By James Swann
Last week’s ransomware attacks, which hit hundreds of thousands of computers worldwide, also crippled more than 16 British hospitals and highlight the need for health-care organizations to regularly update and patch their software.
It’s possible that U.S. health-care organizations didn’t suffer from the attacks because they buy licensed software and receive regular software updates, Colin Zick, a health-care attorney with Foley Hoag LLP, told Bloomberg BNA May 15.
Many hospitals outside the U.S. often use black-market software and aren’t alerted to urgent software patches, Zick said. In the May 12 attacks, hackers encrypted hospital data and then demanded payment to unlock it.
Zick said it’s critical to train employees not to click on every email they get, noting that, by one estimate, 20 percent of employees click on emails embedded with malicious software, or malware.
Hospital leaders in the U.S. are monitoring what happened in the ransomware attacks in the U.K. and around the world and are using lessons learned from previous attacks to anticipate and respond to any emerging threats, Ashley Thompson, senior vice president for public policy at the American Hospital Association, told Bloomberg BNA May 15.
“While cyberthreats will continue against the health-care field, we remain committed to working with HHS, policy makers, law enforcement and hospitals and health systems to mitigate risk and protect the information of patients,” Thompson said.
Employee training and an effective immediate-response system can go a long way toward avoiding future malware attacks, Kirk Nahra, a health-care attorney with Wiley Rein, Washington, told Bloomberg BNA May 15.
Many hospitals have these systems in place, but it’s still very inconsistent, Nahra said. The attacks also elevate the importance of having good backup systems, Nahra said.
Nahra said the ransomware attacks seem to have been driven by individuals opening infected emails that triggered the malware.
The attack by the WannaCry virus went well beyond the 16 British hospitals and hit over 200,000 computers in 150 countries, according to Europol, the European Union’s law enforcement agency.
Companies attacked included FedEx Corp., Nissan Motor Co. and Renault.
The Department of Health and Human Services issued an alert May 12 to health-care stakeholders about the ransomware attacks and cautioned against opening up unexpected emails. An additional May 15 alert included a link to the Department of Homeland Security’s United States Computer Emergency Readiness Team, which is coordinating the investigation into the attack.
The WannaCry virus exploited a flaw in Microsoft Windows that Microsoft discovered and patched in an update in March, but organizations and individuals that run older versions of Windows and aren’t current with their updates are at risk, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg BNA May 15.
“Probably the only way to protect the organization is to ensure that no one clicks on an email attachment, but it’s difficult to achieve a 100 percent education of your workforce when the malware rides on what looks like an email from the recipient’s friend,” Fader said.
Fader said Day Pitney’s IT department circulated an e-mail May 15 reiterating the warning that employees shouldn’t click on any attachments they’re not expecting, and every organization should do the same.
Ongoing education and reinforcement is critical, because even smart people can slip up and accidentally click on an attachment containing malware, Fader said.
In the aftermath of the ransomware attacks, every hospital management team in the country should be meeting over the next two days to discuss how to handle future attacks, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told Bloomberg BNA May 15.
“They shouldn’t feel like they’re secure just because they passed this test; there will be more to come and they need to ask the hard questions in advance,” Chestler said.
Health-care organizations should also make sure they’ve installed the MS17-010 patch for Microsoft Windows, which fixes the vulnerability targeted by the WannaCry virus, Chestler said.
Hospitals should consider conducting ransomware simulations to guide their response, Chestler said, and should let forensic investigators and their internal counsel lead the effort.
Chestler also stressed that future attacks are the responsibility of every employee, not just a health-care organization’s information technology department.
“Organizations may think they’re prepared, but in my experience, they don’t even know where to begin when an attack of this magnitude happens,” Chestler said.
Chestler outlined several additional steps health-care organizations can take to prepare for a potential ransomware attack, including:
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at k email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.