In response to today’s massive cyberattack on the UK’s National Health System and at least 74 other countries, it is important to acknowledge two things: all institutions are vulnerable and people are the weakest link.
According to the New York Times, NHS staff were warned about the ransomware early in the day. However, the ransomware invaded the NHS file sharing systems anyway.
The New York Times wrote, “The malware was circulated by email; targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.”
The UK’s Financial Times reported that this attack initially entered the system “laterally through the computer networks of infected organizations. “
The malware called Wanna Cry is a revamped version of an NSA malware virus that was evidently stolen by the organized hacker group called Shadow Brokers. Last year, Shadow Brokers attempted to auction off a block of NSA data for bitcoins, but apparently the auction was not well attended.
Perhaps Shadow Brokers are flexing muscle to see if they can gain better attendance at their next auction. In the meantime, patient information, health histories, blood work, surgeries and prescription information were compromised. It is not yet known if this includes any financial information.
Unfortunately, hospitals and medical organizations have become a major target. For example, Microsoft released a patch last March to stop this particular kind of malware, but many organizations have simply not applied it yet.
And if the malware was sent to users through email, they simply clicked the wrong link; a very boring but effective scheme, long in use, that locked computers and demanded the equivalent of $300.
But the price is far greater than money. Heart surgeries were cancelled. Patient information access was blocked by medical providers and held hostage by criminals. In fact, the actual Socratic oath was challenged. Though clearly inadvertent, the NHS put patients in harm. Will people die because of this attack?
Companies are vulnerable when they don’t keep up with patches or if an individual clicks the wrong link. Today shows how easily cybercrime bedlam spreads across the globe. It often seems that it is so commonplace there is no real defense. And this is just the beginning.
Hackers are more vast and sophisticated than ever and people are very much the same. Deploying patches is difficult, but must be done. In addition, direct user training needs to be considered. No one wants this to happen. But sometimes users need to be trained not to fall for the sometimes very convincing tactics of hackers.