The recent “WannaCry” malware cyber-attack on computer networks utilizing the Windows Server operating system is yet another reminder of the fact that, despite the billions of dollars spent annually on computer security, many of the world’s computer networks remain vulnerable to attack from external sources. As an example of how a single “package” of malicious software can wreak havoc on critical systems, consider the effect of WannaCry on Britain’s National Health Service (NHS).
The Attack on Medical Device Security
On the morning of May 12, 2017, workers at 16 of Britain’s NHS hospitals found themselves facing a “pop-up” computer message informing them that their systems’ files had been encrypted and that the only way to restore those files was to pay the equivalent of 300 USD in Bitcoin to an anonymous account address. The pop-up stated that if the “ransom” wasn’t paid, these files would be destroyed after 7 days.
It was soon discovered that WannaCry exploited a known weakness in Windows Server 2003 networks and in older PC operating systems such as Windows XP or Vista. Fortunately, a medical device security analyst known as “Malware Tech” quickly found a “defect” in the WannaCry code that could effectively neutralize the program and allow system administrators to restore the encrypted files. By the following Monday (May 15), the NHS was again in full control of its computers and their data.
The Aftermath
Although the WannaCry attack caused havoc in the NHS, and in networks around the world, it is worth noting that there were no reports that patients with implanted, reprogrammable medical devices such as pacemakers were harmed. There were well-founded concerns that external devices could have been compromised, but this does not appear to have been the case. All available reports suggest that only the NHS “infrastructure” (patient records, appointment schedules, and systems that stored or transmitted diagnostic images) was at risk. The attack does, however, raise concerns regarding the privacy and security of medical records as well as the vulnerability of programmable external and implanted medical devices.
Leading manufacturers of cardiac pacemakers and reprogrammable medical devices were quick to assure the public that their devices are not reprogrammable by computer and that any reprogramming must be initiated by trained personnel. However, in the world-wide rush to make medical records available in electronic format, the vendors of record archival and management systems may have placed too much reliance on the built-in security of Microsoft’s Windows operating system at the server level.
In fairness, it must be noted that Microsoft had issued a warning regarding the Windows Server flaw that enabled the WannaCry attack almost two months before the attack took place, and had released a software patch for that flaw shortly thereafter. Regardless of Microsoft’s actions, the incident raises an interesting question: “Who is liable for the consequences of a cyber-attack?”
Once the usual accusations that the CIA, NSA, or some other “A” was responsible for WannaCry are cast aside, one faction holds Microsoft to be totally at fault, since its Windows Server product contained a flaw that allowed the cyber-attack to succeed, while the other side argues that the end-user has a responsibility to install updates and security patches in a timely manner.
Regardless of the eventual resolution of this debate, the potential for compromise of sensitive patient information, or even the “hijacking” of critical diagnostic and patient monitoring systems, demands that vendors and users work together to resolve these critical issues in patient safety and the security of confidential information.