the U.S. East Coast last year. While old computers are a big part of the problem, old thinking is even worse, he said. In the United States, most health facilities are more worried about HIPAA lawsuits than hackers.

“We are defending the wrong asset,” he told me. “We are defending patient records instead of patient health.”

If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.

HIPAA falls short

“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear and busy work that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and health care organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says. “(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year over year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”

Once again, it appears hospital systems have escaped the true nightmare scenario—wide-scale injuries or deaths resulting from misbehaving technology. But the warning signs couldn’t be more clear. That’s one lesson from WannaCry.

The other might be more profound. Why are security professionals forced to beat back NSA-made cyber-weapons today?

High-risk government cyber games

The real legacy of WannaCry will be the malware’s government-based origins. During the weekend, Microsoft called out the NSA for researching and hiding vulnerabilities, comparing this incident to theft of a U.S. missile.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017,” chief counsel Brad Smith wrote in a blog post. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Cooperation among countries

Smith repeated Microsoft’s recent and timely call for a “Digital Geneva Convention” that would require governments to share information on vulnerabilities, rather than stockpile them.


“This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action,” he said. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyber space to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

There’s a lot of blame to go around for the WannaCry fiasco. Surely, organizations that allow themselves to be hit by flaws that had been patched two months earlier deserve a heaping portion. But ultimately, WannaCry shows that the kinds of cyber games played by the NSA—the kind exposed by Edward Snowden—are, in fact, dangerous. In a connected world, unintended consequences can spread very fast around the world. Sadly, solutions make the rounds much more slowly.
