May 30, 2017

SUMMARY

Hacks of health information technology systems, including electronic medical records and networked medical devices, pose a serious and ongoing threat to healthcare organizations, professionals and patients. Anesthesiologists and nurse anesthetists are certainly not immune. Anesthesia providers should work with their colleagues, employees and institutions to adopt and adhere to best practices around cybersecurity. We offer recommendations from several sources.


Do the names WannaCrypt or WannaCry mean anything to you? They well might, by now. In a global cyberattack that began on May 12, 2017, this aggressive form of ransomware infected more than 300,000 Windows PCs in 150 countries across Europe, Latin America and Asia.

Of special note for hospitals and healthcare professionals, anesthesiologists and nurse anesthetists included, the malware attack wreaked havoc across the United Kingdom’s National Health Service, crippling many of its countries’ outdated information technology systems, forcing some hospitals to revert to paper-based methods, and putting into stark and unsettling relief the extent to which electronic medical records and networked medical devices—and, by extension, patient safety—are vulnerable to digital sabotage.

The ransomware exploits a flaw in Microsoft software that the National Security Agency (NSA) had been mining for intelligence purposes; the NSA’s exploit program for that flaw was leaked. Although Microsoft fixed the software flaw in a patch released in March, inconsistent application of the patch by information technology (IT) administrators left some computers vulnerable. (Some organizations don’t update their systems immediately because the update could affect operations on legacy systems.) The malware entered through “phishing” attacks that tricked email recipients into opening malicious links, and then spread quickly to other unpatched computers in what one IT security expert described as the first “ransom worm”—a ransomware file that can move through networks on its own.

According to a May 15 article by Lee Kim, JD, FHIMSS, director of privacy and security for the Health Information and Management Systems Society (HIMSS), North America, the ransomware is rapidly changing and there are multiple variants—at least 65 variants of the WannaCry ransomware have been confirmed at this time. It is likely that this number will increase.

Like other ransomware attacks, the malware blocks access to files using encryption and demands payment by a deadline in a digital currency known as bitcoin. The fee increases as the deadline approaches (see image below).

Source: Symantec

Cyberattacks are a growing threat across virtually all industries, but the healthcare sector is especially susceptible. (Also see our eAlerts, “Leverage Technology to Improve Your Anesthesia or Pain Practice: Nine Takeaways from AIAPM,” “HIPAA Helps Keep Hackers at Bay: Hints for Anesthesia Providers” and “Protect Your Anesthesia Practice Against Ransomware Attacks.”)

In its 2017 Data Security Incident Response Report, law firm BakerHostetler reported that, again in 2016, the largest share of cyberattacks (35 percent) occurred in healthcare. Because healthcare cyberattacks not only can jeopardize patient identity and privacy, but also can threaten safety and put lives at stake, the sector’s enhanced vulnerability presents a particularly troubling scenario.

The size and scope of cyberattacks on protected health information (PHI) and medical devices have accelerated particularly quickly during the past two years and show no signs of slowing, notes the Public Health Emergency section of the Department of Health and Human Services (HHS) on its website. (A May 15 article in Healthcare IT News details the 20 biggest healthcare breaches so far in 2017.)

In the March 2017 issue of Wired, an article ominously titled “Medical Devices Are the Next Security Nightmare” noted, with an average of 10 to 15 connected devices per hospital bed, “the broader universe of medical care gadgets creates major exposure and potential danger in the healthcare industry.” Many medical devices, such as monitoring machines, lack security scanning and easy mechanisms for downloading patches and updates. In addition, future generations of devices will require more robust built-in security protections. However, “many manufacturers either ignore security in the early planning stages, or rely on third party components that may themselves be vulnerable,” according to the article.

To address these problems and the growing threat of healthcare cyberattacks, HHS has formed a Health Care Industry Cybersecurity Task Force (HCIC). Mandated by the Cybersecurity Information Sharing Act (CISA) of 2015, which encourages businesses and the federal government to share information on cybersecurity in the interests of national security, the HCIC Task Force is bringing cybersecurity experts from the private and public healthcare sectors together to address healthcare’s unique challenges and disseminate information to help healthcare providers prepare for and respond to cyberattacks. The goal is to develop a single federal system for intelligence-sharing regarding healthcare cybersecurity threats.

Easy Targets

Why is healthcare such easy prey for hackers? In a recent article, John D. Halamka, MD, MS, of Harvard Medical School and chief information officer of the Beth Israel Deaconess System, posits five reasons:

  • A small market. There are approximately 5,500 hospitals in the United States, which means that many healthcare IT vendors have a relatively small number of customers and lack the resources to update their software frequently.
  • Under-spending on IT, including IT security. Financial institutions spend approximately 25 percent of their budget on information technology; hospitals spend an average of less than four percent. “If you’re a bank robber . . . you’ll go where the money is easiest to steal,” he says.
  • Little tolerance for downtime. Patches and upgrades require time. But, as Dr. Halamka writes, in an environment in which clinicians are stressed and often overwhelmed by their work, “the challenge is to implement constant change and innovation with patches and upgrades while never disrupting clinical work or causing safety concerns. That is like changing the wings on a 747 while it’s flying.”
  • Healthcare is a bottom-up industry. While other industries have a top-down, command and control structure, it is not so in many hospitals. “Most hospitals own the facility but not the doctors,” Dr. Halamka writes. “Imagine if Toyota owned the factory and independent workers arrived every day to build whatever car they wanted. That’s how hospitals work. CIOs have no authority to tell clinicians they must run a specific brand of corporate-approved phone, and they certainly do not have the budget to buy them for anyone.”
  • Medical devices. Like the Wired article, Dr. Halamka also points to the vast and growing range of medical devices, equipment and gadgets as a leading source of vulnerability. “Hospitals not only have thousands of computers, phones and laptops; they also have thousands of medical devices connected to the network. IV pumps, X-ray machines and heart monitors sound like appliances, but in reality they are computers with network connections,” many of which lack security protections because manufacturers never assumed they would be attacked, he says.

Preventive Strategies

Anesthesiologists, as hospital-based physicians who use their facilities’ information management systems, are just as vulnerable as the hospitals themselves, and should encourage the administration to make sure it is doing all it can to protect against cyberattacks. Similarly, anesthesia groups running their own anesthesia information management systems (AIMS) should take their own preventive measures.

A May 4 article in CIO outlines nine strategies to ward off cyberattacks, developed by online backup services provider Carbonite.

Educate and train. Educate yourself and train your employees on digital hygiene best practices. That means avoiding clickbait and advertising links, especially if they’re hosted on websites that do not have a solid reputation. Remember that a URL beginning with “https” means the connection to the site is encrypted and the site’s identity has been certificate-checked, while sites that begin with “http” are not as secure. Note that “https” says nothing about whether the site’s content is trustworthy; a phishing page can use it too.

Keep a backup of all digital files. Invest in a high quality cloud backup system before you’re attacked—or encourage your institution to do so. If your network falls prey to a cyberattack, you can delete the infected files, remove the malware and restore clean files from the backup.

Update your antivirus software regularly. Updated security software and firewall protection are your first line of defense.

Stay abreast of ransomware news. Keep informed about new and increasingly dangerous types of ransomware.

Steer clear of unsolicited emails. Avoid clicking on links inside unsolicited emails and do not open any email attachments unless you specifically asked someone to send it to you. Beware of .js, .exe, .jse, .ade and .adp files.

Understand storage and backup differences. Cloud storage does not offer the same protection from accidental deletions and ransomware as cloud backup. Be aware that many storage solutions do not automatically back up new and changed files.

Regularly update all of your applications with the latest security patches. Hackers often break into networks by exploiting unpatched software security holes.

Disable macros in word processing and spreadsheet management applications. Cybercriminals often take advantage of macros inside Microsoft Word or Microsoft Excel files because they can be used to secretly download ransomware onto your computer from a remote server.

Enforce “least privilege.” Give employees access only to the data and applications that they need to do their jobs. Too many users with administrator privileges increases the chances that hackers can steal their credentials and plant ransomware in the network.
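The attachment advice above (beware of .js, .exe, .jse, .ade and .adp files) and the macro advice can be turned into a simple mail-screening check. The following is an added example written for this eAlert, not code from Carbonite or CIO; the macro-enabled Office extensions and the sample message are assumptions constructed here, and every suffix of a file name is inspected so that a double extension such as “invoice.pdf.js” is still caught.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the eAlert warns about, plus macro-enabled Office formats
# (the latter are an assumption added here, since the alert also
# recommends disabling Word and Excel macros).
BLOCKED_EXTENSIONS = {".js", ".exe", ".jse", ".ade", ".adp"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}


def risky_suffixes(filename):
    """Return every blocked or macro-enabled suffix found in a file name.

    All suffixes are examined (not just the last one), so 'invoice.pdf.js'
    is flagged, and comparison is case-insensitive so 'Totals.XLSM' is too.
    """
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    return sorted(suffixes & (BLOCKED_EXTENSIONS | MACRO_EXTENSIONS))


def screen_message(raw_bytes):
    """Parse a raw email and list (filename, reasons) for attachments to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = risky_suffixes(name)
        if hits:
            findings.append((name, hits))
    return findings


def build_sample():
    """Constructed sample message (not a real phishing email) for testing the screen."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "scheduler@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    octet = dict(maintype="application", subtype="octet-stream")
    msg.add_attachment(b"not a real script", filename="invoice.pdf.js", **octet)
    msg.add_attachment(b"not a real document", filename="summary.pdf", **octet)
    msg.add_attachment(b"not a real workbook", filename="Totals.XLSM", **octet)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()):
        print(f"QUARANTINE {name}: {', '.join(reasons)}")
```

Only the file name is inspected here; a production filter would also check the attachment’s actual content type, since an attacker can rename files freely.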

Specific information and guidance on the WannaCry ransomware can be found in a May 19 alert from US-CERT (United States Computer Emergency Readiness Team) of the Office of Homeland Security as well as in the article by Lee Kim of HIMSS North America.

According to the third annual Bitglass Healthcare Breach Report, which aggregates data from breach disclosures in accordance with the Health Insurance Portability and Accountability Act (HIPAA), 328 healthcare organizations reported data breaches in 2016, up from 268 in 2015, and the volume of PHI that leaks because of hacking is greater than all other causes of breaches combined. This is only one more reason why cybersecurity must remain on the front burner for every clinician, anesthesia group practice and healthcare organization.

With best wishes,

Tony Mira
President and CEO