medical imaging systems at risk from WannaCry ransomware

WannaCry ransomware swiftly infiltrates vulnerable computers, encrypting critical Windows files on hard drives, rendering user access entirely unattainable and necessitating urgent cybersecurity measures.


The WannaCry Crisis: Unraveling the Notorious Ransomware Outbreak

Cyber security is paramount in the protection of medical imaging systems.  In May 2017, a global cyber attack hit large organisations such as the UK’s National Health Service (NHS).  During these attacks, patient operations were cancelled, X-rays, test results and patient records became unavailable, and communication channels did not function.  The WannaCry attack cost the NHS more than £92 million.  These cyber hackers infected computers in 150 countries using WannaCry ransomware.

The WannaCry infects computers and encrypts window files on the hard drive, making them impossible for users to access.  To access these blocked files, the hacker demands payment in bitcoin (digital gold) in order to decrypt them.  The WannaCry ransomware consists of several components.  The virus enters the windows system in the form of a dropper and starts to encrypt and decrypt data.  The United States National Security Agency (NSA) first uncovered this windows system weakness.  The ransomware attack was linked to the cyber crime organisation Lazarus Group (known as Hidden Cobra, Zinc) – a group of unknown individuals possibly linked to North Korea.

Interestingly, cyber security experts found that the programme code used to implement the WannaCry was not complicated.  The mode of operation was for WannaCry to access the coded URL known as the kill switch.  The ransomware hackers embedded this kill switch to check if a nonsense URL gave a live webpage response.

However, it was found that the domain name, www[.] ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com was not registered and inactive.  The domain status did not affect the spreading of ransomware.  When the URL was registered, it became active and killed the WannaCry virus.

The two strategies that slowed the spread of WannaCry was that Microsoft released a patch to help shield Windows XP devices; this was a rare event because Microsoft had not supported XP since 2014.  This approach assisted the older computer system with unstable security, and they could download the patch before WannaCry struck.

If the patch were unsuccessful, the ransomware virus would search for the files and produce, for example, encrypted Microsoft Office files to MP3s (MPEG-1 Audio Layer-3) and MKV file extension (Matroska Video file).  The result was that the user would be unable to access files, and a ransom notice would appear to demand $300 in Bitcoin to decrypt the files.  The WannaCry works by abusing the Windows implementation of the Server Message Block (SMB) protocol. The function of SMB protocol is to share access to files, printers, serial ports and other resources on a network.

The NSA discovered the vulnerability in Microsoft’s Windows operating system and developed a code called EternalBlue MS17-010 to exploit it.  They issued a security patch before the WannaCry ransomware spread worldwide, and the updated computer systems had early protection from WannaCry.

Subsequently, the hacking tools used by NSA were stolen and published by the Shadow Brokers hacker group and appeared in the summer of 2016.

WannaCry used EternalBlue to infect computers and began spreading rapidly on May 12.  Microsoft conflicted with the NSA because it did not disclose the operating system’s vulnerability during this period.

In addition, a new strain of the Petya ransomware started spreading on June 27, 2017, infecting many organisations.  This ransomware is similar to WannaCry but uses the EternalBlue exploit as one of the means to spread itself.  Petya (known as GoldenEye; NotPetya) uses SMB (Server Message Block) networks and can spread within organisations seemingly resistant to the EternalBlue patch.  The infection vector for the Petya cyber attack was MEDoc, a tax and accounting software package used by corporate networks.

Interestingly, when the computer system becomes infected with WannaCry, it will not initiate the encryption of files straightaway because the virus first tries to access the nonsense URL before going to work.  Consequently, if the virus can access the domain, this would result in WannaCry shutting itself down.  The possible idea behind this mechanism could be that hackers could stop the attack at any time.  WannaCry attempted to make contact with the URL and make an analysis of the code more complicated.

Cyber researchers will run malware in a sandbox environment to enable any URL or IP address details to be reachable. Necessarily, these automated malware analysis systems, known as sandboxes, are one of the latest weapons in the arsenal for cyber security. These sandbox systems will execute an unknown malware program in an instrumented environment and monitor their execution.

From Bytes to Bites: The Story of the WannaCry Ransomware Assault

Since the destruction of WannaCry, healthcare facilities have remained concerned about protecting their digital medical systems for imaging by employing medical cyber security and information technology professionals.

Just imaging a patient undergoing a CT scan, a hacker changes the scan and diagnosis!

The majority of medical imaging systems are part of internal and external networks and are at risk of cyber attacks which threaten the confidentiality, safety, and well-being of the patient.

The WannaCry outbreak emphasised the importance of robust cyber security practices in increasingly connected US and European healthcare sectors.  In these unfortunate situations, the data was held hostage to ransomware and medical devices were compromised. These attacks highlighted the possible consequences for radiology in healthcare.  The problem with IT in healthcare is that it intends to focus on patching known vulnerabilities (zero-day attacks) from the not sophisticated attacks because the regulatory requirements guide it.  A zero-day vulnerability results from a software security flaw known by the software vendor.  At the time, there was no patch to fix the flaw so that cyber criminals could exploit it.

The problem with some software vendors is that they do not have the expertise to address these issues. In these cases, the product remains a risk to security.  For example, the FDA criticised St. Jude Medical for failing to address known security issues with some of its implantable electrophysiology devices.  Nevertheless, medical device approval processes are still adjusting to changes in cyber security requirements.

Navigating the Cyber Threat Landscape: Developing Adaptive Strategies

To reduce these malware attacks on computer systems, a cyber security strategy must be in place to counteract these threats. These potential cyber attacks can be categorised by relating the type of information the hacker wants to access or what they want to achieve.  For example, untargeted information could include large quantities of personal health data compared to more targeted attacks where the hacker can control an infusion pump resulting in patient harm.

Also, healthcare providers must consider the sources of potential attacks within their organisation or external parties: if from employees or agency workers, there is already trusted access to the systems, which is a significant security threat.  The drive behind external attacks is usually for financial gain and, in some cases, may result from malice towards the organisation.

The issues to consider regarding internal cyber security threats within organisations include limited encryption, system set-up configuration, applications, operational security gaps, which may contain loopholes in processes and unpatched software and lack of authentication of user login credentials.  All these vulnerabilities can occur on any medical device, especially when connected to the internet, posing a real danger to the technology used in various hospital departments.

To put this into perspective, the number of devices per patient bed between 1995 and 2010 increased by 62%.  Today, a patient in a hospital bed will be monitored on average using at least 13 devices.

Connected Care: Cyber Medical Devices in Modern Medicine

It is important to protect medical devices by applying imaging system acceptance testing. This approach is usually in conjunction with the medical device supplier and the cyber security department of the hospital to assess all potential vulnerabilities, which may include: securing all USB ports and CD/DVD drives using validated devices: can suppliers gain remote access, are the medical devices protected using strong user names and passwords and finally are the computer systems well maintained using the most up to date antivirus and antimalware software.

When purchasing medical equipment for patient use, all the above considerations must be evaluated on a regular basis.  To help to facilitate the relationship between suppliers and providers of patient healthcare, the National Electrical Manufacturers Association (NEMA) has produced guidance documents such as PS3.15 of the DICOM standard relating to Security and System Management Profiles.  Another guidance relates to the Manufacturer Disclosure Statement for Medical Device Security (MDS2), which helps the healthcare provider to perform risk assessments.

According to Dr Suzanne Schwartz, Center for Devices and Radiological Health:

Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cyber security vulnerabilities that could be exploited by unauthorised users.

In 2015, a phishing attack – a social engineering attack to steal user data, such as login and credit card details – was unleashed on the computer systems at UC Davis Health.  The hacker(s) may have compromised the personal health information of 15,000 patients.  In this case, the attack was most likely initiated when an employee responded to a phishing email with their account login details. The hacker was then able to send emails to other employees requesting bank transfers.  Fortunately, the attack was stopped, and further investigation found no violation of sensitive information.

Several steps can be considered to prevent the loss of sensitive information from healthcare computer systems. They can include up-to-date cyber security training for all employees, picture archiving and communication system (PACS) on a separate system with its non-routable IP network to minimise exposure, data encryption at all points and updating Windows XP-based image acquisition devices.

The categorisation of security defences includes:

Technical – include firewalls, encryption and secure data transmission

Physical – the isolation of devices from each other, including backing up and restoring data in addition to proper device disposal methods

Administrative – documenting security policies, maintaining audit trails, training staff, and incident reporting logs

Most cyber attacks’ technical and physical categories result in hackers entering the device.  However, computer failure is usually due to administrative safeguards and results in a catastrophe.  Healthcare providers must introduce and set minimum standards for upholding secure data policy and focus on the high-risk elements of their computer systems.  Therefore, consideration to maintain healthcare systems must consider the capability to use whitelisting, which is a cyber security list only giving administrator-approved programs and, IP and email addresses, system access.  It is vital to ensure device functions towards best practices such as not using expired passwords and no elevated administrator privileges, including a supported operating system that third-party applications can upgrade. In addition, to no hard-coded or default passwords on the devices.

Cyber breaches in healthcare information regarding patients are on the increase. In the first six months of 2019, there was a 53% increase in breach of health records compared to the whole of 2018.  The increase in cyber breaches in healthcare is likely to continue due to the array of highly sensitive patient health information such as date of birth, social security number, credit card data, insurance information and medical records.  All this information is a treasure trove for criminality, especially on the dark web.

Medical imaging is central to patient care, and all these records are increasingly becoming digitised and stored on picture archiving communication systems (PACS).  The PACS system facilitates the sharing of medical images across healthcare organisations, so it is essential to implement robust cyber security.  However, ProPublica – an independent, non-profit newsroom that produces investigative journalism in the public interest – showed that 5 million patients in the US had their medical imaging data exposed on the internet.

This identifiable patient information can be used for blackmail purposes. It should be protected as it was discovered that over 13.7 million medical tests, including 400,000 images (e.g. MRI scans, X-rays) were available on the internet.  Consequently, these imaging records were stored on servers, including archiving systems, potentially without monitoring for unauthorised changes. All these systems should be securely configured and in compliance with regulatory standards.

To demonstrate how these vulnerabilities could be detrimental to medical imaging equipment and the networks, Israeli cyber security experts used malware that could change the information on CT scans.  This was done to reflect a different diagnosis; for example, the CT scan of a healthy patient showing cancer and a sick patient indicated no disease present.

In the future, healthcare organisations must protect their PACS networks, including the digital signature of all images, to prevent malware from altering CT and MRI scans by installing end-to-end encryption.  All investigations have demonstrated that future malware attacks on CT scans are a real threat, and both manufacturers and providers of medical imaging systems should not become complacent.  To further emphasise this potential problem, an investigation was carried out by altering real CT lung scans using advanced malware.  A group of radiologists reviewed 70 CT-altered scans and were misled into misdiagnoses.  Furthermore, the radiologists reviewed another batch of CT scans, and even though they knew this time about the malware, they were still misled by 60%.  Also, on removing cancerous nodules from the CT scans, the radiologists were unsuccessful in diagnosing sick patients 87% of the time.  These studies focus on the malware attack on the patient’s lung cancer CT scans.  However, malware can attack CT scans concerning brain tumours, bone fractures, spinal injuries and heart disease.

In the previous years, NHS Digital, which is the national provider of information, data and IT systems, has embarked on aggressive cyber security programmes in the following areas:

Cyber monitoring, threat intelligence and incident responses

Enhanced support and guidance for local organisations

Improved cyber training with greater awareness and engagement to create cyber security best practices among NHS staff and organisations

The Increasing Threat of Cyber Attacks on Medical and Personal Devices: The Need for Future Cyber Security Measures

If you have ever watched the cyber attack dramatisation in Chicago Med and Grey’s Anatomy, where hospitals came under attack resulting in the shutdown of vital equipment.  It is essential to realise these situations reflect the increasing fact that hackers are carrying out cyber attacks on medical and personal devices.  For example, in 2019, the U.S. Food and Drug Administration informed patients and doctors that a specific insulin pump was at risk of cyber attacks.  Also, in 2017, certain implanted heart devices were susceptible to hacking via home monitoring systems.  The accumulation of cyber attacks on medical devices has forced the FDA to publish new guidelines in 2018 regarding these situations.

The future platforms in cyber security are to understand what hackers want to achieve.  In most attacks, hackers obtain healthcare patient data and payment information (e.g. credit card data) for fraud.  To reduce these cyber threats, Government agencies require more trained cyber professionals to intercept these hackers and limit any damage caused.  On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into force and will help protect personal data and aid cyber security.  Another vulnerability is the company supply chains, where hackers can infiltrate parts of systems during the construction to plant malware.  Therefore, companies must think like hackers and reduce cyber attacks by creating innovative security across the supply chains.

The future of cyber security will use artificial intelligence (AI) to secure devices and systems within the internet of things (IoT).  These connected devices are increasing rapidly, and the consequences lead to exposure to potential cyber attacks.  It is claimed that by 2025, there will be an estimated 75 billion internet connected devices worldwide.  Also, it is projected that ownership of smart devices could rise from 10 to 15 devices per UK household this year.

The old computer operating systems no longer have the capability to keep up with evolving security threats and depend on human surveillance to keep them in order, but this remains an ineffective approach.  Further investment into intelligent automated systems will monitor, detect, manage and prevent cyber attacks in real-time situations.

You Are Here: Home » medical imaging blog » cyber security

By Open Medscience

Open Medscience is a platform to discuss a range of imaging modalities including radiology, ultrasound, computed tomography, MRI, nuclear medicine (PET & SPECT) and radiation therapy.

Open Medscience