Cyberattack on Medical Software Shows Industry Vulnerability

Written by Bloomberg
July 21, 2017

Many doctors still can’t use a transcription service made by Nuance Communications Inc. three weeks after the company was hit by a powerful, debilitating computer attack.

(Bloomberg) — Many doctors still can’t use a transcription service made by Nuance Communications Inc. three weeks after the company was hit by a powerful, debilitating computer attack.

Hospital systems including Beth Israel Deaconess in Boston and the University of Pittsburgh Medical Center said eScription, a Nuance staple product that allows physicians to dictate notes from a telephone, still isn’t functioning. The outage obliterated doctors’ instructions to patients, forcing some to revert to pen and paper.

The computer virus, called Petya, has sent ripples through health care, among the last industries to make the switch to digital record keeping and one of the most frequently targeted by hackers, said Michael Ebert, a partner with KPMG who advises health and life-science companies on cybersecurity.

“Health care has been late to respond to the need for protected information, and the information is worth more,” Ebert said. “It’s amazing how far behind we are, and we know we have to do something.”

Hackers increasingly use viruses to encrypt companies’ information systems, unlocking the data only when a ransom is paid. After the Petya attack began in late June, companies from Oreo-maker Mondelez International Inc. to Reckitt Benckiser Group Plc warned of a blow to their sales. Information systems used by FedEx Corp.’s TNT unit may never fully recover, the shipping company said Monday.

Nuance shares fell 4 percent on Thursday, the most since Aug. 9, 2016, to close at $16.85. They’ve dropped almost 8 percent since June 27, when the attack began.

Read more: FedEx’s TNT reels from June cyberattack

The University of Pittsburgh Medical Center, a system of 25 hospitals and 3,600 doctors, said that its dictation and transcription services are still affected “with no estimated time of resolution.” The nonprofit is using features of medical records systems made by Cerner Corp. and closely held Epic Systems in the interim, said Ed McCallister, the Pittsburgh system’s chief information officer.

When the hack hit in June, the virus spread quickly. Ebert said one of his clients stood in a parking lot with a bullhorn, pleading with employees not to turn on computers, lest the virus spread into them. Another saw 100 workstations infected in an hour. Others shut down their entire systems, painstakingly starting computers one by one offline to see whether they had been tainted.

After acknowledging June 28 that portions of its network were affected, Nuance, based in Burlington, Massachusetts, is still picking up the pieces. In addition to transcription, Nuance named about 10 other affected products, including those used for radiology, billing and software that tracks quality of care.

About half of the company’s $1.95 billion in revenue came from its health-care and dictation business last year. The malware attack represents a big risk for Nuance, as many of its customers use products that appear to have been affected, according to Bloomberg Intelligence analyst Mandeep Singh.

“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” he said. “Since a lot of the deals get signed toward the end of the quarter, the timing of it could have impacted certain deal closures.”

Enhancing Security

Nuance said it has been fixing affected systems, enhancing security and bringing customers back online. The company declined to say how many clients were affected by the attack.

“We are doing everything within our power to support our health-care customers and provide them with the information and resources they need to provide quality patient care, including offering an alternative system and solutions,” company spokesman Richard Mack said Wednesday in an email. “We have no indication that any customer information has been lost or removed from the network.”

Other Products

The loss of service is an invitation to customers to seek other products and vendors, such MModal, a Nuance rival. Even though Intermountain Health Care, a Salt Lake City-based company that operates 22 hospitals, wasn’t affected, it turned off all its Nuance products and is using other transcription tools, said Daron Cowley, a spokesman.

At Beth Israel Deaconess, a Harvard-affiliated hospital, doctors who have been accustomed to using Nuance’s telephone-based product are switching to its Dragon system, where physicians dictate into a computer, making edits as they go.

That still means lost revenue for Nuance. While the computer-based product is a single software purchase, Nuance bills for eScription by line of text. So far, it’s been three weeks of revenue they can’t get back, and more users may drop away, said John Halamka, Beth Israel’s chief information officer.

“The hardest thing for a clinician is a change in workflow,” he said. “If you’ve changed for a couple of weeks, you might not go back.”

Nuance has done well to try to maintain customers in the aftermath of the attack, KPMG’s Ebert said, but the damage has already been done.

“They’re probably going to have a bad quarter,” he said.