How the Petya Global Malware Incident Happened to Nuance, Merck, and Others, and What It Means to Health Care.

The Petya Malware attack (aka NotPetya, ExPetya, Ransomware, or WannaCry) has forever changed the health care IT world by shutting down industry giants Nuance, Merck, and others.

One Voice Data
Speaking About Healthcare Technology
6 min read · Jul 25, 2017

Since June 28 when Nuance first went down, many doctors still can’t use the associated transcription service eScription. Hospitals like Beth Israel Deaconess in Boston and the University of Pittsburgh Medical Center are left using pen and paper to document thousands of vital patient notes.

According to Bloomberg, Nuance’s affected dictation and transcription services have “no estimated time of resolution.” Nuance also acknowledged roughly 10 more affected products associated with healthcare including billing and quality of care tracking.

According to the Nuance Healthcare Twitter account and its semi-regular updates, restoration should have been achieved weeks ago. But drop down to the comments section, and it’s not hard to find Twitter users complaining about slow recovery times, the lack of communication, and an increasing undercurrent of frustration.

The official company status hasn’t been updated since July 15.

Customer frustration translates into lost profits.

Reuters reports Nuance’s third quarter earnings between $0.26 and $0.28 per share.

In addition, the company estimates an adjusted revenue of $484 million, down from a projected $510 million (HealthcareITNews).

But the biggest loss for Nuance may be its reputation.

“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” says Mandeep Singh, Intelligence analyst for Bloomberg.

Merck missed critical updates.

After Petya hit New Jersey-based drug maker Merck, internal company communications instructed employees to disconnect all mobile devices from the network and refrain from posting on social media.

Microsoft twice warned of critical updates necessary to patch systems against ETERNALBLUE — the core technology developed by the American intelligence community and now being exploited by a group of unknown hackers known as ShadowBrokers. Merck, by not complying and installing the updates, left their system open and vulnerable.

Even after the global attack in May 2017 when Microsoft issued a third warning and yet another patch, Merck still neglected system security.

Merck has refrained from commenting but did issue a statement saying:

“We have made good progress in our response to the June 27 global cyber attack. We have implemented business continuity plans and continue to ship orders and meet patients’ needs.

We and our external partners see no indication that the company’s data have been compromised.” (Endpoints News)

How does Petya malware work?

According to Symantec, Petya’s point of insertion into a system is via MEDoc, a tax and accounting software system primarily used in Ukraine.

Once Petya gains access to a system, it spreads in several ways to infect corporate systems, quickly and ruthlessly.

Petya is a worm.

Meaning, Petya is a self-replicating program that infiltrates with the intent of spreading malicious code. Networks are hijacked to send copies of the worm’s original code to other computers which cause harm by eating up bandwidth or, in the case of Petya, deleting files. Worms can also install backdoors.

Petya builds a list of target IP addresses both on the local server and remote IPs.

(For a complete list of all included IP addresses and servers …)

It then creates a list of user names and passwords, stores the credentials from Windows Manager, and spreads outward.

Petya spreads by network shares or exploiting Windows transport protocol (SMB), specifically ETERNALBLUE.

Petya destroys files.

Once executed, Petya attempts to remove itself from the original, infected system by overwriting the file with null bytes. This is done to thwart forensic detection and trace. Finally, the file is deleted from the disk.

Infection and encryption.

But even that isn’t enough for this nasty piece of malware. Petya, after installation, modifies the master boot record (MBR). This allows for Petya to take over the normal reboot process and load its ransom note on the CHKDSK screen.
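Because the MBR is rewritten, a defender can spot the change by comparing the boot code in sector 0 with a hash recorded while the host was known good. The sketch below is an added example, not code from the original article or from Symantec; the function names are hypothetical and both sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0-439: bootstrap code that runs at power-on
PART_TABLE = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, partition entries and signature status."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 marks an unused slot
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": count})
    return {"boot_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:] == SIGNATURE}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector with the hash recorded while the host was known good."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings

def sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code plus one bootable NTFS entry."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1000000)
    body = boot_code.ljust(PART_TABLE, b"\x00") + entry.ljust(64, b"\x00")
    return body + SIGNATURE

if __name__ == "__main__":
    clean = sample_mbr(b"\xfa\x33\xc0" * 100)      # constructed "known good"
    baseline = parse_mbr(clean)["boot_sha256"]
    tampered = sample_mbr(b"\x90" * 300)           # constructed replacement
    print(check_mbr(clean, baseline), check_mbr(tampered, baseline))
```

On a live host the 512 bytes would be read from sector 0 of the raw disk with administrative rights, and the baseline hash would be recorded when the machine is built.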

Petya builds in a delay, scheduling instead of forcing a reboot, and giving itself time to spread across the system unchecked.

Files with certain extensions are encrypted and effectively blocked off from the user.

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip (Symantec)

A randomly generated key is used for encryption, but in reality, it can’t be used to decrypt the abovementioned files — the defining difference between Petya and Ransomware. Petya was always intended to destroy while Ransomware allowed for the chance of data recovery.

That brings us back to the major impact of Petya on the health care IT industry.

Any information on a server infected by Petya is essentially destroyed. Promises of recovery, while comforting, are too good to be true.

The mechanism of Petya doesn’t allow for data recovery. Nuance, Merck, and others affected are recreating their databases. Patient notes outsourced for transcription before the malware attack aren’t coming back, no matter what an optimistic IT department says.

The data is gone.

The health care IT industry is outdated.

How did we end up with a health care system that when push came to shove reverted back to pen and paper? How is it that our security was so lax that even after multiple warnings from Microsoft and a previous global malware attack, a major pharmaceutical company was taken down by Petya?

Security must be a priority.

HIPAA mandates a level of information privacy that our current software system as illustrated by Nuance simply isn’t providing. If one group of hackers can access their system, others can as well.

Where were the backups? There should have been multiple layers of backups. In today’s world, information is priceless, and as Nuance has shown, sometimes irrecoverable.

Where was the transparency in communication when the data destruction was realized? Instead, there were promises that any day the servers would be restored and everything would go back to life as usual. But no. Hospitals across the country were scratching out notes by hand, taking essential time and resources from where it’s most needed … patient care.

What can the IT industry do?

More than ever before, the health care industry must stay at the forefront of technological innovation.

Steve Jobs said, “A lot of times, people don’t know what they want until you show it to them.” Our modern health care has reached the point where physicians and hospital administrators agree there is a major problem. Patient care is suffering due to bureaucratic overload and inefficient document management. But they have no idea what to do about it.

Doctors aren’t supposed to know how to fix their IT problems. It’s not their job.

Their job is listening to hearts and lungs. It’s the IT sector’s job to come up with the technology systems. And there are solutions.

When Nuance crashed, Peyton Manning Children’s Hospital was left stranded with 90% of its transcription service outsourced and lost to Petya. What did they do?

They called One Voice Data in a panic. And in a twenty-four-hour turnaround, with a fully integrated, cloud-based system and the highest standards of security, One Voice Data had Peyton Manning Children’s Hospital back up and running on their transcriptions.

Since then, One Voice Data has brought other stranded hospitals and medical practices back online, partnering with M*Modal in the type of cooperation this industry greatly needs.

Originally published at www.onevoicedata.com on July 25, 2017.