The ransomware attacks spreading across at least 99 countries on Friday are the type of attack that could one day kill someone.
That sounds like hyperbole, but this attack froze and disrupted computers inside many National Health Service hospitals in the United Kingdom, and it’s not hard to see how an attack on hospital computer systems affects patient care or, at the very least, forces patients in need to find help elsewhere as hospital staff scramble to get vital systems back online. That type of disruption, combined with a person faced with a life-threatening condition, has the potential to result in the loss of life.
Cybersecurity experts have long used the phrase “where bits and bytes meet flesh and blood,” which signifies a cyberattack in which someone is physically harmed.
There’s no indication that someone was harmed on Friday as a result of this particular attack. But UK hospitals were forced to redirect patients from affected hospitals after a ransomeware virus spread through hospital computers, locking them down and demanding bitcoin payment in exchange for the return of the information contained in those computers.
Staff also asked that patients not come in unless they were experiencing an emergency. Some hospital staff couldn’t access patient records, and others had to cancel appointments.
The scale of this attack is unusual, but the type of attack is not. It’s happened before — to hospitals in London in January, for example — and it’s almost certainly going to happen again and again.
Joshua Corman, who sits on the Health Care Industry Cybersecurity Task Force, which falls under the Department of Health and Human Services, paints an abysmal picture of the state of cybersecurity at hospitals around the United States. According to him, around 85% of U.S. hospitals don’t have a single full-time cybersecurity expert on staff. Even if they did, that cybersecurity expert would often be helpless against ransomware attacks of the sort the world saw on Friday. Hospitals often run on comically outdated computers that are vulnerable to a range of unpatchable exploits, and those computers are often networked without the proper security precautions.
“Even though these are very avoidable things, like patching Microsoft, if there’s no one doing them…then yo have this very rich soil for these attacks to take root,” Corman said.
Part of what makes Friday’s ransomware attack so worrisome is that it did a ton of damage without much sophistication. It appears to have started just like most such attacks, by sending malicious documents around and waiting for folks to open them. Once opened, this attack installs a ransomware known as WannaCry, which locks down the infected computer and demands Bitcoin in exchange for a return to normalcy. At that point, WannaCry spreads to connected Windows computers through a Windows SMB Server vulnerability. Microsoft released a patch for that vulnerability on March 14, but if no one’s updated their computers since then, those computers remain vulnerable.
“There’s never going to be any shortage of unpatched systems or legacy systems that cannot be patched,” said Jim Walters, a senior research scientist at Cylance, which develops anti-virus software. “What you see today is just the latest in the ongoing trenchant behavior we’ve seen all along.”
Yet for hospitals, there’s no easy way to prevent this kind of attack.
“Everybody thinks, ‘oh if something bad happens we’ll just fix it,'” Corman said, but that’s not the case here. Blocking future ransomware attacks will require cybersecurity personnel, new computers, and better network security. Systemwide security revolution isn’t something that can be fixed in a matter of days, weeks, or even months.
But until hospitals have vastly greater cybersecurity, these attacks will continue to make frightening headlines.