The WannaCry ransomware that attacked computers globally — including the U.K.’s National Health Service and medical devices in the U.S. — has had some effect on healthcare providers statewide, who are mounting their defenses to curb the damage and secure their systems.
“We’ve been contacted by several Connecticut healthcare organizations of varying types who were affected by the attack, or were concerned that they could be vulnerable,” said Matt Kozloski, vice president of professional services at the Glastonbury-based IT security firm Kelser Corp. “The attack is ongoing – we will see additional victims over the next couple of weeks.”
Kozloski declined to identify the organizations that were impacted, saying only that smaller practices have been especially vulnerable.
“We frequently encounter medical practices who don’t believe their data is valuable or that they’re big enough to be a target,” said Kozloski. “The fact is, medical data fetches a premium on the black market because it can be used for various types of fraud that are extremely profitable to the attacker. A widespread, indiscriminate cyber attack is perfectly suited to prey on medical practices that haven’t taken the most basic steps to defend their data, which is something we see often.”
WannaCrypt or WannaCry is ransomware that spreads from one computer to another by exploiting a flaw in the SMBv1 file-sharing service built into Windows. Microsoft fixed the flaw in March 2017 with security bulletin MS17-010, but machines that had not installed that update, and out-of-support systems such as Windows XP, remained exposed. Once on a machine it encrypts the user's files and demands a ransom, paid in bitcoin, in exchange for the key.
Despite its vulnerabilities, Windows XP is still in use at healthcare organizations statewide.
“We recently performed a cybersecurity assessment at a medical practice using Windows XP, which was at the heart of the NHS attack. This version of Windows is no longer supported by Microsoft – there is no way to secure it against hackers,” Kozloski said. “The practice’s IT vendor told them that it’s fine to keep using this outdated operating system as long as it works for them.”
But, Kozloski said he wouldn’t recommend that anyone continue using Windows XP—particularly those professionals in industries regulated by privacy laws like the Health Insurance Portability and Accountability Act of 1996.
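As an added example, not from the article or from any of the firms quoted in it, the following PowerShell script audits a single Windows host for the two conditions that let WannaCry spread: the MS17-010 fix being absent, and the SMBv1 server being enabled. The KB numbers are the MS17-010 updates for common Windows versions as I recall them from Microsoft's bulletin; treat that list as an assumption and confirm it against the bulletin for your exact OS build before relying on it. Run from an elevated PowerShell prompt.

```powershell
# Added example, not code from the article or any organisation it quotes.
# Checks a Windows host for the two things that made WannaCry spread:
#   1. the MS17-010 fix (March 2017) for the SMBv1 flaw is not installed
#   2. the SMBv1 server protocol is still enabled (WannaCry attacks it over TCP/445)
#
# ASSUMPTION: the KB list below is reproduced from memory of Microsoft's MS17-010
# bulletin. Verify it for your OS/servicing branch. Later monthly rollups supersede
# these KBs, so "not found" is a prompt to check update history, not proof of exposure.

$Ms17010Kbs = @(
    'KB4012598',  # Windows XP / Server 2003 / Windows 8 out-of-band fix (May 2017)
    'KB4012212',  # Windows 7 / Server 2008 R2 security-only
    'KB4012215',  # Windows 7 / Server 2008 R2 monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2 security-only
    'KB4012216',  # Windows 8.1 / Server 2012 R2 monthly rollup
    'KB4012214',  # Server 2012 security-only
    'KB4012217',  # Server 2012 monthly rollup
    'KB4012606',  # Windows 10 1507
    'KB4013198',  # Windows 10 1511
    'KB4013429'   # Windows 10 1607 / Server 2016
)

function Test-Ms17010Patch {
    # Returns the MS17-010 KB(s) present in the hotfix list, or nothing if none are.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return $Ms17010Kbs | Where-Object { $installed -contains $_ }
}

function Test-Smb1Enabled {
    # $true if the SMBv1 server protocol is enabled. Get-SmbServerConfiguration exists
    # on Windows 8 / Server 2012 and later; older hosts fall back to the registry
    # value the SMB server reads, where a missing value means "enabled".
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return [bool]$val.SMB1
}

function Disable-Smb1 {
    # Turns off the SMBv1 server. On Windows 7 and later this is safe once nothing
    # legacy depends on it (a reboot is needed on hosts without the Smb cmdlets).
    # On Windows XP / Server 2003, SMBv1 is the ONLY SMB version, so disabling it
    # disables file sharing outright; the real fix there is replacing the OS.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Get-WmiObject is used rather than Get-CimInstance so the script also runs on
# PowerShell 2.0 hosts such as Windows XP / Server 2003.
$os = Get-WmiObject Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

$patched = Test-Ms17010Patch
if ($patched) {
    Write-Host "MS17-010: installed ($($patched -join ', '))"
} else {
    Write-Warning "MS17-010: no matching KB found; check Windows Update history before assuming exposure"
}

if (Test-Smb1Enabled) {
    Write-Warning "SMBv1 server is ENABLED; this is the service WannaCry attacks over TCP/445"
    # Uncomment once you have confirmed nothing still needs SMBv1 (see note in Disable-Smb1):
    # Disable-Smb1
} else {
    Write-Host "SMBv1 server is disabled"
}
```

A host that reports a missing patch and an enabled SMBv1 server should be treated as exposed on any network segment where TCP/445 is reachable; blocking that port at the segment boundary buys time while patching, but does not replace the update.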
Robert Gibbons, chief technology officer at IT security firm Datto Inc. in Norwalk, said Datto has recently observed ransomware variants that could triple the ransom demanded if they detect patient records software on the infected computer, under the theory that a hospital will be willing to pay more to rescue their data.
“In many respects, the healthcare industry is vulnerable because of both the centralization [of patient data through Electronic Medical Records] and the value of the data their systems hold.”
In 2016, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to hackers and Wichita-based Kansas Heart Hospital also paid a ransom, only to be hit by a second demand for payment. Chatham-based New Jersey Spine Center paid a ransom as well.
According to Jennifer Jackson, CEO of the Connecticut Hospital Association, hospitals statewide are testing their systems to reduce their vulnerability in the wake of WannaCry.
“They are also implementing enhanced communication with law enforcement and federal agencies about suspected or actual instances of cyber attack,” Jackson said.
Hartford HealthCare Corp., which owns and operates one of the largest medical centers and hospital networks statewide, began acting immediately after news broke of the attacks last Friday, according to Chief Technology Officer Joseph Venturelli.
“Our partner [an anti-virus firm] sent us the first of many mitigation tools which we deployed to our enterprise overnight. On Saturday morning, we hand-inspected the critical devices that are housed in critical patient care areas to ensure that all devices were safe; installed with the latest patches and anti-virus signatures,” he said. “By sundown, we were confident that Hartford HealthCare was prepared for any eventualities of the WannaCry ransomware.”
As widespread as WannaCry may be, healthcare organizations are no strangers to cyber attacks. To put it in perspective, Hartford HealthCare, which was not impacted by WannaCry, intercepts a whopping 715,000 viruses and eliminates two million spam messages each month, Venturelli said.
Trinity Health-New England, which was also not impacted, is tracking the ransomware activity and has implemented specific protocols to identify and remediate events if they occur.
“We continue to engage in efforts to reduce exposure and minimize impact should our monitoring identify ransomware activity in our environment,” said Linda Shanley, vice president – regional chief information officer at Trinity Health – New England, whose member hospitals include Saint Francis Hospital and Medical Center in Hartford.
“Yale New Haven Health is in constant contact with regulators, law enforcement and leading industry experts,” said Glynn Stanton, chief information security officer. “We continue to monitor the situation.”
The group – which was not affected – consists of member hospitals including Bridgeport Hospital, Greenwich Hospital, and Yale New Haven Hospital.
Meanwhile, health insurers Aetna Inc. and Cigna Corp., both of which were unscathed by WannaCry, are nevertheless identifying vulnerabilities and stepping up protection.
Aetna’s cybersecurity incident response team has implemented several preventative measures resulting in additional layers of security protection against ransomware attacks, said James Routh, Aetna’s chief information security officer.
“We also shared any information that we learned through our work with the National Health Information Sharing and Analysis Center and other external cybersecurity groups to benefit the overall healthcare industry response to this particular issue, as well as similar issues in the future,” Routh said.
Cigna Corp.’s IT department is “working with our vendors and security partners since this hit the news to ensure proper protections are in place,” said Joe Mondy, Cigna spokesperson.
The cyber attacks are expected to become even more sophisticated. Experian Data Breach Resolution’s fourth annual Data Breach Industry Forecast predicts that healthcare organizations, including hospital networks, will become the most targeted sector in 2017 for cyber criminals, with new variants that could potentially elude detection by current systems.
“IT is one of those areas that is always under budgetary pressure – to get the newest software out, or to get the newest piece of workflow processing in place,” said Christopher Luise, executive vice president at Adnet Technologies LLC in Farmington. “But this is like changing the oil in your car. If you don’t, if you are remiss in providing routine maintenance to your engine, you are subject to risk. This is the wake-up call.”