The WannaCry ransomware attacks and the recent Petya attacks have infected thousands of computers, and could compromise medical device systems running on Windows OS. ECRI Institute recently published recommendations with protective actions you can take to keep your medical devices and health systems safe from attack.
What is Ransomware?
Ransomware is a form of computer malware used to make data, software and IT assets unavailable to users. It uses encryption of data to hold systems hostage with an associated ransom demand, often in Bitcoin (a virtual currency that is difficult to trace). This encryption is used to extort money from users, with the hacker promising to give the victims access to their data if the ransom is paid.
For example, WannaCry, ransomware affecting Windows-based operating systems (OS), was released on May 12, 2017, and quickly spread through numerous countries, infecting thousands of computer systems. Propagating mainly through e-mail using attachments and malicious links, it caused significant disruption to IT systems worldwide. Several hospitals in the United Kingdom and Indonesia experienced severe disruptions to hospital operations, resulting in cancellation of appointments, postponing of elective surgeries, and diversion of emergency vehicles. Unfortunately, any data that was not appropriately backed up has likely been lost in systems infected with WannaCry, which is characteristic for such ransomware attacks.
Similarly, on June 27, 2017, a ransomware called Petya started affecting Windows-based systems globally, exhibiting many similarities to WannaCry. Petya reportedly has infected numerous organizations, including some hospitals in the United States.
Some medical device systems may be at risk for these types of ransomware attacks, and a threat to patient care may exist. While your facility’s IT department is likely tackling the ransomware threats with the currently available Microsoft security patches, some Windows-based medical device systems will remain susceptible to ransomware attacks like WannaCry and Petya because either they are based on an older version of the Windows OS (for example, Windows XP) and can’t be upgraded, or they have not been validated for clinical use with the latest security patches.
Such systems are often managed separately from regular IT assets to ensure appropriate clinical functionality through adherence to manufacturer-specific setup and requirements.
In this article, we recommend protective actions you can start to take, and point to some critical differences in how attacks on medical device systems should be managed as opposed to general hospital systems.
What Should My First Steps Be?
Common best practices should always be followed when dealing with software updates and suspicious e-mails containing links and attachments, as the first line of defense against any ransomware or other malware. Continuing education should also be provided frequently to all levels of staff to promote awareness of and compliance with these best practices. There are also specific do’s and don’ts to follow. These recommendations are intended for the medical device security lead, who is commonly someone from clinical engineering or IT, depending on the facility.
Do’s
1. Identify networked medical devices/servers/workstations that are operating on a Windows OS. Useful sources for this information may include:
Medical device inventory (i.e., computerized maintenance management systems)
Change management systems
Manufacturer Disclosure Statement of Medical Device Security (MDS2) forms obtained during device purchase
Medical device manufacturers
Alerts from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) – a list of some medical devices impacted by WannaCry and Petya can be found here: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01I
2. Identify whether connected medical devices/device servers have the relevant Microsoft Windows OS security patches. (All Windows versions without the MS17-010 security patch may be vulnerable to the WannaCry and Petya ransomware.)
3. Consider running a vulnerability scan on your medical device networks to identify affected medical devices.
Vulnerability scanning can be used to identify devices that may be vulnerable to malware.
This method should only be used if (1) information is not available through other sources about the existence of a Windows OS and the associated vulnerabilities on your medical devices and (2) you already have a list of which devices and systems are compatible with vulnerability scanning. ECRI Institute is aware of medical device failures that occurred when systems incompatible with vulnerability scanning were scanned.
4. If medical devices/servers are identified that didn’t receive the security patch, contact the device vendor to determine the recommended actions for dealing with the current ransomware threat. Request written documentation of those recommendations from the manufacturer.
5. If your device is managed by a third party or independent service organization, request prompt installation of appropriate security patches and documentation to support risk mitigation. Identify terms in the existing service contract covering responsibilities in regard to security patch updates.
6. Coordinate with the facility’s internal IT department to update affected medical devices in accordance with the manufacturer’s recommendations as soon as practicable.
Medical devices require all updates to firmware and software to be validated, which often delays the availability of patches and updates. For any medical device vendors without a validated security patch, demand expeditious validation.
Many medical device updates must be installed manually while the unit is removed from use (that is, they can’t be distributed remotely), and downtime can directly impact patient care.
These factors should be considered when formulating an update response.
7. Prioritize response on any connected Windows-OS-based medical device systems as follows:
Life-critical devices
Therapeutic devices
Patient monitoring devices
Alarm notification systems
Diagnostic imaging systems
Other
8. If a malware infection is identified or suspected in a medical device:
If clinically acceptable, first disconnect the medical device from the network and then work with your internal IT department and the device manufacturer to contain the infection and to restore the system.
If any unencrypted patient data was involved, inform risk management so that the potential breach can be handled in accordance with HIPAA requirements.
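As an added example (not part of the ECRI guidance), the following Python script applies steps 1, 2, 4 to 6 and 7 above to an inventory export rather than to a network scan, in keeping with the caution about scanning incompatible devices: it keeps only networked Windows devices without a confirmed MS17-010 patch, orders them by the clinical priority tiers, and notes who must be contacted. The CSV columns, asset IDs, categories and status values are constructed assumptions.

```python
import csv
import io

# Constructed sample of a CMMS / medical device inventory export.
# Column names, asset IDs and values are assumptions for this example.
INVENTORY_CSV = """asset_id,device,category,os,ms17_010_applied,managed_by
MD-1001,Infusion pump server,therapeutic,Windows Server 2008,no,in-house
MD-1002,Ventilator data station,life-critical,Windows XP,no,vendor
MD-1003,Monitoring central station,patient monitoring,Windows 7,yes,in-house
MD-1004,CT workstation,diagnostic imaging,Windows 7,no,third-party
MD-1005,Alarm notification gateway,alarm notification,Windows Embedded,no,in-house
MD-1006,Lab analyzer,other,Linux,n/a,vendor
MD-1007,Ultrasound cart,diagnostic imaging,Windows XP,unknown,in-house
"""

# Response order from step 7 of the guidance (lower number = respond first).
PRIORITY = {"life-critical": 1, "therapeutic": 2, "patient monitoring": 3,
            "alarm notification": 4, "diagnostic imaging": 5}
OTHER_PRIORITY = 6

# Who to contact, per steps 4-6: vendor-managed -> manufacturer; third-party
# or ISO-managed -> that service organization; otherwise internal IT working
# from the manufacturer's written recommendations.
CONTACT = {"vendor": "manufacturer", "third-party": "service organization"}

def is_windows(os_name):
    return os_name.strip().lower().startswith("windows")

def needs_followup(row):
    """Windows device whose MS17-010 status is anything other than a confirmed
    'yes'. 'unknown' is treated as unpatched until documentation proves otherwise."""
    return is_windows(row["os"]) and row["ms17_010_applied"].strip().lower() != "yes"

def triage(csv_text):
    """Return (priority, asset_id, device, os, patch_status, contact) tuples for
    unpatched Windows devices, ordered by clinical priority and then asset ID."""
    work = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not needs_followup(row):
            continue
        tier = PRIORITY.get(row["category"].strip().lower(), OTHER_PRIORITY)
        contact = CONTACT.get(row["managed_by"].strip().lower(), "internal IT + manufacturer")
        work.append((tier, row["asset_id"], row["device"], row["os"],
                     row["ms17_010_applied"], contact))
    return sorted(work)

if __name__ == "__main__":
    for tier, asset, device, os_name, status, contact in triage(INVENTORY_CSV):
        print(f"P{tier} {asset:8} {device} ({os_name}; MS17-010={status}) -> {contact}")
```

Devices whose patch status is "unknown" deliberately stay on the list, because step 4 asks for written vendor documentation before a device is treated as protected.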
Don’ts
1. Don’t overreact.
Even with good software update practices, it’s not unusual to find medical device systems running outdated OS software.
Don’t assume that the presence of outdated software on your systems is a threat in its own right. These systems should already be noted as exceptions in your facility’s IT patch update policy, and risk mitigation measures should already be in place.
2. Don’t install unvalidated patches.
Unvalidated patches can make medical devices faulty or inoperable, and a thorough supplier validation process can take some time.
Prior to installing any security updates or patches, ensure that they have been validated by the manufacturer. Ask the manufacturer for documentation of the validation.
3. Don’t simply turn off or disconnect all networked medical devices that have Windows OS.
Consider the implications of disabling network connectivity as a risk mitigation strategy on a case-by-case basis. Work with frontline clinicians to understand what the connectivity is used for and the workflow disruption that will result from disconnecting a medical device from the network.
In some cases when workflow disruption is deemed acceptable, a disconnection might be an appropriate risk mitigation strategy until the security patches have been installed per the manufacturer’s recommendations.
ECRI Institute published this guidance article, “Ransomware Attacks: How to Protect Your Medical Device Systems,” on June 29, 2017, as a free public resource to aid healthcare facilities in tackling immediate concerns in relation to ransomware like Petya and WannaCry. For additional information about membership in ECRI Institute’s Health Devices System, visit www.ecri.org, e-mail clientservices@ecri.org or call (610) 825-6000, ext. 5891.