Q&A: Lesson from NHS attack? Don’t delay security patches

The May 12 cyberattack that hit the United Kingdom’s National Health Service (NHS), FedEx and other companies around the globe could have been limited if computers had been regularly applying security patches.

The very same ransomware attack which caused British hospitals to lose access to patient records and turn away scheduled appointments had been covered in a March security patch by Microsoft. The problem was many computer systems hadn’t applied the patch. In other cases, hospitals were using older operating systems, with the BBC reporting many NHS facilities still use 16-year-old Windows XP.

Office of the National Coordinator for Health IT (ONC) has issued a warning, asking providers to “report any ransomware incidents to the Internet Crime Complaint Center (IC3).”

Even without having a comparable impact on U.S. healthcare, there are still lessons to be learned from the attack, according to John Christly, chief information security officer (CISO) at security service providers Netsurion and EventTracker. He spoke to HealthExec about what made this ransomware attack unique and how healthcare CISOs can point to it to get others in the C-suite to prioritize cybersecurity.    

HealthExec: This particular kind of ransomware attack, called Wanna DeCryptor or WannaCry—what makes it different than other ransomware attacks targeted at healthcare?

Christly: This ransomware was a little different in that it took advantage of a vulnerability that was just patched recently by Microsoft, as opposed to trying to use very old exploits or vulnerabilities. It shows that the attackers are no longer waiting very long to take advantage of exploits that they can use. We have a saying that the day after Patch Tuesday is called Hack Wednesday—and in this case, that was almost the case.

Are U.S. healthcare systems any more or less prepared than those in the U.K.?

In my opinion, U.S. healthcare systems are just as easily attacked as their U.K. counterparts, maybe even more so depending on how progressive the organization is, and how mature their information security program is. Any group that waits very long to patch their systems for one reason or another is just asking for trouble. Systems should be patched as soon as patches are made available, and those patches should definitely not exist for more than 30 days before being applied to affected systems.

In healthcare and many other industries, the fear of a newly released patch causing havoc of its own and taking systems down is enough to keep companies from implementing them for several months, until they can do the necessary rounds of system testing and put the updates through their internal change control procedures. The problem is that this testing and change management process is not designed to react quickly to critical patches-- then systems can be left vulnerable to these types of exploits. 

What kind of strategies should CIOs and CISOs in healthcare be putting in place to avoid or handle these attacks?

CIOs and CISOs in healthcare should be putting in automated vulnerability testing as well as automated patching systems that can help identify and remediate systems on a proactive basis. Too many companies still don't have a good handle on what could be hundreds or thousands of PCs, servers, and laptops that need to be monitored down to the exact patch that may be missing. Once patches are released, whatever testing needs to occur needs to be done quickly, so that the fixes to these issues can be applied right away.

If systems are too sensitive or processes are such where the patches need to go through too much "red-tape" to be applied quickly, then the affected systems need to be segregated into their own part of the network without internet access until they can be fixed. 

Is enough being done on the regulatory side to handle these attacks?

No—while there are regulations such as HIPAA and PCI—these only really come into play after a breach. The regulations need to be strengthened so that businesses know that they have to keep their systems secure and up to date or else they should not be allowed to remain in business.

Cybersecurity needs to be a discussion that is mandated at all board meetings, and should be a topic that all executives are very open and transparent about. There remain some real issues in getting systems upgraded and just as many with keeping them up to date with necessary patches and other security measures. These topics cannot be left to CIOs and CISOs to have to deal with on their own without proper support from the CFOs, legal teams, internal audit, risk management, and of course, the board.