The crippling ransomware attack on Britain's National Health Service (NHS) could set information-sharing standards back by ten years.
The WannaCry ransomware attack forced Britain's NHS to cancel surgeries. The malware encrypted computer files and locked them until a ransom was paid. It also crippled computers in Russia and China, an estimated 100,000 machines worldwide. The NHS disruption is especially troubling because people may have been on the operating table when the attack hit.
The ease with which WannaCry did this says a great deal about the poor state of the global information security industry. The infected systems were simply running old, unpatched versions of Microsoft Windows. Mouser Electronics had written a blog post about how easily secure sensor networks could implement a patient monitor, only to be embarrassed by this hangnail in the data-gathering system.
Ideally, you want to make it easy for non-technical workers to add data-gathering nodes to a patient monitoring network in a hospital. On the other hand, you don't want that ease of use to be hijacked and held for ransom. Bringing down the computerized records of a hospital is damaging enough; imagining what hackers could do with kidnapped nodes on the Internet of Things is a terrifying prospect.
Infected institutions were running older, unprotected versions (in some cases bootlegged versions) of Microsoft's popular OS because of budgetary or administrative constraints. The NHS is not a small operation. The agency deals with more than a million patients every 36 hours. It employs more than 1.5 million people, putting it among the top five of the world's largest workforces, behind the U.S. Department of Defense, McDonald's, Walmart and the Chinese People's Liberation Army.
It may seem obvious that hospitals in the NHS would have robust cybersecurity strategies to prevent disruptions. But a Freedom of Information Act request by American software company Citrix last year showed that 90 percent of NHS hospitals had computers that were still running Windows XP.
The costs of goods and services turn out to be a major inhibitor in the system. Paid entirely with annual tax revenues (roughly $155 billion in U.S. dollars), the government-run NHS treats people for free. This means there is practically no money available for IoT spending, let alone an operating system upgrade.
Rather than investment in big iron such as CAT scanners and magnetic resonance imaging systems, we perceive a movement toward using mobile devices, including cell phones, as wireless patient monitors. The adoption of wireless electronic health records (EHRs), expected to exceed $23 billion in revenues in 2018, is one indication of this trend.
An EHR is more than just a digital version of the paper chart on a clipboard at a nurses' station. EHRs now include patient billing data and demographics, medical histories, medications, diagnostics and recommended treatments. They also encode specialist data such as that used by laboratories, medical imaging facilities, pharmacies, and emergency rooms.
The good news is that good security already exists at the level of the wireless patient monitor, in the form of Bluetooth Low Energy (BLE) and near-field communication (NFC).
NFC requires the transmitting and receiving devices to be in very close proximity to each other. Thus, NFC provides a measure of physical security by making it tough to eavesdrop or mount a man-in-the-middle attack. Additional security may be needed for other over-the-air wireless links.
BLE uses 128-bit encryption and a specialized key-generation procedure that offers excellent protection from passive eavesdropping. Bluetooth can also prevent man-in-the-middle attacks, comparable to HTTPS, a popular secure log-in protocol that unfortunately is used by only five percent of the world's computers.
--Rudy Ramos is the project manager for the Technical Content Marketing team at Mouser Electronics.