WannaCry, Petya 1 Year Later: The Good, the Bad and the Ugly

Healthcare providers are investing more in cybersecurity, but an increase in threat sophistication and new bad actors mean the industry is still not ready for the next big global cyberattack.

It’s been about a year since the WannaCry and Petya cyberattacks ravaged IT systems around the world, crippling hospitals and technology vendors alike. The healthcare industry is still unprepared for the next big attack.

In May 2017, the WannaCry ransomware attack hit more than 300,000 computers and knocked hundreds of businesses offline, including the U.K. National Health Service. Just one month later, hackers struck again with Petya wiper malware, which permanently damaged the IT systems of its victims, including two U.S. health systems and FedEx.

What’s most concerning is that these attacks are seen by many in the security field as poorly executed test attacks – but still their victims were unprepared for the major damage they caused.

Healthcare wasn’t ready then, and a year later it’s not in any better condition to face another, more sophisticated global attack of equal or greater scope.

“WannaCry was poorly executed,” said Lee Kim, director of privacy and security for HIMSS North America. “It was just flexing the muscle in terms of what’s possible. And unfortunately, we saw stateside the various effects across the healthcare sector.”

“We were hurt by it, even though it wasn’t totally sophisticated code, even though it wasn’t as coordinated as it could be,” she added. “If that’s the test case you have to wonder: Once these threat actors get their game together and see how vulnerable we really are, they’re obviously going to evolve and get more sophisticated.”

That’s not to say that there weren’t some valuable lessons learned from these cyberattacks. But for whatever good has come from them so far, there’s plenty more to still be concerned about.

The good

While threats are increasing in sophistication and hackers show no signs of letting up, the good news is that healthcare is increasing its cybersecurity investments and making some strides to shore up some of its vulnerabilities.

“There are a lot of good things happening, in planning, and there’s some activity in Washington, D.C. that will drive things forward,” said David Finn, executive vice president of strategic innovation for CynergisTek.

In fact, a recent Cybersecurity Ventures report predicted that global healthcare cybersecurity spending will exceed $65 billion by 2021, as ransomware attacks on the sector will quadruple by 2020.
The added investments are a step in the right direction, as majority of security leaders agree that boardroom supportand funding are crucial in the fight against cybersecurity threats.

What’s also helping is that more organizations are collaborating and some are participating in partnerships with security organizations such as the National Information Sharing and Analysis Center (NH-ISAC) and MITRE. While traditional security tools are beneficial, it’s not enough in this era of sophisticated threat actors: free sharing of threat info and best practices is essential.

“Healthcare is one of the first examples of a sector or group doing this crowdsourcing approach to developing analytics,” said Julie Connolly, principal cybersecurity engineer for MITRE. “We have different ways to engage the community and we put the framework out there. It takes time, but it’s been very successful.”

To Lee Kim, collaboration and security conferences are critical in this current landscape, as the “collective wisdom” will help to change the current culture and “empower (organizations) to share the latest and greatest information on threats
and how to make us stronger.”

“If we aren’t as organized as these actors (and we are) diluted in terms of our power and numbers, how can we match up? And the answer is: We can’t,” said Kim.

The bad

Since WannaCry and Petya, ransomware has only gotten worse and there’s been “an incredible uptick since then,” said Finn. “The bad guys saw how well it worked and then started attacks” at a greater pace.

What makes health IT unique is the vast demands on both its infrastructure and operational structure, Finn explained, necessitating that some things get more prioritized than others. “The things that can wait, they get stuck to the bottom of the list,” he said. “But then they don’t get done.”

On a micro level, consider the U.K. National Health Service, one of WannaCry’s largest victims. All of its 200 trusts failed a government assessment, just one year after the attack.

While some failed due to the high standard of the test, many failed because they didn’t appropriately patch their systems. And here’s the rub: NHS failed to patch a known vulnerability just four months before WannaCry, and that flaw was what allowed the virus to proliferate.

Patching is one of the simplest ways to shore up flaws, in theory, but many organizations don’t patch as it can affect the function of the device and even interrupt service.

Training and patch management are “really the basic stuff,” said Finn. “It can be time consuming, but if you’re not doing that – everything else you do will be wasted effort.”

The FBI even released an alert in late 2017, warning that “deficient security capabilities, difficulties in patching  vulnerabilities, and a lack of consumer security awareness provide cyber actors with opportunities to exploit these devices.”

And with the number of IoT and medical devices continuing to rapidly increase – 20 to 50 billion connected devices by 2020 – the healthcare sector is continually adding to its attack surface.

Another big problem is that many healthcare organizations still fail to encrypt devices.

For example, MD Anderson Cancer Center just lost its fight with the U.S. Department of Health and Human Services after failing to encrypt its devices containing patient data used for research. The three stolen devices, left unencrypted, cost the center $4.3 million in fines.

The question is, if healthcare can’t even fix known flaws, what else is it failing to address?

Part of the trouble is that the sector is failing to hone in on incident response, explained Finn. While organizations prepare for natural disasters, airplane crashes and the like, they’re not doing exercises to prepare for downtime during a data breach or cyberattack.

“We’re not ready for the next attack because of incident response,” said Finn. “It’s interesting that an industry built around triage and taking care of the sickest patients first, isn’t prioritizing breach response.”

Organizations need to focus on recovery for now, and for what happens after getting hit with ransomware or another cyberattack, he explained. “Plan those exercises and coordinated action plan that’s ready to execute when you have that incident.”

If not, a provider can face not only an interruption to care, but a huge financial burden. Finn said he knew of one provider that aced its detection and discovered a ransomware attack incredibly quickly. The incident was isolated within 14 minutes.

“But because they hadn’t planned the recovery, it took them several months to recover and it consumed 60 percent of their annual IT budget just to get back to normal,” Finn said. “Despite the progress of some individual organizations, there’s still a lot of room to improve as an industry.”

Jorge Rey, CISO and director of information security and compliance for Kaufman Rossin, says the healthcare sector still hasn’t figured out how to manage cyber risk from a business perspective. Often, organizations tend to under-invest and still haven’t figure out whether the right responses are in place.

“The healthcare industry has matured, with HIPAA and HITECH: There are more resources, and technically we have more secure platforms and a more secure environment and framework,” said Rey. “We need continue doing what we’re doing and get better at it.”

“But even if you’re one of the organizations being very aggressive about cybersecurity – you’re still connecting to a lot of healthcare organizations that may not be doing as much,” Finn said. “You’ve created other attack vectors.”

The ugly

Ransomware may be continuing to pummel the healthcare sector, but it’s no longer the reigning threat actor. Cryptocurrency mining malware and cryptojacking are still on the rise, with hackers now looking to exploit mobile devices as much as computer systems in the near future.

The virus is more subtle than ransomware, running in the background often undetected for an extended period of time. Attackers infect the computer, or IoT device, and use its processing power to mine for cryptocurrency. It’s been incredibly lucrative for hackers, according to a recent McAfee report.

But new, invasive viruses are just the tip of the ugly nightmare.

For Kim, her biggest fear is that next time the attack will actually impact patient safety. Both Petya and WannaCry held health systems hostage. NHS had to divert patients to other locations and cancel some surgeries, that in itself could have put patients at risk.

But two recent studies examined how those flaws are leveraged by hackers and the patient safety impact.

Although exposed devices and systems don’t necessarily mean they’re vulnerable, a Trend Micro report found that these flaws can be used by hackers as a doorway into an organization. Even worse, these exposures let threat actors steal data, launch botnet attacks the like.

And if the hacker does get in, patient lives are impacted, a Medcrypt-funded recent from the University of California Cyber Team found. The surveyed delivery organizations and vendors said that between 100 to 1,000 patients had adverse events from compromised health IT infrastructure.

The threat is only going to get worse. The same study showed what happens when a cybercriminal hacks a medical device: The doctors don’t know it’s happening, and the patient continues to suffer while they attempt to figure it out.

“Medical devices are really your next train wreck that’s going to hit the industry,” said Finn. “We’ve been talking about this for more than a year – but we need to hammer the nails to start fixing the problem. We’re all going to have to come together and figure out how to fix medical device security.”

“We’ve been talking about it – and bad guys are listening,” he added. “(Devices) are not protected, easy to get into and then they can use that device to get into the hospital where all the data lives,” he continued. “But the bigger risk around the medical devices are the clinical operation and patient safety.”

There’s been an increase of IoT medical devices and some hospitals are trying to “integrate these devices into operations to improve patient care,” said Jorge Rey. “But by doing this they’re creating new attack vectors – another area of risk for the hospitals.”

Part of the challenge facing the healthcare sector is that these devices are difficult to secure and right now there’s no prescribed framework to help manage these big events, he explained.

“And what happens if someone’s patient data is modified or tamper with?” asked Lee Kim. “What happens if it’s inaccessible? We have paper records, but what if the provider can’t read cursive writing in the patient record?”

“What’s to happen in an era when the patient is in an emergency state and all you have is a doctors’ handwriting?” she added. “We just rely on faith that we’ll be OK? Who knows?”

For Kim, healthcare’s biggest issue is that “we’re so cannibalistic in healthcare.”

With everyone competing with each other, she explained, not everyone wants to share threat information. But for the industry to get better, stronger and more resilient against future major cyberattacks, working together is now a necessity.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.