Unprecedented cyberattack of scale on the NHS
On 12 May 2017, the WannaCry ransomware hit 61 NHS trusts and hospitals in the UK in what is known today as one of the most serious cyberattacks on any healthcare network before. Operations and clinic appointments had to be cancelled; and there were still patients being diverted from certain accident and emergency departments one week after the incident. Hospitals had lost the use of landlines and internet connections, and several hospitals in the U.K confirmed receiving demands for ransomware payments in bitcoin, with deadlines for compliance.
It immediately channeled the attention towards the fact how vulnerable healthcare systems against cyberattacks are; and how acute is the need for the protection of precious patient data. However, the cyberattack of scale should have not come as a surprise. In March 2016, WIRED published an article about the reasons why hospitals are the best target for ransomware.
They explained how the Hollywood Presbyterian Medical Center in Los Angeles was attacked similarly a month earlier. The medical facility paid a sum of $17,000 in bitcoins for releasing its computers, which were offline for a week. WIRED also reported another US example: the Methodist Hospital in Henderson, Kentucky was also “besieged” by ransomware a bit more than a year ago. The facility declared a “state of emergency”, but within a couple of days they could restore their operations using backups. But unfortunately, there are many more examples already. According to the latest study of the Ponemon Institute, 88 per cent of all ransomware attacks were tied to the healthcare industry in the US last year. So, sadly I am convinced that the NHS attack was not the last in the line.
Why are hospitals so vulnerable to ransomware?
1) Privacy vs. transparency
In order to respond to the truly puzzling question, why hospitals are so vulnerable to ransomware, it has to be acknowledged how the role of data, as well as healthcare data changed in the last couple of years. As you know, data is the new oil. Or I’d prefer to say data is the new bacon, but let’s just stick with the notion that its value is soaring. Companies are harnessing incredible amounts of information out of big data sets and exchanging it for revenues and profits.
And the most amazing process is, how wilfully people are giving up their data. It resonates with Dave Egger’s brilliant book, The Circle posing the question where the boundaries of our privacy and transparency are. I’m sure I do not have to remind anyone that as our digital footprint gets bigger and bigger, the amount of stored information about any one of us multiplies with unimaginable speed. And once your data is out there, it creates vulnerabilities.
This is increasingly valid for healthcare, where big chunks of sensitive information is reaching the cloud lately. Healthcare processes, such as imaging are getting automated through digital platforms, healthcare wearables and sensors feed individuals with all kinds of data about their heart rate, blood pressure, step count, sleep cycles etc.
2) Medical data is the new credit card number
While on the one hand, healthcare is getting democratized through digital health, meaning we have a chance to live longer and healthier with the use of disruptive technologies, on the other hand, we are paying for it partly with our data. Istvan Lam, Founder and CEO of Tresorit, Hungarian data privacy company reminded me of forecasts, according to which healthcare is going to be the most targeted sector of hackers in 2017, as medical information is worth 10 times more than your credit card number on the dark web.
And before you ask, why anyone’s chest X-ray would be of any interest to anyone else, I assure you – it’s not the black-and-white artistic image of your lungs. It is the patient data, with which criminals could create fake identification documents to buy drugs, medicine or medical equipment, or combine a patient number with a false provider number and file fictional claims with insurance companies.
Healthcare is one of the most vulnerable sectors for cybercrime
One of the main reasons for ransomware successfully attacking hospitals is the same reason why healthcare facilities are generally more sensitive towards data loss or data unavailability caused by human error or a sudden technical glitch. It’s a combination of aging IT infrastructure and weak IT security practices. In case of the recent NHS ransomware attack in the UK, the problem seems to have been a failure to apply a routine software patch from Microsoft for the Windows XP operating system. Moreover, as WIRED mentions, hospital staff is usually not trained in IT security awareness, and healthcare facilities do not concentrate on cybersecurity issues in general.
If we add to the formula, that hospitals provide critical care and rely on patient records including drug and disease histories, surgery directives and other medical information, ransomware will make even more sense. Healthcare facilities would not risk delays resulting in any disruption in medical care that may result in death or lawsuits. They would rather pay the ransom in their first shock.
What should healthcare facilities do for prevention in the future?
First of all, I believe hospitals and healthcare facilities have to elevate their vigilance about IT security and IT issues in general to a higher level. “Two things are key in prevention. First, healthcare institutions and organizations should use anti-virus software with anti-ransomware protection to protect themselves. Second, it is crucial for everyone to update operating systems and software applications”, explained the CEO of Tresorit.
Istvan Lam also mentioned back-ups. To mitigate the damage of an attack like WannaCry, secure backup can help. With that, it is possible to restore the files to the original, uninfected version, he said. Gitlab and Amazon S3 recommended the same based on their experiences – not only for cybercrime, but any other IT mishap. As human error can occur at any organization and data loss is always a possibility, it is important that healthcare organizations prepare, test, and perform backup and recovery operations.
Moreover, the staff of hospitals and healthcare facilities, who are regularly working with electronic, digital and networked devices, should have more training about cybersecurity issues; or the facilities themselves should have more experts nearby in order to handle such events more smoothly.
What could governments do in order to avoid ransomware blocking hospitals?
While individual hospitals and healthcare facilities can also do a lot to secure their own institutional IT background, there should be more comprehensive, systemic response in the long run. I asked NHS Digital about their plans and future steps about countering similar attacks, but they haven’t responded to my queries yet.
I believe that healthcare regulators and governments should place more emphasis on data protection, as well as the overall security of healthcare systems. The legal framework does not match the requirements of the digital age in many countries either, which in a better scenario only hinders the movement of data at some redundant points, while in the worst case scenario forthrightly endangers data security. I strongly advise governments to update their data protection framework as well as data security requirements for healthcare systems.
Istvan Lam emphasized another aspect of the NHS ransomware story: the vulnerabilities, which were turned against the various IT systems by the allegedly North Korean hacker group, were leaked by hackers who stole them from the US National Security Agency. The CEO of Tresorit said it is a common practice that intelligence agencies buy zero-day vulnerabilities from the dark net. However, most of the times they do not forward this information to the technology companies so that the developers can patch their software with security fixes and protect their users against attacks. Microsoft is now explicitly blaming the NSA for stockpiling vulnerabilities. In the US, there is a process that regulates this (the Vulnerabilities Equities Process), but security activists are calling for an update as it is not working properly, he explained.
Does the future hold blockchain technology as the adequate response?
Patientory founder and CEO Chrissa McFarlane urges the UK government “to get behind a blockchain-enabled national IT health system and at the same time help to remove legal obstacles in the movement of data amongst providers.” The basic idea of the blockchain technology is that rather than storing data in a single database, multiple copies of the same data are synchronized in ledgers shared across a network of users. Blockchain is in this way a ‘distributed ledger’. And when changes are made in one copy of a ledger, every other copy held in every other location is simultaneously updated. The network as a whole polices and guarantees the validity of the data, making it less vulnerable against attacks.
There are many ways to leverage on the technology in healthcare. Patientory helps hospitals to secure their patient data, while enabling patients to follow the fate of their own data. They had a pilot project with 500 patients so far. If there was any doubt whether there is enough proof for the workings of blockchain technology, McFarlane reminded me that an entire country is already hooked on such a medical record system: Estonia. In March 2017, the Baltic country’s eHealth Authority has signed a deal with Guardtime, a blockchain pioneer, to secure the health records of over a million Estonians. Already in 2015, over 80,000 medical certificates were forwarded electronically to its Road Administration Agency to facilitate driving licence renewals. And in 2016, the country signed a joint declaration with Finland looking at automatic cross-border data exchange for social insurance benefits and digital prescriptions.
If there were political will and comprehensive financial support, other countries could also follow Estonia’s as well as Dubai’s lead. The latter has also started to test blockchain technology for securing its electronic medical records. Patientory’s CEO believes the implementation of blockchain technology in case of a complete national healthcare system, such as that of the UK would hopefully not last longer than two years. In any case, the technology is already there.
The building of a high-level data security system must become the number one priority of every, connected healthcare network. We should do everything in order to efficiently protect patient data in the age of the digital tsunami, as the accumulation of data will only accelerate in the years to come.
Keep on reading The Medical Futurist! In the next part of our article series, we will deal with the data privacy and security challenges of medical devices and the health internet of things.