In 2017, workers at two US hospitals were using a medical device that improves the quality of MRI images. Suddenly, the WannaCry ransomware screen popped up on the LCD readouts, demanding a ransom to unlock the apparatus. The devices were running an unpatched Windows-based operating system.
Fortunately, patients were never in danger. The vendor released a patch to prevent further damage. While this incident passed without significant repercussions, it was notable in one regard. This was the first known occurrence of a successful ransomware attack on a medical device.
Exploiting Vulnerable Medical Device Operating Systems
The threat of ransomware attacks on medical devices stems from changes in manufacturing. In recent years, manufacturers began including popular operating systems (OSs) on these devices. Formerly, medical devices used proprietary firmware or other exclusive features. That meant medical devices were rarely targeted in cyberattacks. The attacks simply didn’t pay off for criminals. Developing targeted attacks against these specialized devices was not as simple – or lucrative – as targeting mainstream systems.
But now manufacturers are building medical devices running Windows (and other popular OSs). The obvious benefit of running a standard operating system is that it’s easier for IT to apply patches. But there are also drawbacks. Ransomware attacks previously only seen on servers and desktops, now inflict medical devices as well.
Mitigating these attacks is especially critical in healthcare where the stakes are high. In most ransomware attacks, an organization might lose valuable data. But attacks on medical devices can put lives at stake.
So how can you ensure medical device security? One way is to understand their behavior patterns. For example, medical devices generally have a specific purpose. Their usage patterns typically don’t change much. Once you know these standard behaviors, you can identify unusual trends that could indicate the device has been compromised.
Gurucul UEBA and Medical Devices
Our User and Entity Behavior Analytics (UEBA) solution establishes baseline behavior profiles. From there you can detect activities that are outside the normal patterns. When a medical device acts irregularly, there are only a couple of reasons why. Either the device malfunctioned and needs to be serviced, or it was compromised. This anomalous behavior triggers our UEBA solution’s risk-based alerts. The alerts could mean, for instance, someone accessed the device and changed its configuration. In other words, it’s been hacked.
UEBA can also benefit healthcare organizations from an IT management perspective. It’s not uncommon to see new medical devices pop up on the hospital network. In these shadow IT situations, the apparatus is usually procured by a physician or a hospital organization with their own discretionary budgets.
Watch the video Allina Health Gurucul Customer Story: Monitoring Medical Devices” to hear the Allina Health CISO describe how Gurucul’s security analytics technology secures the medical devices on their hospital network.
This situation resembles the general IoT use case that any enterprise might deal with. However, the medical device use case introduces additional degrees of complexity. A device may report that it’s malfunctioning and must be swapped out for a new unit. From the IT perspective, that’s one device leaving and one device entering the network. With Gurucul UEBA you can know when a replacement device is performing differently than the typical behavior of those devices. Being aware of this issue and taking immediate action is essential.
Another challenge with medical device security is knowing when to safely patch or service the device. There’s a risk that the patching process might take the device down or disable it. The IT team can’t patch or update a device at will. The device might be performing a clinical service at that time. With UEBA it’s possible to know when a device is out of rotation. And that lets you know when it’s safe to perform maintenance.
For example, UEBA can tell us that a particular device is out of use between the hours of 8 PM and 6 AM. With this knowledge, you can perform maintenance during those off hours so as not to interfere with patient care.
Learn More About Medical Device Security
In the healthcare industry, patients must always come first. The prospect of a patient being harmed due to a faulty medical device behavior is not as farfetched as it may seem. UEBA’s ability to establish baseline behavior profiles to ensure medical device security holds great value for healthcare organizations.