Medical Malware: How to Protect Yourself and Your Patients
Practicing computer hygiene, or safe and secure computer habits, is the best way to prevent a virus from entering the system.
Computer malware is called a virus for a reason. Like pathogens and cancer cells, the danger of malware lies in persistence and spread. Shut it down, as happened in May 2017 with the WannaCry ransomware program that infected Great Britain's National Health Service (NHS), and that particular disease is eradicated.
But cancer cells in the body may develop resistance to treatments, and pathogens often develop resistance to antibiotics and antivirals, or learn, in other ways, to overcome immunity. Infections and cancers may be thought of as an arms race between agents or rogue cells and the host. The race against malware is much the same: it's a battle between hackers and security experts — though it's not at all clear who is winning. The health care sector, considered low-hanging fruit by hackers, is particularly vulnerable to attack.
In May 2017, WannaCry had a nearly catastrophic effect on the NHS.1 The ransomware seems to have originated in North Korea, but it used software that was developed at the United States National Security Agency (NSA) and sold on the dark web by a group called the Shadow Brokers. It locked computer systems and threatened to delete files unless ransom was paid in bitcoin. The ransomware exploited some older Windows systems that were either no longer supported by Microsoft or never had their security weaknesses patched.
But fixing the technology alone will not address the most basic problem. As Niam Yaraghi, PhD, a fellow at the Brookings Institution Center for Technology Innovation, puts it, “you can fix the technology part, you can encrypt [your data], but how are you going to fix the stupidity? If you use the most advanced technology in the world, if people click on phishing links, [hackers] will still have access to user names and passwords.” Physicians and nurses under stress, says Dr Yaraghi, can easily make such mistakes.
Much of the discussion of health care systems' vulnerability focuses on the potential theft of patient data. But according to Dr Yaraghi, medical information “really isn't all that valuable. I think [the risk of hacking] is very serious but at the same time not very serious. If you're a patient, it's likely you're being hacked, but unlikely you're being affected by the hacking.” It is, relatively speaking, easy for a hacker to steal the identity of one person. But to steal the identity of thousands would require a conspiracy.
Furthermore, says Dr Yaraghi, foreign attackers probably wouldn't be able to make much use of the data, implying that an identity theft conspiracy would have to be based in the United States, where cybercriminals can more easily be caught. This has not yet happened, and it is unlikely to occur in the future. The massive cyberattack launched against the Anthem health insurance company in 2015, in which hackers stole the protected personal information — including names, addresses, birth dates, and Social Security numbers — of 78.8 million members and employees, does not appear to have caused any personal damage. The reason for the breach remains unclear.2
The theft of personal data is not, therefore, the major threat in this age of cyber insecurity. More dangerous are ransomware attacks like WannaCry, which can shut down hospital services and destroy patient records. According to Dr Yaraghi, some hospitals are laying in stocks of bitcoin to pay off attackers in the case of a ransomware attack, implying that encrypting and backing up patient data are understood within the health care community to be insufficient.
Elliott Frantz, founder of the cybersecurity firm Virtue Security, agrees that ransomware is easier to monetize than the theft of medical records. The WannaCry hackers demanded bitcoin for ransom — but sometimes extortion is not the attack's objective. The so-called Petya or Goldeneye attack, which may have originated in Russia and attacked many nations, including Ukraine, could have been designed and executed out of malice: the sites designed to receive the ransom payments were not functional.