Few U.S. healthcare organizations affected by WannaCry
With more than 300,000 computers worldwide compromised by the WannaCry ransomware in at least 150 countries, including the National Health Service in the United Kingdom, Monday was expected to be a day of reckoning for U.S. healthcare organizations facing the file-encrypting malware.
However, Tom Bossert, President Trump’s Homeland Security Advisor, told members of the media that the infection rates have “slowed over the weekend” since WannaCry started in the U.K. on Friday and quickly spread to the rest of the globe.
While the ransomware disrupted telecommunications companies, hospitals and other organizations globally, Bossert emphasized during the daily White House press briefing held Monday afternoon that the “U.S. infection rate has been lower than many parts of the world” with only a “small number of affected parties in the U.S.” No federal systems were affected.
Nonetheless, Bossert added that “we may still see a significant impact on additional networks as these malware attacks morph and change.”
Healthcare organizations still carry risk because many still operate devices that use older, unsupported versions of Microsoft operating systems.
A lot of healthcare systems are running older versions of Windows, such as Windows XP, says Avi Rubin, who is director of the Health and Medical Security Lab at Johns Hopkins University. “Those were extremely vulnerable because they had their systems running for a long time without updates,” he says. “Microsoft issued an emergency patch over the weekend addressing this situation for those people.”
In addition, providers still are considered highly desired targets for ransomware because medical information is valuable to hackers, who can sell it for a variety of purposes, and healthcare organizations might be more willing to pay a ransom because having access to encrypted medical data is crucial to maintaining continuity of care.
Lee Kim, director of privacy and security for HIMSS North America, contends that there have been anecdotal reports by healthcare providers around the world—including the U.S.—of infections affecting their computers and medical devices. And, she says, because there are multiple variants of the WannaCry ransomware, it is still a very serious international cyber threat.
“The ransomware is rapidly changing, and there are multiple variants—at least 65 variants of the WannaCry ransomware have been confirmed at this time,” according to Kim, who says it is likely that this number will increase.
“We haven’t seen anything quite like this before—the way in which it has spread and affected so many people,” says Rubin. “In terms of awareness and impact on people, it’s probably been the biggest one so far.”
Likewise, Reg Harnish, CEO of GreyCastle Security, comments that “it’s tough to think of another ransomware situation that has been this impactful.”
Yet, Bossert claimed in Monday’s press briefing that if organizations follow the mitigation advice published by the Department of Homeland Security, the Federal Bureau of Investigation and Microsoft—and have patched their systems—they will be “protected against all these variants.”
Kim calls WannaCry the world’s first ransomworm—ransomware with the ability to self-propagate without user intervention or interaction. At the same time, she notes that the “success” of the WannaCry ransomware is “based upon one tried and true fact—many individuals and organizations do not patch their systems in a timely manner.”
Likewise, Bossert emphasized that the only computers that can be compromised by WannaCry are those that do not have the latest security patches available from Microsoft. “Make sure your IT service providers or IT folks within your organizations are patching your software—that’s the bottom line,” added Bossert.
On Friday, Microsoft took what the software vendor itself called the “highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.”
Rubin also points out that on March 14 Microsoft released a security update that addressed the very vulnerability that the WannaCry ransomware is exploiting. “There are actually legitimate reasons to wait to patch your systems. But updating your Microsoft operating system is something that should be done relatively quickly,” he concludes. “I don’t think waiting two months is reasonable. Anybody who patched their Windows system in the last two months would not have been vulnerable to this.”
John Riggi, former FBI Section Chief for the Cyber Division Outreach Section and currently head of services firm BDO’s Cybersecurity and Financial Crimes Unit, believes that because the WannaCry ransomware started out in Europe and spread to the rest of the world—including Asia—the sequence of attacks in other countries worked to the advantage of U.S. organizations.
“The fact that it started out in Europe served as an early warning system of sorts for U.S. organizations to ensure that they had time for patches to be implemented,” says Riggi.
Although the U.S. appears to have dodged a bullet, at least for now, going forward Riggi asserts that overall the healthcare industry is particularly vulnerable to ransomware and is a high-priority target for cybercriminals because of the high value of health data.
“The fundamental issue with healthcare data is that it has enduring value to the cybercriminal,” he says. “A credit card number generally has a very limited shelf life before the bank detects fraudulent charges, and a credit card number can be easily cancelled or replaced. Now, a medical diagnosis or an X-ray, for instance, cannot be cancelled so therefore it has enduring value.”
However, Harnish predicts that healthcare will continue to see an increase in the different types of cyber threats, not just ransomware.
“Imagine that instead of all of the data being encrypted, what if it was just changed and providers didn’t know which data was wrong, like which leg to amputate, what particular allergies a patient has, or which prescription medications need to be administered?” he asks. “That to me is far scarier than a bunch of hard drives being encrypted.”
Harnish expects those kinds of “integrity attacks” on health data to happen at some point in the not-too-distant future.