Hey 42, here on the 12th of May 2017, thousands of hospital staff in the UK, from nurses to surgeons, turned on their computers to begin that day of work, as they usually do. But on that day they were not greeted with a login prompt, but this oops, your files have been encrypted.
Their computer was completely locked down unable to do anything except view. This sinister message: it stated that all their files have been encrypted and the only way to decrypt that was to pay 300 US dollars worth of Bitcoin to some anonymous entity.
Over 40 National Health Service facilities across Britain had been infected with a virus later known as wan na cry it ground the NHS to a halt and many appointments and crucial surgeries had to be canceled.
The water cry malware also infected among others, Russian banks and government ministries, Spanish oil and telephone companies, car makers and France and private individuals. Worldwide water cry was able to spread so quickly because it’s, exploited a vulnerability in Windows.
Smb communications protocol, specifically wan na cry, contained a piece of code or tool known as eternal blue that was able to effortlessly exploit this particular vulnerability. A tonal blue was developed by the NSA most likely to spy on people.
Eternal blue was stolen and distributed by a group known as the shadow brokers. Luckily, a security researcher in the UK discovered that whoever had developed this insidious ransom war had a Bertolli included a kill switch.
The virus would repeatedly ping a gibberish domain name to see if it was registered, but it wasn’t. So out of pure curiosity, he registered not domain and all of a sudden wan na cry stop spreading worldwide.
It simply shut itself down many of the details of wan na cry point to the fact that whoever developed it was actually somewhat of an amateur stas. They package it with a relatively obvious, kill switch and there was no automatic system to decrypt to use his data once the ransom had been paid.
It had to be done manually. It was actually just riding off the back of the masterfully powerful and considerably more professionally written, eternal blue NSA hack. The US, UK and Australia pointed the finger of blame at North Korea, but whoever did develop wan na cry.
It brought to light a festering issue that has always been at the heart of public services, a ticking time bomb that was only waiting to go off and will no doubt to go off again. I am talking about the insecurity of computer services that run our public industries, and nowhere is that security more crucial than us, a hospital, but as it turns out, hospitals and other healthcare services have some of the worst computer security of any public service.
What a cry proved that, and it’s only a matter of time before something similar to one. A cry proves that, yet again, the frustrating part of this story is that the NHS who were the worst affected by wan na cry of any organisation in the world could have safeguarded themselves against the attack with a simple computer update.
Water cry could affect Windows, XP and Windows 7. There was security updates already in place to protect against the faulty SMB protocol for Windows 7, but Windows XP very publicly, stopped being updated by Microsoft, all the way back in 2014, three years before the attack, but guess what in 2017, when one a Christ struck? Four point: seven percent of computers in the NHS were still running Windows XP, mostly because the amount of medical software such as x-ray imaging applications that only run on XP made it prohibitively expensive for the NHS to upgrade certain machines.
But this fatal mistake also left the doors wide open for abilities and malware. Some of the software used by the NHS and other healthcare companies around the world was developed by companies that are no longer in business.
Don’t get me wrong. The NHS and offer Hospital Association’s around the world do invest a significant amount into IT security, but all this research goes into protecting patient data and privacy, because that’s.
The most likely weakness that, if overlooked, could get hospitals into huge hot water, but there’s. A lot more to network security than just protecting data, especially when thousands of lives are on the line every single day, and I’m far from exaggerating the risks to public health that poor Hospital cybersecurity poses.
In early 2019, an israeli researcher published a paper that showed how it would be possible for a hacker, with only moderate skills, to adjust 3d brain scans using deep learning. The idea would be to target a specific high profile, individual, who is undergoing of routine brain scan or lung scan and tamper, with the results to show the presence of a brain of lung tumor, when in fact, there is no cancer at all a rival state or Terrorist organization could use this very technique to stop a political candidate in their tracks, tricking them into undergoing debilitating career and life, ruining cancer treatments for no reason whatsoever.
But of course it won’t just be high-profile individuals whose lives could be ruined by hospital hacks. A report in 2018, a year after wan na cry, revealed that poor IT practices and security in Britain’s.
National Health Service cost. Nine hundred patient lives per year and that’s, a conservative estimate. Some of these are due to simple computer errors. That, for example, may fail to spot drug overdoses.
So if poor day-to-day computer practices are already causing deaths, imagine what would happen if wan na cry 2.0 or whatever the next big virus is rikes. What a cry was far from us insidious and damaging as a computer virus can be, but parts of it were fairly basic and amateur the potential for a rogue state to invade the IT systems of hospitals is alarmingly high and not just in the UK, but in Every country they all have piss-poor security must have, it could be caused even physical damage to machinery and potentially thousands of patients could lose their lives due to an IT failure.
If healthcare, IT security standards, don’t rapidly increase. Then it’s only a matter of time until it happens, but surely NHS IT. Security has been entirely overhauled and tightened up since wan na cry.
Think again, the same report from 2018 assess the overall IT security of 200 NHS trusts post wan na cry. Every single one failed to meet the required standards that’s right. All 200 hospitals fell short of decent levels of computer security.
The professor of computer science, at Swansea University, Harold Finley, said that the levels of IT security across the entire NHS are so shoddy that’s quote there isn’t a word to describe how bad it is.
Unquote. Us hospitals, mostly dodged wan na cry infections, due to a combination of luck and better adherence to software updates, but they are by no means invulnerable to malware and if anything, that hasn’t yet been a large-scale malware.
That has infected a significant number of us-based hospitals which actually may work against them in the future, because it will be a greater shock when it does come and hospitals will be less prepared all over the world.
Hospital cybersecurity is terrible, but why it has a lot to do with the staff who work in hospitals on a daily basis. Don’t. Get me wrong. I’m, not blaming the incredible doctors, nurses and auxilary support staff for wan na cry or similar breaches.
But the issue is that they are rightly so more focused on patient Kenna than what’s going on inside the wards computers and they receive little to no cybersecurity training, so basic IT security practices are rarely followed.
In fact, because management puts little emphasis on the importance of computer security, those working on the wards often take shortcuts and liberties with their computers that severely weaken security.
For instance, a typical ultrasound machine will require a password to use it, but when interviewed, staff in most hospitals reveals that they will simply create one shared password that everyone who might possibly want to use.
Yatra sound has access to and sometimes that password may even be written down somewhere close to the machine itself, so they can quickly treat patients without remembering their unique password. I’m fairly.
Certain that I don’t need to explain to you how disastrously insecure that is also there’s. Usually, no measures in place to stop ward staff from using their personal devices and plugging them into the USB ports of hospital computers, which means the potential entry points for a virus to enter the hospital’s.
Apparently private network are plentiful. All it would require is a skilled hacker to implant malware on the smartphone or even a USB. Stick of any hospital staff from a nurse to a cleaner. Then simply wait for the inevitable to happen, which is that device being interfaced with one of the thousands of hospital computers, just like transmission of actual viruses, is greatly minimized through strict hygiene protocols on hospital wards similar and just as stringent procedures need to be introduced.
For the digital variety, just compare the hospital industry to another large scale, public industry that has some of the best IT security banks and you’ll quickly, see why hospital security pales in comparison and is actually embarrassingly weak.
Yet I would say that protecting lives is far more important than money. Forest arts there’s. What’s referred to as physical or on-site security? Here, the difference is most stock walk into any high street bank.
What computer systems could you physically torch a mess with if you wanted to without pulling a gun on the staff and forced them to lead you into a back room, 99 % of the time? Your only answer to this would be an ATM or some shitty touchscreen help desk, that’s.
It each of these are highly specialized machines and they have absolutely zero network interaction with the critical systems that run the bank and keep people’s. Money safe now. Compare this to any hospital.
You went to a gigantic building full of empty corridors and empty rooms, plenty of places to hide and seek around many of the rooms have computer terminals in them left unattended. It’s, usually not that difficult to enter a quiet office where a computer has been left logged in by a nurse who needed to run off to attend to a patient.
There have been examples of skilled pen testers, a planting malware on such computer systems without a single person asking them what they’re doing. It’s, far easier to do this during a night when fewer people are around, but that’s, just fine, because hospitals run 24/7 and online security is not too different.
Either. Bank security is vastly superior to your average hospital. In this realm, the vast majority of the systems are transfer, customer data or funds over the Internet are designed by or at least managed in-house, by that bank.
This means that every loose end can be tied up and it reduces the possible vulnerabilities by reducing the amount of third-party software needed. This is sometimes referred to as minimizing the hackable surface area of a system.
Hospitals are the polar opposites. The majority of software used by hospital computers are developed by a multitude of other companies in the private sector, then licensed to hospitals from authentication systems to transfer protocols used to send sensitive patient records to offer services in the healthcare system.
The hacker will surface area of hospital networks is many times larger. There are thousands of different hospital systems that talk to one another within any nation’s, healthcare infrastructure. The issue is that each such third-party software adds another layer of complexity to the whole system and when it comes to hacking, complex and cumbersome, software is the ideal target, because it is just statistically more likely to have books and vulnerabilities than a more lightweight and streamlined Alternative the number of potential cyber security holes within healthcare is enormous ly higher than in banking.
Unfortunately, it looks like it’s, going to take a few more wan na cry style. Global malware scares to affect public services before significant changes are made as to current rate of improvement, is nowhere near where it should be honestly.
I think the best solution would be to take the responsibility of IT. Security in organizations such as the NHS away from Barbara from Sheffield and put it into their hands of those a thousand times more capable this can be done by migrating existing in-house systems to software as a service providers such as Google cloud or Amazon Web Services.
This way, almost 100 percent of the security software updates bug fixes data protection, backups, encryption, decryption transfer protocols, databases and redundancy are managed by tech giants such as Google or Amazon on behalf of the NHS and let’s be real here.
These Silicon Valley companies are able to perform all these services at a market-leading level that the NHS and similar organizations all over the world could never reach or even begin to fund if they wanted to.
Of course, there will be those who have huge objections to sensitive patient data being stored on Google or Amazon servers, but there are ways around that pretty much every service you already use today is stored on those servers from Instagram to Netflix.
Proper encryption protocols can ensure that Google or Amazon can store that data without ever seeing what it is. If such a solution could save a few hundred lives or more each year, then I’m on board, which leads me nicely on to today’s, sponsor dust lee who will store all of your passwords in a super safe way without Ever having to access them or allowing anyone, but you to view them Lane is a password manager that creates strong and unique passwords for all of your online accounts and also fills them.
So you never have to click forgot password ever again and you don’t, have to sweat about the extremely rare chance that the same could be breached because lanes safely stores and decrypt your data on your local device.
Only using your master password. This means that Lane never has access to your personal data, and any hacker would only see random noise. Lane also also fills your credit card information whilst online shopping, so you can make purchases without even having to fetch your wallet.
It also has a VPN with country. Select so you can access any Content, stay secure and protect your privacy. At the same time with dashlane you’ll, be alerted if any of your accounts or data are breached.
It also has a dark web monitoring system that will immediately let you know if your personal information appears on the dark web, where it can be seen by hackers or spammers. Even if the public services you use everyday are insecure, you can take the steps to improve your personal security and be safe in the knowledge that your data and all of your accounts are completely protected by simply using dust lane.
For my experience, Lane is the best all bases, covered security and time-saving tool out there, and if you visit my unique promo link in the description, you can get a free premium trial of dashlane for 30 days plus.
If you enter 42, it checkout. You will get 10 % of dust Lane premium thanks for watching and thanks again to dash lane for sponsoring this article, don’t forget to check them out using the link below