In the Wake of the WannaCry Computer Ransomware, Are you Prepared?
Photo-illustration by Carrie Baker, DO
ACEP Informatics Section Newsletter Editor
Ohio University & Wright State University, Dayton, Ohio
Emergency Medicine Specialists
Clinical Informatics, Kettering Health Network
WannaCry: A first of many attacks on our patients
Jeff Tully, MD
Information Security Research
Maricopa, Phoenix, AZ
Christian Dameff, MD
EMRA Board, Informatics Coordinator
Chief resident – Maricopa, Phoenix, AZ (current)
Clinical Informatics Fellow - University of California, San Diego (July 2017)
A sixty-five-year-old English man with a history of high cholesterol and elevated blood pressures awoke this morning in Liverpool with a mild, dull ache in his chest. Throughout the day his discomfort worsened, just a little, slowly crawling along his left shoulder and settling deep in his gut. The very personification of the stiff British upper lip, the gentleman thought about stopping in on his local doctor, but dismissed the thought moments later. Besides- he had heard on the radio earlier that NHS hospitals were closed to all but the most serious of emergencies- and surely this gnawing ache wasn’t an emergency.
This hypothetical patient- doomed to death from a fictitious but massive heart attack- sprung to life in our heads the moment we learned, earlier today, about what is now one of biggest cyber-attacks in history. A malicious piece of code - member of a family of computer viruses known as “ransomware” – having infiltrated scores of computer networks across (at last count) ninety-nine countries, erupted within its hosts, locking down crucial data while demanding anonymous Bitcoin payments for their release.
As practicing physicians with a keen interest in the burgeoning field of medical cybersecurity, today’s events were a sobering reminder that healthcare faces a new and unprecedented threat. While multinational corporations and world governments were counted among the “WannaCry” ransomware victims, the story originally broke with reports that Britain’s National Health Service suffered a devastating electronic attack that drew the attention of the Prime Minister herself.
Dozens of NHS hospitals, clinics, and administrative facilities were compromised in the attack- some through computers running Microsoft Windows XP, originally released in 2001 with its last official upgrade in 2008- resulting in an inability for doctors to access key systems and essential files.
Most importantly, the threat lies not just in the capture and potential exposure of private health information- which often contain one’s deepest secrets and darkest vices amongst routine laboratory work and vital signs- but in the downstream damage effected when medical care itself suffers as a result. Indeed, affected hospitals in the U.K cancelled surgeries, diverted patients to other facilities, and warned away potential patients not suffering from life threatening emergencies.
Such attacks are not novel, with hospitals closer to home having felt the sting of ransomware in recent years. But today’s attack was breathtaking for the scope of the disaster, as well as for the fact that the operation was not particularly directed toward the healthcare arena, thus raising the specter of what may come when malicious hackers, realizing the potential for widespread mayhem and financial gain, set their sights solely on our hospitals- hospitals which in many cases run outdated and vulnerable legacy systems.
So what, aside from gawking, are doctors, nurses, and other medical professionals to do? While we place an implicit trust in the vast expanse of technology we use to treat and care for patients, we need to become aware of the inherent dangers that exist in today’s Internet connected world. Basic literacy of cybersecurity “hygiene“- from avoiding the trap of classic “phishing” scam emails to the creation of more robust passwords and regular updating of our operating systems can be simple first steps toward secure solutions.
Ultimately, we need to take events like today as the harbingers they are- warnings that our patients now face an additional threat in addition to disease and injury- a threat just as dangerous as the most serious infection or wound.
We would not at all be surprised to learn, in the coming days, of patients in the vein of our imaginary Englishman, who, dissuaded from or unable to seek care due to the sheer stress placed on a beleaguered system today, suffered real, even fatal, harm.
Return to Newsletter