Bayer confirmed it received two reports of WannaCry affecting U.S. customers. The confirmation is the first time ransomware is known to have directly affected medical equipment in the U.S. In both cases, Bayer said operation was restored within 24 hours. Full fixes will take longer. Bayer plans to send out a patch for devices running Microsoft Windows “soon.” However, experts have noted the use of the Microsoft Windows Embedded family of operating systems on many medical devices makes the speedy, painless patching of equipment unlikely.
“These systems are not always easy to patch for a variety of reasons. Security fixes on embedded devices commonly require a complete firmware update from the vendor, which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device,” Craig Young, computer security researcher at Tripwire, said in an emailed statement. Young also flagged up the need to stop using devices while the firmware is installed and updated. Many hospitals, including those in the U.K., are overstretched and can ill afford to reduce capacity. Young suspects hospital administrators under appreciate the dangers posed by outdated software. Faced with the predictable difficulties that will arise from taking a device offline for maintenance and the nebulous threat of a security breach, administrators may opt against patching technology. “This “if it ain’t broke don’t try to fix it” mentality can be tremendously detrimental to hospital security,” Young said.
The fallout of the WannaCry attack is likely to have made healthcare systems more amenable to taking preventative measures. Device manufacturers are stepping up to help these responses.
BD and Siemens both released statements detailing recommendations for users of their devices without explicitly stating whether their equipment has been affected by the ransomware. Users can protect some devices by installing a patch from Microsoft but this defense is only applicable to certain product lines.
Recognizing this, Siemens has provided guides for six groups of products that will require different fixes. Siemens said it is working on updates for the vulnerable products, which include CT and MRI devices. In the meantime, the company recommends hospitals use firewalls to block access to certain network ports or, if that is impossible, disconnect the device from the network until a patch or other fix is installed.
REFERENCE: Fierce BioTech; 19 MAY 2017; Nick Paul Taylor