Hospitals Were Collateral Damage in Colossal Cyber Attack

As the scope of this week’s most recent global ransomware attack was becoming apparent, one hospital system in western Pennsylvania confirmed falling prey to it. Now, more and more health systems are emerging as victims.

Local news affiliates in San Antonio, Texas; Green Bay, Wisconsin; and Princeton, West Virginia all reported some form of interference as a result of the global attack. The Princeton Community Hospital, at the southern edge of West Virginia, and the Heritage Valley Health System, outside of Pittsburgh, both faced direct system shutdowns as a result of infections with the ransomware. Heritage Valley Health Systems reportedly had to cancel procedures and close facilities as they dug out from under the attack. A spokeswoman for Princeton Community Hospital said their disruptions, on the other hand, were minimal.

The health systems impacted in the San Antonio and Green Bay areas encountered problems because the ransomware was interfering with Nuance Communications, the company whose Dragon Medical 360 software is widely used in hospitals to translate spoken comment into text for electronic health records.

"The health care organizations locally weren't victims of the malware attack. Nuance was the victim of the malware attack. The information that the health care organizations have locally weren't at risk," said Dr. Ashok Rai, CEO of Prevea Health in Wisconsin, according to station WBAY, a local ABC affiliate.

The massive attack is alternatively referred to as “Petya,” “ExPetr,” and “NotPetya” in various media reports. Early belief was that it was related to last year’s Petya ransomware, but Kaspersky Labs determined it a fundamentally different malware and thus deemed it “NotPetya” or “ExPetr.” Since, Kaspersky officials have gone a step further, declaring that the ransomware half of the attack was a media ruse: “the main goal of the ExPetr attack was not financially motivated, but destructive,” they wrote in a post declaring that the attack was a “wiper.”

It began notably by interfering with important Ukrainian institutions, including the national bank, the state power company, and even the notorious Chernobyl power plant. Like traditional ransomware, it locked up Windows machines with a message stating that the system’s files had been encrypted and demanding a payment of $300 in bitcoin to have the data restored and the system freed.

The attack, however, did not actually provide any data restoration in exchange for the payment. Its Bitcoin wallet was linked to a single email account, which was quickly shut down, and it only received about $10,000 in payments, a meager amount for such a powerful and widespread attack. Theories abound regarding the motivation and actors behind the attack. Given that it seems to have originated in Ukrainian tax-filing software, many believe it could be political and originally directed at disrupting Ukraine's infrastructure.

Regardless of target, it still caused havoc globally, with shipping giant Maersk and pharmaceutical maker Merck joining a long list of major companies disrupted. The new Petya/NotPetya attack took advantage of the same EternalBlue exploit that allowed for the proliferation of WannaCry just last month, and Microsoft had indeed released a patch for it.

The chaos caused this week should remind health systems worldwide of the sheer volatility of the increasingly connected world in which they operate. At once, they face the threat of being targeted directly by typical ransomware, as was the case when Hollywood Presbyterian Medical Center paid a $17,000 ransom in 2016. They also face the constant threat of bad actors silently stealing valuable patient data, leaving patient identities exposed and health systems or providers subject to substantial fines (Anthem this week settled to pay over $100 million in fines for a data breach).

And then there’s situations like these, where hospitals in West Virginia and Pennsylvania can end up collateral damage to a potentially political attack on the other side of the world. Those in healthcare, however, may best understand such situations. No virus is 100% preventable, but vigilance and best practices can go a long way.