How one reporter advanced a hospital cyberattack story
Date: 08/22/17
By Melanie Evans
As a hospital reporter, I covered the global cyberattack in May known as WannaCry, which severely disrupted British hospitals and set off a scramble in the United States to prevent a similar outbreak. It was breaking news, but as often happens, the news raised questions with the potential for interesting follow-up stories.
WannaCry’s disruption to U.S. hospitals was minimal, but the malware did affect some medical devices. The cyberattack forced many hospitals to patch the security of vulnerable networks and medical devices.
I wanted to track how WannaCry hit U.S. hospitals, but this was challenging because of limited public reporting of cyberattacks by hospitals.
Hospitals are not required to publicly report all cyberattacks. Disclosure to the Department of Homeland Security is voluntary. Reporting to the U.S. Department of Health and Human Services also is voluntary, with one exception. Mandatory reporting is limited to malware that steals or exposes confidential patient data.
Because WannaCry and other cyberattacks that use ransomware may not expose confidential data, whether to report them falls in a gray area. Federal regulators last year sought to clarify disclosure of ransomware attacks and some members of Congress want to see more mandatory reporting.
Explaining the sometimes voluntary nature of hospital disclosure of cyberattacks became a follow-up story to the WannaCry attack: “Why some of the worst cyberattacks in health care go unreported.”
I have covered hospitals my entire career and reported on cybersecurity occasionally. For this story, it helped me to ask sources for recommended reading. I asked them to refer me to anything they considered essential or helpful to understand the subject. I frequently find people are very generous with suggestions. I also spoke with several attorneys for the story, which I found to be helpful as I tried to navigate regulation and guidance released by regulatory agencies.
Testimony from public hearings and video from a cybersecurity panel discussion turned out to be very useful for this story because I did not get all the interviews I sought. The testimony and panel discussion video provided crucial details and quotes. In a case where an interview came through at the last minute, testimony from a public hearing provided background that led to one of my favorite details in the story. Executives at one California hospital paralyzed by ransomware in 2016 had to Google the phrase “how to get bitcoin,” the cybercurrency they needed to pay the ransom.