International Cyberattack Affects Some Corners of U.S. Health Care, Including Medical Devices -- Update

By Melanie Evans Features Dow Jones Newswires

The international cyberattack that swept the globe has had some impact on the U.S. health-care system, as hospital systems scramble to prevent its further spread.

Continue Reading Below

On a conference call with health-care organizations Monday, U.S. federal officials said several medical devices had been infected with the ransomware that proliferated across dozens of countries, but declined to identify the devices, according to a person on the call. The Department of Health and Human Services, which organized the call, referred questions to Homeland Security, which didn't immediately respond to a request for comment.

The health-care unit of Siemens AG, which makes medical imaging and laboratory diagnostic devices, sent an urgent bulletin Monday to customers to alert them that some products are vulnerable to the ransomware, a spokesman said. The Siemens business is offering remediation for susceptible products, he said. "Responding to this global threat is of the utmost importance to the company," he said. The number and type of vulnerable health-care devices was not available, he said. Siemens AG's technology infrastructure and production was not affected by the cyberattack, he said.

In an interview Sunday, a Homeland Security official said some U.S. health-care companies reported suspected or confirmed attacks involving the ransomware. The official declined to say whether hospitals were among those affected. The malware didn't disrupt operations and mostly affected administration, a Homeland Security spokesman said Monday.

Cybersecurity experts across U.S. health care remained on alert through the weekend, racing to patch vulnerable computer networks and scanning for evidence of new variants of the malware known as WannaCry, which worms into computers through a vulnerability in Microsoft Corp. software. The malware encrypts files and demands ransom to release them.

The U.S.'s largest hospital operator, HCA Healthcare, hasn't detected an impact from the cyberattack, a spokeswoman said. The Nashville, Tenn.-based company, which also owns six hospitals in the U.K., continues to monitor its networks, she said.

Continue Reading Below

Northwell Health, which owns 18 hospitals and more than 550 outpatient centers in New York, gathered information-security employees Saturday at a data center in Westbury, N.Y. to monitor the health system's networks from banks of monitors that flashed status updates.

Northwell officials first learned of the cyberattack Friday morning, said John Bosco, senior vice president and chief information officer. Northwell set in motion the same emergency protocols it uses during hurricanes and other emergencies, he said. Officials raced to survey and update multiple layers of cybersecurity. Within hours, Northwell identified about 200 of about 50,000 computers with vulnerable software and a small number of its 4,000 servers that hadn't yet received a scheduled upgrade, Mr. Bosco said. Northwell says it staggers software upgrades to avoid disruption.

Northwell engineering and information security staff worked through Saturday to patch the software. Work finished Saturday evening with no reported breaches. Northwell continues to monitor networks for new variants of the malware, Mr. Bosco said.

As the day unfolded, Mr. Bosco watched reports of the ransomware spreading across the globe. "It was scary," he said. "It was very scary."

Insurance giant Aetna Inc. saw no impact from the ransomware but contacted hospitals and doctors in its networks asking for cybersecurity updates after Friday's first attacks, said James Routh, Aetna chief security officer and chairman of the National Health Information Sharing and Analysis Center, a nonprofit cybersecurity organization whose members include hospitals, health insurers and pharmaceutical and medical-device companies.

The nonprofit organization and federal agencies, including the Federal Bureau of Investigation, issued updated information on the cyberattacks to hospitals through the weekend.

U.S. hospitals are considered highly vulnerable targets for cyberattacks because of the sector's growing dependence on computerized health records and networked medical devices.

A hospital has a "very open, very porous, very expansive network with thousands of endpoints that are very hard to control and secure," said John Riggi, managing director of cybersecurity and financial crimes for consultants BDO USA LLP, which in December launched an effort with the American Hospital Association to improve hospital cybersecurity.Health care's shift to digitals records is more recent than in the financial services industry, a sector with more mature cybersecurity, experts said. Recent ransomware attacks at U.S. hospitals have accelerated the sector's efforts to boost its defenses, said Janis Orlowski, chief health-care officer for the Association of American Medical Colleges, a trade group including U.S. teaching hospitals.

Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 last year after ransomware took control of some of its computer systems. The cyberattack under way "just puts the entire industry on further alert," Dr. Orlowski said.

Write to Melanie Evans at Melanie.Evans@wsj.com

(END) Dow Jones Newswires

May 15, 2017 19:36 ET (23:36 GMT)