Avi Rubin, professor of computer science at The Johns Hopkins University and director of the school’s Health and Medical Security Lab, which was established with funding from the Office of the National Coordinator for Health Information Technology, has been closely following the WannaCry cyberattack. The prominent healthcare cybersecurity expert spoke with sister publication Health Data Management on why providers are vulnerable and the steps they should take to protect themselves from future hacks.
Health Data Management: The origin of the WannaCry ransomware was the U.S. National Security Agency, correct?
Avi Rubin: It was a hacking tool leaked out with the Edward Snowden materials.
HDM: Is it fair to say that different variants of the NSA tool are now being propagated?
Rubin: People are creating the variants. I don’t think it is happening automatically.
HDM: What can healthcare organizations do to protect themselves from the ransomware, such as updating their Microsoft Windows computers, particularly those running Windows XP?
Rubin: I don’t think that anybody who was on top of their security fell victim to this. This affected people who were late to patch. There are actually legitimate reasons to wait to patch your systems. But updating your Microsoft operating system is something that should be done relatively quickly. I don’t think waiting two months is reasonable. Anybody who patched their Windows system in the last two months would not have been vulnerable to this.
A lot of healthcare systems are running older versions of Windows that are no longer supported by Microsoft, such as XP. Those were extremely vulnerable because they had their systems running for a long time without updates. Microsoft issued an emergency patch over the weekend addressing this situation for those people. You don’t hear about any of the top names in the financial industry having been hit with this because those guys usually put a lot of effort and funding into security and so were up to date and not vulnerable.
HDM: So healthcare organizations should still back up their data?
Rubin: Definitely. I think having backups of your data is the best response to the ransomware threat, because if you have data backed up, there is no need to pay someone ransom in the first place—as long as your backups are current.
HDM: For those that find themselves victims of ransomware, do you recommend that they pay the ransom?
Rubin: I wrote a blog on Saturday about this topic. The bottom line is that I don’t think you should pay.
First, you are funding the bad guys when you pay and are legitimizing their business model. Second, there is no guarantee that the attackers will actually restore your files or that they won't demand more money the next day. Whenever you succumb to these threats in any context, you risk further abuse. My general philosophy is to take the immediate loss and figure out how to move forward without paying any ransom.
However, having said that, I can definitely foresee circumstances where something would be so valuable to me that I would take any chance I had of getting it back. It’s so easy for me, not currently a victim, to say you shouldn’t pay. For instance, what if a patient comes into an emergency room with a life-threatening situation, and staff can’t log into ER computers, but they are told by a ransomware screen that if they pay $500 they will be let into the system. Do you pay it in order to save that person’s life?
HDM: Is there any silver lining to this situation with the WannaCry ransomware?
Rubin: I would say that we’re fortunate that the people who perpetrated this seem to be pretty incompetent, and they may have done us all a favor because the vulnerability is there, and now it’s being fixed. If they were more talented and serious attackers, the damage could have been much worse.