A ransomware cyberattack of unprecedented scale recently infected more than 230,000 computers in over 150 countries, including Britain’s National Health Service. Who’s responsible, what are the implications for healthcare systems, and how can we protect ourselves and our industry?
As healthcare marketers, our job is to help our clients communicate in alignment with the FDA mission of “protecting the public health by assuring the safety, efficacy, and security” of drugs, biological products, and medical devices. Together, we are responsible for “advancing the public health by helping to speed innovations that make medicines more effective and safer,” and by helping the public get the “accurate, science-based information they need to use medicines” to maintain and improve their health.
That tension between efficacy and safety underscores the essence of “fair balance” and the regulated environment in which we operate. Digital communications technology has exponentially increased audience engagement but with a commensurate level of risk, making data privacy and security a continuous and central challenge. The healthcare industry therefore takes the active prevention of and successful reaction to data breaches as seriously as does the financial sector—with consequences that can be even more dire.
As we’ve seen, personal health information is particularly vulnerable and constantly under attack. Breaches range in type, severity, and intent, covering the gamut from lost and stolen assets to privilege misuse, crimeware to cyber-espionage. Meanwhile, large-scale denial-of-service strikes make headlines—especially when originating from household gadgets and appliances—while malware in various forms and to varied degrees of sinister efficiency has been plaguing the Internet since 1988.
Cryptoworms & Emergency Rooms
If healthIT experts didn’t have enough to worry about already, meet “WannaCry,” unleashed on May 12th and still running amok. The most rabid ransomware to date, the cryptoworm targeted computers running the Microsoft Windows OS and encrypted the data of those neglecting to update their systems with the latest security patch, demanding a ransom—payable in Bitcoin—for the locked data to be released back to the user. A health system cyber nightmare come true, the worm hit Britain’s NHS fast and hard, and got worse from there:
Attacking first in Spain and rapidly migrating to England, within hours WannaCry encrypted the data on more than 2,000 unprotected systems and 70,000 devices across 40 NHS hospitals, completely disabling their entire health systems. Impacted devices included computers, MRI scanners, blood-storage refrigerators, and operating equipment. Of greatest concern, emergency services were also disrupted, ambulances rushing critically vulnerable patients to unaffected hospitals across the country.
“We are running limited services – we are prioritising emergencies, you can still be seen by a GP. We can still process prescriptions. We have NO access to results, x-rays, blood tests or hospital letters. We will update you as soon as we can.” (Text message sent to patients by their doctors at St Stephen’s Health Center in East London)
Kill Switches & Bitcoin Wallets
Back in mid-March, Microsoft released a critical security update for its Windows operating system called MS17-010, which addressed the exact vulnerabilities WannaCry would exploit two months later. The ensuing problems were two-fold: 1) A mysterious hacker group known as “The Shadow Brokers” allegedly stole US government-designed malware from the NSA (not making this stuff up), making the sinister code public a month after the update; and 2) Millions of computers and devices around the world never installed the security patch.
That oversight or neglect made these systems vulnerable to “EternalBlue,” a piece of that NSA malware that enabled the ransomware worm to exploit Microsoft’s Server Message Block (SMB) protocol, enter the system, and install “DoublePulsar,” a backdoor implant tool that transfers and runs the malicious software. The attacked system is disabled, its data encrypted, and a ransom note is displayed; the worm in turn scans other connected computers, copies itself, and then exploits other vulnerable systems, spreading virally.
Fortunately, a weakness in the worm’s modus operandi led to a fix: Marcus Hutchins, a 22-year-old white hat hacker known by the Twitter nom de plume @MalwareTech, discovered a string of worm code that pinged the obscure URL iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com before replicating. Once he simply purchased and activated the domain, infected machines received a response that terminated the program. Marcus thereby activated a “kill switch” that stopped the virus, essentially preventing its spread to North America and Asia.
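A defender-side use of the kill-switch detail above, added here as an example that is not part of the original article: a host that looks up that domain is a candidate for infection triage, and a host whose lookup never succeeded could not have received the response that stops the worm. The log format, field order, IP addresses and function names are constructed assumptions; only the domain comes from the article.

```python
import re
from collections import defaultdict

# Kill-switch domain as given in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (hypothetical format):
# timestamp client_ip query_name query_type response_code
SAMPLE_LOG = """\
2017-05-12T09:14:02Z 10.20.1.15 www.example.org. A NOERROR
2017-05-12T09:14:07Z 10.20.1.44 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A NXDOMAIN
2017-05-12T09:14:09Z 10.20.3.8 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NXDOMAIN
2017-05-12T16:02:31Z 10.20.1.44 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NOERROR
2017-05-12T16:05:10Z 10.20.7.2 notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. A NOERROR
malformed line
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def is_kill_switch(name):
    """Match the domain itself or a subdomain, ignoring case and trailing dot."""
    name = name.lower().rstrip(".")
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)

def find_suspect_hosts(log_text):
    """Return {client_ip: {"first_seen", "lookups", "resolved"}} for hosts
    that queried the kill-switch domain."""
    hosts = defaultdict(lambda: {"first_seen": None, "lookups": 0, "resolved": False})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname, _qtype, rcode = m.groups()
        if not is_kill_switch(qname):
            continue
        h = hosts[client]
        h["lookups"] += 1
        if h["first_seen"] is None or ts < h["first_seen"]:
            h["first_seen"] = ts
        # A failed lookup means the host could not have received the
        # response that stops the worm, so triage those hosts first.
        h["resolved"] = h["resolved"] or rcode == "NOERROR"
    return dict(hosts)

if __name__ == "__main__":
    for ip, info in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        state = "resolved" if info["resolved"] else "NEVER RESOLVED"
        print(ip, info["first_seen"], info["lookups"], state)
```

A hit is a lead for triage rather than proof of infection, since analysts and security tools also query this domain.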
Another amazing element of this sci-fi-esque cryptovirology thriller is the bitcoin ransom process: payments were directed at only three static wallets, transparent to the public. Check out the tweet feed tracker, which documents every payment to the perpetrators! Past ransomware attacks dynamically generated a new bitcoin address for each infected device, automating the decryption process. Lack of such sophistication suggests those behind WannaCry are rookies—their take of only $100K suggesting naiveté or non-monetary intent.
Although the hackers’ take is minuscule compared to the breadth of exposure and disruption, experts estimate overall damage to systems and the opportunity costs of downtime at over $4 billion. That’s not counting the human impact, especially for the affected healthcare systems from the National Health Service to hospitals in Canada, Colombia, Indonesia, and Slovakia. A crisis of truly international proportions, its perpetrators still unidentified even if their ransom payments are completely visible, WannaCry raises alarm bells.
Take the Blue Pill
The smoke clearing, fingers started pointing. Microsoft President and Chief Legal Officer Brad Smith urged collective action to thwart the growing cyberthreat, stressed the attack is a “wakeup call,” and addressed the “unintended but disconcerting” link between government stockpiling of vulnerabilities and organized crime. More immediately, individual and enterprise users need to pay close attention to Windows updates, especially those deemed “critical” to help stop similar malware and ransomware attacks before they spread.
Alf Whitehead, SVP of Data Science at Klick, takes a similarly practical tack. “Yes, the attack was terrible. And yes, likely irresponsible on the part of the NSA. But more than that, the individuals and companies that got breached were also irresponsible. Microsoft released a patch for this in March. It’s May. They had more than two months to get that patch applied to secure their systems, for all supported versions of Windows. Otherwise, they were running an unsupported version of Windows, and gambling with their own users’ safety.”
Alf also cites the Verizon Data Breach Investigations Report (DBIR) for 2017, which notes that nearly everyone is slow to apply patches, even “critical” ones that could prevent the infection and spread of ransomware worms like WannaCry. “Companies really need to adjust their strategies to get critical patches up in days (or preferably hours), not hundreds of days. Microsoft provides technologies like SCCM and WSUS to make this automated. These technologies need to be used, though…”
Your Trusted Healthcare Technology Partner
Here at Klick, we take security as seriously as we do technology. We are experts in each, and you should settle for nothing less than both. Does your agency partner understand the complex landscape, recognize threats before they threaten, and keep your infrastructure safe? When was the last time you updated your systems? Preventable IT problems are like preventable diseases, the onus on practitioner and patient. When was the last time you called Klick Health? If not now, then when?