Australia may have gotten off lightly in the WannaCry global ransomware attack, but if your systems aren’t up to date, you should still be worried
The WannaCry ransomware attack started last Friday and spread over the weekend, infecting hundreds of thousands of computers worldwide.
Small businesses such as pharmacy are often complacent about keeping on top of cyber-security, says Professor Matthew Warren, Professor of Cyber Security and Deputy Director of Deakin’s Centre for Cyber Security Research.
“Only three SMEs were affected in Australia, so compared to the rest of the world, that’s very light, and I think a lot of that was due to the fact that the Government was so proactive over the weekend,” Prof Warren told the AJP.
WannaCry acted differently from other ransomware in that it contained a worm which, once the malware was downloaded, sought out other computers and was thus able to lock down entire organisations.
“This is what we saw in the UK, at the NHS,” Prof Warren says. “In many cases, we see that small organisations aren’t prepared, and in this case we saw that large organisations weren’t prepared.
“Microsoft actually released a solution to the WannaCry problem in March – people only needed to patch their machines.
“But people are very bad at patching and updating their systems. Small businesses like pharmacy often don’t tend to be proactive about security, and from a cost perspective they use older versions of technology.”
Prof Warren said that the NHS was also using Windows NT systems across health services. This was one of several systems which Windows had stopped supporting via security patches, until the software provider took the highly unusual step of issuing the patch.
“Because of cost, the NHS was still running those obsolete systems,” Prof Warren says. “And pharmacies, from that cost perspective, may still be using older technology that may not be supported by manufacturers any more. That’s a major security issue for them.”
Employee pharmacists have told the AJP of their own experiences with previous ransomware attacks, one of which involved a pharmacy which backed up its systems overnight… but left its portable hard drive attached to the PC overnight.
“The back up was encrypted,” this pharmacist said. “Luckily they discovered their POS also did a back up to the cloud so they were able to get this data.”
Another told of a pharmacy which was affected by ransomware and had to reformat all computers and reinstall all programs, having not taken notice of provider newsletter warnings to keep systems up to date.
In both cases the pharmacies found themselves unable to dispense prescriptions for a time.
Pharmacy Board of Australia Chair William Kelly says proprietor pharmacists must ensure that confidential patient information is appropriately stored and accessed.
Pharmacists have an obligation to maintain patient records securely, especially when considering solutions for back-up storage of such information, he said.
Guideline 9.2 Protection of electronic data in the Board’s revised Guidelines for dispensing of medicines provides additional and updated guidance for pharmacists on this matter, including the need for appropriate backup and disaster recovery processes.
The previous guidelines were retired in December 2015.
The Board’s Code of conduct for registered pharmacists also states:
“Maintaining clear and accurate health records is essential for the continuing good care of patients or clients. …Good practice involves:
- b) ensuring that records are held securely and are not subject to unauthorised access, regardless of whether they are held electronically and/or in hard copy.”
Another expert, Dr Mark Gregory, Senior Lecturer in the School of Electrical and Computer Engineering at RMIT University, warns that the WannaCry ransomware is likely to be adapted and released again in the coming days or weeks.
“So it is vital that we take the time to ensure that we’re prepared,” he says.
“For organisations, it is important to subscribe to organisations, like the Australian Cyber Security Centre, to receive threat notifications so that early action can prevent a threat from becoming an unwanted incident.”
Prof Warren says that ransomware generally works when “someone gets sent an email with a link, then they click on that link and the malware is downloaded into their computer”.
“Once it’s installed, it locks the computer up, hence the ransomware request for payment, usually in bitcoins, to unlock the computer.
“There’s phishing and there’s spear phishing. Phishing is just general emails sent out to a global email spamming list.
“Spear phishing is where specific individuals or businesses are sought out. Reconnaissance is done. Someone may pretend to be a friend, someone you’ve met at a conference.
“From the attacker’s perspective, they know it’s only about 0.05% of people who will be victims, so generally the larger number of emails they send out, the greater the return. So what you would not see is a situation where pharmacies themselves were necessarily targeted, but they may be targeted in a mass email campaign.”
The recent ACCC report Targeting Scams reveals more than 4700 people had their computers held ransom from supposed Australia Post emails, while 2224 were duped by emails claiming to be from the Australian Federal Police.
Prof Warren says that as they’re operating on a short time frame and seek the greatest possible return on investment, criminals tend to target larger organisations such as banks if they are hacking systems instead of using malware.
Thus while privacy concerns over their health history may be something that worries a pharmacy’s consumers, their data is likely to be simply locked up in a ransomware attack rather than held for blackmail by hackers, he says.
But pharmacies can still lose enormous goodwill over the perception that health data is not safe, Prof Warren warns.
“When a cyber attack occurs, customers lose trust in the organisation,” he says. “If you’re a small business, to lose that trust can have a catastrophic impact and your business could potentially dry up.”
He also warns pharmacies not to pay the ransom, but to seek outside advice if affected by WannaCry or any other ransomware.
“If you pay a ransom, then one, your machine may not be released, and two, it will just happen again and again, and depending on the nature of the ransomware attack they may not be after just bitcoin, but your credit card details.
“So it’s a case of seeking advice from an IT professional to resolve it.
“In an ideal world, the data would have been backed up or stored on another drive, and so if that machine was locked down, you could just go to another.”
The Pharmacy Guild has issued a security update offering more advice on recognising suspect emails and protecting systems. Click here for more information.