
US hospitals are scrambling to strengthen their digital security systems following the ransomware attack that crippled the health care system in the United Kingdom.

But vulnerabilities are everywhere, making it virtually impossible to build an impervious system. The truth is that US health care is uniquely vulnerable to such an attack, even if it managed to escape this one relatively unscathed, said Dr. John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston.

STAT spoke to Halamka, a national leader in health care information technology, about the concerns raised by Friday’s attack. Here are a few takeaways from the conversation:


1. Targeted software is widely used in the US.

The flaw hackers exploited in Friday’s attack sits in Windows itself, and unpatched machines running Windows XP, an operating system still used by a multitude of US providers, are exposed to it. Many other software products in US hospitals carry major weaknesses of their own.

“Hospitals are filled with a lot of niche applications that are infrequently updated,” said Halamka. “There are still products that run only on Windows XP.”


Those products might be used by cardiologists, obstetricians, or other specialists whose lack of updated protections might offer an opening for hackers.

In the case of Friday’s hack, Microsoft had made a software patch available to plug the security hole. “But that’s really, really rare,” said Halamka, who estimated that 10 percent of applications in large US hospitals still run on XP.

2. US hospitals were spared in this attack by decentralization.

US providers are not linked together the way providers are in the National Health Service. That lack of interoperability is often lamented by health care leaders here, but it also made the US health system less vulnerable in the case of this attack.

Friday’s hack affected about one-fifth of the National Health Service providers in the United Kingdom, forcing many hospitals to postpone surgeries and deny treatment to patients. It caused such widespread problems because UK hospitals operate on a shared network: once the self-spreading malware got in, it could move quickly from one vulnerable machine to the next.

The lack of similar connectedness in the US is no reason to breathe a sigh of relief, said Halamka. “It doesn’t mean that tomorrow there won’t be a new vulnerability found and a virus or ransomware application spreads very quickly” among US providers, he said. “We were lucky.”
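The two points above, that unpatched niche systems are the targets and that a shared network is what lets malware reach all of them, can be made concrete with a small model. The following is an added example written for this page, not code from STAT, Halamka, or any hospital; the host inventory, segment names and firewall policies are all constructed, and it assumes a worm that spreads only to unpatched hosts it can reach over a file-sharing port.

```python
from collections import deque

# Constructed sample inventory (hypothetical hostnames): host -> (network segment, patched?)
# The unpatched entries stand in for the niche Windows XP systems the article describes.
HOSTS = {
    "ehr-db":      ("datacenter", True),
    "ehr-app":     ("datacenter", True),
    "ct-console":  ("radiology",  False),   # vendor box that only runs XP
    "mri-console": ("radiology",  False),
    "echo-ws":     ("cardiology", False),
    "cath-lab":    ("cardiology", True),
    "front-desk1": ("office",     False),
    "front-desk2": ("office",     True),
    "fetal-mon":   ("obstetrics", False),
}

SEGMENTS = {seg for seg, _ in HOSTS.values()}

# Constructed policy 1: a flat network, every segment can open the file-sharing
# port to every other segment (the "same network" situation in the NHS account).
FLAT_POLICY = {seg: set(SEGMENTS) for seg in SEGMENTS}

# Constructed policy 2: clinical device segments talk only to the datacenter,
# never to each other (the "not linked together" situation in the US account).
SEGMENTED_POLICY = {
    "datacenter": set(SEGMENTS),
    "radiology":  {"radiology", "datacenter"},
    "cardiology": {"cardiology", "datacenter"},
    "office":     {"office", "datacenter"},
    "obstetrics": {"obstetrics", "datacenter"},
}


def simulate_worm(hosts, policy, patient_zero):
    """Breadth-first spread: each infected host scans every host it can reach
    under the segment policy and infects the ones that are unpatched.
    patient_zero is the machine first compromised (e.g. via a phished user).
    Returns the set of infected hostnames."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        src_seg = hosts[src][0]
        for dst, (dst_seg, patched) in hosts.items():
            if dst in infected or patched:
                continue                      # already hit, or the hole is closed
            if dst_seg in policy.get(src_seg, set()):
                infected.add(dst)             # reachable and vulnerable
                queue.append(dst)
    return infected


def blast_radius(hosts, policy):
    """Worst case per unpatched host: how many machines fall if that host is
    patient zero. Useful for ranking which XP boxes to isolate or patch first."""
    return {
        h: len(simulate_worm(hosts, policy, h))
        for h, (_, patched) in hosts.items()
        if not patched
    }


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = simulate_worm(HOSTS, policy, "front-desk1")
        print(f"{name:9s} patient zero front-desk1 -> {len(hit)} infected: {sorted(hit)}")
        print(f"{name:9s} blast radius per unpatched host: {blast_radius(HOSTS, policy)}")
```

On the flat policy a single phished front-desk machine reaches every unpatched device in the building; on the segmented policy it stays inside its own segment, and the radiology consoles only threaten each other. The model also shows the caveat in the segmented design: the datacenter is reachable from everywhere, so an unpatched host there would turn it back into a hub.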

3. The pain of the patch often delays key updates.

Much of the fallout in the UK is focused on why the Microsoft patch wasn’t installed in a timely way by providers. But at least part of the answer, said Halamka, is that applying a software patch is not as easy as slapping on a Band-Aid.

“Each time you patch, you potentially disrupt critical clinical functions,” he said. For example, a patch might shut down a medical records system for a period of several hours, or it could cause the whole system to slow down or leave parts of it disabled.

That means hospitals must carefully plan and execute software patches, and prepare contingency plans if they cause major problems. “As a CIO, you’re constantly weighing, ‘What is the risk of the patch versus the risk of the vulnerability,’” Halamka said. “It’s a tough problem. I sometimes describe keeping our environment secure as changing the wings on a 747 while it’s flying.”

4. A hospital’s IT system is only as strong as its weakest employee.

It only takes a tiny opening for a hacker to gain access to a computer system, and the opening is often found in the inbox of an unsuspecting employee.

Halamka said organizations must train their staff to carefully screen emails and avoid opening anything from an unfamiliar address. “We as a culture are still likely to click on a link or an attachment,” Halamka said. “We need education which changes the culture and says, ‘You will not click on anything unless you are expecting it or asked for it.’”

One way to do that, he said, is for organizations to send phishing emails to their employees to test their level of compliance. “It only takes one authorized user to let the malware in,” Halamka said. “You can put in millions of dollars of technology protection, and still have it all defeated by a gullible employee who bypasses those controls.”

5. There is no silver bullet.

In the US and elsewhere, Friday’s cyber attack has spurred calls for a government response that could help strengthen security. But it’s not as easy as hiring more police officers to patrol the beat.

While law enforcement and better coordination are helpful, Halamka said, it’s going to take the efforts of individuals, hospitals, and other institutions to create a more secure system. He said hospitals must be more aggressive about installing software patches and creating technology policies that require employees to follow best practices and use more secure products.

“I would tell your readers: ‘Don’t rely on some single government entity to solve this for you,’” Halamka said. “It’s a multi-factorial solution and it’s going to take all of us working together.”