The massive ransomware cyberattack that began by crippling British hospitals and striking targets in dozens of countries, including the U.S., on May 12 remains a threat to health care organizations, among numerous entities, authorities from HHS and other federal agencies warn.
HHS, in its fourth and latest alert since May 13 — sent under the heading “International Cyber Threat to Healthcare Organizations” — reiterated May 17 that an organization victimized by a ransomware attack should report the event to its FBI Field Office Cyber Task Force, among other federal entities, and request assistance. HHS also referred organizations to recent guidance issued by its Office for Civil Rights (OCR) specific to the so-called WannaCry ransomware. From a compliance standpoint, OCR says it presumes a breach in the case of a ransomware attack, explains reporting requirements, and stresses that following the HIPAA Security Rule helps entities prepare for such attacks.
OCR cites a U.S. interagency report showing 4,000 daily ransomware attacks since early 2016, up from 1,000 daily ransomware attacks reported in 2015. (In April 2016, the FBI noted that ransomware incidents were not only increasing, but also becoming more sophisticated.)
The recent cyberattack stands out for its scale, broader than most ransomware incidents seen recently, and because it was built from leaked National Security Agency (NSA) tools, says Ed Zacharias, a partner in McDermott Will & Emery LLP’s health care practice group in Boston. But he says the WannaCry ransomware entered systems, and began locking down and encrypting files, in a typical way: through email “phishing” or “spear phishing.”
Patch Management Is ‘Critical’
“How the ransomware was deployed in this circumstance wasn’t unique,” Zacharias says. Unlike incidents in which hackers try to steal and sell data, in ransomware cases the hackers don’t care whether they can access data, he says. Instead, hackers lock data and a text file says to pay a “ransom,” typically not much, in Bitcoin to retrieve it. As of May 17, the aggressive WannaCry ransomware had infected more than 200,000 computers and collected $80,000-plus, according to @actual_ransom — a Twitter bot set up to track the ransomware, The Merkle website reported.
In the latest incident, hackers are gaining access to servers by exploiting a Windows vulnerability. On March 14, Microsoft released a security update for the vulnerability; it released patches for some operating systems on May 13, the day following the attack.
“These types of attack are not going to stop, so patch management is critical for anybody, for any business,” Zacharias says. “This is critical for payers: being able to take your systems down and go through the patching process in a short period of time.”
The WannaCry attack began on a Friday, so action had to be taken over the weekend, before employees returning to work on Monday might click on infected emails. On Saturday, the day after the attack, Zacharias’s firm sent out an alert to clients.
“The trend has clearly been health care organizations are targeted by hackers now,” Zacharias says. “The perception is they’re vulnerable.”
Zacharias says he has heard of a couple of U.S. health care entities — not payers — that may have been affected by the recent global ransomware attack. So far the U.S. has fared pretty well, though the cyberattack has been “a little disruptive for businesses not doing adequate patching,” he said May 17.
(HHS’s Office of the National Coordinator for Health Information Technology (ONC) referred AIS Health’s questions on whether any U.S. health care entities have been compromised by the WannaCry cyberattack to HHS’s Office of the Assistant Secretary for Preparedness and Response. That office declined to answer questions on the matter, referring AIS Health to the Dept. of Homeland Security (DHS), which had not responded to queries by press time.)
No Single Tool Offers Panacea
If ransomware infects businesses, it can cause temporary or permanent loss of proprietary information, disrupt regular operations and require financial outlays to restore systems or files, the federal government warns.
Indeed, a year ago the Ponemon Institute reported that nearly 90% of health care organizations participating in its annual benchmark study of health care data security had a data breach— and nearly half had more than five breaches — in the two previous years. Each breach likely cost HIPAA-covered entities more than $2.2 million on average, the institute estimated. Ransomware, malware and denial-of-service attacks, which overwhelm system resources, were the top threats.
Zacharias echoes what the FBI began saying a year ago as ransomware attacks started to proliferate: No single method or tool will completely protect an organization from such attacks. In cases that cannot be prevented, “the best position a plan can be in is to have conducted regular backups so they can restore any affected systems and preserve integrity on those systems,” he says.
Since it’s difficult to detect a ransomware compromise before it’s too late, the FBI recommends focusing on training employees, putting technical controls in place and creating a business continuity plan in case of attack.
Zacharias offers the following suggestions to payers and other health care entities:
Know your patching strategy. “Payers should be talking to their chief information security officer about what their patch management strategy is,” and should understand when patching should occur and how it fits with overall information technology (IT) strategy, he says. “Patch management as an effective safeguard is critical on the front end to hopefully avoid attack.”
Train employees. “I think from a preventive perspective, the take-home message, like a lot of things in data security in the health care world, is about training, and telling employees who to report suspicious information to,” and not simply to delete the email because there likely were multiple recipients, he says. “So, proactively, just educate people about what to be on the lookout for.”
Expend sufficient resources. He points to the technical component of preparedness, noting the health care industry, while lagging behind banking and other industries, is starting to dedicate more money to systems security, adding technology and staffing to monitor systems.
Keep documentation. Payers should have documented policies and procedures on how they back up systems and how they do patch management and virus updates, he says. “And people should be trained on them [i.e., policies and procedures] and they should be followed.”
Watch downstream vendors. “If a downstream vendor is infected and you’re on their email list, it’s a problem,” Zacharias says. “I don’t think that’s avoidable. When you’re doing due diligence on your vendors, you want to get some reasonable assurances they’re protecting information and have reasonable ways to protect your information,” he says.
Prepare for rapid recovery. The key to recovering after a cyberattack is being able to identify the incident, keeping patches and antivirus software up to date, and having audit log monitoring capable of searching for unusual activity, he says. “Regularly backing up your systems, especially your critical systems, is key,” he says. “When these [cyberattacks] happen, you need to disconnect servers and have redundancy” that allows computers to get back online soon with recent backups.
HHS: Beware of ‘Malicious Actors’
On May 13, the day after the WannaCry attack began, HHS also stressed the importance of seeking legitimate help, warning about potentially malicious conduct toward health care entities.
“We would like to flag for the community that a partner noted an exploitative social engineering activity whereby an individual called a hospital claiming to be from Microsoft and offering support if given access to their servers. It is likely that malicious actors will try and take advantage of the current situation in similar ways,” HHS said. “Additionally, we received anecdotal notices of medical device ransomware infection.” FDA was to hold a seminar on cybersecurity for medical devices May 18-19 in the Washington, D.C., area.
Find OCR guidance at http://tinyurl.com/lc8ouze.