Overview

Preventing cyberattacks on medical technology occupies the waking thoughts of device software manufacturers, but the global ransomware episode in mid-May shows that companies must also be alive to threat posed to their provider customers.

The WannaCry (WanaCrypt0r 2.0, WCry) ransomware attack that affected over 200,000 systems globally on May 12 locked users out of their IT systems and demanded a relatively small bitcoin ransom to let them resume access.

Most of the headlines focused on the relatively large effect on systems used by the NHS England, where 40 trusts reported that they had been hacked. Eleven Scottish Health Boards were also affected. Patient data were not affected: files were not compromised, simply inaccessible. Clinical care was affected and logistics disrupted.

This was a problem largely of the national UK health provider’s own making – the persistent use of unsupported systems using outdated Windows XP systems, and failure in some cases to upload security update patches when prompted to do so or in time.

NHS Digital counters that the vast majority of NHS organizations are running contemporary IT systems, but attributing blame to provider systems’ inadequate budgets is a pointless exercise after the fact. The lessons are there to be learned at provider systems around the world, which will be aware that the hacking could have been much more damaging. They should use the incident to protect their own systems from risk of compromise.

For their part, medical device industry suppliers were quick to help providers restore operations and protect systems from further risk of attack. Microsoft issued a patch to users a few days after the attack, but some NHS IT developers are recommending the health service reduce its reliance on Microsoft.

The exploitability of any such vulnerability depends on the configuration and deployment environment of each product. For the device industry branches most affected by the hack – digital pathology, and CT and MRI imaging, the solution is not as easy as simply applying a patch at will. That reality is explained by AXREM, the UK trade association representing suppliers of diagnostic medical imaging, radiotherapy, health care IT and care equipment, in a release issued on May 18.