June 30, 2017
Sizing Up NotPetya's Impact in US Healthcare Sector
Who are the Victims? And Why Aren't There More?
Like in the recent WannaCry attacks, the U.S. healthcare sector has so far mostly avoided becoming a victim of NotPetya, the malware menacing organizations across the globe.
As of June 30, only four healthcare sector-related organizations claimed that they were impacted by the malware attacks that hit hardest in the Ukraine. Those organizations are:
- Global pharmaceutical maker Merck;
- Pennsylvania-based Heritage Valley Health System, which operates two hospitals, plus other care facilities;
- West Virginia-based Princeton Community Hospital; and
- Massachusetts-based Nuance, a vendor of dictation and transcription software to healthcare and other sectors.
Heritage Valley reports in a statement that as of June 30, all its facilities "are open and operational with the exception of its satellite based laboratory and diagnostic imaging services." A Heritage spokeswoman says: "We are using a mix of both - computer systems and downtime procedures - at this time" at facilities that are back to serving patients.
Merck, Nuance and Princeton Community did not immediately respond to ISMG's requests for comment.
A Thursday posting by Princeton Community Hospital on its Facebook page tells its employees that "computer issues at PCH as a result of the 'Petya' cyberattack have affected our ability to access the quick charge system in the cafeteria, the Kronos time system and the Meditech payroll system." Another posting earlier in the day on Thursday tells employees that "on day-three" of dealing with the Petya attacks, the hospital is "working to replace computer hard drives and to have clean access to Meditech - our electronic medical record."
More to Come?
Information sharing and analysis organization Healthcare Information Trust Alliance says that more healthcare entities likely were impacted by the cyberattacks.
"We are aware of five, but the number is most likely much higher. Might be too early to tell but I'm sure we'll be hearing of more victims every day," a HITRUST spokeswoman says. HITRUST has seen numerous indicators of compromise in its cyber threat information exchange platform used by healthcare sector organizations. "They are anonymous so we don't see organization type or details," she adds.
For its part, the U.S. Department of Health and Human Services isn't saying exactly how many U.S. healthcare entities are known or suspected of being impacted by the latest global malware attack.
"HHS is aware of reports of healthcare impacts from Petya and are working with our partners in government and private industry to confirm these reports and assess any potential impacts to public health and safety," HHS' Office of the Assistant Secretary for Preparedness and Response says in a statement provided to Information Security Media Group.
Malware of Many Names
NotPetya loosely resembles another type of ransomware that emerged last year called Petya, security experts say. NotPetya is also being called SortaPetya, Petna, ExPetr, GoldenEye and Nyetya. The experts say the file-encrypting malware that wreaked havoc worldwide starting Tuesday was likely never intended to make its creators rich. Instead, the malware appears to have been designed to wipe data on PCs and ensure that there is no chance that it could ever be recovered (see Latest Ransomware Wave Never Intended to Make Money).
An official at another healthcare sector cyber information sharing organization tells Information Security Media Group: "This appears to be a targeted attack against Ukraine using a third-party financial processor as the attack vector. It did not really impact U.S. healthcare other than what you saw in open source reporting."
Kaspersky Labs says its security experts have determined that 50 percent of NotPetya targets were industrial organizations. The list includes electricity, oil and gas, transportation and logistics companies.
HHS, as it did during the recent WannaCry attacks, has been sending out frequent email alerts to healthcare sector organizations to keep them abreast of the situation and offer recommendations.
For instance, a June 30 alert notes: "Our partners at the National Health Information Sharing and Analysis Center have tested a 'vaccine' that has been reported as potentially helpful for systems that have not been impacted. The 'vaccine' may also help spread of infection. Use of this 'vaccine' should not preclude proper patching as it only prevents harm from one specific strain of malware."
The HHS alert notes: "When using this vaccine, consider any potential business impact. The 'vaccine' is the creation of a file C:Windowsperfc and setting the permissions to 'READ ONLY'. As with any patch/update, this modification should be evaluated before implementation by appropriate system security personnel."
Denise Anderson, president of NH-ISAC, tells ISMG the organization is extending its reach in assisting the healthcare sector through this latest crisis. "Our members were very involved with analyzing the attack and sharing mitigation strategies that we shared beyond our membership via the website and through our partners."
Meanwhile, HHS has hosted daily calls with trade associations and ISAOs to coordinate the dissemination of information and to assess potential impact of the malware.
"HHS has a long history of working with private sector organizations to prepare for and respond to cybersecurity incidents," HHS tells ISMG in its statement. "The WannaCry response put much of this planning into effect. After the first indications of the incident and its impacts on healthcare in the U.K., we activated the Secretary's Operations Center and worked across the Department and with the private sector to mount a coordinated response. From WannaCry, we learned new ways to leverage our private sector partnership to exchange information on cybersecurity incidents and refined some of our internal response processes. We have successfully implemented many of these response enhancements for Petya."
The Big Picture
But while it appears that the U.S. healthcare sector has so far mostly avoided being impacted, there's no reason for the sector to pat itself on the back yet.
"Let's proceed with caution on reaching conclusions; Petya is a breaking, evolving story and we're still learning what happened, how it happened, etc," says Bob Chaput, president of the security consultancy Clearwater Compliance.
"For sure, it's illustrative of how different cyberattacks are from conventional warfare and attacks. There are no longer national borders; each individual or organization needs to establish their own strong borders."
Petya has also illustrated how exploits in one part of the healthcare ecosystem can adversely affect other parts, Chaput says. "For example, the transcription services company, Nuance has been affected by Petya, in turn triggering major business workflow disruption in hospitals and health systems across the U.S."
Because so many healthcare organzations are still struggling with security basics, such as completing and updating risk assessments, when malware campaigns hit, Chaput says, "many are stuck in this tactical, technical, fire-fighting mode perpetually. Yes, this 'short game' must be played. At the same time, organizations must move to a 'long game' characterized by a more strategic, business-oriented and more architectural approach. In this case, it's a vendor risk management issue that would be part of a more holistic, programmatic approach."
Chaput says one essential step is adoption of the National Institute of Standards and Technology's Cybersecurity Framework.
This article, featuring the expertise of Clearwater CEO, Bob Chaput, was written by Marianne Kolbasuk McGee, Executive Editor of Information Security Media Group's HealthcareInfoSecurity.com media site.