“They have more janitors at these hospitals than they do security people.”
An ongoing network disruption to a hospital system caused by a new strain of the WannaCry virus has highlighted how vulnerable the healthcare industry remains against attacks from malware and hackers.
In a massive, high-profile attack earlier this year, a prior strain of WannaCry ransomware hit 81 British hospitals, leading to thousands of canceled appointments. A new strain of the same virus was blamed for continued network downtime at FirstHealth of the Carolinas, a not-for-profit hospital system that serves as a referral center for 15 counties.
Until now, the healthcare industry in the United States has “benefited from relative obscurity while no one was paying attention,” said Joshua Corman, a member of the Department of Health and Human Services (HHS) Healthcare Industry Cybersecurity Task Force and chief security officer at the global software company PTC. “Ransomware and WannaCry shattered that obscurity.”
Like other ransomware, WannaCry is designed to infect a computer, block access to it, and then demand payment in the cryptocurrency Bitcoin to unlock it.
FirstHealth’s information system team shut down the network on Oct. 17 when it first identified the threat. The network remains down due to “an abundance of caution,” according to a notice posted to the hospital group’s website. Staffers are checking 4,000 devices and more than 100 physical locations connected to the network to ensure they pose no virus risk.
Though it caused delays and canceled appointments, “the virus did not reach any patient information, operational information or databases,” according to the notice. FirstHealth added that the network downtime didn’t affect critical or emergent needs.
In May, another strain of WannaCry swept across Europe. The virus crippled the United Kingdom’s National Health Service, causing 19,500 canceled medical appointments, locking the computers of 600 general practitioners, and forcing 5 hospitals to divert ambulances elsewhere, according to a National Audit Office report published last week. The attack “could have been prevented by the NHS following basic IT security best practice,” the report said.
In March, the HHS established the Healthcare Industry Cybersecurity Task Force, which released a report on its findings to Congress in June. The report found that healthcare cybersecurity in the US is in “critical condition.”
“If we found out tonight that there was a new WannaCry strain, in most of those organizations there would be no qualified person who would know what to do about that,” Corman said.
The task force discovered a “severe” lack of security specialists, according to Corman, with 85% or more of medical organizations—particularly small, medium, and rural hospitals—lacking a single qualified security person on staff. “They have more janitors at these hospitals than they do security people,” he said.
The report also identified other risk factors for the healthcare industry, including a tendency to use outdated and unprotected software. “The equipment hospitals buy has a longer life than the operating system that it runs on,” Corman said. “They’re always going to be structurally more vulnerable until we factor that into the durable goods that hospitals invest in.”
In addition, the “gold rush” from paper to electronic health records led to premature and over-connectivity, according to Corman, who said that hospitals accepted the promise of going digital without preparing for the peril.
Without appropriate network segmentation, over-connectivity can render a system particularly vulnerable, so that an attack on a single part can disrupt systems across an entire hospital, he said. The cybersecurity task force report also found that a single flaw in a single device can cause entire network outages.
“In terms of flesh and blood consequences to ransomware and hacking, we are most exposed in hospitals,” Corman said. “It’s almost a miracle that we haven’t had more hospital outages.”
A 2016 Ponemon Institute report found that the overall cost of data breaches to the healthcare industry is $6.2 billion and that attacks remain consistently high in terms of volume, frequency, impact, and cost. “New cyber threats, such as ransomware, are exacerbating the problem,” said Larry Ponemon, PhD, chairman and founder of the Ponemon Institute.