Understand how we got here — and how to move forward.


June 28, 2017

Ransomware strikes worldwide again—hitting at least two US health care organizations

Daily Briefing

Two U.S.-based health care companies have been affected by a ransomware attack that also has caused widespread disruption across Europe.

Ransomware incident response: Managing in minutes

Security experts said the ransomware likely is a version of the Petya virus. Experts said the attack uses digital tools originally created by the National Security Agency that were published online by a group known as the Shadowbrokers.

On Tuesday, drugmaker Merck on Twitter confirmed that its computer network had been compromised, and a Merck employee said all of the company's U.S. offices were affected by the attack. According to the Washington Post's "The Switch," Merck did not respond to a request for comment.

In addition, officials at the Pennsylvania-based Heritage Valley Health System said its network has been affected by the attack, but that the system has implemented procedures to ensure patient care is not disrupted. Some patients reported that the health system had to reschedule some surgeries. The health system late Tuesday said its antivirus software vendor had developed "corrective measures" that were "being implemented and tested."

The attack also has affected the U.S.-based food manufacturer Mondelez International, the Associated Press reports.

According to Healthcare IT News, the ransomware attack has caused the most disruption in Ukraine, where it has affected the country's banks, government offices, power grid, and other businesses. Officials and experts say the attack also has affected:

  • Denmark;
  • Germany;
  • India;
  • Italy;
  • The Netherlands;
  • Poland;
  • Russia;
  • Spain; and
  • The United Kingdom.

As of Tuesday, there were few details available on who might have waged the attack, Healthcare IT News reports. While the virus is similar to the WannaCry ransomware attack that affected computers in more than 100 countries in May, security experts say the current attack is not as widespread as the WannaCry attack.

Wannacry had spread quickly through Europe and Asia, locking health care providers out of patient records in Britain and forcing affected hospitals to cancel surgeries and divert patients in need of urgent care. Wannacry also had affected several medical devices and some U.S. health care organizations (Davis, Healthcare IT News, 6/27; Shaban/Nakashima, "The Switch," Washington Post, 6/27; AP/Sacramento Bee, 6/27; Satter/Bajak, AP/Sacramento Bee, 6/27; McMillan et al., Wall Street Journal, 6/27).

When a cyberattack occurs, the whole hospital is our patient

While the implications of cyberattacks are often unknown to health care leaders, clinicians, and staff, they are used to handling critical incidents in patient care. Luckily, the process for handling a cyber incident is nearly the same.

This graphic details how the steps in responding to a clinical crisis mirror one of the most widely used cyber response methods, the SANS Institute’s PICERL approach: preparation, identification, containment, eradication, recovery, lessons learned. By relating information security tactics to patient care, everyone can get on the same page and work together.

Get the Infographic

Have a Question?


Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.