WannaCry ransomware also infected medical devices

The aptly named WannaCry ransomware that crippled the digitized world over the weekend struck scores of hospitals in the UK as well as a smaller number of healthcare facilities in the United States. It appears that the hack also drilled down into some connected medical devices.

Forbes reports that a Bayer-branded radiology device in a U.S. hospital was affected by WannaCry ransomware. Although the source did not disclose the specific device nor the hospital where it is installed, Forbes writes that “it appears to be radiology equipment designed to help improve imaging” and is used for monitoring a “power injector, which helps deliver a contrast agent to a patient.”

Bayer confirmed to Forbes that it had received two reports from U.S. customers, noting that operations were restored within 24 hours. According to cybersecurity experts, patient safety was not at risk since the device’s safety features are not controlled via the Windows operating system, which the hack targeted. WannaCry ransomware did not aim to infect medical devices, but some were affected because they are connected to the hospital’s network.

The hack may have affected connected devices from other companies, but they are keeping mum while they rush to develop patches for the vulnerable Windows systems. Siemens would neither confirm nor deny reports to Forbes that its Healthiness technologies had been hacked. BD also issued a warning to customers that it was actively monitoring the situation.

Is this the world we now live in? Maybe so. An article in the Harvard Business Review ( HBR), “Medical systems hacks are scary, but medical device hacks could be even worse,” notes that “hacks of implanted or wearable medical devices are an even more sobering threat.”

As reported in PlasticsToday in April, “FDA has become increasingly concerned about the [cybersecurity] issue and is working to coordinate with other agencies on how to respond if a serious medical device hack were to occur.” The HBR article cites several cases of malware being found on computers supporting medical procedures and in software “residing on X-ray, blood-gas analyzer and communications devices.”

One of the scarier scenarios, which was exploited in season two of Homeland, is the transmission of life-threatening signals to implanted medical devices. The signals would not be fatal, according to researchers in Belgium and the UK investigating this possibility, unlike in the Homeland episode in which the U.S. Vice President was assassinated by terrorists who hacked into his pacemaker.

Citing limited resources and the need to focus on a host of regulatory and business challenges, HBR writes that cybersecurity efforts probably will remain low on the list of priorities of hospital administrators. “Cybersecurity remains secondary to medical purpose, even if cybersecurity could result in severe injury or death. Patients deserve better,” writes HBR