Ransomware Attack Serves as ‘Wake-Up’ Call to Healthcare’s Vulnerabilities

Posted May 16, 2017

The worldwide ransomware attack that erupted last week shined a harsh light on the cybersecurity vulnerabilities in the healthcare industry, prompting calls for a reinvigorated and sustained effort to better protect medical devices and computer systems.

The attack crippled victims’ computers in more than 150 countries, including those in Britain’s National Health Service. Its full impact is still being assessed.

“This ransomware is a wake-up call for the few people still in denial,” said Kevin Fu, chief scientist of Virta Labs, Inc. “Patients were denied scheduled heart surgeries. Ambulances were in disarray.”

Axel Wirth, a distinguished technical architect for the Symantec Corporation and a cybersecurity columnist for AAMI’s journal BI&T, said the attack underscored the susceptibility of hospitals and other healthcare facilities to cyberattacks.

“Although this type of an attack should not have come across as a surprise, it still was very much a shot across the bow,” he said.

The brazen attack fully exposed the dangers of outdated computer software and the trouble that can ensue when patches are not applied quickly or effectively. Hospitals are especially vulnerable to attacks that target operating system software. In a column in The New York Times, Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, explained why.

“The problem is even worse for institutions like hospitals which run a lot of software provided by a variety of different vendors, often embedded in expensive medical equipment,” she wrote in the May 13 column. “For them, upgrading the operating system (a cost itself) may also mean purchasing millions of dollars worth of new software. Much of this software also comes with problems, and the ‘no liability’ policy means that vendors can just sell the product, take the money and run. Sometimes, medical equipment is certified as it is, and an upgrade brings along re-certification questions. The machines can (as they should) last for decades; that the software should just expire and junk everything every 10 years is not a workable solution. Upgrades can also introduce new bugs. How do you test new software when the upgrade can potentially freeze your MRI?”

The Food and Drug Administration is stepping up its focus on cybersecurity in healthcare, urging both medical device manufacturers and hospitals to be more proactive in adjusting to the realities of the cyberworld. On Thursday and Friday, in fact, the agency is hosting a public workshop on cybersecurity in medical devices at its headquarters in Silver Spring, MD.

The agency noted the stark conclusion of a science subcommittee with the Center for Devices and Radiological Health (CDRH): “Cybersecurity of medical devices was identified as one of the top 10 regulatory gaps,” the agency said in a notice about the workshop.

The departments of Homeland Security and Health and Human Services are also weighing in. In an email sent to healthcare organizations, the agencies urged heightened vigilance.

“It is likely that malicious actors will try and take advantage of the current situation in similar ways,” the departments said in the email alert. “Additionally, we received anecdotal notices of medical device ransomware infection.”

Healthcare technology cybersecurity will be a major area of focus at next month’s AAMI 2017 Conference & Expo, where Fu is scheduled to deliver a keynote address. Fu, who is also an associate professor at the University of Michigan where he directs the Archimedes Center for Medical Device Security, noted that healthcare technology management professionals have a crucial role to play in the fight against cyberattacks, especially in helping to maintain an up-to-date and thorough inventory.

“The bad guys know the vulnerabilities of devices on clinical networks better than the good guys at the hospitals,” Fu said. “That’s not fair, and the only way forward is via a solid inventory. You can’t protect what you don’t know you have.”

Wirth emphasized the value of partnerships in combating cyberattacks.

“Not only is your security as good as its weakest link, it is also only as good as your vigilance,” Wirth said. “Be prepared, be able to respond quickly, and have a network of trusted partners.”

AAMI Resource Focuses on Medical Device Security

A technical information report (TIR) from AAMI provides medical device manufacturers with guidance on developing a cybersecurity risk management process for their products.

Underscoring the relevance of the report, the FDA added TIR57 to its list of recognized standards less than a month after it was approved by the AAMI standards committee that had drafted it.

More details about TIR57, including purchase information, are available at the online AAMI Store at www.aami.org/store.