The Malware Attacking the U.K.’s National Health Service Could’ve Been Stopped: Here’s Why It Wasn’t
The ransomware attacks spreading across the computer systems of the British National Health Service this week are a stark reminder of the shocking state of software-updating practices in even the most critical infrastructure systems across the world. The attacks involve the ransomware strain WannaCryptor, which encrypts the contents of infected computers until the victims make a Bitcoin payment of roughly $300. WannaCryptor takes advantage of vulnerabilities in the Windows operating system that were patched in March by Microsoft, after a group called the Shadow Brokers leaked similar tools, allegedly stolen from the NSA.
The NHS had two months to install this patch and inoculate itself from WannaCryptor—but it didn’t. In fact, many systems remain vulnerable. It would be bad enough if a wave of hospitals were under attack because a brilliant, determined adversary had identified new, never-before-exploited vulnerabilities in their computer systems. But to be suffering these sorts of crippling attacks at the hands of an adversary who is merely recycling old malware, which could have been stopped using existing patches, is downright shameful.
This is an old story. Computer security workers have been complaining about the people and organizations who don’t download security patches promptly for pretty much as long as there have been software patches. If you’ve ever dismissed a warning from your operating system urging you to download a critical update, you’re part of the problem. But then, you’re probably not making that decision on behalf of an entire hospital—much less, an entire nation’s health service.
And yet, those software patching decisions that are so much more crucially important in the context of health care and other critical infrastructure systems are, at the same time, much more difficult to execute. Ironically enough, this is partly because the health care industry has historically been subject to much more stringent data security and privacy regulations and standards than other sectors. In the United States, for instance, medical information is subject to the requirements laid out in the Health Insurance Portability and Accountability Act of 1996. That means that every new system or piece of software purchased by a hospital or health care provider in the U.S. needs to be approved as being HIPAA-compliant. [...]