Ransomware has been a major issue for both people and companies over the past few years. Recently, major oil and shipping companies have been hit. These attacks haven’t been limited to just one country either, as many countries across Europe have been hit — the UK, Ukraine, France, and Spain were all victims of a ransomware attack that encrypted their data and then required a fee to restore access to the files. Presently, the United States has been hit with the attack – and in a major way. Merck is one of the largest pharmaceutical drug makers in the country, and they were infected by the malware. Other companies were also hit alongside it.
Hospitals have also been hit, and when one looks at what they’re using for their systems, it’s no real shock as to why. The healthcare industry as a whole generally runs on Windows XP to ensure that older legacy software works. In theory, they could update to Windows 10 and take chances – but doing so would lead to compatibility issues and not all of their required software working.
A report last year showed that up to 90% of hospitals still use Microsoft’s now-ancient operating system, resulting in an ever-present risk for the places that choose to still use it. They may gain compatibility, but by not moving onto newer software, they run the risk of having their systems hacked and possibly exposing vital information for countless clients. The health sector accounts for most of the data security breaches across all of the public sector, and the information they house is some of the most vital and personal in the world.
Similarly, police agencies are also known to use Windows XP, and while that number is lower than hospitals and medical-related companies, it is still worrisome. Microsoft stopped offering free security updates for XP in April of 2014. This was a highly-controversial move, and one that they could easily justify because it had been over 12 years since the OS went on sale. Any company that wants to use XP still can pay them and get customized support – which makes the concern over using it slightly less assuming those companies are also willing to pay for that support.
If companies don’t pay for the support, then they could be seriously hurting themselves when it comes to trust. Patients and other companies they do business with have a certain expectation of trust – and when you are dealing with medical records across a single generation, let alone multiple generations, they have a responsibility to their clients. If they aren’t willing to pay to keep up their software, then they will lose the trust of their clients both in terms of patients and business partners. If you run a large company and you find that a partner that you trust isn’t do what they should be doing to ensure that data is secure, would you honestly want to continue doing business with them?
Odds are, you might do it to fulfill a contractual need or perhaps as a favor to a higher-up that demands it. On a personal level, you would likely lose faith in that company and push for an end to a partnership with that company the second the opportunity arises. Simple clinics not getting security right could result in something “small” like prescriptions being messed up and still have far-reaching consequences. If a hospital has their systems hacked, one could expect things like surgery times being messed up or other crucial procedures having things like paperwork inaccessible.
Kaspersky recommends that every company that was (and is) infected by this ransomware — called NotPetya — should update their Windows software as soon as possible and have backups ready to go alongside ransomware detection. They also advice using AppLocker to disable the execution of any files named “perf.dat”. That attack infected many computers thanks to an NSA hacking tool called Eternal Blue. The exploit was discovered last April and used a vulnerability in Windows that Microsoft themselves issued an update for. However, without every Windows user making use of the update, it led to the malware spreading and infecting even more systems. It ranged from attacking Windows XP to Vista and finally, Windows 10.
This issue becomes more problematic when you consider that it can catch on like wildfire just from people opening e-mails. Even though this is a behavior commonly associated with the elderly and those who don’t use technology, it can still find its way into the daily routine of professionals. Fortunately, Microsoft’s own anti-virus software is able to stave off some attacks – which bodes well for everyday users who may not pay much attention, but it doesn’t do much for larger companies using an older OS that doesn’t properly secure their networks with antivirus software.
One of the biggest hurdles the medical profession has to overcome is simply not upgrading their equipment due to being satisfied with their current software. Many older users get set in their ways, and while it is understandable on one level, it is also quite risky. In gaining that user-friendly feel because they’re used to the software, the computer becomes a bit like that old pair of shoes everyone has in their closet. They aren’t fashionable, they have a few holes, but a little tape over a black pair of shoes looks okay and by golly, they just fit perfectly. You know what to expect from them and with that familiarity comes a false sense of security. You know them so well that you would never expect anything would be amiss – and then you check and see that they’ve got padding missing and that secure feeling is now replaced by pain.
With a computer system for a single user, or a larger network for a company or business, an OS can become that. You get used to what you have that learning something new with it becomes a bit of a nightmare. Sure, in theory it shouldn’t be since it didn’t take you too long to learn the first one – but this is new and thus has a steeper learning curve. When you have your mind opened up to learning new things, it’s easier – but when you’ve closed that part of your brain off due to a set routine, problems arise. For the good of the companies and the people whose information they protect, hospitals and other medically-related businesses need to update their operating systems as soon as they realistically can.
Not doing so can cause irreparable harm to their company and their clients, and we’re already starting to see this with more frequent ransomware attacks like NotPetya. The worst thing is that it’s so preventable and one would always hope that an industry that has a vested interest in your own health would also value their cyber well-being just as much. Windows XP usage among hospitals has been disputed, but it does seem like exact figures are hard to come by. If more hospitals and medical facilities are using Windows 7, that is better for everyone involved.
Source – Merck