When malware strikes: How Nuance avoided disaster after falling victim to Petya

The wiper malware wreaked havoc across the globe in June, but Nuance managed to keep its operations afloat by putting customer needs first.
By Jessica Davis
03:56 PM
How Nuance avoided disaster after falling victim to Petya

Just as companies were beginning to recover from May’s massive WannaCry campaign that shut down over 300,000 devices in 150 countries, Petya wiper malware struck the world on June 27 and proved to be even more damning than the last attack.

Unlike WannaCry, Petya masked itself as ransomware to hide its true directive: to wipe systems and drives. Included in Petya’s 2,000 victims from 64 countries was Nuance Communications, a leading voice and language tool provider with a long list of healthcare clients.

[Register Now: Upcoming HIMSS Healthcare Security Forum]

But while most major organizations are facing likely permanent damage from the attack -- FedEx and shipping giant Merck are still struggling to get operations back to normal -- Nuance has managed to push through the attack and mitigate some of the effects on its clients.

Nuance executives shared with Healthcare IT News how it weathered the attack and managed to get its systems back online.

Commence shut down procedures

Nuance was notified of a “widespread desktop outage” around 7 a.m. on June 27 by the company’s Global Operations Center, which continuously monitors Nuance’s systems.

However, the company quickly realized this wasn’t just a desktop issue, but part of the global Petya attack. Joe Petro, senior vice president of research and development at Nuance Healthcare said its system log analysis corroborated this assessment.

Containing the incident and protecting customers was top priority, said Petro. Nuance started shut down procedures, powered down systems and suspended data backups to prevent infection and contain the spread.

“Our overriding focus was and continues to be support for our clients in their mission to provide quality patient care,” Petro said. “We were in regular communication with our clients following the incident.”

This included daily conference calls, email correspondence with impacted clients and routine website updates on the company’s status. Petro said Nuance also had a great deal of one-on-one calls and meetings with clients.

As the virus only infected Windows systems, Nuance’s Linux servers remained untouched. However, Nuance’s transcription platforms, critical test results, quality solutions and CLU solutions were all infected.

Nuance’s Dragon Medical, PowerScribe and PowerShare solution families were not part of the attack.

Getting back to normal – slowly

Once the spread of the virus was stopped, Nuance shifted focus to restoring full functionality to its clients, said Petro. Nuance employed a third-party cybersecurity team to assess the damage. The company is also cooperating with the government and federal law enforcement.

“Our priority, and primary challenge, was ensuring that we brought systems back online in the safest way possible to prevent reinfection, as well as protect against future attacks. We took the time necessary to go beyond simple data restoration and used this opportunity to rebuild our configurations and enhance our security,” said Petro.

“We painstakingly rebuilt and enhanced our highly sophisticated and customized servers, networks and configurations,” he added. “This work had to be done rigorously and carefully, so our systems could be brought back online safely and securely.”

To alleviate issues for clients during this downtime, Nuance provided alternative platforms whenever possible. Petro explained that impacted eScription clients were transitioned to its Emdat transcription platform.

Nuance also offered thousands of free Dragon Medical licenses in the interim period.

The company has restored functionality to all clients of Nuance’s HIM transcription platform. All clients of the eScription RH and Clinic 360 solutions -- the cloud-based Emdat platforms -- have had service fully restored since July 3.

Clients of the Critical Test Results Management application -- part of the radiology workflow -- were reactivated on July 16.

Nuance is currently transitioning a small group of its clients using older transcription platforms to cloud-based solutions. Petro said he expects operations will return to normal for these clients in the near future.

“Our clients have been clear in their support, expressing understanding,” said Petro. “We remain grateful for and humbled by their partnership throughout the recovery process.”

Building on lessons learned

While Petya was designed to destroy data and systems, it wasn’t designed to copy or extract data. Petro said that no customer data was altered, lost or removed by the malware. Further, its investigation did not find any indication that any patient data was acquired, accessed or used.

But the malware did its job, by locking down servers, drives and disrupting operations. Petro said that the virus leveraged native Microsoft Windows capabilities and functionality, which allowed Petya “propagate into and through patched systems.”

“Unlike some malware, patching alone would not have arrested the propagation of NotPetya,” said Petro.

While the recovery process proved challenging, Petro said Nuance is using this time to enhance security to prevent future attacks, including hardening endpoint security configurations, deploying endpoint prevention and detection software and improving network security measures.

“In short, we enhanced our network architecture and IT policies as part of the recovery efforts to ensure we emerged from this incident with an enhanced, secure operating environment,” said Petro. “The more knowledgeable we all become, the more powerful we all can be in combatting future cybercrimes like the NotPetya malware attack.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com