WannaCry Ransomware Attacks Put Organizations on Alert



By Kristi Fahy, RHIA

A chord of fear has been struck in many organizations—both healthcare and others—after last week's ransomware attacks, which infected more than 200,000 computers across 150 different countries. The ransomware attacks known as “WannaCry” have left many organizations questioning their level of IT security and their system vulnerabilities. According to Reuters, the hackers used a tool that the US National Security Agency (NSA) had built. This tool was leaked online in April 2017 and the outcome was significant.

Reuters also stated that the attackers demanded that affected organizations pay at least $300 in bitcoin, a cryptocurrency that hackers increasingly use to make and obtain digital payments online, in order to unlock their infected information.

Organizations were forced to pay the ransom in order to regain access to their sensitive data and information that was critical to business operations. Many healthcare organizations were specifically targeted because of this. Patient care is compromised when providers don’t have full access to a patient’s clinical record. And consequently, a lack of patient information can lead to poor patient care outcomes. The patient records that were being held hostage left healthcare organizations with no other choice but to pay the ransom.

Although the attacks are in the rearview mirror, IT departments worldwide have their work cut out for them on the road ahead. Sadly, leaked national security information is a vulnerability that organizations must be prepared for in the future. It is important that these IT departments stay current on the latest IT updates and system upgrades. Organization leaders and IT departments will need to assess their current IT capabilities and architectures, and fast. What are the vulnerabilities that these IT systems possess? How can they be addressed? In the event of an attack, can the IT software systems contain the threat? Can the files be restored from backup systems? What is the level of staff awareness on these initiatives? These are questions that need to be asked to ensure effective IT security is in place.

It is events like these that prove that proactive approaches are much more effective than reactive approaches. IT investments can be costly, but the cost of corruption can be so much more… especially in healthcare. Implementing a more proactive IT infrastructure can reduce the risks of compromised patient care, damaged reputation, and the additional costs and labor associated with the breach itself—not to mention the Office for Civil Rights payments required PER breached patient record. The costs incurred by breach mitigation are quite substantial and organizations must be readily prepared if they plan on avoiding these sizeable consequences.

Kristi Fahy (kristi.fahy@ahima.org) is an information governance analyst at AHIMA.

1 Comment

  1. I recently began a program in healthcare information technology and have always been very concerned about information breaches as a threat to businesses and industries. It is very obvious that this is a continual threat that must be met and addressed on an ongoing basis and not simply after the threat. Indeed, a proactive stand would more likely prevent costly damage to a business than reactive by ensuring that every staff member is well informed of any potential threat before it happens. This is best done by regular training on how to avoid suspicious messages and restricting access to vital information to only those fully trained and knowledgeable on the potential consequences of carelessness and neglect of standard procedures in place. My understanding is that many businesses still use out-of-date operating systems such as Windows XP or Windows 7 because of familiarity with these platforms. Training employees is the first thing; the other is for businesses to upgrade their operating systems to the most recent OS and re-train employees to stay ahead of such threats, as most recent operating systems tend to have greater security systems to protect businesses.
