Massive Cyber Attack Nearly Shuts Down the NHS

George McLaughlin
Last Week in Healthcare
6 min read · May 24, 2017

One of these weeks, I’m going to share a heartwarming story about a healthcare discovery that promises to improve the lives of millions of patients around the world. Unfortunately, this isn’t that week.

Last Friday, news broke that the NHS (National Health Service, UK) was dealing with a massive ransomware attack that locked staff out of their computers and threw dozens of healthcare facilities into a state of chaos.

It soon became apparent that the NHS was not the sole target of the attacks but rather a highly vulnerable entity brought to its knees by a broader attack that saw a malware variant named “WannaCry” released on the world. (View map of attacks)

In addition to the NHS, other high-profile organizations including Telefonica (Spain), Renault (France), Deutsche Bahn (Germany), Sberbank (Russia), and FedEx (USA) were impacted. All told, over 74 countries and 200,000 computers were affected, making the WannaCry attack one of the largest, most successful cyber attacks in history.

Today, the world is still making sense of the attack and what can be done to prevent something similar from occurring in the future. Although patches and protocols to stop the spread of the attack have been made available, there are still very real concerns that the attack will impact more users before it is entirely snuffed out.

In the following sections, I will attempt to distill what we know about the attack and its impact on healthcare. If you’re looking for a more technical breakdown of the attack, I highly recommend this blog from the good folks at Talos.

What exactly is “ransomware”?

Ransomware refers to malicious software that blocks access to files on a computer until a ransom is paid, most commonly in the form of Bitcoin. Some common triggers include clicking on a link, downloading a file, or, in the case of this attack, spreading throughout a network of computers after impacting one user. The affected computers at the NHS displayed this message:

How do these attacks start?

Unfortunately, attacks often start from a “phishing” e-mail: a message that looks like a real e-mail but carries a link or attachment that, once clicked or downloaded, unleashes the malware program on your computer. Sometimes these attacks are limited to one user, but in the case of WannaCry, the program was designed to search the local network for specific weaknesses and spread like wildfire without needing anyone else to click on a link or download a file. This is why it was so devastating. Before you chalk this all up to one careless employee, watch this video from Cisco that demonstrates just how easy it is to be a victim of a phishing e-mail:
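The worm behaviour described above (one infected machine searching the local network for other hosts to infect) leaves a recognisable trace in network logs: a single source address reaching many distinct neighbours on the same service port within a short time, which normal workstation traffic almost never does. The script below is an added example, not code from the original post or from the Talos write-up it links to. It flags that fan-out pattern over a constructed sample of firewall-style connection logs. The log format, the 60-second window, the threshold of ten distinct destinations, and the choice of port 445 (Windows file sharing) for the sample sweep are all assumptions made for illustration; the post itself names no port. The detector is port-agnostic, so it also catches a sweep on any other service port.

```python
"""
Detect worm-style lateral fan-out in connection logs (added example, not from the post).

Pattern: one source address, one destination port, many distinct destination
addresses inside a short time window. The window, threshold, log format and
sample data below are constructed assumptions, not values from the post.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_fan_out(events, window=timedelta(seconds=60), threshold=10):
    """Return one alert per (src, dport) that reached >= threshold distinct
    destinations on that port within any interval of length `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), evs in by_key.items():
        evs.sort()                      # sliding window needs time order
        in_window = Counter()           # dst -> events still inside the window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({"src": src, "dport": dport,
                               "distinct_dsts": len(in_window),
                               "window_start": evs[left][0], "window_end": ts})
                break                   # first hit is enough to trigger triage/isolation
    return alerts


def constructed_sample_log():
    """Constructed sample data: one sweeping host, one benign host, one slow host."""
    lines = []
    # Infected workstation sweeping twelve neighbours on port 445 in twelve seconds.
    for i in range(12):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.1.2.50 -> 10.1.2.{10 + i}:445")
    # Benign workstation: repeated access to one file server and one web server.
    for i in range(12):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.1.2.77 -> 10.1.2.5:445")
    lines.append("2017-05-12T10:00:05 10.1.2.77 -> 10.1.2.6:443")
    # Slow host: twelve distinct destinations, but only one every ten minutes.
    for i in range(12):
        lines.append(f"2017-05-12T{10 + i // 6:02d}:{(i % 6) * 10:02d}:00 "
                     f"10.1.2.90 -> 10.1.2.{30 + i}:445")
    lines.append("this line is malformed and is skipped by the parser")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_fan_out(parse_log(constructed_sample_log())):
        print(f"ALERT {alert['src']} swept {alert['distinct_dsts']} hosts on port "
              f"{alert['dport']} between {alert['window_start']} and {alert['window_end']}")
```

Only the sweeping host trips the rule: the benign host hammers a single file server and stays at one distinct destination, and the slow host never accumulates ten destinations inside one window. In practice the threshold is tuned per network so that legitimate scanners (vulnerability scanners, monitoring systems) are whitelisted by source address rather than by raising the threshold for everyone.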

Why was the NHS so vulnerable?

Remember Microsoft XP? You know, the OS released back in 2001? The one that Microsoft stopped supporting in 2014? Well, most of the NHS is still running it. Unsupported software is extremely susceptible to these kinds of attacks because no one is making updates or security patches in response to new threats. The NHS knew they had an issue but lacked either the funds or expertise to address it appropriately, and this attack spread quickly throughout NHS systems due to the exploitation of a known vulnerability in XP that hadn’t been fixed.

Wait, was this malware really created by the NSA?

*Gulp* I’ll let the big news channels cover this one in depth, but all signs point to yes. The NSA apparently has a program where they seek out vulnerabilities in systems (Microsoft, etc.) and develop ways to exploit them. Theoretically, this exercise is done in the name of national defense (…or something), but in practice, there is a very serious issue when malicious software developed by the government is stolen and used by criminals (as in our current case).

This is an example where instead of notifying Microsoft of an issue and urging them to release an update to resolve it, the NSA instead developed a program to exploit it. The program was then stolen and used to execute one of the largest cyber attacks in history, causing not only financial harm, but in the case of the NHS, possibly death.

One of the most interesting things to come out of this whole thing is Microsoft now taking a very public stance against this type of activity by governments.

“Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”

Brad Smith, President and Chief Legal Officer, Microsoft

What happened to patients?

In an attempt to stop the spread of the ransomware attack, NHS facilities shut down their IT systems. This left them not only without computers and patient records but even phone systems. Signs were posted on doors imploring patients to wait until the issue was resolved and to only come to clinics for emergencies. Surgeries needed to be postponed or rescheduled and actions that had to be taken were recorded on paper with hopes of reconciling later. It appears all of the providers and staff at these clinics performed heroically; however, the real issue, the one with no clear resolution, deals with rescheduling. Many NHS patients are on long wait lists for important procedures and losing an entire day or multiple days of appointments can’t be easily reconciled. The financial damage of this attack, all things considered, is minuscule, but the patients affected face serious hardship.

What’s next?

We’re not out of the woods yet. An attack of this magnitude always spawns copycats. It is likely that there will be an ongoing battle between cybersecurity professionals and malicious actors for the near future. In the meantime, IT staff will be on code red and healthcare organizations will scramble to develop strategies to protect themselves. What this attack reveals is the very real vulnerabilities of our interconnected systems and the ramifications of not keeping systems up to date. This will very likely cause projects to be halted while systems are analyzed and new checks are added to security protocols.

At the same time, this attack reveals a sad reality — how are healthcare organizations supposed to prevent or respond to these kinds of attacks? If banks, telecom giants, and global logistics leaders are susceptible, what is a healthcare organization with limited resources to do? Sure, some leading organizations have immense resources, but what about small practices? What about specialty groups? They are caregivers, not IT experts, and while they do their best to keep up with regulations, they’re operating at a severe deficit when it comes to expertise. This forces them to hope whoever they partner with is technically secure and capable of handling any malicious attacks. I don’t have a solution for this problem; if anything, this reveals the need for very pragmatic, well-rehearsed contingency plans.

Unfortunately, it seems that it’s not a matter of if an attack like this will happen, but when. If we are going to be effective in limiting the negative impact on patients, healthcare is going to need to develop the “fire drill” equivalent for when these systems are compromised. It’s a pipe dream to think there will ever be security that is 100% effective as this game of cat and mouse between cyber criminals and security professionals continues.

For now, we will keep an eye on this fallout and keep you up to date. Thanks for reading and see you next week!

Author’s note: this post was originally published on 5/15/2017 over on my company’s blog. When, in a fit of procrastination, I decided to move all of my “Last Week in Healthcare” posts to Medium, I didn’t think backdating posts would be difficult, but alas, it is. Moving forward, posts will reflect the actual date I published the content. Cheers!


Trying to make healthcare a little bit better at www.redoxengine.com. Living on the isthmus in Madison, WI.