Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel.
These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.
The attack relied on a type of malicious software called ransomware, which keeps users from accessing their computer systems until they pay a ransom. Moreover, Wanna Cry does not distinguish between a computer, smartphone or medical device.
are extremely vulnerable to the type of massive cyber attack that tore through more than 150 countries Friday, and some health care providers here may have already been—or soon will be—hit, cybersecurity analysts warn.
The pernicious new strain, aptly named Wanna Cry, froze or slowed business and health care computer systems around the world, including several within the U. The malware exploits a vulnerability in the Windows operating system that many system administrators have not yet patched—including at many U. And, unlike the case with many other cyber attacks, a user need not click a link to unknowingly install it; if a health care system is connected to the internet and using an outdated system, the malware can find it and infect it. health care providers’ computer networks may already be under assault from threats that are not widely known.
“It’s kind of like we closed our doors but left them unlocked, so the malware just wiggles doorknobs until it finds one that’s open and walks in. hospitals” because many of its health care facilities have outdated systems, he says. “It is likely that [Wanna Cry] just didn’t hit a large network of our sites—the equivalent of NHS—but I guarantee American systems did get impacted in some regard,” he says, noting historically many companies have simply paid small ransoms rather than publicize that they have had glitches. One large hospital system in Boston took some drastic steps this weekend, disabling all attachments in e-mails—even though Wanna Cry can spread without any victim interaction, Fu says.
You don’t need to be there to get robbed,” says Kevin Fu, CEO and chief scientist of health care security company Virta Labs and director of the Archimedes Center for Medical Devices at the University of Michigan. In a hospital setting, a Wanna Cry infection can cause serious problems including blocking access to patient records and lab results or a failure to share allergy or drug interaction information with hospital computers or other devices. K.’s, which may have provided some degree of insulation, says Alex Heid, chief research officer at Security Scorecard, a risk management cybersecurity firm that tracks cyber attacks on health care in the U. “I would say we had dodged a bullet [compared with the U.
A user may only discover the security breach after turning on a device, when a locked screen comes up stating the person’s data is being held hostage unless a ransom is paid. had publicly reported a Wanna Cry attack as of the beginning of this week. K.], but I think the bullets are still coming and we know we are just as vulnerable,” he says, noting the malware could be further tweaked to cause future problems.
As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems.There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.” The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security & Privacy Advisory Board, of which Fu is a member, in Washington, D. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said during the meeting, referring to high-risk pregnancy monitors.The hospitals affected include North Tyneside General Hospital, Wansbeck General Hospital, Northumbria Specialist Emergency Care Hospital and hospitals in York, Scarborough and Malton are among those experiencing major problems with their IT systems, with reports systems have completely crashed following the attack.On Saturday morning, Vale of York Clinical Commissioning Group issued the following advice to patients: Pharmacies and prescriptions If patients need urgent supplies of repeat prescription medication they are advised to contact a pharmacy they are known to which will try to help with the request.