While the healthcare sector remained largely unaffected by the NotPetya wiper cyberattacks in June 2017, Nuance Communications, a HIPAA business associate of many U.S. healthcare organizations, was badly affected during the campaign.
The Burlington, MA-based provider of dictation and transcription services had the NotPetya wiper installed on its infrastructure. The cyberattack crippled Nuance, stopping many healthcare groups from using its services.
It took an entire month for full services to be restored. Many of the firm’s healthcare clients were unable to use its services for many days, and in some instances weeks.
While malware and ransomware cyberattacks are normally reportable breaches under HIPAA Rules, Nuance Communications did not report this cyberattack to the Department of Health and Human Services’ Office for Civil Rights. Nuance Communications completed a risk assessment and determined that the nature of the cyberattack did not warrant a report of the breach to be registered with the OCR.
While NotPetya at first was believed to be ransomware, it was soon found to be a wiper. The aim of the attack was not data theft, but sabotage. Nuance Communications did not experience a violation of ePHI, therefore the decision was made not to report the attack, although a media notice was released outlining that ePHI was made unavailable due to the attack. Nuance was forced to close down its systems to stop the spread of the virus.
It is not possible to stop all hacking attacks, but it is possible to gain important knowledge from these security breaches and improve security controls to ensure similar breaches do not occur in the future. Nuance has certainly learned a valuable lesson, but other healthcare groups could also benefit if details regarding the NotPetya wiper attack are made public.
That certainly seems to be the opinion of the House Committee on Energy and Commerce. Greg Walden, R-Ore., chair of the House Committee on Energy and Commerce, recently made contact with Nuance asking that the House Committee be given a formal briefing on the breach to better understand the nature of the cyberattack, the circumstances surrounding the hacking incident, and the steps that were utilized by Nuance to recover from the attack and restore its systems and services.
“While Nuance has announced that impacted services have been fully restored, Nuance’s original infection and its effects adds to the growing list of concerns about the potential consequences of cyber threats to the healthcare sector,” commented Walden. “It is important, therefore, for the committee to understand the details of this event so we can work together to ensure appropriate lessons are identified and addressed. Learning from this cyberattack will not only be advantageous for the healthcare sector, but also the millions of patients who depend on the availability of its products and services.”
The House Committee is seeking further details due to the extensive disruption the attack inflicted. Walden remarked, “Nuance’s role as a transcription and dictation provider for a large percentage of the healthcare sector sets its infection and subsequent availability issues apart and raises the possibility of more serious aftereffects for the healthcare sector as a whole.”
Walden has asked that the formal briefing take place prior to November 2, 2017.