Last Friday, one of the biggest ransomware outbreaks in history infected over 200,000 machines in more than 150 countries. From FedEx to Telefónica, companies across the world effectively lost control of their IT systems, but one of the main victims was the UK’s National Health Service (NHS). The impact of the cyberattack is still being felt at the time of writing.
IT systems in 47 NHS Trusts in England and 13 in Scotland have been infected by malware known as WannaCrypt. The malware encrypts the hospitals’ digital files and refuses to restore them until a ransom is paid in the form of $300 in the cryptocurrency Bitcoin.
As a consequence, hospitals have been forced to cancel operations and resort to the use of pen and paper to record patient data. The spread of the malware was slowed on Saturday when a cybersecurity expert known as @malwaretechblog “accidentally” registered the domain name used by WannaCrypt, but the impact is ongoing.
The theory behind the attack is that the malware was initially made available online following the leak of cyber-tools by the hacking group the Shadow Brokers on April 14. One of the tools leaked, known as EternalBlue, was supposedly created by the US National Security Agency (NSA). The tool exploits vulnerabilities in unpatched Windows machines, leading some to lay the blame at the feet of the NSA for not making the flaw public. Others suggest that organizations should be more proactive in updating their operating systems.
For the NHS, however, many of the infected machines, such as MRI scanners, are built to last for up to ten years. As such, these machines were using the much older Windows XP operating system, for which there was no patch. (Microsoft did release a patch over the weekend).
The problem is that the UK government claims it has warned the NHS on numerous occasions that it must update old systems and move away from the XP OS as soon as possible. This, it claims, was made clear in 2014, via a letter from the Cabinet Office, and again in 2015, when the government did not extend its deal with Microsoft to continue support for Windows XP.
According to the BBC, IT professionals within the health service contend that the problem actually relates to a security update issued by Microsoft in March of this year, which would have dealt with a vulnerability in Server Message Block (SMB), a protocol for sharing files across a network.
Healthcare technology specialist Dr Joe McDonald told the BBC that the problems are twofold. First, there is no one centralized approach to IT for local NHS Trusts across the UK, which means each Trust takes care of things like updates individually. Second, the costs of keeping IT systems up-to-date are too great for NHS Trusts, facing increasingly tight budgets against a backdrop of cuts.
However, the UK Defence Secretary, Sir Michael Fallon, told The Marr Show on Sunday that “We’re spending around £50 million on the NHS cyber systems to improve their security. We have encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP.” Additionally, NHS Digital has told Sky News that the necessary patch was made available on its cyber portal last month and that staff were informed of this update.
Nevertheless, while various cybersecurity experts seek to get to the bottom of this attack, it raises questions about the increasing use of internet-connected technologies in the healthcare sector. With ransomware attacks on the rise and NHS budgets increasingly squeezed, what is the prospect of success for more advanced technologies, such as IoT – where everything from wristbands to surgical theatre lighting systems to heart-rate monitors could potentially be connected to the internet – if basic IT systems cannot be properly maintained, locked down and protected?
Responsibility and trust
Unsurprisingly, Javvad Malik, a security advocate at AlienVault – a cybersecurity company – told Internet of Business that security must be the priority for IoT device manufacturers.
“IoT in enterprises as a whole represents a vulnerability and healthcare is no exception,” Malik said. “We’ve seen that IoT devices typically lack any security features, leaving them open to exploitation. This has been the case with the Mirai botnet, where IoT devices were used to launch huge DDoS attacks. Similarly, it wouldn’t be too difficult to turn hospital IoT devices into a botnet to attack other systems or to make them unavailable.”
“It is a joint responsibility for manufacturers to ensure any embedded smart features in medical equipment are adequately secured, and also for hospitals to apply security controls such as segregating IoT networks, changing default passwords, as well as continuous threat detection capabilities to monitor the environment.”
But what about consumer trust? News of this ransomware attack has spread far and wide, and is likely to cause alarm among private citizens, whether they have an understanding of these technologies or not.
The National Cyber Security Centre has released its recommendations on what users should do to protect themselves in light of Friday’s attack – which Internet of Business encourages everyone to read – but the success of this attack indicates that there is still a lack of public knowledge surrounding the dangers of cyberattacks. Without that understanding, and the trust it underpins, consumers are unlikely to be convinced that the benefits of connecting their health systems to the internet outweigh the dangers.