Late last week significant healthcare institutions - along with telecommunications, government, and education - were crippled by a rapidly spreading ransomware attack.
Unlike better-known data breaches, ransomware attacks are not based on the value of compromised data to those who should not have access to it - for example, selling a list of usernames and passwords, or stolen credit card data. Ransomware attacks exploit the value of the compromised data to those who should have access to it. In some cases last week, that meant holding medical records hostage and demanding a ransom from medical institutions.
After gaining access to a vulnerable system, malicious software is able to encrypt the data on the physical machine, as well as network shares, while at the same time attempting to infect other systems on the same network. Once encrypted, the files are only accessible to those who have the encryption key. It’s that key these data kidnappers offer to provide - for a price.
The truth is that last week’s ransomware shouldn’t have affected anything.
Microsoft released a patch for the vulnerability in March. In April the details of how to exploit that vulnerability were included in a set of leaked NSA documents. Regardless, most of the systems affected by the attack were running an operating system that Microsoft had stopped supporting years ago. They were never brought up to date.
The truth is that the most secure, patched, and up-to-date systems are not the systems on your local network. They’re the systems managed by giants like Amazon, Google, Rackspace, and the rest. They’re in that mystical ‘cloud’ that healthcare at times seems so reluctant to leverage.
Moving critical data to those vendors means there’s nothing to ransom. Just wipe the hard drive, reinstall, and log back into the applications you use day to day. It’s certainly not an unfamiliar process. If you had to swap out your personal computer without warning, I’d bet you’d be annoyed - but I’d also bet you wouldn’t lose much data because the data you care about isn’t actually on that computer.
Yes, there are significant and reasonable concerns about security and privacy when storing sensitive data off-site. Last week is a clear example that there are very real concerns when storing that data on-premises as well.
The truth is it’s time for mainstream healthcare to seriously consider the value of PaaS (platform-as-a-service) and SaaS (software-as-a-service) offerings as well as the risk of managing their critical data themselves.
Because if your software vendor choice ties you to using operating systems that are no longer supported, makes you responsible for patching and securing the infrastructure your data is stored on, and ends up leaving you exposed to attacks like last week’s - perhaps it’s time to ask what’s really the ransomware?