In San Diego, a Rigorous Look at What’s Being Learned from the WannaCry and NotPETYA Attacks | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

In San Diego, a Rigorous Look at What’s Being Learned from the WannaCry and NotPETYA Attacks

February 4, 2018
by Mark Hagland
| Reprints
At the Health IT Summit in San Diego, healthcare IT security leaders parsed some of the dramatic cyberattacks of the past year, and what’s been learned from them

On Friday, February 2, day 2 of the Health IT Summit in San Diego, sponsored by Healthcare Informatics, the event focused fully on cybersecurity issues, with a several presentations and panel discussions touching on important issues.

On Friday morning, Sri Bharadwaj, director, information services, and CISO, at UC Irvine Health (Irvine, Calif.), led a panel entitled “Ransomware Risks: What We Learned From NotPETYA and WannaCry.” Bharadwaj was joined by Stan Banash, CISO of Children’s Hospital of Orange County (Orange, Calif.); Chris Convey, vice president, IT risk management CISO, Sharp Healthcare (San Diego); Jason Johnson, information security officer, Marin General Hospital (Greenbrae, Calif.); and Christian Abou Jaoude, director of enterprise architecture and Scripps Health (San Diego). As has been widely noted, the May 2017 cybersecurity attack dubbed “WannaCry” grabbed storylines internationally and across the healthcare landscape as tens of thousands of hospitals, organizations, and agencies across 153 countries had their data held hostage, while the June PETYA/NotPETYA attack unleashed further damage worldwide.

panelists (l. to r.): Bharadwaj, Banash, Convey, Abou Jaoude, and Johnson

“I was actually at a Healthcare Informatics conference” when the global WannaCry attack hit last May, Bharadwaj noted, referring to the Health IT Conference in Chicago. “I was speaking on a panel that morning, in Chicago, and this thing hit us. I got a frantic call, and I was on the phone call. For the first ten minutes, I said, OK, I’ll try to figure that out. That became six hours. I almost missed my flight home that day. It was one call after the other, providing updates, communication, etc. But we did not shut down the Internet, our Outlook, or any feedback back to the end users. We got the most hit from our medical devices. It was fairly easy to patch stuff and get stuff done, but we realized that our realm of exposure encompassed all sorts of things—who the heck knew that the parking system was running on a Windows 98G? Who knew that the cafeteria system was running an old version of Windows so old that we had to figure out what it was? So how can we learn from this?” he asked his fellow panelists.

“The key questions,” Banash said, “are, are you managing your risk? Do you understand your attack surfaces? What vectors are you vulnerable to? When this started out, no one knew what was going on; it was crazy. If you had one of those maps in your security center, it was all lit up, and it looked like ‘War Games.’ Initially, we thought it was via email, and we were chasing emails, but when we found out it was SMB vulnerability, we were able to chase that down. We were hit, but there was no successful attack on us. But understanding what was in your environment—it never became more important than on that day. And those MRI machines running on Windows XP—those machines are million-dollar pieces of equipment; it’s hard to justify new purchases to the board. I would say we were lucky; I’d like to say we manage things well, but we did get lucky.”

Asked about connections with law enforcement, Abou Jaoude said, “We do have a direct contact with law enforcement; we also have a protocol that we follow that’s been well-established. We followed those procedures, but the same thing happened to us: there wasn’t much information available during the first couple of days” following the WannaCry attack. “So I went out and read as much as I could about it, read articles to see whether there was something different about this. So we enacted that process, sent out notifications, and then a few days later, everyone learned what had happened.”

“I think we got lucky,” Sharp’s Convey said, “because this started in other parts of the world. Here in the US, we got lucky. I was at Millennium Healthcare then. SMB [Server Message Block] was blocked, that was the first thing. And then, how are our backups protected? And then patching. And it turns out, the basic security hygiene was needed. Look at what happened at NHS. And to be honest, we hadn’t patched as well as we could have. It’s hard to do, especially in the healthcare space, because you’ve got to test, and you don’t want to bring down patient care.”

“Let’s talk about communication; that’s one thing we’re always told we’re not good at in healthcare,” Bharadwaj said. “So, with regard to the oral process of communication, how did you talk to your c-suite?”

“As soon as we knew what was going on,” Banash said, “I reported to our CIO. But the first thing we needed to do was to kick off our incident response plan; and the easiest way to do that is to notify your management team. And, as you said, communication’s tough, we’re not always the best communicators. And in situations like that, you have to find a balance between over-communicating and under-communicating. You don’t want to be that CISO who’s freaking people out. As a CISO, if the only time you’re communicating with your c-suite is when something’s gone wrong, that’s not a good thing.”

“And in some respects, we won’t know what to communicate, because we don’t know what’s going on,” Bharadwaj noted.


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More