As you may have seen reported in the news, multiple versions of a new ransomware cyber-attack called “WannaCry,” “WCry,” “Wanna Decryptor,” or “WannaCrypt” were executed at the end of last week, impacting many businesses and users around the world. Physicians should ensure that their computers’ operating systems and anti-virus software are updated and patched:
- Run Windows Update immediately. Download and install any available updates (‘patches’). Run a scan on your anti-virus software and follow its prompts. Microsoft has released a customized patch for older platforms that do not receive mainstream updates, including Windows XP, Windows 8, and Windows Server 2003. At this time, Windows 10 has not been targeted by the attack.
- Check your computer’s settings to ensure that the system will automatically download and install new versions of the operating system and Microsoft Office software. Do the same for your anti-virus software.
- Note when the computer will install these new updates, and make sure the computer is on at that time.
While this specific malware did not have much impact in the U.S., physicians should contact their medical device vendors and manufacturers to ensure that they have patched their device software. ACG encourages members to be prepared for any threat in the future. Ransomware works by taking over your computer and essentially locking you out by encrypting your files. The hacker may then demand a “ransom” by forcing you to buy and transfer bitcoin to them in return for the decryption key necessary to unlock your files. The latest hack targets the Microsoft Windows operating system.
If your organization is the victim of a ransomware attack, HHS sent out the following recommendation and steps earlier this week:
- Please contact your FBI Field Office Cyber Task Force (fbi.gov/contact-us/field/field-offices) immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
- Please report cyber incidents to the US-CERT (us-cert.gov/ncas) and FBI’s Internet Crime Complaint Center (www.ic3.gov).
- For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov.
More important information for GI practices:
- HHS fact sheet on cybersecurity and HIPAA
- HHS guidance on HIPAA Security Rule and preparing for ransomware attacks, including with regard to contingency planning.
- HHS guidance: May a HIPAA covered entity or its business associate disclose protected health information (PHI) for purposes of cybersecurity information-sharing of cyber threat indicators?
Whitfield L. Knapple, MD, FACG
Chair, ACG National Affairs Committee