cyber security

How WannaCry caused global panic but failed to turn much of a profit

The cyber-attack hit 200,000 computers and a number of big global organisations. But it has only made $82,000 in ransom so far.

The recent WannaCry cyber-attack led to panic across the globe, showing just how important it is for organisations to have secure operating systems. This was not even the most sophisticated malware around. Numerous networks could easily cope with it and it largely hit legacy operating systems such as Windows XP.

In most corporate infrastructures, there would be no sign of Windows XP – and it seems unbelievable from a security perspective that the national health service of an advanced economy like the United Kingdom would run its critical infrastructure on such an unsafe, antiquated system.

Perhaps the most striking aspect of this recent attack is how unsuccessful it has been in terms of generating a ransom. As well as the National Health Service in the UK, it hit French car manufacturer Renault, US delivery service FedEx, Russia’s interior ministry and Spanish telecoms and gas companies. Yet, ransom payments currently total only around $82,000.

The chart shows the current balance of the three Bitcoin addresses known to be associated with the WannaCry ransomware. Source: Elliptic.
The chart shows the current balance of the three Bitcoin addresses known to be associated with the WannaCry ransomware. Source: Elliptic.

This is minuscule when we compare it to other ransomware attacks. CryptoWall made its author $325 million with over 406,000 attempted infections.

The interesting thing about the WannaCry ransomware is that it mostly hit large organisations with legacy networks – and they will often not pay ransoms as they have back-ups or run their data from a central server. Thus, despite more than 200,000 infections worldwide, there have been fewer than 200 payments.

The weak impact is because this is a different type of ransomware. The most successful ones spread through spear phishing emails and target individuals and small businesses, which often do not have back-ups. This ransomware was different in that it spread of its own accord through unpatched systems (systems that had not followed recent warnings to protect against a virus and back-up their files) – as a worm. But it is humans that are generally the weakest link when it comes to information security.

The perfect crime?

Ransomware is almost the perfect information technology crime. If an online criminal can trick you into installing malware, they can then lock your files and hold them ransom until you pay them a release fee. Only a secret encryption key, which they hold, can release the files.

It is simple, but highly effective. No virus scanner or law enforcement professional will be able to unlock your files unless they have the magic encryption key, and the longer the target takes to pay for it, the greater the risk there is to their business. As with any malware, though, there might be bugs in the software, so there’s no guarantee that you’ll get your files back, even if you do as the blackmailers say. And there’s always the risk that they will just ask for more money once you pay them. Some malware increases its ransom demands over time, ultimately deleting all the files affected.

Nonetheless, it means that the success rate of the crime is incredibly high – at around 65%, as sensitive and important documents are often the target of the infection.

Success rate for ransomware. Source: Trent Micro - New Research: Uncovering the Truth About Ransomware.
Success rate for ransomware. Source: Trent Micro - New Research: Uncovering the Truth About Ransomware.

Increasing infections

Computer security firm Trend Micro surveyed over 300 information technology decision makers in the United Kingdomin September 2016 and found that 44% of businesses have been affected by ransomware over the last two years. The same survey found 79 new types of ransomware in the first nine months of that year. This compared to just 29 in the whole of 2015.

This is a great worry for many companies. The impact on those affected by the infection can be costly, with an average of 33 person hours taken to fix it.

In around 20% of the cases, £1,000 was requested, with an overall average of £540. Some large organisations faced demands of as much as £1 million. But for many companies, this is the tip of the iceberg as it can be costly for a company in terms of reputation as customers could start seeing them as untrustworthy.

Perhaps the most frightening statistic that Trend Micro found was that in one in five cases, even when the company paid the ransom, they were unable to recover their important files – indicating that the ransomware service is not quite as robust as it should be.

If you ask many security professionals, the recent WannaCry ransomware was fairly easy to defend against, and was fairly unsophisticated. What it clearly shows is that there is still more success in tricking individuals than in spreading malware across large networks. The National Health Service does, though, need to make sure that not one unpatched computer ever goes near its network, and that employees understand that they shouldn’t click on suspicious links.

Meanwhile, with law enforcement agencies focused on the three Bitcoin wallets associated with WannaCry to try and find out who profits, there will be a whole lot more ransomware that goes unreported and unnoticed.
This article first appeared on The Conversation.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

What hospitals can do to drive entrepreneurship and enhance patient experience

Hospitals can perform better by partnering with entrepreneurs and encouraging a culture of intrapreneurship focused on customer centricity.

At the Emory University Hospital in Atlanta, visitors don’t have to worry about navigating their way across the complex hospital premises. All they need to do is download wayfinding tools from the installed digital signage onto their smartphone and get step by step directions. Other hospitals have digital signage in surgical waiting rooms that share surgery updates with the anxious families waiting outside, or offer general information to visitors in waiting rooms. Many others use digital registration tools to reduce check-in time or have Smart TVs in patient rooms that serve educational and anxiety alleviating content.

Most of these tech enabled solutions have emerged as hospitals look for better ways to enhance patient experience – one of the top criteria in evaluating hospital performance. Patient experience accounts for 25% of a hospital’s Value-Based Purchasing (VBP) score as per the US government’s Centres for Medicare and Mediaid Services (CMS) programme. As a Mckinsey report says, hospitals need to break down a patient’s journey into various aspects, clinical and non-clinical, and seek ways of improving every touch point in the journey. As hospitals also need to focus on delivering quality healthcare, they are increasingly collaborating with entrepreneurs who offer such patient centric solutions or encouraging innovative intrapreneurship within the organization.

At the Hospital Leadership Summit hosted by Abbott, some of the speakers from diverse industry backgrounds brought up the role of entrepreneurship in order to deliver on patient experience.

Getting the best from collaborations

Speakers such as Dr Naresh Trehan, Chairman and Managing Director - Medanta Hospitals, and Meena Ganesh, CEO and MD - Portea Medical, who spoke at the panel discussion on “Are we fit for the world of new consumers?”, highlighted the importance of collaborating with entrepreneurs to fill the gaps in the patient experience eco system. As Dr Trehan says, “As healthcare service providers we are too steeped in our own work. So even though we may realize there are gaps in customer experience delivery, we don’t want to get distracted from our core job, which is healthcare delivery. We would rather leave the job of filling those gaps to an outsider who can do it well.”

Meena Ganesh shares a similar view when she says that entrepreneurs offer an outsider’s fresh perspective on the existing gaps in healthcare. They are therefore better equipped to offer disruptive technology solutions that put the customer right at the center. Her own venture, Portea Medical, was born out of a need in the hitherto unaddressed area of patient experience – quality home care.

There are enough examples of hospitals that have gained significantly by partnering with or investing in such ventures. For example, the Children’s Medical Centre in Dallas actively invests in tech startups to offer better care to its patients. One such startup produces sensors smaller than a grain of sand, that can be embedded in pills to alert caregivers if a medication has been taken or not. Another app delivers care givers at customers’ door step for check-ups. Providence St Joseph’s Health, that has medical centres across the U.S., has invested in a range of startups that address different patient needs – from patient feedback and wearable monitoring devices to remote video interpretation and surgical blood loss monitoring. UNC Hospital in North Carolina uses a change management platform developed by a startup in order to improve patient experience at its Emergency and Dermatology departments. The platform essentially comes with a friendly and non-intrusive way to gather patient feedback.

When intrapreneurship can lead to patient centric innovation

Hospitals can also encourage a culture of intrapreneurship within the organization. According to Meena Ganesh, this would mean building a ‘listening organization’ because as she says, listening and being open to new ideas leads to innovation. Santosh Desai, MD& CEO - Future Brands Ltd, who was also part of the panel discussion, feels that most innovations are a result of looking at “large cultural shifts, outside the frame of narrow business”. So hospitals will need to encourage enterprising professionals in the organization to observe behavior trends as part of the ideation process. Also, as Dr Ram Narain, Executive Director, Kokilaben Dhirubhai Ambani Hospital, points out, they will need to tell the employees who have the potential to drive innovative initiatives, “Do not fail, but if you fail, we still back you.” Innovative companies such as Google actively follow this practice, allowing employees to pick projects they are passionate about and work on them to deliver fresh solutions.

Realizing the need to encourage new ideas among employees to enhance patient experience, many healthcare enterprises are instituting innovative strategies. Henry Ford System, for example, began a system of rewarding great employee ideas. One internal contest was around clinical applications for wearable technology. The incentive was particularly attractive – a cash prize of $ 10,000 to the winners. Not surprisingly, the employees came up with some very innovative ideas that included: a system to record mobility of acute care patients through wearable trackers, health reminder system for elderly patients and mobile game interface with activity trackers to encourage children towards exercising. The employees admitted later that the exercise was so interesting that they would have participated in it even without a cash prize incentive.

Another example is Penn Medicine in Philadelphia which launched an ‘innovation tournament’ across the organization as part of its efforts to improve patient care. Participants worked with professors from Wharton Business School to prepare for the ideas challenge. More than 1,750 ideas were submitted by 1,400 participants, out of which 10 were selected. The focus was on getting ideas around the front end and some of the submitted ideas included:

  • Check-out management: Exclusive waiting rooms with TV, Internet and other facilities for patients waiting to be discharged so as to reduce space congestion and make their waiting time more comfortable.
  • Space for emotional privacy: An exclusive and friendly space for individuals and families to mourn the loss of dear ones in private.
  • Online patient organizer: A web based app that helps first time patients prepare better for their appointment by providing check lists for documents, medicines, etc to be carried and giving information regarding the hospital navigation, the consulting doctor etc.
  • Help for non-English speakers: Iconography cards to help non-English speaking patients express themselves and seek help in case of emergencies or other situations.

As Arlen Meyers, MD, President and CEO of the Society of Physician Entrepreneurs, says in a report, although many good ideas come from the front line, physicians must also be encouraged to think innovatively about patient experience. An academic study also builds a strong case to encourage intrapreneurship among nurses. Given they comprise a large part of the front-line staff for healthcare delivery, nurses should also be given the freedom to create and design innovative systems for improving patient experience.

According to a Harvard Business Review article quoted in a university study, employees who have the potential to be intrapreneurs, show some marked characteristics. These include a sense of ownership, perseverance, emotional intelligence and the ability to look at the big picture along with the desire, and ideas, to improve it. But trust and support of the management is essential to bringing out and taking the ideas forward.

Creating an environment conducive to innovation is the first step to bringing about innovation-driven outcomes. These were just some of the insights on healthcare management gleaned from the Hospital Leadership Summit hosted by Abbott. In over 150 countries, Abbott, which is among the top 100 global innovator companies, is working with hospitals and healthcare professionals to improve the quality of health services.

To read more content on best practices for hospital leaders, visit Abbott’s Bringing Health to Life portal here.

This article was produced on behalf of Abbott by the Scroll.in marketing team and not by the Scroll.in editorial staff.