WannaCry Ransomware Healthcare Disruption: Lessons Learned, Next Steps

The recent WannaCry Ransomware attack caused severe disruption worldwide, affecting more than 230,000 computers in more than 150 countries. It was an opportunistic, untargeted attack that propagated rapidly using a computer worm to infect computers running unpatched versions of the Microsoft Windows operating system. The attack was not specifically targeted at healthcare, but healthcare was a major casualty, in particular the UK NHS, where as many as 40 hospitals across 24 trusts were affected. In the best cases the negative impacts of this ransomware infection were limited to delays; in the worst cases it shut down services and patients had to be sent elsewhere. The healthcare industry in general is a soft target for ransomware: it often lags other industries in security and is relatively vulnerable, and it is intolerant of disruption and therefore relatively likely to pay, and relatively quick to pay. The typical ransoms demanded, $300 USD in bitcoin in the case of WannaCry Ransomware, pale in comparison to the disruption caused, and such disruption is a direct threat to patient safety.

Beyond outrage, reaction to such security incidents tends to focus on one safeguard. In many cases, the "silver bullet" safeguard asserted for ransomware is backup and restore. In the case of WannaCry Ransomware it is patching systems in a timely fashion to keep them up to date. As any security professional knows, no safeguard is a "silver bullet" or panacea, and all safeguards have weaknesses and residual risk. For example, backup and restore, while a great safeguard and a security best practice, can fail if not all systems are backed up, if the restore fails, or if ransomware gets into the backups. Even in the best case, restoring from backup is disruptive and risks missing or effectively undoing updates made since the last backup, with unpredictable effects on patient safety. Similarly, keeping patches up to date, while an excellent thing to do as part of a multi-layered, defense-in-depth approach, is far from a "silver bullet", since many security incidents and attacks do not exploit or rely on vulnerabilities in unpatched systems the way the computer worm in WannaCry Ransomware did. For example, in a zero-day attack there is no patch available, since the software vendor is unaware of the vulnerability until it surfaces. Rather than placing our hope only in "silver bullet" safeguards, for effective security we need a multi-layered, defense-in-depth approach that includes backup and restore, timely patching, and many other safeguards. Such an approach should also be holistic, combining administrative safeguards such as policy, training (especially anti-phishing training), and audit and compliance, with technical safeguards such as backup and restore, patching, and encryption, and even physical safeguards such as locks, cameras, and secure disposal.

As healthcare organizations recover from WannaCry Ransomware, a key recommended next step is to evaluate all of your safeguards against ransomware and other major breach types, and to understand where your organization stands in security relative to peers and the industry: whether you are relatively vulnerable and, if so, specifically where (which security capabilities). This benchmark information is in addition to the activities required by regulation, data protection law, and security standards, and provides valuable additional input that can be used to rally support within your healthcare organization to allocate the resources needed to address gaps.

Intel Health & Life Sciences is leading a global Healthcare Security Readiness Program that enables healthcare organizations, through a 1-hour, complimentary, confidential workshop, to benchmark their security against the healthcare industry and peer organizations of a similar focus, locale, and size. Through this engagement, healthcare organizations can see how their security maturity, priorities, and readiness compare with peers and the industry across 8 types of breaches, including ransomware, and across 42 key security capabilities. This enables healthcare organizations to quickly determine whether they are lagging in security relative to peers and the industry, and are therefore vulnerable to opportunistic attacks such as WannaCry Ransomware. Through this engagement, and the confidential, encrypted reports they receive, they can also see specifically which security capabilities they have gaps in, and the level of implementation of these capabilities across the industry and their peer set. Now with more than 114 health and life sciences organizations participating across nine countries, and over 40 industry partners collaborating to scale this program worldwide, this engagement provides a path for healthcare to quickly benchmark their security, identify gaps, and rally support to initiate remediation ahead of the next major cybersecurity attack. Separately, the FBI estimates that in 2016 ransomware payments hit $1B USD. The Ponemon Institute estimates that nearly 90 percent of healthcare organizations represented in their 2016 study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period. These results reflect that cybercrime is lucrative and that all healthcare organizations have a high probability of being affected by breaches and ransomware at some point.

Early results of the Healthcare Security Readiness Program show that, worldwide, ransomware is the highest priority across 8 of the most common types of breaches assessed, with 86 percent of organizations prioritizing this high. However, there is a huge spread in the readiness of healthcare organizations for ransomware, with the lowest scoring just 17 percent (level of implementation of 23 key security capabilities relevant to ransomware risk mitigation) and the highest 91 percent. With the healthcare industry as a whole having a ransomware readiness score of only 57 percent, there is much room for improvement. For example, in the case of vulnerability management and patching, only 53 percent of healthcare organizations have this fully implemented, while 39 percent are working on it, and 8 percent have nothing. For backup and restore, 75 percent have this fully implemented, while 24 percent are working on it, and 1 percent have nothing. For business continuity and disaster recovery, which can include hot standby systems that can support continuity of critical services to minimize disruption from disasters such as ransomware, only 45 percent have this, while 43 percent are working on it, and 12 percent have nothing.

Where does your healthcare organization stand in security and ransomware readiness? The time is now to benchmark your security, understand if and where you are lagging, remediate ahead of the next major cybersecurity attack, and pave the way for improved healthcare that minimizes disruptions and other impacts from ransomware and other types of breaches. See Intel.com/SecurityReadiness for a concise overview of this program, a sample Security Readiness Report, and further information on how to engage in this program.

Intel Health & Life Sciences will be running a group security readiness workshop with the Infragard CHWG (Cyber Health Working Group), coordinated by the FBI, on Thursday May 25 10 am PST. Any health & life sciences organization worldwide that works with sensitive patient information is eligible to participate in this 1-hour, complimentary (free), confidential workshop, and to receive a detailed, confidential, encrypted report showing how your organization compares in terms of security with the healthcare industry and peers. This session will also be recorded and available on demand for those who can't make the live session. For further information on this event see the CHWG website or contact me.