Last year’s WannaCry attack had many disruptive effects across the world but the one that sticks in the minds of many security experts is the damage it did to the UK’s National Health Service (NHS).
In total, 81 NHS health trusts were affected by WannaCry ransomware, resulting in cancelled operations, thousands of missed appointments, and staff being locked out of computers.
For a period of hours to days, a significant part of one of the world’s largest heath systems, struggled to function.
A specific weakness was disruption to Magnetic Resonance Imaging (MRI) and Computed Tomography (CT) scanners which depended on Windows XP workstations prone to blue-screening when hit by WannaCry.
In the aftermath of WannaCry, a new Israeli study has concluded that it was no coincidence that Medical Imaging Devices (MIDs) caused problems.
These are now such a critical part of medical workflow that hospitals in every developed country find it almost impossible to function without them.
And yet, as WannaCry’s effect on the NHS demonstrated, they have a number of vulnerabilities that make them attractive targets for cyberattacks.
The simplest of these is a denial-of-service attack that takes them (or the workstations they are connected to) offline.
More disturbingly, malware could theoretically tamper with their operation directly by interfering with the way they move, by disrupting the scan signals, or altering their results.
In the most extreme scenario, in the case of a CT scanner, it might be possible to alter the radiation exposure levels in ways that could be dangerous to patients.
This is sobering stuff, as is the discovery that MIDs are, from a computing standpoint, surprisingly old-world in the way they work. For example, a single configuration file run from a workstation defines how each CT scan is carried out – an obvious potential target for any attacker aware of this.
Meanwhile, the security assumptions used to set up MIDs in hospitals may well be years out of date. This isn’t surprising:
Many medical devices development process takes years. It is estimated that time from concept to market for medical devices is 3-7 years.
The survey points out that the weakness in MIDs is overwhelmingly a problem of the PCs used to control them. In the case of the NHS and WannaCry, many of these were running Windows XP, an OS so aged and insecure Microsoft deliberately charges organisations huge fees as a way of trying to put them off using it.
The study concludes:
Attacks on MIDs are likely to increase, as attackers’ skills improve and the number of unpatched devices with known vulnerabilities that can be easily exploited grows.
The study’s authors promise to suggest “a novel technique for securing CT devices, based on machine learning”, for publication in a follow-up analysis.
The principle behind this seems to be to assume that each workstation is compromised, and every configuration file sent to the scanner should be analysed for evidence of tampering.
It’s not clear how quickly this kind of protection will reach the growing population of MIDs in hospitals across the world but it’s clear that until it does, health organisations have another big cybersecurity problem to worry about.