Cyberattack Hits NHS, Spreads to Hospitals Across the Globe

The attackers appear to have used an exploit developed by the National Security Agency, which was stolen and posted online.

A massive, worldwide cyberattack that affected Britain’s National Health Service (NHS) and appeared particularly aimed at hospitals is spreading across the globe, locking doctors out of patient files and forcing facilities to divert patients or cancel surgeries.

The attack involved ransomware called “WannaCry,” a kind of malware that locks people out of their computers and forces the user to pay a fee, or “ransom,” to unlock the machine. Reports from the BBC said the malware requested a Bitcoin fee that was the equivalent of $300. While an initial report from The New York Times said the attack had hit 12 countries, a later report from the BBC said the attack had reached 74 nations.

Concerns about cybersecurity are increasing as health systems are becoming more interconnected, in part with the goal of delivering better healthcare by sharing information to spot population-level health trends, outbreaks of infectious disease, or patient-level problems like whether a person suffering from opioid addiction is trying to obtain pain medication from multiple doctors and pharmacies.

As speakers at last week’s meeting of the ACO & Emerging Healthcare Delivery Coalition® observed, each exchange of data—between providers, contractors, or patients using portals or their devices—offers an opportunity for a breach. The speakers agreed that for health systems, it’s not a question of whether there will be a breach, but when, and health systems must have protocols in place to prevent breaches and deal with the aftermath. (The ACO Coalition is an initiative of The American Journal of Managed Care®.)

In the United States, health systems are required to report attacks above a certain level to the HHS Office for Civil Rights, and 2016 saw 93 major attacks—a huge surge of activity. Recent years have brought a wave of breaches, including 78 million records at the health insurer Anthem. The speakers at the ACO Coalition meeting said they have dealt with issues of ransomware. Last year, a Los Angeles hospital paid $17,000 after an attack, but some attacks go unpublicized.

Early reports said today’s attackers appear to have used an exploit developed by the National Security Agency (NSA) that was later stolen and leaked by a group called Shadow Brokers, which has been putting NSA hacking tools online.

Creighton Magid, a partner at the law firm Dorsey & Whitney, said the NSA exploit, called “Eternal Blue,” could have been fixed with a Microsoft patch released earlier this year, but many hospitals and other users have not yet applied it. Apparently, the attackers were counting on that lapse.

“Let’s hope that the attack on the National Health Service in Britain is simply a matter of inconvenience, and that nobody is denied essential care. But what happens if someone is, and is harmed as a result?” Magid said. “What if a US hospital were attacked similarly, and someone’s health were to be seriously impacted? Beyond the human tragedy, it would suggest possible new liability targets, starting with the hospital that failed to ensure that it had updated all of its patches.”

Attacks were reported in at least 25 sites within the NHS system, and affected countries included Turkey, Vietnam, the Philippines, and Japan—but most of the computers hit were in Russia.

Ermis Sfakiyanudis, president and CEO of the data security company Trivalent, said the attack shows that attacks have become more sophisticated, and that hospitals, pharmacies, and other stakeholders in healthcare “must strengthen their security strategy in order to get ahead of advanced or ‘next generation’ threats.”

Files can’t just be encrypted, Sfakiyanudis said, but must also be protected in a way that renders them useless to unauthorized parties. Trivalent unveiled a next-generation product at HIMSS 2017 earlier this year.

Magid said the nature of the incident shows the potential for cyberattacks to not be merely inconvenient, but to also shut down businesses and infrastructure.