The member-only article appears in the December issue of Patient Safety Monitor Journal.
The NotPetya computer hack that hit healthcare facilities last summer is a warning to get creative about tightening up security.
In the last week of June 2017, malware originating outside the U.S. attacked the systems of several U.S. companies—including Princeton Community Hospital in Princeton, West Virginia, and Heritage Valley Health System in Beaver, Pennsylvania.
This “NotPetya” malware is named after the 2016 Petya ransomware that it superficially resembles, according to Steven J. Hausman of Hausman Technology Presentations in Gaithersburg, Maryland. But it’s not really ransomware, and despite its so-far limited reach, that’s what makes it so frightening.
Health IT professionals will remember how in the course of just one weekend in May 2017, more than 300,000 computers in 150 countries were held hostage by a ransomware virus called “WannaCry,” including two multistate systems in the U.S. that successfully defended against the initial May 12 attack but found the malware lurking on isolated computers.
That attack came less than six months after CMS issued a warning to hospitals and other providers to tighten up cybersecurity and issued instructions to surveyors to discuss health IT during state agency survey visits.
Attacks are ‘like a pandemic’
Both WannaCry and NotPetya are related to the EternalBlue exploit, explains David Harlow, principal of The Harlow Group LLC, a healthcare law consultancy based in Newton, Massachusetts, and proprietor of the HealthBlawg blog.
“[EternalBlue] is a Windows vulnerability that has been patched by Microsoft in currently supported versions of Windows,” says Harlow.
WannaCry was a “massive” phenomenon—“like a pandemic,” says Ken Dort, a partner in law firm Drinker Biddle & Reath’s IP Group and the chairman of the firm’s Technology Committee in Chicago—that indiscriminately hit about 250,000 companies, demanding relatively small payments from each.
NotPetya, on the other hand, has only hit a few companies, and the hackers behind it usually don’t ask for money. When they do, though, they don’t release the data upon payment, as is usual with ransomware. That’s because the data isn’t actually held—it’s completely destroyed.
“It was not set up for ransom per se; it just destroyed the data,” says Dort. “So there was no endgame of letting it out for payment.”
The group behind NotPetya “either didn’t fully understand the potential impact of their malware or considered the fallout as convenient collateral damage as it spread,” says Brian Chappell, senior director of enterprise and solutions architecture for BeyondTrust in the U.K. Other systems were hit as the malware spread across Europe and into the U.S.