Protecting Medical Devices from Ransomware: A Critical Step
Cybersecurity Expert Kevin Fu Spells Out an Action Plan
In the wake of the WannaCry ransomware campaign, healthcare entities need to take a critical step right now to protect their medical devices from the next major ransomware attack, says cybersecurity expert Kevin Fu.
"We're going to be crushing these 'cockroaches' in a very ad hoc manner until we get one simple thing done," says Fu, comparing ransomware to the infiltration of the insects that stubbornly resists extermination. "And that is accurate inventory of cybersecurity risks of medical devices as it affects essential clinical performance."
That's because "pretty much all these problems boil down to the bad guys knowing the clinical networks better than the good guys," he says in an interview with Information Security Media Group.
"The bad guys know how to whittle their way in and they know what the vulnerabilities are. It's not fair that the healthcare systems don't have this information as well. So, we've got to figure out how to make the inventory more readily available to the healthcare systems so they can go back to their job - the delivery of healthcare."
Infected Medical Devices
While the U.S. Department of Homeland Security has said only about 10 U.S. organizations across all sectors were impacted by WannaCry, medical device manufacturer Bayer has confirmed that two unidentified U.S. hospitals were among those that reported they were affected (see HHS Ramps Up Cyber Threat Information Sharing).
Unpatched Windows-based radiology devices from Bayer used at the hospitals were impacted, but operations of those devices were restored within 24 hours, a Bayer spokeswoman confirmed to ISMG.
Taking inventory of medical device cybersecurity risks and vulnerabilities is challenging, Fu acknowledges.
"The number one thing that healthcare systems need to do is find a way to safely inventory everything on their clinical networks - not only their intended devices, like medical devices - but also get a really good cataloging of 'shadow IT.' These are devices almost like contraband that appear on clinical networks from unknown sources," he says.
"Until hospitals get really good coverage on this, it's going to be really tough to roll out effective defenses. They are always going to be playing catch up until they know their inventory."
The challenge, however, is to accomplish the inventory process safely without interrupting the clinical workflow, he warns.
"I would love to suggest scanning all of your clinical networks, but I won't. And the reason is that we know that scanning a network tends to cause medical devices to topple over. Medical devices were not designed to withstand some very simple probing of security vulnerabilities."
In the interview, Fu also discusses:
- Whether entities might have medical devices infected with WannaCry or other ransomware and not realize it yet;
- The first signs that medical devices have been attacked by ransomware;
- Immediate steps organizations should take if they suspect ransomware has infected a medical device.
Fu is co-founder, CEO and chief scientist at healthcare cybersecurity firm Virta Laboratories. He's also associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security. Previously, he served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts, Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab.