The massive global ransomware attack already responsible for breaching cybersecurity at 16 hospitals in the United Kingdom had yet to yield any public announcements of successful attacks at U.S. healthcare systems as of late Friday.
But that doesn’t mean hospitals in the U.S. won’t be impacted, and the federal government and healthcare data security analysts are urging chief information officers and their data security teams to remain on high alert.
“Health and Human Services (HHS) is aware of a significant cybersecurity issue in the U.K. and other international locations affecting hospitals and healthcare information systems,” says Laura Wolf, critical infrastructure protection lead in the office of the national coordinator for HealthIT. “We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cybersecurity best practices—particularly with respect to e-mail.”
In the U.K. on Friday, hospitals urged people with non-emergency conditions to stay away after the cyberattack affected large parts of the country’s National Health Service. 16 NHS organizations were hit by attacks that encrypted computer data and demanded ransom to unscramble the data.
“A number of NHS organizations have reported that they have suffered from a ransomware attack,” U.K. Prime Minister Theresa May told reporters. “It’s an international attack and a number of countries and organizations have been affected. We’re not aware of any evidence that patient data has been compromised.”
Hospitals in London, North West England and Central England have all been affected, according to the BBC. Mid-Essex Clinical Commissioning Group, which runs hospitals and ambulances in an area east of London, said on Twitter that it had “an IT issue affecting some NHS computer systems.”
A screenshot of an apparent ransom message, sent to a hospital, showed a demand for $300 in bitcoin to decrypt files that had been encrypted. Workers across the NHS have since been sent e-mails from the health service’s IT teams warning not to open or click on suspicious attachments or links.
The attack appears to take advantage of a vulnerability in Microsoft Windows that was disclosed when hackers posted National Security Agency documents online earlier this year. Microsoft issued a patch that protects against the vulnerability, but not all organizations apply security patches promptly.
The U.S. health system remains particularly vulnerable to ransomware attacks, according to healthcare security experts. “The cyberattack, using a ransomware bug known as WannaCry, appears to have used an NSA exploit known as ‘Eternal Blue’ that was disclosed on the web by Shadow Brokers,” says Creighton Magid, a cybersecurity analyst and partner at the international law firm Dorsey & Whitney. “Microsoft released a patch earlier this year to address the vulnerability, but it appears that a number of hospitals and other users have not applied the patch.”
Earlier this year an Atlanta healthcare system was hit with a data breach and a ransomware attack that impacted the electronic health records of nearly 80,000 patients.
On Jan. 3 Emory Healthcare, the largest healthcare system in Georgia encompassing six hospitals, the Emory Clinic and more than 200 provider locations, reported to the federal government a data breach and a ransomware attack.
Ransomware is a type of malicious software designed to block access to a computer system or data on that system. Criminals demand money to unblock the affected network.
The data breach happened when an intruder gained unauthorized access to an online physician appointment scheduling program used by Emory’s orthopedics and spine center and its brain health center.
The intruder gained unauthorized access to patients’ names, dates of birth, contact information, internal medical record numbers, and appointment information such as dates of service, physician names and whether patients required imaging. The database did not contain patients’ Social Security numbers, financial information, diagnosis or other electronic medical record information, Emory says.
In the ransomware incident, Emory says over the New Year’s holiday weekend the cyber thieves eliminated the Emory patient scheduling and patient records database and demanded payment to restore it.
Emory has notified patients impacted by the breach and is working with an unidentified outside security firm to tighten up its data protection program but has yet to release any other public statement.
The Emory Healthcare data breach is the biggest so far this year, according to the U.S. Department of Health and Human Services Office of Civil Rights.
“The recent UK NHS cyberattack demonstrates that, as the healthcare industry continues to digitize, data protection technology has not been able to keep up with the variants of malware attacks, such as Wanna Decryptor,” says Ermis Sfakiyanudis, President and CEO at Trivalent, a healthcare security services company. “The result is an extreme risk to the safety of and confidentiality for patients, who entrust healthcare organizations to address their medical concerns and private information. Bottom line, with these next generation attacks, the data at rest should not be exposed and susceptible to malicious encryption attacks.”