Recent Cyber Attack Enough to Make Medtech WannaCry

It was the U.S. Food and Drug Administration’s (FDA) worst nightmare come true.

On May 12, the WannaCry ransomware cryptoworm slithered its way into computers worldwide, infecting as many as 200,000 Microsoft Windows systems in 150 countries, including interfaces at 48 U.K. hospital trusts and an untold number of U.S. facilities.

Hospitals, of course, are not immune to computer hacks. In fact, more than 113 million personal health records were compromised in 2015, roughly nine times as many as the prior year, according to provider data reported to the U.S. Department of Health and Human Services.

The WannaCry worm, however, wasn’t limited to hospital computers. It also infected medical devices.

Quoting an unnamed “source,” Forbes reported the WannaCry attack affected a Bayer Medrad device in an unnamed U.S. hospital. The source could not confirm the specific model infected, but the magazine surmised the product to be a device used to monitor a “power injector,” which helps deliver a contrast agent to patients. Such agents are composed of chemicals that help improve the quality of magnetic resonance imaging scans.

A Bayer spokesperson confirmed the ransomware’s device contamination, telling Forbes the company received two reports from U.S. customers about its infected medical products. “Operations at both sites were restored within 24 hours,” the spokesperson said, declining to specify the product(s) or location(s) affected. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” 

Five days after the WannaCry attack began (and two days after its “accidental” demise), Bayer posted an advisory on its website about potentially compromised Windows networks and provided recommendations to customers about installing corrective or preventative measures. The company identified its vulnerable medical devices: the Medrad Stellant and Medrad MRXperion control room units (Certegra Workstations), Certegra and VirtualCare devices, Medrad Intego RDMS, and Certegra Connect, CT.

The company began deploying a Microsoft security patch for the ransomware on May 19, and instructed customers a week later to restart their Medrad Stellant control room unit (Certegra Workstation) if the systems were connected to Virtual Care Remote Support.  

Although WannaCry’s impact on patient health remains unclear, the Bayer infections are nevertheless concerning because they represent the first known instance of ransomware directly affecting the operation of a medical device—a problem the FDA has been preaching about for years. In 2015, the agency issued a cybersecurity alert about Hospira Inc.’s Symbiq infusion pumps, citing security vulnerabilities that potentially could allow “unauthorized access” to the devices and prevent them from properly functioning.

And just a month before the WannaCry attack, the FDA threatened Abbott Laboratories with regulatory action over safety and security issues in a remote cardiac monitoring system developed by St. Jude Medical Inc. (the two companies finalized their $25 billion merger earlier this year). In an April 12 warning letter, the agency accused St. Jude Medical of failing to properly investigate problems with both the batteries in its Merlin implantable defibrillators and the cybersecurity of its at-home monitoring equipment.

The letter gave Abbott Labs 15 days to submit a plan to address errors in the products’ designs that could allow hackers to tamper with the settings and drain the batteries or administer inappropriate pacing or shocks.

“…cybersecurity threats are real, ever-present, and continuously changing,” Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, wrote in an agency blog post late last year. “In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.”

Comforting thought.

In sounding the alarm bell on cybersecurity, the FDA released recommendations late last year on ways device manufacturers can maintain the safety of Internet-connected products, even after they have entered hospitals, patients’ homes, or the human body. First issued in draft form in January 2016, the 30-page guidance encourages companies to ensure device cybersecurity throughout the product lifecycle. It recommends manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

The agency also suggests that companies devise ways to monitor and detect cybersecurity vulnerabilities in their devices; understand, assess, and detect the level of risk a vulnerability poses to patient safety; work with cybersecurity researchers and other stakeholders to improve communication about potential vulnerabilities; and deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm.

“Digital connections power great innovation—and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve healthcare can increase cybersecurity risks,” Schwartz wrote in her blog post. “This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides, but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.”

A lot more work.