The Implications of WannaCry on Medical Devices: How Interconnected Devices Can Exacerbate Cyber Attacks
Ransomware can be frightening. It holds all the data in a device hostage until the victim pays a sum of money, and even then, there is no guarantee thedata will return. To be more specific, ransomware takes advantage of a security flaw and locks the user out until said ransom is paid. Initially, over 200,000 victims were affected by the recent WannaCry attack worldwide, which exploited a flaw in Microsoft Windows 7 and demanded a ransom in Bitcoin. Worryingly, WannaCry infiltrated the computer systems of London hospitals. WannaCry even took its first medical device hostages in the US during the major attack. This is the heart of things: connected medical devices, on these networks, can expose them to risk if they're not well protected.
This sort of hacking is a real persistent threat in our modern age. It is estimated that by 2020, 25% of all enterprise breaches will involve interconnected devices. The more connected a device is, the more vulnerable it is to an attack.
Let’s consider what might happen to a type 1 diabetic as a victim of ransomware. That diabetic may use some of the amazing devices that do such things as hold drugs for extended periods of time, check vital levels automatically, and administer drugs as needed accordingly. They’re complex and need to run well, or disastrous results could follow. If ransomware disrupts these devices, it could be the patient’s money or their life. Regulations are just beginning to appear to address these issues.
In 2016, FDA began to outline how medical device manufacturers should keep hackers away in “Postmarket Management of Cybersecurity in Medical Devices.” However, the document does not include any plans for enforcement. The main issue here, as Rachel Becker from The Verge states, is that “The…document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.” FDA says this document is only the beginning as systems become more complex and the risk of disruption becomes great; more regulations are on the horizon.
Medical and combination device companies need to address cybersecurity sooner rather than later, and they may want to set high standards for themselves before FDA requires it. Reducing risk is paramount over any other activity when manufacturing a device, and now, cybersecurity has become a huge risk that must be mitigated to lessen its potential impact on patient safety.
Learn how Cognition is Helping Make Risk Reduction Easier
Download our free white paper Preliminary Hazard Analysis: A Guided Approach to find out more.