We’ve been hacked. Forbes reports that the WannaCry ransomware did, in fact, infect a Bayer Medrad radiology power injector in U.S. hospitals. Thankfully, no safety-related functions were affected directly, but what about next time?
“The electronics and software embedded inside medical devices are computers. And to the extent that these are connected to the Internet, they are going to be attacked,” says Michael Barr, Barr Group CTO. “The Mirai botnet has taken control of an estimated one million embedded systems. So, it is not surprising that WannaCry has infected medical devices as it spreads in hospitals.”
Medical devices often use operating systems (OS) from Microsoft’s Windows embedded product line. “After examining several tens of thousands of IoT devices, we’ve found that approximately 11 percent of all medical devices are Windows-based devices. Upon further examination, almost all of them (99.8 percent) are based on legacy OS susceptible to WannaCry,” says Xu Zou, CEO of ZingBox.
It’s not enough to rely on patches and fixes for these systems. “This emphasizes our understanding that current recommendations of downloading the latest patch from Microsoft does not always apply to IoT devices,” Zou says.
“Unfortunately, these systems are not always easy to patch for a variety of reasons,” says Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposures Research Team). “Security fixes on embedded devices commonly require a complete firmware update from the vendor, which is then manually installed on the device.
This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device.”
The onus is on you — the medical device OEMs — to ensure that your devices are secure from attack before they are deployed into the healthcare system. Once in the hospital, devices are often not updated because doing so requires that the devices, which may be in continuous use, are unavailable while firmware updates are installed and tested, Young says.
So, do you really need to worry? “The healthcare industry has been a top target for cyber criminals because of the large quantity of valuable data they manage and the potential to negatively impact critical patient care,” says Terry Ray, chief product strategist for Imperva. “With so many medical devices connected to the Internet, it’s not surprising to know that some of these devices were rendered useless by WannaCry.”
Medical devices will be attacked — and now it’s just a matter of time before the next one attacks a patient-connected device, causing injury or death. “As we’ve seen with ransomware activity, there’s an inherent operation damage to the enterprise. That damage cannot be mitigated by paying the ransom. This attack is a wake-up call for everyone to keep their security systems up to date so they can prevent future attacks,” says Ray.
Unfortunately, Barr says to expect many more attacks and headlines in the embedded systems space, where, he says, “Too many products are completely unsecured by their makers.”