Multiple U.S. healthcare organizations infected in global ransomware attack
Major U.S. healthcare organizations were hit in an international ransomware attack launched June 27. The malware, known as NotPetya because it is based on an earlier ransomware family called Petya, was first reported in Russia, Ukraine, and elsewhere in Europe, the BBC reported, before hitting the U.S. as business started in the morning.
Heritage Valley Health System, a Sewickley, Pennsylvania-based health system comprising two hospitals, 60 physician offices, and 18 community satellite facilities, was hit by the virus, according to a statement on its website. The pharmaceutical giant Merck announced on Twitter that its network was compromised and it initiated business continuity plans. The Health Information Trust Alliance (HITRUST) received multiple reports of healthcare organizations infected by NotPetya, it said in a June 28 statement. Organizations affected by NotPetya should report the incident to the FBI’s Internet Crime Complaint Center, the Office for Civil Rights (OCR) said.
NotPetya encrypts the master boot records of infected Windows computers, rendering the machines unusable, OCR said in a June 27 email alert. Once the data has been encrypted, it may not be recoverable, even by those who unleashed NotPetya, according to Kaspersky Lab. The National Health Information Sharing and Analysis Center reports that phishing emails have subsequently been sent that claim to be from government agencies offering help resolving the effects of NotPetya. These emails are instead an attempt to steal credentials by having recipients log in to websites the senders control.
Reports suggest that NotPetya exploits vulnerabilities in Server Message Block (SMB). Users and administrators should review the United States Computer Emergency Readiness Team’s (US-CERT) article on the Microsoft SMBv1 vulnerability and Microsoft’s security bulletin MS17-010.
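As an added example (not from the article or any organization it cites), the following read-only PowerShell check reports whether a Windows host still has the SMBv1 server protocol enabled and whether a package from the MS17-010 bulletin appears in its installed hotfixes. It assumes Windows 8.1/Server 2012 R2 or later (for Get-SmbServerConfiguration and Test-NetConnection) and that the KB list, which is partial, is verified against the bulletin for the host's OS version.

```powershell
# Added example: exposure check for the SMBv1 flaw addressed by MS17-010.
# Run in an elevated PowerShell session. Read-only: it changes nothing.

# Assumption: partial list of March 2017 MS17-010 package IDs (security-only
# and monthly rollups). Verify against the bulletin for your OS version; on
# Windows 10 later cumulative updates supersede these, so no match there is
# not proof the host is unpatched (compare the OS build instead).
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

function Test-Smb1Exposure {
    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = $null
        Ms17010Patched   = $false
        MatchedKB        = $null
        Port445Listening = $false
    }

    # 1. Is the SMB1 server protocol enabled on this host?
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        $result.Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
    } catch {
        $result.Smb1Enabled = 'Unknown (cmdlet unavailable)'
    }

    # 2. Does any known MS17-010 package appear in the installed hotfixes?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $Ms17010Kbs | Where-Object { $installed -contains $_ } |
           Select-Object -First 1
    if ($hit) { $result.Ms17010Patched = $true; $result.MatchedKB = $hit }

    # 3. Is SMB (TCP 445) listening on this host at all?
    $probe = Test-NetConnection -ComputerName localhost -Port 445 `
                                -WarningAction SilentlyContinue
    $result.Port445Listening = [bool]$probe.TcpTestSucceeded

    [pscustomobject]$result
}

$r = Test-Smb1Exposure
$r | Format-List
if ($r.Smb1Enabled -eq $true -and -not $r.Ms17010Patched) {
    Write-Warning ("SMBv1 is enabled and no MS17-010 package was found. " +
        "Patch first; to disable SMBv1 afterwards run: " +
        "Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force")
}
```

Hosts that report SMBv1 enabled and no matching package are the ones to prioritize for the MS17-010 patch and for the US-CERT SMBv1 guidance referenced above.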
OCR publishes cybersecurity guidance material, including a cybersecurity incident response checklist and ransomware guidance aimed specifically at healthcare organizations. The presence of ransomware on a HIPAA covered entity (CE) or business associate (BA) computer system is a security incident, and CEs and BAs are required to initiate security incident response and reporting procedures, according to OCR’s ransomware fact sheet. CEs and BAs must conduct a thorough analysis to determine whether protected health information (PHI) was encrypted by the ransomware. If PHI was encrypted by ransomware, a breach is presumed to have occurred unless the organization can demonstrate a low probability that the PHI was compromised, based on the factors in the Breach Notification Rule.
A similar ransomware attack in May, using the WannaCry variant, affected individuals and organizations across the globe, shutting down systems at the U.K.’s National Health Service. Initial reports indicated the U.S. escaped unscathed from that attack; however, later reports said otherwise. In a June 5 email alert, the Office of the National Coordinator for Health IT (ONC) said that two large, multistate health systems were still struggling to recover from the impact of WannaCry. NotPetya appears to use the same exploits as WannaCry, HITRUST reported; therefore, the mitigation and prevention methods used for WannaCry should also work for NotPetya.
Questions can be sent to HHS at cip@hhs.gov. Organizations that experience a suspected cyberattack affecting medical devices can contact the FDA’s emergency line at (866) 300-4374. Reports should be aggregated on a system/facility level. Threat indicators and analysis should be sent to HHS’ Healthcare Cybersecurity and Communications Integration Center at HCCIC@hhs.gov.