9 ways to protect medical devices from ransomware

Key steps for protecting medical devices from ransomware

Research and patient safety organization ECRI Institute has issued guidance on protecting medical devices from the threat of ransomware. In addition to providing valuable steps, ECRI also offers suggestions for what organizations shouldn’t do when trying to protect the devices.

Identify devices and their operating systems

Locate networked medical devices, servers and workstations that are operating on a Windows OS. Useful sources for this information may include a medical device inventory from a computerized maintenance management system; change management systems; manufacturer disclosure statement of medical device security forms obtained during device purchase; or from medical device manufacturers.

Check on patch updates

Identify whether connected medical devices and device servers have gotten the relevant Microsoft Windows OS MS17-010 security patch. Note: All unpatched Windows versions may be vulnerable to the WannaCry ransomware.

Conduct a vulnerability scan

Consider running a vulnerability scan on your medical device networks to identify affected medical devices. Vulnerability scanning can be used to identify devices that may be susceptible to malware. However, this method should only be used if information is not available through other sources about the existence of a Windows OS and the associated vulnerabilities on your medical devices, and if you don’t already have a list of which devices and systems are compatible with vulnerability scanning. This approach is not foolproof, ECRI Institute says, noting that it is aware of medical device failures that occurred when systems incompatible with vulnerability scanning were scanned.

Communicate with device vendors

If medical devices or servers are identified that didn't receive the security patch, contact device vendors to determine the recommended actions for dealing with the current ransomware threat. Request written documentation of those recommendations from the manufacturers.

Request help from third-party managers

If your devices are managed by a third party or independent service organization, request prompt installation of appropriate security patches and documentation to support risk mitigation. Identify terms in the existing service contract covering responsibilities in regard to security patch updates.

Work in tandem with IT

Coordinate with the facility's internal IT department to update affected medical devices in accordance with the manufacturer's recommendations as soon as possible. Medical devices require all updates to firmware and software to be validated, which often delays the availability of patches and updates. For any medical device vendors that don’t have a validated security patch, demand expeditious validation. The process is further complicated because many medical device updates must be installed by hand while the unit is removed from use (i.e., they can't be distributed remotely), and downtime can directly impact patient care.

Prioritize patches for devices

Prioritize responses on patching any connected Windows OS-based medical device systems. The first priority should be life-critical devices, followed by therapeutic devices; patient monitoring devices; alarm notification systems; diagnostic imaging systems; and any other remaining devices.

Isolate infected devices

If a malware infection is identified or suspected in a medical device, act quickly. If it’s clinically acceptable, disconnect the medical device from the network and work with your internal IT department and the device manufacturer to contain the infection and to restore the system. If any unencrypted patient data was compromised, have risk management coordinate the hospital's response regarding the data breach, as per its obligation under HIPAA.

Don’t overreact

* Even with good software update practices, it's not unusual to find medical device systems running outdated OS software. However, don't assume that the presence of outdated software on your systems is a threat in its own right. These systems should already be noted as exceptions in your facility's IT patch update policy, and risk mitigation measures should already be in place.

* Also, don't install unvalidated patches, which could make medical devices faulty or inoperable. Before installing any security updates or patches, ensure that device manufacturers have validated them, and demand documentation of the validation.

* Don't simply turn off or disconnect networked medical devices that have Windows OS concerns. Work with frontline clinicians to understand what the connectivity is used for and the workflow disruption that will result from disconnecting a medical device from the network. In some cases when workflow disruption is deemed acceptable, a disconnection might be an appropriate risk mitigation strategy until the security patches have been installed.