Dive Brief:
- After a massive international cyber attack Friday that froze computers at many hospitals in the United Kingdom — forcing them to suspend normal services and accept only emergency patients — health systems across the globe were bracing themselves Monday for a second wave. Although the malware did hit thousands of additional computers, no "catastrophic breakdowns" were reported and the second wave that experts initially feared had not arrived, according to The New York Times.
- Cybersecurity firm Avast said by Monday morning it had detected 199,000 instances of the malware in 104 countries. Over 40 U.K. hospitals were incapacitated by the attack, but no patient data has been stolen, according to reports. The HHS said "there is evidence of the attack occurring in the United States," but there was little more detail.
- The attack was a form of ransomware called WannaCry that gets into computers through phishing emails and demands payment in bitcoin for access to now-encrypted files.
Dive Insight:
Although the U.S. seems minimally affected, at least for now, the incident shows how quickly and severely a cyber attack can cause chaos for hospitals. Health systems around the world will be on high alert after the debilitating attack left hospitals in the U.K. scrambling to minimize the damage.
“We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cybersecurity best practices — particularly with respect to email,” the HHS said in a statement.
The malware targets a vulnerability in Microsoft Windows; Microsoft released a patch in March that fixes the security problem. But many hospitals apparently have not yet updated their systems. Kurt Osburn, a health IT security expert with ControlScan, told Healthcare Dive in an email that hospitals make themselves vulnerable when they are not prompt with patches and updates.
“Patch updates are becoming extremely important, because hackers are responding to critical bugs immediately,” he said. “Healthcare organizations are high value targets, which means their security and IT teams need to be extremely aware of what is happening in the wild and respond accordingly.”
The fact that healthcare organizations are a major target is without question. The industry was the victim of 88% of all ransomware attacks in the U.S. last year, according to NTT Group security company Solutionary. A HIMSS Analytics survey from last month found that 78% of healthcare leaders say employee awareness is their greatest security threat concern.
Ransomware has been a favorite format for hospital attacks — and in some cases, health systems have paid up. In February, Hollywood Presbyterian Medical Center paid hackers the equivalent of $17,000 in bitcoin. Hackers often use the phishing method because it tends to work. David Finn, health IT officer for Symantec, told Healthcare Dive in February that in phishing attack trials, he often sees a clickthrough rate of 20% — and once saw a provider with a 92% click rate on a link that could contain a virus.
A recent survey from HIMSS Analytics and Symantec found that despite the apparent danger, healthcare companies commit relatively few resources to IT security. The survey showed that 65% of systems dedicate 6% or less of their IT budget to IT security.
In a blog post Sunday, Microsoft President and Chief Legal Officer Brad Smith said the attack showed that industry, customers and governments need to work together. "More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us," he wrote. "We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part."