Healthcare Cyber: House Inquiry Targets Medical Software

Author Craig A. Newman

In its latest inquiry into cybersecurity risks in the healthcare sector, the House Energy and Commerce Committee in mid-October requested a “formal briefing” from medical transcription vendor Nuance Communications, Inc. concerning its handling of the NotPetya malware attack.

The committee also hinted that it was undertaking a broader inquiry into the cybersecurity practices in the healthcare industry.

Nuance – a key vendor to hospitals, medical groups and doctors – was one of hundreds of organizations hit by the NotPetya cyber-attack in June.  The attack crippled multi-national companies in 65 countries, many in critical infrastructure sectors including healthcare, transportation and manufacturing.

Representative Greg Walden (R-Oregon), chairman of the Energy and Commerce Committee, told Nuance CEO Paul Ricci, in a letter dated October 19, 2017, that his committee wanted to “better understand the circumstances surrounding Nuance’s initial infection by NotPetya, as well as what steps it has taken in order to recover and resume full capabilities.”

“While Nuance has announced that impacted services have been fully restored, Nuance’s original infection and its effects add to the growing list of concerns about the potential consequences of cyber threats to the healthcare sector,” said Walden in the letter.

Walden also intimated that software vulnerabilities are a bigger issue for the healthcare industry.  “While Nuance was not the only company to suffer degraded capabilities,” he wrote, “Nuance’s role as a transcription and dictation provider for a large percentage of the healthcare sector sets its infection and subsequent availability issues apart and raises the possibility of more serious after effects for the healthcare sector as a whole.”

Like many companies affected by NotPetya, Nuance struggled to recover.  The company acknowledged that its network and flagship transcription product, eScription, were taken offline by the attack.  Ten other products were affected including those used for radiology, billing and tracking quality of care.  Almost half of the company’s revenues come from its healthcare and dictation business.

Other companies hit by the virus suffered similar fates.  Companies from Reckitt Benckiser Group Plc to Mondelez International Inc. warned that their sales would suffer from the attack.  And FedEx Corp.’s TNT unit is still coping with the operational and financial fall-out from the attack.

The letter to Nuance is the committee’s third inquiry into the implications of the NotPetya attack.  Last month, the committee asked the healthcare industry’s top regulator, the U.S. Department of Health and Human Services, for a briefing to “better understand” the implications of the agency’s plans for dealing with widespread cyber-attacks.  The committee also asked pharmaceutical company Merck & Co., Inc. to provide details on how the attack affected its manufacturing capabilities.

Nuance has been asked to provide its briefing to the committee by November 2, 2017.

 represents Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice.  Read more Patterson Belknap blogs here.