Hacking of Computers in FDA Regulated Industries Exposes Common Flaw

Last week’s worldwide “ransomware” attack, which affected more than 200,000 computers in 150 countries, could have been easily averted if computers had been updated with a software patch released 2 months ago by Microsoft. But is it that simple? Is it fair to blame the victims? Some of the biggest victims were hospitals and other healthcare institutions, leading to the shutdown of critical emergency care systems. The episode exposes common flaws at many healthcare organizations that manage patient data and should be concerning to everyone else. The affected organizations were aware of the software patch but had not got around to implementing it. Many victims were using Windows XP, which was released 17 years ago and has not even been supported by Microsoft for the last three years. The security flaw that led to the attack was present in all non-updated and/or outdated computers. But the flaw was exploited by hackers because of personnel who did not follow good email hygiene practices on work computers.

It should be well entrenched in all training that if you don’t recognize the email address, or if the email has strange content, do not open it, and if you do open it, do not click links or download files. If you fear a computer infection, inform your IT security personnel immediately so the damage can be contained. Make copies of everything so that if a computer is compromised there is a back-up which will allow operations to continue with minimal interruption. It is fair to blame the IT infrastructure at companies that requires long delays to update systems, but cybersecurity should be a multi-dimensional activity. Almost all hacking attacks start with someone making an error. Your systems are mostly only as protected as the people using them.

FDA regulations require access control so unauthorized personnel cannot access systems, back-up and storage of data so data is never lost, maintenance of computer systems so they are current, and timely troubleshooting so any errors can be contained before propagation. All computer systems must be compliant with 21 CFR Part 11. Since FDA does not directly regulate hospital computer systems, these laws will not apply to most healthcare organizations. There is a silver lining though, for now: most people have become aware of the importance of updating their computers promptly. But habits are not easy to kill. Email hygiene should be an essential part of training. It was expected after the first attack that more would follow immediately after the first one was contained, which thankfully did not happen, but it is bound to happen again sometime. In the interconnected world, this is the cost of using information technology.

There is no credible data as to how many FDA-regulated companies were affected by the ransomware attack last week, and we will likely never know. Companies usually are very secretive about breaches of this kind. But we can safely assume that several FDA-regulated companies lost data in this attack. We can also safely assume that this was not the first time data was lost, and it will definitely not be the last time. Remember, the tool used for this attack was stolen from none other than the mighty NSA. If hackers could get inside the most secure computers in the world and steal information, they can get into any system. With electronic health records, electronic data capture, health informatics, and many other technological advances being the way of the day, we need to do our part to make hacking our systems hard, as making it impossible is not possible.
Author

Dr. Mukesh Kumar
Founder & CEO, FDAMap