Last week, numerous hospitals operated by Britain’s National Health Service (NHS) suffered a ransomware event in which hospital computer systems were encrypted, phone lines became inoperable, patients were diverted, and a Bitcoin ransom was demanded. Hospitals across Britain shut down their computer systems in order to protect patient data and prevent further spread and advised people to stay home unless there was an emergency. NHS Digital, Britain’s national hospital cybersecurity overseer, stated that 16 NHS organizations across Britain had reported an incident, but that the attack did not appear to be specifically targeting NHS hospitals. At this time, there is no indication that the ransomware has exfiltrated any personal data from the NHS.
The ransomware affecting the NHS - known as WannaCry - exploits a flaw in Microsoft software. Although Microsoft released patch in March fixing the flaw, the patch has been applied inconsistently, leaving many organizations and individuals vulnerable. WannaCry appears to be spreading across Europe and the globe at a rapid pace. A number of Spanish companies have been significantly impacted by WannaCry, leading Spain to activate a special protocol to safeguard its critical infrastructure. Many commentators think WannaCry could be “the big one” that ransomware experts have been predicting for some time.
Hospitals and other healthcare organizations have increasingly been targetedwith ransomware due to the value of electronic protected health information and the increasingly digital nature of healthcare. The scope of this ransomware attack, however, is unprecedented. Healthcare providers and other organizations should immediately conduct a risk analysis to determine their susceptibility to the WannaCry ransomware and take urgent steps to safeguard against this and other ransomware.
The Office of Civil Rights and the Federal Trade Commission have issued guidance on ransomware, which should be carefully considered by covered entities and their business associates. Healthcare organizations need to be vigilant in their cybersecurity practices to safeguard their systems and patient data, while staying operational during cyber threats.
What’s the Takeaway?
Healthcare organizations should take immediate steps to patch Microsoft vulnerabilities causing the spread of WannaCry. Prompt steps should also be taken to review cybersecurity plans, including performing an updated risk analysis and implementing recovery plans to prepare for a possible ransomware event. Failure to adequately protect electronic protected health information can expose covered entities and business associates to significant liability under HIPAA and state privacy and data security laws. As we have discussed before, best practices for organizations looking to keep their computer systems safe from ransomware include implementing strong security measures, training their workforce, and performing consistent backups.