Imagine this scenario. You have just been diagnosed by your cardiologist with a heart arrhythmia and she advocates the implantation of a pacemaker (seen below left). This state-of-the-art medical device has the ability to be programmed remotely via the internet. At a routine check-up you connect your pacemaker to the internet and up pops a message on your smartphone: “Your pacemaker files have been encrypted, and nobody can recover your files without our decryption service. To recover these files safely, all you need do is send $500 worth of Bitcoin to the following address and we’ll provide the key to unlock your device.”
Could something like this really happen, or are medical devices immune from being hacked by ransomware? The simple answer is that it can occur and, indeed, the first known instance of a ransomware attack on a medical device happened in the USA in 2017. A device known as a “power injector” that delivers a contrast agent to improve the quality of MRI scans was infected by the WannaCry virus which demanded a ransom to unlock the device. Fortunately, patients were never in danger and the Windows-based operating system was updated to prevent further damage.
Earlier this week, the University of California, San Francisco (UCSF) reported it had paid $1.14 million to hackers responsible for a malware attack that encrypted a number of computer servers, making them temporarily inaccessible. “We quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from our core network,” said the university. “Importantly, this incident did not affect our patient care delivery operations, or our COVID-19 work.” UCSF chose to pay the ransom to retrieve the encrypted data, no doubt frustrated by the reality of having to confront simultaneously two completely different viruses.
There is obviously a pressing need for the medical device sector to mitigate the risks of ransomware. One of the first steps is to classify certain medical devices as “computing end-points,” meaning that they can be connected to the internet and are therefore vulnerable to attack. Medical device companies like Medtronic, which manufactures pacemakers (seen above last), have joined forces with cybersecurity experts to improve the safety of their devices, as described in an update to the FDA in October 2018.
Medical devices can be life saving for many patients and so it is imperative for manufacturers to be proactive and adopt a preventative mindset during the all-important design phase. With vigilance, the impact of ransomware hackers can be minimised.