HHS Notice: WannaCry Malware Continues to Impact U.S. Healthcare Orgs

Healthcare Informatics Magazine

June 6, 2017
by Heather Landi

In an email cyber notice, the U.S. Department of Health and Human Services (HHS) is warning healthcare provider organizations that there are ongoing impacts to the U.S. healthcare sector from the WannaCry malware.

The Wanna Cry or Wanna Decryptor ransomware virus swept the globe last month and virtually shut down several dozen regional health authorities within the National Health Service of the United Kingdom, while simultaneously impacting the operations of such diverse entities as Spain’s national telephone service, La Telefónica; Germany’s railway system, Deutsche Bahn; automotive plants of the French car manufacturer, Renault; the Russian Interior Ministry; and universities in China and Taiwan.

In its notice, sent out through the Office of the National Coordinator for Health IT (ONC) and Office for Civil Rights (OCR) listservs, HHS stated that the department is aware of two large, multi-state hospital systems in the U.S. that are continuing to face significant challenges to operations because of the WannaCry malware. HHS specifically notes that this is not a new WannaCry attack.

“The behaviors that have been reported are typical for environments where the WannaCry scanning virus persists, even though the encryption stage has been blocked by anti-virus, or is not executing,” HHS wrote in the notice.

The virus can persist even on a machine that has been patched. It will not spread to a patched machine, but its attempts to scan can disrupt Windows operating systems when it executes. The particular effect varies according to the version of Windows on the device, HHS stated.

If a healthcare organization is the victim of a ransomware attack, HHS recommends the following steps:

Contact your FBI Field Office Cyber Task Force (www.fbi.gov/contact-us/field/field-offices) or US Secret Service Electronic Crimes Task Force (www.secretservice.gov/investigation/#field) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.

Please report cyber incidents to the US-CERT (www.us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).

Additionally, HHS states that if a facility experiences a suspected cyberattack affecting medical devices, those organizations should contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.

For further analysis and healthcare-specific indicator sharing, organizations are urged to share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov.

WannaCry ransomware is a fast-propagating worm which exploits Windows’ Server Message Block version 1 (SMBv1) protocol to move through a network or infect other systems on the Internet. However, according to HHS in its notice, SMBv1 might not be the only vector of infection for WannaCry, so even patched systems could still be infected if the malware is introduced to the system in a different manner.

Furthermore, a newly patched system could have been previously infected, and if so, would still scan for other vulnerable systems and/or encrypt files. “Patching a system is similar to how in physical medicine, a quarantine will prevent an infection from spreading however will not cure the patient who has been quarantined. Reimaging removes the infection in the operating system no matter where the virus is residing,” HHS stated.

The agency also offered tips for how to mitigate the risk of WannaCry infection:

  • Patch vulnerable systems with the update from Microsoft which fixes the SMBv1 vulnerability: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Disable SMBv1 on all devices across the network, and disable it at the firewall if possible. If it is not possible to disable SMBv1, consider the business impact of quarantining those devices off the network until another solution can be found.
  • See the Tech Support page from Microsoft below for instructions on disabling SMBv1: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows-server
  • Block port 445 on all firewalls
  • If possible, reimage potentially affected devices to mitigate risk that malware is on the system in the background.
  • Use a reputable anti-virus (AV) product whose definitions are up-to-date to scan all devices in your environment in order to determine if any of them have malware on them that has not yet been identified. Many AV products will automatically clean up infections or potential infections when they are identified.
  • Work with vendors to make sure both the distribution stage and the encryption stage of WannaCry are detected and blocked.
  • Work with vendors or IT support staff to investigate and remediate systems exhibiting network-scanning activity consistent with WannaCry, which could include reimaging per the previous bullet point.
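
One way to find the hosts that are still scanning, as the last bullet asks, is to look for internal sources that contact an unusually large number of distinct addresses on TCP port 445 within a short window. The sketch below is an added example, not part of the HHS notice or this article; the flow-record layout, the addresses and the 60-second / 20-target thresholds are assumptions to be tuned against your own network.

```python
from collections import defaultdict, deque

SMB_PORT = 445

def find_smb_scanners(flows, window_s=60, min_targets=20):
    """Return {src: peak distinct TCP/445 destinations seen within window_s}
    for every source whose peak reaches min_targets.

    flows: time-ordered iterable of (epoch_seconds, src_ip, dst_ip, dst_port).
    """
    recent = defaultdict(deque)                      # src -> (ts, dst) still in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    peak = defaultdict(int)
    for ts, src, dst, dport in flows:
        if dport != SMB_PORT:
            continue
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Expire connections that have fallen out of the sliding window.
        while q and q[0][0] <= ts - window_s:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        peak[src] = max(peak[src], len(c))
    return {s: n for s, n in peak.items() if n >= min_targets}

def sample_flows():
    """Constructed flow records for illustration (not real traffic)."""
    flows = []
    # Ordinary client: repeated sessions to the same two file servers.
    for i in range(50):
        flows.append((1000 + i * 5, "10.0.0.5", "10.0.9.%d" % (1 + i % 2), SMB_PORT))
    # Host with persistent scanning: 40 distinct addresses in 20 seconds.
    for i in range(40):
        flows.append((1100 + i * 0.5, "10.0.0.23", "10.0.1.%d" % (i + 1), SMB_PORT))
    # Web traffic to many hosts: ignored because the port is not 445.
    for i in range(40):
        flows.append((1100 + i, "10.0.0.7", "10.0.2.%d" % (i + 1), 443))
    return sorted(flows)

if __name__ == "__main__":
    for src, n in find_smb_scanners(sample_flows()).items():
        print("%s contacted %d distinct hosts on TCP/445 within 60s" % (src, n))
```

Hosts flagged this way are candidates for the investigation and reimaging steps above, whether or not they have been patched.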

 
