Dive Brief:
- WannaCry, the malware that reached 200,000 targets worldwide two years ago, is still prevalent and is actively attacking healthcare companies, according to a report from cybersecurity firm Armis.
- About 40% of healthcare delivery organizations have experienced at least one WannaCry attack in the last six months, largely because of older, unmanaged devices that are difficult to patch, according to the report.
- The findings come a week after Microsoft disclosed a vulnerability in Windows 7 and other older operating systems the malware could exploit. The healthcare sector has the highest rate of using older systems — followed by manufacturing and retail — with more than 70% of organizations using Windows 7 or older versions, according to Armis.
Dive Insight:
Two years ago this month, WannaCry made headlines when the malware spread to more than 100 countries. About 40 U.K. hospitals were forced to suspend normal services and accept only emergency patients. A few months later, a new form of the virus was blamed for disrupting a North Carolina health system, forcing it to shut down its network.
WannaCry remains very much a threat, according to Armis.
"In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling," Ben Seri, VP of research at Armis, said in the report.
Device security is a major concern for healthcare organizations. Legacy systems lack basic cybersecurity controls and often aren't properly vetted before connecting to a network, according to research from Vectra.
Verizon's 2019 mobile security survey found that more than three-quarters of respondents felt IoT devices presented the greatest cybersecurity threat for hospitals.
FDA is working to push organizations toward better security. Its Medical Device Safety Action Plan calls on manufacturers to put security updates and patch capabilities into products at the design stage and dictates procedures for disclosing potential vulnerabilities after market.
Armis said more than $325 million has been paid out in ransom for WannaCry, part of a more than $4 billion price tag when disruption costs are included.
The virus is active in 103 countries and more than 145,000 devices are compromised worldwide. At least 3,500 attacks are successful per hour, according to Armis, which notes that even a single infected device "can be used by hackers to breach your entire network."
But many healthcare organizations aren't devoting a lot of resources to shoring up their systems. Most don't have a C-suite leader dedicated to managing cybersecurity and barely more than half routinely conduct risk assessments, according to Black Book Market Research.