A serious ransomware attack called WanaCrypt0r is currently affecting a wide variety of people and companies in 74 countries. Among the first affected are multiple NHS hospitals in the UK, who have had crucial patient data taken hostage. The culprits demand a measly $300 to be paid in Bitcoin, which is often the cryptocurrency of choice for such nefarious acts. In response, affected hospitals with the National Health Service are cancelling appointments, and urging everyone who doesn’t have an emergency to stay away until the situation is resolved. The attackers, ransoming captured health data, underscore a fundamental truth of the modern internet: all data is a potential liability, and protecting sensitive data cannot simply be an afterthought.
Hospitals convert observations into data, often highly sensitive data, and they do it for thousands of individuals. That data is the nugget worth ransoming. When ransomware targets home computers, there is only so much a criminal can charge an individual, and there are some security services and tools individuals can use to protect themselves from subsequent attacks. There’s little an individual can do to protect deeply personal information about them held in a hospital system, which should encourage hospitals to place a premium on securing their data. If not, ransom attacks like this can force hospitals to pay immediately or suffer the permanent loss of data.
"Here's what a London GP sees when trying to connect to the NHS network" pic.twitter.com/lV8zXarAXS — Rory Cellan-Jones (@ruskin147), May 12, 2017
Security researchers focused on specific pieces of health care equipment routinely find basic security vulnerabilities, like drug injectors or pacemakers that accept firmware updates without authenticating that the updates are genuine. One such weakness even led the FDA to call upon hospitals to stop using an easily compromised device. Yet it’s access to data that may prove to be the greatest risk from weak cybersecurity in hospitals.
Individual profiles stolen from insurance providers can be up to twenty times as valuable as credit card information on the black market. With medical information, people can fraudulently obtain drugs with black-market resale value, or even commit medical identity theft. Putting a ransom on specific medical devices, like insulin pumps or pacemakers, lets criminals extort the people who need those machines, leaving them to pay or suffer.
And in a hospital that runs on data, not having access to that information can threaten even the smallest details, like what to feed patients.
"A major concern at the moment is patient meals for this evening because dietary needs are stored digitally" — Jamie Lopez (@jamie_lopez1), May 12, 2017
Part of the problem appears to be hospital computers running on older, vulnerable operating systems, which could in the future be solved by regulations requiring better security from the start, though that certainly won’t solve the problem as it’s unfolding today. It does appear that someone paid the $300 bitcoin ransom, but it’s almost certain that more money will change hands before this is over.
This ransomware attack isn’t limited to just the NHS, though hitting a hospital may be the worst outcome of it. Several companies in Spain also appear to be under the same kind of ransomware attack. The attack spread to 74 other countries by this afternoon. The attack appears focused on a Windows vulnerability, discovered by the NSA and published in the leak of NSA files. Microsoft published information on how to patch this exploit back in March, but fixing holes in cybersecurity isn’t always a priority, even when the patches are provided to end users.
One consequence of poor cybersecurity practices and lax patching is letting things like ransomware into the NHS system. And it appears that the NHS was not particularly well positioned to stop these kinds of attacks. In November 2016, a security investigation of the NHS by Sky News and cybersecurity experts Hacker House found “misconfigured email servers, outdated software and security certificates, along with NHS trusts’ emails and passwords, through public searches.”