WannaCry, NotPetya, and Cyberwarfare's Threat to Healthcare

Ryan Black
JUNE 11, 2018

When the outage hit, Daniel Ripp, MD, didn’t think much of it. He recorded his appointment notes into his Dictaphone like he had for years, and when he couldn’t upload them to the transcription service, he went about his day. “OK, reboot the computer, and if it doesn’t work, we’ll do it tomorrow,” he figured. Ripp had been practicing internal medicine in Wisconsin for decades. He knew by then that some days, the internet just didn’t work right.

Later that night, Ashok Rai, CEO of Ripp’s employer, Prevea Health, got a phone call from the head of the company’s medical records department. Ripp wasn’t the only one with computer troubles. No physician in the health system could upload their audio notes. Rai fielded frantic phone calls and texts throughout the night as he and his colleagues rushed to figure out what to do. The clinics would have to open again in the morning, and already-busy doctors would be without their usual means of documenting their appointments.

“In healthcare, if you can’t document it, it didn’t happen,” Rai said. “It was all hands on deck.”

The next day, Prevea set up a “war room” where its leadership team began searching for a path forward. Similar scenes were playing out at health systems of all sizes across the country. About a third of the industry uses the same transcription service, and many doctors were forced to ditch their usual protocols and revert to manual documentation while executives raced to snap up temporary transcription workers and build backup plans.

The transcription blackout started 1000 miles to the east, where the mood was even more tense. Satish Maripuri was driving to work when a colleague texted him that “an incident of abnormal nature” was gripping their company’s computer networks, and it looked like ransomware. Ten minutes later, he got another text saying that whatever was happening was “a little more nefarious” than normal.

When he walked into his office at Nuance’s Burlington, Massachusetts, headquarters, the severity of the situation began to sink in. “We were down email, desktop IP phones. Networks were down,” said Maripuri, the company’s executive vice president. “I realized at that point it was going to be more serious.”

Nuance, a massive global information technology (IT) vendor whose services are vital to thousands of healthcare providers across the United States, had to act fast. It cut connectivity to all of its clients, hoping to keep whatever was ravaging its systems from spreading downstream. “In the fog of war, we want to make sure we don’t contaminate each other,” Maripuri said.

Nuance wasn’t the only major corporation scrambling for answers on June 27, 2017. Merck closed offices in southeastern Pennsylvania when its systems became inaccessible. FedEx’s European subsidiary TNT suffered major disruptions, and within days the company had warned investors that the situation would result in material losses. The infection spread to the global shipping firm Maersk, the food conglomerate Mondelēz, and even oil giant Rosneft.

Ground zero for the whole thing was even farther from Wisconsin than Massachusetts. At the time, Maripuri didn’t realize he and his team were dealing with what he later called a “Russian cyberterrorist attack” directed at Ukraine. They just knew it was bad. The company had more than 10,000 endpoint desktops and countless servers, and almost all went dark that day.

Devastating Material Damages

The incident has since come to be known as NotPetya, after incorrect early analysis led people to believe it was a strain of the notorious Petya malware. The attack inflicted serious injury on everything that it touched and brought harm to countless other organizations.

Infected corporations lost colossal amounts of money. Merck’s financial filings showed related losses in the third and fourth quarters of 2017, each in excess of $300 million. Maersk and FedEx also reported 9-figure damages.

For Nuance, losses totaled nearly $100 million, and the company wasn’t able to restore full functionality to all of its healthcare customers for nearly 2 months. The transcription provider was hit so hard that it had to rebuild many of its servers.

Providers also took a hit. Rai said the outage caused by NotPetya hurt Prevea’s efficiency and bit its bottom line to an extent it might never quantify. Extrapolate that experience to thousands of providers, and who knows how many working hours and dollars were burned nationwide? A few American health systems, like Heritage Valley Health System in western Pennsylvania, are even believed to have been directly infected with the virus.

In light of such crippling catastrophe, it might sound strange to say that American healthcare dodged a bullet. In retrospect, multiple sources who described the event to Healthcare Analytics News™ (HCA) used that very phrase.

Just 46 days earlier, the United Kingdom’s National Health Service (NHS) was brought briefly to its knees by another international cyberattack, WannaCry. As many as 70,000 devices—laptops, desktops, mobile devices, and other machines—were infected with what appeared to be ransomware.

For various reasons, NotPetya and WannaCry will forever be correlated. Both attacks hit during a 2-month period in the spring and summer of 2017. Both mutilated computer systems worldwide, in healthcare and in other industries, leading to massive disruptions and financial injuries. Both presented as ransomware but were not. And both were potent cyber munitions deployed by hostile foreign governments—demonstrations of the dangers healthcare must face in a new age of cyberwarfare.
