
Cyberattack Hits NHS, Spreads to Hospitals Across the Globe
The attackers appear to have used an exploit developed by the National Security Agency, which was stolen and posted online.
A massive, worldwide cyberattack that affected Britain’s National Health Service (NHS) and appeared particularly aimed at hospitals is spreading across the globe, locking doctors out of patient files and forcing facilities to divert patients or cancel surgeries.
The attack involved ransomware called “WannaCry,” a kind of malware that locks people out of their computers and demands that the user pay a fee, or “ransom,” to unlock the machine. Reports from
Concerns about cybersecurity are increasing as health systems are becoming more interconnected, in part with the goal of delivering better healthcare by sharing information to spot population-level health trends, outbreaks of infectious disease, or patient-level problems like whether a person suffering from opioid addiction is trying to obtain pain medication from multiple doctors and pharmacies.
As speakers at last week’s meeting of the
In the United States, health systems are required to report attacks above a certain level to the HHS Office of Civil Rights, and 2016 saw 93 major attacks—a huge surge of activity. Recent years have brought a wave of breaches, including 78 million records at the health insurer Anthem. The speakers at the ACO Coalition meeting said they have dealt with issues of ransomware. Last year, a
Early reports said today’s attackers appear to have used an exploit developed by the National Security Agency (NSA) that was later stolen and leaked by a group called Shadow Brokers, which has been putting NSA hacking tools online.
Creighton Magid, a partner at the law firm Dorsey & Whitney, said the NSA exploit, called “Eternal Blue,” could have been fixed with a Microsoft patch released earlier this year, but many hospitals and other users have not yet applied it. Apparently, the attackers were counting on that lapse.
“Let’s hope that the attack on the National Health Service in Britain is simply a matter of inconvenience, and that nobody is denied essential care. But what happens if someone is, and is harmed as a result?” Magid said. “What if a US hospital were attacked similarly, and someone’s health were to be seriously impacted? Beyond the human tragedy, it would suggest possible new liability targets, starting with the hospital that failed to ensure that it had updated all of its patches.”
Attacks were reported in at least 25 sites within the NHS system, and affected countries included Turkey, Vietnam, the Philippines, and Japan—but most of the computers hit were in Russia.
Ermis Sfakiyanudis, president and CEO of the data security company
Files can’t just be encrypted, Sfakiyanudis said, but must also be protected in a way that renders them useless to unauthorized parties. Trivalent unveiled a
Magid said the nature of the incident shows the potential for cyberattacks to not be merely inconvenient, but to also shut down businesses and infrastructure.