The pMD Blog
Three Lessons Providers Should Learn From WannaCry

To an industry notoriously slow in its embrace of new technology, the WannaCry ransomware attack should serve as a wake-up call. While it paralyzed computers the world over, WannaCry seemed to have had an outsized effect on the healthcare industry; it hijacked the systems of dozens of National Health Service (NHS) facilities in the UK as well as computers in medical practices all over the world.

No medical professional wants to turn away patients or shut down operations because malicious actors were able to hold their critical data for ransom, but at least some good news came out of this nightmare scenario. Healthcare practices all over the world are now asking themselves what they can do to prevent hackers and criminals from successfully attacking their systems. By incorporating valuable lessons from WannaCry, hospitals can shore up their IT defenses and help prevent future malware attacks. What follows are some of the most valuable lessons healthcare providers can take away from WannaCry.

Update Your Systems

It may not seem like a major concern for hospitals running their day-to-day operations, but outdated systems - ones that are no longer supported or updated by developers - are much more likely to have vulnerabilities that can be exploited by malicious actors. WannaCry spread across computer networks by exploiting a Windows vulnerability that hackers stole from an NSA leak. While Microsoft released a fix for the vulnerability on March 14, the fix did not cover Windows XP, which Microsoft stopped supporting in 2014, and which many computers in NHS hospitals were still running when WannaCry struck.

Even though Microsoft eventually pushed out a Windows XP update to patch up the vulnerability exploited by WannaCry, it was only after the bug had already infiltrated computers all over the world. For future vulnerabilities, companies may choose not to release fixes for outdated systems - and they will definitely choose not to apply such fixes to unlicensed software. In countries like China and Russia, which have avoided implementing strong intellectual property policies, WannaCry has had an outsized effect, since it was able to spread much more easily across systems that ran unlicensed, and therefore outdated, software.

Choose Subscription Software

Of course, ensuring that every operating system and every application is up-to-date can be a time-consuming process. One way practices can avoid having to manually update some systems is by choosing software services (like pMD!) that work on a subscription service model, which are less likely to provide outdated software. By nature, subscription services are constantly updated by developers and automatically deployed to users. Though Microsoft did release a fix for the WannaCry vulnerability in March, a whole month before the malware started actively exploiting it, millions of Windows machines had evidently failed to update and install that fix at the time it struck.

Train Your Staff

Many cases of malware can be prevented with effective staff training. Though the WannaCry malware spread from computer to computer automatically, worming its way across computer networks, many other malware instances enter computer systems when victims themselves inadvertently expose their systems. Employees across all levels of the practice should:

  • 1.  Never click on suspicious links or open suspicious messages, and should always report suspicious activity to their IT administrator or to another appropriate person in their organization

  • 2.  Pay close attention to their passwords by not using the same password everywhere and by enabling two-factor authentication

  • 3.  Always make sure their systems are up-to-date (see the first section of this blog post!). Practices that put in place long-term security education programs that raise awareness of such risks as phishing attempts can prevent future malware attacks and decrease their risk of infection significantly.

For healthcare practices all over the world, the trade-off between cleaning up the mess after these types of malicious attacks and spending the extra time and energy it takes to maintain a proactive technological defense has always existed. However, the wide-reaching and extremely visible effects of the WannaCry attack may have raised the stakes, and will hopefully convince much of the healthcare industry to choose the latter option. Before the next WannaCry strikes, the industry should make sure to be better safe than sorry.