Search This Blog

Search Tool

May 15, 2017

The NHS Got Lucky - For Now Cyber Attacks Will Only Get Worse by Beau Woods: The Guardian | Opinion - May 15, 2017

Beau Woods

During a panel discussion last week at the Heart Rhythm symposium in Chicago, a physician asked me why I was raising the alarm over cybersecurity as a public health hazard. Twenty-four hours later, almost 20% of UK public health trusts had suffered a criminal ransomware attack. It’s too early to tell what harm may have been done, either via the direct tampering of medical devices, delayed care from turning patients away, or avoidable mistakes. After 10 to 12 hours, independent security researchers (@HackerFantastic, @kafeine, @MalwareTechBlog, and others) cooperated in a prompt, agile and open manner, analysing the attack, preventing its spread and equipping people to respond and recover.
Friday’s attack was nearly identical to one suffered by a small hospital I worked with nearly a decade ago. The natal intensive care unit shut down when a network worm accidentally took the fetal heart monitors offline. This put our most helpless patients at even greater risk, as doctors and nurses scrambled to respond. Delivering healthcare the old fashioned way to these fragile lives takes more staff, costs more, and is more error prone. Doctors and nurses heroically worked to give high-quality care, while the hospital administration worked hard to get back to normal. With their permission, I acted quickly to hack the devices, wipe out the malware and inoculate against similar attacks. But while these actions makes great headlines, they can’t form the basis of the resilient societal systems that we must build at the intersection of cybersecurity and public safety.
Friday’s outages bring uncomfortable truths into public consciousness. As the world begins to benefit more and more from precision medicine, data-driven disease research and home healthcare, new technologies bring new classes of accidents and criminals and terrorists that must be anticipated and avoided. Cyber crises like this one may shatter public confidence in the public health system, delaying these benefits for years.
Lasting solutions to this problem involve more than finding a single point of failure and fixing it, as the recent Health and Human Services Task Force found. While a single vulnerability in a single system can cause a denial of patient care, healthcare providers can have hundreds of vulnerabilities, in hundreds of types of systems, from any of thousands of manufacturers. Meanwhile, thousands of hospitals have no full-time IT or security staff to assess or address cybersecurity issues. At the same time, established approaches to secure enterprise IT are expensive and ill-suited to healthcare environments, meaning we need new and different approaches. While the public health system has wrestled with these issues for decades, it remains vulnerable and exposed. We are ill-equipped, ill-prepared and out of time.

Beau Woods (@beauwoods)
Global spread of the #WannaCry malware. Data from @MalwareTechLab visualized by @nytimes
To preserve trust in the public health system, its technological dependencies must be trustworthy. Cybersafety must be addressed with a sense of urgency, supported by public and political will. In America, the good news is that Food and Drug administration leadership has stepped up, device makers are improving, security researchers are stepping in to help, and healthcare delivery organisations are getting better. By 5pm on Sunday, all but six of the NHS national trusts were back to normal. Hard work and quick thinking by unpaid volunteers – along with a lot of luck – disarmed this potential crisis quickly. But now criminals and terrorists are more fully aware of the impact they could have.
The bad news is that the capabilities of even the lowest skill criminals and terrorists are increasing faster than we can defend against them. At current course and speed, cybersafety crises like these will become routine. When the consequences of failure impact public health and national security, we must do better.