Responding to cybersecurity threats is critical in health care, but recent events show that well-meaning responses can create their own havoc.
The WannaCry ransomware attacks that crippled hospitals in the U.K. last week prompted a flurry of large-scale conference calls among government agencies, hospitals and device makers. But some of the calls were held at overlapping times, and others were seen as needing improvement, like the call on which one government official refused to tell listeners what specific medical devices in hospitals were considered at highest risk for infection.
"The nice thing was, people wanted to share information. The bad thing was, they used every venue possible that could be used. It was not coordinated," said Rick Hampton, wireless communication manager with Boston's Partners HealthCare System.
When someone asked what devices were most vulnerable to WannaCry, "the answer that came back was, 'We don't want to tell you that because you will just check that one device and ignore the rest.' Give me a break," he said.
Hampton's critique came on the second day of a two-day workshop on cybersecurity in medical devices held by the Food and Drug Administration in Silver Spring, Md. The comments were couched within the larger observation that government agencies, hospitals and manufacturers alike are still learning the most effective ways to respond to real-time cyber threats in health care.
And there seemed no doubt among the meeting's 300 attendees that a "next attack" is inevitable. The only question is how to prepare.
The WannaCry computer worm, which encrypts files on infected Windows machines and demands payment to release them, did not appear to explicitly target health care. But the worm's ability to rapidly compromise entire networks from a single infected computer meant it was most effective in sectors with highly interconnected systems and organizational complexity that makes them difficult to maintain — like government, education, manufacturing and health care.
Health care's unique constraints create potential for unintended problems, though.
For one, hospitals contain thousands of devices that could potentially be vulnerable in real-time attacks, making it important to quickly understand how to prioritize threat-mitigation efforts. With the WannaCry worm, that information is only now trickling out, a week after the attacks first surfaced.
Forbes has reported that two radiology machines in the U.S. made by Bayer's Medrad subsidiary were affected by the WannaCry virus, but the problems were said to have been resolved without further incident.
Siemens Medical Solutions USA put out a security bulletin that said unspecified devices in its Healthineers imaging division "may be affected" by the computer worm, though "the exploitability of any such vulnerability depends on the actual configuration and deployment environment of each product."
Device maker BD reported working with its customers to ensure software patches have been applied to dozens of its products that use Microsoft Windows operating systems, including Pyxis drug-dispensing machines.
"At this time, we are actively monitoring the situation and working closely with customers to ensure the appropriate measures are taken to help safeguard our products," the BD security bulletin said.
A common recommendation is to conduct regular network scans and antivirus scans, but those can create their own headaches in hospitals.
One attendee at the FDA meeting recalled a situation where his IT department required all devices be regularly swept for problems, including CT scanners. In at least one case the scan happened unexpectedly during a patient encounter, forcing the clinicians to halt the CT procedure. But the patient already had contrast dye injected for the scan; such dye is considered safe, but it is not risk-free.
Another attendee at the FDA meeting, Michigan-based cybersecurity expert Kevin Fu, said that even a simple network scan meant only to detect whether a device is present on the network is sometimes enough to knock that device offline.
"No one wants to admit this on camera, but if you scan your whole hospital, chances are you are going to knock something off of your network," Fu said Friday. (The meeting was webcast from a camera in the room.)
Fu addressed another oft-raised concern about unintended consequences of cybersecurity efforts — that talking about vulnerabilities publicly will encourage hackers to exploit them.
There's no industry consensus on exactly when and how a medical device company should communicate potential threats to hospitals, but there is a strong fear that communicating too much could weaponize unexploited vulnerabilities or provide hackers a damage assessment that could be useful for future attacks.
Fu said such fears need to be countered with reality.
"There was a little bit of discussion/argument [at the meeting], doesn't that help the bad guys?" Fu said. "The counterargument is, 'Let's not put our heads in the sand.' … The bad guys are already scanning your network, so shouldn't you be, too?"