U.K. Hospital Ransomware Attacks Show Need for Software Updates


By James Swann

Last week’s ransomware attacks, which hit hundreds of thousands of computers worldwide, also crippled more than 16 British hospitals and highlight the need for health-care organizations to regularly update and patch their software.

It’s possible that U.S. health-care organizations didn’t suffer from the attacks because they buy licensed software and receive regular software updates, Colin Zick, a health-care attorney with Foley Hoag LLP, told Bloomberg BNA May 15.

Many hospitals outside the U.S. often use black-market software and aren’t alerted to urgent software patches, Zick said. In the May 12 attacks, hackers encrypted hospital data and then demanded payment to unlock it.

Zick said it’s critical to train employees not to click on every email they get, noting that, by one estimate, 20 percent of employees click on emails embedded with malicious software, or malware.

Hospital leaders in the U.S. are monitoring what happened in the ransomware attacks in the U.K. and around the world and are using lessons learned from previous attacks to anticipate and respond to any emerging threats, Ashley Thompson, senior vice president for public policy at the American Hospital Association, told Bloomberg BNA May 15.

“While cyberthreats will continue against the health-care field, we remain committed to working with HHS, policy makers, law enforcement and hospitals and health systems to mitigate risk and protect the information of patients,” Thompson said.

Employee training and an effective immediate-response system can go a long way toward avoiding future malware attacks, Kirk Nahra, a health-care attorney with Wiley Rein, Washington, told Bloomberg BNA May 15.

Many hospitals have these systems in place, but it’s still very inconsistent, Nahra said. The attacks also elevate the importance of having good backup systems, Nahra said.

Nahra said the ransomware attacks seem to have been driven by individuals opening infected emails that triggered the malware.

The attack by the WannaCry virus went well beyond the 16 British hospitals and hit over 200,000 computers in 150 countries, according to Europol, the European Union’s law enforcement agency.

Companies attacked included FedEx Corp., Nissan Motor Co. and Renault.

The Department of Health and Human Services issued an alert May 12 to health-care stakeholders about the ransomware attacks and cautioned against opening up unexpected emails. An additional May 15 alert included a link to the Department of Homeland Security’s United States Computer Emergency Readiness Team, which is coordinating the investigation into the attack.

Software Patching

The WannaCry virus exploited a flaw in Microsoft Windows that Microsoft discovered and patched in an update in March, but organizations and individuals that run older versions of Windows and aren’t current with their updates are at risk, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg BNA May 15.

“Probably the only way to protect the organization is to ensure that no one clicks on an email attachment, but it’s difficult to achieve a 100 percent education of your workforce when the malware rides on what looks like an email from the recipient’s friend,” Fader said.

Fader said Day Pitney’s IT department circulated an e-mail May 15 reiterating the warning that employees shouldn’t click on any attachments they’re not expecting, and every organization should do the same.

Ongoing education and reinforcement are critical, because even smart people can slip up and accidentally click on an attachment containing malware, Fader said.

Emergency Meetings

In the aftermath of the ransomware attacks, every hospital management team in the country should be meeting over the next two days to discuss how to handle future attacks, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told Bloomberg BNA May 15.

“They shouldn’t feel like they’re secure just because they passed this test; there will be more to come and they need to ask the hard questions in advance,” Chestler said.

Health-care organizations should also make sure they’ve installed the MS17-010 patch for Microsoft Windows, which fixes the vulnerability targeted by the WannaCry virus, Chestler said.
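As an added example, not from the article or from any of the firms quoted, the PowerShell below inventories which MS17-010 packages Get-HotFix reports on a list of hosts. The KB numbers are the per-Windows-version packages Microsoft published for MS17-010, the host names are placeholders, and on Windows 10 a later cumulative update supersedes the listed KB, so a negative result there means "check the current cumulative update," not "the host is exposed."

```powershell
# Added example: report presence of the MS17-010 update packages on Windows hosts.
# KB identifiers are the per-OS packages published for MS17-010. Later cumulative updates
# supersede them (especially on Windows 10), so treat "not found" as a prompt to verify,
# not as proof that a host is unpatched.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Vista / Server 2008 / Windows 8
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606',               # Windows 10 1507
    'KB4013198',               # Windows 10 1511
    'KB4013429'                # Windows 10 1607 / Server 2016
)

function Test-Ms17010 {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Get-HotFix queries the host's installed-update list (remotely via WMI/DCOM).
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{
        ComputerName = $ComputerName
        Ms17010Kbs   = ($found -join ',')
        Patched      = ($found.Count -gt 0)
        Error        = $null
    }
}

# Constructed host list; replace with an export from your asset inventory.
$hosts = @('WARD-PC-01', 'WARD-PC-02')   # placeholder names
$hosts | ForEach-Object {
    $h = $_                                # capture before the catch block reshapes $_
    try   { Test-Ms17010 -ComputerName $h }
    catch { [pscustomobject]@{ ComputerName = $h; Ms17010Kbs = ''; Patched = $null; Error = $_.Exception.Message } }
} | Format-Table -AutoSize
```

Hosts that return an error (unreachable, remoting blocked) are listed with Patched empty so they can be followed up rather than silently skipped.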

Hospitals should consider conducting ransomware simulations to guide their response, Chestler said, and should let forensic investigators and their internal counsel lead the effort.

Chestler also stressed that future attacks are the responsibility of every employee, not just a health-care organization’s information technology department.

“Organizations may think they’re prepared, but in my experience, they don’t even know where to begin when an attack of this magnitude happens,” Chestler said.

Chestler outlined several additional steps health-care organizations can take to prepare for a potential ransomware attack, including:

  •  sending alerts to all employees about what they can do to prevent attacks, such as not opening any phishing emails and reporting them immediately to IT staff;
  •  reviewing an incident response plan to ensure there’s a chain of communications among management, internal counsel and the IT staff;
  •  ensuring that a software patch management program is in place that updates all software on a regular basis; and
  •  using the attack to improve information security, such as by adding multifactor authentication.

To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at k casey@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.