The WannaCry ransomware attack that crippled the United Kingdom’s National Health Service also hit at least two Bayer medical devices in the U.S.
An image received by the business magazine Forbes shows the WannaCry ransom message obscuring the display of a Bayer radiology system.
The worldwide cybertattack began on Friday, May 12, 2017, and within days was reported to have infected more than 300,000 computers in over 150 countries. The attack affected parts of Britain’s National Health Service, Telefónica, Spain’s national broadband and telecommunications provider, FedEx, and German railroad Deutsche Bahn, among many entities worldwide.
According to the technology and consumer electronics website CNET, when the malware infects a computer it encrypts all the data. The program then puts up a screen demanding money to get access back. The hackers usually give a time limit, and if the ransom is not paid by the deadline, the files are destroyed. Some organizations affected by the WannaCry attack decided not to pay by ransom because they felt that they had adequate backups that would allow them to avoid losing their data.
One victim of WannaCry, a Renault auto plant in France, halted production while they assessed the damage and cleaned and rebooted the systems that that control robots on the factory floor. Plant management needed to make sure systems were functioning normally.
Bayer Confirms Two Reports of Devices Affected
Health care giant Bayer confirmed two reports of WannaCry affecting U.S. customers. The confirmation is the first time ransomware is known to have directly affected medical equipment in the U.S. In both cases, Bayer said operation was restored within 24 hours.
Complete fixes will take longer. Bayer plans to send out a patch for devices running Microsoft Windows. But experts say the use of the Microsoft Windows Embedded family of operating systems makes a quick and painless solution unlikely, according to Forbes.
Parker Waichman notes that many medical devices do not have basic security provisions like secure logins, leaving the devices vulnerable to hacking.
When a medical device is hacked, the patient can be in danger. A pump could deliver too much or two little medication or not deliver the dose in a timely manner. Tampering with the settings of a respirator or cardiac device could deprive the patient of needed breathing support or heart pacing. The patient could be in danger if a monitor does not sound an alarm at a critical moment.
But the problem is larger than the functioning of the devices themselves. Patients could also be injured or die if health care providers are out locked out of the system and cannot access medical records or control critical life support systems.
Craig Young, computer security researcher at Tripwire, a software company that makes security software, said these systems are not easy to patch. “Security fixes on embedded devices commonly require a complete firmware update from the vendor which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device,” Young said. Young noted that hospitals would need to stop using devices while the firmware (the permanent software programmed into a device) is installed and updated.
Young said hospital administrators may not fully appreciate the dangers posed by outdated software. When trying to balance the difficulties that will certainly arise from taking devices offline for maintenance against the uncertain threat of a security breach, administrators may opt against patching technology. This mentality can be “tremendously detrimental to hospital security,” Young said.
Device makers BD and Siemens have given users detailed recommendations about devices without saying whether their equipment has been affected by the ransomware attack. Siemens provided guides for six groups of products that will require different fixes. Siemens said it is working on updates for the vulnerable products, which include CT and MRI devices. In the meantime, the company recommends hospitals use firewalls to block access to certain network ports or, if that is impossible, disconnect the device from the network until a patch or other fix is installed.
Legal Help for Those Harmed by Hacked Medical Devices
If you or someone you know been harmed as a result of hacking of a medical device or computer system, the attorneys at Parker Waichman LLP can help evaluate your legal rights. For a free, no-obligation case evaluation, fill out the contact form or call 1-800-YOURLAWYER (1-800-968-7529).