When historians look back on 2017, they may see it as the year when abstract fears about the security of healthcare technologies solidified into a concrete threat. It wasn’t the first year that hospitals suffered serious cyberattacks. But the impact, geographic breadth and talk of links to North Korea marked out WannaCry as a new sort of cyberthreat.
In May, medical devices and computer systems at healthcare centers around the world were infected by ransomware that prevented their use until Bitcoin was paid.
The ransomware worm knocked some medical devices offline in the U.S. But the full, healthcare-halting power of cyberattacks was more clearly seen in the U.K., where more than 1,000 pieces of equipment were infected and many more were taken offline as a precaution.
Almost 20,000 hospital appointments, some of them for surgical operations, were cancelled as the healthcare system scrambled to regain control of its technologies.
This could be a watershed moment for cybersecurity.
There is already evidence that WannaCry has reshaped attitudes to the threat. In the U.K., the government has funnelled $27 million of the cash available to its overstretched healthcare service into cybersecurity.
The money will support the creation of “a national, near real-time monitoring and alerting service that covers the whole health and care system”—assuming the U.K. can beat its poor IT track record and deliver such a service—and the hiring of ethical hackers to probe the network for vulnerabilities.
Officials’ commitment to a proactive approach with ring-fenced funds stands in stark contrast to the pre-WannaCry activities of the U.K. healthcare service, which was unable to summon the resources and coordination to ensure its network was free from vulnerable, Windows XP-based devices and computers, despite repeated warnings.
The U.S. was less severely hit by WannaCry. But, with some U.S. devices infected and those that weren’t still affected by disruptive defensive actions, the American Hospital Association (AHA) is pushing for the ransomware attack to be a watershed moment for cybersecurity in its country, too.
The AHA used a loosely linked FDA consultation as a forum to launch a WannaCry-motivated broadside against the cybersecurity policies of the agency and the medical device manufacturers it regulates.
The gist of the AHA’s argument is that the medical device industry failed to prepare for a cyberattack, was slow to respond when one did occur and recommended defensive actions that caused harm to hospitals. Leaders at the AHA want the FDA to do more.
The message from the U.K. and AHA actions is that, to a growing number of people, cybersecurity is no longer a problem organizations can shunt down the list of priorities in favor of more pressing matters. Cybersecurity is among the most pressing matters, at least while memories of WannaCry are fresh.
Whether the current sense of urgency can survive the fading of those memories—and the related ones created by Merck’s malware woes—or whether the “if it ain’t broke don’t fix it” ethos will return to healthcare cybersecurity remains to be seen.