Last year’s WannaCry ransomware attack on the UK health system did more than expose weaknesses in healthcare cyber resilience – it also highlighted weaknesses in emergency responses to healthcare cyber attacks.
Speaking at the recent HIMSS AsiaPac18 in Brisbane, Extreme Networks Healthcare Solutions Director Bob Zemke said a key lesson from the May 2017 attack was the importance of not just defending against risks but of also having defined response plans when systems are compromised.
The WannaCry attack exploited a flaw in older Microsoft Windows operating systems, such as unpatched Win7 and Server 2008. It hit more than 200,000 computers in over 100 countries and cost the UK’s NHS alone £92 million.
“It started hitting any device with Windows hidden in the back of their systems, even the parking meters,” Zemke said.
“It created a fear and response that was not based on logic. Instead, the response was to shut down as many systems as possible to prevent the infection from spreading.”
At many UK hospitals, this included shutting down the internal telephone system, even though it was not Windows-based.
“We saw nurses actually notifying the media that the comms systems were taken offline,” he said.
“Shutting off the systems created more panic and frustration in the clinical community. And then they went right to the media to voice their frustration and that made the situation even more of a pressure maker.”
Zemke said what is needed is a strategy for every connected device in a hospital, covering key questions such as:
- What is it?
- What does it do?
- What is the risk if the system goes offline?
- What are its normal activities and patterns of online communication?
- Does it need to talk to other systems?
- Is the device patchable or have you been instructed by the manufacturers to not apply operating system patches?
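One way to turn those questions into something a response team can act on is a per-device inventory record that is consulted when an advisory arrives, so that only exposed devices are touched and communication outside a device's normal pattern is flagged. The sketch below is an added example, not something from Zemke's talk or from any vendor product; the field names, the response actions and the sample devices and traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str            # What is it?
    function: str        # What does it do?
    os_family: str       # platform, used to scope an advisory
    offline_risk: str    # risk if it goes offline: "low", "high" or "critical"
    baseline: frozenset  # normal communication as (peer, port) pairs
    patchable: bool      # False when the manufacturer forbids OS patches
    patched: bool = False

def scope_incident(inventory, affected_os, affected_port):
    """Map each device name to a response action for one advisory."""
    plan = {}
    for d in inventory:
        if d.os_family != affected_os or d.patched:
            plan[d.name] = "keep online"  # not exposed, so no reason to shut it down
        elif d.offline_risk == "critical":
            plan[d.name] = f"keep online, block port {affected_port} at its segment"
        elif d.patchable:
            plan[d.name] = "isolate and patch"
        else:
            plan[d.name] = "isolate, escalate to manufacturer"
    return plan

def unexpected_flows(inventory, flows):
    """Return observed (src, dst, port) flows that fall outside the source's baseline."""
    baselines = {d.name: d.baseline for d in inventory}
    return [f for f in flows
            if f[0] in baselines and (f[1], f[2]) not in baselines[f[0]]]

# Constructed sample inventory and traffic; none of these names come from the article.
INVENTORY = [
    Device("pbx-01", "internal telephone system", "linux", "critical",
           frozenset({("sip-gw", 5060)}), True),
    Device("parking-07", "parking meter", "windows", "low",
           frozenset({("pay-srv", 443)}), True),
    Device("ct-console-02", "CT scanner console", "windows", "critical",
           frozenset({("pacs", 104)}), False),
    Device("lab-ws-11", "lab analyser workstation", "windows", "high",
           frozenset({("lis", 443)}), False),
]
FLOWS = [("ct-console-02", "pacs", 104), ("parking-07", "lab-ws-11", 445),
         ("pbx-01", "sip-gw", 5060)]

if __name__ == "__main__":
    # Constructed advisory: unpatched Windows hosts, SMB on TCP 445.
    for name, action in scope_incident(INVENTORY, "windows", 445).items():
        print(f"{name:15} {action}")
    print("outside baseline:", unexpected_flows(INVENTORY, FLOWS))
```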
“New security challenges will always arise – that's the world we live in,” he said.
“But the process and procedures we put in place ahead of time will allow us to then adequately and formally respond when an event takes place.”
Zemke said better communication between clinical departments and the IT team was essential, including defining departmental liaisons, reporting structures and response plans for when events occur.
It was also crucial to remember that many threats to connected systems do not emerge from outside.
“Ten years ago when we looked at connected medical devices, we believed the idea that a firewall would protect them from the outside world,” Zemke said.
“We thought the vulnerabilities and threats were coming from outside the hospital, but what we found was we had more issues with just misconfigurations by vendors of devices operating in the same environment, rather than malicious attacks coming from the outside.”