Health IT, under attack

With the recent news of the WannaCry ransomware attack and how it particularly hurt UK hospitals, I figured it was appropriate to link to our writeup of An Academic Medical Center's Response to Widespread Computer Failure (PubMed / ResearchGate). This was our experience in the hours and days following a botched 2010 McAfee antivirus update, which began attacking a core component of Windows and rendered PCs unusable. While accidental, in many ways it resembled a cyberattack.

Of course, there's been great coverage of the attack and its implications. Halamka was quoted:

“By prioritizing clinical functionality and uptime, healthcare organizations may not always have the most up-to-date software. Thus, healthcare, in general, may be more vulnerable than other industries to cyberattacks, and the scope of the impact to the NHS in the U.K. illustrates the problem.”
He said that some mission-critical systems were built years ago and never migrated to today’s modern platforms. In 2017, there are still commercial products that require Windows XP for which few patches are available, he said.

Other useful perspectives on healthcare IT's vulnerabilities emphasize HIPAA / business associate concerns when accepting patches. Lessons abound. Hopefully we'll learn them well enough to prevent future episodes.