Expert tips on bracing for future WannaCry attacks
The WannaCry cyberattack has implications for the future of healthcare security, especially as the recent Health Care Industry Cybersecurity Task Force report came out essentially saying that the healthcare industry is in the midst of a staffing crisis.
Greg Touhill, former federal CISO and adjunct professor of cybersecurity and risk management at Carnegie Mellon University equated the initial WannaCry attacks to a slow-pitch softball, said more attempts are coming and the next one might be a fast ball during a Congressional hearing last week.
With WannaCry, there’s the good, the bad and the ugly. First the good. Ransomware attacks like WannaCry aren't particularly hard to avoid, said Lance Hayden, chief privacy and security officer at clinical trials technology vendor ePatientFinder. Hayden’s career spans more than 25 years in the security field, including positions with the CIA and Cisco.
“Regular backups, effective user training and updated software stop the majority of these attacks dead,” Hayden explained. “The security industry has lots of smart ‘good guys’ who are attacking the problem; case in point, the researcher who triggered the WannaCry kill switch.”
Then there is “the bad” to contend with. WannaCry was different in that it propagated on its own, rather than through phishing e-mails, and that’s disturbing.
“Although good hygiene is enormously effective, most organizations don’t practice good hygiene until it’s too late: after an attack,” he said. “The security industry is up against lots of smart ‘bad guys’ who only have to be successful once to cause lots of problems.”
And of course, with something as big and bad as WannaCry, there is “the ugly.” The recent Health Care Industry Cybersecurity Task Force report, for instance, shows systemic problems in healthcare that represent huge risks to the industry.
“Tools like WannaCry will only get more sophisticated; WannaCry took advantage of tools stolen from the government and released into the wild,” he added. “Healthcare CIOs and CISOs need to prepare, not panic. Healthcare security is a challenge, but no different than any of the other challenges the industry has had to face and overcome during its history. It’s not magic.”
Hayden advised healthcare CIOs and CISOs to put more effort and resources into their security program and understand that the preventative costs one thinks they cannot afford today pale in comparison to the reactive costs one will incur during a breach.
“Embed security into the culture: The human firewall is the single most effective security solution,” he said. “However, like safety or innovation, security is a cultural attribute that is hard to just embed by fiat. If creating an innovative culture was that easy, every company would be as innovative as a Google, Apple or Facebook just by implementing annual innovation training.”
There are “strategic intangibles,” and security is one of these, Hayden said. “The only way to make it happen is for the entire organization to decide that it’s important, and then to take it seriously. That kind of commitment usually starts at the top.”