How to Avoid a Deadly Cyberattack On Your Medical Devices

By Jack O'Meara & Ricardo Davidson Sr. 

In September 2020, a woman died when ransomware was used during a cyberattack at a hospital in Germany.

Ransomware attacks are serious threats that can deny access to important medical devices and other systems operating on unsupported platforms or that have vulnerabilities, such as unencrypted network protocols.

The medical “internet of things (IoT)” is having a tremendous impact on the healthcare industry.

While connected patient monitors, MRI scans, and lifesaving equipment in hospitals have improved the quality and speed of care delivery, they have also increased the variety and severity of threats. In just the past three years, it is estimated that IoT-related breaches in the healthcare industry have compromised more than 135 million people in the U.S.—or about 41% of the nation’s population.

Healthcare organizations in California have spent up to $35 million on ransomware attacks since 2016.

It’s estimated that more than 80% of medical imaging devices could be susceptible to these attacks because they run on unsupported operating systems and unpatched software. Internal networks that may seem secure, such as virtual local area networks, can also be compromised through connected, vulnerable IoT medical devices that can allow an attacker access to sensitive information.

Performing an in-depth forensics investigation to understand how healthcare devices are connected, what communications are secured and unsecured, whether certain devices are running on unsupported systems, and other critical information, is necessary to mitigate the risks associated with the threat of cyber criminals.

Mitigating these risks involves a four-phase incident response approach.

1. Identify and assess

Coordinate with stakeholders and medical device manufacturers to establish lines of communication to triage the incident environment and determine the root cause, as well as perform log, network, and host-based forensics analyses of compromised systems.

• Discovered artifacts should be reviewed using malware analysis techniques and forensics tools to determine the objectives of the cybercriminal.
• Parsing firewall, web, and event log data is paramount to establish the timeline of events that led to the overall breach.

2. Respond and contain

Isolate compromised systems from the environment using industry standard short- and long-term containment strategies.

• Short-term containment involves blocking network segments to limit the spread of malware. This includes implementing new firewall rules that block network traffic to identified malicious command and control servers. Developing new security rules helps prevent outside communications from initiating commands for lateral movement within the environment.
• Long-term containment includes patching systems with the latest updates developed during the triaging of compromised systems. Organizations should continue to monitor their systems to determine the effectiveness of the provided resolutions. Extracting the identified malware from compromised systems and performing residual tracing helps to ensure all malicious data is removed.

3. Recover and reconnect

Restoring the environment is the most important part of incident response. Applying a comprehensive approach to reimage, patch, and perform system backups is critical. This requires applying the latest patches to ensure systems are adequately protected.

• Methodically perform a system backup for faster turnaround by restoring patched systems and placing them into the production environment to measure the effectiveness of the corrective actions.
• Scan the environment to confirm that remediation actions are effective and establish a timeline for reconnecting remediated systems to the production environment.

4. Retain and debrief

Create a report that retains the event summary, timeline, and technical details outlining root causes and the corrective actions taken.

• Debrief stakeholders on the report for further clarification.
• Facilitate a lessons-learned discussion/after-action review and provide recommendations regarding improvements to the organization’s go-forward incident detection and response capabilities.

With more than 900 cyber incidents occurring daily, it is more important than ever to be strategic about cybersecurity protections and become cyber resilient—especially during a pandemic. Both a proactive prevention program and the ability to quickly detect and respond to attacks is key to reducing the impact of cyber-related risks to your organization.