The ongoing saga of the WannaCry ransomware attack which devastated the U.K.’s National Health Service (NHS) over the weekend and has already infected hundreds of thousands of computers across the globe reads like a Black Mirror episode set in our very times.
A cadre of amateur hackers took advantage of security flaws in widely-used Microsoft operating systems with a technique gleaned from none other than the U.S. National Security Agency (NSA)—and consequently brought a nation’s health system to its knees while throwing patients’ lives into disarray.
It’s still too early to gauge the fallout from this digital delinquency. But the breach highlights a stark—and scary—reality about health IT: Outdated medical systems are woefully unprepared to deal with a new class of criminals willing to hold patients’ medical data, credit card numbers, and other personal information hostage barring a big payout. In fact, the FBI has issued several stark warnings about the unique and growing threat ransomware presents to health care companies specifically in the past few months.
Click here to subscribe to Brainstorm Health Daily, our brand new newsletter about health innovations.
Just how vulnerable is health care? Consider: A 2017 Verizon Data Breach analysis found that ransomware surged from the 22nd most common type of malware in 2014 to the fifth most common this year. “For the attacker, holding files for ransom is fast, low risk and easily monetizable—especially with Bitcoin to collect anonymous payment,” wrote the authors. That same report found that a staggering 72% of all health care malware attacks in 2016 were ransomware. And the financial services sector is the only industry that’s targeted more than health care.
There are some obvious reasons that make the medical sector such an enticing target for criminals. For one, health information is simultaneously intensely personal, accompanied by crucial financial information, and universal—after all, health care consumerism isn’t so much a choice as it is an ontological necessity of being a human.
And then there’s the glacial process of health IT progress, at least on the administrative end. Medicine may be making science fiction-level advances; but the systems which house its day-to-day information have yet to receive the same 21st century jolt. Protective measures haven’t caught up with would-be attack methods, and human error—whether it be falling for phishing scams or a hospital administrator failing to change his or her password—continues to be a major hurdle to data security.
Some companies are trying to tackle digital attacks with their own advanced tech. In fact, some analysts have argued that artificial intelligence will be key to keeping pace with evolving cyber attack tactics. But in the meantime, the institutions responsible for our health care remain vulnerable.