The recent global cyber-attack which infected 200,000 computers in at least 150 countries exposes costly flaws in hospital IT systems and requires a sweeping response, according to security experts.
The ransomware used in the attack – called WannaCry – brought down interior ministry computers in Russia, railway ticket machines in Germany and parts of the FedEx network in the US.
But the most disturbing cyber weakness was seen in hospitals. Staff at 61 National Health Service (NHS) organisations in England and Scotland, and in some unnamed US medical facilities, who tried to log into their computers on May 12 and 13 were greeted by a red screen saying their files, including patient medical records, had been encrypted. The gang behind the attack was after money, in the form of the virtual currency Bitcoin.
Hospitals and GP surgeries were forced to turn away patients and cancel critical appointments.
“The attack showed us that hospitals in particular are far behind the security curve,” said Tim Erlin, vice-president of product management and strategy with Tripwire, a US cybersecurity firm. “They haven’t been forced by standards and regulations to modernise their systems.”
Many medical devices today run on the internet; like the rest of the Internet of Things, they communicate with servers. Hospitals do not buy new CAT scanners or MRI machines every three years. That means much medical equipment is likely to run antiquated systems that are open to attacks delivered through the internet. As a result, experts say hospitals are low-hanging fruit for ransomware.
Lack of investment
The WannaCry worm has exposed a lack of investment in hospitals, in IT leadership, in basic infrastructure, and in staff training, said Saif Abed, an NHS doctor and founding partner at AbedGraham, a health IT strategy and risk consultancy.
“I have seen a lot of tweets apportioning blame: ‘It’s all the fault of the IT department’ or ‘how could people be so irresponsible as to click on a link’; but it’s not that straightforward,” he said.
“We have to ask why this software is still out there, why it is unpatched, why there hasn’t been the investment in clinical leadership to make people aware of the dangers, why there weren’t the people and processes in place to respond when it happened.”
A study by the EU Agency for Network and Information Security (ENISA) on hospital security backs up the claim that most hospital staff are unprepared for big cyber-attacks, finding that clinical staff are likely to circumvent security measures simply because of time pressures.
Warning ignored
The complacency around computer security in health systems has been highlighted, said Udo Helmbrecht, head of ENISA. “It’s a pity that people don’t learn their lessons,” he said. “A ransomware attack like WannaCry happened in a hospital near Cologne last year. If it can happen in Germany, you know it can happen anywhere.”
In the case of the German hospital, an email attachment allowed the ransomware to enter the system. With computers immobilised, staff resorted to pen and paper. A fax machine was used to exchange patient reports.
The clean-up operation to remove all traces of the malware took weeks, with security experts using special software to cleanse the 100 infected servers and 900 medical devices.
“The biggest issue is that hospital administrators consider themselves to be low risk,” said Aggelos Kiayias, chair in cyber security and privacy at Edinburgh University.
But they will increasingly find themselves targets in attacks, which are set to grow more frequent and sophisticated. “Cybercrime like this is cheap to do, so they’ll keep coming. Bitcoin has made it easier for attackers in a way, you no longer have to meet someone down a dark alley to pay the ransom. What we have to do in response is to make attackers’ lives harder,” Kiayias said.
Security requirements
Frustrating cyber attacks starts with several sensible steps. Hospitals should come up with a fresh set of security requirements for medical device suppliers, said Erlin. Devices should be tested to meet standards before purchasing contracts are signed.
In some cases, vendors restrict hospitals from making changes to their devices – like adding security patches. In other cases, security patches are no longer available. Before the attack, a majority of hospitals in the UK were still running computers on Windows XP, a Microsoft operating system from 2001 that the company no longer supports. A government contract with Microsoft to update the software for the NHS expired two years ago.
“In other industries, cyber attacks have brought watershed moments. WannaCry could be it for the healthcare sector, providing the spur for new investment and a greater awareness of security issues,” Erlin said.
It is not yet clear that this will be the case. A doctor, Krishna Chinthapalli, published an article in the British Medical Journal warning about ransomware just days before the attack. He still sees signs of complacency. “Being election time in the UK, the attack has already been superseded by various political stories,” he said. “I had hoped to see commitments on IT spending and upgrades in the NHS, but sadly I have not heard much about these.”