Medical Devices Hit By Ransomware For The First Time In US Hospitals

Is it possible that North Korea used a stolen National Security Agency hacking tool to infect medical devices at U.S. hospitals? Turns out, in today’s topsy-turvy world, it is.

When the NSA cyber weapon-powered WannaCry ransomware spread across the world this past weekend, it infected as many as 200,000 Windows systems, including those at 48 hospital trusts in the U.K. and so-far unnamed medical facilities in the U.S. too. It wasn’t just administrative PCs that were hacked, though. Medical devices themselves were affected too, Forbes has learned.

A source in the healthcare industry passed Forbes an image of an infected Bayer Medrad device in a U.S. hospital. The source did not say which specific hospital was affected, nor could they confirm what Bayer model was hacked. But it appears to be radiology equipment designed to help improve imaging. More specifically, it’s a device used for monitoring what’s known in the industry as a “power injector,” which helps deliver a “contrast agent” to a patient. Such agents consist of chemicals that improve the quality of magnetic resonance imaging (MRI) scans.

A Bayer MedRad device used to assist in MRI scans infected with the WannaCry ransomware.

A Bayer spokesperson confirmed it had received two reports from customers in the U.S. with devices hit by the ransomware, but would not say which specific products were affected. “Operations at both sites were restored within 24 hours,” the spokesperson added. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”

Bayer said it would be sending out a Microsoft patch for its Windows-based devices “soon.” The firm recommended hospitals work with their IT security teams and contact Bayer’s Technical Assistance Center “to ensure continued support of contrast-enhanced radiology procedures which use Bayer power injectors.”

As noted by Beau Woods, deputy director of Cyber Statecraft Initiative at the Atlantic Council, ransomware infecting such a device shouldn’t necessarily threaten patient safety directly, other than stopping scanning machines working. “I seriously doubt Windows is controlling any of the safety functions,” he said.

But on Twitter, Woods explained the real impact of such attacks: “Medical device outages increase resource needs, delay care, trigger more clinical mistakes. The harm can go unseen unless you look for it.” Multiple U.K. hospitals reported that their radiology departments were completely knocked out by the ransomware outbreak.

North Korea + NSA exploits = infected hospitals?

Whatever the impact on patient health, the Bayer infections represent the first known instance of ransomware directly affecting the operation of a medical device. They’ve also provided the first evidence that the WannaCry outbreak hit U.S. healthcare bodies, showing that America’s own powerful intelligence tools have been turned against some of its most sensitive institutions. Not to mention that clues indicate possible North Korean involvement in the attacks.

Cybersecurity firms are developing growing confidence in North Korean involvement. The WannaCry hackers used tools first leaked by a shady crew called the Shadow Brokers, combining them with code linked to North Korean cyber operations. BAE Systems, a government arms contractor and cyber specialist, said it had found “multiple overlaps” between the WannaCry malware and that controlled by the Lazarus Group, which the firm associated with North Korean activity.

The similarities included common source code that was previously unique to Lazarus, use of the same code compiler, unusual “leetspeak” (a kind of internet language popular amongst certain hacker communities), and both focused on Bitcoin, “presumably for stealing funds and money-laundering,” said Adrian Nish, BAE’s head of threat intelligence.

Healthcare tech industry on alert

Meanwhile, in the last 24 hours, some of the world’s biggest healthcare tech companies have rushed out warnings about WannaCry and its impact on their products. Much the same as Bayer, they’re still developing adequate patches to protect systems from another similar attack.

The Health Information Trust Alliance (HITRUST), a privately held company that provides a cyber threat exchange platform for the healthcare industry, said it had reports of both Bayer and Siemens equipment being affected by the outbreak.

Siemens told Forbes it couldn’t confirm or deny reports its Healthineers technologies had been affected. But it has publicly stated that it is working with the U.K. National Health Service (NHS) to help get systems back online, with engineers deployed across the country to assist.

“Select Siemens Healthineers products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware,” the firm wrote in an advisory. The firm is developing patches or remediation solutions for systems running the vulnerable version of Microsoft’s SMB v1, the first version of the Windows file- and printer-sharing protocol (Server Message Block), which was originally exploited by an NSA hacking tool known as EternalBlue before the WannaCry perpetrators abused it.
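The SMB v1 exposure that Siemens and Bayer describe is something a hospital security team can inventory from the network side, without modifying the devices. The script below is an added example and is not code from Forbes or from any vendor named in this article. It sends a single SMB1 NEGOTIATE request offering only the “NT LM 0.12” dialect (the SMB1 dialect EternalBlue, patched by Microsoft bulletin MS17-010, depends on) and reports whether the host negotiates SMB1, answers in SMB2 framing, or drops the connection, which is what Windows does once SMB1 is turned off. The host, port and timeout parameters are assumptions, and the sample replies at the bottom are constructed bytes so that the parser can be exercised offline.

```python
"""Classify what a host speaks on TCP/445: SMB1 (what EternalBlue targets),
SMB2/3 only, or nothing.

Added illustrative example; not code from Forbes, Bayer or Siemens. The probe
sends exactly one SMB1 NEGOTIATE and never authenticates or exploits anything.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"  # the SMB1 dialect EternalBlue relies on


def _netbios(msg):
    """Wrap an SMB message in a NetBIOS session-service header (type 0, 3-byte length)."""
    return b"\x00" + struct.pack(">I", len(msg))[1:] + msg


def build_smb1_negotiate(dialects=(NT_LM_012,)):
    """SMB1 NEGOTIATE request that offers only SMB1 dialects (no 'SMB 2.???')."""
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_NEGOTIATE])
        + b"\x00\x00\x00\x00"                     # NT status
        + bytes([0x18])                           # Flags: case-insensitive, canonical paths
        + struct.pack("<H", 0xC001)               # Flags2: Unicode | NT status | long names
        + b"\x00\x00"                             # PIDHigh
        + b"\x00" * 8                             # SecuritySignature
        + b"\x00\x00"                             # Reserved
        + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)   # TID, PIDLow, UID, MID
    )
    assert len(header) == 32                      # fixed SMB1 header size
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect strings
    body = bytes([0]) + struct.pack("<H", len(data)) + data   # WordCount=0, ByteCount
    return _netbios(header + body)


def classify_negotiate_response(raw, dialects=(NT_LM_012,)):
    """Map the bytes a server sent back to a short verdict string."""
    if len(raw) < 4:
        return "none"                 # nothing usable came back
    msg = raw[4:]                     # drop the NetBIOS session header
    if msg[:4] == SMB2_MAGIC:
        return "smb2"                 # server answered in SMB2/3 framing
    if msg[:4] != SMB1_MAGIC or len(msg) < 35 or msg[4] != SMB_COM_NEGOTIATE:
        return "unknown"              # not an SMB1 NEGOTIATE response at all
    word_count = msg[32]
    if word_count == 0:
        return "smb1-error"           # SMB1 error reply carrying no parameter words
    dialect_index = struct.unpack_from("<H", msg, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return "smb1-refused"         # SMB1 stack present, but none of our dialects accepted
    return "smb1:" + dialects[dialect_index].decode()


def probe_host(host, port=445, timeout=3.0):
    """Connect, send one NEGOTIATE and classify the reply. A closed port or a
    reset (Windows with SMB1 disabled) is reported as 'closed'.
    host/port/timeout are assumed inputs; this is not run by the offline test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_smb1_negotiate())
            return classify_negotiate_response(s.recv(4096))
    except OSError:                   # covers refused, reset and timeout
        return "closed"


def _constructed_smb1_reply(dialect_index):
    """Constructed sample: SMB1 NEGOTIATE response with 17 parameter words."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    words = struct.pack("<H", dialect_index) + b"\x00" * 32
    return _netbios(header + bytes([17]) + words + struct.pack("<H", 0))


# Constructed sample replies (not captured traffic) for offline use.
SAMPLE_SMB1_ACCEPTED = _constructed_smb1_reply(0)
SAMPLE_SMB1_REFUSED = _constructed_smb1_reply(0xFFFF)
SAMPLE_SMB2_ONLY = _netbios(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    for name, sample in (("accepted", SAMPLE_SMB1_ACCEPTED),
                         ("refused", SAMPLE_SMB1_REFUSED),
                         ("smb2", SAMPLE_SMB2_ONLY)):
        print(name, "->", classify_negotiate_response(sample))
```

On a clinical network, run the live probe only with the biomedical engineering team’s agreement: a single negotiate is harmless to a healthy SMB stack, but the imaging and injector consoles discussed here are regulated devices that their vendors, not the hospital, patch. A host that answers “smb1:NT LM 0.12” therefore feeds a segmentation decision or a vendor ticket rather than an ad-hoc local change, which is the same path Bayer’s advice to work with IT security and contact its Technical Assistance Center points to.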

Another major healthcare tech firm – Becton, Dickinson and Company – put out its own warning: “At this time, we are actively monitoring the situation and working closely with customers to ensure the appropriate measures are taken to help safeguard our products.”

Woods said it was likely a wide range of medical systems were taken down by WannaCry. “Many of the bigger machines run the Windows operating system – X-ray, cat scan, MRI,” he said. But, importantly, the parts that actually control the heavy gear that generates the scans aren’t normally controlled by Windows PCs. Many of the pharmacy systems that dispense drugs also run potentially vulnerable Windows systems, Woods added.

Numerous NHS hospitals are continuing to operate a limited service as of Wednesday. Barts Health Trust, the biggest such trust in the U.K., said it was having to cancel some operations and turn some patients away from the five hospitals it was managing, though some systems were coming back online.

Industrial control systems hit too

As for other critical IT infected during the WannaCry pandemic, the U.S.-government funded Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported late Tuesday that alongside the healthcare providers, companies including ABB, Rockwell Automation and Schneider Electric had put out their own WannaCry advisories to assist customers.

Robert M. Lee, CEO and founder of the industrial cybersecurity firm Dragos, said his team were “aware of infections that occurred in the industrial control system community and had impact.” Victims included small utilities and manufacturing sites in the U.S., he added, also pointing to previously-reported infections at Nissan and Renault car manufacturing plants, as well as the attack on Russian Railways. “Although no one’s been hurt and no safety was at risk.”

Ralph Langner, founder of German control system security consultancy Langner, said that in a typical industrial environment there were “lots of Windows boxes of which a majority is not up to patch.” Attacks on those Windows boxes shouldn’t halt production, however, because industrial machines work autonomously, he added.

But WannaCry has provided ample evidence of vulnerable critical infrastructure. And that’s why Langner’s outlook for the future is grim: “For a competent attacker it would be possible to use the encryption vector specifically against industrial targets and force a production halt. We haven’t seen that on a large scale yet but I predict it’s coming, with ransom demands in the six and seven digits.”

By: Thomas Fox-Brewster, FORBES STAFF