Lack of trained IT professionals and insufficient budget are plaguing the health care industry with massive cyber security incidents. The latest WannaCry ransomware epidemic in May 2017 infected over 230,000 computers in over 150 countries. The National Health Service (NHS) in Britain, was severely affected. It was initially believed that the attack had been targeted at the NHS, but it was not so. The attack infected systems across the UK, Russia, Spain, India and China. This should offer some sort of relief for the NHS that it was not being specifically targeted to them.
The reason for the widespread infection has been attributed to computers that were running on Microsoft Windows operating systems that were no longer being supported (security updates) by Microsoft. Operating systems such as XP, Vista, Win 7, etc..., do not receive support anymore. Microsoft recommends upgrading to the latest operating system- Win 10 that is considered to offer better security.
The N.H.S. still uses many computers that run Windows XP, a very popular but out-of-date software. The NHS had a contract with Microsoft for software updates, but it expired two years ago. It has remained vulnerable till now. The reasons stated are — budgetary issues, and more importance being given to upgrading medical equipment and treatment facilities. And this reasoning is justifiable.
The WannaCry attack can be considered to be a wake-up call for health care systems to allocate higher budgets for IT cyber security. The inaccessibility of patient health data and other information had led to significant difficulties with many surgeries and other treatments having to be postponed. Physicians and surgeons could not access the patient data to provide treatment.
The health care industry would be in a dilemma on how to allocate their limited budgets and still ensure security from malware attacks. It must also be remembered that many medical devices are IoT devices which can be affected by malware.
The health care industry has the following options:
1. Have a skilled IT security team (allocate sufficient budget). Upgrade all operating systems and keep them updated with the latest patches. This may not be feasible if the hospital is not able to maintain sufficient skilled IT personnel. There would be many routine tasks and keeping all of the different operating systems and applications updated with the latest updates and patches may not be possible. It may be a near impossible task, or it may not be done properly. This is when security would fail. Furthermore, many hospitals may also use different types of devices in their network — workstations, laptops, smartphones, tablets, etc..., and BYOD may also be allowed. All these add to the burden on IT administrators, and patch management is put on the back burner.
2. Now hospitals must wake up, and look out for optimal solutions. They must consider subscribing to a Managed Services Provider (MSP) who would be able to secure all of the hospital's IT related solutions. Typically, MSPs offer Remote Monitoring and Management (RMM) involving Mobile Device Management and Patch Management to secure all the systems. As most of the features are cloud-based the effectiveness of these systems is many-fold. These systems offer better, more effective and easier management of the IT systems and network.
Overall better IT security is ensured with immense cost-benefits in the long-run, with the hospitals being able to better focus on providing — healthcare.