- WannaCry, the malware that crippled dozens of hospitals in the United Kingdom two years ago, is still prevalent and attacking healthcare companies, according to a new report from cybersecurity firm Armis.
- About 40% of healthcare delivery organizations have experienced at least one WannaCry attack in the past six months, largely because of older, unmanaged devices that are difficult to patch, according to the report.
- The findings come a week after Microsoft disclosed a vulnerability in Windows 7 and other older operating systems the malware could exploit. The healthcare sector has the highest rate of using older systems (followed by manufacturing and retail), with more than 70% of organizations using Windows 7 or older versions, according to Armis.
Two years ago this month, WannaCry made headlines as nearly 200,000 instances of the malware were detected in more than 100 countries. About 40 U.K. hospitals were forced to suspend normal services and accept only emergency patients. A few months later, a new form of the virus was blamed for disrupting a North Carolina health system, forcing it to shut down its network.
And according to Armis, WannaCry is still very much a threat. "In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling," Ben Seri, VP of research at Armis, said in the report.
Device security is a major concern for healthcare organizations. Legacy systems that providers frequently use lack basic cybersecurity controls and often aren't properly vetted before connecting to a network, according to research from Vectra. Verizon's 2019 mobile security survey found that more the three quarters of respondents felt IoT devices presented the greatest cybersecurity threat for hospitals.
FDA is working to push organizations toward better security. Its Medical Device Safety Action Plan calls on manufacturers to put security updates and patch capabilities into products at the design stage and dictates procedures for disclosing potential vulnerabilities after market.
WannaCry attacks are typically ransomware — hackers request money to restore an organization's systems. Armis said more than $325 million has been paid out in ransom for WannaCry, part of a more than $4 billion price tag when disruption costs are included.
The virus is still active in 103 countries and more than 145,000 devices are compromised worldwide. At least 3,500 attacks are successful per hour, according to Armis, which notes that even a single infected device "can be used by hackers to breach your entire network."
But many healthcare organizations still aren't devoting a lot of resources to shoring up their systems. Most don't have a C-suite leader dedicated to managing cybersecurity and barely more than half routinely conduct risk assessments, according to Black Book Market Research.