WannaCry, NotPetya, and Cyberwarfare's Threat to Healthcare

One year after 2 devastating cyberattacks, healthcare is still grappling with a jarring new threat.

When the outage hit, Daniel Ripp, MD, didn’t think much of it. He recorded his appointment notes into his Dictaphone like he had for years, and when he couldn’t upload them to the transcription service, he went about his day. “OK, reboot the computer, and if it doesn’t work, we’ll do it tomorrow,” he figured. Ripp had been practicing internal medicine in Wisconsin for decades. He knew by then that some days, the internet just didn’t work right.

Later that night, Ashok Rai, CEO of Ripp’s employer, Prevea Health, got a phone call from the head of the company’s medical records department. Ripp wasn’t the only one with computer troubles. No physician in the health system could upload their audio notes. Rai fielded frantic phone calls and texts throughout the night as he and his colleagues rushed to figure out what to do. The clinics would have to open again in the morning, and already-busy doctors would be without their usual means of documenting their appointments.

“In healthcare, if you can’t document it, it didn’t happen,” Rai said. “It was all hands on deck.”

The next day, Prevea set up a “war room” where its leadership team began searching for a path forward. Similar scenes were playing out at health systems of all sizes across the country. About a third of the industry uses the same transcription service, and many doctors were forced to ditch their usual protocols and revert to manual documentation while executives raced to snap up temporary transcription workers and build backup plans.

The transcription blackout started 1000 miles to the east, where the mood was even more tense. Satish Maripuri was driving to work when a colleague texted him that “an incident of abnormal nature” was gripping their company’s computer networks, and it looked like ransomware. Ten minutes later, he got another text saying that whatever was happening was “a little more nefarious” than normal.

When he walked into his office at Nuance’s Burlington, Massachusetts, headquarters, the severity of the situation began to sink in. “We were down email, desktop IP phones. Networks were down,” said Maripuri, the company’s executive vice president. “I realized at that point it was going to be more serious.”

Nuance, a massive global information technology (IT) vendor whose services are vital to thousands of healthcare providers across the United States, had to act fast. It cut connectivity to all of its clients, hoping to keep whatever was ravaging its systems from spreading downstream. “In the fog of war, we want to make sure we don’t contaminate each other,” Maripuri said.

Nuance wasn’t the only major corporation scrambling for answers on June 27, 2017. Merck closed offices in southeastern Pennsylvania when its systems became inaccessible. FedEx’s European subsidiary TNT suffered major disruptions, and within days the company had warned investors that the situation would result in material losses. The infection spread to the global shipping firm Maersk, the food conglomerate Mondelēz, and even oil giant Rosneft.

Ground zero for the whole thing was even farther from Wisconsin than Massachusetts. At the time, Maripuri didn’t realize he and his team were dealing with what he later called a “Russian cyberterrorist attack” directed at Ukraine. They just knew it was bad. The company had more than 10,000 endpoint desktops and countless servers, and almost all went dark that day.

Devastating Material Damages

The incident has since come to be known as NotPetya, after incorrect early analysis led people to believe it was a strain of the notorious Petya malware. The attack inflicted serious injury on everything that it touched and brought harm to countless other organizations.

Infected corporations lost colossal amounts of money. Merck’s financial filings showed related losses in the third and fourth quarters of 2017, each in excess of $300 million. Maersk and FedEx also reported 9-figure damages.

For Nuance, losses totaled nearly $100 million, and the company wasn’t able to restore full functionality to all of its healthcare customers for nearly 2 months. The transcription provider was hit so hard that it had to rebuild many of its servers.

Providers also took a hit. Rai said the outage caused by NotPetya hurt Prevea’s efficiency and bit its bottom line to an extent it might never quantify. Extrapolate that experience to thousands of providers, and who knows how many working hours and dollars were burned nationwide? A few American health systems, like Heritage Valley Health System in western Pennsylvania, are even believed to have been directly infected with the virus.

In light of such crippling catastrophe, it might sound strange to say that American healthcare dodged a bullet. In retrospect, multiple sources who described the event to Healthcare Analytics News™ (HCA) used that very phrase.

Just 46 days earlier, the United Kingdom’s National Health Service (NHS) was brought briefly to its knees by another international cyberattack, WannaCry. As many as 70,000 devices—laptops, desktops, mobile devices, and other machines—were infected with what appeared to be ransomware.

For various reasons, NotPetya and WannaCry will forever be correlated. Both attacks hit during a 2-month period in the spring and summer of 2017. Both mutilated computer systems worldwide, in healthcare and in other industries, leading to massive disruptions and financial injuries. Both presented as ransomware but were not. And both were potent cyber munitions deployed by hostile foreign governments—demonstrations of the dangers healthcare must face in a new age of cyberwarfare.

Who Perpetrated the Attacks?

Speculation that other nations were behind both of the cyberattacks began almost immediately, although their motives and mechanisms were decidedly different.

NotPetya had originated in Ukraine immediately before a national holiday, Constitution Day. The virus had been planted in M.E.Doc, a Ukrainian tax-filing program, and leapt quickly across the world, through trusted connections between companies that do business there.

Within a week, Ukraine’s counterintelligence agency issued a statement accusing Russia of the incident. The timing—just before a national day off, when it would be harder to remediate—and culprit—the country that had been not-so-discreetly meddling in Ukraine for more than 3 years—made the attribution obvious to many in the cybersecurity community.

“The main purpose of the virus was to destroy important data and to disrupt the work of public and private institutions in Ukraine to spread panic among the population,” Ukrainian intelligence wrote. The White House followed suit this past February, claiming that the attack was “part of the Kremlin’s ongoing effort to destabilize Ukraine.”

It didn’t take long to tap a suspect in the WannaCry case, either. Days after it hit, a Google researcher tweeted about elements in the malware’s code that linked it to Lazarus, a hacker group believed to be tied to North Korea. In December 2017, however, the United States and United Kingdom formally accused the hermit kingdom of launching the virus, though some experts remain skeptical of North Korea’s involvement. In a Wall Street Journal editorial, Thomas P. Bossert, JD, a White House assistant for homeland security and counterterrorism, called the attack “indiscriminately reckless.” Noting its effects on the NHS, he claimed WannaCry “put lives at risk.”

But the differences between the 2 attacks were as pronounced as their similarities. Insiders with knowledge of the incidents and the US government’s response described them to HCA in starkly different terms: WannaCry was “sloppy.” NotPetya was “elegant.” (These sources requested anonymity due to their positions and the sensitive nature of the subject.)

North Korea’s attack used the much-publicized EternalBlue Windows exploit, a US National Security Agency tool that the hacker group Shadow Brokers released in April 2017. In response, Microsoft broke from policy and issued patches for unsupported operating systems like Windows XP. So, it wasn’t that the world lacked an answer to WannaCry; it was that, as usual, the patches went widely ignored.

NotPetya was decidedly more intricate, according to experts, and its spread was better calibrated. It didn’t slam through every vulnerable system. Rather, it used M.E.Doc to gain a foothold before slithering deeper into networks by impersonating users and changing permissions. And it did so quickly, although it perhaps traveled farther than intended. Both Maripuri and another expert said the virus was destined only for Ukraine, given programming features that identified location based on factors like IP address and system language. But the malware spread despite them. “Of course it escaped, right?” one expert mused. Nuance’s system, for example, became infected through a “trusted development partner” based in Ukraine, Maripuri said.

WannaCry didn’t have any geographic controls, but it might have contained an intentional ransomware component, although paying up often didn’t earn victims an unlock key. The virus’s “killswitch” was discovered almost instantly, and months after the attack, only $143,000 had been withdrawn from its associated bitcoin wallet, an unimpressive amount given the attack’s scale. And although NotPetya locked up infected systems with a ransomware interface, analysis suggests it never meant to return victims’ data. The unlock keys that it created were all destroyed as the virus spread.

The reasons both presented as ransomware, some speculated, were subterfuge and plausible deniability. Why would a nation expose its best cyberweapons when a slapdash virus like WannaCry could cause so much harm? And since companies expect to be hit by ransomware these days, why not try to blend in with all of the other criminals?

The Losses We Can’t Quantify

One day before Shadow Brokers leaked EternalBlue, the New England Journal of Medicine published a study on the effects of major urban marathons on emergency mortality rates. The idea was that delays in care caused by interrupted ambulance routes could harm patients undergoing time-sensitive medical events, like heart attacks and strokes.

The study found that patients who experienced myocardial infarction or cardiac arrest faced longer ambulance rides on marathon days—by more than 4 minutes, on average. They also suffered higher 30-day mortality rates than those hospitalized for the same reasons on nonmarathon days.

What does this have to do with international cyberterrorism? “Degraded and delayed patient care delivery affects mortality rates, period,” a cybersecurity expert told HCA. They said it wasn’t a question whether WannaCry and NotPetya killed people. It was a question of how many.

Efforts are underway to quantify the lives lost to WannaCry in the United Kingdom, where the cyberattack shut down clinics, diverting ambulances and canceling roughly 20,000 appointments, including some urgent referrals, the BBC reported. No government official or researcher has yet published a casualty count.

It could be difficult or impossible to quantify the effect NotPetya might have had on mortality rates in the United States. Nuance doesn’t have access to any such data, Maripuri said. But the possibility is there, given the complexity of American healthcare. Sure, the loss of transcription services wasn’t going to close emergency departments. Delayed appointments, stressed and overworked doctors, and documentation errors that led to missed diagnoses, however?

“People don’t like talking about that,” the source said. “They want to see the smoking gun: This attack killed this many people thanks to a specific flaw in a specific pacemaker. While we’re looking for CSI-level certainty, we’re ignoring public health issues. You can have material swings in mortality rates when you have the large-scale outage of something like Nuance.”

Congress and Nuance Talk Cybersecurity

Congress appears to have taken the Nuance outage seriously. Last October, Rep. Greg Walden (R-OR) sent a letter to Nuance requesting formal testimony before the House Energy and Commerce Committee. He wanted to know what went wrong and what it meant for Americans seeking healthcare. NotPetya, he said, represented a “new challenge.”

Walden added that Nuance’s dominance over transcription services in the healthcare sector “sets its infection and subsequent availability issues apart and raises the possibility of more serious aftereffects for the healthcare sector as a whole.”

Following a data breach, many might consider a call to the Hill a bad sign. Maripuri, however, saw a chance for constructive conversation. Nuance accepted Walden’s invitation, and in early January, Maripuri headed to Washington.

“There’s no question there was an impact on clients in the industry, and they really wanted to probe and understand that to the fullest extent,” Maripuri said of the hearing. “Some of that dialogue is tough and painful, because it’s never a good thing when someone goes through it—better us than someone else. I actually wish we had more conversations around those lines.”

And NotPetya ultimately led to changes. Rai said the incident has altered how Prevea Health approaches IT procurement, raising the level of scrutiny of any new network connection to an outside vendor. “There was a lot of caution, a lot of communication, and, for lack of a better word, a lot of frustration, too,” he said, still praising Nuance for being open and responsive during the outage.

For Nuance, the attack pushed forward investments in new technologies and protections, with nearly a third of its IT research and development budget now going toward cybersecurity. “I believe that no one is truly bulletproof and invulnerable, but our posture is a lot better than maybe it would have been,” Maripuri said. “This is not some lost cause.”

Executives for Prevea and Nuance believe their outcomes could have been worse. They credited good contingency planning and good fortune. One of Nuance’s transcription services, the natural language processing-based Dragon Medical platform, was hosted in the cloud by Microsoft Azure, which remained unaffected. In addition, Prevea had already begun shifting its transcription protocol to Dragon, so although the outage caused headaches for physicians in the system, it expedited the move to the new service.

A year after WannaCry and NotPetya, many companies are still grappling with what happened, how to portray the damages, and what new threats will emerge. Many victims have refused to discuss the attacks, at least with the press. Merck also received an invitation from Congress, which it reportedly accepted. But the company declined to make someone available for an interview for this story, instead pointing to its financial filings.

Maripuri said Nuance wanted to open up about NotPetya because healthcare still might not understand its gravity, and he said that expecting small regional hospitals to have IT defenses against military-grade cyberweapons was no different than expecting them to have a security staff that could safely protect their institution if terrorists walked through their front doors.

New and Evolving Nation-State Threats

“The industry realized WannaCry as a seminal event. It realized, ‘Holy mackerel, we just dodged a big bullet.’ And NotPetya was the next round,” one cybersecurity expert said. But neither that notion, nor the fact that most victims were collateral damage, provides comfort for the victims of reckless North Korean and Russian cyberwarfare.

Ripp described the feeling as “irritating.” Rai used stronger terms. “It makes it all sort of real-world. No matter where you are, you’re not completely safe from what’s going on in the world of IT and interconnectivity these days,” he said.

A sense of inevitability permeated interviews conducted by HCA. “The question is when, not if,” Maripuri said. “Some may get lucky in the process, not necessarily because they’re better prepared. I think a lot of the industry in healthcare is just lucky.”

That’s certainly true in the case of WannaCry. The “sloppier” of the 2 attacks, it could’ve ravaged US computers had its killswitch not been discovered so quickly, experts said. But the same Windows vulnerabilities exist today, and countless networks remain exposed, betting on luck.

Luck, however, seems an unreliable ally, particularly as cyberattacks grow more sophisticated.

Another cybersecurity source ruminated on what would happen if a single attack could harness both of the weapons’ strengths. “That scenario breaks through all [of] the geographic boundaries that are the premise of disaster management. A tornado is geographically bounded. A WannaCry attack has no boundary,” they said. “WannaCry scale and NotPetya ferocity? The disaster management capabilities of the nation are not prepared for it.”

Russia and North Korea aren’t the only countries using potent cyberweapons. Symantec cybersecurity investigator Jon DiMaggio said his team has seen Middle Eastern countries launch malware attacks against each other. The United States’ leaked NSA toolkit has also caught the attention of adversarial countries developing new attacks. “It’s absolutely being taken advantage of by other nation states,” he said. “That is just an absolute disaster that that stuff was leaked out.”

Mac McMillan sees an even graver future for state-sponsored cyberwarfare. He’s the CEO of cybersecurity firm CynergisTek and a longtime Department of Defense intelligence officer. What worries him are botnets: webs of thousands, or millions, of discreetly compromised internet devices that can be weaponized for denial-of-service attacks that crash computer networks by overloading their bandwidth. The wrong kind of botnet could prove more powerful than the infamous Mirai attack, which brought down web powerhouses like Netflix and Reddit in late 2016.

McMillan fears malicious actors are building botnets to go after infrastructure, like power grids and telecommunications services. If such an attack were to cause a regionwide blackout, the effects on healthcare would surpass those of WannaCry and NotPetya.

“I tell people this all the time now: You need to rethink your infrastructure,” he said. “You need to rethink who you’re connected to. You need to rethink your network. Just because you’re not the target doesn’t mean you can’t become the victim.”