Health IT leaders can use WannaCry attack to their advantage

The worldwide ransomware attack using software known as “WannaCry” temporarily disrupted computers at the United Kingdom’s National Health Service, while U.S. healthcare organizations were largely spared, but CIOs and CISOs can still use this incident as a learning opportunity.

Considering the goal of a ransomware attack is for hackers to get paid in exchange for restoring access to an organization’s data, they didn't make much: IBM Security estimated only $60,000 was paid for an attack which infected more than 100,000 organizations in more than 150 countries, amounting to less than $2 in ransom collected per infected organization. The attack's effects on U.S. healthcare were confined to some Bayer and Siemens medical devices, according to cyber threat information sharing service HITRUST.

Yet it did offer a glimpse into certain vulnerabilities in healthcare. One common reason U.K. hospitals were affected was that the latest security patch for Windows systems hadn’t been applied. Jim Brennan, IBM Security’s director of strategy, recommended going a step further and automating security updates.

“Relying upon manual processes and just people to get the job done is just not going to work,” Brennan said. “You need to have a way to maximize the value of your resources and automate whenever possible.”

Brennan added that cognitive technology—something IBM is quite fond of—could help with identifying and protecting against new malware threats, providing “actionable insights” for cybersecurity analysts.

With the hack being so widely reported, cybersecurity officials in healthcare may be able to grab the attention of others within the C-suite and convince them of the need for broad revisions or reviews of existing policies on these attacks. Alisa Chestler, chair of the cybersecurity team at law firm Baker Donelson, would advise hospitals and other providers to take steps like sending employees an alert on how to report malware attacks, reviewing incident response plans and making sure security patches are being applied quickly.

In her opinion, the WannaCry attack can be used as an opportunity.

“Management, legal and IT security can no longer keep ‘kicking the can’ when it comes to information security,” she said in an e-mail to HealthExec. “Knowing your compliance and contractual obligations before an event is critical.”

John Gregory, Senior Writer
