The Worst Healthcare Cybersecurity Breaches of 2017

George Steptoe
DECEMBER 29, 2017
NotPetya spread in June, imitating a ransomware virus called Petya, which cropped up in 2016. But rather than extorting users by demanding Bitcoin to unlock data, NotPetya was designed to destroy.

Defense against NotPetya should have been easy, Cappos said. The virus was built “so, so, so poorly,” and “it was essentially just deleting the files on the system rather than really locking them up.” Cybersecurity leaders thought it was made to merely look like an attack.

NotPetya affected mainly Ukrainian businesses and appeared to have been launched by the Russian government, Cappos noted. It subsequently swept across the Atlantic and infected four companies: the pharmaceutical colossus Merck, Pennsylvania’s Heritage Valley Health System, Princeton Community Hospital in West Virginia, and Nuance, which sells dictation and transcription software.

A month later, Merck was still reeling from the virus, and Princeton Community Hospital was forced to replace all its hard drives and had yet to relaunch all its systems by late summer. The malware affected Merck’s production, delivery, manufacturing, research, and sales operations, according to a government filing.

NotPetya tapped the same vulnerability as WannaCry did but then spread through a software updater. WannaCry used a National Security Agency hacking tool called EternalBlue, which NotPetya also exploited, Cappos said.

Not all security breaches require malicious hackers or software.

Human error caused the biggest security incident of 2017, according to HHS. About 655,000 patients of the Bon Secours Health System in Virginia were notified that their records might have been breached when a third-party contractor accidentally made files accessible online during a network settings adjustment.

Raising awareness is a low-tech solution. “It seems so simple and silly to mention, but educate your end users about what your security practices are, [and] raise their cybersecurity IQ by giving them simple, basic, easy-to-understand awareness tips,” Kim said. “Otherwise, you’ll be just chasing their tail.” Regularly changing passwords is an easy fix, Kim added.

Cybersecurity isn’t just an IT issue, said Juuso Leinonen, senior project engineer for health devices at the ECRI Institute. Protecting systems requires participation from the entire staff. Combating attacks “is something that each department within a healthcare facility can and should play a role in, from clinical engineering to information security, risk management, purchasing, and even the front-end clinicians,” Leinonen said.

Educating employees to identify risks is of utmost importance, Meadows agreed. Most attacks in 2017 occurred through phishing, she said. “The biggest recommendation that I have for hospitals specifically is to do ongoing education around phishing, ransomware, and malware, because you’re only as strong as your weakest link.”
