What the NotPetya malware strike showed the healthcare industry

November 07, 2019
by Thomas Dworetzky, Contributing Reporter
Slate has just excerpted “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” by Andy Greenberg, out now from Doubleday, recounting the worst malware strike to date.

When Russian hackers launched the NotPetya attack against the Ukraine on June 27, 2017, things got global, fast.

That strike may have been part of a long-standing regional conflict, but it quickly spread, laying waste to servers throughout the world and across all business sectors — including those related to healthcare.

Here are a few of the main takeaways from the excerpt:

There are no borders
The Russian military intelligence hacker group known as Sandworm targeted the Ukraine, but within just hours the malware spread via the Internet. For those in cybersecurity, the clear implication is that the global is local, and that 360-degree awareness of potential threats is needed at all times.

“Maersk, the world’s largest shipping firm, lost $300 million. FedEx lost $400 million. Drug maker Merck would eventually tally its losses at $870 million. In total, NotPetya would be responsible for $10 billion in damage,” according to the excerpt.

The speed of these attacks is almost unimaginable: An IT expert at Merck, for instance, told Greenberg that “the company had lost 15,000 Windows machines to NotPetya in 90 seconds.”

Healthcare IT vulnerabilities are about way more than financial losses or business delays
Bad as such losses were, the excerpt noted that “there was a less quantifiable element of the malware’s damage: its effects on hospitals, and the lives of the humans inside of them.”

The use of software and companies with servers positioned around the globe increases risks
The malware struck, for example, Sutter Health, with 24 hospitals and clinics. Jacki Monson, Sutter's chief privacy and information security officer, was alerted and determined that the malware had not hit its servers directly, but it knocked out popular transcription service Nuance, which has servers and offices in 70 locations around the globe.

“Nuance’s transcription service for electronic medical records, aided by the company’s team of human transcriptionists, was used by hundreds of hospitals and thousands of clinics around the world. And that’s where the real toll of its outage would be felt,” according to the excerpt.

Sutter switched to a Nuance competitor, but that took two weeks. “Within just 24 hours, Sutter was facing a backlog of 1.4 million changes to patients’ records,” the book recounted — noting that these changes by doctors had major health implications.

Sutter started racing to review patient records looking for life-threatening issues. The team succeeded in tracking down urgent cases and ensuring that records were updated. “Fortunately, because of how proactive we were, we didn’t have any patient safety issues,” Monson said.

To recover data, some facilities relied on files that were offline or in other formats, such as audio files
At a different, unnamed U.S. hospital, IT workers turned to a frantic — but successful — review of hours of audio files to find physician updates in a pair of critical cases. They succeeded, barely.

Windows machines are an integral part of most healthcare networks, often integrating with imaging and diagnostic devices — and can be a weak link

And at Heritage Valley Health System in Pennsylvania, which had actually been logged into a Nuance server when the worm hit and had its servers directly infected as a result, 2,000 computers and hundreds of servers were infected.

Even though imaging machines weren't running Windows and were not infected, this was crippling. “The MR didn’t get touched. But the computer that has the software to get the MR image off the machine, that got hit,” said a staffer. “Tests are no good if you can’t see the damn things.”

Heroic as these IT efforts were, there were still delays that could prove costly to the health of patients, noted Atlantic Council security researcher Joshua Corman, citing a New England Journal of Medicine study showing a 4 percent rise in mortality linked to traffic delays under 5 minutes.

“Think of every hospital in the U.S. that uses Nuance. Think about how many days it was down, multiplied by the number of lab results, transfers, discharges, and how many of those are time-sensitive,” Corman said. “In some cases, time matters. Pain level is affected. Quality of life is affected. Mortality is affected.”