WannaCry made its first appearance on the morning of May 12, 2017, by infecting computers at Telefonica, a telecommunications company in Spain. Within hours, it had begun exploiting file-sharing networks in the UK’s National Health Service (NHS), eventually spreading to 45 organizations and 37 trusts in the UK. The ransomware attack forced NHS hospitals and clinics to shut down their electronic systems, divert patients needing emergency care to other hospitals, and cancel elective surgeries and general appointments. NHS racked up more than $1.4 million in losses because of WannaCry.
Before the malicious cyberattack was contained, it had spread to more than 150 other countries and infected 600,000 computers. Most hospitals in the United States went relatively unscathed, in part due to the discovery of a “kill switch” to deactivate the malware. But U.S. hospitals and health systems also benefited from relationships that had been cemented well in advance of WannaCry. Even as they wrestled with WannaCry, NHS members were informally alerting the U.S. healthcare community about the problem.
The anniversary of WannaCry offers an opportunity to reflect on what went wrong — and right — during the attack. The NHS provides a great example of leaders who shared information and knowledge outside their organization to thwart cyberthreats. Attacks in the healthcare sector have increased in frequency and virulence in recent years, making the need for information sharing and collaboration among healthcare organizations that much more critical.
It is becoming clear that a cyberattack on one organization can spiral into an attack on many, and this is especially true as health systems and other entities become digitally connected. To address this potential vulnerability, the Western New York region put together a multisector collaborative think tank that included Kaleida Health, where I am CIO. We developed relationships to mitigate risks if a breach occurs in an organization or an affiliated partner in the region. That includes a strategy for pooling resources and having a response team in place if an incident occurs.
This think tank has allowed what are traditionally competitive businesses to partner to prevent cyber incidents or lessen the damage during a breach. Our think tank model is not the only collaboration available to the healthcare IT community. The College of Healthcare Information Management Executives (CHIME), which I chair, also champions collaboration. That culture was apparent when WannaCry hit. Our public policy team was in close contact with federal agencies to provide timely and accurate updates to members, and members were networking with each other to share information and shore up defenses.
The healthcare IT community faces many challenges in this area, however. One obstacle to information sharing comes from concerns about potential repercussions, for instance, if it gets publicly reported that patients’ data have been exposed in a breach. At the federal level, CHIME’s public policy team in Washington, D.C., and our Public Policy Steering Committee have been educating lawmakers about the unintended consequences of a punitive approach when hospitals experience a breach despite having taken reasonable measures to protect patient information. We advocate for policies that encourage information sharing and assist hospitals in the event of a cyberattack.
And we have seen some progress. After the WannaCry incident, an HHS representative listed improving cyberthreat information sharing as a priority in written testimony to the House Energy and Commerce Subcommittee on Oversight and Investigations. We are encouraged by the changes being considered in Washington, and our members and public policy team continue to work with federal officials to educate them about the benefits of a collaborative and fully informed healthcare IT community.
The industry has learned many valuable cybersecurity lessons since WannaCry, including the importance of updating patches, backing up files, and practicing good cyber hygiene. These are all excellent practices, but they are not our only recourse. The more we stand together as allies against these bad actors, by sharing information and collaborating, the harder it will be for cybercriminals to succeed.