WannaCry Ransomware Encrypted Hospital Medical Devices
The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware has been installed on hospital systems and succeeded in encrypted medical device data.
The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch that addressed the exploited vulnerability in Server Message Block 1.0 (SMBv1). The attacks claimed more than 200,000 victims around the globe.
So far, two healthcare organizations in the United States have confirmed they experienced a WannaCry ransomware attack that affected Bayer MedRad devices. The devices are power injector systems used to monitor contrast agents administered to improve the quality of imaging scans, such as MRIs.
Bayer told Forbes, “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” In both cases that were reported to Bayer, the issue was resolved within 24 hours and systems were brought back online.
Get The Checklist
Free and Immediate Download
HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
Bayer is not the only device manufacturer that was affected by the ransomware attacks. According to HITRUST, reports were received from healthcare organisations that had Siemens devices encrypted by the ransomware. Siemens has not publicly confirmed that was the case with U.S hospitals, only that the company had been working with the NHS to help resolve the attacks.
HITRUST has been issuing updated information on the WannaCry ransomware attacks and confirmed that evidence has been uncovered suggesting other unnamed medical devices were impacted, in addition to Siemens and Bayer devices.
HITRUST also said indicators of compromise were confirmed via the HITRUST Enhanced IOC program well in advance of the attacks on Friday, pointing out that organizations that had already applied HITRUST CSF controls related to End Point protection and patch management would have appropriately addressed the threat – specifically Control References “09.j Controls Against Malicious Code” and “10.m Control of Technical Vulnerabilities.”
HITRUST also said organizations that leveraged the HITRUST CyberAid program have not been affected by the recent WannaCry ransomware attacks.
While the attacks using Friday’s WannaCry ransomware variant were halted after a researcher identified a kill switch, researcher Matt Suiche identified a second variant that referenced a different domain. He registered that domain and prevented attacks with the second variant, mostly in Russia.
Kaspersky Lab’s Costin Raiu said another version has been identified, with this one lacking the kill switch. While that version is spreading, it appears not to be capable of encrypting files as the ransomware component is corrupted.
What should be of particular concern, not just for healthcare organizations but all businesses, is a threat issued by Shadow Brokers – the group that released the ETERNALBLUE exploit used in Friday’s attacks. Shadow Brokers plans to release further exploits in a similar fashion on a monthly basis, including exploits for vulnerabilities in Windows 10.
Ransomware and other malware attacks on the same scale as WannaCry could become frequent events, highlighting the importance of updating software and applying patches promptly.