WannaCry Ransomware Exposing Cybersecurity Flaws


What is ransomware? What is WannaCry (also known as Wanna Decryptor and Wcry)? And, more importantly, how does this relate to the Medical Device/Healthcare industry? These are questions I hope to answer. I have provided a references guide at the end of the post for anyone who wants to know more about this topic, or for verification purposes. Because of the severity of this situation, it is recommended that professionals continue following the WannaCry Ransomware attack as it develops further.

Ransomware is a specific type of cyberattack where hackers take control of a system and hold the system’s data hostage until the company (or individual) agrees to pay the ransom. On May 12th, 2017, the largest attack in history was unleashed, and more than 200,000 companies in more than 150 countries were suddenly held hostage. The primary targets were based in Russia, Ukraine, and Taiwan. (Bodkin, 2017) WannaCry made use of a flaw in Microsoft's operating software discovered by the National Security Agency (NSA). This information was leaked, and hackers used it to infect the vulnerable computers, wipe all data and only leave the WannaCry program and the directions on how to get the data back. In this case, the hackers demanded payment in Bitcoins. (McGoogan, 2017) It was found that computers operating on systems older than 2007 are the most vulnerable. In March of this year, Microsoft offered a free program/patch to their systems that addressed the issues discovered. However, many companies did not update their computers with the patch, which left their systems vulnerable. The list of companies that elected not to update their systems included the National Health Service (NHS) in Britain, which was operating on systems more than fifteen years old. (Bodkin, 2017)

By Janice Harvey 2017

Shortly after the ransomware was released, a security expert stalled the attack by activating a "kill switch" found in the program. While this has provided a short respite from the attack, there is concern that the group responsible for the attacks is attempting to bypass the kill switch, so companies need to take quick measures to ensure their data is properly protected from these attacks. (McGoogan, 2017)

The easiest way for hackers to gain access to vulnerable systems is through compromised emails and suspicious websites. "Spear phishing" has been a particularly successful method for hackers to get results; in many cases, these are emails that look like they were sent by company management asking employees to follow links. The Digital Guardian published an article earlier this year discussing phishing attacks with more than twenty cyber security experts and how companies can protect against them. Please read this article if you want more information. (Lord, 2017)

The impact WannaCry has had on the NHS highlighted the industry’s vulnerability to these attacks. Not only are companies running on outdated systems, but when the industry is impacted, the health and welfare of billions of people is put at risk. When the NHS went down, patients waiting for critical operations suddenly found their appointments cancelled, and doctors were left in the precarious position of resorting to note taking with pen and paper while being unable to access the medical histories of their patients, which would indicate things like critical statuses and allergies to medications.

Many medical devices run off of software. When this software is not kept updated, it leaves these devices at risk of attacks like WannaCry. Updating software can be expensive and difficult, so more often than not, these devices are left to run on their old systems. I mean, it still works, right? Companies involved in the supply chain for medical devices, from the manufacturers and designers to the end users, need to find a solution to these difficulties. (AAMI, 2017) How do we make it so users can reasonably update the software of these expensive devices (like MRIs) without having to replace them before the device itself is obsolete? These critical questions need to be addressed, and will be a driving factor behind significant conversations in the medical device and healthcare industries this year.

The Association for the Advancement of Medical Instrumentation (AAMI) has announced that cybersecurity of medical devices will be a focal point of their upcoming conference and expo in Austin, Texas from June 9-12. Industry experts are expected to present on this topic, including Kevin Fu, who is an associate professor at the University of Michigan where he directs the Archimedes Center for Medical Device Security.


AAMI. (2017, May 16). Ransomware Attack Serves as 'Wake-Up' Call to Healthcare's Vulnerabilities. Retrieved from Association for the Advancement of Medical Instrumentation (AAMI): 

Cara McGoogan, J. T. (2017, May 18). What is WannaCry and how does ransomware work? Retrieved from The Telegraph:

Henry Bodkin, B. H. (2017, May 13). Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms. Retrieved from The Telegraph:

Lord, N. (2017, February 28). Phishing Attack Prevention: How to Identify & Avoid Phishing Scams. Retrieved from Digital Guardian:

About the Author

Janice Harvey

Janice Harvey has been with TUV USA since May of 2016, and moved to the Medical Products Division that September. She is currently attending Kaplan University for a Bachelor’s Degree in Business Administration. Janice provides independent content writing for divisions of TUV USA, Inc. She has contributed to the content of the TUV USA website as well.






