ECRI Institute Publishes Guidance for Protecting Medical Devices from Ransomware Attacks
The ECRI Institute has released a new guidance article, "Ransomware Attacks: How to Protect Your Medical Device Systems," with recommendations to help hospitals identify and protect against ransomware attacks.
Ransomware is a form of computer malware that holds systems hostage with a ransom demand. Medical systems are vulnerable to such attacks, which can damage hospital operations and compromise patient care by barring users from accessing critical functions and data.
"With the recent news of nationwide cyberattacks, we thought it was very important to make this information available to the public as quickly as possible," Juuso Leinonen, project officer, Health Devices Group, ECRI Institute, said in a statement. "Following these recommendations will allow hospitals to minimize impact to normal operations and mitigate the risk of a ransomware infection with your medical devices."
The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.
Among the "dos" on the ECRI Institute's list of recommendations are identifying networked medical devices, servers and workstations that run a Windows OS, and determining whether those connected medical devices and device servers have received the relevant Microsoft Windows MS17-010 security patch. The ECRI Institute notes that all unpatched Windows versions may be vulnerable to the WannaCry ransomware.
Healthcare organizations should also consider running a vulnerability scan on their medical device networks to identify affected devices. For any medical devices or servers that did not receive the security patch, they should then contact the device vendors to determine the recommended action for dealing with current ransomware threats. "If your device is managed by a third party or independent service organization, request prompt installation of appropriate security patches and documentation to support risk mitigation," the ECRI Institute wrote in the guidance.
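One way to carry out the two "dos" above (inventory Windows-based device hosts, then check for the MS17-010 patch) from an administration workstation, as an added example that is the editor's, not ECRI Institute's. It assumes WinRM access to each host, uses a constructed inventory in place of a real device list, and takes the KB numbers from Microsoft's MS17-010 bulletin (verify them against the current bulletin before relying on the list).

```powershell
# Added example: per inventoried host, report whether an MS17-010 update is
# installed and whether SMBv1 is still enabled. Read-only; it patches nothing.
# The inventory below is constructed; replace it with the real device list.
$inventory = @"
HostName,DeviceType
infusion-srv01,Infusion pump server
pacs-ws07,PACS workstation
"@ | ConvertFrom-Csv

# Security updates Microsoft shipped for MS17-010 (assumed from the bulletin;
# verify before use). One or two KBs per OS servicing branch.
$Ms17010Kbs = @(
    'KB4012598',                           # Windows XP / Server 2003 / Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    param([Parameter(Mandatory)][string]$ComputerName, [string[]]$Kbs)
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ArgumentList (,$Kbs) -ScriptBlock {
            param($kbs)
            $os      = Get-CimInstance Win32_OperatingSystem
            $hotfix  = Get-HotFix
            $matched = $hotfix | Where-Object { $kbs -contains $_.HotFixID }
            # Get-SmbServerConfiguration does not exist before Windows 8 / Server 2012.
            $smb1 = try { (Get-SmbServerConfiguration).EnableSMB1Protocol } catch { 'unknown' }
            [pscustomobject]@{
                OS           = $os.Caption
                Ms17010Kb    = $(if ($matched) { $matched.HotFixID -join ',' } else { 'none found' })
                LastUpdateOn = ($hotfix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
                Smb1Enabled  = $smb1
            }
        }
    } catch {
        # Unreachable hosts stay on the list to follow up with the vendor or ISO.
        [pscustomobject]@{ OS = "unreachable: $($_.Exception.Message)"; Ms17010Kb = ''; LastUpdateOn = ''; Smb1Enabled = '' }
    }
}

# On Windows 10 a later cumulative update supersedes the original KB, so
# 'none found' there is only conclusive together with an old LastUpdateOn.
$report = foreach ($dev in $inventory) {
    $s = Get-Ms17010Status -ComputerName $dev.HostName -Kbs $Ms17010Kbs
    [pscustomobject]@{ HostName = $dev.HostName; DeviceType = $dev.DeviceType; OS = $s.OS
                       Ms17010Kb = $s.Ms17010Kb; LastUpdateOn = $s.LastUpdateOn; Smb1Enabled = $s.Smb1Enabled }
}
$report | Format-Table -AutoSize
```

Hosts reporting 'none found' with SMBv1 enabled are the ones to raise with the vendor or service organization, as the guidance recommends; the report does not by itself prove a device is exploitable.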
Among the “don’ts” that the organization identified: “Don’t overreact.” The guidance authors further note, “Even with good software update practices, it's not unusual to find medical device systems running outdated OS software. Don't assume that the presence of outdated software on your systems is a threat in its own right. These systems should already be noted as exceptions in your facility's IT patch update policy, and risk mitigation measures should already be in place.”
At the end of 2016, ECRI Institute launched its Cybersecurity Gap Analysis service to help hospitals and health systems develop a program to protect their medical devices from being used against them in a cyberattack.
"Patching medical devices' software and routinely training staff members about phishing emails are just two aspects of a medical device cybersecurity program; there are many other issues that every hospital has to address," Robert Maliff, director, Applied Solutions Group, ECRI Institute, said.
Software management gaps putting patients and patient data at risk is No. 6 on ECRI Institute's annual Top 10 Health Technology Hazards list for 2017; Medical Device Cybersecurity was No. 2 on ECRI Institute's 2016 Top 10 Hospital C-Suite Watch List.