WannaCry ransomware attack
Cyber security is paramount in the protection of medical imaging systems. In May 2017, a global cyber attack began to hit large organisations such as the UK’s National Health Service (NHS). During these attacks, patient operations were cancelled, X-rays, test results and patient records became unavailable and communication channels did not function. The WannaCry attack cost the NHS more than £92 million. These cyber hackers infected computers in 150 countries using WannaCry ransomware.
WannaCry infects computers and encrypts Windows files on the hard drive, making them impossible for users to access. To release these blocked files, the hacker demands payment in bitcoin (digital gold) in return for decrypting them. The WannaCry ransomware consists of several components. The virus enters the Windows system in the form of a dropper that carries the components used to encrypt and decrypt data. This Windows weakness was first uncovered by the United States National Security Agency (NSA). The ransomware attack was linked to the cyber crime organisation Lazarus Group (also known as Hidden Cobra and Zinc), a group of unknown individuals possibly linked to North Korea.
Interestingly, cyber security experts found that the program code used to implement WannaCry was not complicated. Its mode of operation was to contact a hard-coded URL known as the kill switch. The ransomware authors embedded this kill switch to check whether a nonsense URL gave a live webpage response.
It was found that the domain name, www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, was unregistered and inactive. While the domain stayed unregistered, its status did nothing to slow the spread of the ransomware. Once the domain was registered and began responding, the check succeeded and the WannaCry virus stopped itself.
The second of the two measures that slowed the spread of WannaCry was that Microsoft released a patch to shield Windows XP devices; this was a rare event because Microsoft had not supported XP since 2014. This helped older computer systems with weak security, which were able to download the patch before WannaCry struck.
Where the patch had not been applied, the ransomware would search for files and encrypt them, ranging from Microsoft Office documents to MP3 (MPEG-1 Audio Layer-3) audio and MKV (Matroska Video) files. The result was that the user could no longer access the files and a ransom notice would appear demanding $300 in Bitcoin to decrypt them. WannaCry works by abusing the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol is used for sharing access to files, printers, serial ports and other resources on a network.
The NSA discovered the vulnerability in Microsoft's Windows operating system and developed an exploit for it known as EternalBlue; the flaw was later addressed by Microsoft's security bulletin MS17-010. Microsoft issued the security patch before the WannaCry ransomware had spread around the world, so computer systems which had been updated had early protection from WannaCry.
WannaCry made use of EternalBlue to infect computers and began spreading rapidly on May 12. During this period, Microsoft was in conflict with the NSA because the agency had not disclosed the vulnerability in the operating system.
In addition, a new strain of the Petya ransomware started spreading on June 27, 2017, infecting many organisations. This ransomware is similar to WannaCry and uses the EternalBlue exploit as one of its means of spreading. Petya (also known as GoldenEye and NotPetya) makes use of SMB (Server Message Block) networks and can spread within organisations even where the EternalBlue patch has already been applied. The infection vector for the Petya cyber attack was MEDoc, a tax and accounting software package used on corporate networks.
Interestingly, when a computer system becomes infected with WannaCry, it does not initiate the encryption of files straight away, because the virus first tries to reach the nonsense URL before going to work. If the virus can reach the domain, WannaCry shuts itself down. One possible idea behind this mechanism is that the hackers could stop the attack at any time. Another is that contacting the URL makes analysis of the code more complicated, since an analysis environment that answers every request would cause the malware to exit before revealing its behaviour.
Cyber researchers run malware in a sandbox environment in which any URL or IP address the sample contacts appears reachable. These automated malware analysis systems, known as sandboxes, are among the latest weapons in the cyber security arsenal: they execute an unknown malware program in an instrumented environment and monitor its execution.
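Because the kill-switch lookup happens before encryption starts, a host that resolves the kill-switch domain has already been infected even if the domain is now answering and the payload never runs. The following added example, which is not code from the original article, turns that observation into a detection: it scans constructed resolver log lines (assumed to be in a BIND-style query-log layout) for lookups of a watchlisted domain and lists the querying hosts. The watchlist domain is a placeholder, not the real WannaCry domain; in practice it would hold the sinkholed indicator(s) from a threat-intelligence feed in de-fanged form.

```python
import re
from collections import defaultdict

# Constructed watchlist. "killswitch-example[.]invalid" is a placeholder written in
# de-fanged form, as indicators are usually shared; refang() restores the wire form.
KILL_SWITCH_DOMAINS = {"killswitch-example[.]invalid"}

# Constructed resolver log lines. Assumed layout (BIND-style query log):
#   <timestamp> client <ip>#<port>: query: <name> IN <type>
SAMPLE_LOG = """\
12-May-2017 10:01:02.113 client 10.20.30.41#51324: query: killswitch-example.invalid IN A
12-May-2017 10:01:05.440 client 10.20.30.42#49181: query: pacs-archive.hospital.local IN A
12-May-2017 10:01:07.902 client 10.20.30.41#51330: query: killswitch-example.invalid IN A
12-May-2017 10:01:09.015 client 10.20.30.77#53011: query: KILLSWITCH-EXAMPLE.INVALID. IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def refang(domain: str) -> str:
    """Turn a de-fanged indicator such as 'a[.]b' into the lower-case wire form 'a.b'."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def find_kill_switch_lookups(log_text: str, watchlist=KILL_SWITCH_DOMAINS) -> dict:
    """Return {client_ip: lookup_count} for every host that queried a watchlisted name.

    Names are normalised (case, trailing dot) so that resolver formatting quirks
    do not hide a match.
    """
    wanted = {refang(d) for d in watchlist}
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than fail on unrelated log noise
        name = m.group("name").lower().rstrip(".")
        if name in wanted:
            hits[m.group("ip")] += 1
    return dict(hits)


def triage(hits: dict) -> list:
    """Order flagged hosts by lookup count (then IP) so responders start with the noisiest."""
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in triage(find_kill_switch_lookups(SAMPLE_LOG)):
        print(f"isolate and image {ip}: {n} kill-switch lookup(s)")
```

Run against the sample log, the script flags 10.20.30.41 (two lookups) and 10.20.30.77 (one, despite the upper-case, dot-terminated name) and ignores the legitimate PACS lookup. The same pattern applies to any domain-based indicator: normalise both the watchlist and the log, then key the alert on the client address so the infected host, not the domain, is what gets actioned.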
Medical cyber security
Since the damage caused by WannaCry, healthcare facilities have remained concerned about protecting their digital medical imaging systems, employing medical cyber security and information technology professionals to do so.
Just imagine a patient undergoing a CT scan while a hacker manages to change the scan and the diagnosis!
The majority of medical imaging systems are part of internal and external networks and are at risk of cyber attacks which threaten the confidentiality, safety, and well-being of the patient.
The WannaCry outbreak emphasised the importance of robust cyber security practices in the increasingly connected US and European healthcare sectors. In these unfortunate situations, data was held hostage by ransomware and medical devices were compromised. These attacks highlighted the possible consequences for radiology in healthcare. The problem with IT in healthcare is that, guided by regulatory requirements, it tends to focus on patching known vulnerabilities rather than on zero-day attacks or on unsophisticated attacks. A zero-day vulnerability is a software security flaw for which the vendor has no patch in place at the time it comes to light, and it can therefore be exploited by cyber criminals.
The problem with some software vendors is that they do not have the expertise to address these issues. In these cases, the product remains a security risk. For example, the FDA criticised St. Jude Medical for failing to address known security issues with some of its implantable electrophysiology devices. Moreover, medical device approval processes are still adjusting to changes in cyber security requirements.
To reduce malware attacks on computer systems, a cyber security strategy must be in place to counteract these threats. Potential cyber attacks can be categorised by the type of information the hacker wants to access or by what they want to achieve. For example, an untargeted attack may harvest large quantities of personal health data, whereas a targeted attack may seek control of an infusion pump, resulting in patient harm.
Healthcare providers must also take into account whether potential attacks originate within their organisation or from external parties. Employees and agency workers already hold trusted access to the systems, so they represent a significant security threat. External attacks are usually driven by financial gain and in some cases by malice towards the organisation.
The issues to consider regarding internal cyber security threats within organisations include limited encryption, system set-up and configuration, applications, operational security gaps (which may contain loopholes in processes and unpatched software) and weak authentication of user login credentials. All of these vulnerabilities can occur on any medical device, especially one connected to the internet, and therefore pose a real danger to the technology used in various hospital departments.
To put this into perspective, the number of devices per patient bed between 1995 and 2010 has increased by 62%. Today, a patient in a hospital bed will be monitored on average by the use of at least 13 devices.
Cyber medical devices
It is important to protect medical devices by applying imaging system acceptance testing. This is usually done in conjunction with the medical device supplier and the hospital's cyber security department to assess all potential vulnerabilities, which may include: securing all USB ports and CD/DVD drives so that only validated devices can be used; whether suppliers can gain remote access; whether the medical devices are protected with strong user names and passwords; and whether the computer systems are well maintained with the most up-to-date antivirus and antimalware software.
When purchasing medical equipment for patient use, all of the above considerations must be evaluated on a regular basis. To help facilitate the relationship between suppliers and providers of patient healthcare, the National Electrical Manufacturers Association (NEMA) has produced guidance documents such as PS3.15 of the DICOM standard, which covers Security and System Management Profiles. Further guidance is the Manufacturer Disclosure Statement for Medical Device Security (MDS2), which helps the healthcare provider to perform risk assessments.
According to Dr Suzanne Schwartz, Center for Devices and Radiological Health:
Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cyber security vulnerabilities that could be exploited by unauthorised users.
In 2015, a phishing attack – a type of social engineering attack intended to steal user data such as login and credit card details – was unleashed on the computer systems at UC Davis Health. The hacker(s) may have compromised the personal health information of 15,000 patients. In this case, the attack was most likely initiated when an employee responded to a phishing email with their account login details. The hacker was then able to send emails to other employees requesting bank transfers. Fortunately, the attack was stopped, and further investigation found that no sensitive information had been compromised.
Several steps can be taken to prevent the loss of sensitive information from healthcare computer systems, including: up-to-date cyber security training for all employees; placing the picture archiving and communication system (PACS) on a separate system with its own non-routable IP network to minimise exposure; data encryption at all points; and updating Windows XP-based image acquisition devices.
The categorisation of security defences includes:
Technical – firewalls, encryption and secure data transmission
Physical – the isolation of devices from each other including backing up and restoring data in addition to proper device disposal methods
Administrative – documenting security policies, maintaining audit trails, training staff, and incident reporting logs
In most cyber attacks it is a failure in the technical or physical categories that lets hackers into the device. However, a catastrophic computer failure is usually due to a lapse in administrative safeguards. Healthcare providers must introduce and set minimum standards for upholding a secure data policy and focus on the high-risk elements of their computer systems. Maintenance of healthcare systems must therefore take into account the following: the capability to use whitelisting, a cyber security list that grants system access only to administrator-approved programs and to approved IP and email addresses; operating devices according to best practice, such as not using expired passwords and not running with elevated administrator privileges; a supported operating system that can be upgraded along with its third-party applications; and no hard-coded or default passwords in the devices.
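The safeguards listed above (supported operating system, no default passwords, no elevated privileges, whitelisting, controlled supplier access, current antivirus, and a PACS on its own non-routable network) can be turned into a repeatable inventory audit. The following is an added example, not code from the article or from any vendor; the inventory records, their field names and the severity weights are assumptions chosen for this script, and the IP addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory record. Field names are assumptions for this example.
@dataclass
class Device:
    name: str
    role: str                    # "PACS", "CT", "workstation", ...
    ip: str
    os: str
    os_supported: bool           # vendor still issues security patches
    default_password: bool       # factory or hard-coded credentials still in place
    runs_as_admin: bool          # day-to-day account holds elevated privileges
    allowlist_enforced: bool     # only administrator-approved programs may run
    vendor_remote_access: bool   # supplier can reach the device over the network
    days_since_av_update: int

SEVERITY = {"high": 3, "medium": 2, "low": 1}

# RFC 1918 ranges: a PACS on its own non-routable network should sit in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_device(d: Device) -> list:
    """Return (severity, finding) pairs for one device."""
    findings = []
    if not d.os_supported:
        findings.append(("high", f"{d.os} is unsupported and cannot receive security patches"))
    if d.default_password:
        findings.append(("high", "default or hard-coded password still in use"))
    if d.runs_as_admin:
        findings.append(("medium", "routine operation runs with elevated administrator privileges"))
    if not d.allowlist_enforced:
        findings.append(("medium", "no application whitelisting; unapproved programs can execute"))
    if d.vendor_remote_access:
        findings.append(("medium", "supplier remote access enabled; confirm it is audited and time-limited"))
    if d.days_since_av_update > 7:
        findings.append(("low", f"antivirus signatures are {d.days_since_av_update} days old"))
    if d.role == "PACS" and not is_non_routable(d.ip):
        findings.append(("high", f"PACS at routable address {d.ip}; move it to an isolated private network"))
    return findings


def audit(devices) -> dict:
    """Score every device so that the worst offenders are fixed first."""
    report = {}
    for d in devices:
        f = check_device(d)
        report[d.name] = {"score": sum(SEVERITY[s] for s, _ in f), "findings": f}
    return report


def worst_first(report: dict) -> list:
    return sorted(report, key=lambda n: (-report[n]["score"], n))


# Constructed estate: a legacy scanner, a PACS on a routable address, a clean workstation.
INVENTORY = [
    Device("ct-scanner-01", "CT", "10.50.1.20", "Windows XP Embedded",
           os_supported=False, default_password=True, runs_as_admin=True,
           allowlist_enforced=False, vendor_remote_access=True, days_since_av_update=40),
    Device("pacs-core", "PACS", "203.0.113.15", "Windows Server 2016",
           os_supported=True, default_password=False, runs_as_admin=False,
           allowlist_enforced=True, vendor_remote_access=False, days_since_av_update=1),
    Device("reading-ws-07", "workstation", "10.50.2.7", "Windows 10",
           os_supported=True, default_password=False, runs_as_admin=False,
           allowlist_enforced=True, vendor_remote_access=False, days_since_av_update=2),
]

if __name__ == "__main__":
    report = audit(INVENTORY)
    for name in worst_first(report):
        print(f"{name}: score {report[name]['score']}")
        for sev, text in report[name]["findings"]:
            print(f"  [{sev}] {text}")
```

The XP-based scanner accumulates every finding and lands at the top of the list; the PACS is otherwise clean but is flagged because its address is outside the private ranges, which is exactly the exposure the text warns about. The RFC 1918 check is written explicitly rather than relying on a library's notion of "private", because documentation and test ranges are often classed as private by such helpers and would hide a misconfigured archive.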
Cyber breaches of healthcare information about patients are on the increase. In the first six months of 2019, there was a 53% increase in breaches of health records compared to the whole of 2018. The increase in cyber breaches in healthcare is likely to continue because of the array of highly sensitive patient health information held, such as date of birth, social security number, credit card data, insurance information and medical records. All of this information is a treasure trove for criminality, especially on the dark web.
Medical imaging is central to patient care and all these records are increasingly becoming digitised and stored on picture archiving communication systems (PACS). The PACS system facilitates the sharing of medical images across healthcare organisations, so it is essential to implement robust cyber security. However, ProPublica – an independent, non-profit newsroom that produces investigative journalism in the public interest – showed that 5 million patients in the US had their medical imaging data exposed on the internet.
This identifiable patient information can be used for blackmail and should be protected; yet it was exposed, with 400,000 images (e.g. MRI scans, X-rays) available on the internet. These imaging records were stored on servers, including archiving systems, potentially with no monitoring for unauthorised changes. All such systems should be securely configured and in compliance with regulatory standards.
To demonstrate how these vulnerabilities could be detrimental to medical imaging equipment and networks, Israeli cyber security researchers demonstrated malware capable of changing the information on CT scans. This was done to reflect a different diagnosis; for example, the CT scan of a healthy patient showing cancer, and that of a sick patient indicating no disease present.
In future, healthcare organisations need to protect their PACS networks, including digitally signing all images and installing end-to-end encryption, to prevent malware from altering CT and MRI scans. All investigations have demonstrated that future malware attacks on CT scans are a real threat, and neither manufacturers nor providers of medical imaging systems should become complacent. To further emphasise this potential problem, an investigation was carried out in which real CT lung scans were altered using advanced malware. A group of radiologists reviewed 70 altered CT scans and were misled into misdiagnoses. The radiologists then reviewed another batch of CT scans and, even though this time they knew about the malware, they were still misled 60% of the time. Also, when cancerous nodules had been removed from the CT scans, the radiologists failed to diagnose genuinely sick patients 87% of the time. These studies focused on malware attacks on lung cancer CT scans. However, malware can attack CT scans concerning brain tumours, bone fractures, spinal injuries and heart disease.
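Image signing defeats the scan-alteration attack described above because any change to the pixel data, or to the patient it is attached to, invalidates the tag computed at acquisition. The following is an added example, not code from the article or from any PACS vendor. It uses an HMAC-SHA256 tag from the Python standard library in place of the asymmetric signatures that DICOM PS3.15 Digital Signature Profiles specify, so that it runs self-contained; the image structure, field names, key and patient identifiers are all constructed for the example.

```python
import hashlib
import hmac

# Assumption: a simplified image object with two header fields and raw pixel data.
# Real DICOM objects have many more attributes; the signed set would be chosen per PS3.15.

def canonical_bytes(patient_id: str, study_uid: str, pixels: bytes) -> bytes:
    """Length-prefix each field so that bytes cannot be shifted between fields
    without changing the encoding (e.g. "ab"|"c" must differ from "a"|"bc")."""
    out = b""
    for field in (patient_id.encode(), study_uid.encode(), pixels):
        out += len(field).to_bytes(4, "big") + field
    return out


def sign_image(key: bytes, patient_id: str, study_uid: str, pixels: bytes) -> bytes:
    """Tag computed at acquisition and stored alongside the image in the archive."""
    return hmac.new(key, canonical_bytes(patient_id, study_uid, pixels), hashlib.sha256).digest()


def verify_image(key: bytes, patient_id: str, study_uid: str, pixels: bytes, tag: bytes) -> bool:
    """Check at read time; compare_digest avoids leaking the tag through timing."""
    expected = sign_image(key, patient_id, study_uid, pixels)
    return hmac.compare_digest(expected, tag)


def simulate_tamper(pixels: bytes, offset: int, patch: bytes) -> bytes:
    """Constructed stand-in for malware altering a region of the scan."""
    return pixels[:offset] + patch + pixels[offset + len(patch):]


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"   # in production: from an HSM or key store
    pixels = bytes(range(256)) * 16              # 4 KiB of constructed pixel data
    tag = sign_image(key, "PAT-0001", "1.2.840.demo.1", pixels)

    # 1. Untouched image verifies.
    ok_original = verify_image(key, "PAT-0001", "1.2.840.demo.1", pixels, tag)
    # 2. A 64-byte region overwritten (a "nodule" added or removed) fails verification.
    altered = simulate_tamper(pixels, 1024, b"\xff" * 64)
    ok_altered = verify_image(key, "PAT-0001", "1.2.840.demo.1", altered, tag)
    # 3. The same pixels re-attached to another patient also fail, because the
    #    patient identifier is inside the signed data.
    ok_swapped = verify_image(key, "PAT-0002", "1.2.840.demo.1", pixels, tag)
    return {"original": ok_original, "altered": ok_altered, "swapped_patient": ok_swapped}


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'verified' if passed else 'REJECTED'}")
```

The design point worth carrying into a real deployment is the third case: signing only the pixel data would let an attacker move a clean scan onto a sick patient's record, so the signed set must include the identifying headers, and the encoding must be unambiguous (hence the length prefixes). With asymmetric keys the acquisition modality holds the private key and every reading workstation can verify with the public key, which removes the need to distribute a shared secret.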
In recent years, NHS Digital, the national provider of information, data and IT systems, has embarked on aggressive cyber security programmes in the following areas:
Cyber monitoring, threat intelligence and incident response
Enhanced support and guidance for local organisations
Improved cyber training with greater awareness and engagement to create cyber security best practice among NHS staff and organisations
If you have ever watched the cyber attack dramatisations in Chicago Med and Grey's Anatomy, where hospitals came under attack and vital equipment was shut down, it is essential to realise that these situations reflect the growing reality that hackers are carrying out cyber attacks on medical and personal devices. For example, in 2019 the U.S. Food and Drug Administration informed patients and doctors that a specific make of insulin pump was at risk of cyber attack. Also, in 2017 it was found that certain implanted heart devices were susceptible to hacking via home monitoring systems. The accumulation of cyber attacks on medical devices forced the FDA to publish new guidelines in 2018 regarding these situations.
Future cyber security strategies depend on understanding what hackers want to achieve. In most attacks, the hackers obtain patient healthcare data and payment information (e.g. credit card data) for fraudulent purposes. To reduce these cyber threats, government agencies require more trained cyber professionals to intercept hackers and limit any damage caused. On 25 May 2018, the EU's General Data Protection Regulation (GDPR) came into force; it will help in the protection of personal data and aid cyber security. Another vulnerability is the company supply chain, where hackers can infiltrate parts of systems during construction to plant malware. Companies therefore have to think like a hacker and reduce cyber attacks by building innovative security across their supply chains.
The future of cyber security will use artificial intelligence (AI) to secure devices and systems within the internet of things (IoT). These connected devices are increasing at a rapid rate, and this growth increases exposure to potential cyber attacks. It is claimed that by 2025 there will be an estimated 75 billion internet-connected devices worldwide. It is also projected that ownership of smart devices could rise from 10 to 15 devices per UK household this year.
Old computer operating systems no longer have the capability to keep up with evolving security threats and depend on human surveillance to keep them in order, but this remains an ineffective approach. Further investment in intelligent automated systems will allow cyber attacks to be monitored, detected, managed and prevented in real time.