Cyber experts gather to try to prevent future attacks on medical devices
An entire team of experts works at the Mayo Clinic to ensure that 25,000 networked medical devices — everything from digital cameras to proton beam therapy systems — are hardened against cyberattacks like the WannaCry worm that affected hospitals from England to China last week.
It’s no easy job, but — knock on wood — there have been no reported successful cyberattacks or malicious outsiders hacking Mayo’s systems. Still, the WannaCry worm has infected at least some medical devices in the U.S., and well-funded hospitals like the Mayo Clinic may not be the first medical centers where successful hacking would crop up.
Rather, the public ought to think about the more than 600 financially struggling hospitals in smaller communities that are on the verge of closure. “Those are the people that we need to keep in mind for medical devices, not Mayo,” said Kevin McDonald, Mayo’s director of clinical information security.
“It costs a ton of money to be able to do this,” he said. “Medical devices have now become the weakest link in your enterprise security defenses.”
McDonald spoke Thursday morning in Silver Spring, Md., on the first day of the Food and Drug Administration’s latest public forum on cybersecurity and medical devices. Unlike the previous meetings on med-tech cyber precautions, this week’s workshop took place against the backdrop of a worldwide cyberattack that has affected hundreds of thousands of computers and put government agencies on high alert for another wave.
The so-called WannaCry worm is based on a security vulnerability in older versions of Microsoft Windows, which is still run on many medical devices today. The Windows flaw was discovered by the National Security Agency years ago, and publicized recently after hackers got ahold of the NSA files. The worm is a form of “ransomware” that infects computers and computer networks, locking down critical files until the victim agrees to pay a ransom.
“A few years ago the biggest problem was the breach,” which would allow a hacker to steal patient data and sell it on the black market for a profit. “What’s really scary is now they’ve figured out how to monetize the attacks directly,” said workshop speaker Todd Carpenter, chief engineer at Minneapolis’ Adventium Labs.