Cyber Security in Healthcare

On May 12th, a large-scale cyber attack, which Europol called “the largest ransomware attack observed in history,” spread throughout the globe and has since hit more than 200,000 machines in 150 countries. Notable victims of the attack were the National Health Service (NHS) of Britain, FedEx, and multiple Russian interior and emergency ministries, as well as Russia's largest bank, Sberbank.

It’s now being reported that the attack was due to a relatively well-known piece of ransomware known as Wanna Decryptor or WannaCry. The essence of ransomware is that malicious hackers break into a computer, lock its files, and don’t release them until a ransom is paid, which in this case was set at $300. There was also a warning included that the price would rise with time and that the files would be deleted if the ransom was not paid after a week.

The attack on the NHS was particularly damaging, and in the immediate aftermath “all systems were offline and hospitals were unable to accept incoming calls.” In addition, “scheduled appointments had to be cancelled, ambulances were diverted and some departments shut down entirely.” The staff and departments that were still able to operate did so with pen and paper. Beyond the immediate and necessary services hospitals provide, there was real concern about the safety of sensitive patient data stored on many hospital servers. Luckily, Prime Minister Theresa May has said that there is no evidence that patient data has been compromised.

Though the attack was initially devastating, the NHS is already recovering and “the number of hospitals diverting patients from [emergency departments] has decreased from seven on Sunday to two.” In general, people are being told that they should turn up for scheduled appointments, though some general practitioners “are asking people to consider whether they really need to attend” surgery imminently as hospitals try to prioritize service in the wake of the attack.

Determining who exactly is responsible will be a matter of much investigation, and there is not likely to be an answer any time soon. One topic in the reaction to the attack is that it may have been preventable. Indeed, Dr. Krishna Chinthapalli of the British Medical Journal warned “just hours before the hack broke that IT departments needed to do more to keep hospitals safe, and that such hacks … were a problem waiting to happen.” This comment was not without precedent; as recently as January of this year, Barts Health Trust, the largest NHS trust in England, was hit by a similar ransomware cyber attack.

It is worth noting that while cyber vulnerability is a problem that people and companies around the world are just beginning to come to grips with, the healthcare industry may be at a particular disadvantage. Chris Hopson, chief executive of NHS Providers, said that this is because “many hospitals use sophisticated technology such as MRI and CT scanners which are ‘bound to be using old software’ because they have a ten-year life expectancy, so are often linked to older operating systems.”

The issue of protecting our devices, computers and essential services from cyber attacks is not going away. The world is becoming more and more digitized and inter-connected, and the push and pull between malicious hackers and advancing security methods will be of great interest to all of us as we move forward in the digital age.

The IET has attempted to address some of these issues with eBooks centered around cyber security and healthcare technologies:

We’d also like to offer you some Controlled Terms and Classification Codes, which you can use to search Inspec to learn more on the topic of cyber security in health care.