The WannaCry Legacy: Securing Medical Devices Against Ransomware

In May 2017, the world woke up to a far-reaching WannaCry ransomware attack that impacted nearly every industry vertical. While workers found themselves stranded during their morning commutes, hospital workers across the United Kingdom’s National Health Service (NHS) faced more than a simple inconvenience. When the WannaCry encrypted computers across hospitals and surgeries in England and Scotland, patients became the unwitting collateral damage as healthcare professionals canceled appointments and rerouted ambulances. 

While the WannaCry ransomware attack occurred over six years ago, healthcare delivery organizations (HDOs) still deal with its legacy. Today, health technology management (HTM), IT, and security teams across the healthcare industry still work tirelessly to protect patient data and health from threat actors. However, the rapid proliferation of internet-connected medical devices often makes protecting HDOs from ransomware attacks feel like an insurmountable obstacle. 

All these years later, WannaCry’s legacy lies in threat actors continuing to target HDOs, forcing them to work harder than ever to secure medical devices against ransomware attacks.

WannaCry: The Founding Father of Medical Device Ransomware

On the morning of May 12, 2017, users worldwide tried to turn on their computers, ones running Microsoft Windows, only to find encrypted files held hostage until they paid a Bitcoin ransom. Initially, only a few NHS facilities felt the impact. However, before the day ended, more than 60 NHS trusts would be unable to access patient records. 

WannaCry’s Immediate Impact

Although initial reports indicated only 20% of facilities were affected, the official April 2018 investigation report from the Department of Health National Audit Office found that the attack disrupted 34% of trusts in England, supplying the following list of outcomes across trusts and general practitioner (GP) practices:

  • 34 trusts infected and locked out of devices (25 of those being acute trusts)
  • 46 trusts not infected but reporting disruption
  • 21 trusts with systems attempting to connect to the WannaCry domain but not locked out of devices
  • 595 GP practices infected and locked out of devices
  • 8 other organizations infected and locked out of devices
  • 7 GP practices and other organizations not infected but reporting disruption
  • 71 GP practice and other organizations with systems attempting to connect to the WannaCry domain but not locked out of devices

The report continued to outline the following impact on patients:

  • 6,912 appointments known to be canceled
  • 19,494 patient operations and appointments estimated to have been canceled

Meanwhile, one retrospective report calculated activity totals for the 2 weeks before the attack, 7 days after the attack, and 2 weeks beyond that to estimate the following financial losses arising from Wannacry:

  • £4.0 M: Inpatient admissions
  • £0.6 M: Accident and emergency admissions
  • £1.3 M: Canceled outpatient appointments

Thankfully, one security research identified the kill switch, limiting the attack’s potential impact and threat to public health. 

The Long-Term Impact

The WannaCry ransomware uses the known exploit EternalBlue that leverages a known vulnerability in Microsoft Windows’s Server Message Block (SMB) protocol implementation. Although Microsoft released a security patch, many HDOs failed to install the update, putting them at risk. 

Given the ease with which attackers can infiltrate these vulnerable systems, the WannaCry ransomware still remains active. In 2021, researchers noted a resurgence in the attacks, finding a 53% increase between March and January. 

Even more troubling, WannaCry continues to plague systems with the 2023 IBM X-Force Threat Intelligence Index noting that legacy exploits, like EternalBlue, remain effective. X-Force has reported an 800% increase in WannaCry ransomware traffic within MSS telemetry data since April 2022, indicating that attackers recognize its continued effectiveness. 

Why Threat Actors Target Hospitals and Medical Devices

The rise of connected devices since 2017 makes these attacks even more potentially damaging. Today, a ransomware attack’s impact stretches beyond appointments and data. When organizations need to recover their systems, they need to take networks and connected devices offline. Taking medical devices that sustain or support life offline can harm patients, opening HDOs up to additional risks. 

Valuable Data

HDOs have been – and will continue to be – vast repositories of valuable patient data. Individual electronic Protected Health Information (ePHI) records contain enough data that attackers can sell entire profiles online, where other malicious actors can purchase them to perpetrate identity theft or other fraudulent activities. 

Talent Gap

Attackers recognize that HDOs often struggle with finding the right talent to manage their security. Most HDOs find themselves budgetarily restricted as they manage razor-thin operating margins of 0.4% in 2023. These financial restrictions also impact their ability to purchase security tooling that aligns with their analysts’ skill and experience levels. 

Lack of Visibility

Internet of Medical Things (IoMT) devices are notoriously difficult to identify on networks, especially as they move across different campuses and physical locations. Without a clear and continuously updated inventory, HTM, IT, and security teams lose track of what they have, leaving them unmanaged and providing a potential attack vector that threat actors can use. 

Confusion Over Responsibility

Traditionally, HTM teams managed medical device performance while IT and security teams handled network security and vulnerability management. However, as HDOs deployed more connected medical devices, these lines between security and performance have become blurred. In some cases, HDOs have not assigned a party or department responsible for managing medical device security. Siloed activities and recordkeeping technologies sometimes lead to security and vulnerability management gaps. Meanwhile, attackers continue to deploy their attacks, looking to exploit vulnerabilities across technologies and processes. 

Difficult to Secure

For HDOs, legacy technologies are mission-critical. Significant capital investments, like MRI and CT machines, often run on End of Life (EoL) or End of Service (EoS) operating systems, like Windows 7 or Windows XP. While the manufacturer no longer provides security updates for these technologies, the HDO can’t afford to replace these machines, seeking to implement clinically valid compensating security controls instead. 

Further, traditional active vulnerability scanners fail to work with medical devices. IoMT devices are sensitive to high volumes of network traffic, causing them to act unpredictably with traditional active network scanners. Without the ability to identify potential vulnerabilities in the medical device fleet, HDOs create additional attack vectors that malicious actors can exploit. 

Patient Safety

While medical devices are critical to providing high-quality, efficient, and effective patient care, they are inherently less secure than traditional IT technologies. Furthermore, HDOs struggle to balance system security and patient care. Threat actors continue to target HDO because they prioritize patient safety above all else, which makes them more willing to pay a ransom to get services back online quickly.

7 Steps to Minimize Ransomware’s Impact on Medical Devices

While attackers may never stop targeting the healthcare industry, the news isn’t entirely grim, as HDOs can take steps to minimize ransomware’s impact and improve their cyber resilience. 

1. Identify All Medical Devices

The first step to securing medical devices is identifying and inventorying them. With a passive scanning solution that inspects packets rather than initiating traffic, HDOs can build accurate device profiles that include the following for each device connected to their networks:

  • Operating system
  • IP address
  • MAC address
  • Port numbers
  • Hostname
  • Version number

With a comprehensive medical device inventory that combines the key features of a configuration management database (CMDB) and computerized maintenance management system (CMMS), HTM, IT, and security teams can collaborate more effectively, enabling them to share responsibilities when necessary.

2. Assess Risk

After creating a comprehensive inventory, HDOs should engage in a risk assessment to identify the medical devices posing the most significant data breach risk by understanding their impact on patient data and care. 

When determining medical device security and data privacy risks, HDOs need visibility into:

  • Devices containing vulnerabilities
  • Threat actors’ ability to use the devices in an attack
  • The impact that an attack on those devices would have on patient health, data, or hospital operations

With this information, they can calculate risk more precisely and prioritize their remediation activities. 

Additionally, they should build the risk assessment into their procurement processes so that they can make data-driven decisions that include:

  • The risk that each device poses
  • Device configurations, including their risk and potential impact on the organization
  • Manufacturer-provided and crowd-sourced device data

3. Establish Baselines and Compensating Controls

While the inventory documents each device, it also enables the HDO to identify, monitor, and manage secure configurations. 

HTM, IT, and security teams should be able to work with a shared source of information that documents the following for all medical devices connected to their networks:

  • Manufacturer
  • Device type
  • IP addresses
  • Applications on devices
  • Operating systems and versions
  • Software versions

Additionally, for EoL/EoS technologies, the teams should have information about how to apply clinically valid compensating controls to protect their systems and patients. 

4. Prioritize Vulnerability Remediation

With a passive scanning solution, HDOs can identify and prioritize vulnerabilities so that they understand the true risks associated with their unique environments and medical device ecosystems. Since many HDOs implement compensating controls, they need more than visibility into whether their devices contain vulnerabilities. They should know whether malicious actors can exploit those vulnerabilities during an attack. 

To gain these insights, they need solutions that help them prioritize vulnerability remediation actions by aggregating and analyzing:

  • Manufacturer-supplied security data
  • Open-source software components
  • Vulnerability criticality
  • Current attack methods using the vulnerability

Further, these technologies should provide simple, short, and effective recommendations, including activities like:

  • Deactivating unnecessary services without impacting clinical function.
  • Blocking risky services with a Network Access Control (NAC) tool.
  • Hardening vulnerable devices by updating their configurations.
  • Implementing micro-segmenting when altering configurations affects the clinical function.

Further, by combining their medical device passive scanning technologies with the data from the active scanning solutions that they use to monitor their IT infrastructure, HDOs create a comprehensive vulnerability management program. 

5. Fall Back On Network Segmentation

When simpler, faster mitigations and remediations are not available, isolating IoMT on networks can help. With segmentation and micro-segmentation, HDOs place medical devices on internal networks that don’t connect to the public internet. Micro-segmentation offers additional security by enabling security teams to gain visibility into network activity to more rapidly identify anomalous behavior that potentially indicates an attack. 

As a ransomware mitigation strategy, segmentation and micro-segmentation can prevent a ransomware attack from impacting medical devices, meaning that the HDO may not have to take them offline during the containment and recovery processes.

6. Monitor for Abnormal Network Activity

While preventing attacks is ideal, HDOs must implement appropriate incident response processes, including detecting attacks. With solutions built specifically to manage medical device security, they can monitor for abnormal network traffic and incorporate this into their overarching security monitoring. By building high-fidelity alerts that integrate medical device monitoring with traditional IT telemetry, they can detect, investigate, respond, and recover more quickly, reducing the financial and patient care impact that ransomware attacks cause. 

7. Document Processes for Compliance

Classified as a critical infrastructure, healthcare remains one of the most highly regulated industries. Further, legislative bodies increasingly incorporate medical device security into current regulatory compliance requirements. For example, US Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH) to include security practices set out under section 405(d) of the Cybersecurity Act of 2015, ultimately incorporating the Health Industry Cybersecurity Practices (HICP) framework security best practices which also identify metrics for medical device security.

By documenting their medical device security monitoring and remediation activities, HDOs reduce compliance risks, like the potential for fines arising from violations. 

Asimily: Mitigate Medical Device Ransomware Risks

Asimily provides holistic context into an HDO’s environment when calculating Likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities.

HDOs efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS, Manufacturer Disclosure Statements for Medical Device Security (MDS2s), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily clients are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s clinically validated recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.

To learn more about the Asimily risk remediation platform, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.