What are the steps to take when there is a ransomware attack?
Device systems: What is ransomware?
Ransomware is a form of computer malware used to make data, software, and IT assets unavailable to users. It uses encryption of data to hold systems hostage with an associated ransom demand, often in Bitcoin (a virtual currency that is difficult to trace). This encryption is used to extort money from users, with the hacker promising to give the victims access to their data if the ransom is paid.
WannaCry, a ransomware affecting Windows-based operating systems (OS ), was released on May 12, 2017, and quickly spread through numerous countries, infecting thousands of computer systems. Propagating mainly through e-mail using attachments and malicious links, it has caused significant disruption to IT systems worldwide. Several hospitals in the United Kingdom and Indonesia experienced severe disruptions to hospital operations, resulting in cancellation of appointments, postponing of elective surgeries, and diversion of emergency vehicles. Unfortunately, any data that was not appropriately backed up has likely been lost in systems infected with WannaCry.
Some medical device systems may also have been affected by t his attack, and a t hreat to patient care may exist.
While your facility's IT department is likely tackling the WannaCry threat with the currently available Microsoft security patches, some Windows-based medical device systems will remain susceptible to ransomware attacks like WannaCry because either they are based on an older version of the Windows OS (for example, Windows XP ) and can't be upgraded, or they have not been validated for clinical use with the latest security patches
Such systems are often managed separately from regular IT assets to ensure appropriate clinical functionality through adherence with manufacturer-specific setup and requirements.
In this article, we recommend protective actions you can start to take, and point to some critical differences in how attacks on medical device systems should be managed as opposed to general hospital systems.
You might also like: Cybersecurity Report: New Threats
What should my first steps be?
Common best practices should always be followed when dealing with software updates and suspicious e-mails containing links and attachments as the first line of defence against any ransomware or other malware.
Continuing education should also be provided frequently to all levels of staff to promote awareness of and compliance with these best practices. There are also specific dos and donts to follow. These recommendations are intended for the medical device security lead, who is commonly someone from clinical engineering or IT , depending on the facility.
- Identify networked medical devices/servers/workstations that are
operating on a Windows OS . Useful sources for this information may include medical
device inventory (i.e., computerised maintenance management systems) change
management systems, manufacturer Disclosure Statement of Medical Device
Security (MDS 2) forms obtained during device purchase or medical device manufacturers
- Identify whether connected medical devices/device servers have the
relevant Microsoft Windows OS MS17-010 security patch. It is important to note that
all unpatched Windows versions may be vulnerable to the WannaCry ransomware
- Consider running a vulnerability scan in your medical device
networks to identif y affected medical devices. Vulnerability scanning can be used
to identify devices that may be vulnerable to malware. This method should only
be used if information is not available through other sources about the
existence of a Windows OS and the associated vulnerabilities on your medical
devices and you already have a list of which devices and systems are compatible
with vulnerability scanning. ECRI Institute is aware of medical device failures
that occurred when systems incompatible with vulnerability scanning were
medical devices/servers are identified that didn't receive the security patch,
contact the device vendor to determine the recommended actions for dealing with
the current ransomware threat. Request written documentation of those
recommendations from the manufacturer
your device is managed by a third party or independent service organisation,
request prompt installation of appropriate security patches and documentation
to support risk mitigation. Identify terms in the existing service contract
covering responsibilities in regard to security patch updates
with the facility's internal IT department to update affected medical devices
in accordance with the manufacturer's recommendations as soon as practicable.
Medical devices require all updates to firmware and software to be validated, which
often delays the availability of patches and updates. For any medical device
vendors without a validated security patch, demand expeditious validation. Many
medical device updates must be installed by hand while the unit is removed from
use (that is, they can't be distributed remotely), and downtime can directly
impact patient care. These factors should be considered when formulating an
response on any connected Windows- OS -based medical device systems such as
lifecritical devices, therapeutic devices, patient monitoring devices, alarm
notification systems, diagnostic imaging systems and others
- If a
malware infection is identified or suspected in a medical device if clinically
acceptable, disconnect the medical device from the network and work with your
internal IT department and the device manufacturer to contain the infection and
to restore the system. If any unencrypted patient data was involved, have risk
management coordinate the hospital's response regarding the data breach, as per
its obligation under HIPAA
overreact. Even with good software update practices, it's not unusual to find
medical device systems running outdated OS software. Don't assume that the
presence of outdated software on your systems is a threat in its own right.
These systems should already be noted as exceptions in your facility's IT patch
update policy, and risk mitigation measures should already be in place
install unvalidated patches. Unvalidated patches can make medical devices
faulty or inoperable, and a thorough supplier validation process can take some
time. Prior to installing any security updates or patches, ensure that they
have been validated by the manufacturer. Ask the manufacturer for documentation
of the validation
simply turn off or disconnect all networked medical devices that have Windows
OS . Consider the implications of disabling network connectivity as a risk
mitigation strategy on a case-by-case basis. Work with frontline clinicians to
understand what the connectivity is used for and the workflow disruption that
will result from disconnecting a medical device from the network. In some cases
when workflow disruption is deemed acceptable, a disconnection might be an
appropriate risk mitigation strategy until the security patches have been
installed per the manufacturer's recommendations.