A Conversation with Two Cybersecurity Experts

Posted May 16, 2017

In the wake of last week’s global ransomware attack, AAMI reached out to two noted experts in the world of healthcare cybersecurity to get their thoughts. Kevin Fu is the CEO and chief scientist of Virta Labs, Inc., as well as an associate professor at the University of Michigan in Ann Arbor, where he runs the Archimedes Center for Medical Device Security. Axel Wirth is a distinguished technical architect with the Symantec Corp. He is a member of the Editorial Board of BI&T, AAMI’s peer-reviewed journal, for which he writes a cybersecurity column.


How vulnerable are hospital systems to this type of attack in the United States, especially given the fact that healthcare institutions typically use different vendors with different software?

Fu: Vendors of popular medical devices are already advertising the urgency of patching this flaw. Radiological systems are particularly at risk because they tend to depend more heavily on the vulnerable Windows software.

Wirth: U.S. hospitals are probably as vulnerable to this type of attack as what we have seen with the National Health Service last Friday. The problem is the prevalence of legacy platforms, for example Windows XP, and the difficulty of moving off of them. There are many reasons that can slow down platform upgrades or even patches, starting with regulations (e.g., medical devices), economic limitations (you can’t replace an MRI scanner just because the operating system is obsolete), an overall very conservative decision-making process, and very practical issues, such as staff training and device life-cycle management in a 24x7 environment. You could argue against any of these points individually, but taken all together the unfortunate result is a slow replacement rate and poor patch hygiene, which makes the healthcare environment very susceptible.

But this problem is not limited to healthcare alone—other industries have similar restraints and resulting poor security posture—as we saw last week—with car maker Renault shutting down assembly lines, Portuguese telecoms being affected, or the display system at German train stations. Another set of industries that took a hit were the ones that traditionally spend little on IT and hence run a lot of outdated systems, for example, the educational sector (universities in China) and government (the Russian Interior Ministry). So, I don’t think this was a question of who got targeted, more a result of who fit the profile, for whatever reason, of the malware.

As for why U.S. hospitals got spared? I think we need to get a few more days of analysis under our belt before we know for sure, but it may be a combination of a slightly better security posture and a bit of luck, as we had a six-hour warning through the events in Europe.

Do you believe this attack has served as a wake-up call? How many questions and calls are you getting from hospitals or healthcare systems in the wake of Friday’s attack?

Fu: This ransomware is a wake-up call for the few people still in denial. Patients were denied scheduled heart surgeries. Ambulances were in disarray. We are receiving a lot of questions from hospitals, device manufacturers, and government.

Wirth: Although this type of attack should not have come as a surprise, it still was very much a shot across the bow. We received many calls and inquiries from hospitals, but also from journalists and other interested parties. Again, the outbreak was not limited to healthcare, so neither was the response. I need to give a tip of the hat to the information-sharing groups that responded quickly and provided regular information updates as the situation unfolded. The Department of Health and Human Services had daily calls through the weekend. The FBI InfraGard (specifically the Cyber Health Working Group), HIMSS, and NH-ISAC all provided regular updates on the situation. And commercial entities, such as Symantec, provided their customers with up-to-date threat intelligence and remediation advice. Also, bear in mind that the underlying vulnerability had been known since the National Security Agency tool dump by the Shadow Brokers back in March. All our security products had already been updated to protect against any potential attack against this specific vulnerability.

What’s the one thing that all healthcare institutions should do right now to better protect their medical devices and IT systems?

Fu: Every hospital should maintain an accurate cybersecurity inventory of networked medical devices that provides sufficient detail to assess risk when a new vulnerability arises. What version of what software and firmware runs everywhere? What about shadow IT? The bad guys know the vulnerabilities of devices on clinical networks better than the good guys at the hospitals. That’s not fair, and the only way forward is via a solid inventory. You can’t protect what you don’t know you have.

Wirth: Even though it may be desirable to get rid of all legacy systems and keep everything else updated and patched, unfortunately, and as discussed above, that is neither practical nor feasible. Any organization with a complex IT infrastructure, including legacy systems, has to deploy a ‘defense in depth’ approach, starting with the best possible protection for systems, through network segregation, and on to network-based intrusion prevention tools. And not only is your security as good as its weakest link, it is also only as good as your vigilance. Be prepared, be able to respond quickly, and have a network of trusted partners.

Lastly, I want to add that this could have been much worse. Even though we hear of hundreds of thousands of infected systems across 100 or more countries, the malware was far from well developed. It contained several amateurish mistakes that prevented the attackers from walking away with a lot of money (it is estimated that they received just tens of thousands of dollars) and allowed security researchers to take over the controlling domain, which effectively crippled the attack. So even though this has been labeled as the largest cyberattack (it was not; other malware has infected more computers) or an attack of unprecedented impact (with that I tend to agree), it could have been much worse. It is now time to take security seriously, as the next attack may not be as easily contained, and because several industries, including healthcare, just sent a message to the world that they are poorly protected and rife with legacy vulnerabilities.
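Fu's recommendation above, that a device inventory must carry enough detail to answer "which of our networked devices are exposed?" the day a new vulnerability is announced, is the kind of thing a script can exercise. The following is an added example and is not part of the interview, nor code from Virta Labs, AAMI, or Symantec. The inventory records, the network zones, the advisory name, and the patch identifiers are all constructed for illustration; the only structure it assumes is that each asset records its platform, version, and applied patches, and that a vendor bulletin names the affected platforms and the patch (if any) that closes the hole. Devices discovered on the network but absent from the inventory (Fu's "shadow IT") are carried as `unknown` rather than silently dropped, and an end-of-life platform with no vendor fix is ranked ahead of one that merely needs a patch.

```python
"""Inventory-driven exposure check (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Device:
    asset_id: str
    device_type: str
    os: Optional[str]                  # None: platform not known (e.g. shadow IT)
    os_version: Optional[str]
    patches: FrozenSet[str] = frozenset()
    network_zone: str = "unknown"      # hypothetical zone label from the CMDB
    managed: bool = True               # False: seen on the wire, not in the inventory


@dataclass(frozen=True)
class Advisory:
    """Minimal model of a vendor bulletin: affected platforms and the fixing patch."""
    name: str
    affected_os: FrozenSet[str]
    fix_for_os: Dict[str, str]         # os -> patch id; missing key = no vendor fix


# Constructed advisory; bulletin name and patch ids are hypothetical.
ADVISORY = Advisory(
    name="HYPOTHETICAL-BULLETIN-1",
    affected_os=frozenset({"Windows XP", "Windows 7"}),
    fix_for_os={"Windows 7": "PATCH-7A"},   # no entry for XP: end-of-life, no fix
)

# Constructed inventory of networked clinical assets.
INVENTORY = [
    Device("CT-01", "CT scanner", "Windows XP", "SP3", frozenset(), "clinical"),
    Device("PACS-02", "PACS server", "Windows 7", "SP1", frozenset({"PATCH-7A"}), "datacenter"),
    Device("INFUSION-03", "infusion pump", "Embedded Linux", "3.2", frozenset(), "clinical"),
    Device("WS-04", "radiology workstation", "Windows 7", "SP1", frozenset(), "clinical"),
    Device("10.4.2.17", "unidentified host", None, None, frozenset(), "clinical", managed=False),
]


def classify(device: Device, advisory: Advisory) -> str:
    """Place one device in exactly one exposure bucket for the given advisory."""
    if device.os is None or device.os_version is None:
        return "unknown"                       # cannot assess: inventory gap
    if device.os not in advisory.affected_os:
        return "not_affected"
    fix = advisory.fix_for_os.get(device.os)
    if fix is None:
        return "vulnerable_no_fix"             # only compensating controls possible
    return "patched" if fix in device.patches else "vulnerable"


def exposure_report(inventory: List[Device], advisory: Advisory) -> Dict[str, List[str]]:
    """Bucket -> sorted asset ids, so the whole estate is accounted for."""
    report: Dict[str, List[str]] = {}
    for d in inventory:
        report.setdefault(classify(d, advisory), []).append(d.asset_id)
    return {k: sorted(v) for k, v in report.items()}


_TRIAGE_RANK = {"vulnerable_no_fix": 0, "vulnerable": 1, "unknown": 2}


def triage_order(inventory: List[Device], advisory: Advisory) -> List[str]:
    """Assets needing action, worst first: no fix available > needs patch > unknown,
    clinical-zone assets ahead of others within each bucket."""
    work = [(d, classify(d, advisory)) for d in inventory]
    work = [(d, c) for d, c in work if c in _TRIAGE_RANK]
    work.sort(key=lambda dc: (_TRIAGE_RANK[dc[1]],
                              0 if dc[0].network_zone == "clinical" else 1,
                              dc[0].asset_id))
    return [d.asset_id for d, _ in work]


if __name__ == "__main__":
    for bucket, ids in exposure_report(INVENTORY, ADVISORY).items():
        print(f"{bucket:18s} {', '.join(ids)}")
    print("triage order:", triage_order(INVENTORY, ADVISORY))
```

The point of the `unknown` bucket is that an unidentified host on a clinical segment is itself a finding: it cannot be declared safe, so it goes on the triage list even though nothing about it is known yet.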