While the healthcare industry was largely unaffected by the NotPetya wiper attacks in June, a HIPAA business associate of many U.S. healthcare organizations was badly affected.
Burlington, MA-based Nuance Communications – a provider of dictation and transcription services – had the NotPetya wiper installed on its system. The attack crippled Nuance, preventing many healthcare organizations from using its services. It took a month for full services to be resumed. Many of the firm’s healthcare clients were prevented from using its services for several days, and in some cases weeks.
While malware and ransomware attacks are usually reportable breaches under HIPAA Rules, Nuance Communications did not report its attack to the Department of Health and Human Services’ Office for Civil Rights. Nuance Communications conducted a risk assessment and determined that the nature of the attack did not warrant submitting a breach report to OCR.
While NotPetya was initially thought to be ransomware, it was soon determined to be a wiper. The purpose of the attack was not data theft, but sabotage. Nuance Communications did not experience a breach of ePHI, so the decision was made not to report the attack, although a media notice was issued explaining that ePHI was made unavailable as a result of the attack. Nuance was forced to shut down its systems to prevent the spread of the virus.
It is not possible to prevent all cyberattacks, but it is possible to learn from those security breaches and improve controls to ensure similar breaches do not occur in the future. Nuance has certainly learned a lesson, but other healthcare organizations could also benefit if information about the NotPetya wiper attack is shared.
That certainly appears to be the view of the House Committee on Energy and Commerce. Greg Walden, R-Ore., chair of the House Committee on Energy and Commerce, recently wrote to Nuance requesting the House Committee be given a formal briefing on the breach to better understand the nature of the attack, the circumstances surrounding the incident, and the steps that were taken by Nuance to recover from the attack and restore its systems and services.
“While Nuance has announced that impacted services have been fully restored, Nuance’s original infection and its effects adds to the growing list of concerns about the potential consequences of cyber threats to the healthcare sector,” wrote Walden. “It is important, therefore, for the committee to understand the details of this event so we can work together to ensure appropriate lessons are identified and addressed. Learning from this event will not only benefit the healthcare sector, but also the millions of patients who depend on the availability of its products and services.”
The House Committee is seeking further information due to the extensive disruption the attack caused. Walden said, “Nuance’s role as a transcription and dictation provider for a large percentage of the healthcare sector sets its infection and subsequent availability issues apart and raises the possibility of more serious aftereffects for the healthcare sector as a whole.” Walden has requested the formal briefing take place before November 2, 2017.