Cybersecurity experts gather to try to prevent future attacks like WannaCry

May 20, 2017 by Joe Carlson, Star Tribune (Minneapolis)

An entire team of experts works at the Mayo Clinic to ensure that 25,000 networked medical devices - everything from digital cameras to proton beam therapy systems - are hardened against cyberattacks like the WannaCry worm that affected hospitals from England to China last week.

It's no easy job, but - knock on wood - there have been no reported successful cyberattacks or malicious outsiders hacking Mayo's systems. Still, the WannaCry worm has infected at least some in the U.S., and well-funded hospitals like the Mayo Clinic may not be the first medical centers where successful hacking would crop up.

Rather, the public ought to think about the more than 600 financially struggling hospitals in smaller communities that are on the verge of closure. "Those are the people that we need to keep in mind for medical devices, not Mayo," said Kevin McDonald, Mayo's director of clinical information security.

"It costs a ton of money to be able to do this," he said. "Medical devices have now become the weakest link in your enterprise security defenses."

McDonald spoke Thursday morning in Silver Spring, Md., on the first day of the Food and Drug Administration's latest public forum on cybersecurity and medical devices. The two-day event is called "Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis," and is intended to produce a document that will identify potential "gaps" in regulation, product design and basic research in med-tech cybersecurity.

Unlike the previous meetings on med-tech cyber precautions, this week's workshop takes place against the backdrop of a worldwide cyberattack that has affected hundreds of thousands of computers and put government agencies on high alert for another wave.

The so-called WannaCry worm is based on a security vulnerability in older versions of Microsoft Windows, which is still run on many medical devices today. The Windows flaw was discovered by the National Security Agency years ago, and publicized recently after hackers got ahold of the NSA files. The worm is a form of "ransomware" that infects computers and computer networks, locking down critical files until the victim agrees to pay a ransom.

"A few years ago the biggest problem was the breach," which would allow a hacker to steal patient data and sell it on the black market for a profit. "What's really scary is now they've figured out how to monetize the attacks directly," said workshop speaker Todd Carpenter, chief engineer at Minneapolis' Adventium Labs.

No U.S. hospital has yet publicly acknowledged being affected by the WannaCry worm. Nonprofit information-security organization Hitrust Alliance said it had seen evidence that devices made by Siemens and Bayer's MedRad subsidiary, along with other unnamed device makers, have been affected by the worm since the news broke last Friday morning that WannaCry had crippled dozens of hospitals in the United Kingdom.

Thursday's FDA meeting was part of the long-running effort in the U.S. to not just raise the profile of med-tech cybersecurity as an issue, but to break through the logjams that have stood in the way of progress. One key question is how to pay for it all.

"Health care institutions do not have the time, money or resources to independently fix the problems," said one of McDonald's slides, under the title "Assumptions We Need to Make." "The costs and effort for securing devices should not, and cannot, be the full responsibility of hospitals."

The Star Tribune reported earlier this week that Hennepin County Medical Center will need to spend $200,000 to address vulnerabilities raised by WannaCry in a single machine.

But the problem of cybersecurity vulnerabilities in medical devices is much deeper than figuring out who's going to write these large checks.

Ken Hoyme, director of security for product and engineering systems at Boston Scientific, said hospitals sometimes buy expensive equipment whose service life doesn't take into account how long the underlying operating system will be current.

"There is this willingness to accept a device with an expiring operating system, when the buyer knows for certain that they are going to use it for 20 years," Hoyme said at the workshop. "There are certainly research needs for something that would fill that niche (for a durable OS) in a way that is cost-effective and long-term supportable."

Explore further: What we currently know about the global cyberattack

6 shares

Related Stories

Alarm grows over global ransomware attacks

May 12, 2017

Security experts expressed alarm Friday over a fast-moving wave of cyberattacks around the world that appeared to exploit a flaw exposed in documents leaked from the US National Security Agency.

Recommended for you

China auto show highlights industry's electric ambitions

April 22, 2018

The biggest global auto show of the year showcases China's ambitions to become a leader in electric cars and the industry's multibillion-dollar scramble to roll out models that appeal to price-conscious but demanding Chinese ...

Robot designed for faster, safer uranium plant pipe cleanup

April 21, 2018

Ohio crews cleaning up a massive former Cold War-era uranium enrichment plant in Ohio plan this summer to deploy a high-tech helper: an autonomous, radiation-measuring robot that will roll through miles of large overhead ...

Virtually modelling the human brain in a computer

April 19, 2018

Neurons that remain active even after the triggering stimulus has been silenced form the basis of short-term memory. The brain uses rhythmically active neurons to combine larger groups of neurons into functional units. Until ...

'Poker face' stripped away by new-age tech

April 14, 2018

Dolby Laboratories chief scientist Poppy Crum tells of a fast-coming time when technology will see right through people no matter how hard they try to hide their feelings.

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

del2
not rated yet May 20, 2017
"There are certainly research needs for something that would fill that niche (for a durable OS) in a way that is cost-effective and long-term supportable."
Linux? BSD?

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.