Last week’s ransomware attack infected Windows-based medical devices for the first time in the United States.
Despite FDA warnings, healthcare companies in the US didn’t appreciate that their medical devices were vulnerable to cyber-attacks.
According to a recent Forbes report, the fact that Windows-based medical devices were vulnerable to cyber-attacks was relatively unknown until the WannaCry ransomware arrived. Following the ransomware attack, several medical devices developed by the likes of Bayer and Siemens were found to be affected.
Beau Woods, deputy director of Cyber Statecraft Initiative at the Atlantic Council said on Twitter that medical device outages following cyber-attacks ‘increase resource needs, delay care and trigger more clinical mistakes.’ A Bayer spokesperson told Forbes that it had received reports of some of its Windows-based medical devices being hit by the ransomware and that it would be sending out a Microsoft patch for the devices soon.
A number of healthcare companies in the United Sates are now working at a frantic pace to build new patches for devices affected by cyber-attacks. At the same time, they are also issuing advisories and warnings on the susceptibility of medical devices to cyber-attacks. “At this time, we are actively monitoring the situation and working closely with customers to ensure the appropriate measures are taken to help safeguard our products,” said Becton, Dickinson and Company, a major healthcare firm.
Needless to say, the healthcare industry has been literally caught napping. This is despite the fact that the US Food and Drug Administration issued draft guidance for medical device manufacturers to address cyber security risks last year. The guidance recommended manufacturers to monitor, identify and address cyber security vulnerabilities in medical devices and understand the importance of information sharing via participation in an Information Sharing Analysis Organization (ISAO).
“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, associate director of the FDA’s Centre for Devices and Radiological Health.
“The draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cyber security issues while their product is on the market,” she added.
Craig Young, a security researcher at Tripwire, believes that it is difficult to patch security vulnerabilities in medical devices. This is either because considerable time is taken to build and test new firmware updates or because of memory, storage, and processing constraints. At the same time, many medical devices are based on outdated operating systems which are no longer supported and are hence highly vulnerable to potential cyber-attacks.
“I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices and simply avoid patching because the device works. This “If it ain’t broke don’t try to fix it” mentality can be tremendously detrimental to hospital security,” he said, emphasizing that hospital staff and healthcare firms do not really appreciate the significant dangers that cyber-attacks pose on patient health and overall costs.