Amongst targets across 150 countries (including Australia), the National Health Service (“NHS”) in England is still facing massive disruption following the most widespread and public malware outbreak for years.
As depicted below, the ransomware responsible, WannaCry, encrypts a computer’s files and demands that the victim makes a ransom payment (in Bitcoins) before allowing access again. Until a payment is made all files hosted on infected computers remain encrypted and effectively inaccessible.
[Image: WannaCry ransom demand screen]
WannaCry spreads as a computer virus that exploits a vulnerability in the Microsoft Windows operating system, and also through “phishing” emails. Victims received emails with a purportedly legitimate attachment that actually contained the executable code for the virus; once clicked, it infected the victim’s computer and then spread (by exploiting the vulnerability) across the victim’s computer network.
Once WannaCry is inside an organisation it locates vulnerable machines and infects them as well. According to UK media reports, approximately 90% of the NHS computers were vulnerable to infection by WannaCry because they were running Windows XP, a 15-year-old operating system. Microsoft had released a patch for the vulnerability WannaCry exploits in March 2017, but had discontinued support for older operating systems such as Windows XP some time ago. Subsequently, Microsoft released a patch specifically for the older operating systems (including Windows XP) that are vulnerable to WannaCry.
Once the Bitcoin payment was made, the malware generated a decryption key to enable the victim to decrypt the encrypted files.
What steps should Australian health service providers take to protect themselves from WannaCry (and other potential malware infections)?
The Australian Cyber Security Centre (“ACSC”) issued urgent advice on 13 May 2017 (which it updated on 15 May 2017) to mitigate against the effects of WannaCry. The ACSC urged Australian organisations (including health service providers) to, at minimum, patch operating systems and applications to the latest versions to reduce vulnerability to exploitation.
To the extent that any Australian organisation is affected by WannaCry, the ACSC recommends that small and medium enterprises contact CERT Australia (the national computer emergency response team) on 1300 172 499.
Lessons and implications
Patching, however, may only form a small part of the issue. As Jim Schuman from Peak Insight explains, large organisations supported by massive IT infrastructure have many partners and third-party suppliers that connect to their network. It is therefore possible that a third party, which isn’t as well maintained as it should be, could be responsible for the spread of the virus. Complexity in IT networks and third-party risk will become a much larger issue for businesses, as an organisation’s cyber security protection is only as strong as the weakest link in the network.
The cyber security attack at the NHS demonstrates the potential harm to the reputation of health service providers. It is a real wake-up call for organisations that hold sensitive medical or personal information as to the devastating impact an attack can have.
Australia’s corporate regulator, the Australian Securities & Investments Commission, has repeatedly made it clear (see here and here) that, as part of the directors’ discharge of their statutory duties, it is ultimately the responsibility of the directors to be aware of the risks and to ensure the organisation’s technology and computers are safeguarded against potential cyber-attacks.
When the mandatory data breach notification laws come into effect next year in Australia, organisations will be required to notify affected individuals of a serious breach of their personal information (as determined in accordance with the legislation). Further details on what health service providers need to do once the changes to the Privacy Act 1988 (Cth) come into effect are available in this recent article.
Now is an opportune time for health service providers to review and update their policies relating to the handling of confidential and sensitive information, including patient data. Under the microscope would be policies relating to privacy of personal information, email and internet usage, password protection and the use of mobile devices. Health service providers could also remind all users of the dangers of opening email attachments from unknown or suspicious sources.
Additionally, health service providers can look at their disaster recovery and business continuity plans to determine whether, in the event the computer network is infected by ransomware or other malware, the provider could recover from such an event and continue business as usual.
From a practical perspective, the exploitation of a known vulnerability in Microsoft’s Windows operating system that was patched earlier this year suggests that health service providers should look carefully at their IT practices, so that sufficient resources are available to patch well-known vulnerabilities as and when they become known.