Information technology professionals at hospitals across Minnesota sprang into action and worked on cybersecurity preparations throughout the weekend to avoid the crippling "ransomware" attacks that hit vital services and companies across the world Friday.
Although it doesn't appear that hospitals were specifically targeted in the "WannaCry" ransomware attack — which seemed to ebb on Monday — health care providers are considered particularly vulnerable to attacks that attempt to force victims to pay money to unlock their files on infected computers.
So far no Minnesota hospital has reported being infected with the "WannaCry" malware program, which shut down dozens of hospitals in the United Kingdom on Friday and went on to infect health care, education, manufacturing and government facilities in more than 100 other countries over the Mother's Day weekend.
Experts warn that new and more effective versions could emerge in coming days. WannaCry is a self-replicating computer program that gets into a system and automatically encrypts valuable files to force the victim to pay a $300 ransom in the digital crypto-currency Bitcoin.
In the meantime, authorities continue working to catch the extortionists behind it — a difficult task that involves searching for digital clues and following the money.
Among their findings so far: the first suggestions of a possible connection between the ransomware and hackers linked to North Korea. Those findings remain quite tentative; one firm advancing the possible ties described them as intriguing but still "weak."
Ransomware attacks are common in large organizations, including in U.S. hospitals, but the WannaCry worm is unique because of how rapidly it can spread to compromise an entire network, said Axel Wirth, a health care security expert with cybersecurity firm Symantec.
The worm exploits a vulnerability in Microsoft Windows, though Microsoft released a security update for it in March. Older versions of Windows and computers that haven't been patched are the most vulnerable, according to the Minnesota Hospital Association's vice president, Mark Sonneborn.
Despite the lack of damage, U.S. officials are taking the threat seriously. The FBI has held at least three large conference calls with health care organizations since Friday, and on Saturday the agency published a detailed "Flash Alert" with technical details about what WannaCry is and how to respond to an infection.
At Hennepin County Medical Center in Minneapolis, a team was assembled as soon as it became clear Friday that a global ransomware attack was taking place. The team worked through the weekend to identify potential risks, tighten e-mail filtering and network blocking, and run scanning and diagnostic programs on the hospital network, said Matt Werder, chief technology officer at the 484-bed downtown public hospital.
"This is a good reminder to all of us," Werder said Monday.
Although no HCMC computers were infected, the team did identify one important system that is vulnerable and needs to be upgraded, Werder said, declining to give more details. He said it will cost about $200,000 to upgrade this single piece of equipment.
The machine is one of the scores of "legacy" computer systems that dot hospital floors around the country.
Even though a single compromised machine can affect a whole organization, Werder said it can still be difficult to persuade top executives to pay for upgrades that don't offer a clear return on investment like a new piece of medical equipment would. And hospitals typically can't just rip out an older machine and replace it with a new version because hospital computer networks are so highly interconnected.
Such dynamics affect practically all hospitals, cybersecurity experts say.
Other industries with interconnected computer systems and tight fiscal constraints also were hit hard by the WannaCry worm, including the Deutsche Bahn German rail system, Spanish telecom giant Telefonica and French automaker Renault. Chinese state media reported Monday that universities were some of the hardest-hit organizations there, along with rail stations, shopping malls and hospitals.
In the U.S., hospitals have long attracted the interest of ransomware hackers because of the perceived vulnerabilities of their systems and the value of the underlying health information.
The Ponemon Institute, a private research and consulting business, found last year that 89 percent of the 91 health care organizations it surveyed had at least one breach involving the loss or theft of patient data in the prior two years, including ransomware breaches. The prevalence of such attacks may be surprising because hospitals don't like to talk about them publicly.
"They do try to keep them quiet. It is not something you want to advertise, especially if you can recover from it and not have any blowback in the local media," said Gregory Carter, a health care cybersecurity expert with Veritas. "If you do hear about it, it's because the ransomware attack was successful."
The FBI recommends that hospitals use a system that securely stores an organization's backup data, "so their response is simply to restore data from a known clean backup" if an attack does hit, the FBI's Saturday Flash Alert said.
Should hospitals ever pay a ransom, as Hollywood Presbyterian Medical Center in California did last year? The FBI's alert didn't say, but in the past the agency has cautioned that paying a cyber ransom doesn't guarantee data access will be restored.
"Absolutely, positively, they need to tell the police, which is the FBI for this kind of thing," said Todd Carpenter, chief engineer for Minneapolis tech security firm Adventium Labs. "It is a serious crime, and safety and people's lives are at risk."
The Associated Press contributed to this report.