“If you see this text, then your files are no longer accessible because they have been encrypted.”

This is the on-screen message many organizations and individuals saw Tuesday, June 27 when a massive cyber-attack froze thousands of computers, especially in Ukraine, Russia, and the U.S. The message went on to demand $300 in Bitcoin as ransom, promising to employ a decryption service upon payment. The attack, originating in Ukraine, affected a number of large companies—and at least one U.S. hospital—resulting in millions of dollars in lost revenue and disruption.

Dubbed NotPetya because it shares code with the earlier ransomware strain Petya, the attack was in fact a “ransomworm,” a variant of ransomware that incorporates worm functionality. Like the WannaCry attack in May of 2017, NotPetya exploited a vulnerability in Microsoft Windows to infect networks running outdated security software, stealing passwords and gaining administrative access over the entire network. It then spread itself to every machine on the network disguised as a forced update, before encrypting their hard drives.

However, unlike WannaCry, no kill switch has yet been discovered for NotPetya. “Vaccines” applied to individual machines have protected some of them, but can do nothing to stop the ransomworm from spreading to other computers on the same network. These ransomworms threaten unprecedented data loss, and experts suspect that data destruction, rather than collecting ransom money, may be their intended purpose.

Ransomware and healthcare

The risks a ransomware attack poses to healthcare organizations extend beyond data loss and expense—the inability to admit patients, equipment downtime, HIPAA violations, and compromised EHR security are just a few. Given the recent spike in ransomware attacks, hospitals and health systems must establish guidelines for avoiding attacks—and prepare for the outcomes of a possible data breach. An incident-risk assessment and regular review of policies and procedures can help limit the damage if a breach does occur. For more information on how to prepare, HHS has published a fact sheet on ransomware.

Some ways organizations can protect against ransomware attacks include:

  • Timely software updates to reduce risk of entry
  • Frequent system backups to prevent data loss
  • Employing IT best practices as outlined by trade organizations like HIMSS
  • Ensuring regular staff training in security tactics

In addition, keeping your staff up to date on the latest compliance rules is one of your organization’s best defenses against potential HIPAA violations resulting from an attack.

The information in this article is for general information purposes only and is not intended to be, and should not be interpreted to be, legal advice.