What you need to know about the forces reshaping our industry.


May 15, 2017

Hospitals held for ransom: What just happened and how to protect your patients

Daily Briefing

    Read Advisory Board's take on preparing for ransomware attacks.

    HHS over the weekend alerted providers to a massive ransomware attack that had spread quickly through Europe and Asia on Friday, locking providers out of patient records in Britain and forcing affected hospitals to divert patients in need of urgent care.

    Ransomware incident response: Managing in minutes

    According to the New York Times, the hack is likely the largest ransomware attack on record. Europol as of Sunday estimated the attack had so far hit 200,000 computers in more than 150 countries. The attacks affected both private- and public-sector companies across industries. In Britain, the National Health Service appeared to take the brunt of the attack.

    About the hack

    The hack exploits a flaw in Microsoft's Windows operating system to propagate a strain of ransomware called WannaCry, which encrypts victims' computer systems and locks users out of critical data until they pay a ransom fee.

    The Windows flaw, according to the Times, was first identified by the U.S. National Security Agency, which reportedly discovered the vulnerability while assembling "its arsenal of cyberweapons."

    Microsoft in March released a patch to fix the vulnerability. According to the Wall Street Journal, the hack affected organizations that either had not installed the patch or were running outdated versions of Windows that Microsoft no longer regularly updates.

    The ransomware's spread was stemmed, for now, by a 22-year-old who uses the Twitter name MalwareTech, who discovered an effective "kill switch" in the malware that enabled him to end the attack by registering a specific web domain. Experts warned, however, that new versions of the ransomware without that vulnerability were likely to arise in the days ahead.

    Hack affects hospitals

    According to the Times, the attack affected at least 45 hospitals and other medical facilities in Britain, many of which were running outdated versions of Windows.

    During the attack, doctors were unable to access patient files, which forced many to cancel surgeries and led EDs to divert patients who needed urgent care. NHS said affected hospitals were instructed to take vital equipment, such as MRI scanners and X-ray machines, offline.

    The ransomware, according to the Times, also threatened to destroy the hospitals' data if the ransom—about $300 per computer—was not paid.

    British officials on Saturday said 48 of the country's 248 public health trusts had been affected, but all but six had been restored to normal operations, the Times reports. According to BBC, the hack also affected 13 NHS organizations in Scotland, but Scotland officials said they expected affected computers to be running again by Monday.

    According to the Times, a surgical resident who spoke on the condition of anonymity said several computers shut down while he was performing a heart operation. He said the patient monitoring equipment continued to work and his team was able to safely complete the surgery.

    To cope with the attack, providers and pharmacists resorted to paper to collect patient information and submit and fill prescriptions, the Times reports. NHS over the weekend said it still would be able to provide services in an emergency but cautioned that people should "use NHS wisely" while it recovers.

    U.K. Home Secretary Amber Rudd on Saturday said 97 percent of the NHS' computer systems were back online and that there was no evidence that patient data had been accessed. Britain's National Cyber Security Center on Sunday reported "no sustained new attacks," but warned that the malware could continue to spread within networks.


    Michael Fallon, Britain's defense minister, on Sunday said the government would spend about $64 million to bolster cybersecurity at NHS.

    Hospital employees in Britain said they had been cautioned about computer use. Greg Elston, a paramedic at St. Mary's Hospital, said, "We are all being extra careful," adding, "We've been instructed not to open email attachments on our phones."

    Microsoft also released a public patch for outdated versions of its Windows software—which are so old that they no longer receive regular security patches—in response to the attack, though according to experts the patch will not help those who have already been affected. 

    HHS issues alert on the hack

    According to The Hill, President Trump's top security officials met in the White House Situation Room over the weekend to assess the threat to U.S. companies, hospitals, and government agencies.

    HHS on Friday said there was "evidence" of the attack in the United States, but so far, U.S. hospitals have not been affected.

    For now, HHS is urging health care workers to:

    • Disable Remote Desktop Protocol (RDP) services on non-essential computers;
    • Ensure users know which version of Windows they are using, noting that older versions, such as Windows XP, are no longer supported by Microsoft;
    • Use email best practices, such as avoiding clicking on suspicious links or attachments; and
    • Update computer systems and antivirus software.

    HHS said it is working with other federal departments to protect its own systems and has alerted Veterans Affairs about the threat.

    Worst might not be over

    Security experts say the kill switch's deployment likely kept the initial attack from spreading to the United States, another wave of attacks could yet be on the way.

    Caleb Barlow, vice president of threat intelligence for IBM, said, "How the infections spread across Asia, then Europe overnight will be telling for businesses here in the United States" (Thomas et al., Wall Street Journal, 5/13; Perlroth/Sanger, New York Times, 5/12; Sweeney, FierceHealthcare, 5/124; Chan/Scott Sanger et al., New York Times, 5/14; Goldman, New York Times, 5/142; Larson, CNN, 5/13; BBC, 5/14; Kostov et al., Wall Street Journal, 5/15; Erlanger et al., New York Times, 5/12; Bazzoli/Goedert, Health Data Management, 5/15).

    The Advisory Board's take

    Ernie Hood, Health Care IT Advisor

    For many Americans, Friday's attack may have been the first time they heard the word "ransomware"— but it's all too familiar for hospitals these days, as such attacks have become increasingly common.

    Hospitals could have prevented the spread of this particular attack by installing a Microsoft software patch, and it's crucial that you keep your IT systems up to date—but the next attack might not have such a simple solution. That's why health care organizations need to take these 5 additional steps so they can be prepared.

    1. Back up your data. Having backed up files saved somewhere else than your computer (such as on an external hard drive) can help you restore them with ease.

    2. Install email filters and change script file associations. The majority of ransomware arrives via email, so organizations should set up their email gateway to screen as many malicious messages as possible. You should also change your Windows operating system's default script file associations. Modern malware takes advantage of Windows script files such as JavaScript (and others like .js, .jse, .wsf, .wsh, .lnk, .hta, .vbs and .vbe) to execute easily on most people's systems. If you change the default behavior of those file types on all your systems to a benign application such as Notepad, the ransomware won't be able to even run.

    3. Consider a whitelist. Rather than just blacklisting websites that are known to be malicious, some organizations use a "whitelist" to limit access only to websites that are known to be secure.

    4. Limit access points. While server access for clinical nursing stations is imperative, it’s not crucial that these machines be used for regular email and web-surfing functions that could increase your organization's exposure to an attack. Isolate or segment an internet-connected, non-clinical workstation that users can use for checking email and surfing the web.

    5. Make sure your staff and leadership are prepared. You need to ensure your staff know what to do if your system goes offline. It's also crucial that your leadership knows about recover limitations, including how frequently you do data backups and how long it will take to recover from a backup, so they aren't caught off-guard during a high-stress situation like a ransomware attack.

    This high-profile ransomware attack should be a wake-up call to all health care organizations, and can serve as a jumping-off point to engage leadership in a serious discussion about cybersecurity. My colleagues and I have been holding cybersecurity workshops for non-IT leaders around the globe. Advisory Board members who are interested in their own cybersecurity workshop can email me a

    And to learn more about how to bolster organization's cyber defenses, download our research briefing, "Ransomware Incident Response: Managing in Minutes," which outlines six steps to be ready to respond to a ransomware attack.

    Download Now

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.