Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

The Petya Global Malware Incident Hitting Nuance, Merck, and Many Others

Posted on July 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The Petya Malware (or NotPetya or ExPetya) has really hit healthcare in a big way. The biggest impact on the healthcare IT world was the damage it caused to Nuance, but it also hit Merck and some other healthcare systems. After a shaky start to their communication strategy, Nuance seems to finally at least be updating their customers who saw a lot of downtime from when it first started on June 28 until now. This rogue Nuance employee account has been pretty interesting to watch as well. There’s a lesson there about corporate social media policies during a crisis.

Petya was originally classified as ransomware, but experts are now suggesting that it’s not ransomware since it has no way to recover from the damage it’s doing. It’s amazing to think how pernicious a piece of malware is that just destroys whatever it can access. That’s pretty scary as a CIO and it’s no surprise that Petya, WannaCry, and other malware/ransomware is making CIOs “cry.”

It’s been eye opening to see how many healthcare organizations have depended on Nuance’s services and quite frankly the vast number of services they offer healthcare. It’s been extremely damaging for many healthcare organizations and has them rethinking their cloud strategy and even leaving Nuance for competitors like MModal. I’m surprised MModal’s social team hasn’t at least tweeted something about their services still being available online and not affected by Petya.

I’ll be interested to see how this impacts Nuance’s business. Nuance is giving away free versions of their Dragon Medical voice recognition software to customers who can’t use Nuance’s transcription business. Long term I wonder if this will actually help Nuance convert more customers from transcription to voice recognition. In the past 5 days, Nuance’s stock price has droppped $1.54 per share. Considering the lack of effective alternatives and the near monopoly they have in many areas, I’ll be surprised if their business is severely damaged.

As I do with most ransomware and malware incidents, I try not to be too harsh on those experiencing these incidents. The reality is that it can and will happen to all of us. It’s just a question of when and how hard we’ll be hit. It’s the new reality of this hyper connected world. Adding to the intrigue of Petya is that it seems to have been targeted mostly at the Ukraine and companies like Nuance and Merck were just collateral damage. Yet, what damage it’s done.

Earlier today David Chou offered some suggestions on how to prevent ransomware attacks that are worth considering at every organization. The one that stands out most to me with these most recent attacks is proper backups. Here is my simple 3 keys to effective backups:

Layers – Given all the various forms of ransomware, malware, natural disasters, etc, it’s important that you incorporate layers of backups. A real time backup of your systems is great until it replicates the malware in real time to your backup server. Then you’re up a creek without a paddle. An off site backup is great until your off site location has an issue. You need to have layers of backup that take into account all of the ways your data could go bad, be compromised, etc.

Simple – This may seem like a contradiction to the first point, but it’s not. You can have layers of backups and still keep the approach simple and straightforward. Far too often I see organizations with complex backup schemes which are impossible to monitor and therefore stop working effectively. The KISS principle is a good one with backups. If you make it too complex then you’ll never realize that it’s actually failing on you. There’s nothing worse than a failed backup when you think it’s running fine.

Test – If you’ve never tested your backups by actually restoring them, then you’re playing russian roulette with your data. It’s well known that many backups complete without actually backing up the data properly. The only way to know if your backup really worked is to do a test restore of the data. Make sure you have regularly scheduled tests that actually restore your data to a backup server. Otherwise, don’t be surprised if and when your backup doesn’t restore properly when it’s really needed. Malware events are stressful enough. Knowing you have a good backup that can be restored can soften the blow.

Backups won’t solve all of your problems related to malware, but it’s one extremely important step in the process and a great place to start. Now I’m going to go and run some backups on my own systems and test the restore.

Can Healthcare Ransomware Be Stopped? Yes, It Can!

Posted on May 25, 2016 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  The HIPAA One® Security Risk analysis is a tool to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site for a client named “Care Health” (name changed to protect their identity). Care Health had invested in the highest level of our SRA (Security Risk Analysis) to cover all aspects of security and protection from Ransomware, malware, and the proverbial “sophisticated malware.”

The HIPAA One® HIPAA Security Risk Analysis and Compliance Interview process guided Care Health through a series of HIPAA citation-based questions and required users to upload documents to demonstrate compliance.  These questions directly addressed the organization’s security controls in place to protect against ransomware and cyber-threats.  You can see a sample of the citation-driven controls HIPAA One required for malware and malicious software below:

Technical Audit Controls 164.312(b)
HIPAA One® Requirement:  Upload screenshots of the systems configuration page(s) detecting malware network communications or ePHI/PII going out/in.
Client Controls:  End-user education on malware and phishing. Cisco IPS/IPS module active to block critical threats and WebSense Filter for deep-packet web-traffic inspection.

Administrative Protection from Malicious Software 164308(a)(5)(ii)(B)
HIPAA One® Requirement:  Provide a document showing a list of all servers, workstations and other devices with updated AV Software versions.
Client Controls: BitDefender Enterprise deployed on all workstations and laptops.

Administrative Procedures to guard against malicious software 164.308(a)(5)(ii)(B)
HIPAA One® Requirement:  Please upload a list of each server and sample of PC devices containing server name, O/S version, Service pack and the most recent security updates as available by the software vendor.  Verify critical security patches are current.
Client Controls:  Microsoft Security Operations Center combined with an exhausting change-management process to test new patches prior to release.

HIPAA Citation:  Administrative Training program for workers and managers 164.308(a)(5)(i) for the HR Director role.
HIPAA One® Requirement: Please upload a screen capture of the HIPAA training system’s grades for individual employees and detail the training/grading system in notes section.  Go through training and verify it efficiently addresses organization’s Policies and Procedures with real-world threats.
Client Controls:  Training that is due and required before bonuses, pay-raises or schedule to work are awarded.  Workforce and IT Helpdesk are trained to forward any calls regarding suspicious activities to the HIPAA Security Officer (HSO).

HIPAA Security Risk Analysis Tool

Back to the Ransomware attack…One day during the project, two staff members’ in the Billing department were going about their daily tasks, which involved working with shared files in a network-mapped drive (e.g. N: drive).  One of them noticed new files were being spontaneously created and the file icons in the network folder were changing. Being attentive, she noticed one was named ransom.txt.

Acting quickly, she contacted the IT Helpdesk who were trained to triage all security-related service-desk requests immediately to the HIPAA Security Officer(HSO).   The HSO logged-into the N: shared drive and found Care Health files were slowly being encrypted!

How do you stop a Ransomware attack?
The Security officer ran Bitdefender full-scans on the Billing department computers and found nothing.  He then installed and ran Windows Defender, which has the most current malicious software removal utilities on Server 2012 and found Tescrypt.  Installing Windows Defender on the two desktops not only detected this, but also removed it.

This Ransomware variant had somehow infected the system and was encrypting these files.  The quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before patient data were compromised.  Backups were used to restore the few-dozen encrypted files on the network-drive. It was a close call, but Care Health was ready and the Crisis Averted.

Upon a configuration review of all of Care Health’s security appliances, WebSense had been configured to allow “zero-reputation” websites through.  Zero-reputation websites are new sites without a known reputation and are commonly used by hackers to send these types of attacks. At Care Health, the Ransomware apparently came from a valid website with an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download prior to the user being allowed to see the valid web page.  This forced visitors to this website to download the executable virus from the banner-ad and unknowingly installing the Ransomware on their local computer.  When downloaded, the Ransomware would start encrypting files in high-lettered network-drives first.

Lesson Learned
Ransomware is here to stay and attacks are rising.  Healthcare organizations need to have policies and procedures in place to prevent these attacks and a comprehensive user training and awareness program.  The HIPAA One® software is one of the most secure ways to implement a HIPAA Security Compliance Program.  But a risk analysis is only one step… Ultimately, organizations must build top line end-user awareness and training programs. So like at Care Health, the employees know to quickly report suspicious activities to the designated security officer to defend against Ransomware, Phishing and “sophisticated malware attacks”.

To learn more about stopping Malware and using HIPAA One® as your HIPAA Security Risk Analysis accelerator, click to learn more, or call us a 801-770-1199.

HIPAA One® is a proud sponsor of EMR and HIPAA.