The worldwide ransomware attack using software known as “WannaCry” temporarily disrupted computers at the United Kingdom’s National Health Service, while U.S. healthcare organizations were largely spared, but CIOs and CISOs can still use this incident as a learning opportunity.
Considering the goal of a ransomware attack is for hackers to get paid in exchange for restoring access to an organization’s data, they didn't make much: IBM Security estimated only $60,000 was paid for an attack which infected more than 100,000 organizations in more than 150 countries, amounting to less than $2 in ransom collected per infected organization. The attack's effects on U.S. healthcare were confined to some Bayer and Siemens medical devices, according to cyber threat information sharing service HITRUST.
Yet it did offer a glimpse into certain vulnerabilities in healthcare. One common reason U.K. hospitals were affected was that the latest security patch for Windows systems hadn’t been applied. Jim Brennan, IBM Security’s director of strategy, recommended going a step further and automating security updates.
“Relying upon manual processes and just people to get the job done is just not going to work,” Brennan said. “You need to have a way to maximize the value of your resources and automate whenever possible.”
Brennan added cognitive technology—something IBM is quite fond of—could help with identifying and protecting against new malware threats, providing “actionable insights” for cybersecurity analysts.
With the hack being so widely reported, cybersecurity officials in healthcare may be able to grab the attention of others within the C-suite and convince them of the need for broad revisions or reviews of existing policies on these attacks. Alisa Chestler, chair of the cybersecurity team at law firm Baker Donelson, would advise hospitals and other providers to take steps like sending employees an alert on how to report malware attacks, reviewing incident response plans and making sure security patches are being applied quickly.
In her opinion, the WannaCry attack can be used as an opportunity.
“Management, legal and IT security can no longer keep ‘kicking the can’ when it comes to information security,” she said in an e-mail to HealthExec. “Knowing your compliance and contractual obligations before an event is critical.”