Following WannaCry, HIT Needs to Stay Current
By Sumir Karayi
It's been quite a year for IT. The WannaCry and Petya outbreaks between them infected upward of a million organizations, and both attempted to exploit vulnerabilities in the operating system that should have been patched months before the attack.
In some sense, it was unfair that, of all the hundreds of thousands of organizations infected by the first of these attacks, WannaCry, the victim that tends to stick in everyone's head was the United Kingdom's National Health Service (NHS). This was perhaps inevitable, given the NHS's history and global reputation. However, there is also some logic in the NHS becoming WannaCry's emblematic victim.
After all, you won't find a more labyrinthine institution than one charged with providing health care (that endlessly multifaceted thing) to an entire population of more than 70 million people. And with myriad different regional and specialist departments, as well as a staggering 1.5 million employees using thousands of specialist, life-and-death applications for their work, the need to stay current with regard to software couldn't be more vital.
That latter point, of course, is the irony at the heart of the event. The day-to-day needs of the health service make software upgrades difficult, and even risky. Yet, simultaneously, the longer an organization avoids this one risk, the greater the other risk (arising from the vulnerability caused by being out of date) becomes.
In many ways, of course, the NHS is an exceptional case. However, smaller health care providers in more fragmented markets (such as the United States) will face similar problems.
Earlier this year, 1E published "State of the Migration: Enterprise Windows 10 in 2017," a survey of more than 1,000 US IT professionals. It found that a meager 9% had completed their migration—great news for the likes of those who gave the world WannaCry and who depend upon perennially outdated operating systems and patching processes. Isolating the results from those respondents who worked in health care (a significant 15%) reveals that this sector does indeed lag when it comes to operating system (OS) migrations.
While 38% of respondents said they were currently undergoing a Windows 10 migration, that percentage fell to 28% for health industry respondents. And although there seemed to be a concerted intent to remedy this in 2018, with 17% of health industry respondents planning to begin the process next year (as opposed to the survey's 10% average), that doesn't make things much better if the expected industry-specific duration times for migration hold true.
Overall, organizations expected their transition to Windows 10 to take some time regardless of industry; 33% expect theirs to take a year and a half or more. However, this shot up to 44% for the health care industry.
When you consider the nature of the industry—the dispersal into different centers of expertise and geographical territories, the importance of specialist applications, etc.—this spike will come as no surprise. Nonetheless, when you combine the slow pace of migration with this understandable tendency to delay and procrastinate, you get a context in which what happened to the NHS will inevitably recur.
Is it, though, a case of an industry being caught between a rock and a hard place? On the one hand, migration is long, costly, and risky; on the other, it can be just as (or more) dangerous to tether yourself to an out-of-date OS. The relevance is not, of course, limited to an OS migration. Updates of all sorts, including vital security patches, are becoming increasingly frequent and taxing. Meanwhile, threats become increasingly onerous.
Can better habits become a reality? Can the health care sector aspire to stay current? The solution lies in automation—without it, the process involves touching every single machine, a prohibitively slow and expensive process. Microsoft System Center Configuration Manager (SCCM) itself does a good job, and there are third parties who leverage the Microsoft solution to complete the automation steps and provide a practical solution to staying current.
Riverside Health Systems is a US health care provider that embraced automation around the time of its Windows 7 migration. Before it looked at automation, Riverside was facing having to bring in around $600,000 worth of labor. In addition to those savings, Riverside cut its expected migration time down from three years to one. Now it has instigated a Windows 10 migration, with the same combination of Microsoft SCCM and third-party tools.
If the health care industry wants to avoid being a sitting target for cyber attackers for years to come, it is going to have to follow Riverside's example and automate.
— Sumir Karayi is founder and CEO of 1E.