Federal officials on Monday confirmed that some U.S. health care companies and medical devices were affected by the recent ransomware attacks that infected computers in more than 100 countries, but they declined to give further details.
Ransomware incident response: Managing in minutes
Background
HHS over the weekend alerted health care providers to a massive ransomware attack that had spread quickly through Europe and Asia on Friday, locking providers out of patient records in Britain and forcing affected hospitals to cancel surgeries and divert patients in need of urgent care.
The hack exploits a flaw in Microsoft's Windows operating system to propagate a strain of ransomware called WannaCry, which encrypts victims' computer systems and locks users out of critical data until they pay a ransom fee. The hack affected organizations that either had not installed the patch or were running outdated versions of Windows that Microsoft no longer regularly updates. Microsoft in March released a patch to fix the vulnerability for its recent operating systems, and after the attack struck it also made publicly available a patch to its older Windows XP software.
Shortly after the attack, the Trump administration directed HHS to organize conference calls with health care providers to provide updates on the attack. More than 2,500 organizations, most them from the health care community, participated in the calls, which took place on Friday, Saturday, and Monday, according to Tressa Springmann, vice president and chief information officer at LifeBridge Health. Federal officials on the calls said the government had identified about 65 different variants of the ransomware, according to Healthcare IT News.
Some health care organizations affected
According to a source on Monday's call, federal officials said several medical devices had been affected by the attack, though they declined to name the affected devices.
In a separate interview on Sunday, a Homeland Security official said some U.S. health care organizations had reported suspected or confirmed activity related to the attack, the Wall Street Journal reports. However, a Homeland Security spokesperson on Monday said the attack mainly affected administrative tasks and did not hamper affected organizations' day-to-day operations.
Industry response
HHS on Tuesday updated its ransomware and cyber threat guidance for health care organizations. The updated guidance directs organizations with suspect or confirmed ransomware activity to immediately contact the FBI field office cyber task force and report the incident to the U.S. Computer Emergency Readiness Team (US-CERT). The agency also said organizations can contact US-CERT for an unauthenticated scan of public IP addresses.
A Siemens spokesperson said the company's health care arm, which develops medical imaging and laboratory diagnostic devices, alerted customers Monday that some of their products are vulnerable to the ransomware attack and should be updated, but the spokesperson said the company's technology infrastructure and production were not affected by the attack.
James Rough, Aetna's chief security officer and chair of the National Health Information Sharing and Analysis Center, said Aetna had not identified any attacks from ransomware in its network, but it contacted hospitals and doctors within its network to ask them to conduct cybersecurity updates.
John Bosco—senior vice president and chief information officer at Northwell Health, a health system that owns 18 hospitals and more than 550 outpatient centers in New York—said the health system on Friday surveyed its security systems and identified about 200 of about 50,000 computers with vulnerable software. It also found a small number of its 4,000 servers had not received a scheduled upgrade, according to Bosco.
Company officials worked through Saturday to patch the software vulnerabilities. According to the Wall Street Journal, the work was completed "with no reported breaches" (Evans, Wall Street Journal, 5/15; Siwicki/Monegain, Healthcare IT News, 5/15; AHA News, 5/16).
6 steps for your ransomware response plan
Health care organizations are attractive, lucrative targets for cyber attackers. With highly marketable data, security controls that may lack in strength and consistency, and a culture of openness and helpfulness, health care organizations can quickly become unwitting targets.
Now, more than ever, it is critical to ensure your organization has a proper response plan in place for cybersecurity incidents. This guide outlines the six steps your organization can take to ready for and respond to a ransomware attack.