When Medical Devices Get Hit With Ransomware

Is it possible that North Korea used stolen NSA hacking tools to infect medical devices at U.S. hospitals? Forbes says yes, it is.

When the WannaCry ransomware spread out of control last week, infecting 48 hospital trusts in the UK and unnamed medical facilities in the U.S., U.S. businesses were for the most part not affected. Except for some.

For those people who work in offices, the effects of ransomware are annoying, and if there are not sufficient backups, it can lead to losing data and losing customers. And lawsuits.

But when it comes to hospitals, in addition to all of the above, it can lead to people dying.

Forbes was given an image of a Bayer Medrad power injector (shown below) that manages the injection of MRI contrast dye into patients.

Many of these medical devices in hospitals are connected to Windows PCs, and those PCs are often connected to email and the Internet. When they are – and even if they are not – they can get infected with malware. Think Iran and Stuxnet. Those centrifuge controllers were not connected to anything and we still infected them.

Bayer acknowledged that at least two devices were infected here in the U.S., but they were able to restore them in 24 hours.

In March, Microsoft released a patch for the bug that allows the ransomware to work. Bayer said that it plans to release that same patch to its customers “soon”. That means that hackers – say, perhaps, the North Koreans – have at least three months, maybe more, after the patch is released to reverse engineer the patch and use that knowledge to infect medical devices. From what I have heard, three months from vendor patch release to medical device patch release is super speedy. And don’t forget that you have to add the time it takes the hospital to approve deploying that patch.

While this particular attack would, if effective, take the machine offline and not directly kill anyone, that is only THIS particular malware.

We have already seen demonstrations of hacking changing the settings inside drug infusion pumps. If that bit of maliciousness propagated in the wild, it could change the dosage of drugs being dispensed to patients without any obvious indication externally (set it to 10 and it dispenses 50, for example) and then people would die.

In the case of that brand of infusion pumps, after beating up the vendor and the FDA for a year, the FDA finally issued a warning. Hackers don’t use that kind of time scale. You have to be able to warn hospitals in hours, and the FDA and medical device industry are nowhere near the capability to do that.

Let’s say that instead of locking up Windows PCs, the WannaCry worm instead infected infusion pumps. Granted, the same bug would not work in infusion pumps, but let’s say there was a different one. Think about how fast that worm spread around England, Scotland and a hundred plus other countries. Could the national medical device regulators in all of those countries respond to that kind of event before people died? Sadly, I don’t think so.

According to the article, the medical device manufacturers rushed out an alert telling hospitals that they were working on a patch and would release it sometime in the future.

HITRUST, a private company that helps the medical industry deal with cyber security issues, said that it had reports of both Bayer and Siemens being affected. Siemens said it could not confirm or deny reports of their machines being infected.

The Department of Homeland Security’s Computer Emergency Response Team (CERT) said that many industrial control systems vendors are also issuing alerts. They said that ICS devices were infected and did have impact.

While this particular attack didn’t have deadly consequences, unless the medical device and industrial control industries up their cyber security game, it is just a matter of time before something bad happens.

Information for this post came from Forbes.
