Why the NHS Ransomware Attack Worked

Mark Wilson, the Senior Vice President, Marketing for BlackBerry.

Guest written by: Mark Wilson, the Senior Vice President, Marketing for BlackBerry

Healthcare is an industry under siege. That was already true a few days ago, and the recent, massive ransomware attack has underscored it. Care providers are targeted by cybercriminals more frequently than organizations in any other sector. And thanks to old equipment and flagging security standards, these attacks succeed far more often than they should.

Security is no longer just about protecting our data. It is about protecting our health, our safety and our well-being. Thousands of innocent patients were affected by the attack, from diverted ambulances to cancelled open-heart surgeries.

But what’s the root of these attacks? Why do they occur with such frequency? And more importantly, what can be done about them?

What Makes Healthcare Such an Attractive Target?
In 2016, the number of major cyberattacks targeting healthcare organizations increased by 63%. There is every indication that this number will rise further in 2017. This past March, for example, healthcare organizations saw 155% more breached records than in the same month of the previous year.

From a criminal’s perspective, healthcare records are a golden goose. They contain all the information necessary for medical identity fraud, an extremely lucrative crime. And they sell for up to ten times the price of stolen credit card numbers on the black market.

This is compounded by the fact that healthcare security still lags well behind other industries. It is easier for a criminal to lift medical data from several small clinics than it is to steal money from a bank, for example. Given the potential for a much greater payoff, it isn’t difficult to see why so many criminals have hospitals and clinics in their crosshairs.

And unfortunately, there is no easy solution to this problem.

How Has it Gotten This Bad?
The heart of healthcare's cybersecurity woes can be traced to a single cause: the men and women who run healthcare organizations are clinicians, not IT professionals. Though brilliant physicians and businesspeople, they are not security experts, and they allot most of their organizational budget to excellent patient care and medical advances.

IT is often an afterthought, even as more and more healthcare data is digitized. It’s why aging, outdated legacy infrastructure is so common a sight in hospitals. It’s why healthcare IT departments are understaffed, overworked, and under-budgeted. And it’s why for hackers, healthcare organizations are an ideal target, the perfect blend of valuable data and poor security.

The entry of connected devices into hospitals and clinics will make things even worse if left unaddressed. Internet of Things (IoT) medical devices such as infusion pumps and cardiac implants frequently contain vulnerabilities whose exploitation could be life-threatening. As for regulations and security standards, which many providers already have difficulty adhering to, they have failed to evolve as quickly as the threat landscape.

Why a Cultural Shift Is the First Step in the Right Direction
There are many things that need to change about the healthcare industry if we're to better protect patient data. The first and most important, however, is its culture. I'm not saying we should de-prioritize patient care and medical research in favor of cybersecurity, far from it.

Rather, I’m saying that device makers and care providers alike need to stop treating care and security as two separate entities. They aren’t. Ensuring health data is safe from people who’d misuse it is just as much a part of effective patient care as efficient treatment.

Technology is available to make the theft of healthcare data more difficult. Providers can update their IT systems. They can incorporate diligent employee training courses and security guidelines. They can deploy multiple layers of cyber threat protection and secure their networks. If they don't, the WannaCrys of the world will continue to wreak havoc on the industry, locking up data and endangering lives.

While these attacks are extremely unfortunate, I hope they serve as a wake-up call to care providers. Protecting patients doesn't end when they walk out the door. Providers have an obligation to keep their patients' information safe, and that starts and ends with security.