Medical Devices Reportedly Infected in Ransomware Attack

blog2

HITRUST investigations show that medical devices were infected in the recent WannaCry ransomware attack that affected 150 countries.

The recent WannaCry ransomware attack that infiltrated more than 150 countries and forced some European healthcare organizations to suspend certain services reportedly infected certain medical devices as well.

HITRUST explained in an email update that its investigations found that MedRad (Bayer), Siemens, and other unnamed medical devices were infected.

Furthermore, Indicators of Compromise (IOCs) “were identified within the HITRUST Enhanced IOC program well in advance of last Friday’s attacks,” the organization stated.

“HITRUST is reaching out to healthcare organizations and trade associations to provide information to detect, prevent and remediate the threat and associated malware,” HITRUST said. “HITRUST identified the IOCs in advance of last Friday and published them to the HITRUST CTX and has been publishing guidance continuously since Friday, May 12th.”

The WannaCry ransomware attack targeted Microsoft’s Windows operating system, and also utilized the EternalBlue exploit that was allegedly developed by the National Security Agency (NSA). 

EternalBlue exploits Microsoft’s Server Message Block protocol. Healthcare organizations typically still use Windows XP and Windows Server 2003, which are no longer supported and updated by Microsoft.

Microsoft released a security update, MS17-010, on March 14, 2017. However, had organizations not yet installed the update the malware may have been able to have easier access to the systems.

A Microsoft security update was also released for Windows XP, Windows 8, and Windows Server 2003. Those operating systems had not received security patches for in some time.

“Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests,” Microsoft explained in terms of Windows SMB remote code execution vulnerabilities. “An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.”

“To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server,” Microsoft continued. “The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.”

It has been previously discussed how outdated medical device security could negatively impact healthcare organizations. Procrastinating system updates, postponing medical device updates, or even opting to “Frankenstein” medical devices can lead to data security issues.

ICIT research found that attackers may set up beach heads for future attacks. This can help create a type of remote access Trojan on a vulnerable device that has perhaps been “Frankensteined” into the IoT microcosm. The entire network could be vulnerable because there is no end point security for that device.

The Electronic Healthcare Network Accreditation Commission (EHNAC) also released a statement explaining that it is carefully monitoring the ransomware situation in North American healthcare organizations.

“This weekend’s WannaCry ransomware attack is a disturbing reminder of how susceptible the global healthcare arena is to cyber attacks,” EHNAC Executive Director Lee Barrett said. “Regardless of the outcomes of this attack, EHNAC’s executives and system administrators continue to review and enhance security and privacy controls within accreditation criteria to mitigate the threat of similar data breaches and to secure Protected Health Information managed by healthcare stakeholders.”

Healthcare organizations cannot assume that they will never be affected by a third-party cybersecurity attack. Medical devices must be regularly updated and employees should be continuously trained on proper data security prevention measures.

Staff members at all levels should know not to open suspicious emails or click on suspicious links. From there, employees need to report such activity.

Ransomware attacks are not going to disappear anytime soon, and can likely never be fully prevented. However, organizations can work to lessen the damage from such attacks and ensure that they will be able to quickly recover and continue normal operations.