WannaCry ransomware hit medical devices at American hospitals. An image of infected Bayer Medrad radiology device was released by an unknown source a while ago.
The spokesperson at Bayer confirmed the news and explained that their products at two hospitals were already hit by the ransomware:
“Operations at both sites were restored within 24 hours. If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”
The Bayer spokesperson also said their company is currently preparing a patch for the Windows-based devices. According to some experts, the patching process could be very hard.
“Medical devices often use operating systems from the Microsoft’s Windows Embedded product line,” the security researcher Craig Young, said. “Unfortunately…security fixes on embedded devices commonly require a complete firmware update from the vendor, which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device.”
At the same time, the devices, which may be in continuous use, should not be used while they are being updated by someone from the IT specialists.
“In many cases, devices will never receive updates, either because the OS is no longer supported, and memory, storage, and processing constraints may prevent the device from operating effectively with the latest software,” Young said. “Finally, I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices and simply avoid patching because the device works. This ‘if it ain’t broke don’t try to fix it’ mentality can be tremendously detrimental to hospital security.”
According to the chief product strategist for Imperva, Terry Ray, the healthcare industry continues to be a top target for hackers, due to the fact that the huge quantity of valuable data they manage and the potential to negatively impact critical patient care.
“With so many medical devices connected to the internet, it’s not surprising to know that some of these devices were rendered useless by WannaCry,” Ray said. “As we’ve seen with ransomware activity, there’s an inherent operation damage to the enterprise. That damage cannot be mitigated by paying the ransom. This attack is a wakeup call for everyone to keep their security systems up to day so they can prevent future attacks.”