Medical devices at US hospitals have been hit by the now-infamous WannaCry ransomware.
An unnamed source has released an image of an infected Bayer Medrad device, which is a radiology device used for imaging improvement for MRIs.
A Bayer spokesperson confirmed to Forbes that its products at two hospitals were indeed hit by the malware: "Operations at both sites were restored within 24 hours. If a hospital's network is compromised, this may affect Bayer's Windows-based devices connected to that network."
The spokesperson added that the company is preparing a patch for the Windows-based devices.
Some note that the patching process could be onerous. “Medical devices often use operating systems from the Microsoft’s Windows Embedded product line,” explained Craig Young, computer security researcher for the Tripwire Vulnerability and Exposures Research Team, via email. “Unfortunately...security fixes on embedded devices commonly require a complete firmware update from the vendor, which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device.”
Another hindrance on keeping these systems up to date with security updates is that it requires that the devices (which may be in continuous use) are unavailable for some period of time while someone from IT installs and tests the firmware update.
“In many cases, devices will never receive updates, either because the OS is no longer supported, and memory, storage, and processing constraints may prevent the device from operating effectively with the latest software,” Young said. “Finally, I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices and simply avoid patching because the device works. This ‘if it ain’t broke don’t try to fix it’ mentality can be tremendously detrimental to hospital security.”
Terry Ray, chief product strategist for Imperva, noted that the healthcare industry continues to be a top target for cybercriminals, because of the large quantity of valuable data they manage and the potential to negatively impact critical patient care.
“With so many medical devices connected to the internet, it’s not surprising to know that some of these devices were rendered useless by WannaCry,” Ray told Infosecurity. “As we’ve seen with ransomware activity, there’s an inherent operation damage to the enterprise. That damage cannot be mitigated by paying the ransom. This attack is a wakeup call for everyone to keep their security systems up to day so they can prevent future attacks.”