Hospitals and medical devices in the U.S. are extremely vulnerable to the type of massive cyber attack that tore through more than 150 countries Friday, and some health care providers here may have already been—or soon will be—hit, cybersecurity analysts warn.
The attack relied on a type of malicious software called ransomware, which keeps users from accessing their computer systems until they pay a ransom. The pernicious new strain, aptly named WannaCry, froze or slowed business and health care computer systems around the world, including several within the U.K.’s National Health Service.
The malware exploits a vulnerability in the Windows operating system that many system administrators have not yet patched—including at many U.S. hospitals, experts warn. Moreover, WannaCry does not distinguish between a computer, smartphone or medical device. And, unlike the case with many other cyber attacks, a user need not click a link to unknowingly install it; if a health care system is connected to the internet and using an outdated system, the malware can find it and infect it.
“It’s kind of like we closed our doors but left them unlocked, so the malware just wiggles doorknobs until it finds one that’s open and walks in. You don’t need to be there to get robbed,” says Kevin Fu, CEO and chief scientist of health care security company Virta Labs and director of the Archimedes Center for Medical Devices at the University of Michigan. “We know the vulnerability is out there for U.S. hospitals” because many of its health care facilities have outdated systems, he says.
In a hospital setting, a WannaCry infection can cause serious problems including blocking access to patient records and lab results or a failure to share allergy or drug interaction information with hospital computers or other devices. A user may only discover the security breach after turning on a device, when a locked screen comes up stating the person’s data is being held hostage unless a ransom is paid. The ransom fees (reportedly between $300 and $600) are apparently designed to be low enough to incentivize payment.
No hospital or other medical organization in the U.S. had publicly reported a WannaCry attack as of the beginning of this week. Exactly why—or even if—hospitals and medical systems here have avoided the latest malware attack remains unknown. The U.S. health care system is less centralized than the U.K.’s, which may have provided some degree of insulation, says Alex Heid, chief research officer at SecurityScorecard, a risk management cybersecurity firm that tracks cyber attacks on health care in the U.S. Still, Heid warns U.S. health care providers’ computer networks may already be under assault from threats that are not widely known. “It is likely that [WannaCry] just didn’t hit a large network of our sites—the equivalent of NHS—but I guarantee American systems did get impacted in some regard,” he says, noting historically many companies have simply paid small ransoms rather than publicize that they have had glitches.
It is no secret health care providers are worried. One large hospital system in Boston took some drastic steps this weekend, disabling all attachments in e-mails—even though WannaCry can spread without any victim interaction, Fu says. “I would say we had dodged a bullet [compared with the U.K.], but I think the bullets are still coming and we know we are just as vulnerable,” he says, noting the malware could be further tweaked to cause future problems.
Cyber attacks against hospital systems are already widespread. Last year Heid’s company released an analysis concluding about 75 percent of all major health care providers had experienced malware infections that could cause them to lose data or money. “The American health care system still has a lot of the same problems that would lead to the type of problems we saw in the U.K.,” Heid says. “Mainly, there is a lot of legacy software and outdated software that is very prevalent in the medical field.”
U.S. government guidance released in July 2016 states that under current health privacy law, health care providers must report malware attacks. But so far that action has not led to a significant increase in reports of incidents, Fu says, citing his own unpublished analysis comparing the number of reports over time. This apparent lack of change, he notes, could suggest that many institutions may still not be reporting attacks.
Like many computer and smartphone users, hospitals and health care systems may opt not to install security patches and fixes because such upgrades could require a system to temporarily go offline or be slowed. Some facilities may not even be aware they are at risk, either because they have no IT department or because different facilities are handling different branches of their systems, Fu says.
But failure to take speedy, comprehensive action puts companies and hospitals at risk. “Once something is connected to the internet and gets infected, it’s just a matter of what the attacker wants to do with it: lock it up, break it or sell it to the highest bidder,” Heid says. “The most important thing now is, if anyone has been ignoring Windows updates to get them installed.” In our interconnected world there is always risk, he notes—but “best practices can make you less of a target—and you don’t want to be the lowest-hanging fruit.”
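The practical step the article closes on is finding the machines that have been ignoring Windows updates. The following PowerShell script is an added example, not code from the article or from any of the people quoted in it; it audits a single Windows host for the two conditions that mattered most for WannaCry: how long ago the last update was installed, and whether the SMBv1 file-sharing protocol (the channel WannaCry's worm component spread over, a detail the article does not state) is still enabled. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later, where `Get-HotFix`, `Get-SmbServerConfiguration` and `Get-Service` are available; the 30-day threshold and the function name `Get-PatchExposure` are choices made here for illustration.

```powershell
# Added example (not from the article): audit one Windows host's patch age and SMBv1 exposure.
# Assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later.
function Get-PatchExposure {
    param(
        # Threshold chosen for illustration; hospitals should pick one their change process can meet.
        [int]$MaxPatchAgeDays = 30
    )

    $findings = @()

    # 1. When was the last update installed? Get-HotFix lists installed updates, but some
    #    entries have no InstalledOn date, so drop those before sorting.
    $lastHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if (-not $lastHotfix) {
        $findings += "No hotfix install dates found; treat patch state as unknown."
    } else {
        $age = (Get-Date) - $lastHotfix.InstalledOn
        if ($age.TotalDays -gt $MaxPatchAgeDays) {
            $findings += ("Last update {0} installed {1:N0} days ago (threshold {2} days)." -f
                $lastHotfix.HotFixID, $age.TotalDays, $MaxPatchAgeDays)
        }
    }

    # 2. Is the SMBv1 server protocol still on? WannaCry's worm component spread over SMBv1,
    #    so a host that still serves it is exposed even if no user ever clicks anything.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += "SMBv1 server protocol is enabled; disable it unless a legacy device requires it."
    }

    # 3. Can Windows Update run at all? A disabled service explains a stale patch level.
    $wuauserv = Get-Service -Name wuauserv
    if ($wuauserv.StartType -eq 'Disabled') {
        $findings += "Windows Update service (wuauserv) is disabled."
    }

    # One object per host so results from many machines can be collected and filtered.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LastHotFix   = if ($lastHotfix) { $lastHotfix.HotFixID } else { $null }
        LastHotFixOn = if ($lastHotfix) { $lastHotfix.InstalledOn } else { $null }
        SMB1Enabled  = [bool]$smb.EnableSMB1Protocol
        Findings     = $findings
    }
}

# Run locally; an empty Findings list means the host passed every check above.
Get-PatchExposure
```

To cover a fleet rather than one machine, run the function through `Invoke-Command -ComputerName` against a list of hosts and keep only the objects whose `Findings` list is non-empty; those are the "unlocked doors" Fu describes, and they are the machines to patch or isolate first. Medical devices that cannot be patched still show up in this inventory, which is the point: knowing which hosts are behind is what lets a hospital segment them off the network instead of discovering the problem from a locked screen.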